There is no known method of fully protecting yourself from application layer attacks other than having 100% unexploitable code. Layering isolation techniques can slow down some attackers (to be fair, most attackers) from getting IOIs (items of interest, in this case your external IP address). Physical isolation (airgaps) can protect you from having your encryption system bypassed on the application layer, but nothing can prevent you from theoretically being traced on the application layer other than correct code. I am not quite educated on the matter enough to say if it is literally impossible to protect from such attacks, but I have heard as much from one extremely skilled hacker friend. I have also heard some whispers about various experimental operating systems and kernels that attempt to make hacking at least a lot harder, and I believe there is some sort of 'provably correct' system, formally verified code correctness or something. I wish I knew more about this matter to share knowledge on it. I will look into the formal code correctness methods thingie some more and report back. Oh yeah, systems like ASLR can also make it harder to be attacked in this way, but a skilled hacker can bypass ASLR and break through as many layers of isolation as you throw at them. Code correctness is the only way to be secure from such attacks, but code correctness may very well be more of a perfect ideal than something that can be fully formally verified (this is what I'm going to follow up on).
As far as secure operating systems go, I would def keep your eyes on some of the research projects of various universities / research groups... Qubes is the first that comes to mind, but it isn't the most interesting (although it does automatically put every application you launch into its own virtual machine and other cool things).

https://secure.wikimedia.org/wikipedia/en/wiki/Formal_verification

seL4 is a formally verified kernel.

In general, security professionals tend to fall into a few sorts of groups in regards to what they think the best overall strategy / technique is. I prefer defense in depth and am a fan of isolation, although some hackers I talk with think isolation like this is overrated enormously. Others think isolation like this is essentially a requirement for security. The general strategy with isolation is to add as many layers as possible for the attacker to defeat before they can root the host or gain access to IOIs, and use intrusion detection and prevention systems like Snort to try and detect and remove the attacker before they breach the final layer of isolation keeping the host or IOI secure.