Subgraph OS was a
Debian
Debian () is a free and open-source software, free and open source Linux distribution, developed by the Debian Project, which was established by Ian Murdock in August 1993. Debian is one of the oldest operating systems based on the Linux kerne ...
-based project designed to be resistant to surveillance and interference by sophisticated adversaries over the Internet. It has been mentioned by
Edward Snowden
Edward Joseph Snowden (born June 21, 1983) is a former National Security Agency (NSA) intelligence contractor and whistleblower who leaked classified documents revealing the existence of global surveillance programs.
Born in 1983 in Elizabeth ...
as showing future potential.
Subgraph OS was designed to be locked down, with a reduced attack surface, to increase the difficulty to carry out certain classes of attack against it. This was accomplished through system hardening and a proactive, ongoing focus on security and attack resistance. Subgraph OS also placed emphasis on ensuring the integrity of installed software packages through
deterministic compilation.
The last update of the project's blog was in September 2017, and all of its
GitHub
GitHub () is a Proprietary software, proprietary developer platform that allows developers to create, store, manage, and share their code. It uses Git to provide distributed version control and GitHub itself provides access control, bug trackin ...
repositories haven't seen activity since 2020.
Features
Some of Subgraph OS's notable features included:
*
Linux kernel
The Linux kernel is a Free and open-source software, free and open source Unix-like kernel (operating system), kernel that is used in many computer systems worldwide. The kernel was created by Linus Torvalds in 1991 and was soon adopted as the k ...
hardened with the grsecurity and
PaX patchset.
*
Linux namespaces and
xpra for application containment.
* Mandatory file system encryption during installation using
LUKS.
* Configurable firewall rules to automatically ensure that network connections for installed applications are made using the
Tor anonymity network. Default settings ensure that each application's communication is transmitted via an independent circuit on the network.
*
GNOME Shell integration for the OZ virtualization client, which runs apps inside a secure Linux container, targeting ease-of-use by everyday users.
Security
Subgraph OS's
sandbox containers have been critiqued as inferior to
Qubes OS's
virtualization
In computing, virtualization (abbreviated v12n) is a series of technologies that allows dividing of physical computing resources into a series of virtual machines, operating systems, processes or containers.
Virtualization began in the 1960s wit ...
. An attacker can trick a Subgraph user to run a malicious unsandboxed script via the default
Nautilus
A nautilus (; ) is any of the various species within the cephalopod family Nautilidae. This is the sole extant family of the superfamily Nautilaceae and the suborder Nautilina.
It comprises nine living species in two genera, the type genus, ty ...
file manager or in the terminal. It is also possible to run malicious code containing
.desktop files (which are used to launch applications). Malware can also bypass Subgraph OS's
application firewall
An application firewall is a form of firewall that controls input/output or system calls of an application or service. It operates by monitoring and blocking communications based on a configured policy, generally with predefined rule sets to c ...
. Also, by design, Subgraph does not isolate the
network stack like Qubes OS.
See also
*
Tails (operating system)
*
Qubes OS
References
External links
*
* {{DistroWatch, Subgraph
Debian-based distributions
Operating system security
Linux distributions