Subgraph OS is a Debian-based Linux distribution that is designed for superior security and offers a variety of secure, anonymous Internet, and enhanced features. Its kernel has been reinforced with a number of enhancements, and Subgraph has created a virtual “sandbox” in high-risk applications such as browsers. Therefore, any attack against a standalone application will not compromise the entire system. The Subgraph OS uses a rugged Linux kernel and application firewall to block specific executables from accessing the network and forcing all Internet traffic through the Tor network. Each application needs to be connected to the network and access to other applications “sandbox” are subject to manual permission. The release of the file manager with a featured tool can remove the metadata from the data file, and also integrates the OnionShare file sharing software. The distribution uses the Icedove mail client to automatically encrypt the e-mail with Enigmail. In Subgraph, the encryption of the file system is mandatory, which means that there is no danger of writing unencrypted data. It is important to note that Subgraph is still in beta, so do not rely on it to protect any truly sensitive data (and keep the regular backups as before).
One of the design objectives of Subgraph OS is create an endpoint that is resistant to user identification and tracking. Anonymization through the Tor onion routing network plays an important role in the Subgraph approach to accomplishing this.
Everything through Tor
By default policy, Subgraph OS will restrict the communication of applications so that they use the Tor network exclusively, obfuscating the endpoint’s physical origin. Applications will be transparently redirected to connect through the Tor network via our Metaproxy application. Metaproxy will intercept outgoing connections and relay them through the correct proxy (SOCKS, HTTP, etc). Proxy configuration is managed within Metaproxy, allowing applications to transparently connect to the Tor network without having to configure each individual application to use a proxy.
Exceptions to the “everything through Tor” policy will be made for specific use cases, such as accessing a captive portal on a public wi-fi network.
Application Network Policy
The policy that controls how and when applications can connect to external peers will be enforced in two different ways.
Firstly, the Subgraph Metaproxy is configured to white-list allowed applications based on connection properties such as the name of the application and the destination port. Any connections that do not match the white-list will simply be dropped. Metaproxy is also configured to leverage Tor’s stream isolation capabilities to ensure that two applications do not use the same Tor circuit. This will make it more difficult to correlate activities from different applications to the same pseudonym.
Our second layer of network policy enforcement is the application firewall. The application firewall manages outgoing connections. When it sees a new connection that does not match an existing policy, it prompts to user to accept or deny the connections on a temporary or permanent basis. The user will be able to set policy based on the properties they wish to allow or deny, such as the destination of the connection or the name of the application that initiated the connection.