That's an amazing paper, thank you for linking to it! I actually learned something new from it, in particular the sections 5.1 "Accurately measuring the TCB" and 5.2 "Isolating single-source transformations". It turns out there's a wrong way and a right way to do "privilege minimization" for security, and all my life I've been thinking about it the wrong way.
It also shows that the resulting "bug-minimal" code didn't just spring from nothing but is the result of a lot of experience, even two decades ago:
"I started writing an MTA, qmail, in 1995, because I was sick of the security holes in Eric Allman’s “Sendmail” software."
djb even then analysed the security aspects of the bugs, and spent considerable time working on the solutions:
"My views of security have become increasingly ruthless over the years. I see a huge amount of money and effort being invested in security, and I have become convinced that most of that money and effort is being wasted. Most “security” efforts are designed to stop yesterday’s attacks but fail completely to stop tomorrow’s attacks and are of no use in building invulnerable software. These efforts are a distraction from work that does have long-term value."
BTW, the "TCB" was never explained in the article, but I guess he means "trusted computing base."