Subgraph OS Alpha
Every so often new secure operating system’s get developed behind closed doors but then make their way to us regular people for us to use. Subgraph OS is one of those, but it is not really available as such. It is currently in Alpha release so it may not be for the faint-hearted.
The operating system design has learned from many of the other security features that have made their way into Linux as well as utilizing industry standard security tools such as Tor at the core. If we look at the logical make up using the diagram below, you can see it looks very promising.
(Image courtesy of the Subgraph OS Website https://subgraph.com/sgos/graph/index.en.html)
If you look at the breakdown you can see that a lot has been invested in building a secure core with layers of protection wrapped at every level.
The website breaks down the design into three areas, Hardening, Anonymization and Secure Communications.
Hardened Computing Platform
Mitigations are effective at making it more expensive to reliably exploit many classes of vulnerabilities. One of the primary goals of Subgraph OS is to increase the cost of successful attacks against users through a defense-in-depth strategy. Therefore, Subgraph OS includes mitigation features to help accomplish this objective. Some of them are outlined below.
Kernel Hardened with Grsecurity/PaX
Subgraph OS ships with a kernel hardened with Grsecurity, the best set of Linux kernel security enhancements available. Grsecurity includes PaX, a set of patches to make both the userland and the kernel more resistant to exploitation of memory corruption vulnerabilities. Other Grsecurity enhancements strengthen local access control and provide a more secure environment for application containment.
Subgraph OS’s application containment mechanism creates sandboxes around at-risk applications, such as the browser, email client, PDF viewer, and IM client. The objective of this is to contain the impact of a successful attack against these applications, preventing compromise of the entire system. Each application within a container has a limited view of the host system and limited set of capabilities such as limiting access to the file system or the network. Strengthening the level of isolation that Subgraph OS can provide will be an ongoing area of research focus.
Application Network Policy
Subgraph OS includes features to enforce application network policies such as Subgraph Metaproxy and the application firewall. Metaproxy is configured to redirect outgoing connections to the Tor network based on a white-list of approved applications. Each application is automatically relayed through a proxy that will use a different Tor circuit. This will help ensure that, for example, the instant messaging client and web browser are not passing over the same Tor circuit, which could undermine the anonymity provided by Tor. The application firewall will restrict which applications can connect to the network based on the name of the application or the destination. Users will be prompted to set temporary or permanent policies as outgoing connections are made. This can help prevent malicious code from making unauthorized outgoing connections to phone home.
Mandatory Filesystem Encryption
Subgraph OS users who install the operating system must have encrypted filesystems. It is not optional in Subgraph OS. Encrypted filesystems help to prevent certain types of attacks by an adversary with physical access to the computer. Subgraph OS also wipes memory when the system is shutdown as a countermeasure against “cold boot” attacks.
Subgraph believes that managed runtimes and memory-safe languages should be used where possible. For this reason, Subgraph Mail, the Metaproxy, and other components of the Subgraph OS are written in higher level languages that are memory-safe or run in managed runtimes, making them less susceptible to memory corruption style implementation vulnerabilities. This is done with the intent of reducing entire avenues of attack against these applications.
Subgraph OS ships with a reduced set of packages to minimize the total attack surface. Subgraph OS identifies key applications that are especially high-risk and adds additional controls, such as containment. Additionally, certain applications, such as the email client, have been re-written from scratch by Subgraph.
Reducing the risk of installation of malicious or vulnerable packages is a long term priority for Subgraph. Subgraph is developing a deterministic build process for verifying the integrity of distributed binary packages. This will allow users to verify that the binary packages from our repositories have not been tampered with as the user can rebuild them from source on their computer and compare the results against our builds.
One of the design objectives of Subgraph OS is create an endpoint that is resistant to user identification and tracking. Anonymization through the Toronion routing network plays an important role in the Subgraph approach to accomplishing this.
Everything through Tor
By default, policy, Subgraph OS will restrict the communication of applications so that they use the Tor network exclusively, obfuscating the endpoint’s physical origin. Applications will be transparently redirected to connect through the Tor network via our Metaproxy application. Metaproxy will intercept outgoing connections and relay them through the correct proxy (SOCKS, HTTP, etc.). Proxy configuration is managed within Metaproxy, allowing applications to transparently connect to the Tor network without having to configure each individual application to use a proxy. Exceptions to the “everything through Tor” policy will be made for specific use cases, such as accessing a captive portal on a public Wi-Fi network.
