China's 'secure' OS Kylin - a threat to U.S offensive cyber capabilities?

China's 'secure' OS Kylin - a threat to U.S offensive cyber capabilities?

Summary: Picture a cyber warfare arms race where the participating countries have spent years of building offensive cyber warfare capabilities by exploiting the monoculture on one another's IT infrastructure.

SHARE:

Picture a cyber warfare arms race where the participating countries have spent years of building offensive cyber warfare capabilities by exploiting the monoculture on one another's IT infrastructure.

Suddenly, one of the countries starts migrating to a hardened operating system of its own, and by integrating it on systems managing the critical infrastructure it successfully undermines the offensive cyber warfare capabilities developed by adversaries designed to be used primarily against Linux, UNIX and Windows.

That's exactly what China is doing right now with their hardened OS Kylin according to Kevin G. Coleman, Senior Fellow and Strategic Management Consultant with the Technolytics Institute who presented his viewpoint in a hearing at the U.S. – China Economic and Security Review Commission.

Here's an excerpt from the hearing:

"Chinese authors believe the United States already is carrying out offensive cyber espionage and exploitation against China. China therefore must protect its own assets first in order to preserve the capability to go on the offensive. While this is a highly unpopular statement, WE ARE IN THE EARLY STAGES OF A CYBER ARMS RACE AND NEED TO RESPOND ACCORDINGLY!

This race was intensified when China created Kylin, their own hardened server operating system and began to convert their systems back in 2007. This action also made our offensive cyber capabilities ineffective against them given the cyber weapons were designed to be used against Linux, UNIX and Windows."

Kylin is an operating system developed by the the University of Science and Technology for National Defense, and successfully approved by China's 863 Hi-tech Research and Development Program office in 2006.  According to their web site, the OS has already achieved one of the highest national data security standards, and is therefore to be used as critical military and government servers. Is Kylin so unique and impenetrable as China is pitching it, following years of research and piles of money spent on branding it as the secure national operating system of choice? That may not be the case.

In a recently conducted kernel similarity analysis, a Chinese student debunks this notion by pointing out that not only are different versions of Kylin's kernel virtually the same, but also, that most of the kernel code is identical to the one of FreeBSD5.3:

"A Linux specialist who declined to be named, said recently that of all the Linux kernel codes, none are developed by Chinese. The situation has been acknowledged by Ni Guangnan, an academic with the Chinese Academy of Engineering and a strong advocate of Linux in China.

Prior to this, the Kylin operating system - which is funded by the National 863 High-Tech Program - was found to have plagiarized from the FreeBSD5.3. An anonymous internet user, who goes by the handle name "Dancefire", pointed out similarities between the two systems reached 99.45 percent."

All warfare is indeed based on deception, especially when you're re-branding.

The rush to participate in the "national security operating system" arms race is pretty evident across the world, with the European Union's secure OS Minix, the U.S Air Force new 'secure distribution of Windows XP' and Russia's interest in a similar secure OS.

What everyone appears to be forgetting is the fact that security is proportional with usability, and as well as the fact that complexity is the worst enemy of security. Combined, these complexities and usability issues end up in not so surprising results such as the recently conducted pen testing audit at the U.S Federal Aviation Administration, where the auditors from KPMG logically bypassed the "security through secure OS mentality" and by attacking the upper layers of the OSI Model presented the following results:

"We tested 70 Web applications, some of which are used to disseminate information to the public over the Internet, such as communications frequencies for pilots and controllers; others are used internally within FAA to support eight ATC systems. Our test identified a total of 763 high-risk, 504 medium-risk, and 2,590 low-risk vulnerabilities, such as weak passwords and unprotected critical file folders."

Upon exploitation of the Web applications, they were able to gain unauthorized access to a Traffic Flow Management Infrastructure system, Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower, an ATC system used to monitor critical power supply at six en route centers, and had the capability to install malicious code on users' computers part of FAA's network. How did they do that? By exploiting the basic insecurities that every 'secure' OS has, in this case exploiting the insecurely configured web applications allowing them to gain access, next to exploiting the unpatched ones or the usability and complexity altogether.

The bottom line - are secure operating systems the cornerstone for a hardened critical infrastructure, or is a misconfigured 'secure' operating system just as insecure as the supposedly insecure one in general, managing assets through a flawed and outdated risk assessment process? Talkback.

Topics: Software, Linux, Open Source, Operating Systems, Security, China

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

28 comments
Log in or register to join the discussion
  • Interesting!

    There is no way that you can start from scratch these days and have a usable OS in a reasonable time. Look how long it has taken Linux distros to catch up to Mac and Windows and they still have a ways to go.

    I always wondered why other countries would want to use Windows or Mac OS in their secure government systems? I am sure that MS has a back door to Windows and can provide the US government with that if needed (This has been shown already with built in encryption)

    The key is to make a secure OS, make it tight and right and deploy with a tested standard.

    This is how we do it at the US government agency I work for. We are using XP standard and we have a security standard. We roll out EVERY machine using that standard. When we make a change to to the image we put it though a CM process and then security testing and do not deploy the updated load until it passes the set security standard. This works for us and we have very few security issues.

