by snvzz 547 days ago
Capabilities (as implemented in e.g. seL4) are the way to go.

Capabilities are a better security model, but don't protect you from kernel bugs. Provably correct kernels (such as seL4) do.

Having said that, being a microkernel, seL4 ends up pushing a bunch of potentially buggy code to user space. There are real benefits to that, but if you can exploit the page table server, the system is pretty much yours.