[erlang-patches] What's cooking in erlang/otp (2010-03-22)
Jayson Vantuyl
kagato@REDACTED
Tue Mar 23 21:29:25 CET 2010
> No they haven't. Not if you want to actually utilize the advertised
> features
If you'd like to spearhead the effort, feel free. The current
Distributed Erlang implementation uses binary_to_term internally, so
you can probably start by setting the safe flag there.
Your first problem is that node names and many atoms are embedded in
some unique structures (pids, refs, funs), so you'll have to create an
infrastructure to allocate them when nodes are trusted, or the safety
won't be too useful. Then you can start securing things like Rex and
RPC.
As for "advertised features", I question that entire line of
reasoning. Of course Erlang doesn't give you the tools to utilize all
of the advertised features PLUS your additional feature. The
guarantees of advertising end when you add requirements.
> of the platform. Providing a means to communicate outside the VM and
> then serialize terms is hardly "all the instruments" needed to
> secure a platform.
That's all that the current distribution is based on. Of course, a new
distribution module is not trivial, but it's that way for a reason.
> The former is standard fair in languages and the latter can be done
> independently.
That's a bold claim. Name these languages, so I may ignite your
strawman.
> 1) Having to recreate the transport every time for every developer
> is wasteful. Why shouldn't there be a pluggable security model for
> the transport layer between nodes that would allow standard
> libraries to be shared?
There should be such a thing. We'd all love it. Your disagreement is
that it should integrate with the significant toolset that already
exists. That would be awesome, but it's probably US$250k of programmer
time to implement and integrate it. That means it will take a while.
> Knowing that the node you are talking with is actually who you
> believe it is surely useful and would need to be a first step in any
> further security developments around message passing.
And what of the endpoints inside (pids)? Host-based security doesn't
have the strongest track record.
> 2) It becomes impossible to utilize the distributed functionality
> built into the platform. From visualization tools to all the node
> based libraries. It turns the platform into a husk of what it was
> IMO. The language is nice as is the concurrency but it also
> advertises itself as a distributed platform. Well most distributed
> platforms I've worked with provide more than secret keys to a
> completely open platform.
Names please. Not that I don't believe you, but we can't code on
generalities.
> 3) I'm simply not talking about RPC in some specific case but
> general sandboxing of the platform. Not leaving holes open that
> aren't desired. Not allowing any ol' process to communicate with a
> port. Not allowing anyone to just rpc or spawn os:cmd("rm -rf /").
> Some features and additions perfectly fit the NIF, Port, Cnode
> models. Others don't.
I recently added the safe binary_to_term patch. One flag check turned
10 microseconds into 16. Messaging in Erlang is a fast path for a
reason. Understand, then, that what seems like reasonable changes
could very well cut messaging speed in half.
In addition, provisioning a cluster right now is one of the few,
lightweight deploy tasks that Erlang has. Generating certs is a whole
new level of trouble.
I'm not saying that security doesn't have value, but the costs of your
model are:
* slowing down a critical path
* a large time investment
* significant deployment complexity
* significant maintainence load
* a new class of security errors to bite all legacy code
* backwards-incompatible changes to distribution
The port + {packet,4} + binary_to_term method takes approximately 20
lines of actual code, supervises very well, and funnels quite well
into a pattern match.
Additionally, almost all security is application-specific. I often
prefer explicit security (i.e. flowing through a pattern match +
validation code) than implicity security (in-image messaging
isolation) precisely because it eases managing the security profile.
--
Jayson
More information about the erlang-patches
mailing list