Here we will describe the Subgraph operating system and other Subgraph products. Furthermore, we will discuss the pros and cons of Subgraph solutions for development.
Subgraph is an operating system that focuses on enhanced security and privacy. It uses sandbox containers and other technologies to limit the permissions of programs and to protect user data from attackers and malicious software. We will explain how the Subgraph security system works and what its safety characteristics are. Moreover, we will take a look at the advantages and disadvantages of Subgraph solutions.
What is Subgraph
The Subgraph operating system is a computing platform that is strongly resistant to hacking. The development team has more than 50 years of experience in information security and privacy. The US Open Technology Fund supports Subgraph OS financially; this fund has also supported Tor, Tails, and Open Whisper Systems. In addition, Edward Snowden has supported Subgraph and stated that among privacy-oriented solutions he would always choose this one.
Subgraph's developers emphasize that their project is the first to provide privacy and security tools while maintaining a high level of usability. The desktop environment is GNOME, and the system is based on the Debian GNU/Linux distribution, which provides the security foundation. It offers a range of functions such as private web sessions and enhanced protection.
The Subgraph kernel is built on grsecurity/PaX (a patch set that protects against exploits and privilege escalation) and RAP (a mechanism designed to prevent attacks on the kernel and to defeat modern exploitation techniques). The key feature is the Oz sandboxes, which strongly limit the rights of applications.
Other significant security features of Subgraph are:
- Go, a memory-safe language, is the main implementation language.
- AppArmor profiles cover system tools and applications.
- Support for YubiKey hardware tokens with one-time passwords.
- Roflcoptor, a filter for the Tor control port.
- A secure mail client: Subgraph Mail.
- Transparent proxying through Tor.
- Anonymous messenger: OnionShare.
- Trusted boot.
- Disk encryption.
How do Subgraph sandboxes work?
As mentioned above, the main feature of the Subgraph operating system is its ability to run applications in special sandboxes that confine individual processes. This means that if an application or a website opened on Subgraph is compromised, the attacker or the malware is stuck inside the sandbox with limited access to the system, files, and hardware.
Subgraph uses Oz, which is quite similar to Firejail. It consists of a dedicated service that receives requests to create and run sandboxes, a virtual Xpra X server, and other noteworthy components. To isolate applications, the Oz service uses Linux namespaces. In addition, it imposes further restrictions on the software through the kernel security mechanism seccomp-bpf.
Inside the sandbox, the application talks to the graphics subsystem through a virtual Xpra X server. One such server runs in every sandbox: the Subgraph X server connects to the Xpra instance and displays the application on the screen. This matters because graphical applications in sandboxes are usually run by exposing the host X server socket /tmp/.X11-unix/X0 directly inside the sandbox, which lets an attacker or malware draw its own image on the screen. Moreover, it lets them take control of the mouse and keyboard, reach the windows of any other running application and, finally, log the input devices. Subgraph does not have this issue.
Generally, launching an application in a Subgraph environment proceeds as follows:
- The user launches an application in the usual way, via a desktop icon or the command line (in fact, they do not run the executable from the /usr/bin-oz/ directory; they run a kind of application link from /bin-oz/).
- Oz takes control. The subsystem analyzes the application name and passes it over a socket to oz-daemon, which launches the application.
- The daemon looks at the application profile, where the rules and restrictions are clearly set out. It knows which files are accessible and which are restricted.
- The daemon creates the directory /srv/oz/rootfs/, then binds the main system directories into it ( /bin, /lib, /lib64, /usr, /et), and afterwards creates the other necessary directories (/var, /tmp, /mnt, and others). It creates the minimal set of device nodes required for the application to work in /dev, and binds in other applications, files, and directories. Next, the daemon chroots into the directory and creates new namespaces that lock the application within the sandbox.
- The daemon creates a new virtual network interface and connects it to a virtual switch, which in turn is connected to the external network interface.
- The daemon starts Oz-init, which runs Xpra and uses seccomp-bpf to set the permissions and limits for system calls.
- Lastly, Oz-init launches the application from the /usr/bin-oz/ directory.
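As an added illustration of the steps above (this is not Oz's own code; the profile format, the set of system directories and the /srv/oz/rootfs/<name> layout are assumptions of this example), the following Go program turns a sandbox profile into the ordered sequence of bind mounts and the unshare/chroot launch command that confine an application. It also rejects whitelist paths that would widen the sandbox, which is the check a profile loader must make before it binds anything:

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Profile is a hypothetical, simplified sandbox profile written for this
// example (not Oz's real profile schema).
type Profile struct {
	Name      string   `json:"name"`
	Exec      string   `json:"exec"`      // absolute path of the program inside the sandbox
	Whitelist []string `json:"whitelist"` // host files or directories the application may read
	Network   bool     `json:"network"`   // false: private network namespace, no connectivity
}

// Mount is one bind mount or empty tmpfs placed under the sandbox root.
type Mount struct {
	Source   string // host path, or "tmpfs" for a fresh empty directory
	Target   string // path as seen inside the sandbox
	ReadOnly bool
}

// ParseProfile decodes a profile and rejects whitelist paths that could widen
// the sandbox: relative paths, "..", trailing slashes, or the whole filesystem.
func ParseProfile(data []byte) (Profile, error) {
	var p Profile
	if err := json.Unmarshal(data, &p); err != nil {
		return Profile{}, err
	}
	if p.Name == "" || !filepath.IsAbs(p.Exec) {
		return Profile{}, fmt.Errorf("profile needs a name and an absolute exec path")
	}
	for _, path := range p.Whitelist {
		if path == "/" || !filepath.IsAbs(path) || filepath.Clean(path) != path {
			return Profile{}, fmt.Errorf("unsafe whitelist path: %q", path)
		}
	}
	return p, nil
}

// MountPlan lists, in order, what goes into the new root: read-only system
// directories (an assumed set), empty scratch directories, then only what the
// profile grants. Anything not listed does not exist inside the sandbox.
func MountPlan(p Profile) []Mount {
	var plan []Mount
	for _, d := range []string{"/bin", "/lib", "/lib64", "/usr", "/etc"} {
		plan = append(plan, Mount{Source: d, Target: d, ReadOnly: true})
	}
	for _, d := range []string{"/tmp", "/var", "/mnt"} {
		plan = append(plan, Mount{Source: "tmpfs", Target: d})
	}
	for _, w := range p.Whitelist {
		plan = append(plan, Mount{Source: w, Target: w, ReadOnly: true})
	}
	return plan
}

// Command is the mount(8) invocation that realises m under root (current
// util-linux performs the read-only remount that "bind,ro" needs).
func (m Mount) Command(root string) []string {
	dst := filepath.Join(root, m.Target)
	if m.Source == "tmpfs" {
		return []string{"mount", "-t", "tmpfs", "-o", "nosuid,nodev", "tmpfs", dst}
	}
	if m.ReadOnly {
		return []string{"mount", "-o", "bind,ro", m.Source, dst}
	}
	return []string{"mount", "-o", "bind", m.Source, dst}
}

// LaunchArgs isolates the program with util-linux unshare(1) and coreutils chroot(1):
// new mount, PID, IPC and UTS namespaces, plus a private network namespace
// unless the profile allows networking.
func LaunchArgs(p Profile, root string) []string {
	args := []string{"unshare", "--mount", "--pid", "--fork", "--ipc", "--uts"}
	if !p.Network {
		args = append(args, "--net")
	}
	return append(args, "chroot", root, p.Exec)
}

// Usage: ozlike <profile.json>. Prints the mount sequence and the launch
// command for the profile; running those commands requires root on Linux.
func main()	{
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: ozlike <profile.json>")
		os.Exit(2)
	}
	fail := func(err error) { fmt.Fprintln(os.Stderr, err); os.Exit(1) }
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		fail(err)
	}
	p, err := ParseProfile(data)
	if err != nil {
		fail(err)
	}
	root := filepath.Join("/srv/oz/rootfs", p.Name)
	for _, m := range MountPlan(p) {
		fmt.Println(strings.Join(m.Command(root), " "))
	}
	fmt.Println(strings.Join(LaunchArgs(p, root), " "))
}
```

With a constructed profile such as `{"name":"evince","exec":"/usr/bin-oz/evince","whitelist":["/home/user/Documents/report.pdf"],"network":false}` the program prints five read-only system binds, three tmpfs mounts, one read-only bind of the single document, and finally `unshare --mount --pid --fork --ipc --uts --net chroot /srv/oz/rootfs/evince /usr/bin-oz/evince`. Each bind target must exist before the mount runs (a directory, or an empty file for a whitelisted file). The namespace, mount and chroot steps are covered here; the seccomp-bpf system-call filter that Oz-init applies would sit between the unshare and the final exec.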
Figure: the application launch process in a Subgraph environment.
If an application running in a sandbox is compromised (that is, the system detects that the application is interacting with files, processes, and devices without permission), it cannot leave the sandbox and harm the main system. The data is safe, too, since the attacker can only reach the application's configuration files and cache. For example, if you use the Evince PDF viewer to open a file, the application gets access only to that very document and nothing else.
Other Subgraph security functions
Figure: the security architecture of the Subgraph operating system.
The second significant feature of the Subgraph security system is proxying outgoing traffic through Tor (The Onion Router).
By default, Tor does not support this configuration: it simply works as a SOCKS proxy, which means that the software has to be SOCKS-aware and that users have to configure proxying through Tor for each application themselves.
However, the Subgraph team applied Metaproxy to overcome this limitation. Metaproxy forwards traffic to the required HTTP or SOCKS proxy (in our case, Tor), and a simple firewall rule steers the traffic to the Metaproxy port. The only exception is made for the captive-portal websites that complete authentication on public Wi-Fi networks.
Figure: the Subgraph firewall settings window.
As its main web browser, the platform uses the regular Tor Browser. This is the only Subgraph application that uses Tor proxying directly; the rest just pass their traffic to Metaproxy. ICMP (Internet Control Message Protocol) traffic is forbidden, so Subgraph does not respond to pings and does not allow pinging another host.
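The following Go program is an added example in the spirit of Metaproxy; it is not Metaproxy's or Tor's code, and its addresses are assumptions: a firewall REDIRECT rule is assumed to send outgoing TCP/80 connections to 127.0.0.1:8118, and Tor's SOCKS5 port is assumed at 127.0.0.1:9050. It shows both halves of the problem described above: the SOCKS5 handshake that a SOCKS-aware client would have to perform itself, and the transparent forwarder that performs it on behalf of an unmodified application by recovering the destination from the HTTP Host header. The CONNECT request carries the hostname (address type 0x03) rather than a locally resolved IP address, so DNS lookups also go through Tor instead of leaking to the local resolver.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"io"
	"net"
	"strings"
)

// Assumptions of this example: Tor's SOCKS5 port, and the local port to which a
// firewall REDIRECT rule sends outgoing TCP/80 connections.
const torSocks, listenOn = "127.0.0.1:9050", "127.0.0.1:8118"

// Socks5ConnectRequest builds CONNECT with ATYP=0x03 (domain name), so the name
// is resolved inside Tor rather than by the local resolver: no DNS query leaks.
func Socks5ConnectRequest(host string, port uint16) ([]byte, error) {
	if len(host) == 0 || len(host) > 255 {
		return nil, errors.New("hostname must be 1..255 bytes")
	}
	req := append([]byte{0x05, 0x01, 0x00, 0x03, byte(len(host))}, host...)
	return append(req, byte(port>>8), byte(port)), nil
}

// ReadSocks5Reply consumes VER REP RSV ATYP BND.ADDR BND.PORT; fails unless REP=0x00.
func ReadSocks5Reply(r io.Reader) error {
	hdr := make([]byte, 4)
	if _, err := io.ReadFull(r, hdr); err != nil {
		return err
	}
	addrLen := map[byte]int{0x01: 4, 0x04: 16}[hdr[3]] // IPv4 or IPv6 bind address
	if hdr[0] != 0x05 || addrLen == 0 {
		return errors.New("malformed or unsupported SOCKS5 reply")
	}
	if _, err := io.ReadFull(r, make([]byte, addrLen+2)); err != nil {
		return err
	}
	if hdr[1] != 0x00 {
		return errors.New("SOCKS5 CONNECT refused by Tor")
	}
	return nil
}

// ParseHTTPHost reads a redirected request's head and returns the Host header's
// name (the port is always 80 here) plus the consumed bytes to replay upstream.
func ParseHTTPHost(r *bufio.Reader) (string, []byte, error) {
	var head bytes.Buffer
	host := ""
	for {
		line, err := r.ReadString('\n')
		head.WriteString(line)
		if err != nil {
			return "", nil, err
		}
		if line = strings.TrimRight(line, "\r\n"); line == "" {
			break // blank line ends the headers
		}
		if strings.HasPrefix(strings.ToLower(line), "host:") {
			host = strings.TrimSpace(line[5:])
			if h, _, err := net.SplitHostPort(host); err == nil {
				host = h // strip an explicit ":80"
			}
		}
	}
	if host == "" {
		return "", nil, errors.New("request has no Host header")
	}
	return host, head.Bytes(), nil
}

// handle bridges one redirected client to its destination through Tor: SOCKS5
// handshake, replay of the already-consumed request head, then a two-way relay.
func handle(client net.Conn) {
	defer client.Close()
	br := bufio.NewReader(client)
	host, head, err := ParseHTTPHost(br)
	if err != nil { return }
	req, err := Socks5ConnectRequest(host, 80)
	if err != nil { return }
	tor, err := net.Dial("tcp", torSocks)
	if err != nil { return }
	defer tor.Close()
	method := make([]byte, 2)
	if _, err = tor.Write([]byte{0x05, 0x01, 0x00}); err != nil { return } // offer "no authentication"
	if _, err = io.ReadFull(tor, method); err != nil || method[1] != 0x00 { return }
	if _, err = tor.Write(req); err != nil || ReadSocks5Reply(tor) != nil { return }
	if _, err = tor.Write(head); err == nil {
		go io.Copy(tor, br)
		io.Copy(client, tor)
	}
}

func main() {
	ln, err := net.Listen("tcp", listenOn)
	if err != nil { panic(err) }
	for {
		if c, err := ln.Accept(); err == nil { go handle(c) }
	}
}
```

Only plaintext HTTP on port 80 is handled, because that is the one protocol whose destination can be read from the redirected byte stream without kernel help; TLS and other TCP destinations would need the original destination address from the firewall (for example SO_ORIGINAL_DST on Linux), which is the part Metaproxy handles for the whole system.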
System and kernel security.
The Subgraph operating system is also hardened with PaX and grsecurity. PaX is a set of kernel patches that close gaps in Linux kernel security; these gaps were typically related to buffer overflows and memory-corruption flaws in applications and in the kernel itself. grsecurity is a set of patches that closes memory-corruption gaps. Furthermore, grsecurity introduces the following security measures:
- It forbids changes to the date and time;
- Restricts applications and protocols that use chroot;
- Prevents execution of binaries that are not owned by the root user;
- Hides information in the /proc filesystem;
- Restricts the use of FIFO channels and sockets.
Full disk encryption (FDE).
Subgraph also offers full disk encryption as a basic feature. It transparently encrypts the persistent storage that holds important data, so even if a disk or flash drive is stolen, lost, or left at a service center, the data stays safe. Moreover, Subgraph OS formats the disk before installation so that it can resist cold boot attacks: attacks that read the contents of DRAM and SRAM during the few seconds after power-off.
Secure mail client.
The operating system ships with the Subgraph Mail application, which is integrated with the system's OpenPGP encryption tool. Another Subgraph Mail feature is that even if one part of the application is compromised, the attacker still does not gain access to other mail or to the encryption keys. Moreover, Subgraph Mail deliberately does not include a web rendering engine, so web exploits delivered by email are impossible.
Subgraph OS also offers an alternative trusted-boot technology. Normally, an encrypted boot partition with a digital key, a RAM disk, and the file systems are used for this purpose. Subgraph's approach compares the binaries on disk against the file lists of the OS packages, so the platform is protected from forged and malicious boot packages.
Advantages of software development on Subgraph
The Subgraph operating system is typically used where enhanced security and privacy are vital, for example in server systems, retail, logistics, financial services, and so on. Subgraph OS is simply the foundation on which the necessary solutions are built, such as a secure messenger or a CRM, ERM, or POS system.
Other advantages of Subgraph as a platform for running applications are:
- An application can be locked in a sandbox, and its permissions can be restricted and customized. This significantly increases security and saves development time.
- Subgraph is open-source software, which means anybody can use it for free. Furthermore, the Subgraph kernel is Linux, which is considered the gold standard for customized solutions. Many servers, routers, televisions, consoles, and other devices run on it, which proves the flexibility, safety, and security of Linux and its derivatives.
- Subgraph solutions protect both applications and internet connections. This is highly important if you wish to protect yourself or your partners from phishing emails (the main cause of hacks on the internet).
- The Subgraph operating system is free and can be modified as desired, unlike Windows or macOS/iOS, which are expensive and protected by copyright law.
- Subgraph is easy to install, and it has no usability issues.
Disadvantages of software development on Subgraph
The Subgraph operating system is still at the development stage (alpha version), and this is its main disadvantage. It means that some functions are not available yet or work only partially. For instance, the Subgraph firewall does not support TLSGuard, UDP/ICMP, or SOCKS5. However, even at this stage Subgraph proves to be a modern operating system, and it can be used to run applications.
The disadvantages of Subgraph products are:
- To develop your solution on Subgraph, you will need a development team with solid experience in Linux or Subgraph, such as Merehead.
- All Subgraph solutions target an audience focused on security and privacy. That audience is not large, so it is doubtful whether Subgraph solutions will become popular.
- Subgraph products do not give a 100% guarantee of privacy and protection: restricted sandboxes and Tor proxying can still be broken. Furthermore, only a few applications can run in Subgraph at present.
- Every existing sandbox has problems with transferring data between the sandbox and the working environment. In addition, you might not even notice it, since most sandboxes do not log this kind of failure.
- Some users may lose attention and awareness because of a false sense of security.
- Subgraph OS has not been updated for a long time.
Subgraph solutions can be a perfect choice for those who want enhanced security and privacy on a desktop. Despite the numerous restrictions of the Subgraph system, developers still find the platform very useful. It seems that the popularity of these projects will only increase, since more and more users suffer from malicious applications, hacker attacks, and data leaks. Moreover, once Subgraph leaves the alpha stage, its solutions might become an industry standard for developers focused on desktop systems. However, to be fair, that will not happen soon.