A technical analysis of the Chinese 'Green Dam Youth-Escort' censorship software
From WikiLeaks
June 10, 2009
The Green Dam censorship/spy software is mandated to be installed on all Chinese personal computers sold as of July 1, 2009[1]
A Technical Analysis of the 'Green Dam-Youth Escort' Software
About
"Green Dam-Youth Escort" is the market name of the "Jinhui Expert System for Blocking Pornographic Images and Harmful Information", a product of Jinhui Technologies that blocks pornographic images and other "harmful" information.
Jinhui Expert System for Blocking Pornographic Images and Harmful Information V2.51
Project Director: Zhao Huiqin
Technical Director: Zhou Hui
Chief Designer: Tang Huaili
Planning Manager: He Hongjie
Project Engineers: Li Bicheng, Cao Wen, Peng Tianqiang, Zhong Sheng, Li Xiaohe, Li Yang, Li Shujin, Huang Liang, Zhang Wenzhong
Testing: Mary Ma, Sharon Zhang, Dong Juan
Documentation: Zhang Chenmin, Liu Yu, Biddle Zhang
Systems Support: Wu Chaoyang, Yi Juan, Liu Yishan, Ding Min
Copyright (c) 2005 Jinhui Technologies, all rights reserved. http://www.zzjinhui.com (the site itself carries "©2009 Jinhui Technologies. All Rights Reserved")
1) Ministry of Public Security Information Security Product Sales License No. XKC30492
2) National Development and Reform Commission approval (NDRC Circular [2004] No. 2040) as a "Major Software Industrialization Project", the only filtering product of its kind approved nationwide
3) Ministry of Science and Technology approval (MOST Circular [2004] No. 449) for "Technological Innovation Fund" funding
4) Ministry of Information Industry approval (MII Circular [2005] No. 9) for "Electronic Information Industry Development Fund" funding
The only product officially recommended by the China Internet Illegal Information Reporting Center (net.china.cn)
Gold award at the Ninth China International Software Expo
Gold award at the 2005 Zhengzhou Advanced Applicable Technology Trade Fair
First prize for technological progress, Zhengzhou City
Jinhui Marketing Service Center: 0371-63697160, 63697161
Fax: 0371-63697171
Objectives and functions
Stated features: To protect minors from age 10-16 through the filtering of pornographic and violent images and content.
Latent features: To filter political content? To filter circumvention software (such as Wujie)?
There is also a Network Edition of Green Dam, which can be downloaded from http://www.zzjinhui.com/down/newServerCard.rar (.rar).
Applicability
Technical framework analysis
The file xstring.s2g in the Windows directory holds the installation paths of all of the program's files.
During operation, Green Dam installs the following modules:
Driver: C:\Windows\system32\Drivers\mgtaki.sys
Service: C:\Windows\MPSvcC.exe
Startup item: C:\Windows\system32\xnet2.exe
Green Dam stores its password as an unsalted MD5 hash, written as plain text to the file kwpwf.dll in C:\WINDOWS\system32. Opening that file in Notepad, replacing its content with "D0970714757783E6CF17B26FB8E2298F" and saving resets the password to the factory default "112233". Because the hash is unsalted and the file is a plain text file, anyone who can read it can recover a short password by guessing, and anyone who can write it can set the password to whatever they like.
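The following Python is an added example, not code from the page or from Jinhui, showing both consequences of the kwpwf.dll design: recovering the password from the stored digest by trying candidates (a constructed wordlist, then every six-digit PIN), and producing the text to write into the file to set a password of one's choosing. The digest constant is the one quoted above; the wordlist is made up here.

```python
import hashlib
from typing import Iterable, Iterator, Optional

# Digest quoted on the page: MD5("112233") as kwpwf.dll stores it (upper-case hex, no salt).
PAGE_DEFAULT_HASH = "D0970714757783E6CF17B26FB8E2298F"


def md5_hex_upper(password: str) -> str:
    """Reproduce the stored form: unsalted MD5 of the password, upper-case hex."""
    return hashlib.md5(password.encode("utf-8")).hexdigest().upper()


def parse_kwpwf(content: str) -> str:
    """kwpwf.dll is a plain-text file holding a single hex digest; validate and normalise it."""
    digest = content.strip().upper()
    if len(digest) != 32 or any(c not in "0123456789ABCDEF" for c in digest):
        raise ValueError("kwpwf.dll content is not a 32-character hex MD5 digest")
    return digest


def six_digit_pins() -> Iterator[str]:
    """Every numeric PIN of the default's shape (000000-999999): one million candidates."""
    for n in range(1_000_000):
        yield f"{n:06d}"


def recover_password(stored_content: str, candidates: Iterable[str]) -> Optional[str]:
    """Read side: with no salt and a fast hash, trying candidates until one matches is enough."""
    digest = parse_kwpwf(stored_content)
    for candidate in candidates:
        if md5_hex_upper(candidate) == digest:
            return candidate
    return None


def reset_content(new_password: str = "112233") -> str:
    """Write side: the text to place in kwpwf.dll so that new_password is accepted."""
    return md5_hex_upper(new_password)


# Constructed wordlist standing in for what an attacker would try first.
CONSTRUCTED_WORDLIST = ["123456", "password", "admin", "112233", "888888"]

if __name__ == "__main__":
    print(recover_password(PAGE_DEFAULT_HASH, CONSTRUCTED_WORDLIST))  # 112233
    print(recover_password(PAGE_DEFAULT_HASH, six_digit_pins()))       # 112233
    print(reset_content("112233") == PAGE_DEFAULT_HASH)                # True
```

The six-digit search runs in well under a second in plain Python; a GPU hash cracker would handle far longer passwords. A salted, slow password hash (bcrypt, scrypt, Argon2) in a file that ordinary users cannot write would have closed both halves of this problem.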
In the Green Dam installation file xnet2_lang.ini, one line reads: "AOption0_1117=Upon discovery of harmful information, report automatically to Jinhui Corporation." In system32 there is a file filtport.dat whose default content is "FreeGate/8567/tcp Urf/9666/tcp", suggesting that it is Green Dam's port-filtering list: each entry names a program, a port and a protocol, and FreeGate is a circumvention tool.
Green Dam updates itself automatically online from http://www.zzjinhui.com/softpatch/. That directory also holds a picture of an attractive woman, http://www.zzjinhui.com/softpatch/Image0.jpg, whose purpose is unknown. Analysis by Internet users found that http://www.zzjinhui.com/softpatch/kwupdate.dat is related to the filtering of keywords and URLs. Two IP addresses are associated with the update mechanism, 211.161.1.134 and 203.171.236.231; the second belongs to Zhengzhou Giant Computer Network Technology Co. Ltd. (zzidc.com.cn) in Henan province.
Usage testing and algorithm analysis
Actual testing and user feedback show that Green Dam's ability to deliver its stated functions is not strong, while it has not refrained from adding many undisclosed functions at various levels. A sample of users' experiences and discussion:
- http://blog.sina.com.cn/s/blog_4b862d070100doj4.html
- http://club.cat898.com/newbbs/dispbbs.asp?BoardID=1&id=2853590
- http://www.meirendaddy.com/blog/?p=404
- http://tieba.baidu.com/f?kz=591097210
Image filtering
The image detection process takes image data from the queue of images awaiting inspection, first normalises the image size, then separates skin-tone regions from non-skin regions; after analysing the relationships between the skin-tone regions it removes noise, extracts features of the regions and feeds them to a trained SVM classifier. An image classified as pornographic is then passed to a face detector; if a face is not the main component, the image is confirmed as pornographic. The main problem with this algorithm is that recognition of pornographic images depends heavily on skin colour and the shape of skin-coloured areas; the final weighted decision using face detection is merely a manual patch to stop images dominated by a face being identified as pornography, and the reliability of the empirical weights has not been validated.
XFImage.xml shows that Green Dam uses OpenCV's Haar cascade classifier for face detection. Green Dam also ships cximage.dll, CImage.dll, xcore.dll and Xcv.dll; xcore and Xcv match the names of OpenCV 1.x's cxcore and cv modules (cximage is the separate CxImage library). All this suggests that Green Dam relies mainly on OpenCV for its image processing. As with much domestic Chinese software, however, Green Dam disregards OpenCV's BSD license.
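To make the weakness described above concrete, here is an added example (not Green Dam's code, and not from the page) that models the described pipeline in plain Python: size normalisation, skin/non-skin split, region analysis with small blobs dropped as noise, feature extraction, a classifier, and the face-detector veto. The explicit RGB skin rule and the threshold standing in for the trained SVM are assumptions; the test images are constructed. Run against them, it flags a plain tan wall and a portrait, and misses a badly lit figure, which is exactly the skin-colour dependence the analysis complains about.

```python
from typing import Dict, List, Tuple

Pixel = Tuple[int, int, int]
Image = List[List[Pixel]]

# Constructed colours for the synthetic test images below.
SKIN = (224, 172, 105)   # a typical light skin tone
TAN = (210, 180, 140)    # a tan wall/sand colour that also satisfies the skin rule
BLUE = (30, 60, 200)     # clothing/background
DIM = (90, 60, 40)       # skin in poor lighting: fails the rule


def make_image(w: int, h: int, bg: Pixel, rects: List[Tuple[int, int, int, int, Pixel]]) -> Image:
    """Constructed test image: background colour plus filled rectangles (x, y, w, h, colour)."""
    img = [[bg for _ in range(w)] for _ in range(h)]
    for x0, y0, rw, rh, colour in rects:
        for y in range(y0, y0 + rh):
            for x in range(x0, x0 + rw):
                img[y][x] = colour
    return img


def normalize(img: Image, size: int = 16) -> Image:
    """Step 1, size normalisation: nearest-neighbour resample to size x size."""
    h, w = len(img), len(img[0])
    return [[img[y * h // size][x * w // size] for x in range(size)] for y in range(size)]


def is_skin(p: Pixel) -> bool:
    """Step 2, skin/non-skin split. This explicit RGB rule is an assumption standing in for
    whatever skin model Green Dam uses; the page only says it separates skin-tone regions."""
    r, g, b = p
    return (r > 95 and g > 40 and b > 20 and max(p) - min(p) > 15
            and abs(r - g) > 15 and r > g and r > b)


def skin_regions(mask: List[List[bool]]) -> List[int]:
    """Step 3, region analysis: sizes of the 4-connected skin blobs."""
    h, w = len(mask), len(mask[0])
    seen = [[False] * w for _ in range(h)]
    sizes = []
    for y in range(h):
        for x in range(w):
            if not mask[y][x] or seen[y][x]:
                continue
            seen[y][x] = True
            stack, count = [(x, y)], 0
            while stack:
                cx, cy = stack.pop()
                count += 1
                for nx, ny in ((cx + 1, cy), (cx - 1, cy), (cx, cy + 1), (cx, cy - 1)):
                    if 0 <= nx < w and 0 <= ny < h and mask[ny][nx] and not seen[ny][nx]:
                        seen[ny][nx] = True
                        stack.append((nx, ny))
            sizes.append(count)
    return sizes


def features(img: Image, min_region: int = 4) -> Dict[str, float]:
    """Step 4, feature extraction after dropping blobs smaller than min_region as noise."""
    small = normalize(img)
    mask = [[is_skin(p) for p in row] for row in small]
    regions = [s for s in skin_regions(mask) if s >= min_region]
    total = len(small) * len(small[0])
    skin = sum(regions)
    return {"skin_ratio": skin / total,
            "largest_region_ratio": (max(regions) / skin) if skin else 0.0,
            "regions": float(len(regions))}


def svm_stand_in(f: Dict[str, float]) -> bool:
    """Stands in for the trained SVM (assumption): lots of skin in one dominant blob."""
    return f["skin_ratio"] >= 0.30 and f["largest_region_ratio"] >= 0.5


def classify(img: Image, face_area_ratio: float = 0.0) -> str:
    """Full pipeline. face_area_ratio is what a face detector would report: the fraction of
    the image covered by detected faces (0.0 when no face is found)."""
    f = features(img)
    if not svm_stand_in(f):
        return "clean"
    # The face-detector patch: if the face accounts for most of the skin, do not call it porn.
    if f["skin_ratio"] > 0 and face_area_ratio / f["skin_ratio"] >= 0.6:
        return "clean (face veto)"
    return "porn"


# Constructed inputs exercising the weaknesses described above.
PORTRAIT = make_image(32, 32, BLUE, [(8, 4, 16, 20, SKIN)])    # one large face/neck area
TAN_WALL = make_image(32, 32, TAN, [])                         # no person at all
DIM_FIGURE = make_image(32, 32, BLUE, [(4, 0, 24, 32, DIM)])   # a person, badly lit

if __name__ == "__main__":
    print(classify(PORTRAIT))                        # porn (without the face detector)
    print(classify(PORTRAIT, face_area_ratio=0.25))  # clean (face veto)
    print(classify(TAN_WALL))                        # porn (skin colour alone decides)
    print(classify(DIM_FIGURE))                      # clean (the skin rule misses it)
```

The face veto only rescues the case the page says it was patched in for (a large face); it does nothing for the wall, and nothing in the pipeline can recover an image the skin stage never sees.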
Jinhui claims a true-positive rate above 90% and a false-positive rate below 7% for image detection, and computes an overall "detection rate" as: detection rate = true-positive rate * proportion of pornographic images + (1 - false-positive rate) * (1 - proportion of pornographic images). With 1% of images being pornographic this gives 0.9 * 0.01 + 0.93 * 0.99, about 93%. That figure is simply overall accuracy and is dominated by the 99% of benign images; with the same rates, only about 11% of the images it flags would actually be pornographic (0.009 / (0.009 + 0.0693)), i.e. nearly eight false alarms for every true hit.
Analysis of political content, including the filtering of Falun Gong material, uses the text filtering engine of Beijing Dazheng Language Knowledge Processing Technology Co. Ltd.: HncEng.exe, HncEngPS.dll and SentenceObj.dll. The data file HNCLIB/FalunWord.lib, encoded in UTF-32LE, contains, beyond Falun Gong terms, a large vocabulary of political and pornographic keywords.
Keyword list extracted from the data file HNCLIB/FalunWord.lib: http://filetwt.com/f/bn734dm89h
A more complete parsed keyword list: https://docs.google.com/View?docid=d7w7twp_977hcmc35g3
From an analysis of http://www.hncit.com/update/ST771.rar, the contents under ST771.rar\ST771\package2
An unencrypted keyword file can also be found on the Beijing Dazheng website: http://docs.google.com/Doc?docid=dczkbptk_0ffc2hvc9&hl=en
Pornographic keywords in the test version: https://docs.google.com/View?id=ah27xz4pbz6s_22cgwh6xf7
Non-pornographic keywords: https://docs.google.com/View?id=ah27xz4pbz6s_24c6dw27g6
Instructions from higher authorities: https://docs.google.com/View?id=ah27xz4pbz6s_25fpx2qkhp
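The keyword lists linked above were recovered by pulling UTF-32LE text out of FalunWord.lib. As an added example (not the page's or Dazheng's code), the Python below does that "strings"-style scan, handling the one thing that trips people up with 4-byte encodings: a dump that does not start on a code-point boundary. The sample blob is constructed here, and its layout (a short non-text header, keywords separated by a NUL code point) is an assumption; the page only states that the file is UTF-32LE.

```python
from typing import List

# Constructed sample blob standing in for FalunWord.lib (layout is an assumption).
SAMPLE_KEYWORDS = ["法轮功", "六四", "色情", "Tiananmen"]
SAMPLE_BLOB = (
    b"\x01\x02\x03\x04"
    + b"".join(w.encode("utf-32-le") + b"\x00\x00\x00\x00" for w in SAMPLE_KEYWORDS)
    + b"\xff\xfe"
)


def utf32le_strings(blob: bytes, offset: int = 0, min_len: int = 2) -> List[str]:
    """Scan for runs of valid UTF-32LE code points, reading 4 bytes at a time from offset.
    Anything outside U+0020..U+10FFFF, or in the surrogate range, ends the current run."""
    found: List[str] = []
    run: List[str] = []
    for i in range(offset, len(blob) - 3, 4):
        cp = int.from_bytes(blob[i:i + 4], "little")
        if 0x20 <= cp <= 0x10FFFF and not (0xD800 <= cp <= 0xDFFF):
            run.append(chr(cp))
            continue
        if len(run) >= min_len:
            found.append("".join(run))
        run = []
    if len(run) >= min_len:
        found.append("".join(run))
    return found


def best_alignment(blob: bytes) -> int:
    """Try all four byte alignments and keep the one yielding the most text. Misaligned
    reads of ASCII produce plausible-looking but spurious CJK code points (the bytes
    00 54 00 00 read as U+5400), so the total length of recovered text decides."""
    scores = [sum(len(s) for s in utf32le_strings(blob, off)) for off in range(4)]
    return max(range(4), key=lambda off: scores[off])


def extract_keywords(blob: bytes) -> List[str]:
    """Recover the keyword list from a raw dump, whatever its leading alignment."""
    return utf32le_strings(blob, best_alignment(blob))


if __name__ == "__main__":
    for keyword in extract_keywords(SAMPLE_BLOB):
        print(keyword)
```

On a real file, run extract_keywords over the whole file and diff the result against the linked lists; a shift in the header length between versions is what best_alignment is there to absorb.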
Application control and filtering
Green Dam controls the time minors spend online, on QQ or MSN, and playing games; by preventing over-use of the Internet it claims to eliminate "Internet addiction".
Control over content in applications
Testing has shown that if any word resembling "Falun Gong" is entered into Notepad or WordPad, the application is shut down; typing the same characters into Paint or MSN Messenger, however, produces no response, illustrating how incomplete the program is.
A segment of decompiled content shows which applications Green Dam monitors:
00468940 .wow.exe.魔兽世界....yaho
00468980 omessenger.exe..雅虎通..wangwang.exe....阿里旺旺....start.exe...
004689C0 网易POPO....网易popo....uc.exe..新浪UC..新浪uc..icq.exe.ICQ6....
00468A00 icq6....skype.exe...Skype...skype...eph.exe.e话通...doshow..msnm
00468A40 sgr.exe.MSN.msn messenger...qqgame.exe..QQ游戏..qq游戏..qqchat.e
00468A80 xe..QQ聊天室....qq聊天室....qq.exe..QQ..qq2.bitbomet.exe....BitC
00468AC0 omet....bitcomet....
Blocking of circumvention software, such as FreeGate. In system32 there is a file filtport.dat whose default content reads: FreeGate/8567/tcp Urf/9666/tcp. Two processes, xdaemon.exe and xnet2.exe, upon opening the Wujie page will......
On examination, three programs, XDaemon.exe, XNet2.exe and gn.exe, protect one another so that none of them can be deleted or have its process terminated. This is a technique commonly used by viruses and rogue software.
The monitored processes include:
uedit32.exe
emeditor.exe
wordpad.exe
notepad.exe
wps.exe
wpp.exe
et.exe
powerpnt.exe
frontpg.exe
excel.exe
msaccess.exe
outlook.exe
winword.exe
mailmagic.exe
popo.exe
qqmail.exe
aixmail.exe
imapp.exe
incmail.exe
msimn.exe
dm2005.exe
foxmail.exe
googletalk.exe
miranda32.exe
imu.exe
ypager.exe
tmshell.exe
start.exe
uc.exe
icqchatrobot.exe
qq.exe
msnmsgr.exe
Nearly all common text editors (EditPlus, UltraEdit, EmEditor), office suites (the three WPS components, the MS Office family), e-mail clients, instant-messaging clients and browsers are monitored.
Internet filtering
Green Dam hooks the Winsock2 SPI (service provider interface, i.e. it installs a Layered Service Provider) to obtain all data sent and received, analyses it to pick out HTTP traffic, decodes the HTTP protocol, and passes the result through a URL detector, a harmful-URL detector and a keyword detector; the outcome of those decides whether the image detector also needs to run, and harmful web addresses newly discovered through image detection are reported to the system administrator.
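The following Python is an added example, not Green Dam's code, that models the network filter as the page describes it and the port block described under "Application control and filtering": a port/protocol check driven by rules in the filtport.dat format, then, for HTTP only, the URL list, the keyword detector over the percent-decoded URL and body, and finally the decision whether an image response goes on to the image detector. The two filtport entries are the defaults quoted above; the host list, keyword list, traffic samples and the "only image/* responses reach the image detector" rule are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

FILTPORT_DAT = "FreeGate/8567/tcp Urf/9666/tcp"   # default content quoted on the page
BAD_HOSTS = {"blocked.example"}                   # constructed stand-in for the URL list
KEYWORDS = ["法轮功", "freegate"]                 # constructed stand-in for the keyword list
IMAGE_TYPES = ("image/jpeg", "image/png", "image/gif", "image/bmp")


@dataclass
class Verdict:
    action: str                # "allow" or "block"
    reason: str
    image_check: bool = False  # True when the image detector would be invoked next


def parse_filtport(text: str) -> List[Tuple[str, int, str]]:
    """Parse whitespace-separated 'Name/port/proto' entries."""
    rules = []
    for entry in text.split():
        name, port, proto = entry.split("/")
        rules.append((name, int(port), proto.lower()))
    return rules


def port_rule_match(port: int, proto: str, rules: List[Tuple[str, int, str]]) -> Optional[str]:
    for name, rule_port, rule_proto in rules:
        if rule_port == port and rule_proto == proto.lower():
            return name
    return None


def parse_http(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split an HTTP request or response into start line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect(dst_port: int, proto: str, raw: bytes, rules=None) -> Verdict:
    """One pass through the detectors in the order the page lists them."""
    rules = parse_filtport(FILTPORT_DAT) if rules is None else rules
    hit = port_rule_match(dst_port, proto, rules)
    if hit:
        return Verdict("block", f"filtport rule {hit}/{dst_port}/{proto.lower()}")
    is_request = raw.startswith((b"GET ", b"POST ", b"HEAD "))
    is_response = raw.startswith(b"HTTP/")
    if not (is_request or is_response):
        return Verdict("allow", "not HTTP: passed through uninspected")
    start, headers, body = parse_http(raw)
    url_text = ""
    if is_request:
        target = start.split(" ")[1]
        host = headers.get("host", "").lower()
        if host in BAD_HOSTS:                       # URL detector / harmful-URL detector
            return Verdict("block", f"harmful URL list: {host}")
        url_text = unquote(target)                  # decode %E6%B3%95... before matching
    haystack = (url_text + " " + body.decode("utf-8", "replace")).lower()
    for keyword in KEYWORDS:                        # keyword detector
        if keyword.lower() in haystack:
            return Verdict("block", f"keyword: {keyword}")
    ctype = headers.get("content-type", "").lower()
    return Verdict("allow", "no URL/keyword hit", image_check=ctype.startswith(IMAGE_TYPES))


# Constructed traffic samples.
REQ_OK = b"GET /news HTTP/1.1\r\nHost: example.org\r\n\r\n"
REQ_BAD_HOST = b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n"
REQ_ENCODED_KW = b"GET /search?q=%E6%B3%95%E8%BD%AE%E5%8A%9F HTTP/1.1\r\nHost: example.org\r\n\r\n"
REQ_POST_KW = b"POST /post HTTP/1.1\r\nHost: example.org\r\n\r\ndownload FreeGate here"
RESP_IMAGE = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8\xff\xe0"

if __name__ == "__main__":
    print(inspect(8567, "tcp", b""))            # block: filtport rule FreeGate/8567/tcp
    print(inspect(443, "tcp", b"\x16\x03\x01"))  # allow: TLS is never decoded
    print(inspect(80, "tcp", REQ_ENCODED_KW))    # block: keyword: 法轮功
    print(inspect(80, "tcp", RESP_IMAGE))        # allow, image_check=True
```

Two properties fall straight out of the model: the port rules fire on a bare port number regardless of what the traffic is, so any program using 8567/tcp is "FreeGate", and anything that is not plaintext HTTP (TLS, a circumvention tool on a different port) passes through without any of the detectors seeing it.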
Potential risks
- China tightens Internet controls (Wall Street Journal)
- Ministry of Industry and Information Technology document
- From next month, newly sold PCs will come pre-installed with Internet filtering software (NetEase Tech)
- Trial review of the "Green Dam-Youth Escort" Internet management software
- Foreign Ministry spokesperson retorts: "Do you have children?"
- Why "Green Dam" is being questioned (Caijing.com)
- Green Dam's official website inaccessible after hacker attack (Sina Tech)