[erlang-questions] Automated Code Scanning of Erlang Source for Security

Bob Ippolito bob@REDACTED
Sat Jul 7 01:05:54 CEST 2007


On 7/6/07, Eric Merritt <cyberlync@REDACTED> wrote:
> Guys,
>
>  Over the last month or so I have come across a need for a security
> scanning tool. There isn't any point in asking why, it really wouldn't
> matter anyway. In any case, no tool like this seems to exist. I think
> the reason for that is because the simple problems these tools detect
> generally don't exist in Erlang. I was sitting down, trying to come up
> with a list of possible detectable defects in preparation for writing
> my own scanner or extending Dialyzer. The only problems I could think
> of were use of eval and related constructs and SQL injection style
> attacks. Other than that I can't think of a single thing.
>
> So here is my question, finally. What type of, possibly detectable,
> security issues are related to Erlang, aside from the ones already
> mentioned?

Well, you could easily run out of memory using list_to_atom on
arbitrary input, or receive statements that don't eventually match
everything (filling up mailboxes).

-bob
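An added illustration of the two defensive counterparts to Bob's points, written for this page and not code from the thread: converting untrusted strings with list_to_existing_atom so attacker-chosen input cannot grow the (never garbage-collected) atom table, and a receive loop with a catch-all clause so unmatched messages are dropped rather than accumulating. The module and function names are constructed; the atom_count and atom_limit keys of erlang:system_info/1 are assumed to be available (OTP 20 and later).

```erlang
-module(atom_guard).
-export([safe_to_atom/1, atom_headroom/0, loop/1]).

%% Convert untrusted input to an atom only if that atom already exists.
%% list_to_atom/1 would create a new atom per distinct string, and atoms
%% are never reclaimed, so arbitrary input could exhaust the atom table.
safe_to_atom(Str) when is_list(Str) ->
    try
        {ok, list_to_existing_atom(Str)}
    catch
        error:badarg -> {error, unknown_atom}
    end.

%% Remaining capacity of the atom table; useful as a health metric to
%% alert on before the VM dies. (system_info keys assumed: OTP 20+.)
atom_headroom() ->
    erlang:system_info(atom_limit) - erlang:system_info(atom_count).

%% A receive loop with a catch-all clause. Without the final `Other`
%% clause, any message that matches no pattern stays in the mailbox
%% forever, and every later receive scans past it, so an attacker who
%% can send unexpected messages can grow memory and slow the process.
loop(State) ->
    receive
        {set, Key, Value} ->
            loop(maps:put(Key, Value, State));
        {get, Key, From} ->
            From ! {reply, maps:get(Key, State, undefined)},
            loop(State);
        stop ->
            ok;
        Other ->
            %% Log and discard instead of leaving it queued.
            error_logger:warning_msg("dropping unexpected message ~p~n",
                                     [Other]),
            loop(State)
    end.
```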


