Subgraph OS – Adversary-resistant computing platform
Playing Coy
Special mention must go to Subgraph's own CoyIM instant messenger. CoyIM is designed to work with the XMPP message protocol, so you'll need to register an account with a compatible chat server to use it (Figure 5). Connections are made via Tor + TLS to clearnet chat servers, although for extra security you may wish to consider using an XMPP provider that supports connecting via Tor hidden services, such as The Calyx Institute [5]. Where possible, the messenger will use the hidden service for a chat server, if it has a record of it.
All conversations are encrypted via Off the Record (OTR) Messaging, which offers perfect forward secrecy – in other words, if the keys are compromised and a single conversation is decrypted, this won't help decrypt any of your other chats. On first run, CoyIM will ask you if you wish to encrypt your configuration file and if so, to choose a master password. You'll then be asked to either sign in or register your XMPP account. A green dot will appear next to your name once you're connected.
Like Subgraph itself, CoyIM has yet to undergo a full security audit, so use with caution.
Sub Rosa
Aside from hard work and a pat on the proverbial back from Snowden, Subgraph has much to offer the privacy-minded user.
Subgraph's website describes the OS as an "adversary resistant computer platform." The term adversary seems to have been interpreted broadly to include both hackers and government officials from oppressive regimes.
Users will notice this approach most when new programs are run: Subgraph Firewall will ask you to allow or deny the connection (Figure 6). You can also choose to permit a connection for only a certain amount of time. The default firewall policy of most Linux distros is to block incoming connections but allow all outgoing ones, so it's heartening to see that Subgraph polices connections on an application-by-application basis so seriously.
The Subgraph team discovered an excellent case in point when coding their firewall with Gnome Calculator. By default, this program will connect to various financial institutions online to gather currency exchange rates. This seems fairly harmless until you consider that searching for a specific currency could be used to determine which country you're in or about to travel to.
The Linux kernel used by Subgraph's latest release has been hardened with GrSecurity v4.8.15, which contains a number of privacy-related enhancements such as USB Lockout, a background process that denies all access to USB devices when the screen is locked or you're logged out.
GrSecurity also includes PaX – a set of patches that makes the kernel and userspace much less vulnerable to memory corruption exploits.
One form of memory corruption exploit, known as "stack smashing," is among the oldest and most reliable ways to hack into a system, whereby an adversary can execute arbitrary malicious code on your system.
PaX protects your computer from memory corruption exploits in a variety of ways. Chief among these is randomizing the layout of process memory, which makes it much more difficult for hackers to locate exactly where they've placed malicious code. It can also make memory pages non-executable. A payload stored in non-executable memory cannot run.
PaX also attempts to proactively kill applications that violate its security policies, hopefully preventing issues before they even arise [6].
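Both properties described above, a randomized layout and non-executable data pages, are visible from userspace in the Linux /proc/<pid>/maps listing. The script below is an added example, not code from the article or from the GrSecurity/PaX project: it flags mappings that are both writable and executable and checks whether the stack moved between two runs. The two sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input format: Linux /proc/<pid>/maps
#   address-range perms offset dev inode [pathname]

# Print every mapping that is both writable and executable.
wx_mappings() {
    awk '$2 ~ /w/ && $2 ~ /x/ { print $1, $2, ($6 == "" ? "[anon]" : $6) }' "$1"
}

# Print the start address of the first mapping with the given name.
region_start() {
    awk -v name="$2" '$6 == name { split($1, a, "-"); print a[1]; exit }' "$1"
}

# Succeed when the named region starts at different addresses in two
# snapshots taken from separate runs of the same program.
region_moved() {
    rs_a=$(region_start "$1" "$3")
    rs_b=$(region_start "$2" "$3")
    [ -n "$rs_a" ] && [ -n "$rs_b" ] && [ "$rs_a" != "$rs_b" ]
}

# Constructed sample snapshots (not captured from a real system).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/run1.maps" <<'EOF'
55d0c4a00000-55d0c4a21000 r-xp 00000000 fd:01 131 /usr/bin/demo
55d0c4c20000-55d0c4c22000 rw-p 00020000 fd:01 131 /usr/bin/demo
7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0
7ffd4c1e0000-7ffd4c201000 rw-p 00000000 00:00 0 [stack]
EOF
cat > "$SAMPLES/run2.maps" <<'EOF'
5631aa400000-5631aa421000 r-xp 00000000 fd:01 131 /usr/bin/demo
5631aa620000-5631aa622000 rw-p 00020000 fd:01 131 /usr/bin/demo
7ffe9b5a0000-7ffe9b5c1000 rw-p 00000000 00:00 0 [stack]
EOF

echo "writable+executable mappings in run1:"
wx_mappings "$SAMPLES/run1.maps"
if region_moved "$SAMPLES/run1.maps" "$SAMPLES/run2.maps" "[stack]"; then
    echo "stack address differs between runs"
fi
```

On a live system, point the functions at /proc/<pid>/maps for a process you own; an anonymous rwxp mapping is the kind of page an injected payload needs and the kind a non-executable-pages policy is meant to rule out.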
The Wonderful Wizardry of Oz
Subgraph OS runs desktop applications inside the team's very own security sandbox named Oz. This builds on the protection offered by kernel hardening to protect your system from compromised applications.
On most mainstream Linux distributions, desktop applications running with the X11 display server can see and interact with each other. The Oz sandboxes prevent this by using Xpra, which renders individual applications with their own display server, so they cannot interact, improving security.
Oz can also restrict access to certain files, as well as network access and audio playback for applications that don't need it.
The actual sandboxing process works seamlessly for the user. Applications that are to be run in Oz are renamed, and a symbolic link is created in the original location of the program, which directs the system instead to the Oz binary. When the program is started, Oz automatically scans the program name and examines its associated policy document, which governs how the application launches and its run-time environment.
The Oz daemon then creates the sandbox and launches the real application safely inside it, as per the policy document. Outside the sandbox, an Xpra instance connects to the Xpra server inside the sandbox. This means the application cannot log keystrokes or otherwise meddle with applications [7].
The applications that run within the Oz sandboxes are those most likely to be exposed to untrustworthy networks and data, such as the Tor Browser and Evince PDF Reader. You can, however, enable Oz profiles for other applications by running the command:
sudo oz-setup install <program-name>
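The rename-and-symlink dispatch described above can be reproduced in a throwaway directory to see how a single launcher identifies the requested program and how to audit which programs are wrapped. This is an added example, not Oz's code: the launcher script, the .real suffix and the .policy files are hypothetical stand-ins, since the article does not give Oz's actual paths or naming.

```shell
#!/bin/sh
# Added example. launcher, *.real and *.policy are hypothetical names chosen
# for this demo; they are not Oz's actual file layout.

# Build a throwaway tree with one wrapped program and one unwrapped program.
build_demo() {
    bd_root=$(mktemp -d)
    mkdir "$bd_root/bin" "$bd_root/policies"
    # The launcher learns which program was requested from its own $0.
    cat > "$bd_root/bin/launcher" <<'EOF'
#!/bin/sh
name=$(basename "$0")
policy="$(dirname "$0")/../policies/$name.policy"
[ -f "$policy" ] || { echo "no policy for $name" >&2; exit 1; }
echo "sandbox:$name policy:$(cat "$policy") real:$name.real"
EOF
    : > "$bd_root/bin/viewer.real"            # the renamed original program
    : > "$bd_root/bin/calc"                   # a program left unwrapped
    ln -s launcher "$bd_root/bin/viewer"      # original name -> launcher
    echo "no-network" > "$bd_root/policies/viewer.policy"
    echo "$bd_root"
}

# List the names in directory $1 that are symlinks resolving to launcher $2.
list_wrapped() {
    lw_target=$(readlink -f "$2")
    for lw_f in "$1"/*; do
        [ -L "$lw_f" ] || continue
        if [ "$(readlink -f "$lw_f")" = "$lw_target" ]; then
            basename "$lw_f"
        fi
    done
}

demo=$(build_demo)
echo "wrapped programs: $(list_wrapped "$demo/bin" "$demo/bin/launcher")"
# Invoked through sh so the demo also works where the temp dir is noexec.
sh "$demo/bin/viewer"
```

The launcher refuses any name that has no policy file, which is the behaviour to look for when reviewing a sandbox wrapper: a symlink without a matching policy should fail closed rather than run the program unconfined.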