[erlang-questions] Process state and sensitive information

Chris de Villiers chrisdevilliers@REDACTED
Tue Sep 2 12:41:33 CEST 2014


Hi, thanks for your input.

@Mark
> Another question I would have is, how are you going to supply the credentials to this gen_server to make these API calls?
I was thinking of calling the gen_server from the shell after application
startup to pass it the credentials.  Another approach would be to
store the credentials encrypted on disk and have the gen_server
decrypt them upon use.  But essentially this is just another instance
of the same problem because you still have to store the private key's
pass phrase or the symmetric key somewhere.

@Tony
The sensitive process_flag takes care of the stack traces and error
reports, thanks!

@Steve
I realise I should be tackling the problem from the OS side first.  My
programming ability far exceeds my sysadmin skills, which is why my
first instinct is the other direction.

I think I will proceed as follows:
1. Restrict user account under which the VM is executed (Any suggestions?)
2. Store access credentials encrypted on disk.
3. Set the sensitive process_flag.
4. Call the gen_server with the private key's pass phrase and store it
in private ETS storage.
5. Decrypt access credentials every time upon use.

Any comments?

Best regards,
chris


On Tue, Sep 2, 2014 at 7:27 AM, Steve Strong <steve@REDACTED> wrote:
> If they have access to the user account, then there's nothing you can do to secure the VM; the best you'll manage is to make it harder.
>
> For example, they could attach to the VM, load a linked-in driver, and then dump all memory to disk.
>
> Your safest approach is to assume they can see it, and to make sure that what they see is of little use.  So make sure you don't store plaintext credentials, instead store salted hashes - at least now they can't steal the passwords...
>
> You could also have a second account that runs a second VM - have that VM handle all the security sensitive information and expose a thin API to the first; now the first account is less privileged and less damage can be done.  Of course, that just moves the problem to the second account, but since it is doing less, it should be easier to secure.
>
> Kind of hard to suggest much more without talking about OS hardening; if your OS isn't secured then you really might as well give up ;)
>
> Cheers,
>
> Steve
>
> Sent from my iPhone
>
>> On 1 Sep 2014, at 23:10, Chris de Villiers <chrisdevilliers@REDACTED> wrote:
>>
>> Hello
>>
>> I want to make requests to a web service which authenticates users
>> with a key and secret.  I will be implementing their API with a
>> gen_server and need to place the access credentials somewhere "safe".
>> By safe I mean it should be out of plain sight and not accessible to a
>> user that can attach to the VM.  I also do not want them to show up in
>> stack traces or kernel/SASL logs should the gen_server die
>> unexpectedly.
>>
>> The application's environment is obviously ruled out.  Storing them in
>> the gen_server's state is also no good because sys:get_status/1 gives
>> them away.
>>
>> I thought about placing them in an ETS table private to the gen_server
>> process.  Is it possible for another process to read private ETS
>> tables somehow?
>>
>> Any other suggestions how I can handle this situation?  I do not want
>> to start a discussion about OS level security.  Let's assume someone
>> gets access to the user account under which the VM runs and can attach
>> to it.
>>
>> Regards,
>> chris
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions



-- 
chris de villiers
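The five-step plan in Chris's reply above, written out as a small gen_server. This is an added example for this thread, not code posted by anyone on the list: the module name, the AES-256-GCM/PBKDF2 choice, the on-disk blob layout and the `with_credentials/1` API are all assumptions made here. It uses `crypto:pbkdf2_hmac/5` (OTP 24.2 or later) and `crypto:crypto_one_time_aead/6,7` (OTP 22 or later).

```erlang
-module(cred_store).
-behaviour(gen_server).

%% Client API
-export([seal/3, start_link/1, unlock/1, with_credentials/1]).
%% gen_server callbacks
-export([init/1, handle_call/3, handle_cast/2, terminate/2]).

-define(TAB, cred_store_secrets).   % hypothetical table name
-define(ITER, 100000).              % PBKDF2 iterations (assumed value)

%%% ---- Step 2: encrypt the credentials to disk, run once and offline -----

%% Credentials is any term, e.g. #{key => <<"...">>, secret => <<"...">>}.
seal(Path, PassPhrase, Credentials) ->
    Salt = crypto:strong_rand_bytes(16),
    IV   = crypto:strong_rand_bytes(12),
    Key  = derive_key(PassPhrase, Salt),
    Plain = term_to_binary(Credentials),
    {CipherText, Tag} =
        crypto:crypto_one_time_aead(aes_256_gcm, Key, IV, Plain, <<>>, true),
    file:write_file(Path, term_to_binary({Salt, IV, Tag, CipherText})).

derive_key(PassPhrase, Salt) ->
    crypto:pbkdf2_hmac(sha256, PassPhrase, Salt, ?ITER, 32).

%%% ---- Client API ---------------------------------------------------------

%% Path is the blob written by seal/3; only ciphertext is loaded at start.
start_link(Path) ->
    gen_server:start_link({local, ?MODULE}, ?MODULE, Path, []).

%% Step 4: called from the shell after application startup.
unlock(PassPhrase) ->
    gen_server:call(?MODULE, {unlock, PassPhrase}).

%% Step 5: Fun/1 receives the decrypted credentials and runs inside the
%% sensitive server process, so the plaintext is never copied into the
%% caller's state. Fun should return the API result, not the credentials.
with_credentials(Fun) when is_function(Fun, 1) ->
    gen_server:call(?MODULE, {with_credentials, Fun}).

%%% ---- gen_server callbacks ----------------------------------------------

init(Path) ->
    %% Step 3: disables tracing of this process and keeps its stack,
    %% message queue and dictionary out of process_info and crash dumps.
    process_flag(sensitive, true),
    %% Step 4 storage: a private table is readable only by its owner and
    %% is deleted automatically when this process dies.
    Tab = ets:new(?TAB, [set, private]),
    {ok, Blob} = file:read_file(Path),
    {ok, #{tab => Tab, blob => binary_to_term(Blob)}}.

handle_call({unlock, PassPhrase}, _From, #{tab := Tab} = State) ->
    true = ets:insert(Tab, {passphrase, PassPhrase}),
    {reply, ok, State};
handle_call({with_credentials, Fun}, _From,
            #{tab := Tab, blob := {Salt, IV, Tag, CipherText}} = State) ->
    case ets:lookup(Tab, passphrase) of
        [] ->
            {reply, {error, locked}, State};
        [{passphrase, PassPhrase}] ->
            Key = derive_key(PassPhrase, Salt),
            %% Step 5: decrypt on every use; the plaintext lives only for
            %% the duration of Fun and is never kept in State or in ETS.
            case crypto:crypto_one_time_aead(aes_256_gcm, Key, IV,
                                             CipherText, <<>>, Tag, false) of
                error -> {reply, {error, bad_passphrase}, State};
                Plain -> {reply, Fun(binary_to_term(Plain)), State}
            end
    end.

handle_cast(_Msg, State) -> {noreply, State}.
terminate(_Reason, _State) -> ok.
```

Typical use: `cred_store:seal("creds.bin", <<"pass">>, #{key => K, secret => S})` once on a trusted machine, then `cred_store:start_link("creds.bin")` at application start, `cred_store:unlock(<<"pass">>)` from the shell, and `cred_store:with_credentials(fun(#{key := K, secret := S}) -> call_api(K, S) end)` at each request. Note that the state map holds only the ciphertext, so `sys:get_status/1` on this server reveals nothing useful, and that the pass phrase still passes through the caller's process as a message argument, which is exactly the residual exposure Steve describes: anyone who can attach to the VM can be assumed to see it, so the goal is to limit how much plaintext exists and for how long, not to make it unreadable.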