The Mill security model abandons (or rather permits the implementation to abandon) protection of addresses, on the grounds that protecting addresses is impossible in real code written and maintained by real people. It relies instead on the inability to program via return addresses and the impracticality of programming via function pointers. The goal is to let the attacker have a complete dump of memory to craft the exploit; to give the attacker the ability to overwrite all of application dataspace as the threat entry point; and still leave a kernel-busting exploit infeasible.
Yes, that’s a challenge. When we have an OS ported I’d be willing to put some money behind it 🙂
Of course, a technical fix doesn’t stop phishing, Mata Hari, or corruption.
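The post's claim is that control flow stays intact even when the attacker can write every byte of application data, because return addresses are not data the program can address. The following is an added illustration written for this page, not Mill hardware, Mill code, or anything from the poster: a toy machine with a 64-byte data space, a 16-byte stack buffer and an unchecked copy into it, run under two assumed layouts. In the conventional layout the saved return "address" (here a one-byte function id) sits in data memory right after the buffer; in the separated layout it lives on a stack that no load or store can reach. The sizes, offsets, function ids and the constructed payload are all assumptions chosen for the demo.

```c
/* Added example: return address in addressable data versus return address in an
 * unaddressable stack. Written for this page; NOT Mill hardware or Mill code.
 * Layout, sizes, function ids and the payload are assumptions for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE   64   /* toy data space, entirely attacker-writable            */
#define BUF_OFF    0    /* stack buffer the untrusted input is copied into       */
#define BUF_LEN    16
#define RA_OFF     16   /* conventional layout: saved return id lives here       */
#define SECRET_OFF 20   /* some other local data that follows the frame          */

/* Assumed function ids the toy "returns" to. */
enum target { TARGET_NORMAL = 0, TARGET_PRIVILEGED = 7 };

typedef struct {
    uint8_t mem[MEM_SIZE];   /* addressable data memory                         */
    uint8_t ret_stack[4];    /* separated model: no load/store can reach this   */
    int     sp;
} toy_machine;

/* Attacker-controlled copy with no length check against BUF_LEN. It is clamped
 * to the toy's data space only so the simulation itself stays well defined. */
static void unchecked_copy(toy_machine *m, size_t dst, const uint8_t *src, size_t n) {
    if (n > MEM_SIZE - dst)
        n = MEM_SIZE - dst;
    memcpy(m->mem + dst, src, n);
}

/* Conventional layout: "call" stores the return id in data memory after the
 * buffer; "ret" reads it back from wherever the data now says to go. */
uint8_t run_conventional(const uint8_t *input, size_t len) {
    toy_machine m;
    memset(&m, 0, sizeof m);
    m.mem[RA_OFF]     = TARGET_NORMAL;   /* call: push return id into the frame */
    m.mem[SECRET_OFF] = 0x42;
    unchecked_copy(&m, BUF_OFF, input, len);   /* callee body with the bug       */
    return m.mem[RA_OFF];                /* ret: control goes where data says   */
}

/* Separated layout: same data space, same bug, but the return id was saved on a
 * stack that stores cannot address, so corrupting data cannot redirect "ret".
 * secret_out reports the neighbouring data cell so the caller can see that
 * data integrity is NOT protected, only control flow. */
uint8_t run_separated(const uint8_t *input, size_t len, uint8_t *secret_out) {
    toy_machine m;
    memset(&m, 0, sizeof m);
    m.ret_stack[m.sp++] = TARGET_NORMAL; /* call: push onto the separate stack  */
    m.mem[SECRET_OFF]   = 0x42;
    unchecked_copy(&m, BUF_OFF, input, len);   /* callee body, same bug          */
    if (secret_out)
        *secret_out = m.mem[SECRET_OFF];
    return m.ret_stack[--m.sp];          /* ret: untouched by the overflow      */
}

/* Constructed attacker input: fill the buffer, land TARGET_PRIVILEGED on the
 * conventional frame's return slot, then spill onto the neighbouring data. */
static const uint8_t kPayload[24] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    TARGET_PRIVILEGED, 0, 0, 0,
    'B','B','B','B'
};

/* Constructed benign input that fits the buffer. */
static const uint8_t kBenign[4] = { 'h','i','!',0 };

int main(void) {
    uint8_t secret = 0;
    printf("benign       conventional -> %u\n", run_conventional(kBenign, sizeof kBenign));
    printf("overflow     conventional -> %u\n", run_conventional(kPayload, sizeof kPayload));
    printf("overflow     separated    -> %u (neighbouring data now 0x%02x)\n",
           run_separated(kPayload, sizeof kPayload, &secret), secret);
    return 0;
}
```

The point of the toy is the asymmetry the post describes: the attacker can still trample every byte of the data space (the neighbouring cell changes from 0x42 to 'B' in both layouts), but only in the conventional layout does that trampling change where `ret` goes. The toy does not model the second half of the claim, the impracticality of driving control flow through function pointers; that depends on what the real implementation does with indirect calls, which the post does not spell out.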