[erlang-questions] Security scanning tools for Erlang?

zv zv@REDACTED
Thu Oct 27 08:53:30 CEST 2016


On 10/26/2016 10:23 AM, Garry Hodgson wrote:
> We are using Erlang for some specialized components in a much larger system. That system now requires that all code must be scanned using an automated tool (e.g. HP's Fortify) that looks for security issues. Fortify does not handle Erlang, and has no plans to do so. Does anyone know of any commercial or Open Source security scanning tools for Erlang code?
> 
> http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/index.html
> 
> Thanks
> 
> 

I've actually found bugs and submitted patches upstream for a number of exploitable heap and stack-based buffer overflows in Erlang/ERTS[1] with a symbolic and static analysis tool I wrote. The machinery is heavily based on the KLEE LLVM execution engine and the Z3 SAT Solver and could be rewritten to accommodate a CI process like Fortinet. Some of the code for it is available on my Github now, but if you're using it in a commercial context I'd appreciate it if you contacted me first @ <zv@REDACTED 。org>.

Outside of this, there is a Greek academic behind a project called Cuter who has done considerable work in the somewhat neighboring field of concolic analysis, but his project is primarily concerned with HOL-style verification as I recall. There is also a guy who found some Term decoding bug, /perhaps/ with a tool of his own creation, who then promised to release it at some point in the future (or perhaps release more? I forget), but I haven't heard of any developments.

If you are interested in evaluating the security of NIFs, Port Drivers, etc. /alone/, the story is more clear-cut. There is, however, a whole set of other considerations for an analysis/testing harness when statically or symbolically analyzing NIFs (or even running them in 'dynamic' tools like Valgrind) without building a special version of the runtime.

As to existing solutions, I'm not aware of any turnkey solution for subjecting Erlang code, NIFs, or port drivers to any sort of meaningful security review or even perfunctory static analysis.


[1] I've also subjected EPMD to separate analysis and manual review as well, but without luck.
