Subgraph OS is a Snowden-Approved Operating System

Kid-tested, Snowden-approved. That’s what the makers of Subgraph OS say, although maybe not in those exact words. The premise is that Subgraph is a secure Linux distribution that anyone can use, even without technical know-how.

Further Reading

Our Top 5 Security Extensions for your Browser

5 Best Security Tools to Secure Your Data

Subgraph OS

Subgraph launched earlier this year at Logan CIJ Symposium as an alpha release. This is the stage of the software release cycle where it’s still in development. The developers release software so the public can report bugs and help improve the software. Designed by a four-man team in Montreal, Subgraph has the blessing of the Open Technology Fund.

SandboxManagerSubgraph is a lightweight Linux OS that the developers based on Debian. Debian is considered to be a very stable Linux OS. The developers designed Subgraph to be resistant to “network-borne exploit and malware attacks.” Probably one of the most important features of Subgraph: it’s user-friendly. Company president David Mirza Ahmad said,

“We want to remove the security decisions that the user has to make by providing a holistic end-to-end OS. Rather than having to ask which chat tool you should use, we’re curating applications, based on our assessments, so that users are equipped with the best tools, all integrated with the OS.”

  • Hardened kernel
  • Sandboxed applications
  • Memory safety
  • Application firewall
  • Other

The kernel is the central part of the operating system. It’s the first part of the OS to load into memory during startup. The OS constantly uses the kernel, and if the computer crashes, that means the kernel crashed. It provides essential services for every other part of the OS. These include memory, process, file and I/O management.

Grsecurity and PaX security patchsets are what make the Subgraph kernel “hardened”. Hardening means it’s more resistant to attacks. Grsecurity and PaX, which we wrote about in a previous article, give more security protection to un-modified processes.

appsThe kernel has RAP security features to prevent code-reuse attacks in the kernel. This helps make sure that the kernel is more resistant to exploits that escalate system privileges. As of Subgraph kernel version 4.5.7, it has fewer features than most operating systems to shrink its attack surface.

Sandboxed Applications

The developers call the sandbox architecture “Oz.” Oz isolates programs from the rest of the system. The sandbox only grants programs system resources only when needed. The tech that makes up Oz includes Linux namespaces, restricted filesystem environments, desktop isolation and seccomp bpf.

DesktopApps put into a sandbox include:

  • Web browser
  • Email client with built-in support for encryption
  • CoyIM instant messenger
  • LibreOffice productivity suite
  • PDF viewer
  • Image viewer
  • Video player
  • Hexchat
Memory Safety

Most of the code for Subgraph is Go, which is a “memory safe language.” Go’s FAQ page says this: “…Another point is that a large part of the difficulty of concurrent and multi-threaded programming is memory management; as objects [pass] among threads, it becomes cumbersome to guarantee they become freed safely. Automatic garbage collection makes concurrent code far easier to write. Of course, implementing garbage collection in a concurrent environment is itself a challenge, but meeting it once rather than in every program helps everyone.”

Subgraph OSApplication Firewall

Application firewalls are unique to Linux-based operating systems, also called an outbound firewall. It differs from an inbound firewall in that it detects when programs try to connect to the internet. Depending on the program and its function, this can be normal or suspicious.


Lumped under the Other umbrella are a bunch of small, but not unimportant security features. These includes:

  • AppArmor profiles for system utilities and apps
  • Security event monitors and desktop notifications
  • Roflcopter Tor control port filter service
  • Port to new seccomp-bpf Gosecco library

Subbgraph integrates with Tor. It has a default policy that makes sure sensitive apps can only communicate over the Tor network.


You can find instructions and the ISO image here. It probably won’t be until 2017 when we see later versions. If you have used Subgraph OS or have been following the development of it let us know in the comments.