Malicious libraries can steal all your application secrets in Elixir

chrisco255 2 years ago |

This is an important thing to be aware of, but this is not unique to Elixir, and the article title does not mention Elixir specifically although the example shown is in Elixir. If you are not careful about your dependency chain, attacks like this could happen in any language. When you pull code in and run it in your app, you are trusting it as if you wrote it yourself.

abecedarius 2 years ago | |

Not quite every language. Giving libraries access to every capability by default is a language design decision, not a law of nature.

lytedev 2 years ago | | |

Do you mind highlighting languages that have avoided making similar decisions?

xrd 2 years ago | | |

With deno you need to manually specify if you want to permit internet access:

deno run --allow-net=xyz.com,abc.com

If you run without a domain, it allows access to all. Seems like it should be more explicit by default, perhaps there is a config option.

Speaking of config options, I wonder if there is a config option to prohibit access to domains like pastebin.org no matter what. Seems like an arms race that an attacker could circumvent, but maybe they won't bother and will only attack my dumber friends.

abecedarius 2 years ago | | |

I used E in the 90s: http://erights.org/

I haven't kept up with newer systems but I've heard of https://github.com/endojs/endo and just came across http://reports-archive.adm.cs.cmu.edu/anon/home/anon/isr2017... (which says "in the style of the E programming language" -- that's as far as I've read) while looking that up.

WebAssembly was designed to follow the same capability security principles. CHERI too as someone else just brought up.

Yet another newer capability system in progress -- I don't know what it can do today or if it tackles this particular problem but it sounds cool: https://spritelyproject.org/

chrisco255 2 years ago | | |

WASM is great in that you can sandbox code and give it limited permissions to run. Actually I do hope wasm becomes more widespread as a base for app development, however, when importing library code into your own native code base, it's going to run with the same perms as that code base. Sandboxing a library would have the effect of making it probably slower and more annoying to interact with.

LoganDark 2 years ago | | |

This isn't a language, but CHERI has hardware-enforced capabilities, so if your library was never given a pointer that (even transitively) has access to some secret, it's completely SOL as it's impossible to access any memory without the corresponding capability.

jjtheblunt 2 years ago | | |

Don't programs runnign in iOS and perhaps Android (and macOS) have to put up modal dialogs requesting the person running the program for access to things it could screw up?

Is that an example?

abecedarius 2 years ago | | |

That's not nothing, but it's not a usable and flexible enough solution -- people end up giving far too coarse-grained authority because that's seemingly the only way that's easy.

NovemberWhiskey 2 years ago |

Is there something about Elixir that makes this surprising? Otherwise, the insight that code that forms part of an application has access to the application state is not exactly very deep.

ashishbijlani 2 years ago |

Plug: I've been building Packj [1] to detect dummy, malicious, abandoned, typo-squatting, and other "risky" packages. It carries out static/dynamic/metadata analysis and scans for 40+ attributes such as num funcs/files, spawning of shell, use of SSH keys, network communication, use of decode+eval, mismatch of GitHub code vs packaged code (provenance), change in APIs across versions, etc. to flag risky packages.

1. https://github.com/ossillate-inc/packj

1letterunixname 2 years ago |

in any language

The subject matter and title unfairly single-out Elixir.