Subgraph OS is a

Linux distribution A Linux distribution (often abbreviated as distro) is an operating system made from a software collection that includes the Linux kernel and, often, a package management system. Linux users usually obtain their operating system by downloading one ...

designed to be resistant to surveillance and interference by sophisticated adversaries over the Internet. It is based on

Debian Debian (), also known as Debian GNU/Linux, is a Linux distribution composed of free and open-source software, developed by the community-supported Debian Project, which was established by Ian Murdock on August 16, 1993. The first version of D ...

. The operating system has been mentioned by

Edward Snowden Edward Joseph Snowden (born June 21, 1983) is an American and naturalized Russian former computer intelligence consultant who leaked highly classified information from the National Security Agency (NSA) in 2013, when he was an employee and su ...

as showing future potential. Subgraph OS is designed to be locked down and with features which aim to reduce the attack surface of the operating system, and increase the difficulty required to carry out certain classes of attack. This is accomplished through system hardening and a proactive, ongoing focus on security and attack resistance. Subgraph OS also places emphasis on ensuring the integrity of installed software packages through

deterministic compilation Reproducible builds, also known as deterministic compilation, is a process of compiling software which ensures the resulting binary code can be reproduced. Source code compiled using deterministic compilation will always output the same binary. ...

Features

Some of Subgraph OS's notable features include: *

Linux kernel The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel. It was originally authored in 1991 by Linus Torvalds for his i386-based PC, and it was soon adopted as the kernel for the GNU ope ...

hardened with the grsecurity and PaX patchset. * Linux namespaces and xpra for application containment. * Mandatory file system encryption during installation, using LUKS. * Resistance to cold boot attacks. * Configurable firewall rules to automatically ensure that network connections for installed applications are made using the

Tor anonymity network Tor, short for The Onion Router, is free and open-source software for enabling anonymous communication. It directs Internet traffic through a free, worldwide, volunteer overlay network, consisting of more than seven thousand relays, to con ...

. Default settings ensure that each application's communication is transmitted via an independent circuit on the network. * GNOME Shell integration for the OZ virtualization client, which runs apps inside a secure Linux container, targeting ease-of-use by everyday users.

Security

The security of Subgraph OS (which uses sandbox containers) has been questioned in comparison to Qubes (which uses virtualization), another security focused operating system. An attacker can trick a Subgraph user to run a malicious unsandboxed script via the OS's default Nautilus file manager or in the terminal. It is also possible to run malicious code containing

.desktop In computing, a file shortcut is a handle in a user interface that allows the user to find a file or resource located in a different directory or folder from the place where the shortcut is located. Similarly, an Internet shortcut allows the user ...

files (which are used to launch applications). Malware can also bypass Subgraph OS's application firewall. Also, by design, Subgraph does not isolate the network stack like Qubes OS.

References

External links

* * {{DistroWatch, Subgraph Debian-based distributions Operating system security Linux distributions

Features

Security

See also

References

External links