> we note that kernel exploits are a way to exploit the system (kernel becomes part of the TCB).
care to quote me that part from your paper? i was specifically looking for anything kernel bug/exploit related and found nothing, ditto for discussing what constitutes the TCB. whenever you mention exploit it's always in the context of application (userland) exploits, never the kernel.
> if your threat model has to deal with kernel exploits[...]
yours does, that's what i was trying to imply. there's nothing to prevent a userland exploit from going after a kernel bug next. in other words, your system wouldn't survive for long in the real world, quite the contrary to your claims ;).