
If you care about security, you should not rely on perfect code. Consider compartmentalization instead: https://qubes-os.org. Works for me (or so I hope).


Also consider policy [1].

It's become a dirty word because it's been somewhat hijacked by management-class values and wrapped up in an unthinking "compliance and audits" mind-set.

Thinking about what you want to allow, where to draw lines, planning in advance and sticking to it (including using tricks that force you to stick to it) is mature security thinking. You only have to be an organisation of one person to have a security policy.

https://news.ycombinator.com/context?id=32248506


I don't like the architecture because it looks like a set of ugly hacks. You don't need virtual machines to isolate applications because the CPU already has a sandbox provided by protected mode. The problem is that legacy OSes like Linux/Mac/Windows are unable to use this sandbox effectively.

For example, here [1] they show a separate VM for the USB stack. But why do you need it if you can simply run the USB stack in protected mode?

Also, I assume that running so many VMs requires a lot of drive space and hurts performance.

[1] https://www.qubes-os.org/intro/


> I don't like the architecture because it looks like a set of ugly hacks.

It's not a set of hacks. You simply isolate your workflows using hardware virtualization, transparently to the user.

> You don't need virtual machines to isolate applications because CPU already has a sandbox provided by protected mode.

What exactly do you mean? Qubes uses VT-d hardware virtualization. AFAIK it's the most secure compartmentalization method, and you can't use it without VMs.

> But why do you need it if you can simply run USB stack in protected mode?

On how many lines of code do you rely in "protected mode"? On Qubes, you assign the devices to VMs and hide them from dom0, so they can't attack it. It relies on Xen, one of the most tested pieces of software, with a small Trusted Computing Base. See this: https://www.qubes-os.org/faq/#why-does-qubes-use-xen-instead....

> Also, I assume that running so many VMs requires a lot of drive space and hurts performance.

You need a lot of RAM if you want to run a lot of VMs simultaneously. But you don't have to. CPU performance should not be affected much. Drive space is saved by using TemplateVMs (which provide the root partition to other VMs): https://www.qubes-os.org/doc/templates/.
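As an added illustration of the two points in the reply above (assigning a device to a VM so dom0 no longer touches it, and building the VM from a TemplateVM so it costs little disk), here are the dom0 commands that create a USB qube and hand it a USB host controller. This is example code written for this thread, not the Qubes project's own script or documentation; the PCI address `00_14.0`, the template name `fedora-36` and the qube name `sys-usb` are assumptions you must replace with your own (`qvm-pci list dom0` and `qvm-template list` show what you actually have). Outside dom0 the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example for this thread (not from the Qubes project). It creates a
# dedicated USB qube from a TemplateVM and moves a USB host controller into
# it, so that the controller's driver stack runs in that qube instead of dom0.
#
# ASSUMED placeholders (constructed for the example, replace with your own):
#   QUBE      name of the USB qube
#   TEMPLATE  TemplateVM that supplies the qube's root filesystem
#   PCI_DEV   backend:BDF of the USB controller, as printed by `qvm-pci list dom0`
QUBE="${QUBE:-sys-usb}"
TEMPLATE="${TEMPLATE:-fedora-36}"
PCI_DEV="${PCI_DEV:-dom0:00_14.0}"

# Run the command when the qvm tools are present (i.e. we are in dom0);
# otherwise echo it, so the procedure can be read and checked on any host.
run() {
    if command -v qvm-pci >/dev/null 2>&1; then
        "$@"
    else
        echo "$*"
    fi
}

create_usb_qube() {
    # 1. The qube's root filesystem is the template's; only its private
    #    volume is its own, which is why many qubes share little disk.
    run qvm-create --template "$TEMPLATE" --label red "$QUBE"

    # 2. Persistently bind the controller to the qube. Once it starts, dom0's
    #    kernel no longer drives the device and the IOMMU (VT-d) confines the
    #    device's DMA to that qube's memory, so a malicious USB device can at
    #    worst compromise the USB qube, not dom0.
    run qvm-pci attach --persistent "$QUBE" "$PCI_DEV"

    # 3. Start it at boot, since USB input devices will now go through it.
    run qvm-prefs "$QUBE" autostart true
}

# Sanity check: the device must be one dom0 currently exposes. In dom0 this
# greps the real listing; elsewhere it only reports that no check was possible.
device_known_to_dom0() {
    if command -v qvm-pci >/dev/null 2>&1; then
        qvm-pci list dom0 | grep -q "${PCI_DEV#dom0:}"
    else
        echo "not in dom0: skipping check for $PCI_DEV" >&2
        return 2
    fi
}

create_usb_qube
```

Two caveats a practitioner will hit: some USB controllers do not survive a PCI reset and need `-o no-strict-reset=true` on the `qvm-pci attach` line, and if your keyboard is on that controller you must plan how to still reach dom0 before you move it, which is why the Qubes documentation on USB qubes is worth reading in full before running anything like this.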


That's of course on the side of due diligence on the part of the user of any software, but most software should have tests, and certainly something of the importance of rsync, doubly so because it's written in C.


Tests aren't particularly useful for detecting this kind of bug though.


You add tests for this sort of thing after the fact to make sure the fix works as you think it does and to make sure the issue isn't re-introduced later. Tests can't find them, but they can help keep them away.