    We do the same process with our Linux machines and Macs.

    tymiles
    • Re: Interesting!

      "This is how we do it at the US government agency I work for."
      Is any of this info you're providing even mildly classified?
      Col Mustard
    • Source?

      [i]I am sure that MS has a back door to Windows and can provide the US government with that if needed (This has been shown already with built in encryption)[/i]

      If there was a backdoor, the pirate/hacking community would have found it ages ago.

      IMHO
      rtk
      • You mean they didn't?

        Judging by the malware over the last fifteen or so years, Windows vulnerabilities are well distributed outside Microsoft.
        epcraig
  • They had no choice.

    "How did they do that? By exploiting the basic insecurities that every ?secure? OS has..."

    They couldn't exploit the 'insecure' OS because it wasn't there to exploit.
    kozmcrae
  • The "user" is always the weakest link...

    Hardening the OS internals and properly configuring the security settings on a system can only go so far. Poor choices and actions by the user sitting at the keyboard will always defeat even the best security settings. Perhaps we need to get behavioral psychologists involved in the development process for our future secure operating systems?
    BillDem
  • Good to see Linux development advancing, just remember

    That if security is the priority then all of that the fancy features you don't need should be left out of the code. This freedom of choice is yet another benefit of a modular kernel such as Linux. (not OS, the OS is the distro)
    T1Oracle
    • That's more an issue of how the kernel is designed.

      If it's like Windows (everything is exposed) then
      yes, having more features directly decreases
      security. But if it's designed in a smart way, so
      that features which have nothing to do with the
      internet aren't exposed to the internet, they pose
      no security risk.
      AzuMao
  • RE: China's 'secure' OS Kylin...

    It is hilarious that the article mentions that the US gubmint uses a secure version of windoze xp.

    Now, why anyone would want to run such critical applications on a piece of [b]"Swiss Cheese"[/b] is beyond me!

    Windoze != secure
    Windoze == malware
    fatman65535
    • Pity...

      ...you are too ignorant to properly install and configure a windows system.

      You think you are being 'cute' or 'clever' using the term "windoze"? When you turn 16, come back and let us know...

      Ya, like that's going to earn your comments a lot of cred.
      Marty R. Milette
      • it does not matter!!!

        as i said it doe not matter how well you configure it, windows Kernel does not change, then there will be back door somewhere out there, people have larger amount of knowledge in the Windows Kernel compare to a BSD, on the same point to BSD when it's well configured plus people has lesser knowledge of it, it will take huge amount of time to brake through, knowledge is the critical of a system is the key point to brake through something....

        just like braking through a into a city if you have no knowledge of the city plan do you dare to attack it????? if you have no knowledge of it your whole army will die the moment you enter the city.
        Darkra
    • i totally agree with you!!!!!!!!!!!!!!!!!!!!!

      It is hilarious, hearing a secure version of windows XP, if the new secure version of windows has the same Kernel as the rest of the windows systems, there is nothing secure about it

      Darkra
  • RE: China's 'secure' OS Kylin - a threat to U.S offensive cyber capabilities?

    Great points here. Even though it is now turning out that the "consultant" that raised the Kylin story knows no more than is available on the web about it, your point about secure OS's is wise. Who hacks Windoze anymore? Why bother when the apps are so weak?

    RStiennon
  • RE: China's 'secure' OS Kylin - a threat to U.S offensive cyber capabilities?

    It could be that the malware is installed in bios when the motherboard is manufactured.
    Col Mustard
  • I win!

    I'm the most secure.
    I forgot my password!
    ;-)
    kd5auq
  • RE: China's 'secure' OS Kylin - a threat to U.S offensive cyber capabilities?

    Which reminds me--anyone know the link to the M$ spoof toon done by Penny Arcade? Whenever I see Windoze or M$ that's what I think of.
    Selvarin
  • " is the fact that security is proportional with usability"

    Trouble is Sir, It's not, you can have both security and usability, in fact users demand it, and get it.

    If you cant write code be it application or operating system and you are not capable of making it usable and secure, you're in the wrong job, go back to flicking burgers.
    Aussie_Troll
  • RE: China's 'secure' OS Kylin - a threat to U.S offensive cyber capabilitie

    Guys, you know what bullshit is? If they could develop a full-
    fledged operating system, the "Party" should've already
    advertised it all over the media they could reach. They don't
    really need a ZDNet to spread the news. Obviously, they
    suck. Sorry guys.
    Truthologist
  • Anyone who wants to test this OS can apparently

    download an ISO from the website to which Dancho provides a link. As for the ?kylin? (?qilin? ??), it's the same mythical creature portrayed on the label of what IMHO is Japan's best beer, [b]Kirin[/b]....

    Henri
    mhenriday
  • There is a third case.

    Dancho, you ask whether a secure O/S is feasible, or does misconfiguration destroy this feasibility? Both are true: the science is do-able, but we live in a human world, where chaos, miscommunication, under-education, etc indeed prevent security from being applied to any sizeable network.
    My point is that the REAL secrets are never put onto networked computers. They can live on computers, but not connected to a WAN. If you put information onto a networked computer you are effectively publishing it, and no-one should kid themselves otherwise.
    peter_erskine@...