[erlang-questions] Efficient Denial of Service Attacks on Web Application Platforms and its effects in Erlang?
Jesper Louis Andersen
jesper.louis.andersen@REDACTED
Fri Dec 30 14:04:13 CET 2011
On 12/30/11 10:47 AM, Dmitrii Dimandt wrote:
>
> Specifically, I'm worried about
>
> - Yaws
> - Mochiweb
> - Webmachine
> - Misultin
> - Cowboy
>
The most worrisome place in Erlang is if you are using ETS in a mode
where the underlying runtime uses a Hash, i.e., set or bag semantics. The
ordered semantics use a tree and are thus not vulnerable - and the hash
may not be either, but I don't know the details of that. There is a
reason Dan J. Bernstein went for using critbit/radix/patricia trees in
most of his software due to this. It is kind of a timing attack in a
similar form.
What you should be worried about is this: A user can control an input
which ends up being a key in a hash table. If this is true, then the
table may be a problem if the user can craft collisions. The simplest
solution is probably to lace the key with some "salt" or build up the
hash so it is a family and change it such that an enemy attacker doesn't
know what values to use in order to create collisions. Or you can choose
a hash table structure without the problem in the first place.
But the quick Erlang fix is to use an ordered ETS table where
applicable. Problem solved.
--
Jesper Louis Andersen
Erlang Solutions Ltd., Copenhagen, DK
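As an added example that is not part of the original post: an Erlang module showing the two mitigations described above, an `ordered_set` table (tree-backed, so lookup cost does not depend on how keys hash) and a hash-backed `set` whose keys are wrapped with a per-table random salt. The module name, the assumption that keys are binaries taken from request data, and the use of HMAC-SHA256 via `crypto:mac/4` (OTP 22.1 or later) are my assumptions.

```erlang
%% Added example (not from the original thread): two ways to keep
%% user-controlled keys from steering ETS into hash collisions.
-module(safe_kv).
-export([new/1, put/3, get/2]).

%% Mode 'ordered': ordered_set is tree-backed, so lookups stay O(log N)
%% no matter which keys an outside party chooses.
new(ordered) ->
    {ordered, ets:new(?MODULE, [ordered_set, private])};
%% Mode 'salted': keep the hash-based 'set' but store a keyed hash of
%% each key. The salt lives only in the table handle, so nobody outside
%% the node can predict where a given key lands in the table.
new(salted) ->
    Salt = crypto:strong_rand_bytes(16),
    {salted, Salt, ets:new(?MODULE, [set, private])}.

%% Keys are assumed (example assumption) to be binaries from request data.
put({ordered, Tab}, Key, Value) when is_binary(Key) ->
    true = ets:insert(Tab, {Key, Value});
put({salted, Salt, Tab}, Key, Value) when is_binary(Key) ->
    true = ets:insert(Tab, {salt_key(Salt, Key), Value}).

get({ordered, Tab}, Key) when is_binary(Key) ->
    lookup(Tab, Key);
get({salted, Salt, Tab}, Key) when is_binary(Key) ->
    lookup(Tab, salt_key(Salt, Key)).

lookup(Tab, K) ->
    case ets:lookup(Tab, K) of
        [{_, V}] -> {ok, V};
        []       -> not_found
    end.

%% HMAC-SHA256 over the user key with the per-table salt as the MAC key
%% (crypto:mac/4, OTP 22.1+). The attacker neither sees the salt nor the
%% stored key, so precomputed collision sets no longer apply.
salt_key(Salt, Key) ->
    crypto:mac(hmac, sha256, Salt, Key).
```

Note that `ordered_set` compares keys by Erlang term order rather than exact equality, so keys that compare equal (such as `1` and `1.0`) share one entry; with binary keys, as assumed here, that distinction does not arise.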