[xdma]

Subgraph does lots of things Qubes doesn't, and this will only increase over time. For example: an experimental Subgraph OS feature[1] is to, by mandatory sandbox policy, prevent a specific application from connecting to anything except TLS endpoints, or specific TLS endpoints while adding certificate pinning outside of an application and performing extra-app validation. Could be useful over Tor or public wi-fi, right? Qubes is not going to build this, yet I am running a prototype of it on my SGOS dev laptop.

You can compare the sandbox technologies: hypervisor vs. Linux kernel containment facilities, but we are doing a lot more than that. There's no doubt that there will be many that want to run Subgraph or parts of Subgraph inside of Qubes for this reason, though we believe Qubes needs strong exploit mitigation throughout, in every VM, and I think wouldn't recommend it until that is the default.

1. Screenshots of Oz' coming TLS Guard, which proxies the TLS handshake to ensure correct TLS session & enforce other policy req's:

https://twitter.com/attractr/status/783013051335319553

https://twitter.com/attractr/status/783521883715203073

https://twitter.com/attractr/status/786235879111090176

etc

(edited, formatting)

[nickpsecurity]

" Qubes is not going to build this, yet I am running a prototype of it on my SGOS dev laptop."

You can do that in Qubes or the architecturally-superior GenodeOS. Genode is FOSS so nothing stops you. Any programs computing with secrets can run in an isolated partition to prevent leaks. Similar with protecting integrity of backups like in some partitioned filesystems. And you get the benefits of subgraph on the inside.

[saganus]

Sorry for being OT but do you mind explaining a bit what exactly does Genode do/is? I read about it in their web page but I'm not sure I understand the difference between "an OS" and "an OS framework".

It seems that they are trying to create an architecture with all components compartmentalized, but it says it can run Linux and Windows so I'm guessing it's virtualizing something at some point.

Also, they say they have a reference implementation of the architecture, so I guess the real work is defining that architecture and making an API compatible with what modern OS's do so later on they can jump on board and make it Genode compatible?

It sounds very interesting but it feels like I'm misunderstanding a lot and thus hitting a wall here due to lack of knowledge so any pointers are appreciated :)

[nickpsecurity]

There's a lot of conceptual similarity to Nizza architecture that's explained thoroughly in this paper:

https://os.inf.tu-dresden.de/papers_ps/nizza.pdf

From there, Genode is a different take on the same concept even using some of the same components (eg Nitpicker GUI). In both, there are various components integrated that might be used in other projects. A specific set of components together makes up a desktop. A different set might make an appliance. A different set a TV box. Much like how you build your Linux distros with packages and source files but these components can run on the microkernel communicating with each other and operating within their resource-management scheme. That scheme is hierarchical where each process spawns others with control of their memory or resources. Includes ways to let them communicate in such a way that your attack surface is mostly restricted to that composition.

Feske, the designer, gives specifics here:

http://www.slideshare.net/sartakov/genode-os-framework

Nitpicker by itself is worth looking at if you're unfamiliar with trusted paths. Too few systems have a good one.

https://os.inf.tu-dresden.de/papers_ps/feske-nitpicker.pdf

[saganus]

Awesome! thanks a mil.

I'll read up the linked resources.

[xdma]

No, Qubes hasn't written the TLS client handshake proxy to enforce the policy. Out of scope. That's what I meant, and it's just one example of the things above the level of "Qubes" or "Oz" plumbing that makes Subgraph OS what it is.