PlagueOS: Operating System of the Underground
Intro
There has been a lot of hype around the latest player in the operating system market. PlagueOS is designed to be a security-centric distribution built on Void Linux. Currently, the market for secure computing is limited to Whonix, TAILS, Qubes, and now the addition of Plague.
Background
According to the main developer (arcanedev), Void Linux was selected primarily for its musl libc base and its use of the runit service manager by default.
On the main git repository, the developer quotes Hunter S. Thompson, a renowned journalist who rode with the Hell’s Angels, directly after the description of the project.
“In a nation of frightened dullards, there is a shortage of outlaws, and those few who make the grade are always welcome.” - Hunter S. Thompson
The operating system includes in-depth security considerations, detailed in the project’s wiki. It would be a crime to cheaply summarize them all; the most notable, however, are the following:
- Full-disk encryption with a custom LUKS configuration (AES-256-XTS with the Argon2id KDF)
- Hardened memory allocator loaded system-wide via LD_PRELOAD (ported over from the GrapheneOS project)
- Hardened, trimmed kernel
- Full Wayland environment
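The first two items are the easiest to verify on a running host. The following is an added example (not PlagueOS project code) that audits a `cryptsetup luksDump` text for AES-256-XTS plus Argon2id on every keyslot and checks that hardened_malloc is wired into `/etc/ld.so.preload`; the sample inputs are constructed, and the allocator path is an assumption.

```python
"""Audit two of the baseline properties listed above (added example, not
PlagueOS project code): every LUKS2 keyslot uses aes-xts-plain64 with a
512-bit key (AES-256 in XTS mode) and the argon2id PBKDF, and hardened_malloc
is loaded system-wide via /etc/ld.so.preload. Samples are constructed in the
`cryptsetup luksDump` text format; the allocator path is an assumption."""
import re

# Constructed, abridged luksDump output; slot 1 uses the default PBKDF.
SAMPLE_LUKSDUMP = """\
LUKS header information
Version:        2
Keyslots:
  0: luks2
    Key:        512 bits
    Cipher:     aes-xts-plain64
    PBKDF:      argon2id
  1: luks2
    Key:        512 bits
    Cipher:     aes-xts-plain64
    PBKDF:      pbkdf2
Tokens:
"""
# Constructed /etc/ld.so.preload with the allocator wired in (path assumed).
SAMPLE_PRELOAD = "/usr/lib/libhardened_malloc.so\n"

def audit_luks(dump: str) -> list[str]:
    """Return findings; an empty list means the header matches the baseline."""
    findings = []
    if not re.search(r"^Version:\s*2\s*$", dump, re.M):
        findings.append("header is not LUKS2 (argon2id needs LUKS2)")
    # Keep only the Keyslots section, then cut it into (slot number, body) pairs.
    section = dump.partition("Keyslots:")[2].partition("Tokens:")[0]
    parts = re.split(r"^\s+(\d+): luks2\s*$", section, flags=re.M)
    if not parts[1::2]:
        findings.append("no LUKS2 keyslots found")
    for num, body in zip(parts[1::2], parts[2::2]):
        f = dict(re.findall(r"^\s*([A-Za-z ]+):\s*(.+?)\s*$", body, re.M))
        if f.get("Cipher") != "aes-xts-plain64" or f.get("Key") != "512 bits":
            findings.append(f"keyslot {num}: cipher/key is not AES-256-XTS")
        if f.get("PBKDF") != "argon2id":
            findings.append(f"keyslot {num}: PBKDF is {f.get('PBKDF')}, not argon2id")
    return findings

def audit_preload(preload: str) -> list[str]:
    """Flag a host whose ld.so.preload does not inject hardened_malloc."""
    libs = [ln.strip() for ln in preload.splitlines() if ln.strip()]
    if not any("hardened_malloc" in lib for lib in libs if not lib.startswith("#")):
        return ["hardened_malloc is not listed in /etc/ld.so.preload"]
    return []
```

On a real host, feed the functions the output of `cryptsetup luksDump <device>` and the contents of `/etc/ld.so.preload`; a keyslot added later with default cryptsetup settings is the typical way the FDE baseline silently regresses.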
This operating system follows a hypervisor usage model; it was designed, with a strict use case in mind, to kill off classes of exploitation that plague the standard Linux environment. The hypervisor usage model is essentially security by compartmentalization: the host stays minimal, and work happens inside guest VMs.
“To fully compromise the host, one would have to find a way to exploit the running VM, perform a sandbox escape from libvirt, exploit a running process or create a reverse shell from the unprivileged user, then pivot to the ‘admin’ user via cracked credentials.”
Now you may wonder how this differs from an operating system such as QubesOS. From the PlagueOS FAQ:
“QubesOS has some downsides such as computational power required to run every single process as a VM and it throttles the host. Outdated templates are a huge issue with qubes. Not to mention the difficulty of routing Xen via tor on the main host. For these reasons, Whonix even started Whonix-Host which is the same idea of this project. Albeit, they’ve been slow with their implementation.”
In short, Plague does not isolate every process the way Qubes does, so it does not suffer as substantial a performance hit. Separate Whonix and Kicksecure (the clearnet baseline of Whonix) VMs can be used to isolate particular functions. The granularity of each guest machine is ultimately up to the end user, while Plague simply provides a secure, minimalist baseline.
Plague, even in its adolescence, stands to be more hardened than Whonix due to its kernel hardening. The plague-installer script also supports auto-importing Kicksecure and Whonix, as these guests are strong hardened baselines that can easily be routed through Tor, optionally together with the anti-forensic, non-persistent sessions within the VM.
Conclusion
The project is in its adolescence and should excite security researchers, in the sense that it covers new ground in the name of security hardening. The kernel mitigations from the project do laps around the recommendations posed by DISA STIGs and CIS controls. The project itself clearly has outlaw / dissident roots. The operating system even received a mention in the developer’s writings in Into the Crypt: The Art of Anti-Forensics. Regardless of your stance on the developer’s philosophy, the project stands to bridge the gap between hardening and usability. The internet by and large takes a reactive approach that focuses on post-exploitation, which then circles back to the vulnerability that led to initial access. It is clear that the main developer is taking a proactive approach that focuses on killing classes of vulnerabilities before exploits can come to fruition.