Mitigations without Modeling

Something that has been brought up for years is that mitigation techniques should not be built without a threat model. I agree with this premise, mostly at least, but I wanted to consider the alternative argument; if I truly believed that mitigations should be built without modeling, what would that look like?

I believe that the argument would look like this; By implementing mitigations without threat models we can address unknown threats before they occur. Mitigations can be built without modeling but still be based on principles.

PaX Team published numerous documents about mitigations and threat models. It’s worth reading all of them, but a common theme is to define exploit primitives and vulnerability classes and then to discuss what mitigations for those would look like. This is how you build mitigations with clear threat modeling.

Contrast this, OpenBSD has been adding mitigations that arguably do not have a threat model. There is no rigid definition of attack primitives and how these mitigations interfere with those primitives - there is definitely some discussion of primitives and how this would interfere with attackers but it’s a bit more handwavy and “hopefully this will be annoying to attackers”.

What OpenBSD is doing could be seen as “bad”, but a lot of the argument is “this could end up making things harder for attackers”. What OpenBSD is doing is building mitigations based on principles, which are broad, rather than models, which are rigid.

We can imagine building existing mitigations from a principle. The Principle of Least Privilege would be enough for us to invent N^X, even if we didn’t yet have a threat model to guide us, for example.

One can continue to build principled systems without ever thinking about the actual implications, and they might be useless, or, when some new unforseen threat changes the existing threat model, we might have actually addressed it without even trying.

That is to say, systems which are designed in a principled way have the potential to be safer against unknown threats, whereas systems designed in a modeled way have known value for existing threats.

“Potential for unknown threats” is, I suspect for many, far less compelling than “definitive value against known threats”. If you have to pick one I think anyone would agree to pick the latter. But that doesn’t mean that the former isn’t a valuable way to build systems.

Certainly, the ideal system is built in a principled way and with mitigations for known techniques.