Subgraph OS: Adversary resistant computing platform
Subgraph OS is a desktop computing and communications platform that is designed to be resistant to network-borne exploit and malware attacks. It is also meant to be familiar and easy to use. Even in alpha, Subgraph OS looks and feels like a modern desktop operating system.
Subgraph OS includes strong system-wide attack mitigations that protect all applications as well as the core operating system, and key applications are run in sandbox environments to reduce the impact of any attacks against applications that are successful.
Subgraph OS was designed to reduce the risks in endpoint systems so that individuals and organizations around the world can communicate, share, and collaborate without fear of surveillance or interference by sophisticated adversaries through network borne attacks. Subgraph OS is designed to be difficult to attack. This is accomplished through system hardening and proactive, ongoing research on defensible system design.
Hardened kernel built with grsecurity, PaX, and RAP
Subgraph OS includes a kernel hardened with the well-respected grsecurity/PaX patchset for system-wide exploit and privilege escalation mitigation. In addition to making the kernel more resistant to attacks, grsecurity and PaX security features offer strong security protection to all processes running without modification (i.e. recompiling / relinking).
The Subgraph OS kernel is also built with the recently released RAP (demo from the test patch) security enhancements designed to prevent code-reuse (i.e. ROP) attacks in the kernel. This is an important mitigation against contemporary exploitaion techniques and greatly increases the resistance of the kernel to modern exploits that can be used to escalate privileges once an application on the endpoint is breached. grsecurity, PaX, and RAP are essential defenses implemented in Subgraph OS.
The Subgraph OS kernel (4.9) is also built with fewer features to the extent possible producing a widely-usable desktop operating system. This is done to proactively reduce kernel attack surface.
Subgraph OS runs exposed or vulnerable applications in sandbox environments. This sandbox framework, known as Oz, unique to Subgraph OS, is designed to isolate applications from each other and the rest of the system. Access to system resources are only granted to applications that need them. For example, the PDF viewer and the image viewer do not have access to any network interface in the sandbox they're configured to run in.
The technologies underlying Oz include Linux namespaces, restricted filesystem environments, desktop isolation, and seccomp bpf to reduce kernel attack surface through system call whitelists. Subgraph is regularly instrumenting applications and libraries to limit the exposed kernel API to what is necessary for each sandboxed application to function. Many applications only need about one-third to one-half of the available system calls to function, and the Subgraph Oz sandbox framework ensures that the unnecessary system calls cannot be invoked (Oz can and often does restrict system calls to specific known parameters to further narrow kernel attack surface through system calls such as ioctl(2)). Subgraph OS will soon be using gosecco, a new library for seccomp-bpf that lets policies be expressed in a format that is more efficient, cross-platform, and understandable to humans.
Sandboxed applications include:
- Web browser
- Email client with built-in support for encryption
- CoyIM instant messenger
- LibreOffice productivity suite
- PDF viewer
- Image viewer
- Video player
Most custom code written for Subgraph OS is written in Golang, which is a memory safe language. Golang libraries are also often implemented in pure Golang, which is in contrast to other popular languages such as Python. While the Python runtime may be memory safe, the C languages wrapped by so many of the commonly used libraries expose tools written in Python to the same old memory corruption vulnerabilities.
Subgraph also includes an application firewall that will detect and alert the user to unexpected outbound connections by applications. The Subgraph application firewall is fairly unique to Linux-based operating systems and is an area of ongoing development.
Other security features
Subgraph OS is constantly improving and hardening the default security state of the operating system. This includes making configuration enhancements and adding entirely new mitigations.
Additional security features in Subgraph OS include:
- AppArmor profiles covering many system utilities and applications
- Security event monitor and desktop notifications (coming soon)
- Roflcoptor tor control port filter service
- Port to new seccomp-bpf golang library Gosecco
Subgraph OS is based on a foundation designed to be resistant to attacks against operating systems and the applications they run.
Subgraph OS includes built-in Tor integration, and a default policy that sensitive applications only communicate over the Tor network.
Subgraph OS ships with a new, more secure IM client, and an e-mail client configured by default for PGP and Tor support.
Alpha release availability
Try the Subgraph OS Alpha today. You can install it on a computer, run it as a live-disk, or use it in a VM.