I’m glad you liked my post. Did you read this part?

So why isn’t security application instrumentation sufficient? The problem is one should not place one’s trust entirely in the hands of the target. One of Marcus Ranum’s best pieces of wisdom for me was the distinction between “trusted” and “trustworthy.” Just because you trust an application doesn’t make it worthy of that trust. Just because you have no alternative but to “trust” an application doesn’t make it trustworthy either. Trustworthy systems behave in the manner you expect and can be validated by systems outside of the influence of the target.

For most of my career my mechanism for determining whether systems are trustworthy has been network sensors. That’s why they sit at the top of my TaoSecurity Enterprise Trust Pyramid. In a host- and application-centric world I might consider a second system with one-way direct memory access to a target to be the most trusted source of information on the target, followed by a host reporting its own memory, then other mechanisms including application state, logs, etc.

You can’t entirely trust the target because it can be compromised and told to lie. Of course all elements of my trust pyramid (or any trust pyramid) can be compromised but the degree of difficulty (should) increase as isolation from the target is achieved.