Existing attempts to improve on the security of Unix-like operating systems for everyday personal use have been hampered by complexity, bugs, and security theatre. The concept of isolating applications by giving them what appears to be a dedicated computer to run in is a solid one, because it allows virtually all existing software to run without modification. However, allowing all these isolated computers to persist state leads to large maintenance costs — you now have n stateful computers to maintain, not one.
By minimizing the persistent state these computers are allowed to store to a well-defined absolute minimum required by the software running inside them, not only do we improve maintainability by minimising side effects and even allowing the computers to be regenerated without data loss if required, we also massively reduce the avenues to persisting malware.
Mutable state, then, across the whole system could be isolated into two locations on the host: a global state store, which is broken down by application instance, and a global configuration file defining all configuration for the host, and the isolated environments for each application instance. Aside from these two locations, the host computer should prevent persistent state as much as possible. This means that it is possible to restore the host computer, along with all the isolated application environments, simply by restoring a copy of the global state store and configuration file. After an audit of the global configuration, a potentially compromised host could be safely restored onto a new computer without risk of the new host inheriting the infection from the old one, since the only mutable data affecting the host is the global configuration file. (Of course, this does not prevent the new host from being compromised shortly afterward through the same methods.)
This system is Spectrum.
Qubes OS is a distribution of the Xen hypervisor that isolates IO and user applications inside their own dedicated virtual machines. Many people interested in secure computing are aware of Qubes, however they are often hampered by usability issues:
Hardware compatibility is extremely limited. People often have to buy a new computer just to use Qubes, and even then it can be a struggle to set up.
People are reluctant to use Xen on their computer for power management etc. reasons.
VMs are heavy, and there is no isolation between applications in the same domain (VM).
GUI applications are buggy, command line tools are mostly undocumented.
Maintaining many different TemplateVMs with persistent state is difficult. (Qubes can use Salt to mitigate this.)
It is important to note, however, that the Qubes developers have created utilities for using compartmentalized environments that could be very useful to other implementations. For example, Qubes allows clipboard data to be safely shared between isolated environments with explicit user action on both ends, and Qubes Split GPG allows one environment to perform operations using a GPG key stored in another environment, with permission granted on a per-operation basis.
Subgraph OS only provides isolation to the 22 applications they have manually containerized. Any other software is still run as normal. This should be considered a major security issue.
The last release of SubgraphOS was an alpha in 2017.
Permission is granted to copy, distribute and/or modify this document under either the terms of the Creative Commons Attribution-ShareAlike 4.0 International License, or the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.