Richard Clarke said that "The reason why you have people breaking into your software is because your software sucks." More than just scathing criticism of the software industry, this comment highlights the extreme difficulty of assuring that your applications do what they are supposed to do, /and nothing else/. You can test for what an application is supposed to do, but you cannot effectively test for the surprising "something else" mis-features that attackers exploit: they "tickle" your applications with "creative" inputs that make software mis-behave, and as a result can break into your systems. Effects like open source code review help Linux to be more secure by being less likely to have unpleasant surprises, but this does not eliminate the threat. To really secure applications, host application security is required to nail down what each application is permitted to do, to ensure that it is not doing any surprising "something else"s. This talk will explain the theoretical foundations that make proving "nothing else" impossible, and show how host application security provides the only real alternative to trust-worthy software. We then show how the LSM (Linux Security Modules) feature (new in the Linux 2.6 kernel) enables unprecedented precision in the control of application behavior on standard Linux kernels.