Computer systems comprise hundreds of software components and are only as secure as the weakest one.
This is not a fundamental fact about computation. Rather it arises from operating system architectures (isolation per “user”) that made some sense back when people mostly ran programs they wrote or could reasonably trust, on data they supplied, but don’t fit today’s world of networked computers.
If interactions between components are limited to the interfaces those components deliberately expose to each other, then the attacker’s problem is no longer to find one broken component and win, but to find a path of exploitability through the graph of components that reaches the valuable one.
This limiting can, with proper design, be done in a way which does not require the tedious design and maintenance of allow/deny policies as some approaches (firewalls, SELinux, etc.) do.
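To make the "path of exploitability through the graph of components" concrete, here is an added example (not code from the original text) that wires a small, constructed system the object-capability way, where a component's only authority is the references it was handed at construction, and then compares it with the same components under per-user ambient authority. The component and resource names are hypothetical. The wiring itself is the policy: there is no separate allow/deny table to maintain, and an attacker who compromises one component gets exactly the references that component holds, so reaching a valuable resource becomes a graph search rather than a single win.

```python
from collections import deque


class Component:
    """A component whose only authority is the references it was handed.

    `refs` is the complete list of other components this one can invoke;
    there is no global lookup (no ambient authority) to fall back on.
    """

    def __init__(self, name, **refs):
        self.name = name
        self.refs = dict(refs)


# Constructed leaf resources for the example; the names are hypothetical.
RESOURCES = {"user_files", "ssh_keys", "network"}


def wire_capability_system():
    """Constructed example system, wired the object-capability way.

    Each constructor call hands a component exactly the references it needs;
    that wiring *is* the policy, so no allow/deny table exists alongside it.
    """
    user_files = Component("user_files")
    ssh_keys = Component("ssh_keys")
    network = Component("network")
    decoder = Component("image_decoder")                 # pure: bytes in, pixels out
    viewer = Component("pdf_viewer", decoder=decoder)
    pw_manager = Component("password_manager", keys=ssh_keys, files=user_files)
    autofill = Component("autofill_bridge", store=pw_manager)
    browser = Component("browser", net=network, img=decoder, pdf=viewer, fill=autofill)
    return {c.name: c for c in (user_files, ssh_keys, network, decoder,
                                viewer, pw_manager, autofill, browser)}


def capability_graph(components):
    """Adjacency derived purely from the references each component holds."""
    return {name: {r.name for r in c.refs.values()} for name, c in components.items()}


def ambient_graph(components):
    """The same components under per-user isolation: any process running as
    the user can open any of the user's resources directly, whatever it was
    wired to, so every component has an edge to every resource."""
    return {name: (set() if name in RESOURCES else set(RESOURCES))
            for name in components}


def attack_path(graph, compromised, target):
    """Shortest chain of components an attacker who controls `compromised`
    would have to exploit in turn to reach `target`; None if no chain exists."""
    parents = {compromised: None}
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None


def exposed_resources(graph, compromised):
    """Resources reachable once a single component is fully compromised."""
    return {r for r in RESOURCES if attack_path(graph, compromised, r) is not None}


if __name__ == "__main__":
    comps = wire_capability_system()
    graphs = (("ambient", ambient_graph(comps)), ("capability", capability_graph(comps)))
    for label, g in graphs:
        for start in ("image_decoder", "browser"):
            print(f"{label:10} compromise {start:14} -> {sorted(exposed_resources(g, start))}"
                  f"  path to ssh_keys: {attack_path(g, start, 'ssh_keys')}")
```

Under the ambient graph, compromising the image decoder alone reaches every resource in one step. Under the capability graph the decoder holds no references, so a decoder bug yields nothing, and reaching the SSH keys from the browser requires traversing the autofill bridge and the password manager in turn. Shrinking that graph (for example, not handing the browser a reference to the autofill bridge) is done by changing the wiring, not by editing a policy file.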