undefined | Better HN

0 pointswithoutboats31y ago0 comments

Joe Armstrong goes to lengths to describe the benefits of "privately addressable" actors in his thesis (though he uses different terminology). As far as I'm aware, Erlang actors are also privately addressable. cf:

> System security is intimately connected with the idea of knowing the name of a process. If we do not know the name of a process we cannot interact with it in any way, thus the system is secure. Once the names of processes become widely know the system becomes less secure. We call the process of revealing names to other processes in a controlled manner the name distribution problem— the key to security lies in the name distribution problem. When we reveal a Pid to another process we will say that we have published the name of the process. If a name is never published there are no security problems.

> Thus knowing the name of a process is the key element of security. Since names are unforgeable the system is secure only if we can limit the knowledge of the names of the processes to trusted processes.

https://erlang.org/download/armstrong_thesis_2003.pdf (page 24-25)

0 comments

jerf1y ago

That may be what is in the thesis, but in real Erlang, any process can list all processes on any node it can reach: https://www.erlang.org/doc/apps/erts/erlang.html#processes/0 (As the docs say, it lists "processes on the local node" but I'm fairly sure any process can RPC that to any connected node to get the local processes on that node) From there you've got a lot of introspection on the processes in question.

And beyond that, there is no sandboxing in Erlang that allows you to do anything like spawn a process that can't access the disk or network or anything like that. So in practice that doesn't even hardly buy you anything on a real system because if you were somehow running unauthenticated Erlang code you've already got access corresponding to the OS permissions of the running Erlang process. (Though for those not familiar with Erlang, "somehow running unauthenticated Erlang code" is very unlikely, to the point that it's not a realistic threat. I'm just speaking hypothetically here.)

The thesis may cover how such systems could be turned to a more secure context but it does not correspond to current Erlang.

davexunit1y ago

There are many layers of capabilities. Unguessable process IDs would be necessary for network capabilities. A sandboxing environment would be necessary for system or process level capabilities. It's still worth having the network security even if process security isn't there. Very few language implementations can provide that level of security.

jerf1y ago

My point here is merely to make sure that people do not come away from this thread thinking that Erlang has, well, anything like this at all. It isn't an especially insecure language as it lacks most of the really egregious footguns, but it isn't a specially secure one either, with any sort of "capabilities" or anything else.

withoutboats3OP1y ago

The IO aspect is not a surprising flaw but it's disappointing to learn that Erlang lets any process enumerate all the other ones.

SoftTalker1y ago

This really only works if the process names are unguessable? Erlang PIDs are if not predicatable at least appear to be guessable, e.g. they look like this: <0.30.0>

davexunit1y ago

Right, they would need to be unguessable to be used as capabilities.

j / k navigate · click thread line to collapse

0 pointswithoutboats31y ago0 comments

https://erlang.org/download/armstrong_thesis_2003.pdf (page 24-25)

0 comments

jerf1y ago

The thesis may cover how such systems could be turned to a more secure context but it does not correspond to current Erlang.

davexunit1y ago

jerf1y ago

withoutboats3OP1y ago

The IO aspect is not a surprising flaw but it's disappointing to learn that Erlang lets any process enumerate all the other ones.

SoftTalker1y ago

This really only works if the process names are unguessable? Erlang PIDs are if not predicatable at least appear to be guessable, e.g. they look like this: <0.30.0>

davexunit1y ago

Right, they would need to be unguessable to be used as capabilities.

j / k navigate · click thread line to collapse