see the specifics). I'm all in favour of hardware memory protection and the like separating disparate system components as a step in the direction of safety, and I already deplore the monolithicity of the Linux kernel. (Perhaps formal verification would be an adequate substitute, but we're not there yet.) But with adequate code review and such we manage to get along.
OpenVMS had it right. Split it up, put the pieces in their own CPU ring and have them pass messages. Processes never get escalated privileges.
People had a lot of fun *trying* to break into OpenVMS at Defcon -> http://deathrow.vistech.net/defcon.txt
Dean
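As an added illustration of the "split it up, pass messages, never escalate" design described above (this is example code, not from the thread and not OpenVMS or Linux kernel code): a POSIX privilege-separated broker/worker pair. The privileged parent is the only place policy lives; the worker drops to an unprivileged uid, can only ask over a socketpair, and a request to regain privilege is refused rather than granted. The op codes, the uid 65534, the "secret" config string and the fixed-size frame format are all assumptions of this example; socketpair plus fork stands in for VMS rings and mailboxes.

```c
/* Added example: privilege separation by message passing (POSIX, not VMS). */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical op codes for this example. */
enum op     { OP_CONFIG_LEN = 1, OP_RAISE_PRIV = 2 };
enum status { ST_OK = 0, ST_DENIED = 1 };

/* Fixed-size frame: a short read is a protocol failure, never a valid message. */
struct msg { uint32_t op; uint32_t status; uint32_t value; };

/* Constructed secret that only the privileged side may hold. */
static const char PRIVILEGED_CONFIG[] = "db_password=hunter2";

/* Policy lives entirely on the privileged side: the worker can ask, never take. */
int broker_handle(const struct msg *req, struct msg *resp)
{
    memset(resp, 0, sizeof *resp);
    resp->op = req->op;
    switch (req->op) {
    case OP_CONFIG_LEN:             /* discloses a length, not the value */
        resp->status = ST_OK;
        resp->value = (uint32_t)strlen(PRIVILEGED_CONFIG);
        return 0;
    default:                        /* OP_RAISE_PRIV and unknown ops are refused */
        resp->status = ST_DENIED;
        return -1;
    }
}

/* Move exactly len bytes; EOF or error is reported as failure. */
static int xfer(int fd, void *buf, size_t len, int writing)
{
    char *p = buf;
    while (len > 0) {
        ssize_t n = writing ? write(fd, p, len) : read(fd, p, len);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) return -1;
        p += n; len -= (size_t)n;
    }
    return 0;
}

/* Worker side: send one request, wait for the broker's verdict. */
int worker_request(int fd, uint32_t op, struct msg *resp)
{
    struct msg req = { op, 0, 0 };
    if (xfer(fd, &req, sizeof req, 1) < 0) return -1;
    if (xfer(fd, resp, sizeof *resp, 0) < 0) return -1;
    return resp->status == ST_OK ? 0 : -1;
}

/* Assumed unprivileged uid/gid 65534 ("nobody" on most systems); abort if the drop fails. */
static void drop_privileges(void)
{
    if (geteuid() == 0 && (setgid(65534) != 0 || setuid(65534) != 0)) _exit(2);
}

/* Returns 0 when the worker got the expected verdicts (length granted, escalation denied). */
int run_privsep_demo(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                 /* worker: no secret, no policy, no privilege */
        close(sv[0]);
        drop_privileges();
        struct msg r;
        int ok = worker_request(sv[1], OP_CONFIG_LEN, &r) == 0
              && r.value == strlen(PRIVILEGED_CONFIG);
        int denied = worker_request(sv[1], OP_RAISE_PRIV, &r) < 0
                  && r.status == ST_DENIED;
        _exit(ok && denied ? 0 : 1);
    }
    close(sv[1]);                   /* broker: serve requests until the worker goes away */
    struct msg req, resp;
    while (xfer(sv[0], &req, sizeof req, 0) == 0) {
        broker_handle(&req, &resp);
        if (xfer(sv[0], &resp, sizeof resp, 1) < 0) break;
    }
    close(sv[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("privsep demo: %s\n", run_privsep_demo() == 0 ? "ok" : "FAILED");
    return 0;
}
```

The point to take from it is where the decision is made: the worker never holds the secret or the right to change its own uid, so a compromised worker can only send frames the broker already knows how to refuse.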