From the article: “In Subgraph OS, any application a computer interacts with running the operating system is isolated in containers to prevent exploits from having a meaningful impact at the OS level. It uses the Grsecurity kernel, a patch applied to the Linux kernel that enhances security by limiting what processes can do.
For example, with most operating systems, receiving an infected PDF making use of a zero-day vulnerability means before you realize it, there’s malicious code running on your computer.
The set of security features implemented in Subgraph OS limits what the code is doing entirely: a PDF exploit would only be running in the PDF viewer container, unable to grab anymore data internally or access the network.
‘If there’s an exploit it can’t do much,’ sums up David McKinney the lead developer at Subgraph. It also features a new email client written from scratch.”
Read the full Motherboard article here: https://motherboard.vice.com/en_us/article/canadian-developers-want-to-make-the-next-tails