couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Benoit Chesneau <>
Subject Re: Elixir Sandbox
Date Wed, 16 Oct 2013 21:40:24 GMT
On Wed, Oct 16, 2013 at 11:32 PM, Klaus Trainer <>wrote:

> Hi there!
> You might want to check out Try Erlang (
> That is, you can't check out the source code right now.  However,
> according to the FAQ ( they "plan to
> release the whole project as Open Source very soon".  I guess that
> nagging Roberto Aloi (who's the principal author) might speed that up ;)
> Regarding sandbox security: I believe that it is possible to implement a
> sandbox thing that provides reasonable security, as long as your
> whitelist is restrictive enough.  That is, one has to be pretty cautious
> regarding the whitelist policy, especially when it comes to functions
> that have the ability to construct new terms, like for instance
> `list_to_atom/1` or `binary_to_term/1,2`.  The former makes it possible
> fill up the Erlang VM's atom table, which makes it prone to DoS attacks.
>  The latter has a "safe" mode (when being invoked with the `safe`
> option), though, but still allows to create function references, which
> can be exploited (see
> ).
> Oh, I've used the term "reasonable security" above.  I should explain
> (at least roughly) what I mean with that ;)  For example, Try Erlang has
> been existing (and being online) for several years now, and people
> haven't found something exploitable, except for one time more than three
> years ago.  Depending on your security needs, your knowledge of Erlang,
> your knowledge of the sandbox code, and other known facts as well as
> your general level of paranoia, this might be enough for you to trust it.
> Klaus

On linux a simpler way would be launching an external command in a cgroup.
with cgexec from libcgroup or stuff like rather than try to filter any call
you could then forbid some devices, the network and such...

- benoit

> On 10/16/2013 08:48 PM, Paul Davis wrote:
> > There have been discussions on figuring out how to sandbox Erlang. The
> > biggest thing on that front was that we'd want it to be a whitelist as
> > opposed to a blacklist of modules and/or module/function pairs. The
> > second is that with dynamic invocation its not immediately apparent if
> > that's entirely possible to do.
> >
> > On Wed, Oct 16, 2013 at 10:39 AM, Chris Keele <>
> wrote:
> >> Hey everyone! I'm trying to develop a sandbox for Elixir, and I wanted
> to see how such a library might prove useful to the CouchDB dev community.
> >>
> >> My initial goal is just to be able to run string of code in a
> predefined environment with configurable modules disabled, returning all
> output. But I'd like to design it for bigger things from the ground up, so
> I was wondering what sorts of requirements you might have of a sandbox
> library if you wanted to, say, implement a secure view processor.
> >>
> >> I've started a discussion thread here:
>!topic/elixir-lang-talk/wA1l74HCZmI, but
> I'm particularly interested in your opinions!
> >> --
> >> Chris Keele
> >>

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message