The media has been all over a newly disclosed 'secure' operating system from China called 'Kylin'.
ZD Net, The Inquirer, and MSN (to name a few) all have articles about this 'unhackable' operating system.
Assuming that such a system exists, it means that existing cyber efforts against Windows, Mac, and Unix systems would be pointless since we're focusing on the wrong systems. There has even been speculation about whether Kylin is actually a hardened version of Linux or BSD.
Your download has 12 minutes remaining...
My thought is: why speculate when I can actually download Kylin and look for myself.
Kylin has their own web site at http://www.kylin.org.cn/. The site includes news, updates, and forums. Although the download links are currently disabled, you can find mirrors easily enough. Search Google for "KYLIN-2.1-1A.iso" and "KYLIN-2.1-1B.iso".
Considering that there are open forums for a live community, this hardly seems like a secret weapon.
Inside the ISOs
I've begun going over the Kylin ISOs (dated 2006) and so far, nothing looks like a cyberthreat. Unless they slid some malware inside one of the RPMs, there is nothing dangerous here.
Oh yes: I said 'rpm', as in 'RedHat Package Manager'. The speculation has focused on FreeBSD. But this uses the RedHat/Fedora packaging system. (By default, BSD uses 'ports' as the package installer, and not rpm.)
I had previously written about various custom Linux distros. A distribution is a collection of otherwise-disconnected packages. Most distributions are customized for a particular field or purpose. For example, "Edubuntu" is Ubuntu for educational environments, RedHat focuses on Linux with corporate support, and NetBSD focuses on stability and security. Other distros are tuned for a particular purpose (everything from game-specific configurations to religious use and astronomy).
From what I can tell, Kylin (circa 2006) is nothing more than Redhat/Fedora tuned for the Chinese language and it includes a large number of optional packages already available to the online community. Just as Ubuntu selected the packages considered "Best" for their distribution, it seems that Kylin has also just collected various packages and preconfigured them.
To reiterate: The Kylin packages all include standard open source and public packages which have been brought onto one system for easy installation.
Some things that Kylin includes:
- Font sets, X11, and Gnome configured for Chinese.
- Standard crypto libraries. Some Linux distributions do not include them by default because of munitions and export restrictions. China does not have those issues, so they packaged up crypto-utils-2.0-4.i386.rpm and a few other packages.
- Various communication protocols like PPPoE, PPP, OSPF, and RADVD. Basically, it looks like the distro wants to have the option to connect to anything.
- Various archive files. They include things like rar-2.90-2.i386.rpm (support for Windows RAR archives).
- Various media players. They include RealPlayer10GOLD-10.0.5.765-20050513.i386.rpm and other media players. Basically, they want to play anything.
- VMware. (Always good to have an emulator available.) I don't know if packaging a distro with VMware violates the VMware licensing, but that's between VMware and China. (Same goes for including the RealPlayer package...)
In fact, beyond a few configuration files, a PDF on installation, and a splash-screen logo, I'm not seeing anything that is not obviously from some standard open source or publicly available package.
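The caveat above about malware slipped into one of the RPMs can be checked rather than assumed. The following is an added example, not code from the post: it reads the RPM lead and signature header of each package and reports whether the package carries an upstream OpenPGP signature tag at all, so that unsigned or re-signed packages are the ones to compare against the Fedora originals. The sample packages are constructed inline, and the ISO mount point in the usage comment is an assumption.

```python
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8"
LEAD_FMT = "!4sBBhh66shh16s"  # 96-byte lead: magic, major, minor, type, arch, name, os, sigtype, reserved
# Signature-header tags that carry an OpenPGP signature (values from rpmtag.h).
SIGNATURE_TAGS = {1002: "PGP", 1005: "GPG", 267: "DSA", 268: "RSA"}

def parse_lead(blob):
    """Return (package name, major, minor) from the RPM lead, or raise if it is not an RPM."""
    magic, major, minor, _t, _arch, name, _os, sigtype, _r = struct.unpack(LEAD_FMT, blob[:96])
    if magic != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM file (bad lead magic)")
    if sigtype != 5:  # RPMSIGTYPE_HEADERSIG: a signature header follows the lead
        raise ValueError("unsupported signature type %d" % sigtype)
    return name.split(b"\0", 1)[0].decode("ascii", "replace"), major, minor

def signature_tags(blob):
    """Return the set of tag numbers in the signature header that follows the lead."""
    off = 96
    if blob[off:off + 3] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, _hsize = struct.unpack("!II", blob[off + 8:off + 16])  # entry count, data size
    entries = (blob[off + 16 + 16 * i:off + 32 + 16 * i] for i in range(nindex))
    return {struct.unpack("!iiii", e)[0] for e in entries}  # entry = tag, type, data offset, count

def audit_rpm(blob):
    """'signed' only means a signature tag is present; it does not verify the signature."""
    name, major, minor = parse_lead(blob)
    sigs = sorted(SIGNATURE_TAGS[t] for t in signature_tags(blob) if t in SIGNATURE_TAGS)
    return {"name": name, "format": "%d.%d" % (major, minor), "signatures": sigs, "signed": bool(sigs)}

def build_sample(name, tags):
    """Constructed minimal RPM prefix (lead + signature header) for offline testing only."""
    lead = struct.pack(LEAD_FMT, RPM_LEAD_MAGIC, 3, 0, 0, 1, name.encode(), 1, 5, b"\0" * 16)
    index, data = b"", b""
    for tag in tags:
        index += struct.pack("!iiii", tag, 7, len(data), 4)  # type 7 = BIN, 4 dummy bytes each
        data += b"\0\0\0\0"
    hdr = HEADER_MAGIC + b"\x01" + b"\0" * 4 + struct.pack("!II", len(tags), len(data))
    return lead + hdr + index + data

if __name__ == "__main__":
    import sys  # usage (assumed mount point): python audit_rpm.py /mnt/kylin-iso/*.rpm
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:  # lead and signature header sit in the first few KB
            print(path, audit_rpm(fh.read(4096)))
```

A present signature tag is not verification; for that, run `rpm -K` on the package with the vendor's public key imported, and compare the file's checksum against the matching Fedora package.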
Technically, Kylin seems to use the Mach kernel (same family of kernels used in both BSD and Mac OS X systems). The most interesting aspect is that it includes LuValley -- a virtual machine monitor. From the description:
Luvalley is a Virtual Machine Monitor (VMM) spawned from the KVM project, because part of its source code is derived from KVM. However, its overall architecture is completely different from KVM, but somewhat like Xen. Luvalley runs outside of Linux, just like Xen's architecture, but it still uses Linux as its scheduler, memory manager, physical device driver provider and virtual IO device emulator. Moreover, Luvalley may run WITHOUT Linux. In theory, any operating system could take the place of Linux to provide the above services. Currently, Luvalley supports Linux and Windows. That is to say, one may run Luvalley to boot a Linux or Windows, and then run multiple virtualized operating systems on such Linux or Windows.
The Kylin distribution seems to provide a lot of optional software. Considering all of the network services that they will be opening, including all of the network service announcement daemons, and all of the file formats and optional plugins (like most plugin modules for Apache), I'd actually say that Kylin is potentially LESS secure than other distributions.
What was that threat again? China has their own super secure operating system? Unless the security is from being unable to read Chinese (security by obscurity), I'm just not seeing it.
From the Mouth
At EuroBSDCon 2006, the person responsible for the Kylin project gave a public presentation. Qingbo Wu described Kylin as an operating system "focusing on high performance, availability and security". Although they say it contains a "system service layer which is based on FreeBSD", it was designed to be compatible with Linux (hence all of the RPM files).
The speaker does mention that it received government funding in 2002. However, that does not mean that it is a government project. I mean, seriously: Windows, Linux, BSD, and SSH all receive funds from government sponsors. Does that mean that we are all using secret hidden weapons?
Moreover, if this were a secret project designed for offensive or defensive capabilities, then why give a presentation on it to the open source community?
Ready, Set, Panic!
The event that kicked off this initial cyber threat came from "The U.S. - China Economic and Security Review Commission, Opening Statement of Kevin G. Coleman". The particular alert comes from pages 6 and 7 of the report:
2. We need to take any and all actions necessary to ensure our military has access to a continuing supply of new offensive and defensive cyber capabilities that are required and will continue to be required to defend our nation. This is not a one-time investment. Continuous investment will be necessary to respond to the ever changing global supply of computer technology. Chinese authors believe the United States already is carrying out offensive cyber espionage and exploitation against China. China therefore must protect its own assets first in order to preserve the capability to go on the offensive. While this is a highly unpopular statement, WE ARE IN THE EARLY STAGES OF A CYBER ARMS RACE AND NEED TO RESPOND ACCORDINGLY!
This race was intensified when China created Kylin, their own hardened server operating system and began to convert their systems back in 2007. This action also made our offensive cyber capabilities ineffective against them given the cyber weapons were designed to be used against Linux, UNIX and Windows. Refer to our report - RED SOS.
The uppercase text, which really is capitalized like that in the report, is certainly alarmist. But to be clear, alarmist does not mean that it is inaccurate.
However, the very next paragraph mentions Kylin. It describes Kylin as a hardened operating system made by China, and claims that it negates our offensive cyber capabilities, which were designed against "Linux, UNIX, and Windows".
Sorry Kevin, but I'm just not seeing that.
- I reviewed a 2006 version of Kylin. It was created by people in China, but I don't see anything that suggests it was created for military or government purposes.
- Creating a hardened system is not a fast process. Unless they did some complete recreation between 2006 and 2007, I seriously doubt that it has been very hardened. Just with the network services that are installed, it really seems far from secure.
- In 2006, Kylin was based on BSD (which is Unix) and Linux (rpm packages). So how does this invalidate any offensive UNIX and Linux capabilities?
Other people are also claiming that Coleman's statement is more hype than fact. Security Guru Bruce "I'm better than Chuck Norris" Schneier questioned the findings and speculates that it is more hype than fact. Even the Chinese media Xinhua denounced the findings as propaganda and stated that "'Kylin' was designed and used for civilian purposes only." While I would usually question Xinhua's own view as biased propaganda, this time their statements align with my own findings.