I don't think it is significantly oversold, although it is definitely overselling a bit:
"More disconcertingly, in some cases, attacks may be still be possible despite the above protections."
"We should prepare for a case where these defenses will fail to protect against a specific vulnerability in some specific software".
My main concern with the paper is there is no careful analysis showing that the 4 techniques they propose are really sufficient to cover the majority of RCE exploits. Having said that, I don't dispute that having them would raise the bar for them a lot.
"More disconcertingly, in some cases, attacks may be still be possible despite the above protections."
"We should prepare for a case where these defenses will fail to protect against a specific vulnerability in some specific software".
My main concern with the paper is there is no careful analysis showing that the 4 techniques they propose are really sufficient to cover the majority of RCE exploits. Having said that, I don't dispute that having them would raise the bar for them a lot.