by concerndc1tizen 410 days ago
I agree about data diodes, but how do you handle data egress? One solution is to have strict data checks on egress, but leaks are still possible. Data diodes also still suffer from the ability to inject malware that can execute DoS attacks.

I agree about capability-based security, but strictly speaking, the capabilities of current OSes are just primitive, i.e. checking file permissions. What capability checks do you mean?

My understanding is that the biggest threat is not capability checking, but capability escalation, i.e. bypassing checks, and hardware hacking, e.g. Spectre/Meltdown-type attacks that can read arbitrary memory.

1 comment

There is a step up from diodes called [inspecting] data guards and an adjacent technology called content disarm and reconstruct (CDR) that doesn't rely on signatures or heuristics - it just assumes every document is malicious.

Combining these 3 technologies with certain policies, e.g. a 2-man rule, or the hw/sw itself being developed on an airgap, you can make it practically impossible to attack, even for nation-state adversaries.

Edit to point out that these all work in 2-way configurations as well.