What is the most secure FOSS operating system with Internet access?
Random people say Arch Linux, OpenBSD or Qubes, but it is true that Arch Linux is secure to an extent if it is fully hardened, but not as secure as OpenBSD, so is OpenBSD secure? Qubes is a good approach to an OS, but it's Xen security, not OS security, and I'd rather run a secure OS other than Fedora or Debian on Qubes. And I've heard that Chrome OS/Chromium OS has the highest security of any Linux OS, but it's not more secure, it's just more limited. But that, like Qubes, goes back to the drawing board. So which OS is the most secure? Maybe Multics (better protection rings than Linux, OSX or Windows)? I use the most aggressive attackers as my threat model.
I have also heard that the Windows NT kernel design, although not FOSS, is better than Linux, BSD and OSX because it is based on OpenVMS knowledge.
24 comments
[ 3.6 ms ] story [ 72.4 ms ] threadIt's the same reason they discourage knowledge of capability based security.
AFAIK seL4 is the only formally security verified kernel for specific hardware. See their website for verification status of different hardware configurations.
The closest widely used system is Apple OSX which in turn was evolved from CMU Mach. The critical aspect is keeping the smallest possible attack surface, which is why capability based message-passing microkernels are more resilient than monolithic kernels.
Now I'm guessing you want to use a computer, probably to run programs. So your choice of programs will limit your choice of OS.
For example, DOS is likely the most secure (since it contains neither networking or USB support.) But I'm guessing the programs you likely want to run don't work on DOS.
A computer disconnected from any network has fewer attack points than one that is. A computer behind a firewall which blocks incoming connections is more secure than one that isn't.
your question is thus inadequately defined for a useful answer. You need to better describe your context - what you plan to use the computer for, whether the boot drive is read-only, and so on.
So, government agency? My vote would go for live USB Tails on librebooted ThinkPad. Use only public wifi. Always consider if your actions can be correlated and lead back to you or hint at you.
P.s. consider using wokfi
Good luck, space cowboy!
Is that what you chose out of interest, or do you actually need it? I will assume the former, because that's how your question sounds.
My answer in that case would be: you need to work on your threat model. It is tempting to say "I want the best security, therefore I will define my threat model as 'the most aggressive one'". But that is a fallacy: the best security model is the one that fits your use-case best, not the one that defends against most attackers.
Security is always a tradeoff. Remember that you need security fundamentally because what you want to do has some inherent risk (small or high). The whole point is to decide what risk you can afford and find a security model that is acceptable under those conditions. If you say "I can't take any risk at all", then the answer is always "don't do anything at all".
But if you say "I am making a connected fridge for my home and I really want to make sure that the NSA won't be able to shut it down remotely", then the answer is most likely that your threat model is wrong. Because you actually don't really care about the NSA shutting down your fridge: you can probably live with that risk.
To go back more concretely on your specific question ("which OS should I use against the most aggressive attacker?"), it means that you are probably simply not competent to defend against the most aggressive attacker. There is no such thing as "the most secure OS" if you don't know how to configure and use it properly, and there is arguably no such thing as "security against the most aggressive attacker".
If that's out of interest, I would suggest you pick a realistic threat model and try to reason about it. If you have an actual need (e.g. you need to contact a journalist or something), then try to be more specific than "the most aggressive attacker".
Don't be! It's good to think about security :-).
But keep in mind that "the most aggressive attacker" is a bit of a poor threat model. It sounds like a shortcut for not having to think about it, and therefore it misses the point.
For instance:
- Could it be the case that someone points a gun to your head and asks you to give access to your OS? Probably not => that's a first step in defining your threat model, where you can assume that nobody will force you to give up your password.
- Will someone have physical access to your computer? If you have a laptop that you carry around, it may get lost/stolen and therefore you probably want encryption at rest (i.e. full disk encryption). Even if it is your desktop computer at home, one could imagine that it gets stolen. If it is a desktop computer at work, then employees may have access to it. If not encrypted, they could just read what's on the disk. Or they could plug a keylogger and read everything that you type on your keyboard, etc.
- Will your OS be exposed to the Internet? Will it expose ports or can it be completely hidden behind a firewall?
- Are you the only user, or is it possible that another user gets phished?
- etc.
Those are all questions (but it is not an exhaustive list) you need to ask to decide what is an acceptable security model. If all you do is browse the web, maybe you don't need QubesOS (because you don't have anything to compartmentalize). If you sometimes need to write an email anonymously, again maybe you don't need QubesOS but you could go with TailsOS. Depending on the threat model, maybe you will want a brand new computer just for the "sensitive" activity you have, and maybe you will only connect to the Internet from "outside" (i.e. not your personal WiFi). Etc.
https://www.qubes-os.org/
https://en.wikipedia.org/wiki/ReactOS
Not sure what you mean by "Xen security" in contrast with "OS security". Qubes is an OS. Though a lot depends on your threat model, if you have high security needs, Qubes is likely to be your best companion.
Anyway, another reasonable choice is Kicksecure. It's the debian-based OS underlying Whonix (Kicksecure is focused on security and Whonix adds its privacy/anonymity setup on top of it). You can use Kicksecure as a VM within Qubes, by the way.
https://www.kicksecure.com