[erlang-questions] Automated Code Scanning of Erlang Source for Security

Bob Ippolito bob@REDACTED
Sat Jul 7 01:07:56 CEST 2007


On 7/6/07, Bob Ippolito <bob@REDACTED> wrote:
> On 7/6/07, Eric Merritt <cyberlync@REDACTED> wrote:
> > Guys,
> >
> >  Over the last month or so I have come across a need for a security
> > scanning tool. There isn't any point in asking why, it really wouldn't
> > matter anyway. In any case, no tool like this seems to exist. I think
> > the reason for that is because the simple problems these tools detect
> > generally don't exist in Erlang. I was sitting down, trying to come up
> > with a list of possible detectable defects in preparation for writing
> > my own scanner or extending Dialyzer. The only problems I could think
> > of were use of eval and related constructs and SQL injection style
> > attacks. Other than that I can't think of a single thing.
> >
> > So here is my question, finally. What type of, possibly detectable,
> > security issues are related to Erlang, aside from the ones already
> > mentioned?
>
> Well you could easily run out of memory using list_to_atom on
> arbitrary input or receive statements that don't eventually match
> everything (filling up mailboxes).
>

Also binary_to_term and anything else that turns input into atoms
could fill up the atom table.

-bob
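A worked illustration of the two hazards raised in this thread (atom-table exhaustion through list_to_atom/binary_to_term on untrusted input, and mailboxes growing when a receive never matches unexpected messages), added here as an example and not code from the original thread. The module name untrusted_input and its functions are my own; it relies on list_to_existing_atom/1, the [safe] option of binary_to_term/2 and erlang:unique_integer/1, which exist in current OTP releases.

```erlang
-module(untrusted_input).
-export([to_atom/1, decode/1, loop/1, demo/0]).

%% Converting untrusted text to an atom: list_to_atom/1 adds a new entry
%% to the atom table (which is never garbage collected) for every distinct
%% input, so arbitrary input can exhaust it. list_to_existing_atom/1 only
%% resolves names the VM already knows and fails with badarg otherwise.
to_atom(Str) when is_list(Str) ->
    try {ok, list_to_existing_atom(Str)}
    catch error:badarg -> {error, unknown_atom}
    end.

%% Decoding external term format from the network: with the [safe] option,
%% binary_to_term/2 refuses terms that would create new atoms (or reference
%% unknown funs) instead of silently growing the atom table.
decode(Bin) when is_binary(Bin) ->
    try {ok, binary_to_term(Bin, [safe])}
    catch error:badarg -> {error, unsafe_term}
    end.

%% A receive loop with a catch-all clause: a process whose receive matches
%% only known messages keeps every unknown one in its mailbox forever.
loop(State) ->
    receive
        {get, From}     -> From ! {ok, State}, loop(State);
        {set, NewState} -> loop(NewState);
        stop            -> ok;
        Other           -> io:format("dropping unexpected ~p~n", [Other]),
                           loop(State)
    end.

demo() ->
    %% Constructed sample payload: an ATOM_EXT term (tag 100, 2-byte length)
    %% naming an atom this node has never seen, built at runtime so that no
    %% literal in this module creates it first.
    Name = "untrusted_" ++ integer_to_list(erlang:unique_integer([positive])),
    Payload = <<131, 100, (length(Name)):16, (list_to_binary(Name))/binary>>,
    {error, unsafe_term} = decode(Payload),                 % refused, no atom created
    {ok, {hello, 1}} = decode(term_to_binary({hello, 1})),  % known atoms decode fine
    {error, unknown_atom} = to_atom(Name),
    {ok, hello} = to_atom("hello"),                         % 'hello' exists via the literal above
    %% The catch-all clause keeps the mailbox from accumulating junk.
    Pid = spawn(?MODULE, loop, [0]),
    Pid ! garbage, Pid ! {set, 42}, Pid ! {get, self()},
    receive {ok, 42} -> ok end,
    {message_queue_len, 0} = process_info(Pid, message_queue_len),
    Pid ! stop,
    ok.
```

Compile with erlc and run untrusted_input:demo() in a shell; each pattern match in demo/0 acts as an assertion and the call returns ok when all of them hold.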


