Subgraph (operating system)
 |
 | |
| OS family | Linux (Unix-like) |
|---|---|
| Working state | Discontinued[1] |
| Source model | Open source |
| Final preview | 2017.09.22[2] / 22 September 2017 |
| Repository | github |
| Kernel type | Monolithic (Linux) |
| Userland | GNU |
| Influenced by | Tails, Qubes OS |
| Default user interface | GNOME 3 |
| License | GPLv3+ |
| Official website | subgraph |
Subgraph OS was a Debian-based project designed to be resistant to surveillance and interference by sophisticated adversaries over the Internet.[3][4][5][6][7][8] It has been mentioned by Edward Snowden as showing future potential.[9]
Subgraph OS was designed to be locked down, with a reduced attack surface, to increase the difficulty to carry out certain classes of attack against it. This was accomplished through system hardening and a proactive, ongoing focus on security and attack resistance. Subgraph OS also placed emphasis on ensuring the integrity of installed software packages through deterministic compilation.
The last update of the project's blog was in September 2017[10], and all of its github repositories haven't seen any recent activity as of 2021.[11]
Features
Some of Subgraph OS's notable features included:
- Linux kernel hardened with the grsecurity and PaX patchset.[12]
- Linux namespaces and xpra for application containment.
- Mandatory file system encryption during installation using LUKS.
- Configurable firewall rules to automatically ensure that network connections for installed applications are made using the Tor anonymity network. Default settings ensure that each application's communication is transmitted via an independent circuit on the network.
- GNOME Shell integration for the OZ virtualization client, which runs apps inside a secure Linux container, targeting ease-of-use by everyday users.[13]
Security
The security of Subgraph OS (which uses sandbox containers) has been questioned in comparison to Qubes (which uses virtualization), another security focused operating system. An attacker can trick a Subgraph user to run a malicious unsandboxed script via the OS's default Nautilus file manager or in the terminal. It is also possible to run malicious code containing .desktop files (which are used to launch applications). Malware can also bypass Subgraph OS's application firewall. Also, by design, Subgraph does not isolate the network stack like Qubes OS.[14]
See also
References
- ^ https://distrowatch.com/table.php?distribution=Subgraph
- ^ "Subgraph OS September 2017 ISO Availability". subgraph.com. Retrieved 22 September 2017.
- ^ Subgraph: This Security-Focused Distro Is Malware's Worst Nightmare | Linux.com | The source of Linux information
- ^ DistroWatch Weekly, Issue 697, 30 January 2017
- ^ The best Linux distro for privacy and security in 2018 | TechRadar
- ^ Subgraph announces security conscious OS | WIRED UK
- ^ Best Linux Distributions For Privacy Freaks | It's FOSS
- ^ Subgraph OS, a new security-centric desktop distribution [LWN.net]
- ^ Styles, Kirsty (16 March 2016). "Subgraph will be Snowden's OS of choice – but it's not quite ready for humans yet". The Next Web. Retrieved 7 July 2016.
- ^ "Subgraph - Blog". subgraph.com. Retrieved 2023-08-03.
- ^ "Subgraph". GitHub. Retrieved 2023-08-03.
- ^ "Hardening". subgraph.com. Retrieved 2023-08-03.
- ^ "GitHub - OZ: a sandboxing system targeting everyday workstation applications". Subgraph. Retrieved 6 October 2016.
- ^ "Breaking the Security Model of Subgraph OS | Micah Lee's Blog". micahflee.com. Retrieved 2017-04-25.