Research on the topic: which OS is safer? Reliable and secure operating systems? The safest operating system

When was the last time your TV suddenly turned off or required you to urgently download a software patch from the Web to fix a critical error? Yet if your TV is not quite ancient, it is in fact the same kind of computer: a central processor, a large monitor, some analog electronics for decoding radio signals, a couple of special input/output devices (a remote control, a built-in drive for cassettes or DVDs) and software stored in its memory. This rhetorical question brings us to an unpleasant problem that the computer industry does not like to talk about. Why are TVs, DVD players, MP3 players, cell phones and other electronic devices with software quite reliable and well protected, while computers are not? Of course, there are many "explanations" for this: computers are flexible systems, users can change the software, the information technology industry is not yet sufficiently mature, and so on. But since we live in an era in which the vast majority of computer users are not well versed in technical issues, such "explanations" do not seem convincing to them.

What does the consumer expect from a computer? The same as from TV. You buy it, connect it, and it works great for the next ten years. IT professionals should take these expectations into account and make computers as reliable and secure as televisions.

In terms of reliability and security, the weakest point remains the operating system. Although application programs contain many defects, if the operating system were error-free, the incorrectness of application programs would not have the serious consequences it has now, so in this article we focus specifically on operating systems.

But before we get into the details, a few words about the connection between reliability and protection. The problems that arise in each of these areas often have a common root: software bugs. A buffer overflow error can cause a system crash (a reliability issue), but it also allows a cleverly written virus to enter the computer (a security issue). Although this article is primarily about reliability, it should be kept in mind that improvements in reliability tend to bring improvements in protection as well.

Why are systems unreliable?

Modern operating systems have two features that cost them both reliability and security. First, these operating systems are huge; second, their error isolation is very poor. The Linux kernel has over 2.5 million lines of code, and the Windows XP kernel is at least twice as large.

One study examining software reliability found that programs contained between 6 and 16 errors for every 1,000 lines of executable code. According to another study, error rates range from 2 to 75 per 1,000 lines of executable code, depending on the size of the module. Even on a conservative estimate of 6 bugs per 1,000 lines of code, the Linux kernel appears to contain approximately 15,000 bugs, and Windows XP at least twice as many.

To make matters worse, typically about 70% of the operating system consists of device drivers, which have error rates three to seven times higher than ordinary code, so the above estimate of the number of errors in the OS is probably a gross underestimate. Clearly, it is simply impossible to find and fix all these errors. Moreover, when some errors are fixed, new ones are often introduced.

Because of the enormous size of modern operating systems, no single person can know one thoroughly. Indeed, it is extremely difficult to build a good system if no one actually understands it in full.

This fact brings us to the second problem: error isolation. No one in the world knows everything about how an aircraft carrier functions, but an aircraft carrier's subsystems are well isolated from each other, and a clogged toilet will not affect the operation of the missile launch subsystem.

Operating systems have no such isolation between components. A modern operating system contains hundreds or even thousands of procedures linked together into one binary program running in kernel mode. Any of the millions of lines of kernel code can overwrite key data structures used by components unrelated to that code, causing a system crash that is extremely difficult to diagnose. Moreover, once a virus has infected one kernel procedure, there is no way to stop it from rapidly spreading to other procedures and taking over the entire machine.

Let's return to the ship analogy. The hull of a modern ship is divided into many compartments. If a leak occurs in one of the compartments, then only that compartment is flooded, and not the entire hold. Modern operating systems are like the ships that existed before the invention of bulkheads: any hole can sink a ship.

Fortunately, the situation is not so hopeless. Developers are striving to create more reliable operating systems. There are four different approaches that are being taken to make operating systems more reliable and secure in the future. We will present them in our article in “ascending” order, from less radical to more radical.

Hardened operating systems

The most conservative approach, Nooks, was designed to increase the reliability of existing operating systems such as Windows and Linux. Nooks technology keeps the monolithic kernel structure, in which hundreds or thousands of procedures are linked together in a single address space and run in kernel mode. The approach concentrates on making device drivers (the root cause of most problems) less dangerous.

In particular, as shown in Fig. 1, Nooks protects the kernel from faulty device drivers by wrapping each driver in a protective software layer that forms a lightweight protection domain. This technique is sometimes called a "sandbox". The wrapper around each driver carefully monitors all interactions between the driver and the kernel. The technique can also be used for other loadable kernel extensions, but for simplicity we will discuss it only in relation to drivers.

The goals of the Nooks project are:

  • protect kernels from driver errors;
  • provide automatic recovery in case of driver failure;
  • do all this with minimal changes to existing drivers and the kernel.

Protecting the kernel from malicious (as opposed to merely buggy) drivers is not among the goals. Nooks was first implemented on Linux, but the ideas apply equally to other legacy kernels.

Isolation

The main means of protecting kernel data structures from being corrupted by faulty drivers is the virtual memory page map. While a driver is running, all pages outside it are set to read-only mode, creating a separate lightweight protection domain for each driver. This way, the driver can read the kernel data structures it needs, but any attempt to modify kernel data structures directly raises a CPU exception, which is caught by the Nooks isolation manager. The driver's private memory, where its stacks, heaps, private data structures, and copies of kernel objects are stored, is read-write.

Mediation

Each driver class exports a set of functions that the kernel can call. For example, audio drivers may provide one call to write a block of audio samples to the sound card, another for volume control, and so on. When a driver is loaded, an array of pointers to the driver's functions is filled in so that the kernel can find any of them. In addition, the driver imports a set of functions provided by the kernel, for example for allocating data buffers.

Nooks provides wrappers for both exported and imported functions. Now, when the kernel calls a driver function or a driver calls a kernel function, the call actually goes to the wrapper, which checks that the parameters are correct and manages the call. Although the wrapper stubs (depicted in Fig. 1 as lines pointing both into and out of the driver) are generated automatically from function prototypes, developers have to write the body of each wrapper by hand. In total, the Nooks team wrote 455 wrappers: 329 for functions that the kernel exports, and 126 for functions that device drivers export.

When a driver attempts to modify a kernel object, its wrapper copies the object into the driver's protection domain, that is, into its private read-write pages. The driver then changes the copy. If the request succeeds, the isolation manager copies the modified object back to the kernel. Thus, a driver failure or an error during a call always leaves kernel objects in a correct state. The management operations for imported objects are specific to each object, so the Nooks team had to hand-write code to manage the 43 classes of objects that Linux drivers use.
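The copy-in, check, copy-out discipline described above can be shown in a few lines of plain C. The following is an added example written for this page, not code from the Nooks project: `audio_cfg_t`, the two "drivers", and the wrapper are all constructed for illustration. The wrapper checks its parameter, lets the driver work on a private copy of the kernel object, validates what comes back, and only then commits it; a driver that reports failure or hands back a corrupted copy never touches the kernel's version.

```c
#include <stdio.h>
#include <stdbool.h>

/* A constructed kernel object that an audio driver is allowed to update. */
typedef struct {
    int volume;       /* valid range 0..100 */
    int sample_rate;  /* Hz, must be positive */
} audio_cfg_t;

/* Driver entry point signature: operate on the object, return 0 on success. */
typedef int (*set_volume_fn)(audio_cfg_t *cfg, int new_volume);

/* The authoritative kernel copy (lives in kernel read-write memory). */
static audio_cfg_t kernel_cfg = { 50, 44100 };

/* A well-behaved driver. */
int good_set_volume(audio_cfg_t *cfg, int v) {
    cfg->volume = v;
    return 0;
}

/* A faulty driver: writes garbage into an unrelated field, yet reports success. */
int corrupting_set_volume(audio_cfg_t *cfg, int v) {
    cfg->volume = v;
    cfg->sample_rate = -1;
    return 0;
}

/* A driver that fails part-way through and reports the failure. */
int failing_set_volume(audio_cfg_t *cfg, int v) {
    cfg->volume = v;
    return -1;
}

/* Object-level validation performed by the wrapper before copy-out. */
static bool cfg_is_valid(const audio_cfg_t *c) {
    return c->volume >= 0 && c->volume <= 100 && c->sample_rate > 0;
}

/* The wrapper: parameter check, copy-in, call, validate, copy-out on success only. */
int wrapped_set_volume(set_volume_fn driver, int new_volume) {
    if (new_volume < 0 || new_volume > 100)
        return -1;                          /* bad parameter: never reach the driver */
    audio_cfg_t shadow = kernel_cfg;        /* copy-in to the driver's private pages */
    int rc = driver(&shadow, new_volume);   /* driver works on the copy only */
    if (rc != 0 || !cfg_is_valid(&shadow))
        return -1;                          /* failure: kernel object left untouched */
    kernel_cfg = shadow;                    /* copy-out of a validated object */
    return 0;
}

int kernel_volume(void)      { return kernel_cfg.volume; }
int kernel_sample_rate(void) { return kernel_cfg.sample_rate; }

int main(void) {
    printf("good driver -> %d, volume now %d\n",
           wrapped_set_volume(good_set_volume, 80), kernel_volume());
    printf("corrupting driver -> %d, volume still %d, rate still %d\n",
           wrapped_set_volume(corrupting_set_volume, 30),
           kernel_volume(), kernel_sample_rate());
    printf("failing driver -> %d, volume still %d\n",
           wrapped_set_volume(failing_set_volume, 10), kernel_volume());
    return 0;
}
```

The validation step is the part that a plain "copy back if the return code is zero" scheme misses: a driver that corrupts its copy while claiming success is caught the same way as one that admits failure.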

Recovery

When a failure is detected, a recovery agent is started, which consults a configuration database to decide what to do. In many cases, releasing all held resources and restarting the driver is sufficient, because the most common algorithmic errors are usually found during testing, and what remains in the code are mainly timing errors and similar transient defects.

This technique allows the system to recover, but applications that were running at the time of the failure may be left in an incorrect state. In follow-up work, the Nooks team added the concept of shadow drivers so that applications can continue to run correctly even after a driver failure.

In short, during normal operation the shadow driver logs those interactions between each driver and the kernel that may be needed for recovery. After the driver is restarted, the shadow driver replays the logged data to the restarted driver, for example by repeating the input/output control (IOCTL) call that set parameters such as the audio volume. The kernel knows nothing about this process of bringing the new driver back to the state the old driver was in. Once it is complete, the driver begins processing new requests.

Limitations

Even though experiments show that Nooks can catch 99% of fatal driver errors and 55% of non-fatal ones, it is far from perfect. For example, drivers can execute privileged instructions that they should not, write to the wrong I/O ports, and enter infinite loops. Moreover, the Nooks group had to write a large number of wrappers by hand, and those wrappers may themselves contain bugs. Finally, this approach cannot prevent drivers from writing to arbitrary memory locations. Nevertheless, it is a potentially very useful step towards improving the reliability of legacy kernels.

Paravirtual machines

The second approach is based on the concept of a virtual machine. This concept was developed in the late 1960s. The idea is to run a special control program called a virtual machine monitor directly on the hardware, in place of the operating system. The virtual machine monitor creates multiple instances of the real machine. Each instance can run any program that can run on that hardware.

This technique is often used to allow two or more operating systems, say Linux and Windows, to run on the same machine at the same time, with each OS believing it controls the entire machine. The use of virtual machines has a well-deserved reputation for providing good error isolation. After all, if none of the virtual machines is aware of the existence of the others, problems occurring on one machine cannot spread to the others.

An attempt was made to adapt this concept to provide protection within one operating system rather than between different operating systems. Moreover, since the Pentium does not fully support virtualization, it was necessary to depart from the principle of running the operating system in a virtual machine without any changes to it. This concession allows the operating system to be modified so that it does nothing that cannot be virtualized. To distinguish this technique from true virtualization, it is called paravirtualization.

In particular, in the 1990s a group of developers at the University of Karlsruhe created the L4 microkernel. They were able to run a slightly modified version of Linux (L4Linux) on L4 in what can be regarded as a virtual machine. The developers later realized that instead of running just one copy of Linux on L4, they could run several copies. As shown in Fig. 2, this observation led to the idea of using one Linux virtual machine to run application programs and one or more others to run device drivers.

If device drivers run in one or more virtual machines that are isolated from the main virtual machine in which the rest of the operating system and the application programs run, then when a driver fails, only its virtual machine fails, not the main one. An additional benefit of this approach is that the device drivers do not need to be modified, since they see a normal Linux kernel environment. Of course, the Linux kernel itself has to be changed to support paravirtualization, but this is a one-time change, and it does not have to be repeated for each device driver.

Since the device drivers run in user mode on the real hardware, the main question is how they perform I/O and handle interrupts. Physical I/O was supported by adding approximately 3K lines of code to the Linux kernel that runs the drivers, allowing the drivers to use L4 services for I/O instead of doing it themselves. A further 5K lines of code support the interaction between the three isolated drivers (disk, network, and PCI bus) and the virtual machine in which the application programs run.

In principle, this approach should provide greater reliability than a single operating system, because if a virtual machine containing one or more drivers fails, that virtual machine can be restarted and the drivers return to their initial state. Unlike Nooks, this approach makes no attempt to return the drivers to their previous state (the state they were in before the crash). Thus, if the audio driver fails, it will be restored to the default audio level, not the level it had before the failure.

Performance measurements show that the overhead of using paravirtualized machines is around 3-8%.

Multiserver operating systems

The first two approaches involve modifying legacy systems. The next two are about future systems.

One of these approaches goes straight to the heart of the problem: running the entire operating system as a single giant binary program in kernel mode. Instead, it proposes a small microkernel running in kernel mode, with the rest of the operating system being a set of completely isolated server and driver processes running in user mode. This idea was proposed 20 years ago, but was never fully adopted then because of the lower performance of a multiserver OS compared to a monolithic kernel. In the 1980s, performance was considered the most important metric, and reliability and protection were hardly thought about. Of course, in their day, aircraft engineers did not think about fuel consumption or about cockpit doors that could withstand armed attack either. Times change, and people's ideas about what is truly important change too.

Multiserver architecture

To understand better what a multiserver operating system is, let us turn to a modern example. As shown in Fig. 3, in Minix 3 the microkernel handles interrupts, provides the basic mechanisms for process management, implements interprocess communication, and performs process scheduling. It also provides a small set of kernel calls to authorized drivers and servers, such as reading a selected portion of a particular user's address space or writing to authorized I/O ports. The clock driver shares the microkernel's address space, but it is scheduled as a separate process. No other driver runs in kernel mode.

Above the microkernel is the device driver layer. Each I/O device has its own driver, which runs as a separate process in its own private address space, protected by the hardware memory management unit (MMU). This layer includes driver processes for the disk, the terminal (keyboard and display), Ethernet, the printer, audio, and so on. These drivers run in user mode and cannot execute privileged instructions or read or write the computer's I/O ports. To obtain these services, drivers must call the kernel. Although this architecture adds overhead, it significantly improves reliability.

Above the device driver layer is the server layer. The file server is a program (4.5K lines of executable code) that accepts requests from user processes for file-related Posix system calls, such as read, write, lseek, and stat, and carries them out. This layer also houses the process manager, which manages processes and memory and carries out Posix calls and other system calls such as fork, exec and brk.

A somewhat unusual feature is the reincarnation server, which is the parent process of all the other servers and all the drivers. If a driver or server fails, crashes, or does not respond to periodic ping messages, the reincarnation server kills the process if necessary and then restarts it from a copy on disk or in RAM. In this way drivers can be restarted; currently only those servers whose internal state is limited can be restarted.

Other servers include the network server, which contains a complete TCP/IP stack; the data store, a simple name server that other servers use; and the information server, which is used for debugging. Finally, above the server layer are the user processes. The only difference from other Unix systems is that the library routines for read, write, and the other system calls do their work by sending messages to servers. Apart from this difference (which is hidden in the system libraries), these are normal user processes that can use the POSIX API.

Interprocess communication

Because interprocess communication (IPC) is the mechanism that lets all the processes work together, it is critical in a multiserver operating system. However, because all servers and drivers in Minix 3 run as physically isolated processes, they cannot call each other's functions directly or share data structures. Instead, Minix 3 supports IPC by passing fixed-length messages using the so-called rendezvous principle (when both the sender and the receiver are ready to exchange, the system copies the message directly from the sender to the receiver). In addition, there is a mechanism for asynchronous event notification. Events that cannot be delivered are marked as pending in the process table.

Minix 3 integrates interrupts elegantly with the message passing system. Interrupt handlers use the notification mechanism to signal I/O completion. This mechanism lets the handler set a bit in the "pending interrupts" bitmap and then continue without blocking. When the driver is ready to receive the interrupt, the kernel converts it into an ordinary message.

Reliability characteristics

There are several reasons for the high reliability of Minix 3. First, the kernel is no more than 4K lines of code, so on the conservative estimate of 6 errors per 1,000 lines, the total number of bugs in the kernel is probably about 24. Compare this with 15,000 bugs in Linux and a much higher number in Windows. Since all device drivers except the clock driver are user processes, no foreign code ever runs in kernel mode. In addition, the small size of the kernel makes it more feasible to verify its correctness, either manually or using formal methods.

The IPC architecture of Minix 3 does not require message queues or buffering, which eliminates buffer management in the kernel. Moreover, because IPC is such a powerful mechanism, the IPC capabilities of each server and driver are strictly limited. For each process, the IPC primitives it may use, the destinations it may reach, and the user event notifications it may receive are precisely defined. User processes, for example, may only use rendezvous and may send messages only to the Posix servers.

In addition, all kernel data structures are static. All these features greatly simplify the code and eliminate kernel errors associated with buffer overflows, memory leaks, untimely interrupts, untrusted kernel code, and so on. Of course, moving most of the operating system into user mode does not eliminate the inevitable bugs in drivers and servers, but it does make them much less dangerous. A bug in the kernel can destroy critical kernel structures, write garbage to disk, and so on. A bug in most drivers and servers cannot do significant damage, because the processes are strictly separated and the operations they can perform are strictly limited.

Drivers and servers in user mode do not run with superuser privileges. They cannot access memory outside their own address spaces, except through kernel calls (which the kernel checks for validity). Moreover, bitmaps and ranges in the kernel's process table control, on a per-process basis, the set of allowed kernel calls, the IPC capabilities, and the allowed I/O ports. For example, the kernel can prevent the printer driver from writing to user address spaces, accessing the disk's I/O ports, or sending messages to the audio driver. In traditional monolithic systems, any driver can do anything.
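The two mechanisms just described, rendezvous message passing (the Interprocess communication section) and per-process restrictions held in the process table (the paragraph above), can be simulated together in a few dozen lines. The following is an added example written for this page, not Minix 3 source: the process ids, kernel call numbers and bitmaps are constructed, and the "kernel" is a single-threaded model in which a process that cannot complete a send or receive is simply marked blocked until its partner arrives. It shows a send being refused by the capability bitmap, a send that blocks until the receiver is ready, and kernel calls being allowed or refused per process.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define NPROCS   4
#define MSG_SIZE 16                       /* fixed-length messages, as in the text */
#define ANY     -1                        /* "receive from anyone" */

/* Constructed process ids and kernel call numbers for this model. */
enum { KERNEL = 0, FS = 1, PRINTER = 2, AUDIO = 3 };
enum { KC_SAFECOPY = 0, KC_DEVIO = 1, KC_VMCTL = 2 };
enum { ST_RUNNING, ST_SENDING, ST_RECEIVING };

typedef struct { char body[MSG_SIZE]; } message_t;

typedef struct {
    int       state;       /* running, or blocked in a send/receive */
    int       peer;        /* process we are blocked on (or ANY) */
    message_t pending;     /* message held while blocked sending */
    message_t inbox;       /* last message delivered to this process */
    uint32_t  send_mask;   /* bit i set: may send to process i */
    uint32_t  kcall_mask;  /* bit k set: may invoke kernel call k */
} proc_t;

static proc_t ptab[NPROCS];

/* Constructed policy: FS talks to both drivers, drivers talk only to FS,
   drivers may do device I/O, FS may not. */
void ipc_init(void) {
    memset(ptab, 0, sizeof ptab);
    ptab[FS].send_mask       = (1u << PRINTER) | (1u << AUDIO);
    ptab[PRINTER].send_mask  = (1u << FS);
    ptab[AUDIO].send_mask    = (1u << FS);
    ptab[FS].kcall_mask      = (1u << KC_SAFECOPY);
    ptab[PRINTER].kcall_mask = (1u << KC_SAFECOPY) | (1u << KC_DEVIO);
    ptab[AUDIO].kcall_mask   = (1u << KC_SAFECOPY) | (1u << KC_DEVIO);
}

/* Rendezvous: copy directly from sender to receiver and unblock both. */
static void deliver(int src, int dst, const message_t *m) {
    ptab[dst].inbox = *m;
    ptab[src].state = ST_RUNNING;
    ptab[dst].state = ST_RUNNING;
}

/* Returns 0 if the send was accepted (delivered or blocked), -1 if refused. */
int ipc_send(int src, int dst, const message_t *m) {
    if (dst < 0 || dst >= NPROCS) return -1;
    if (!(ptab[src].send_mask & (1u << dst))) return -1;   /* capability check */
    if (ptab[dst].state == ST_RECEIVING &&
        (ptab[dst].peer == ANY || ptab[dst].peer == src)) {
        deliver(src, dst, m);                               /* both ready: copy now */
        return 0;
    }
    ptab[src].state   = ST_SENDING;                         /* block until receiver is ready */
    ptab[src].peer    = dst;
    ptab[src].pending = *m;
    return 0;
}

/* Returns 1 if a message was delivered immediately, 0 if the receiver blocked. */
int ipc_receive(int dst, int src) {
    for (int p = 0; p < NPROCS; p++) {
        if (ptab[p].state == ST_SENDING && ptab[p].peer == dst &&
            (src == ANY || src == p)) {
            deliver(p, dst, &ptab[p].pending);
            return 1;
        }
    }
    ptab[dst].state = ST_RECEIVING;
    ptab[dst].peer  = src;
    return 0;
}

/* Kernel calls are gated by the per-process bitmap; 0 = performed, -1 = refused. */
int kernel_call(int proc, int callno) {
    if (!(ptab[proc].kcall_mask & (1u << callno))) return -1;
    return 0;   /* the real call would be carried out here */
}

const char *inbox_of(int proc) { return ptab[proc].inbox.body; }
int state_of(int proc)         { return ptab[proc].state; }

int main(void) {
    message_t m = { "write" };
    ipc_init();
    printf("printer -> audio: %d (refused by send_mask)\n", ipc_send(PRINTER, AUDIO, &m));
    printf("fs -> printer: %d, fs blocked: %d\n", ipc_send(FS, PRINTER, &m), state_of(FS) == ST_SENDING);
    printf("printer receives: %d, got \"%s\"\n", ipc_receive(PRINTER, ANY), inbox_of(PRINTER));
    printf("fs devio: %d, printer devio: %d\n", kernel_call(FS, KC_DEVIO), kernel_call(PRINTER, KC_DEVIO));
    return 0;
}
```

Two points are worth noticing. Because delivery happens only when both sides are present, there is no kernel-side queue to overflow or leak, which is exactly the buffer-management problem the text says Minix 3 avoids. And the policy lives in the process table rather than in the drivers, so a driver that tries to reach a destination or a kernel call outside its bitmap is refused before any damage can occur.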

Another reason for reliability is the use of separate instruction and data spaces. If a bug or virus causes a buffer overflow in a driver or server and foreign code is written into the data space, the injected code cannot be executed by jumping to it or by calling it through a function pointer, because the kernel will not execute code unless it lies in the process's read-only instruction space.

Among the other specific features that provide higher reliability, the most important is the self-healing property. If a driver attempts to store data through an invalid pointer, enters an infinite loop, or attempts other invalid operations, the reincarnation server automatically replaces the driver, usually without affecting other running processes.

Although restarting a logically incorrect driver will not fix the error, in practice timing errors and similar defects cause many of the problems, and restarting the driver can often bring the system back to a correct state.

Performance characteristics

For decades, developers have criticized multiserver architectures based on microkernels for their lower performance compared to monolithic architectures. However, various projects have shown that a modular architecture can in fact deliver comparable performance. Although Minix 3 has not been optimized for performance, the system is quite fast. The performance penalty of running drivers in user mode rather than kernel mode is less than 10%, and the system, including the kernel, the common drivers, and all the servers (112 compilations and 11 links), can be built in less than 6 s on a 2.2 GHz Athlon.

The fact that multiserver architectures can support a highly reliable Unix-like environment with very little performance overhead makes this approach practical. Minix 3 for the Pentium can be downloaded free of charge under the terms of the Berkeley license from www.minix3.org. Versions for other architectures and embedded systems are currently under development.

Language-based protection

The most radical approach comes, somewhat unexpectedly, from Microsoft Research. It abandons the notion of an operating system as a single program running in kernel mode plus a set of user processes running in user mode. Instead, it proposes a system written entirely in new, type-safe languages that are free of all the pointer problems and other bugs associated with C and C++. Like the previous two approaches, this one was proposed several decades ago and was implemented in the Burroughs B5000 computer. At that time the only language available was Algol, and protection was provided not by the MMU (the machine had none) but by the fact that the Algol compiler simply did not generate "dangerous" code. The approach proposed by Microsoft Research adapts this idea to the conditions of the 21st century.

General description

The system, called Singularity, is written almost entirely in Sing#, a new type-safe language. The language is based on C#, but is extended with message passing primitives whose semantics are defined by formal contracts written in the language. Because the language tightly constrains system and user processes, all processes can run together in a single virtual address space. This increases both safety (since the compiler prevents one process from modifying another process's data) and efficiency (since it eliminates kernel traps and context switches).

Moreover, the Singularity architecture is flexible because each process is a closed entity and can therefore have its own code, data structures, memory layout, runtime system, libraries, and garbage collector. The MMU is supported, but it is used only to map pages, not to establish a separate protection domain for each process.

The core principle of the Singularity architecture is the prohibition of dynamic process extension. Accordingly, the architecture does not support loadable modules such as device drivers and browser plug-ins, since they could introduce foreign, untested code that might harm the parent process. Instead, such extensions must run as separate, completely isolated processes that communicate through the standard IPC mechanism.

Microkernel

The Singularity operating system consists of a microkernel process and a set of user processes that typically run in a shared virtual address space. The microkernel controls access to the hardware, allocates and frees memory, creates, destroys and schedules threads, handles thread synchronization using semaphores, handles interprocess synchronization using channels, and supervises input/output. Each device driver runs as a separate process.

Although most of the microkernel is written in Sing#, some components are written in C#, C++ or assembler and must be trusted, since their correctness cannot be verified. The trusted code includes the hardware abstraction layer and the garbage collector. The hardware abstraction layer hides the low-level hardware from the system by encapsulating concepts such as I/O ports, interrupt request lines, DMA channels, and timers, in order to provide portable abstractions to the rest of the operating system.

Interprocess communication

User processes obtain system services by sending strongly typed messages to the microkernel over bidirectional point-to-point channels. In fact, these channels are used for all interprocess communication. Unlike other message-passing systems, which provide send and receive as library functions, Sing# supports channels fully at the language level, including formal typing and protocol specifications. To make this clearer, let us look at a channel specification.

    contract C1 {
        in  message Request(int x) requires x > 0;
        out message Reply(int y);
        out message Error();

        state Start:   Request? -> Pending;
        state Pending: one {
            Reply! -> Start;
            Error! -> Stopped;
        }
        state Stopped: ;
    }

This contract states that the channel accepts three messages: Request, Reply, and Error. The first takes a positive integer as a parameter, the second takes an integer, and the third takes no parameters. When the channel is used to access a server, Request messages travel from the client to the server, and the other two messages travel in the opposite direction. The state machine describes the protocol of the channel.

In the Start state, the client sends a Request message, moving the channel to the Pending state. The server can respond with either a Reply message or an Error message. A Reply message returns the channel to the Start state, in which communication can continue. An Error message moves the channel to the Stopped state, ending communication on the channel.
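What the contract C1 buys in practice is that a message arriving in the wrong state, from the wrong end, or with a parameter that violates its precondition is rejected before either side acts on it. The following added example (written for this page; it is not Singularity or Sing# code, and the constructed server that doubles the request value is purely illustrative) implements C1's state machine in plain C as a runtime checker. The Sing# compiler performs these checks statically; a runtime version shows the same rules at work.

```c
#include <stdio.h>
#include <stdbool.h>

/* The three states of contract C1 and the two ends of a channel. */
typedef enum { START, PENDING, STOPPED } chan_state_t;
typedef enum { END_CLIENT, END_SERVER } chan_end_t;
typedef enum { MSG_REQUEST, MSG_REPLY, MSG_ERROR } msg_kind_t;

typedef struct { msg_kind_t kind; int value; } msg_t;

msg_t msg_request(int x) { msg_t m = { MSG_REQUEST, x }; return m; }
msg_t msg_reply(int y)   { msg_t m = { MSG_REPLY, y };   return m; }
msg_t msg_error(void)    { msg_t m = { MSG_ERROR, 0 };   return m; }

typedef struct {
    chan_state_t state;
    msg_t        last;        /* last message the contract accepted */
    int          violations;  /* messages rejected by the contract */
} channel_t;

void chan_init(channel_t *c) { c->state = START; c->last = msg_error(); c->violations = 0; }

/* Accept the message only if C1 allows it in the current state from this end;
   on acceptance advance the state machine, otherwise count a violation. */
bool chan_send(channel_t *c, chan_end_t from, msg_t m) {
    bool ok = false;
    switch (c->state) {
    case START:    /* only the client may speak: Request(x) with x > 0 */
        ok = (from == END_CLIENT && m.kind == MSG_REQUEST && m.value > 0);
        if (ok) c->state = PENDING;
        break;
    case PENDING:  /* only the server may speak: Reply -> Start, Error -> Stopped */
        if (from == END_SERVER && m.kind == MSG_REPLY)      { ok = true; c->state = START; }
        else if (from == END_SERVER && m.kind == MSG_ERROR) { ok = true; c->state = STOPPED; }
        break;
    case STOPPED:  /* nothing further is accepted on this channel */
        break;
    }
    if (ok) c->last = m; else c->violations++;
    return ok;
}

chan_state_t chan_state(const channel_t *c) { return c->state; }
int chan_violations(const channel_t *c)     { return c->violations; }
int chan_last_value(const channel_t *c)     { return c->last.value; }

/* Constructed server behaviour: Reply with 2*x, or Error for x above 1000. */
bool server_step(channel_t *c) {
    int x = c->last.value;
    if (x > 1000) return chan_send(c, END_SERVER, msg_error());
    return chan_send(c, END_SERVER, msg_reply(2 * x));
}

int main(void) {
    channel_t c;
    chan_init(&c);
    printf("Request(0):            %d (precondition x > 0)\n", chan_send(&c, END_CLIENT, msg_request(0)));
    printf("Request(21):           %d\n", chan_send(&c, END_CLIENT, msg_request(21)));
    printf("second Request:        %d (client may not speak in Pending)\n", chan_send(&c, END_CLIENT, msg_request(5)));
    printf("server Reply:          %d, value %d\n", server_step(&c), chan_last_value(&c));
    printf("Request(5000) + Error: %d %d, stopped: %d\n",
           chan_send(&c, END_CLIENT, msg_request(5000)), server_step(&c), chan_state(&c) == STOPPED);
    printf("violations: %d\n", chan_violations(&c));
    return 0;
}
```

Every rejected message is one that, in a system without contracts, would have reached the peer and had to be handled (or mishandled) there; with the protocol fixed in the channel type, neither side has to defend against messages the other is not allowed to send.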

Heap

If all data, such as file blocks read from disk, had to be transferred over channels, the system would run very slowly, so an exception is made to the basic rule that each process's data is entirely private and internal to that process. Singularity maintains a shared object heap, but every object on the heap is owned by exactly one process at a time. Ownership of an object can, however, be transferred over a channel.

As an example of how the heap works, consider I/O. When the disk driver reads a block of data, it places that block on the heap. The system then passes the handle to that block to the user process that requested the data, preserving the "single owner" principle while allowing the data to travel from disk to user without any additional copies.

File system

Singularity maintains a single hierarchical namespace for all services. The root name server implements the top of the tree, but other name servers can be mounted at their own nodes. In particular, the file system, which is just a process, is mounted at /fs, so for example the name /fs/users/linda/foo could be a user file. Files are implemented as B-trees, with block numbers as the keys. When a user process requests a file, the file system instructs the disk driver to place the requested blocks on the heap. Ownership is then transferred as described above.

Verification

Each system component has metadata describing its dependencies, exports, resources, and behavior. This metadata is used for verification. A system image consists of the microkernel, the drivers and applications needed for the system to operate, and their metadata. External verification modules (verifiers) can perform many checks on a system image before the system uses it, in particular to ensure that drivers have no resource conflicts. Verification proceeds in three stages:

  • the compiler checks type safety, object ownership, channel protocols, and so on;
  • the compiler generates Microsoft Intermediate Language, a portable JVM-like bytecode that can be verified by a verifier;
  • MSIL compiles to x86 code for the host computer, which can add runtime checks to the code (however, the existing compiler does not).

Higher reliability can be achieved by using tools to detect errors in the verifiers themselves.

Each of the four attempts to improve operating-system reliability described here aims to prevent faulty device drivers from crashing the system.

In the Nooks approach, each driver is individually wrapped in a software layer that carefully controls its interactions with the rest of the operating system, but all the drivers remain in the kernel. The paravirtual machine approach takes this idea further: the drivers are moved to one or more virtual machines separate from the main one, further restricting what the drivers can do. Both of these approaches are designed to improve the reliability of existing (legacy) operating systems.

The other two approaches replace legacy operating systems with more reliable and secure ones. The multiserver approach runs each driver and operating system component in a separate user process and allows them to communicate using the microkernel's IPC mechanism. Finally, Singularity, the most radical approach, uses a type-safe language, a single address space, and formal contracts that strictly limit what each module can do.

Three of the four research projects—L4-based paravirtualization, Minix 3, and Singularity—use microkernels. It is not yet known which of these approaches, if any, will become widespread in the future. It is interesting to note, however, that microkernels, long considered unacceptable because of their lower performance compared to monolithic kernels, may find their way back into operating systems because of their potentially higher reliability, which many now consider more important than performance. The wheel of history has turned.

Andrew Tanenbaum ([email protected]) is Professor of Computer Science at Vrije Universiteit (Amsterdam, the Netherlands). Jorrit Herder ([email protected]) is a PhD student in the Department of Computer Systems, Faculty of Informatics, Vrije Universiteit. Herbert Bos ([email protected]) is an Associate Professor in the Department of Computer Systems, Faculty of Informatics, Vrije Universiteit.

Literature
  1. V. Basili, B. Perricone, Software Errors and Complexity: An Empirical Investigation, Comm. ACM, Jan. 1984.
  2. T. Ostrand, E. Weyuker, The Distribution of Faults in a Large Industrial Software System, Proc. Int'l Symp. Software Testing and Analysis, ACM Press, 2002.
  3. A. Chou et al., An Empirical Study of Operating System Errors, Proc. 18th ACM Symp. Operating System Principles, ACM Press, 2001.
  4. M. Swift, B. Bershad, H. Levy, Improving the Reliability of Commodity Operating Systems, ACM Trans. Computer Systems, vol. 23, 2005.
  5. M. Swift et al., Recovering Device Drivers, Proc. 6th Symp. Operating System Design and Implementation, ACM Press, 2003.
  6. R. Goldberg, Architecture of Virtual Machines, Proc. Workshop Virtual Computer Systems, ACM Press, 1973.
  7. J. LeVasseur et al., Unmodified Device Driver Reuse and Improved System Dependability via Virtual Machines, Proc. 6th Symp. Operating System Design and Implementation, 2004.
  8. J. Liedtke, On Microkernel Construction, Proc. 15th ACM Symp. Operating System Principles, ACM Press, 1995.
  9. H. Hartig et al., The Performance of Microkernel-Based Systems, Proc. 16th ACM Symp. Operating System Principles, ACM Press, 1997.
  10. J.N. Herder et al., Modular System Programming in MINIX 3, USENIX ;login:, Apr. 2006; www.usenix.org/publications/login/2006-04/openpdfs/herder.pdf.

Andrew Tanenbaum, Jorrit Herder, Herbert Bos, Can We Make Operating Systems Reliable and Secure?, IEEE Computer, May 2006. IEEE Computer Society, 2006, all rights reserved. Reprinted with permission.

Are you looking for the most secure Linux distribution, one that is hardened and provides strong privacy?

Here are 15 of the most secure Linux distributions for privacy- and security-conscious users.

As you may already know, the operating system is the main software that lets you interact with your computer's hardware and software. It controls all the hardware and mediates access to the processor and memory.

Top 15 most secure Linux distributions

The number of Linux users is growing every day. Linux is still less common than other desktop operating systems, and its users tend to be the more technical ones.

Here is a list of the most secure Linux distributions, those that are specifically focused on security. This article concentrates on hardened security, which is the concern of many Linux users.

1. Qubes OS

If you're looking for the most secure Linux distribution for your desktop, Qubes comes out on top. Why? Qubes is a security-focused desktop operating system built on the Xen hypervisor; its administrative domain and default templates are Fedora-based. It protects you by running different activities in separate, isolated virtual machines (qubes).

Suppose you download malicious software without immediately realizing what it is, or you don't know whether a file is safe. Qubes is built for this: the malware stays confined to the qube it ran in, isolated from your other personal files, so it cannot do damage elsewhere. Cool, isn't it? Please note that this OS is best suited to advanced users; beginners will find it hard to operate, and it needs hardware with virtualization support.

2. Tails Linux

Tails is one of the best-known secure Linux distributions. It was first released in 2009 and is designed for personal computers. If you're looking for an OS that keeps you safe while browsing the Internet, Tails is a top choice.

It is a live system that ships with the Tor Browser preinstalled. All outgoing connections are forced through the Tor network and anything that cannot go through Tor is blocked, so you can use the Internet anonymously, and by default it leaves no trace on the computer you used. Keep in mind that Tor hides where your traffic comes from, not who you are: logging into personal accounts or sending identifying data over Tor still identifies you.

Tails does not touch the computer's hard drive; it runs entirely from RAM, which is wiped when you shut the system down (an optional encrypted Persistent Storage on the USB stick is available for data you deliberately choose to keep). It can be run as a live DVD or live USB; a flash drive is more convenient than a DVD. One common complaint is that the recommended installation procedure has required two USB drives, which many users find tedious.

3. Parrot Security OS

Parrot Security OS was developed by Frozenbox and released in 2013. It is a game changer for the security and privacy of a computer's operating system. Parrot Security OS is designed for penetration testing: running authorized, simulated attacks against your own computer systems to evaluate their vulnerabilities and find out whether they are strong enough.

It comes as a fully portable lab that keeps your system safe from unwanted infections while surfing the Internet, browsing, playing a game and so on. And if you are a forensic expert, this operating system is among the best...

4. Kali Linux

Kali Linux is a Debian-based distribution with preinstalled tooling, designed specifically for penetration testers and forensic experts. It comes with tools such as Aircrack-ng, Ettercap, Foremost, Wireshark, Kismet, Maltego and many more, which help with tasks such as exploiting a target's network or application, network discovery, or identifying a target's IP address.

Kali also includes Armitage, a graphical front end for the Metasploit Framework that helps you find and exploit targets, recommends exploits, and exposes the framework's advanced post-exploitation capabilities. Kali Linux is considered one of the best Linux distributions for security professionals; its tools are meant for authorized testing only.

Like Tails, this OS can be booted as a live DVD or USB drive, and it is easier to use than many comparable distributions. Kali runs on both 32-bit and 64-bit systems. This OS requires a minimum of 512 MB of RAM and 10 GB of hard drive space.

5. Whonix

If you want to hide your IP address, Whonix is a good fit. Whonix is a Debian-based operating system focused on anonymity, privacy and security, and it achieves them through isolation.

It consists of two virtual machines. One is the Workstation, where you run your applications; the other is the Gateway, the only machine with network access, which forces every connection to go through the Tor network. Because the Workstation has no direct route to the Internet, even a compromised application cannot learn or leak your real IP address. The isolation is only as strong as the virtualization boundary, so the hypervisor and both VMs need to be kept up to date.

6. Discreete Linux

Perhaps you want to keep your data safe and are still looking for the best security distribution for your Linux system. Let your fears fly away. Discreete Linux is said to be one of the most secure Linux distributions for protecting valuable data.

This OS does not connect to the Internet at all while in use, which keeps your data and cryptographic keys separated from any untrusted network. Another interesting thing is that it is purely a live system, so you don't need to install it on your computer; you can run it straight from a USB drive.

7. Linux Kodachi

Do you want to remain completely anonymous while surfing the Internet? Then Linux Kodachi is one of the most secure Linux distributions you could want. Many users say it is the most secure Linux distribution they have ever used. Personally I've never tested it though. The operating system comes with Tor, a VPN and DNSCrypt preconfigured and can be booted from a DVD or USB drive.

You can select your exit country when you go online. The system also includes many other useful applications, such as Pidgin Internet Messenger, Transmission, VirtualBox, Geany, FileZilla and more. Finally, I must say that this operating system comes with everything you need to protect the user.

8. BlackArch Linux

BlackArch Linux is an Arch Linux-based security distribution designed for penetration testing. It offers a huge number of tools, reportedly about twice as many as Kali Linux.

Tools can be installed individually or, if you prefer, by group. The OS is straightforward to use, and it is lightweight enough to run on modest hardware.

9. Heads OS

Heads is a free security distribution based on GNU/Linux. It is significantly smaller than the others and easier to manage. Heads uses only free software, which reflects the project's emphasis on user and community freedom.

Like the other systems above, Heads uses Tor to keep you anonymous while surfing the Internet. All your traffic goes through Tor by default, but you can switch this off if you want. Heads puts its users first.

10. Subgraph OS

Like Tails, Subgraph OS is a Debian-based operating system designed to resist surveillance and interference by sophisticated Internet adversaries. It is meant for everyone: its GNOME-based desktop environment is very user-friendly.

On the security side, Subgraph limits what an attacker can do through access control and application sandboxing, and hardens the kernel against memory corruption exploits with the grsecurity/PaX patch set. Grsecurity/PaX provides address space protection (non-executable memory pages and stronger address space layout randomization), enhanced auditing, and process control; the result is that a bug in an application is far harder to turn into code execution.

11. IprediaOS

This distribution lets you browse the web, send email, chat and share files anonymously. All connections go through the I2P network.

Unlike most anonymity distributions, IprediaOS supports torrents (inside I2P). I2P is claimed to be faster than Tor for such in-network traffic, and the OS runs well even on an old computer.

12. PureOS

If you are looking for a user-friendly privacy distribution that you are free to modify, PureOS is it. PureOS is entirely free software and ships with privacy-respecting defaults, including the DuckDuckGo search engine.

This protects your privacy by avoiding profiled, personalized search results. Since it is free software, you can download it without paying anything, obtain its source code and change it as you wish.

13. Openwall GNU/*/Linux

Openwall GNU/*/Linux (Owl) is a security-hardened Linux distribution designed for servers and the applications that run on them. It improves security by reducing exploitable flaws in its software components and by shipping the Openwall kernel patch, best known for its non-executable stack patch. It is a free server platform built for this purpose.
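The protections described above for Subgraph (grsecurity/PaX) and here for Openwall (the non-executable stack patch) address the same question: can the stack be executed? On a stock Linux kernel the answer comes from the binary itself, through the PT_GNU_STACK program header the toolchain writes; a PaX kernel applies its own per-binary flags rather than simply trusting that header. The check below is an added example written for this article, not code from either project. It reads the PT_GNU_STACK header from ELF files (32- and 64-bit, either byte order) and reports the kernel's ASLR setting. The ELF constants are from the ELF specification; `build_elf64` only fabricates a minimal test image and is an assumption of this example, not a real program.

```python
import struct
import sys
from typing import Optional

# ELF constants (ELF specification / Linux ABI).
PT_GNU_STACK = 0x6474E551   # program header that records the permissions the stack needs
PF_X = 0x1                  # p_flags bit: executable
PF_W = 0x2                  # p_flags bit: writable
PF_R = 0x4                  # p_flags bit: readable


def gnu_stack_flags(data: bytes) -> Optional[int]:
    """Return the p_flags of the PT_GNU_STACK program header, or None if the binary has none.

    Handles ELF32 and ELF64 in either byte order. Only the ELF header and the
    program header table are read, so this never executes the file.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:      # ELFCLASS64
        ehdr = struct.unpack_from(endian + "HHIQQQIHHHHHH", data, 16)
        phdr_fmt = endian + "IIQQQQQQ"   # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        flags_idx = 1
    elif ei_class == 1:    # ELFCLASS32: p_flags comes after p_memsz
        ehdr = struct.unpack_from(endian + "HHIIIIIHHHHHH", data, 16)
        phdr_fmt = endian + "IIIIIIII"   # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        flags_idx = 6
    else:
        raise ValueError("unknown ELF class")
    e_phoff, e_phentsize, e_phnum = ehdr[4], ehdr[8], ehdr[9]
    for i in range(e_phnum):
        phdr = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if phdr[0] == PT_GNU_STACK:
            return phdr[flags_idx]
    return None


def stack_policy(data: bytes) -> str:
    """Classify what the binary asks of the loader: 'noexec', 'exec' or 'missing'.

    'missing' means an old toolchain emitted no PT_GNU_STACK header; Linux has
    historically treated that as a request for an executable stack.
    """
    flags = gnu_stack_flags(data)
    if flags is None:
        return "missing"
    return "exec" if flags & PF_X else "noexec"


def aslr_level() -> Optional[int]:
    """Kernel-side counterpart: /proc/sys/kernel/randomize_va_space (0 off, 1 partial, 2 full).
    Returns None when not running on Linux."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def build_elf64(stack_flags: Optional[int]) -> bytes:
    """Constructed test input (not a real program): a minimal x86-64 ELF whose only
    program header is PT_GNU_STACK with the given flags; None omits the header."""
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = struct.pack("<HHIQQQIHHHHHH",
                       2, 0x3E, 1, 0,      # ET_EXEC, EM_X86_64, EV_CURRENT, e_entry
                       64, 0, 0,           # e_phoff (right after the header), e_shoff, e_flags
                       64, 56, phnum,      # e_ehsize, e_phentsize, e_phnum
                       0, 0, 0)            # no section headers
    phdr = b"" if stack_flags is None else struct.pack(
        "<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ident + ehdr + phdr


if __name__ == "__main__":
    # Usage: python elf_stack_check.py /bin/ls /path/to/other/binary
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(f"{path}: stack={stack_policy(f.read())}")
    print(f"kernel ASLR level: {aslr_level()}")
```

Run it against a few system binaries; anything reporting `exec` or `missing` is a candidate for rebuilding with the linker flag `-z noexecstack`, because on a stock kernel such a binary gets exactly the executable stack that the Openwall and PaX patches exist to prevent.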

14. Alpine Linux

Alpine Linux is a security-oriented distribution based on musl libc and BusyBox. It is as light as you would expect: the base system is about 5 MB, smaller than most alternatives, which is one reason it is so popular for containers. On the security side, all userland binaries are compiled as position-independent executables with stack-smashing protection.

BusyBox bundles many tools into a single binary; bunzip2, bzip2, less, lzma, unlzma, vi and wget are just a few of them. These tools are in the Alpine base image but not in the Debian base image. Alpine's apk package manager is fast and easy to use.

15. Container Linux (formerly CoreOS)

If you like to run many machines and update them without downtime, Container Linux (formerly CoreOS) is your distribution. It is a lightweight Linux built for clusters and servers, and it became popular because it is easy to deploy, manage and run containers on. Originally CoreOS supported only Docker; it later added rkt (Rocket) as an alternative runtime. The OS updates itself automatically, which keeps security fixes current. Note that Container Linux reached end of life in 2020; Flatcar Container Linux and Fedora CoreOS are its successors.

Linux distributions can be divided into different categories, depending on their purpose and intended target group. Servers, education, games and multimedia are some of the popular categories of Linux distributions.

For users concerned about security, there are several distributions designed for enhanced privacy protection. These builds aim to protect you from having your activity tracked while you surf the Internet.

However, our selection includes not only distributions with an emphasis on privacy, but also distributions for conducting intrusion testing. These builds are specifically designed for analyzing and assessing system and network security and contain a wide range of specialized tools for testing systems for potential vulnerabilities.

BackBox

An Ubuntu-based distribution designed for penetration testing. Using XFCE as the default desktop makes it very fast.

The software repositories are updated constantly so that the user always has the latest versions of the built-in tools, which cover web application analysis, stress testing, vulnerability assessment, privilege escalation and much more.

Unlike other distributions, which bundle a large set of miscellaneous applications, BackBox avoids such redundancy: you will find only the best tools for each individual task or goal, sorted into categories so they are easy to find.

Wikipedia provides short overviews of many of the built-in tools. Although BackBox was originally created purely for testing, it also supports the Tor network, which helps hide your digital presence.

Kali

Probably the most popular penetration testing distribution. Based on Debian (Debian Wheezy at the time of writing), it is developed by Offensive Security Ltd as the continuation of the earlier BackTrack Linux project.

Kali is available as 32-bit and 64-bit ISO images, which can be written to a USB drive or DVD, or installed on a hard disk or SSD. The project also supports the ARM architecture and can even run on a Raspberry Pi single-board computer, and it includes a huge number of analysis and testing tools. The default desktop is GNOME, but Kali lets you build a custom ISO with a different desktop environment. This highly customizable distribution even lets users modify and rebuild the Linux kernel to suit specific requirements.

Kali's standing can be judged by the fact that it is the supported platform for the Metasploit Framework, a powerful tool for developing and executing exploit code against a remote target.

Pentoo

Available for 32-bit and 64-bit machines, Pentoo is a penetration testing distribution based on Gentoo Linux. Gentoo users can optionally install Pentoo as an overlay on top of their main system. The distribution uses XFCE and supports persistence, so changes you make are kept on the USB drive for future sessions.

The built-in tools are divided into 15 categories, such as Exploit, Fingerprint, Cracker, Database, Scanner and so on. Being based on Gentoo, the distribution inherits Gentoo's hardening features, which allow additional security settings and finer-grained control of the system. The Application Finder utility helps you locate applications across the categories quickly.

Because the distribution is based on Gentoo, you may need some manual work to get your network card and other hardware components running. At boot, select the hardware check option and configure your devices.

Security Onion

Based on Ubuntu, this distribution is designed for intrusion detection and network security monitoring. Unlike most pentesting distributions, which are offensive in nature, it is a defensive system.

The project nevertheless includes many of the offensive tools found in other penetration testing distributions, alongside network monitoring tools such as the Wireshark packet analyzer and the Suricata intrusion detection engine.

Security Onion is built around XFCE and includes the essential applications found in Xubuntu. It is not intended for amateurs but for experienced professionals with a working knowledge of network monitoring and intrusion prevention. Fortunately, the project maintains detailed guides and video tutorials to help you work with this complex software.
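What Security Onion actually hands an analyst is Suricata's EVE JSON log: one JSON object per line, including alert events that carry a signature ID, signature name, severity (1 is the highest) and the addresses involved. The triage script below is an added example written for this article, not code from the Security Onion or Suricata projects. It parses such a log, skipping truncated lines, collapses repeated alerts into one bucket per signature and address pair, and ranks outbound alerts from internal hosts first, since an internal machine tripping a rule while talking to the Internet is a stronger sign of compromise than the constant inbound scanning every site sees. The log lines, signature IDs and the INTERNAL_NETS ranges are constructed for the example.

```python
import json
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Address ranges treated as "our" network; assumed for this example, set to the monitored site's ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample in Suricata's EVE JSON format (one object per line). The signature IDs,
# names and addresses are made up for this example; the last line imitates a truncated record.
SAMPLE_EVE = """
{"timestamp":"2024-03-01T09:15:02.123456+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE WEB Suspicious User-Agent","category":"Potentially Bad Traffic","severity":3}}
{"timestamp":"2024-03-01T09:15:03.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":5,"pkts_toclient":4}}
{"timestamp":"2024-03-01T09:16:10.000000+0000","event_type":"alert","src_ip":"203.0.113.9","src_port":4444,"dest_ip":"10.0.0.22","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":2,"signature":"EXAMPLE SCAN SSH connection burst","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-03-01T09:16:11.000000+0000","event_type":"alert","src_ip":"203.0.113.9","src_port":4445,"dest_ip":"10.0.0.22","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":2,"signature":"EXAMPLE SCAN SSH connection burst","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-03-01T09:20:00.000000+0000","event_type":"alert","src_ip":"10.0.0.22","src_port":39000,"dest_ip":"203.0.113.50","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000003,"rev":1,"signature":"EXAMPLE MALWARE Beacon-style HTTPS check-in","category":"Malware Command and Control Activity Detected","severity":1}}
{"timestamp":"2024-03-01T09:20:01.000000+0000","event_type":"alert","src_ip":"10.0.0.22","src_po
"""


def parse_eve(text: str) -> List[dict]:
    """Parse EVE JSON lines; blank or malformed lines (e.g. cut off by log rotation) are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(src: str, dst: str) -> str:
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal" if src_in and dst_in else "external"


def summarize_alerts(events: List[dict]) -> Dict[Tuple[int, str, str, str], dict]:
    """Collapse repeated alerts into one bucket per (sid, signature, src, dest) with count and timing."""
    buckets: Dict[Tuple[int, str, str, str], dict] = {}
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        a = ev["alert"]
        key = (a["signature_id"], a["signature"], ev["src_ip"], ev["dest_ip"])
        b = buckets.setdefault(key, {"count": 0, "severity": a["severity"],
                                     "first": ev["timestamp"], "last": ev["timestamp"]})
        b["count"] += 1
        b["severity"] = min(b["severity"], a["severity"])   # Suricata: 1 is the highest priority
        b["last"] = max(b["last"], ev["timestamp"])
    return buckets


def triage(events: List[dict]) -> List[dict]:
    """Rank buckets for an analyst: outbound first, then by severity (1 = worst), then by volume."""
    rows = []
    for (sid, sig, src, dst), b in summarize_alerts(events).items():
        rows.append({"sid": sid, "signature": sig, "src": src, "dest": dst,
                     "direction": direction(src, dst), **b})
    rows.sort(key=lambda r: (r["direction"] != "outbound", r["severity"], -r["count"]))
    return rows


if __name__ == "__main__":
    # Usage: python eve_triage.py < /nsm/suricata/eve.json   (no input: the constructed sample is used)
    import sys
    text = SAMPLE_EVE if sys.stdin.isatty() else sys.stdin.read()
    for r in triage(parse_eve(text)):
        print(f'{r["direction"]:8} sev={r["severity"]} x{r["count"]:<3} {r["src"]} -> {r["dest"]}  '
              f'[{r["sid"]}] {r["signature"]}  ({r["first"]} .. {r["last"]})')
```

The ordering encodes a judgement, not a rule: the two SSH-scan alerts from the Internet are collapsed into one line and sink to the bottom, while the single severity-1 beacon alert from an internal host rises to the top, which is what an analyst on a Security Onion console should look at first.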

Caine

BlackArch

Default account: root:blackarch (change this password before the machine is reachable over the network). BlackArch is over 4 gigabytes in size and comes with several window managers, including Fluxbox, Openbox and Awesome.

Unlike other penetration testing distributions, BlackArch can also be used as a privacy-enhancing tool. In addition to analysis, monitoring and testing tools, it includes anti-tracking tools, in particular sswap for securely wiping swap space and ropeadope for wiping system logs, and many other privacy programs.

Parrot Security OS

Developed by the Italian IT security and programming community Frozenbox and based on Debian, Parrot Security OS can be used both for penetration testing and for preserving privacy. Like BlackArch, it is a rolling-release distribution. The default login for a Live session is root:toor.

The Live image offers several boot options, such as persistent mode or persistent mode with data encryption. In addition to analysis tools, the distribution includes several anonymity programs and cryptographic software.

The customizable MATE desktop environment offers an attractive interface, and Parrot Security OS runs quickly even on machines with 2 gigabytes of RAM. The system includes several niche utilities, for example apktool, a tool for decompiling and rebuilding Android APK files.

For users who care about privacy, the distribution provides a special category of applications where anonymous Internet surfing (through the Tor network) can be enabled with one click.

JonDo

“Anonymous” Linux operating systems are designed for sensitive activities in digital life, for example making bank transfers in online banking systems from someone else's computer. At a minimum, these systems come preconfigured on a portable device so that you can browse the web quickly and securely without telling everyone in clear text where, or who, you really are.
We put "Anonymous" Linux in quotes for two reasons:

  1. First, successfully hiding your identity online involves a lot more care and discipline than simply installing the appropriate software or using a secure OS.
  2. Second, and sometimes first: think about which computers you work on. Other people's machines may already be infected with Trojans and keyloggers, and if you are forced to use them for your personal life, checking mail, or worse, checking your finances, they can capture your passwords and personal information and use them later. I hope this article will help you deal with such situations.

Below (in this series of articles), you will find five secure OSes designed with anonymity and general privacy protection as their primary goal.

Five most secure operating systems:

So your choice of a secure OS should definitely be Linux, for several reasons:

  1. First: Windows was never developed for such purposes, and it has always been closed to outside eyes (its source code is proprietary, so we have no way of knowing what is inside). In theory Windows can be hardened for safe use, but hardly anyone does it, and it would take a huge amount of time. Linux, thanks to its openness, lets you do whatever you want with it. Moreover, people have already built special Linux variants that are hardened and preconfigured for anonymity, a ready-made “spy kit”.
  2. Second: Live CD technology. Linux can boot and run very quickly without being installed on the hard drive. You can carry such a secure OS on an optical disc or a USB flash drive in your pocket. In the blink of an eye you get an operating system with a ready-made desktop and the applications you need for working on the Internet, regardless of which operating system is installed on the computer you have to use. Keep in mind that booting a live system bypasses malware living in the host's operating system, but not a hardware keylogger or compromised firmware on that machine.

We present to your attention a selection of the 10 best operating systems that are perfect for both everyday work and for finding new features for your PC.

Despite the widespread use of the various versions of Windows, every year more and more users start looking for new and interesting operating systems.

Installing a new system on your computer lets you work with programs that do not run on Windows. Some users choose other operating systems to keep their data secure. Simple and lightweight systems also speed up old laptops noticeably and help with constant overheating and slowdowns.

10th place – Windows 10

Although this rating does not cover the many versions of Windows individually, we cannot help but highlight one of the most successful and fastest of them, Windows 10. Don't be surprised that we put Windows in 10th place. Yes, it is the most popular, and precisely because of this it is the most heavily targeted by malware and not always safe. It also costs money, unless, of course, you downloaded it from pirate sites.

The system is very simple to use and will appeal to both fans of the metro interface and those who are accustomed to the regular Start menu. The official build contains all the necessary programs to get started, including a new fast browser MS Edge.

Windows 10 benefits:
  • The Start menu is back. In Windows 8 the developers bet on a tiled interface, which did not delight users. Now the PC owner can choose how to work with the start screen;
  • Windows 10 was Microsoft's latest release at the time of writing, so the company's efforts were focused on improving and maintaining it. Security updates ship regularly (monthly on Patch Tuesday, with out-of-band fixes for urgent issues), and Microsoft responds quickly to new malware. Owners of licensed copies of Windows 10 have repeatedly noted that prompt updates let them avoid mass malware outbreaks;
  • Cortana voice assistant. With the built-in speech recognition service, working with search is even easier;
  • Built-in protection. Microsoft Defender Antivirus detects threats, blocks the execution of malicious code and lets you scan the system, and Windows Defender Firewall filters network traffic, so many users need no additional antivirus. Neither replaces timely patching;
  • Quick start. On most modern hardware the operating system boots in under 15 seconds;
  • Multiple desktops. Users can add any number of virtual desktops and switch between them with hotkeys.

It is worth noting that Windows supports almost any games and programs, so there will definitely not be any problems installing the software.

Disadvantages of Windows 10:
  • User tracking. Microsoft does not hide the fact that Windows 10 collects data about user activity. The system checks the PC for illegal use of Microsoft software, and cracked products can simply be removed. It also sends telemetry to Microsoft, which reportedly extends to visited resources and screenshots. Most of these options and permissions can be disabled in Settings, although basic diagnostic telemetry cannot be switched off completely on consumer editions;
  • Usage policy. Even long after release, the developers have not settled on a distribution policy. In the first year, owners of Windows 7/8 licenses could upgrade to Windows 10 for free; today it costs money (from 8,000 to 14,000 rubles, depending on the edition). At the same time, a loophole was found that allowed a free upgrade through the built-in assistive technologies offer.

9th place – ROSA

ROSA is a Russian Linux distribution, forked from Mandriva and substantially reworked by the ROSA company's developers (it has its own desktop tooling, not a rewritten kernel). The goal of the project is a functional, free and convenient system that suits any Russian-speaking user.

ROSA is completely free, and there are no purchases inside the OS either. The free availability of the distribution has helped it spread not only among home users but also in large organizations: ROSA is reportedly used in units of the Russian Ministry of Defense and in many private companies across the country.

Advantages of ROSA OS:
  • Everything is ready to go. After installing the system, you do not need to hunt for drivers or additional programs; everything you need is already there. If you want more, install it from the distribution's repositories. Linux malware is much rarer than Windows malware, but installing software from random third-party sites is still a risk, so prefer the official repositories;
  • Test mode. For those who have not yet decided to switch to ROSA completely, there is a live mode. Create a regular installation flash drive and boot from it: the OS is not installed, but you can get acquainted with its interface and functionality;
  • User-friendly interface. The arrangement of all elements is well thought out, and even a beginner can master the system in 10-15 minutes. Programs are conveniently grouped into tabs on the desktop, frequently used ones can be pinned to the toolbar, and the home screen resembles the Windows desktop;
  • Malware protection. The risk of running into malware is low: a Windows virus embedded in a downloaded file will not run on Linux. Linux-specific malware does exist, however, so this is no reason to skip updates or to install software from untrusted sources.

Among the disadvantages of ROSA is the limited number of programs: not all Windows software has a Linux equivalent.

8th place – FreeBSD

FreeBSD is an operating system designed for servers and, nowadays, regular desktop PCs as well. More than 30 years have passed since development of the system began (the first FreeBSD release was in 1993). Today FreeBSD is a simple, reliable and convenient OS that can replace the usual Windows.

Benefits of FreeBSD:
  • Free license and download from the network;
  • Open source code allows you to modify the system;
  • Adoption. FreeBSD runs the server side of many popular sites around the world, including WebMoney, AliExpress and ASOS;
  • Protection and reliability. The OS logic is well thought out and it uses PC resources sparingly, so FreeBSD runs fast even on low-end computers;
  • Large selection of software. More than 4,000 developers from around the world maintain ports of programs for FreeBSD, so current versions of all popular programs quickly become available.
Disadvantages of FreeBSD:
  • Difficulty of setup. This is the main reason for FreeBSD's low popularity among ordinary users. Once you have worked through the initial setup, you have a lean system that runs noticeably faster than Windows on the same hardware;
  • Finding documentation. If you want to administer your own FreeBSD server, set aside time to work through the administration documentation (the FreeBSD Handbook is the place to start).

For security, FreeBSD provides the usual layers of protection: disk encryption (GELI), jails for isolating services, pf or ipfw for filtering incoming and outgoing traffic, a mandatory access control framework, and periodic security scripts that report suspicious changes such as new setuid binaries.

7th place – Fedora

Fedora is a Linux distribution that emphasizes free software. Note that some drivers may be closed source, and some software has a restricted license (for example, codecs for media playback), which is why it is not included by default.

Fedora Benefits:
  • Use of the GNOME environment. Fedora's GNOME desktop is considered one of the most polished desktop implementations in any operating system;
  • Easy to use. The developers have created a simple and attractive design for the desktop and application overview. You move quickly between open applications and folders thanks to the side dock;
  • Preinstalled programs. After installation you have everything you need to start working with Fedora (a web browser, file manager, image viewer, virtual machine manager and more);
  • Quick installation of new applications. Software is installed through the application center, much as on a smartphone;
  • Over-the-air updates. New OS releases can be downloaded and installed with the GNOME Software utility.
Disadvantages of Fedora:
  • Among developers Fedora is seen as a testing ground: applications arrive quickly, but there is a higher chance that software is unfinished or unstable.

6th place – Elementary OS

Elementary OS is a fast yet functional replacement for the familiar Windows. The developers position it as a simple working environment, as the name suggests.

The system is built on Ubuntu LTS and the Linux kernel. Elementary OS is free of charge and runs on most computer hardware.

Advantages of Elementary OS:
  • Convenient and pleasant interface. The minimalist style is the basis of the operating system functionality. A minimum of elements have been added to the desktop, but all of them allow you to manage the OS without any problems. It should be noted that windows switch smoothly and programs load very quickly;
  • Easy to learn. Even a novice user can understand Elementary OS. No complex commands, forced work with the console and unclear parameters. The functionality can be compared to the ease of use of the Android mobile OS - everything basic settings can be adjusted in the desktop tools window.;
  • Good set of standard programs. As a rule, users do not take the applications preinstalled in an OS seriously. In the case of Elementary OS, the developers have tried to create a useful basic software package that you will not want to remove;
  • Regular stream of new programs. Developers quickly adapt programs for Elementary OS.

Overall, the system is great for home use. It is still not the right choice for administering a server or building a workstation. For security, Elementary OS relies on the standard protections of its Ubuntu base, including its regular security updates.

If you have weak computer or you want to install an additional “light” OS, feel free to choose Elementary OS.

5th place – Chrome OS

Chrome OS is Google's operating system built on the open-source Chromium OS project. It uses the Linux kernel with Google's own user space and services on top (it is not a hybrid kernel).

The OS is distributed completely free of charge, and its popularity among users is due to fast work and nice design.

Advantages of Chrome OS:
  • The system is built around web applications, and the Chrome browser plays the key role: it loads and runs them;
  • No special hardware requirements. Thanks to Chrome OS's simple concept, you do not need a powerful PC or laptop; the system was designed for low-performance machines (netbooks and budget laptops). Using web services reduces the load on the disk and RAM;
  • Automatic security. Updates are downloaded and applied automatically, the OS uses verified boot to detect tampering with the system image, and applications run in sandboxes;
  • Easy to use;
  • Software availability. On supported devices you can install Android apps from Google Play, so the user will not run short of applications, and many of them are adapted for a desktop screen.

At first glance, the Chrome OS interface resembles a combination of Android and Windows. Installed programs are placed in a separate menu, and the system is controlled from the toolbar, as on the Windows desktop.

The main disadvantage of Chrome OS is the need for a constant Internet connection. A Wi-Fi or Ethernet connection is advisable; without one, you will not be able to work with web services.

4th place – OpenSuse

OpenSuse is another popular distribution built on the Linux kernel. It is used on both servers and home computers. New versions of the system are released regularly; all release dates can be found on the developer’s website.

An OpenSuse user can customize the system on their own; no programming skills are needed. Changing the interface amounts to choosing the desktop environment you like. While most Linux builds work with only one desktop environment, OpenSuse supports several; the most popular are KDE and XFCE.

Benefits of OpenSuse:
  • Easy setup. The whole operating system can be managed through a single application, YaST, which adjusts the OpenSuse operating parameters. Users can add repositories and manage boot parameters, OS partitions, network connection settings and other options on their own;
  • Free software. OpenSuse runs all the programs you need, and the system automatically adapts the software to your computer;
  • Easy installation of programs. Unlike most Linux builds, you no longer need to add repositories, import access keys or work through complex settings yourself. Just download the desired program from the official source https://software.opensuse.org/ and install it in one click.
Disadvantages of OpenSuse:
  • The standard build lacks codecs and driver software, which complicates the initial OS setup;
  • Users report unstable operation of the standard MonSoon torrent client.

3rd place – Ubuntu

Ubuntu is a universal operating system based on Debian GNU/Linux. It works well on servers, personal computers and laptops. The standard build ships with the Unity desktop environment.

Ubuntu benefits:
  • Hardware support. Ubuntu supports a huge number of device types. For example, any device connected via USB will work without problems and without additional driver software;
  • User support. Ubuntu has the largest and most responsive community; beginners can find answers to all their questions on the developer's official website;
  • Reliability. The OS has built-in utilities for data backup: the system creates copies of important files on its own, archives them and sends them to the cloud. This is what makes Ubuntu reliable. If you administer a server on this OS, there is no better way to quickly roll back data;
  • Security system. The developers provide a whole set of applications that monitor for vulnerabilities in the background. Ubuntu is considered the strongest Linux distribution in terms of security;
  • Program Center. A special utility for searching for and installing programs that also lets a beginner learn the basics of installing software under Linux. Each application's page has a detailed description of the software, its requirements and reviews from other users.

Ubuntu is distributed free of charge. As for the system's shortcomings, there is no simple means of migrating from Windows. Ubuntu also lacks effective parental control utilities, so installing the distribution for family use is not recommended.

2nd place – MacOS

MacOS is a family of operating systems from Apple. At the moment, the most current build is Mac OS Sierra. Unlike the operating systems described above, Mac does not run on a Unix-like system but on Apple’s own native engine.

The system is distributed free of charge.

Advantages of MacOS:
  • Usability and graphical shell. This OS is recognized as the most user-friendly system. All options and settings are designed to be learned quickly. The interface is multilingual, intuitive and convenient;
  • High degree of protection. Mac OS is the most secure of all modern operating systems. The number of viruses is close to zero, and the built-in antivirus handles all “pests”;
  • Easy installation and removal of programs. Simply move the shortcut to the trash to remove the application completely; Mac OS does the rest for the user. You don't need to clean up your hard drive manually as you do in Windows or Linux;
  • Stable operation. Thanks to the high compatibility of its components, users do not encounter bugs, freezes or crashes in the OS.
Disadvantages of MacOS:
  • Compatibility. If you own a regular PC rather than a Macintosh, you can install the operating system only if your hardware components are compatible. MacOS runs on a limited range of processors (mostly Intel Core and Xeon);
  • Fewer programs than in Windows.

1st place – Linux Mint

Linux Mint is recognized as the best build for installation on user PCs. It satisfies all the requirements of the average user: it is distributed free of charge, is compatible with any hardware, uses PC resources efficiently and has a user-friendly interface.

Benefits of Linux Mint:
  • Quick start. The system boots in 10-12 seconds, which is significantly faster than Mac OS and most Windows systems;
  • Support for working with multiple desktops;
  • Built-in utility for quickly installing and uninstalling programs. In this version of Linux, users do not have to deal with repositories; everything is set up for comfortable work with software;
  • Multilingual interface;
  • Quick troubleshooting. If a program freezes, you can kill its process with a single key press;
  • Supported by all desktop PCs and laptops;
  • User-friendly interface.
Disadvantages of Linux Mint:
  • A limited amount of software for specific tasks (video editing, working with graphics, etc.);
  • Lack of a stable graphics driver for AMD, which may cause some games not to work correctly.

Bottom line

When choosing an operating system, first consider the tasks you set for your software environment. Need a fast and secure OS for everyday use? Look at Unix-like systems.

If you want a reliable OS with excellent graphics, we recommend Mac OS. If you like the interface and functionality of mobile systems, try Chrome OS.