by Animats 3501 days ago
They try to avoid saying it, but it's mostly a patched Linux.

Hi, I'm an SGOS dev. I don't know what you mean by "mostly a patched Linux", but here's what Subgraph OS is so far -- and it's a young project: we have a kernel patched with grsec/PaX/RAP, but we have also developed our own application sandbox framework (namespaces + limited fs + seccomp bpf whitelisting), app firewall, event monitoring subsystem, usb disable on desktop lock (based on grsec), etc. Here's a walkthrough of our sandbox framework:

https://github.com/subgraph/oz/wiki/Oz-Technical-Details
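The seccomp-BPF syscall whitelisting mentioned above, shown as an added example (my own illustration, not code from Oz or Subgraph): a filter that allows only a listed set of syscalls and returns EPERM for anything else, preceded by an architecture check so syscall numbers from a foreign ABI are never matched. It assumes a Linux host on x86_64 or arm64; the probe function forks so the filter confines only the child and the caller stays unrestricted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __aarch64__
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#define ARCH_NR AUDIT_ARCH_X86_64   /* assumption: x86_64 host otherwise */
#endif
#define MAX_INSNS 64
#define INSN(x) ((struct sock_filter)x)   /* BPF_STMT/BPF_JUMP expand to initializers */
/* Emit a filter allowing only the n syscalls in `allowed`; every other syscall fails with
   EPERM (denied, not killed). Returns the instruction count, or -1 if the list won't fit. */
static int build_allowlist(struct sock_filter *out, const int *allowed, int n) {
    int k = 0;
    if (n + 6 > MAX_INSNS) return -1;
    out[k++] = INSN(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    out[k++] = INSN(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0));
    out[k++] = INSN(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL));   /* foreign ABI: kill */
    out[k++] = INSN(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
    for (int i = 0; i < n; i++)   /* a hit jumps past the remaining compares and the deny */
        out[k++] = INSN(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[i], (unsigned char)(n - i), 0));
    out[k++] = INSN(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)));
    out[k++] = INSN(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
    return k;
}
static int install_filter(struct sock_filter *insns, int n) {
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;   /* unprivileged install */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Fork a child, confine it to read/write/exit_group and probe with getpid (not listed).
   Returns 1 if the probe was refused with EPERM, 0 otherwise; the parent stays unconfined. */
static int getpid_denied_in_sandbox(void) {
    struct sock_filter insns[MAX_INSNS];
    const int allowed[] = { SYS_read, SYS_write, SYS_exit_group };
    int n = build_allowlist(insns, allowed, 3);
    pid_t pid = fork();
    if (pid == 0) {   /* child: install the allowlist, then try a syscall not on it */
        if (n < 0 || install_filter(insns, n) != 0) _exit(2);
        _exit(syscall(SYS_getpid) == -1 && errno == EPERM ? 1 : 0);
    }
    int status = 0; if (pid < 0 || waitpid(pid, &status, 0) < 0) return 0;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 0;
}
```

A real sandbox would install the filter in the child right before exec of the confined program, after the namespace and filesystem setup, so the list only needs to cover what that program legitimately calls.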

Hey, cool project! Any chance you could give a quick rundown of how this compares to Qubes? Like, the tradeoffs, etc.
You may find this talk between the Qubes, Subgraph and TAILS representatives helpful:

https://www.youtube.com/watch?v=Nol8kKoB-co

I believe Joanna from Qubes also set up this forum for discussions on secure operating systems:

https://secure-os.org/

Joanna also talked a bit about the trade-offs between the two here:

https://secure-os.org/pipermail/desktops/2015-October/000002...

I believe initially there were some discussions to integrate Subgraph into Qubes as a TemplateVM (just like the Debian VM, Ubuntu VM, etc), but the Subgraph guys thought Grsecurity wouldn't work well with Qubes OS. I think that situation has improved, and there is some progress in making Grsecurity work with TemplateVMs and AppVMs.

https://twitter.com/Phoul/status/801114260881424384

However, even if it does work, I'm not sure how excited the Subgraph guys are about making their OS "just" a Qubes OS TemplateVM. They may think that's the wrong business strategy for them as a company. I'm just saying this as someone watching from the outside. They may actually not believe that at all.

However, I did also notice the relationship between the two projects got a little colder, at least for a while, and in public, after Edward Snowden called Qubes his preferred secure OS.

It was me, at Subgraph, that set up the Secure Desktops mailing list and website. We hope to collaborate more with other projects in the future. There is already interest from other projects in things we've built for Subgraph.

As for Subgraph in Qubes, being a template OS, etc, maybe later? We haven't even had a real release yet and are still building. I wouldn't recommend it anyways unless all of the Qubes VMs have hardened kernels by default.

Having a subgraph TemplateVM will get easier with Qubes 4.0, as Qubes switches over to HVM (I think just HVM with PV drivers, PVH in Xen is not ready yet). grsecurity and PaX do not work with paravirtualization, which is pretty limiting in terms of memory management and such (It also opens up some vulnerabilities, which is why Qubes is switching).
Thanks for the interesting stuff.

Even if Snowden called out Qubes, you have to decide on your own security level which system is best for your needs.

I suspect that it doesn't at all seeing as how it is a Linux distribution with some nice features for security and privacy baked in by default.
Many believe that Qubes places an unreasonable amount of trust in Xen.

Read: https://www.qubes-os.org/doc/vm-sudo/

The issue isn't only with trusting Xen, but trusting it so much that it makes all other security features meaningless.

No updated iso since June. Any plans for an update soon?

Also, shouldn't you just use Wayland for the stable 1.0 release? Why even bother with X11 at this point?

Do you plan to support flatpaks as well?

The new ISO is coming very soon. We've just been busy with consulting we do to support the project and there were some issues with gpg2.

Wayland is one huge reason why we aren't even calling this "beta". Wayland is absolutely part of the plan. We are working on integration now.

Flatpaks: probably not. Different vision. Flatpak is an 'appstore' type model, not sure we will want that in Subgraph OS, but it's worth a deeper investigation than the thought I've given it so far. There are things in Flatpak that we can benefit from, such as the UI advantages of "Portals". We'll probably be adding support for it to Oz.

Good to hear you're considering it. It may be worth looking into appimages as well. They don't seem to focus as much on security, but perhaps their isolation is better? Flatpaks seem to share quite a bit with each other, and I worry it may create another X11-situation. Flatpaks may still be better overall, though, if they can also have good isolation.

I doubt you should even bother with snaps. They don't seem to be that well supported outside of Ubuntu, and I doubt they will ever be.

We use Xpra to do desktop isolation for now, by the way. It's similar to Qubes' display mechanism, but we didn't write it, and don't really like it as a security control. Just serves as PoC until we can jump to Wayland.

Therefore Subgraph OS isn't in the worst possible x11 situation, which is the default for every desktop Linux except I think the most recently released Fedora.

Re: iso / updates, we have rolling updates. Installed users are kept current if they install the OS and regularly apply updates and do dist-upgrades.

Hi! Why did you choose the name Subgraph OS?
It's named for their company, which does other things too.
Yup. Subgraph is a nearly 7 year old open source software company. We wrote a web scanner (Vega) that's sadly neglected, though still used regularly by thousands of users. We also do consulting, like pentesting, etc.

The name was inspired by work I was following at the time (10 years ago?) by Halvar Flake etc, on applying graph theory methods to reverse engineering / runtime analysis.

It's catchy, sounds technical, and non-technical people can still spell it. Great name. :)
It is a precise technical term, and using it for a company name is unsettling to a graph theorist. But, it's probably cool for almost everyone else.
Linux = kernel.
After reading the article, and reading replies to you, I still have to guess whether this is a Linux kernel or something else. And I still don't understand why they don't mention this on their site. The talk of "kernel with certain patches" has me guessing it is indeed Linux.
They are practically screaming grsec/PaX from the rooftop. It's even in the diagram! What else could they possibly be?
imho the qubes approach is more viable and exposes far less attack surface. Qubes is also, contrary to its reputation, a very usable OS (with KDE in dom0, at least).
Subgraph does lots of things Qubes doesn't, and this will only increase over time. For example: an experimental Subgraph OS feature[1] is to, by mandatory sandbox policy, prevent a specific application from connecting to anything except TLS endpoints, or specific TLS endpoints while adding certificate pinning outside of an application and performing extra-app validation. Could be useful over Tor or public wi-fi, right? Qubes is not going to build this, yet I am running a prototype of it on my SGOS dev laptop.

You can compare the sandbox technologies: hypervisor vs. Linux kernel containment facilities, but we are doing a lot more than that. There's no doubt that there will be many that want to run Subgraph or parts of Subgraph inside of Qubes for this reason, though we believe Qubes needs strong exploit mitigation throughout, in every VM, and I think wouldn't recommend it until that is the default.

1. Screenshots of Oz' coming TLS Guard, which proxies the TLS handshake to ensure correct TLS session & enforce other policy req's:

https://twitter.com/attractr/status/783013051335319553

https://twitter.com/attractr/status/783521883715203073

https://twitter.com/attractr/status/786235879111090176

etc

(edited, formatting)

" Qubes is not going to build this, yet I am running a prototype of it on my SGOS dev laptop."

You can do that in Qubes or the architecturally-superior GenodeOS. Genode is FOSS so nothing stops you. Any programs computing with secrets can run in an isolated partition to prevent leaks. Similar with protecting integrity of backups like in some partitioned filesystems. And you get the benefits of subgraph on the inside.

Sorry for being OT but do you mind explaining a bit what exactly does Genode do/is? I read about it in their web page but I'm not sure I understand the difference between "an OS" and "an OS framework".

It seems that they are trying to create an architecture with all components compartmentalized, but it says it can run Linux and Windows so I'm guessing it's virtualizing something at some point.

Also, they say they have a reference implementation of the architecture, so I guess the real work is defining that architecture and making an API compatible with what modern OS's do so later on they can jump on board and make it Genode compatible?

It sounds very interesting but it feels like I'm misunderstanding a lot and thus hitting a wall here due to lack of knowledge so any pointers are appreciated :)

There's a lot of conceptual similarity to Nizza architecture that's explained thoroughly in this paper:

https://os.inf.tu-dresden.de/papers_ps/nizza.pdf

From there, Genode is a different take on the same concept even using some of the same components (eg Nitpicker GUI). In both, there are various components integrated that might be used in other projects. A specific set of components together makes up a desktop. A different set might make an appliance. A different set a TV box. Much like how you build your Linux distros with packages and source files but these components can run on the microkernel communicating with each other and operating within their resource-management scheme. That scheme is hierarchical where each process spawns others with control of their memory or resources. Includes ways to let them communicate in such a way that your attack surface is mostly restricted to that composition.

Feske, the designer, gives specifics here:

http://www.slideshare.net/sartakov/genode-os-framework

Nitpicker by itself is worth looking at if you're unfamiliar with trusted paths. Too few systems have a good one.

https://os.inf.tu-dresden.de/papers_ps/feske-nitpicker.pdf

Awesome! Thanks a mil.

I'll read up the linked resources.

No, Qubes hasn't written the TLS client handshake proxy to enforce the policy. Out of scope. That's what I meant, and it's just one example of the things above the level of "Qubes" or "Oz" plumbing that makes Subgraph OS what it is.
> imho the qubes approach is more viable and exposes far less attack surface.

I don't know what you base that opinion on since it's not an easy comparison to reason about. One metric you could use would be actual vulnerabilities. In the last year there have been several hypervisor escape vulnerabilities that compromised Qubes OS VM isolation completely, most (all?) of which have been present in Xen for the entire lifetime of the Qubes project.

By contrast during the same period only one Linux kernel vulnerability (DirtyCow) affected Subgraph sandboxed applications, and it would only have been exploitable using techniques which have not been disclosed in any public exploit so far.

I honestly find the XFCE desktop more usable.
I greatly prefer a desktop that has searchable menus and decent Hi DPI support (although the older version in F23/Q dom0 isn't quite plugnplay). Personally I think that KDE also looks better. Especially XFCE's window decorations are just so... 90s "design".
Hello Joanna.
What else would you expect it to be?
Maybe a real secure kernel, such as SeL4 or LynxOS.
The tipoff that it's not L4 is that it's a desktop OS that runs applications.
You can do a desktop on a microkernel that runs Linux in user-mode or with hypervisor support. Critical stuff stays outside directly on microkernel. It's what every vendor of separation kernels does. Two examples from commercial and FOSS that's similarly alpha:

Sirrix TrustedDesktop on Turaya:

https://www.sirrix.com/content/pages/trusteddesktop_en.htm

Turaya's architecture:

http://www.perseus-os.org/content/pages/Overview.htm

FOSS alternative that they already use to develop itself:

https://genode.org/

Have you used any of those commercial offerings? I've honestly never heard of them before. Can I, as a regular consumer, go purchase one of those operating systems and use it on my laptop?
You can go and use Genode right now. There's no installer (to my knowledge) -- you'll have to build the OS by hand. If the area of secure OSes or capability-based OSes is interesting to you, Genode is the best playground for that. The DROPS/Dresden folks have been working in this area for a long time.

Genode is largely kernel agnostic, being an "Operating System Framework" -- you can run it on Linux, variants of L4, seL4, Muen, and more.

You probably have to buy hardware from them if the drivers are on the microkernels because I doubt they're doing many ports. I haven't used the product as I had custom stuff. Here's a video of the academic prototypes that both the commercial stuff and Genode drew from if you're wondering about performance. That's on a Core Duo 2 @ 1.6GHz. The L4Linux VM's were fast.

https://www.youtube.com/watch?v=x9IwtY9gqCg