ancatrusca

ancatrusca

BEAM There, Done That - The BEAM security wake-up call episode

We just published a new episode of BEAM There, Done That that I think deserves a focused discussion here.

Peter Ullrich spent an afternoon at ElixirConf EU running a $10 Claude experiment against the most-downloaded Hex packages. He found a critical vulnerability in decimal - a library used by almost every database and money-handling package in the ecosystem - in under 30 minutes, with no prior security experience. Since then he’s been systematically scanning further down the list and has reported roughly twice as many vulnerabilities as have been published so far.

Jonathan Machen, EEF CISO and operator of the Erlang Ecosystem Foundation’s CVE Numbering Authority, joins to explain what happens on the receiving end of those reports and where the infrastructure currently stands.

For library maintainers specifically: Jonathan’s single recommendation is to enable private vulnerability reporting on GitHub (three clicks) and write a security policy. If Peter finds something in your library, this is how he reaches you privately before anything is public. Without it, disclosure gets significantly harder for everyone.

The patterns appearing most often:

  • String.to_atom/1 and binary_to_term/1 enabling atom table exhaustion or remote code execution

  • HTTP libraries with missing buffer caps on WebSocket connections

  • Sobelow and Credo catch a meaningful portion of these statically

Peter’s prompts are open source - linked from his blog post if you want to run a scan on your own codebase. He recommends feeding your application file-by-file to Claude Opus with a prompt focused on externally-reachable attack vectors.

The bigger picture: the obscurity advantage the ecosystem relied on for 30 years is eroding. The EEF is building real infrastructure to replace it (CNA, AGES initiative, supply chain security), but it’s currently funded by a single sponsorship and staffed largely by volunteers. If your company is running Phoenix in production, that’s worth thinking about.

Happy to discuss the technical patterns, the disclosure process, or anything else from the episode.

Most Liked

josevalim

josevalim

Creator of Elixir

I understand AI can be divisive but this is not an accurate summary of the episode and both the EEF and Jonatan have done a lot of positive work for the community, especially when it comes to security.

You can criticize the process and the structure but it is unfair to describe the work they have done as FUD or a way to get funds. Let’s please respect each other.

  • You need to have a handful of people you can trust and are security experts to coordinate the whole process. The number of CVEs are going to increase in the short-medium term and the community will need assistance because it will be the first-time experience for many of us

  • Most funds related to security will require an organization and those funds are important for projects like Hex Security Audit

  • There is literally one person working on it today and yet it is being labelled as a cadre of middle-manager and bureaucracy

But most importantly, if you believe in a lightweight/decentralized approach, you can either:

  • engage constructively with the current process to improve it

  • or go ahead and build the solution you want to see: gather the funds (or don’t), perform security audits for important projects, establish your own CNA for Hex package owners, and reach out to maintainers

The only reason we have a podcast episode to listen to is because people are doing work for the community. So if we want to challenge them, we should put our work into it too.

lpil

lpil

Creator of Gleam

Just wanted to drop in and say that I am extremely impressed with the work that the EEF security folks are doing, especially given spike in workload due to these new AI scanning tools. Bravo team! Recently I was talking to maintainers of the GitHub Advisory Database, and unprompted they brought up the EEF team and praised them, so it’s not just me that’s noticing.

I don’t agree with the evaluation that they’re taken a heavyweight approach in any particular way. My experience having worked on several CVEs with them is that it’s very lightweight and substantially easier than doing it alone.

I do hope more BEAM companies step forward to support the security team. Their work is invaluable and saves us all a great deal of money and risk.

LostKobrakai

LostKobrakai

Where does the CVE come from though. Sure you can build a tracking platform, but what the foundation built is actually being able to have CVE issued for our ecosystem in the first place - one controlled by people understanding our ecosystem.

These are the people with more work on their hands than time to deal with it. You’re free to think their claims are FUD, but their trackrecord of securing funding, becoming a CVE Numbering Authority – creating not just a CVE tracking page but one validating, scoring and issuing CVEs – working with the standards bodies involved in all that, working through the raising number of CVEs, handling communciation with maintainers and reporters. All these are real accomplishments of the foundation in recent years. These are the people telling you they’re understaffed and/or underfunded. What they do is not an lazy afternoon job.

