Distributed Erlang Security

Lon Willett Lon.Willett@REDACTED
Mon Jan 15 22:16:46 CET 2001


Hi,

At 19:53 15/01/01, Charles Martin wrote:
>Are there any provisions for code security in Erlang?  To make this question concrete, suppose I implemented a Gnutella-like system in Erlang.  Every user now runs an Erlang node.  Suppose one of the users is malicious; could they execute arbitrary code on the other users' machines?  Is there any way to use Erlang with untrusted users?
>
>Charles

In brief: no, yes, and no.  Currently, Erlang/OTP has very little built-in security of any sort.  I'm trying to put together a basic method of securing the communications layer at the moment, but this still wouldn't answer your needs.

What you want is the Safe Erlang project (http://www.ericsson.se/cslab/~dan/proj/safeerlang).  But I don't think that it is ready to fly yet, and you're likely to run into some other limitations of OTP for this type of application.  So you're pretty much stuck with using TCP or UDP sockets and defining the protocol yourself.  Note however that term_to_binary and binary_to_term can be very handy when you're willing to stick to strictly Erlang implementations of your protocol.  In that case, it's not _too_ painful to implement, despite not being as convenient as using the built-in communication facility.

/Lon
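
The kind of hand-rolled protocol described above, sketched as an added example that is not part of the original post: terms travel as term_to_binary output over a plain TCP socket, and the receiver decodes with the `safe` option of binary_to_term/2 (available in later Erlang/OTP releases) and accepts only known message shapes. The module name, message shapes and size limits are assumptions.

```erlang
%% Added example, not code from the original post.
%% Message shapes ({search, Q}, {fetch, Id}) and limits are hypothetical.
-module(peer_proto).
-export([encode/1, decode/1, handle/1, demo/0]).

-define(MAX_FRAME, 65536).   % assumed upper bound on one message

%% Sender side: serialise a term for the wire. Open the socket with
%% {packet, 4} so gen_tcp adds a length prefix and delivers whole frames.
encode(Msg) -> term_to_binary(Msg).

%% Receiver side: peer data never goes through binary_to_term/1.
%% [safe] makes decoding fail with badarg instead of creating new atoms.
decode(Bin) when is_binary(Bin), byte_size(Bin) =< ?MAX_FRAME ->
    try binary_to_term(Bin, [safe]) of
        Term -> validate(Term)
    catch
        error:badarg -> {error, bad_term}
    end;
decode(Bin) when is_binary(Bin) -> {error, too_large}.

%% Accept only the exact shapes the protocol defines, with bounded fields.
validate({search, Query}) when is_binary(Query), byte_size(Query) =< 256 ->
    {ok, {search, Query}};
validate({fetch, Id}) when is_integer(Id), Id >= 0 ->
    {ok, {fetch, Id}};
validate(_) -> {error, unexpected_message}.

%% Dispatch on data only: no apply/3 on decoded module or function names,
%% and decoded funs are never called.
handle(Bin) ->
    case decode(Bin) of
        {ok, {search, Q}} -> {reply, encode({results, Q, []})};
        {ok, {fetch, Id}} -> {reply, encode({not_found, Id})};
        {error, Reason}   -> {close, Reason}
    end.

%% Constructed inputs exercising the accept and reject paths.
demo() ->
    {reply, _} = handle(encode({search, <<"erlang">>})),
    %% A well-formed term that is not part of the protocol is refused.
    {close, unexpected_message} = handle(encode({admin, shutdown})),
    %% Bytes that are not external term format at all.
    {close, bad_term} = handle(<<"garbage">>),
    {close, too_large} = handle(binary:copy(<<0>>, ?MAX_FRAME + 1)),
    ok.
```

Unlike distributed Erlang, where a connected node can spawn processes on its peers, a peer here can only make the receiver run the clauses of handle/1.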




More information about the erlang-questions mailing list