arnomi

arnomi

BEAM security - best practices to secure a running system?

I find myself quite often in the following situation.

Colleague: “Elixir/Erlang is problematic because we cannot secure the VM (i.e. Beam). It is vulnerable to code injection because anybody that gets to the system can start a remote shell and change running code without anybody noticing it. On the JVM in contrast this is not possible.

To some extend this argument is correct. The JVM (and most other runtime systems) don’t offer the debug or cluster capabilities BEAM offers which make debugging a lot harder but also works in favor of securing the system (completely neglecting the code that is actually running withing the VM).

My question is: What are good arguments in favor of the security of BEAM and what are best practices to secure a running system (both in cluster mode and as a single isolated VM) as much as possible?

Most Liked

garazdawi

garazdawi

Erlang Core Team

If you remove those debugging capabilities, by for instance not running distributed Erlang and not using run_erl/to_erl, you get into a very similar state as the JVM. You cannot debug, but you also cannot do code injection.

josevalim

josevalim

Creator of Elixir

Right, that’s my point. The distribution and debug features are opt-in. When you start the VM, they are not enabled by default. You don’t have to do anything.

idi527

idi527

Distribution over vpn is another alternative to tls (which I find simpler since no certificate management), wireguard will probably be integrated into the linux kernel “soon” (maybe in 5.0?). There’s also tinc, but it’s slower. I can publish a demo repo with my setup for both, if there is any interest. And if your hosting provider also provides a private network between vms as a service, then it’s even easier.


When I don’t need the distribution, I add

config :kernel, inet_dist_use_interface: {127, 0, 0, 1}

to the config to avoid epmd binding to all network interfaces. I also close all ports by default, and only leave the ones necessary for the application usage open.

Where Next?

Popular in Discussions Top

blackode
Elixir Upgrading is so Simple in Ubuntu and It worked for me Ubuntu 16.04 git clone https://github.com/elixir-lang/elixir.git cd elixir...
New
mikl
I wanted to capitalize a string, and tried using String.capitalize(). That generally works well, until you try to capitalize a word like...
New
sashaafm
I’m trying to evaluate the best combo/stack for a BEAM Web app. Right now I’m exploring Yaws a bit, after having dealt with Phoenix for a...
New
Fl4m3Ph03n1x
Background A few days ago I was listening to The future of Elixir from Elixir Talks, with Dave Thomas (@pragdave ) and Brian Mitchell. I...
New
mmmrrr
Just saw that dhh announced https://hotwire.dev/ Is it just me or is this essentially live view? :smiley: Although I like the “iFrame-e...
New
AlexMcConnell
The reason that Rails is as popular as it is is because it’s very easy for relatively inexperienced developers to get a lot of work done....
588 19568 166
New
fireproofsocks
I’ve been working on an Elixir project that has required a lot of scripting. I usually reach for Elixir because I like it more (and in th...
New
AstonJ
Can you believe the first professionally published Elixir book was published just 8 years ago? Since then I think we’ve seen more books f...
New
griffinbyatt
Sobelow Sobelow is a security-focused static analysis tool for the Phoenix framework. For security researchers, it is a useful tool for g...
New
opsb
We’re considering our architecture from a viewpoint of scaling our traffic heavily over the next 6 months. Our current deployment is runn...
New

Other popular topics Top

danschultzer
None of the current solutions worked well for me, so I went ahead and built a user management system from scratch. This project took far...
548 29377 241
New
vertexbuffer
Hello, can anybody help here..? I have a list of players and I what to delete an element, but every for loop the list is reverting to ori...
New
senggen
Erlang/OTP 25 [erts-13.2.2] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] 15:22:35.803 [error] gen_event {lager_file_backend...
New
chrismccord
As promised, the first release candidate of Phoenix 1.3.0 is out! This release focuses on code generators with improved project structure...
New
shahryarjb
Hello, I have map which I want to convert it to string like this: the map: %{last_name: "tavakkoli", name: "shahryar"} the string I ne...
New
msaraiva
Surface is an experimental library built on top of Phoenix LiveView and its new LiveComponent API that aims to provide a more declarative...
564 43622 214
New
JakeBecker
TL;DR: I’ve just released an implementation of Microsoft’s IDE-independent Language Server Protocol for Elixir. It adds language support ...
1144 53690 245
New
AngeloChecked
What learn first? Rust or Elixir Hi Elixir community! I’m here because i want learn a new language. I’m a junior developer and mainly i ...
New
dokuzbir
I want to highlight html closing tags when i click a html tag. That works in .html files but doesnt work for html.eex templates. How can...
New
AstonJ
Seen any cool LiveView demos, sample apps or examples? Please post them here! :003:
New

We're in Beta

About us Mission Statement