realcorvus

realcorvus

A misleading published paper on Elixir security

“Vision for a Secure Elixir Ecosystem: An Empirical Study of Vulnerabilities in Elixir Programs” was published by the ACM in April, 2022. From the paper:

Practitioners perceive Elixir to be a ‘safe’ language, as the language allows practitioners to write fast software programs without introducing vulnerabilities, unlike other languages, such as C[16]

[16] Nathan Long. 2021. Elixir is Safe. Elixir is Safe - DockYard

The ACM is a reputable journal, and this paper may come up in many contexts, for example if a business is considering using Elixir. I do not believe the paper gives an accurate picture of Elixir from a security POV, have published my reply:

Elixir’s reputation is important, and I hope this article is useful in showing why the claims in the paper are misleading.

Most Liked

hst337

hst337

Relax, some people write papers because they are mandatory to finish the university to get a grade. Whole academia is more about getting a degree, not about science or anything really useful.

I don’t think that these students are wrong. In my opinion, they are 100% correct: nobody cares about academic papers or their quality, young people just need a degree to have more opportunities in the future. I think that there should be more papers like this. This would destroy authority of universities in terms of defining competence

JeyHey

JeyHey

Having quickly read the article cited above, my opinion is the following.

The research question is narrow and does appear to be part of a broader, established research field. It is unclear which conclusions for Elixir, the field of computer science or for security research the answering of the research question yields.

The paper does not seem to follow established methodology. What are the established metrics for measuring code quality and security issues ? What prior research exist in that field ? No papers on established methodology are quoted. Normally, a paper does either apply established methodology to a new dataset, or it applies new methodology to an already studied dataset. This study does not explain, which one it does.

The whole paper is short. It does not explore the topic in its depth nor in its breadth. Additionally, the few pages written are bloated with unnecessary information. This paper is not research, this is undergraduate homework.

How can the authors address these issues? I see two ways. Either (i) broaden the scope and explore the security aspect of Elixir in a comparative study with other languages. Does Elixir code show statistically different levels of security issues than other code ? Are there differences in the types of security issues ? Do code bases with high levels of security issues have further differences compared to code bases with lower levels ? Are these differences also observable for Elixir code ? Or (ii) deepen the research and explore which security problems can be identified for the specific case of Elixir code. What type of issues can be identified ? How extensive are they ? What can these issue say about the language and tools used ? What suggestion for improved code can be derived ?

D4no0

D4no0

What the hell is that paper about, the quality of the content is worse than my laboratory work in the first year of the university, just repeating 100 times that we extracted commits from some random projects and found X vulnerabilities, without even showing a single example of a vulnerability.

With their methodology, I could hire 2 kids from school and search for words in commits with the same result:

This is just embarrassing :joy:

And by the way, when vulnerabilities are fixed, they are not marked as CRITICAL VULNERABILITY FIXED, HERE IS AN EXAMPLE if you want to replicate it, as vulnerabilities are things that can happen in any language/library.

Where Next?

Popular in Discussions Top

blackode
Elixir Upgrading is so Simple in Ubuntu and It worked for me Ubuntu 16.04 git clone https://github.com/elixir-lang/elixir.git cd elixir...
New
owaisqayum
I have a sample string sentence = "Hello, world ... 123 *** ^%&*())^% %%:>" From this string, I want to only keep the integers, ...
New
lucaong
Hello Elixir and Nerves community, I have been working for a while on an open-source embedded key-value database for Elixir, that I call...
230 13924 124
New
AstonJ
If a newbie asked you about Phoenix Contexts, how would you explain the basics to them? Feel free to be as concise or in-depth as you li...
New
mbenatti
Following https://github.com/tbrand/which_is_the_fastest |> https://raw.githubusercontent.com/tbrand/which_is_the_fastest/master/imgs...
New
tmbb
This is a post to discuss the new Phoenix LiveView functionality. From Chris’s talk, it appears that they generate all HTML on the serve...
342 18146 126
New
und0ck3d
Hello everyone! A few days ago I’ve created a topic here about how people were creating CMSs with Elixir and Phoenix. I’ve been studying...
New
klo
Got a question about when to concat vs. prepending items to list then reversing to achieve appending. So i know lists boil down to [1 | ...
New
acrolink
How does the two languages compare when it comes to server side application development? Any experiences or ideas? Thank you.
New
joeerl
I’m playing with Elixir - It’s fun. I think @rvirding does give Elixir courses these days. Re: files and database - when I given Erlang ...
New

Other popular topics Top

AstonJ
Posting this to see if we can make things easier for people to get into Neovim. If you use Neovim and have a favourite distro please let ...
New
Fl4m3Ph03n1x
About me? ( if you have nothing better to do than reading about some random guy in the internet :stuck_out_tongue: ) Hello all, this is ...
New
stefanchrobot
What’s the safe way to decode a JSON string into a struct? I want to avoid calling String.to_atom. Jason.decode can give me a map with st...
New
josevalim
Hi everyone, One of the features added to Elixir early on to help integration with Erlang code was the idea of overridable function defi...
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
AstonJ
We’ve put together this wiki for Phoenix LiveView - please feel free to add any info you feel is worth including. What is Phoenix LiveV...
New
Qqwy
Update: How to use the Blogs & Podcasts section You can post links to your blog posts or podcasts either in one of the Official Blog...
3271 126479 1222
New
hariharasudhan94
Lets say I have map like this fetching from my database %{"_id" => #BSON.ObjectId<58eb1a7a9ad169198c3dXXXX>, "email" => ...
New
lanycrost
Hi everyone! I need implement if…else if…else condition from my elixir code, and anymore of this control flow structures not work proper...
New

We're in Beta

About us Mission Statement