On Thu, Feb 11, 2016 at 8:20 PM Peter Gutmann <[1]pgut001@cs.auckland.ac.nz> wrote:

> Sean Lynch <[2]seanl@literati.org> writes:
>
> >I'm not talking about raw size or complexity here; obviously having lots of
> >features and support for lots of devices means high complexity, but it doesn't
> >require that all that complexity run with full system privileges.
>
> XKCD is, as usual, most apropos here: [3]https://www.xkcd.com/1200/
>
> A huge amount of embedded stuff doesn't even have a kernel mode, because it's
> irrelevant (or, if the hardware does actually support two different modes,
> everything is run in the highest-priv'd mode). Either the system is
> robust/secure/reliable or it isn't; whether there's a kernel/user split is
> irrelevant.

Obviously on a device with no MMU or supervisor mode, everything running on it is your trusted computing base. Security is not binary.

References

1. mailto:pgut001@cs.auckland.ac.nz
2. mailto:seanl@literati.org
3. https://www.xkcd.com/1200/