Melinda Tóth is an associate professor at Eötvös Loránd University (ELTE), where she teaches distributed systems and Erlang/OTP technology, and the head of the Cooperation Center for IT Research and Education, which coordinates the industrial R&D projects of the Faculty of Informatics. She also works as a researcher at ELTE-Soft Nonprofit Ltd. (Budapest, Hungary), leading the ELTE-Ericsson Software Technology Lab. In addition, Melinda is a chief architect of RefactorErl, a static source code analysis and transformation system for Erlang. Her research focuses on static program analysis and its use in software development and maintenance.
Something to love about the BEAM is the principle of ‘let it crash’: exceptions are isolated and handled by design. However, it would be rash to conclude that all input validation is therefore redundant and unnecessary. The EEF has curated a list of secure coding principles to help developers create secure systems on the BEAM. But the reality is always messy: Erlang/Elixir projects rarely follow these guidelines, and legacy systems have been running for years with well-known vulnerabilities. We have previously shown that static analysis can be useful for detecting critical security issues in new or legacy systems, and that we carried out a successful DoS attack based on a vulnerability found in a widely used piece of Erlang software. In this talk, we will present how we applied our static analysis framework to Elixir programs: what difficulties we encountered, and how we extended our existing tools to detect vulnerabilities in Elixir. We will also show some use cases of vulnerabilities we found in open-source Elixir projects.