If you don’t trust them the problem is real, there’s other reports of the same problems like e.g. of the maintainer of curl:

To your individual suggestions:

  • build a CVE tracking website (for the MVP: an afternoon’s work?)

We have something better: https://cna.erlef.org/. Not just a tracker, but an issuing body of CVEs.

  • auto-send CVE alert to the project maintainer

The point is that maintainers should be informed before CVEs are made public, so fixes are available at the time the CVE becomes public. Reporting is just a part of the work we need to deal with.

  • display aggregate stats for the public

This exists on https://cna.erlef.org/

  • keep a leader board of CVE reporters

That doesn’t seem to exist, but I’m very sure Peter Ullrich is at the top currently. I’m also sure there would be ways to calculate the data based on the APIs you get of https://cna.erlef.org/. You could try to build it. The website is also open source on Erlang Ecosystem Foundation CNA · GitHub.

That makes it sound like there’s no transparency. The foundation has been talking at conferences, creating blog posts (like this one), is free for people to join and attend the meetings and all their financials are public. I’m not sure what else you’re expecting in terms of transparency.

TLDR: It’s fine to think this is less urgent than stated, but making is sound like what the people at the foundation do is to be challenged by some random afternoon coding session doesn’t match reality.

11
Post #9

Where Next?

Popular in Podcasts Top

brainlid
In episode 73 of Thinking Elixir, we talk with Paul Copplestone, founder and CEO of Supabase. Supabase leverages the power of Elixir, Pos...
New
brainlid
Securing our apps is our responsibility as developers. We are the custodians and the guardians of our user’s data. We met up again with M...
New
brainlid
In episode 103 of Thinking Elixir, James Arthur shares his project Vaxine.io, an Elixir layer built on top of a CRDT based distributed Er...
New
brainlid
In episode 76 of Thinking Elixir, we talk with host David Bernheisel about his recently released Safe Ecto Migrations guide. Intended as ...
New
brainlid
In episode 58 of Thinking Elixir, after covering the news we catch up on what Elixir things we’ve been thinking about and working on. Mar...
New
brainlid
In episode 54 of Thinking Elixir, Lucas San Román explains his library Sourceror and how it was created to solve some AST parsing limitat...
New
brainlid
Episode 161 of Thinking Elixir. Language Servers underpin the language specific support we rely on in modern code editors. Lately, there ...
New
wolf4earth
Ben Moss joins the Mix to discuss Event Sourcing and CQRS in Elixir. Event sourcing is the practice of logging data across logged series ...
New
wolf4earth
David Yamnitsky joins the mix to discuss tangram.dev and how to use it to add Machine Learning features to your Elixir applications. He ...
New
brainlid
Episode 112 of Thinking Elixir. Google Chrome extension that displays a LiveView and integrates with a web page like Gmail? Steve Bussey ...
New

Other popular topics Top

9mm
I am constructing a JSON object (map) and I need to conditionally set a field. I’m trying to write proper elixir-way code… and I’m at a l...
New
Emily
I have VueJS GUIs with the project generated using Webpack. I have Elixir modules that will need to be used by the VueJS GUIs. I forese...
New
albydarned
Hello all! I am typing this post from my new MacBook Pro with the M1 chip. I’m loving it so far, and will probably use it as my daily dr...
New
jononomo
I am trying to figure out how Mix knows whether the environment is test, dev, or prod – where is this set? Thanks.
New
stefanchrobot
What’s the safe way to decode a JSON string into a struct? I want to avoid calling String.to_atom. Jason.decode can give me a map with st...
New
grych
Hi folks, Few months ago I have announced the proof-of-concept of the library to manipulate the browsers DOM objects directly from Elixi...
639 52774 488
New
klo
Got a question about when to concat vs. prepending items to list then reversing to achieve appending. So i know lists boil down to [1 | ...
New
Brian
What is the proper way to load a module from a file in to IEX? In the python world, doing something like this pretty standard: from ....
New
hariharasudhan94
Lets say I have map like this fetching from my database %{"_id" => #BSON.ObjectId<58eb1a7a9ad169198c3dXXXX>, "email" => ...
New
senggen
Erlang/OTP 25 [erts-13.2.2] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] 15:22:35.803 [error] gen_event {lager_file_backend...
New

We're in Beta

About us Mission Statement