[erlang-questions] Security scanning tools for Erlang?
Fri Oct 28 07:25:46 CEST 2016
On 10/26/2016 10:23 AM, Garry Hodgson wrote:
> We are using Erlang for some specialized components in a much larger system. That system now requires that all code must be scanned using an automated tool (e.g. HP's Fortify) that looks for security issues. Fortify does not handle Erlang, and has no plans to do so. Does anyone know of any commercial or Open Source security scanning tools for Erlang code?
It should be generally obvious that the main weakness in Erlang use is the C source code that you depend on while using Erlang. So, that includes the Erlang/OTP source code and NIFs, port drivers, ports and cnodes that you use, where NIFs and port drivers are the main problem since they share the same address space as the Erlang VM.
As was previously mentioned, Dialyzer usage and PropEr usage should be the main tools available for testing Erlang source code, to find problems, though there is no focus on security in these tools. Dialyzer depends on appropriate usage of type specifications and PropEr requires that you understand the bounds of your potential problems (in addition to some effort to build a model, if necessary).
Another issue to consider is the potential for binary blobs to exist, since 3rd party libraries often used a rebar binary to build in the past within the repository and sometimes people add beam files to 3rd part libraries (binary blobs lack visibility). The Erlang/OTP source code provides compiled beam files for boot-strapping the compiler, so having an easy way to verify the beam files in the Erlang/OTP source code don't differ from ones that are created locally would be helpful (currently the Erlang/OTP source code doesn't provide clear steps to create the beam files that are included, but if it did, it should be an exact match with locally compiled files, assuming the source code doesn't change, due to previous changes that helped to get rid of timestamps in the beam file usage). This problem has been discussed in the past on IRC (@ freenode in #erlang).
More information about the erlang-questions