Most attacks aim at executing arbitrary code in the process space of the application being targeted. The lack of user-land does not help.