“Paranoid Mode” Compromise Recovery on Qubes OS

&gt; …I don’t believe that advances in so called “safe languages” or anti-exploitation technology could significantly change this landscape. These approaches, while admittedly effective in many situations, especially against memory-corruption-based vulnerabilities, cannot address other broad categories of software vulnerabilities, such as security bugs in application logic, nor stop malicious (or compromised) vendors from building backdoors intentionally into their software.<p>True. But never underestimate how common memory corruption bugs are. It&#x27;s <i>fucking embarrassing</i> just how common they are. Look at the Project Zero tracker. Just the first page of the newest issues: &quot;double-free&quot;, &quot;out-of-bounds write&quot;, &quot;use-after-poison&quot;, &quot;use-after-free&quot;, &quot;kernel double free&quot;, &quot;kernel memory corruption due to off-by-one&quot;, &quot;kernel heap overflow&quot;, &quot;kernel uaf due to double-release&quot;, &quot;heap-buffer-overflow&quot;… And it&#x27;s <i>these bugs</i> that often lead to the scariest situation for regular users, &quot;I just visited a web page and my browser got pwned&quot;.

An excellent point that applies to almost any system:<p><i>The inconvenient and somehow embarrassing truth for us – the malware experts – is that there does not exist any reliable method to determine if a given system is</i> not <i>compromised.</i>

&gt; True, there is a number of conditions that can warn us that the system is compromised, but there is no limit on the number of checks that a system must pass in order to be deemed “clean”.<p>This is wrong. A computers behaviour, even if allowed to access &quot;true randomness&quot;, can be determined in finitely many steps. Sure, the upper bound to the number of steps is unfeasibly big, but not without limit.<p>Practically, there might be no difference if you assume there is no limit, but excluding the possibility seems u justified.