Résumé de la conférence :
Adversary resistant computing
Subgraph OS: Adversary resistant computing
Subgraph OS is a desktop Linux distribution designed to be resistant to compromise through exploitation of software vulnerabilities on the endpoint by Internet-borne adversaries. We strive to accomplish this by:
- utilizing strong exploit mitigations (PaX, grsecurity, RAP)
- a desktop application sandbox we wrote that uses:
- linux namespaces (« containers »)
- desktop (x11) isolation (xpraPoC, soon wayland)
- an application firewall based in nfqueue
- apparmor across the system
.. and other controls designed to reduce attack surface and possibility for local privilege escalation.
This presentation will cover some background information and ou threat model, followed by a technical walk-through of Subgraph OS, and then Q&A.