Papers, academic research and threat model
The security page’s “New Technologies” section starts with a cocky note:
As we audit source code, we often invent new ways of solving problems. Sometimes these ideas have been used before in some random application written somewhere, but perhaps not taken to the degree that we do.
Despite the “OpenBSD’s innovations” page starting with the following sentence:
This is a list of software and ideas developed or maintained by the OpenBSD project, sorted in order of approximate introduction. Some of them are explained in detail in our research papers.
Between 2009 and 2019, the listed “papers” break down as follows:
- More than 150 slide decks without accompanying papers
- Some “papers” are only videos
- Some others are only titles of talks
- There are 25 real papers:
  - 3 of them are related to My BSD sucks less than yours
  - only one of them is about mitigations
In none of the slides nor the paper have I seen any threat model description of what each mitigation is supposed to defend against: What primitives does the attacker have? Read and/or write? Are they arbitrary or partial? Can they be triggered at arbitrary times? How many times? Is the attacker local or remote? What about side channels? Is this a one-time-cost mitigation? What kind of previous vulnerabilities would it have prevented? Was an exploit writer involved in the design process? Was there a public code review with a review history?
Of course, the absence of a shiny academic paper doesn’t mean the mitigations aren’t working. But it does mean that it’s harder to understand what their goals and limits are, or even whether they work at all.
Can you imagine cryptographers pushing new ciphers, without a proper design document, no public peer review, no threat model, … Why would this be acceptable for exploit mitigations?
Finally, not having a lot of public exploits doesn’t mean that your operating system is secure; otherwise, Haiku would be one of the safest ones.