[erlang-questions] Restricting the connection between two nodes

[Kenji Rikitake]

In the message <AANLkTik=pJK4a8F_vH4iKCPJf6Vqry1A-WWb27bMiq+Q@REDACTED>
dated Mon, Jan 03, 2011 at 03:33:44PM +0100,
Tomasz Maciejewski <ponton@REDACTED> writes:
> Is there a way to restrict the connection between two nodes, allowing
> executing only specific functions (eg. only from specific "exported"
> module)?
>
> Suppose we have two nodes running one application, respectively:
> private_node (eg. Mnesia with sensitive data, or a port owner) and
> public_node (eg. HTTP/FTP daemon). The two nodes are connected
> together and the public_node needs some data from private_node, but
> private_node has some sensitive functions. Now, if someone gains
> control over
> public_node, he can call any function from private_node by simply
> rpc:call, as well as sending arbitrary messages to processes on
> private_node.

In the case above, once the public_node is taken over, you can't do much
to protect the private node. So don't let the public_node get taken.

> How can I protect against breaking in to Erlang by public internet
> service? Is it even possible to gain access to a remote shell
> (assuming cookie wasn't stolen) by some remote hole in Erlang/Inets/My
> application?

As default, the Distributed Erlang RPC packets are unprotected (i.e.,
not encrypted) at all; they are built on the plain TCP connections.

What you might need is secure-and-private connection between the two
nodes with encryption.  The secure connection can be on many different
levels: application software or on the IP (IPsec).

About a year ago I tried to build an example of Erlang RPC over the SSH
module [1].  Dave "Dizzyd" Smith, the rebar guru, also once published a
paper of his idea on securely building inter-node RPCs on Erlang [2].

Related links:
[1] https://github.com/jj1bdx/sshrpc
If you want to see the video on my presentation at Erlang Factory
SF Bay 2010:
http://www.erlang-factory.com/conference/SFBay2010/speakers/kenjirikitake
And the slides:
http://www.erlang-factory.com/upload/presentations/214/ErlangFactorySFBay2010-KenjiRikitake.pdf
[2] http://dizzyd.com/sdist.pdf

> With the solution of "restricring remote function calls only to
> functions from specific module", I could implement public API in
> private_server and be protected against gaining control over
> private_server.

Currently there's no native mechanism to restrict function calls in
Erlang, so far I've learned.  If you really want this level of
protection, Distributed Erlang RPC itself is not suitable.

> I will really appreciate any comments on security in Erlang.
> 
> -- 
> Tomasz Maciejewski

Kenji Rikitake