Subgraph OS is an adversary resistant computing platform. The main purpose of Subgraph OS is to empower people to communicate, share, and collaborate without fear of surveillance and interference. In practical terms, this means that users of Subgraph OS can perform their day-to-day tasks securely and privately.
In some ways, Subgraph OS is like other operating systems: it is derived from Debian GNU/Linux and uses the GNOME desktop environment as its graphical user interface. Many applications found in other Linux distributions are also available in Subgraph OS. Therefore, users who are already familiar with Linux, and particularly with the GNOME desktop environment, will find Subgraph OS easy to use.
Subgraph OS also has key differences from conventional Linux operating systems. In particular:
- Subgraph OS anonymizes Internet traffic by sending it through the Tor network
- Subgraph OS is hardened against common security vulnerabilities
- Subgraph OS runs many desktop applications in a security sandbox to limit the damage if they are compromised
The Internet is a hostile environment, and recent revelations have made it more apparent than ever before that the risk to everyday users extends beyond the need to secure the network transport: the endpoint is also at risk. Subgraph OS was designed from the ground up to reduce the risks in endpoint systems so that individuals and organizations around the world can communicate, share, and collaborate without fear of surveillance or interference by sophisticated adversaries through network-borne attacks. Subgraph OS is designed to be difficult to attack. This is accomplished through system hardening and a proactive, ongoing focus on security and attack resistance. Subgraph OS also places emphasis on the integrity of installable software packages.
One of the primary goals of Subgraph OS is to increase the cost of successful attacks against users through a defense-in-depth strategy. Therefore Subgraph OS includes mitigation features to help accomplish this objective.
Kernel Hardened with Grsecurity/PaX
Subgraph OS ships with a kernel hardened with Grsecurity, the best set of Linux kernel security enhancements available. Grsecurity includes PaX, a set of patches that make both userland and the kernel more resistant to exploitation of memory corruption vulnerabilities. Other Grsecurity enhancements strengthen local access control and provide a more secure environment for application containment.
Subgraph OS’s application containment mechanism creates sandboxes around at-risk applications, such as the browser, email client, PDF viewer, and IM client. The objective is to contain the impact of a successful attack against these applications, preventing compromise of the entire system. Each application within a container has a limited view of the host system and a limited set of capabilities, such as restricted access to the file system or the network. Strengthening the level of isolation that Subgraph OS can provide will be an ongoing area of research focus.
Application Network Policy
Subgraph OS includes features to enforce application network policies such as Subgraph Metaproxy and the application firewall.
Metaproxy is configured to redirect outgoing connections to the Tor network based on a white-list of approved applications. Each application is automatically relayed through a proxy that will use a different Tor circuit. This will help ensure that, for example, the instant messaging client and web browser are not passing over the same Tor circuit, which could undermine the anonymity provided by Tor.
The application firewall will restrict which applications can connect to the network based on the name of the application or the destination. Users will be prompted to set temporary or permanent policies as outgoing connections are made. This can help prevent malicious code from making unauthorized outgoing connections to phone home.
Mandatory Filesystem Encryption
Subgraph OS users who install the operating system must have encrypted filesystems. This is not optional in Subgraph OS.
Encrypted filesystems help to prevent certain types of attacks by an adversary with physical access to the computer. Subgraph OS also wipes memory when the system is shut down as a countermeasure against “cold boot” attacks.
Subgraph believes that managed runtimes and memory-safe languages should be used where possible. For this reason, Subgraph Mail, the Metaproxy, and other components of the Subgraph OS are written in higher level languages that are memory-safe or run in managed runtimes, making them less susceptible to memory corruption style implementation vulnerabilities. This is done with the intent of reducing entire avenues of attack against these applications.
Subgraph OS ships with a reduced set of packages to minimize the total attack surface. Subgraph OS identifies key applications that are especially high-risk and adds additional controls, such as containment. Additionally, certain applications, such as the email client, have been re-written from scratch by Subgraph.
Reducing the risk of installation of malicious or vulnerable packages is a long term priority for Subgraph. Subgraph is developing a deterministic build process for verifying the integrity of distributed binary packages. This will allow users to verify that the binary packages from our repositories have not been tampered with as the user can rebuild them from source on their computer and compare the results against our builds.
Everything through Tor
By default policy, Subgraph OS will restrict the communication of applications so that they use the Tor network exclusively, obfuscating the endpoint’s physical origin. Applications will be transparently redirected to connect through the Tor network via our Metaproxy application. Metaproxy will intercept outgoing connections and relay them through the correct proxy (SOCKS, HTTP, etc). Proxy configuration is managed within Metaproxy, allowing applications to transparently connect to the Tor network without having to configure each individual application to use a proxy.
Exceptions to the “everything through Tor” policy will be made for specific use cases, such as accessing a captive portal on a public wi-fi network.
Application Network Policy
The policy that controls how and when applications can connect to external peers will be enforced in two different ways.
Firstly, the Subgraph Metaproxy is configured to white-list allowed applications based on connection properties such as the name of the application and the destination port. Any connections that do not match the white-list will simply be dropped. Metaproxy is also configured to leverage Tor’s stream isolation capabilities to ensure that two applications do not use the same Tor circuit. This will make it more difficult to correlate activities from different applications to the same pseudonym.
Our second layer of network policy enforcement is the application firewall. The application firewall manages outgoing connections. When it sees a new connection that does not match an existing policy, it prompts the user to accept or deny the connection on a temporary or permanent basis. The user will be able to set policy based on the properties they wish to allow or deny, such as the destination of the connection or the name of the application that initiated it.
Subgraph OS makes use of Tor hidden services for certain facilities, such as the Identity Verification Service operated by Subgraph. Additional services will be developed and accessed by Subgraph OS users through Tor hidden services in the future.
A Platform for Secure Communication
Subgraph OS was designed to enable secure communication, and a key part of a secure communications platform is the email client. Subgraph has written an entirely new email client from the ground-up to be a usable, attack resistant, standards-supporting end-user client for communicating securely with email.
Subgraph Mail is a GUI-based, modern desktop email client. Subgraph Mail supports IMAPS and can be used with your existing e-mail service provider. Subgraph Mail was written for the purpose of secure communication. Data security, authentication, and integrity verification are not add-ons – they are built in.
Subgraph Mail supports OpenPGP and can seamlessly send and receive encrypted/signed messages using PGP/MIME. The OpenPGP implementation used by Subgraph Mail is written from scratch and fully integrated as part of the Subgraph Mail source code. There is no reliance on external command-line utilities or plug-ins to perform encryption, decryption, and signature verification operations. Re-implementing OpenPGP for email was a decision made to avoid the potential risk present in other clients of third-party plug-ins, and third-party encryption utilities failing to operate together correctly.
Authentication is one of the challenges in establishing a global web of trust – key signing parties don’t scale. We offer a basic solution to this challenge. Subgraph Mail makes it easy to authenticate peers through an identity verification service built right into the client. Users of Subgraph Mail can easily create new keys – or use pre-existing keys – and register the public portion with the Nyms Identity Verification Service, which is exposed as a Tor Hidden Service. Our identity verification service can verify the email address associated with the key through the Subgraph Mail client, and then sign the key and host it on the Subgraph public key server. Verified keys will be seamlessly available to other users of Subgraph Mail, which will automatically consult the Subgraph keyserver when a public key is needed, but unavailable.
Subgraph Mail runs in a managed runtime, making it more resistant to many implementation bugs that are commonly exploited against complex applications such as email clients and browsers. Design decisions have also focused on keeping the attack surface low. For example, Subgraph Mail does not include a browser, as many other clients do.
Subgraph Mail will support Pond in the near future, presenting it as an alternative method of communication. We realize the need to think beyond email, and flexibility to support alternatives is another reason why we decided to write our own mail client.
Anything that can comfortably run GNOME 3:
- 64-bit machine (Core2Duo or over)
- 2GB of RAM (4GB recommended)
- At least 20GB of hard disk space
Verifying the download
First, download all three files: the ISO image, the SHA-256 checksum file, and the GPG signature.
Second, verify the signature of the checksum file:
gpg --recv-key 19F90630D6A1F29CF1D8D94604242BE5CDC948DA
# You can also get the fingerprint in the title of our IRC channel!
gpg --verify subgraph-os-alpha_2016-03-11_1.iso.sha256.sig subgraph-os-alpha_2016-03-11_1.iso.sha256
gpg should report a “Good signature”.
You can now verify the checksum of the image:
sha256sum -c subgraph-os-alpha_2016-03-11_1.iso.sha256
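The signature and checksum steps above, combined into one POSIX sh helper. This is an added example and not a script from the Subgraph OS page or project: the key fingerprint is the one given above, while the function names, the sample file names and the sample data built in demo() are constructed for the example. It goes one step beyond the page's commands in that it does not stop at gpg printing “Good signature”: it also requires that the signature was made by the expected key, since gpg reports a good signature for any key in the keyring.

```shell
#!/bin/sh
# Added example (not part of the Subgraph OS page or project): verify a downloaded
# image by checking the detached signature on its checksum file, then the checksum.
# EXPECTED_FPR is the fingerprint given on the page; everything else is constructed.

EXPECTED_FPR=19F90630D6A1F29CF1D8D94604242BE5CDC948DA

# verify_image SUMS_FILE [SIG_FILE]
# The image must sit next to SUMS_FILE, because sha256sum -c reads the image name
# from the checksum file. Returns 0 on success, 1 if the signature check fails,
# 2 if the checksum check fails. SIG_FILE may be omitted to skip the signature step.
verify_image() {
  sums=$1
  sig=$2
  if [ -n "$sig" ]; then
    # Machine-readable status lines go to fd 1. A "Good signature" line alone is not
    # enough: VALIDSIG must also carry the expected fingerprint, otherwise a
    # signature by any key that happens to be in the keyring would pass.
    gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null \
      | grep -q "^\[GNUPG:\] VALIDSIG $EXPECTED_FPR" || return 1
  fi
  # --status keeps sha256sum silent; the exit status alone carries the result.
  ( cd "$(dirname "$sums")" && sha256sum -c --status "$(basename "$sums")" ) || return 2
  return 0
}

# describe STATUS: turn verify_image's return value into a short message
describe() {
  case $1 in
    0) echo "ok: signature and checksum verified" ;;
    1) echo "FAIL: signature missing, bad, or made by an unexpected key" ;;
    2) echo "FAIL: checksum mismatch, the image is corrupt or tampered with" ;;
    *) echo "FAIL: unknown status $1" ;;
  esac
}

# demo: build a constructed sample image and its checksum file in a temp dir,
# verify it (signature step skipped), then corrupt the image and verify again.
demo() {
  d=$(mktemp -d)
  printf 'constructed sample image contents\n' > "$d/sample.iso"
  ( cd "$d" && sha256sum sample.iso > sample.iso.sha256 )
  rc=0; verify_image "$d/sample.iso.sha256" || rc=$?
  describe "$rc"
  printf 'x' >> "$d/sample.iso"     # simulate a corrupted or tampered download
  rc=0; verify_image "$d/sample.iso.sha256" || rc=$?
  describe "$rc"
  rm -rf "$d"
}

demo
```

For a real download, run the `gpg --recv-key` command from the page first, put the ISO, the `.sha256` file and the `.sha256.sig` file in one directory, and call `verify_image subgraph-os-alpha_2016-03-11_1.iso.sha256 subgraph-os-alpha_2016-03-11_1.iso.sha256.sig`. Checking the checksum without the signature step only detects corruption; the signature is what ties the checksum file to Subgraph's key.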