Melinda Tóth

Researcher and Trainer

Melinda Tóth is an associate professor at Eötvös Loránd University (ELTE), teaching distributed systems and Erlang/OTP technology, and the head of the Cooperation Center for IT Research and Education responsible for coordinating the industrial R&D projects of the Faculty of Informatics. She also works as a researcher at ELTE-Soft Nonprofit Ltd. (Budapest, Hungary), leading the ELTE-Ericsson Software Technology Lab. On top of that Melinda is a chief architect of RefactorErl, a static source code analysis and transformation system for Erlang. Her research focuses on static program analysis and its usage in software development and maintenance.

Talk:
Don’t let it crash - How we Applied our Security Checks on Elixir Code

Something to love about the BEAM is the principle of ‘let it crash’: exceptions are isolated and handled by design. However, it would be rash to conclude that all input validation is redundant and unnecessary. EEF curated a list of secure coding principles to help developers create secure systems on the BEAM. But the reality is always messy: Erlang/Elixir projects rarely follow these guidelines, and legacy has been running for years with well-known vulnerabilities. We presented that static analysis can be useful for detecting critical security issues in new or legacy systems, and showed that we carried out a successful DoS attack based on a vulnerability found in a widely used Erlang software. In this talk, we will present how we applied our static analysis framework to Elixir programs: what difficulties we encountered, and how we extended our existing tools to detect vulnerabilities in Elixir. We will show some use cases of vulnerabilities we found in open-source Elixir projects.