[erlang-questions] Erlang offensive paper

Lee Sylvester lee.sylvester@REDACTED
Thu Jun 2 00:26:56 CEST 2016

In fairness; should we ever rely on the underlying virtual machine to be
secure for any platform?  If you were coding a *ahem* NodeJS app, would you
rely on its security?

Personally, I implement security for the messaging, be it HTTP or sockets
etc., and implement safeguards around that VM through other technologies.
In fact, I even proxy my HTTP / sockets.

On Thu, Jun 2, 2016 at 10:18 AM, Richard A. O'Keefe <ok@REDACTED>

> A rough summary:
>  - The underlying C code can be attacked through Erlang.
>    * Avoid NIFs if you can.
>  - The default distribution machinery has weak security.
>    * Search the archives for alternative distribution methods,
>      e.g., TLS
>  - Secrets can leak out through the OS and attacks can leak in.
>    * Can dumps be routed to another machine, through TLS?
>    * Limit use of external commands.
> Whatever happened to Laurie Brown's work on "Safe Erlang"?
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20160602/b6b5f15d/attachment.htm>

More information about the erlang-questions mailing list