Application Network Policy
The policy that controls how and when applications can connect to external peers will be enforced in two different ways. Firstly, the Subgraph Metaproxy is configured to white-list allowed applications based on connection properties such as the name of the application and the destination port. Any connections that do not match the white-list will simply be dropped. Metaproxy is also configured to leverage Tor’s stream isolation capabilities to ensure that two applications do not use the same Tor circuit. This will make it more difficult to correlate activities from different applications to the same pseudonym. Our second layer of network policy enforcement is the application firewall. The application firewall manages outgoing connections. When it sees a new connection that does not match an existing policy, it prompts to user to accept or deny the connections on a temporary or permanent basis. The user will be able to set policy based on the properties they wish to allow or deny, such as the destination of the connection or the name of the application that initiated the connection.
Subgraph OS makes use of Tor hidden services for certain facilities, such as the Identity Verification Service operated by Subgraph. Additional services will be developed and accessed by Subgraph OS users through Tor hidden services in the future.
Secure Communication: (https://subgraph.com/sgos/secure-communication/index.en.html)
A Platform for Secure Communication
Subgraph OS was designed to enable secure communication, and a key part of a secure communications platform is the email client. Subgraph has written an entirely new email client from the ground-up to be a usable, attack resistant, standards-supporting end-user client for communicating securely with email.
Subgraph Mail is a GUI-based, modern desktop email client. Subgraph Mail supports IMAPS and can be used with your existing e-mail service provider. Subgraph Mail was written for the purpose of secure communication. Data security, authentication, and integrity verification are not add-ons – it’s built in.
Subgraph Mail supports OpenPGP and can seamlessly send and receive encrypted/signed messages using PGP/MIME. The OpenPGP implementation used by Subgraph Mail is written from scratch and fully integrated as part of the Subgraph Mail source code. There is no reliance on external command-line utilities or plug-ins to perform encryption, decryption, and signature verification operations. Re-implementing OpenPGP for email was a decision we made to avoid the potential risk we see in other clients of third-party plug-ins, and third-party encryption utilities failing to operate together correctly.
Authentication is one of the challenges in establishing a global web of trust – key signing parties don’t scale. We offer a basic solution to this challenge. Subgraph Mail makes it easy to authenticate peers through an identity verification service built right into the client. Users of Subgraph Mail can easily create new keys – or use pre-existing keys – and register the public portion with the Nyms Identity Verification Service, which is exposed as a Tor Hidden Service. Our identity verification service can verify the email address associated with the key through the Subgraph Mail client, and then sign the key and host it on the Subgraph public key server. Verified keys will be seamlessly available to other users of Subgraph Mail, which will automatically consult the Subgraph keyserver when a public key is needed, but unavailable.
Subgraph Mail runs in a managed runtime, making it more resistant to many implementation bugs that are commonly exploited against complex applications such as email clients and browsers. Design decisions have also focused on keeping the attack surface low. For example, Subgraph Mail does not include a browser, as do many other clients.
Subgraph Mail will support Pond in the near future, presenting it as an alternative method of communication. We realize the need to think beyond email, and flexibility to support alternatives is another reason why we decided to write our own mail client.
All in all, the system is built on top of Debian, so once installed it looks very much any other Debian based system.
Clean and slick looking background with a minimal interface has my vote already. Clicking around the interface, we can get access to the Firewall settings directly from the launcher up in the right corner.
There you will also find access to the Tor component, for specifying a “New Identity” as you need it.
The user experience for menus, is similar to other builds of Debian, allowing you to click through screens of applications and search for what you need.
As you can see the left navigation is also available for quick access, along with virtual desktops when you just need to isolate applications to different screens.
Atheistically it looks nice and works like any other Debian build. The key however is the under covers pieces that, make it secure.
The big win here is the idea of sandboxing applications from each other ensuring that nothing can cross the boundaries assigned in the whitelist and blacklist policies. When an application utilizes this you can access the current sandboxes from the main menu. The Sandboxing is completed the tool “Oz” which is also in Alpha, more details can be found here: https://github.com/subgraph/oz#oz-client-commands
A detailed walk through can be found here too: https://github.com/subgraph/oz/wiki/Oz-Technical-Details
At the moment only the chat applications and Tor utilize this, other will follow. The idea behind this is that each application can be isolated form each other, and interaction with that application controlled within the Sandbox, stopping for example an infected PDF from infecting other processes in the system. You can read about this in the FAQ section of the Subgraph OS Site.
If you feel brave then head over and download the ISO and start playing: https://subgraph.com/sgos/download/index.en.html
More to come in the future J