Security of binary_to_term ?

Lon Willett Lon.Willett@REDACTED
Wed Jun 27 18:35:24 CEST 2001

This stuff looks like it's down my alley, so I'll add my $0.02.

Pascal Brisset <pascal.brisset@REDACTED> writes:
>  > An aside note: If you get the data over TCP, why should it be
>  > invalid. TCP ensures the data is non corrupted.... or maybe you
>  > are worrying over rogue nodes ??? 
> Well this is what security is about, isn't it ? :) Actually I stumbled
> on one of those pathological cases, and I was wondering whether it was
> just a bug or whether additional checks were required anyway.
> $ erl
> Erlang (BEAM) emulator version [source]
> Eshell V5.0.2.4  (abort with ^G)
> 1> binary_to_term(<<131,111,255,0,0,0>>).
> zsh: 30198 segmentation fault  ./bin/erl

Ugh!  Crashing the emulator is a bad sign.

I wouldn't worry overmuch about the crash per se, since all an
attacker could use that for would be a denial-of-service attack (DOS).
IMO, preventing DOS attacks is probably impossible (although one
shouldn't make them _too_ easy).

What is a concern is that the segfault indicates that there might be a
buffer overflow problem, and this possibly would allow an attacker to
execute arbitrary code on your machine.

Even if you fix "binary_to_term" so that it is safe, I would advise
caution anyway.  While it (term_to_binary+binary_to_term) is a
convenient and easy way to define a data format, it is just too
powerful.  An attacker could provide all kinds of funny data (pids,
refs, funs, very large ints, etc), so even when the binary is validly
formatted, you still need to be very sure that the contents of the
resulting erlang term are fully validated (or are only used in "safe"
ways).  This required validation is very easy to overlook, especially
when the contents of the term are broken down and passed around to
different modules, some of which may not have been written to handle
maliciously formatted data (e.g. consider perl's "taint" mechanism,
meant to help deal with this same problem).

Despite its dangers, I would be interested in what exactly the
problems with binary_to_term are.  So if anyone has the time to look
at it (or already knows), I'd appreciate seeing the results.


More information about the erlang-questions mailing list