[erlang-questions] Process state and sensitive information
Tue Sep 2 10:13:52 CEST 2014
The idea behind the process_flag(sensitive, true) function was to let you disable trace and introspection. As background info, tele- and datacoms systems must usually provide support for ‘Lawful Intercept’, i.e. wiretapping by the authorities. It should not be ‘possible’ for a human operator or service technician, even with console access, to see which phones are being monitored… for some pragmatic interpretation of ‘possible’.
This is of course hard to accomplish with Erlang, but we decided that a sufficient level of security could be achieved by combining private ets tables, process_flag(sensitive, true), secure shell, a carefully limited Bash shell and audit logging. Basically, you shouldn’t be able to inspect the sensitive data without somehow brutalizing the system, and this would show up in the audit log.
Now, if the perpetrator has root access and physical access to the machine, it becomes trickier, but then, one has to rely on physical premises security and surveillance.
On 02 Sep 2014, at 07:53, Attila Rajmund Nohl <attila.r.nohl@REDACTED> wrote:
> 2014-09-01 23:10 GMT+02:00 Chris de Villiers <chrisdevilliers@REDACTED>:
>> Any other suggestions how I can handle this situation? I do not want
>> to start a discussion about OS level security. Let's assume someone
>> gets access to the user account under which the VM runs and can attach
>> to it.
> If the attacker can attach to the VM, you lost. The attacker can turn
> on trace and see all of your function calls with their parameters, so
> you can't pass the password to any functions. The attacker can also
> see all of your messages, so you can't send the password to any other
> process. The attacker can even load his/her own code and replace
Ulf Wiger, Co-founder & Developer Advocate, Feuerlabs Inc.
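As an added illustration of the combination Ulf describes (private ets table plus process_flag(sensitive, true)), here is a small module that is not from the original post or from any Feuerlabs/OTP code. It keeps an intercept list in a private ets table inside a process that optionally marks itself sensitive, then shows what another process on the same node gets back from ets:lookup/2, erlang:trace/3 and process_info/2. The module name, the intercept_targets table, the sample number, the warrant tag and the message formats are all assumptions made for the example.

```erlang
%% sensitive_demo.erl -- added example, not code from the original post.
%% Shows what process_flag(sensitive, true) plus a private ETS table hide
%% from a user who can attach to the node and run the usual tools
%% (process_info/2 and erlang:trace/3). Module name, table name, the
%% sample intercept entry and the message formats are all assumptions.
-module(sensitive_demo).
-export([start/1, stop/1, lookup/2, inspect/1, run/0]).

%% Spawn the holder of the intercept list. Sensitive controls whether the
%% process marks itself with process_flag(sensitive, true); the flag can
%% only be set by the process itself, which is why it is done inside spawn.
start(Sensitive) when is_boolean(Sensitive) ->
    Parent = self(),
    Pid = spawn(fun() ->
                    process_flag(sensitive, Sensitive),
                    %% private: only the owning process may read or write it
                    Tab = ets:new(intercept_targets, [set, private]),
                    ets:insert(Tab, {<<"+4612345678">>, warrant_42}),
                    put(last_query, none),
                    Parent ! {ready, self(), Tab},
                    loop(Tab)
                end),
    receive {ready, Pid, Tab} -> {Pid, Tab} end.

stop({Pid, _Tab}) ->
    Pid ! stop,
    ok.

%% The only sanctioned way to ask whether a number is monitored.
lookup(Pid, Msisdn) ->
    Ref = make_ref(),
    Pid ! {lookup, self(), Ref, Msisdn},
    receive {Ref, Reply} -> Reply after 5000 -> timeout end.

loop(Tab) ->
    receive
        {lookup, From, Ref, Msisdn} ->
            put(last_query, Msisdn),          % state in the process dictionary
            Reply = case ets:lookup(Tab, Msisdn) of
                        [{_, Warrant}] -> {monitored, Warrant};
                        []             -> not_monitored
                    end,
            From ! {Ref, Reply},
            loop(Tab);
        stop ->
            ok
        %% anything else (e.g. {note, _}) is left unread in the queue
    end.

%% What someone who can attach to the node sees from another process.
inspect({Pid, Tab}) ->
    %% 1. Reading the private table from another process fails with badarg,
    %%    regardless of the sensitive flag.
    Ets = try ets:lookup(Tab, <<"+4612345678">>) of
              Rows -> {readable, Rows}
          catch error:badarg -> denied
          end,
    %% 2. Tracing: the flags are accepted, but a sensitive process emits
    %%    no trace messages for its sends and receives.
    1 = erlang:trace(Pid, true, [send, 'receive']),
    Pid ! {note, unread},                    % stays in the queue
    {monitored, _} = lookup(Pid, <<"+4612345678">>),
    Trace = receive
                {trace, Pid, _, _}    -> trace_seen;
                {trace, Pid, _, _, _} -> trace_seen
            after 200 -> no_trace
            end,
    1 = erlang:trace(Pid, false, [send, 'receive']),
    flush_trace(Pid),
    %% 3. process_info: queue and dictionary come back as [] when sensitive.
    [{dictionary, Dict}, {messages, Msgs}] =
        process_info(Pid, [dictionary, messages]),
    #{ets => Ets, trace => Trace, dictionary => Dict, messages => Msgs}.

%% Drop any leftover trace messages so they do not linger in our queue.
flush_trace(Pid) ->
    receive
        T when is_tuple(T), element(1, T) =:= trace, element(2, T) =:= Pid ->
            flush_trace(Pid)
    after 0 -> ok
    end.

%% Compare both settings side by side: the legitimate lookup API works in
%% both cases, but only the non-sensitive process leaks through introspection.
run() ->
    Plain  = start(false),
    Hidden = start(true),
    Result = #{plain => inspect(Plain), sensitive => inspect(Hidden)},
    stop(Plain),
    stop(Hidden),
    Result.
```

Compile and call sensitive_demo:run() in a shell on the node. For the plain process the map shows trace_seen, the dictionary entry {last_query, <<"+4612345678">>} and the unread {note, unread} message; for the sensitive process those three come back as no_trace, [] and []. The ets lookup is denied in both cases because private tables are a separate mechanism from the sensitive flag. As the quoted reply points out, none of this stops someone who can attach to the node from loading code, which is why the post pairs it with a restricted shell and audit logging rather than treating it as a complete defence.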