Hardened Computing Platform
Mitigations are effective at making it more expensive to reliably exploit many classes of vulnerabilities. One of the primary goals of Subgraph OS is to increase the cost of successful attacks against users through a defense-in-depth strategy. Therefore Subgraph OS includes mitigation features to help accomplish this objective. Some of them are outlined below.
Kernel Hardened with Grsecurity/PaX
Subgraph OS ships with a kernel hardened with Grsecurity, the best set of Linux kernel security enhancements available. Grsecurity includes PaX, a set of patches to make both the userland and the kernel more resistant to exploitation of memory corruption vulnerabilities. Other Grsecurity enhancements strengthen local access control and provide a more secure environment for application containment.
Container Isolation
Subgraph OS's application containment mechanism creates sandboxes around at-risk applications, such as the browser, email client, PDF viewer, and IM client. The objective is to contain the impact of a successful attack against these applications, preventing compromise of the entire system. Each application within a container has a limited view of the host system and a limited set of capabilities, such as restricted access to the file system or the network. Strengthening the isolation that Subgraph OS can provide will be an ongoing focus of research.
Application Network Policy
Subgraph OS includes features to enforce application network policies such as Subgraph Metaproxy and the application firewall.
Metaproxy is configured to redirect outgoing connections to the Tor network based on a white-list of approved applications. Each application is automatically relayed through a proxy that will use a different Tor circuit. This will help ensure that, for example, the instant messaging client and web browser are not passing over the same Tor circuit, which could undermine the anonymity provided by Tor.
The application firewall will restrict which applications can connect to the network based on the name of the application or the destination. Users will be prompted to set temporary or permanent policies as outgoing connections are made. This can help prevent malicious code from making unauthorized outgoing connections to phone home.
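The policy model described above, as an added illustration in Go rather than the Subgraph firewall's own code: rules match on application name and/or destination, temporary rules carry an expiry, and a connection with no live matching rule yields a "prompt" verdict so the user can decide. The rule structure, verdict names, and sample applications are assumptions made for this example.

```go
package main

import (
	"fmt"
	"time"
)

// Verdict is the outcome of evaluating an outgoing connection.
type Verdict string

const (
	Prompt Verdict = "prompt" // no live matching rule: ask the user
	Allow  Verdict = "allow"
	Deny   Verdict = "deny"
)

// Rule matches on application name and/or destination host (empty = any).
// A zero Expires marks a permanent rule; otherwise the rule is temporary.
type Rule struct {
	App, Dest string
	Allow     bool
	Expires   time.Time
}

// Evaluate returns the verdict for app connecting to dest at time now.
// Rules are checked in order; lapsed temporary rules are skipped so the
// user is prompted again instead of inheriting a stale decision.
func Evaluate(rules []Rule, app, dest string, now time.Time) Verdict {
	for _, r := range rules {
		if !r.Expires.IsZero() && now.After(r.Expires) {
			continue // temporary rule has expired
		}
		if (r.App == "" || r.App == app) && (r.Dest == "" || r.Dest == dest) {
			if r.Allow {
				return Allow
			}
			return Deny
		}
	}
	return Prompt
}

func main() {
	now := time.Now()
	rules := []Rule{ // constructed sample policy
		{App: "coyim", Allow: true},                                  // permanent allow by name
		{App: "pdfviewer", Allow: false},                             // PDF viewer never reaches the network
		{App: "browser", Dest: "example.org", Allow: true, Expires: now.Add(time.Hour)}, // temporary
	}
	fmt.Println(Evaluate(rules, "coyim", "xmpp.example", now))
	fmt.Println(Evaluate(rules, "browser", "example.org", now.Add(2*time.Hour)))
}
```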
Mandatory Filesystem Encryption
Subgraph OS users who install the operating system must have encrypted filesystems. It is not optional in Subgraph OS.
Encrypted filesystems help to prevent certain types of attacks by an adversary with physical access to the computer.
Secure Runtimes
Subgraph believes that managed runtimes and memory-safe languages should be used where possible. For this reason, CoyIM, the Metaproxy, and other components of Subgraph OS are written in higher-level languages that are memory-safe or run in managed runtimes, making them less susceptible to memory-corruption implementation vulnerabilities. This is done with the intent of closing off entire avenues of attack against these applications.
Package Security
Subgraph OS ships with a reduced set of packages to minimize the total attack surface. Subgraph OS identifies key applications that are especially high-risk and adds additional controls, such as containment. Additionally, certain applications, such as the email client, have been re-written from scratch by Subgraph.
Binary Integrity
Reducing the risk of installing malicious or vulnerable packages is a long-term priority for Subgraph. Subgraph is developing a deterministic build process for verifying the integrity of distributed binary packages. This will allow users to verify that the binary packages from our repositories have not been tampered with, since a user can rebuild them from source on their own computer and compare the results against our builds.