This seems really cool. I’d love to have email more under my own control. I also need 100% uptime for email though, so it’s hard to contemplate moving from some large hosted service like Gmail.
If email is that important to you (100% uptime requirement), then what’s your backup plan for a situation where Google locks your account for whatever reason?
Yeah, that’s true. I mean I do have copies of all my email locally, so at least I wouldn’t lose access to old email, but it doesn’t help for new email in that eventuality.
Email does have the nifty feature that (legit) mail servers will keep retrying SMTP connections to you if you’re down for a bit, so you don’t really need 100% uptime.
Source: ran a mail server for my business for years on a single EC2 instance; sometimes it went down, but it was never a real problem.
True. I rely on email enough that I’m wary of changing a (more or less) working system. But I could always transition piece by piece.
If you need 100% delivery, then you can just list multiple MX records. If your primary MX goes down (ISP outage, whatever), then your mail will just get delivered to the backup. My DNS registrar / provider offers backup MX service, and I have them configured to just forward everything to gmail. So when my self-hosted email is unavailable, email starts showing up via gmail until the primary MX is back online. Provides peace of mind when the power goes out or my ISP has outages, or we’re moving house and everything is torn apart.
That’s a good system that seems worth looking into.
Note that email resending works. If your server is unreachable, the sending mail server will actually try the secondary MX server, and if both are down, it will retry half an hour later, then a few more times up to 24 hours later, 48 hours if you are lucky. The sender will usually receive a notification if the initial attempts fail (and a second one when the sending server gives up).
On the other hand, if your GMail spam filter randomly decides without a good reason that a reply to your email is too dangerous even to put into the spam folder, neither you nor the sender will be notified.
And I have had that issue with GMail, both as a sender and a receiver, of mail inexplicably going missing. Not frequently, but it occurs.
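The MX fallback and retry behaviour described in the two comments above, as an added illustration that is not code from the thread or from any real MTA: a sending server sorts MX records by preference (lowest first, as RFC 5321 specifies), tries each host in turn, and if none accepts the connection queues the message and retries on a schedule before giving up and bouncing. The hostnames, preferences, the retry schedule and the point at which the sender gets a "still trying" notice are all constructed for the example; real MTAs use their own queue timings.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed MX records for the zone example.test: the self-hosted
 * primary (preference 10) and the registrar's forwarding backup (20).
 * Deliberately listed out of order to show that preference, not
 * position, decides the order of attempts. */
struct mx { int pref; const char *host; };
static struct mx records[] = {
    {20, "backup-mx.registrar.test"},
    {10, "mail.example.test"},
};
#define NRECORDS (sizeof records / sizeof records[0])

/* Constructed retry schedule, minutes after the first failed attempt,
 * modelled on the rough "30 min, then a few more times, give up after
 * a day or two" pattern. */
static const int retry_minutes[] = {30, 60, 120, 240, 480, 960, 1440, 2880};
#define NRETRIES (sizeof retry_minutes / sizeof retry_minutes[0])
#define WARN_AFTER_MINUTES 240   /* assumed: delay notice to the sender after 4h */

/* Stand-in for an SMTP connection attempt: nonzero if host accepts mail
 * at the given minute. */
typedef int (*reach_fn)(const char *host, int minute);

struct result {
    const char *delivered_to;  /* NULL if the message bounced */
    int attempts;
    int delivered_after;       /* minutes from first attempt, -1 if bounced */
    int sender_warned;         /* got the "still trying" notice */
    int bounced;               /* got the final failure notice */
};

static int cmp_pref(const void *a, const void *b) {
    const struct mx *x = a, *y = b;
    return (x->pref > y->pref) - (x->pref < y->pref);
}

/* One delivery attempt: walk the MX list in preference order. */
static const char *try_once(const struct mx *recs, size_t n, int minute, reach_fn reachable) {
    for (size_t i = 0; i < n; i++)
        if (reachable(recs[i].host, minute))
            return recs[i].host;
    return NULL;
}

/* First attempt plus the retry schedule; sorts recs in place by preference. */
struct result deliver_with_retries(struct mx *recs, size_t n, reach_fn reachable) {
    struct result r = {NULL, 0, -1, 0, 0};
    qsort(recs, n, sizeof *recs, cmp_pref);
    for (int i = -1; i < (int)NRETRIES; i++) {
        int minute = (i < 0) ? 0 : retry_minutes[i];
        const char *host;
        r.attempts++;
        if ((host = try_once(recs, n, minute, reachable)) != NULL) {
            r.delivered_to = host;
            r.delivered_after = minute;
            return r;
        }
        if (minute >= WARN_AFTER_MINUTES)
            r.sender_warned = 1;
    }
    r.bounced = 1;   /* every attempt failed: sender gets a bounce */
    return r;
}

/* Constructed outage scenarios. */
int primary_up(const char *h, int m) { (void)h; (void)m; return 1; }
int primary_down_backup_up(const char *h, int m) {
    (void)m; return strcmp(h, "backup-mx.registrar.test") == 0;
}
int both_down_until_6h(const char *h, int m) {
    /* power outage: nothing answers until the primary comes back at 6h */
    return m >= 360 && strcmp(h, "mail.example.test") == 0;
}
int everything_dead(const char *h, int m) { (void)h; (void)m; return 0; }

static void show(const char *name, reach_fn fn) {
    struct result r = deliver_with_retries(records, NRECORDS, fn);
    printf("%-24s to=%s attempts=%d after=%dmin warned=%d bounced=%d\n",
           name, r.delivered_to ? r.delivered_to : "(none)",
           r.attempts, r.delivered_after, r.sender_warned, r.bounced);
}

int main(void) {
    show("primary up", primary_up);
    show("primary down, backup up", primary_down_backup_up);
    show("both down until 6h", both_down_until_6h);
    show("everything dead", everything_dead);
    return 0;
}
```

With the primary down, the backup MX takes the message on the very first attempt, which is the "mail shows up via gmail" case; with everything down, the message sits in the sender's queue and is retried until the primary returns, and only if the whole schedule is exhausted does the sender see a bounce.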
What is the overhead of this?
I love openbsd, though one of my coworkers told me he fundamentally disagrees with security by depth when we are starting to get memory safe languages, and I somewhat agree. While our useful kernels and applications are written in C, it seems like the best thing to do for now.
The overhead is two xor instructions per function call (using a register and the top of the stack). This is cheap.
Memory safe languages have their own overhead. Even rust - which achieves so much at compile time - still has to check for overflow at runtime in some situations, and doesn’t implement integer overflow protection because it is too expensive. I am a big fan of memory safe languages, but there is still a lot of C/C++ out there.
Why are all the infosec people I follow charitably saying this is theatre at best and doesn’t do anything for any kind of attack?
The most common negative response I have seen is that this can be bypassed if an attacker knows the addresses they will write their rop chain to. This is true, but it is not the case that all attacks know the addresses where the rop chain goes. The @grsecurity response is interesting, since they point out that this idea has been seen before (quite some time ago - in 1999 and 2003). If you have heard other specific criticisms, then I’d be interested to hear them.
The next iteration of this doesn’t have to use the stack pointer - it can use something stronger. Step 1 is getting the ecosystem working with mangled return addresses. For this, the stack pointer is cheap and easy.
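The mechanism described in the overhead answer above and the bypass raised in reply to the criticism, as an added model in C (not OpenBSD's compiler pass and not code from anyone in the thread): the saved return address is XORed with the stack pointer value when the frame is set up and XORed again with the same value before returning, which is the pair of xor instructions the thread mentions. An overflow that writes a raw gadget address into the slot ends up at a scrambled address, while an attacker who already knows the stack pointer can pre-mangle the gadget and return exactly where they intended. The stack pointer value, the legitimate return address and the gadget address are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint64_t addr_t;

/* Constructed addresses for the model. */
#define RET_LEGIT 0x400800ULL          /* where the caller expects to resume */
#define GADGET    0x4142424ULL         /* the attacker's ROP gadget */

/* Prologue half: store the return address XORed with the stack pointer.
 * In real code this is one xor against the saved slot using a scratch
 * register; here the slot is just a variable in the caller's frame. */
static void save_return(addr_t *slot, addr_t sp, addr_t ret) {
    *slot = ret ^ sp;
}

/* Epilogue half: undo the XOR with the same stack pointer value. */
static addr_t restore_return(const addr_t *slot, addr_t sp) {
    return *slot ^ sp;
}

/* Simulate one call frame.  If `overwrite` is set, the saved slot is
 * replaced by `written`, as a stack buffer overflow would do to the
 * bytes under its control.  Returns the address the function would
 * actually return to. */
static addr_t simulate_return(addr_t sp, int overwrite, addr_t written) {
    addr_t slot;
    save_return(&slot, sp, RET_LEGIT);
    if (overwrite)
        slot = written;
    return restore_return(&slot, sp);
}

/* No attack: control returns to the legitimate address. */
addr_t normal_return(addr_t sp) {
    return simulate_return(sp, 0, 0);
}

/* Classic overwrite: the attacker writes the gadget address directly,
 * not knowing the stack pointer.  The epilogue XOR scrambles it. */
addr_t naive_overwrite(addr_t sp) {
    return simulate_return(sp, 1, GADGET);
}

/* Informed overwrite: an attacker who knows sp (for instance via an
 * info leak) writes GADGET ^ sp, and the epilogue hands back GADGET.
 * This is the bypass the criticism above refers to. */
addr_t informed_overwrite(addr_t sp) {
    return simulate_return(sp, 1, GADGET ^ sp);
}

int main(void) {
    addr_t sp = 0x7fffffffe000ULL;   /* constructed stack pointer value */
    printf("normal   -> %#llx\n", (unsigned long long)normal_return(sp));
    printf("naive    -> %#llx (not the gadget)\n", (unsigned long long)naive_overwrite(sp));
    printf("informed -> %#llx (gadget reached)\n", (unsigned long long)informed_overwrite(sp));
    return 0;
}
```

The model makes the trade-off in the thread concrete: the protection costs one XOR on each side of the call and defeats an attacker who does not know the value being XORed in, and the obvious way to strengthen it is to replace the stack pointer with something the attacker is less likely to learn, which is what the "next iteration" remark above is about.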
Does OpenBSD have any plans to upstream RETGUARD to llvm?
Definitely. The llvm people I have spoken with have pointed out it might be better to implement in the preamble / epilogue lowering functions instead of as a pass, so once we prove it works in the ecosystem and have worked out any kinks, then I will do it that way and submit upstream.
Very cool! Thank you for the detailed answer.
Sure. Why not?