Subgraph OS: Open source, hardened OS that prioritizes security and anonymity

Subgraph, an open source security company based in Montreal, has published the alpha release of Subgraph OS, which is designed to with security, anonymity AND usability in mind.

“Subgraph OS was designed from the ground-up to reduce the risks in endpoint systems so that individuals and organizations around the world can communicate, share, and collaborate without fear of surveillance or interference by sophisticated adversaries through network borne attacks,” its creators say.

It has been in the works for the last two years, and it’s development has been partially funded by the Open Technology Fund.

The company has implemented attack mitigation features such as:

• A kernel hardened with Grsecurity/PaX
• Applications (browser, email client, PDF viewer, and IM client) running isolated in their own application container, with limited view of the host system and limited set of capabilities
• Mandatory filesystem encryption
• Features that enforce application network policies (Subgraph Metaproxy, which redirects outgoing connections to the Tor network based on a white-list of approved applications, and an application firewall)
• OS components written in memory-safe languages to minimize memory corruption style implementation vulnerabilities
• Additional controls for high-risk apps

A deterministic build process for verifying the integrity of distributed binary packages is also planned.

To prevent user identification and tracking, the plan is to restrict the communication of applications so that they always use the Tor network (except in certain specific cases). Also, Subgraph OS makes use of Tor hidden services for certain facilities, (e.g. the Identity Verification Service by Subgraph).

The OS comes with the Tor Browser and Subgraph Mail, a new email client that has been written from scratch so that it’s both highly secure and usable.

It has a GUI, supports OpenPGP, has a built-in identity verification service, and runs in a managed runtime. It’s also architected in a way that prevents attackers who have compromised part of the app to access the encryption keys.

The PDF reader included in the OS is isolated in a container and can’t access the network.

“The Subgraph OS installer requires the user to use full disk encryption with Linux’s trusted dm-crypt/LUKS mechanism. Additionally, the system’s memory is wiped on shutdown to help mitigate cold boot attacks designed to steal your encryption keys,” the developers noted.

The OS has been made available for download in mid-March, but the developers warned that the software is still in alpha and shouldn’t be considered secure. They invited users to try it out and report bugs and issues.

Also, some of the tools that the developers plan to include in the final release have yet to be added.