[erlang-questions] Erlang offensive paper
Lee Sylvester
lee.sylvester@REDACTED
Thu Jun 2 00:26:56 CEST 2016
In fairness, should we ever rely on the underlying virtual machine to be
secure for any platform? If you were coding a *ahem* NodeJS app, would you
rely on its security?

Personally, I implement security for the messaging, be it HTTP or sockets
etc., and implement safeguards around that VM through other technologies.
In fact, I even proxy my HTTP / sockets.

On Thu, Jun 2, 2016 at 10:18 AM, Richard A. O'Keefe <ok@REDACTED>
wrote:
> A rough summary:
> - The underlying C code can be attacked through Erlang.
>   * Avoid NIFs if you can.
> - The default distribution machinery has weak security.
>   * Search the archives for alternative distribution methods,
>     e.g., TLS
> - Secrets can leak out through the OS and attacks can leak in.
>   * Can dumps be routed to another machine, through TLS?
>   * Limit use of external commands.
>
> Whatever happened to Laurie Brown's work on "Safe Erlang"?