Subgraph
Security Meets Accessibility
BySubgraph OS is designed with built-in, accessible security features and a modern desktop.
In graph theory, a subgraph is a graph contained by a larger graph. Inspired by efforts to apply graph theory to reverse engineering by comparing flow control graphs, Subgraph is a Montreal-based company and the name of the Linux distribution it is developing to make increased security easily available.
Many of Subgraph’s core members first met in the Calgary hacking scene in the 1990s. Another was a founder of the hacker space movement in Montreal. CTO Bruce Leidl is known for his work on Obfusated SSH, a technology used in Tor and Psiphon3.
Two core members, president David Mirza Ahmad and principal developer David McKinney, were moderators of Bugtraq, the controversial mailing list that advocates the free sharing of vulnerability details and exploit code – an approach that many proprietary companies often oppose, preferring to keep vulnerabilities secret until they can be patched.
“System operators were being compromised and, facing negligent software vendors, [they] took matters into their own hands,” Ahmad says, describing Bugtraq around the turn of the millennium. “Bugtraq was also a place to post interesting computer security research, including early implementations of new ideas.” Much of this work used free software licenses, partly because subscribers were understandably reluctant to run a binary downloaded from a mailing list, but also because of what Ahmad describes as “the fantastic spirit of open collaboration” that developed among list regulars. The result, Ahmad says, was “tools and an opportunity to learn and explore that I could never have had any other way.”
As a result of these backgrounds, members of Subgraph pride themselves on being able to work at all levels, from low-level kernel code to Gnome Shell plugins to increase usability. Meant to be at least a 10-year project, Subgraph was originally founded in 2010 as an attempt to build a security business based on free software. “We did not want to work for boring proprietary software companies,” Ahmad says.
Its first product was Vega, a web application vulnerability scanner written in Java. It was followed by Orchid, a Java implementation of Tor. However, although both Vega and Orchid remain in use today, in 2013, Subgraph shifted its focus to privacy and security and began development of Subgraph OS. Currently in alpha release, Subgraph OS is intended as “a usable desktop that is resistant to an adversary armed with reliable exploits,” Ahmad says.
Another major goal is to make security easy to use. According to Ahmad, for example, “before Subgraph OS, many users had to build their own kernel to benefit from grsecurity and PaX,” two leading kernel security patches. A particular problem is managing these patches during system updates, which Subgraph OS automatically manages. Similarly, OnionShare, A Nautilus plugin developed by Subgraph’s Micah F. Lee, uses Tor services to share files securely and anonymously, and many applications are automatically sandboxed.
First Line Defenses
Subgraph is a Debian derivative running a Gnome desktop. Debian, Ahmad says, was chosen for its packaging and distro tool set and out of admiration for its community ideals. However, although based on these standard components, Subgraph OS includes substantial changes.
To start, Subgraph’s kernel is compiled without support for obscure hardware, protocols, and unprivileged user namespaces. The result is that would-be intruders have fewer avenues of attack.
Additionally, Subgraph makes full use of kernel patches such as grsecurity, PaX, and RAP. Although RAP is a commercial product, in its kernel compilation, Subgraph uses a public demo of RAP that was made by PaX, giving free software users security to which they would otherwise not have access.
These patches “strive to be general and broadly useful mitigations that eliminate entire classes of vulnerabilities, rather than fixing individual instances,” Ahmad says. Their flexibility often makes them effective against newer, unannounced expoits – so-called zero-day vulnerabilities. Grsecurity and PaX also offer general hardening measures, including PID randomization, detection of brute force attacks, and the strengthening of chroots, whereas RAP is a modern defense against code reuse attacks, in which intruders take advantage of software vulnerabilities on an already compromised machine.
Similarly, Subgraph OS writes most of its own code in GoLang, a memory-safe language that guards against attacks that depend on memory corruption, such as buffer overflows. “It’s an interesting choice,” Ahmad remarks, “and fun to program in, especially if C has your heart” – a reference to the fact that both C and C+ have been historically open to memory vulnerabilities.
Second Line Defenses
Behind these defenses, Subgraph OS has additional defenses that are more visible to users. For example, the instant messenger Pidgin, which Adhmad dismisses as “suspected by many of having unpatched security vulnerabilities [and] written in an unsafe language,” has been replaced with CoyIM, written with the help of ThoughtWorks. Similarly, a feature called USBLockout removes an obvious vulnerability by controlling access to USB ports when the desktop is locked. Still to come are a system event monitor and notification system that alerts users to problems and Subgraph Mail, a replacement for Thunderbird. For now, the distribution ships with Enigmail ready to install, to make encrypted email easy to configure.
Another second line of defense is the Subgraph Firewall. Describing it as similar to Mac OS’s popular Little Snitch, Ahmad describes the Subgraph Firewall as allowing “users to better understand and control how individual applications communicate with servers on the Internet. As an example, during development, we found that the Gnome Calculator makes connections to hosts on the Internet when it is started. Although the connection is fairly benign (IMF and Europenan Central Bank, to obtain curency conversion rates), it was default behavior, and we found that surprising.” To the best of Ahmad’s knowledge, Linux currently has nothing comparable.
However, Subgraph’s most important innovation on the desktop is Oz, its sandboxing system. Based on existing technologies, Oz is unique in its strict filtering of system calls. Ahmad estimates that Subgraph’s desktop applications average about one-third the number of system calls they do in other distributions. Each application has its own profile for Oz, which is stored in an editable file, /var/lib/oz/cell.d.
The roadmap for Oz also includes the ability to restrict outgoing access within sandboxes and certificate pinning, which double-checks server certificates against a set of hashes of public keys for the server name. Essentially, with Oz, Subgraph can offer much more security customization for individual applications than other sandboxes.
All these tools will be built in to the desktop, making them easy to access. In the alpha release, for example, an application in the upper left corner of the panel lists all applications that are currently running using Oz.
Continuing Development
Subgraph OS is an ambitious project and still some ways from general completion. Ahmad expects the beta release in six months and the general release in a year. However, Subgraph particularly wants to ship with full Wayland support, which may cause some delay, and the full implementation of some features may extend beyond the 1.0 release.
However, judging from the alpha release, Subgraph promises not only to have unique security features, but also to make them accessible. In fact, except perhaps for Qubes OS, which takes a very different approach to accessible security, I know of no other distribution that integrates security features so thoroughly into the desktop. In these days of increasingly urgent calls for accessible security, Subgraph shows every sign of becoming a major player in the near future.
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Systemd Fixes Bug While Facing New Challenger in GNU Shepherd
The systemd developers have fixed a really nasty bug amid the release of the new GNU Shepherd init system.
-
AlmaLinux 10.0 Beta Released
The AlmaLinux OS Foundation has announced the availability of AlmaLinux 10.0 Beta ("Purple Lion") for all supported devices with significant changes.
-
Gnome 47.2 Now Available
Gnome 47.2 is now available for general use but don't expect much in the way of newness, as this is all about improvements and bug fixes.
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.