COMMSEC: Unauthorized Erlang: A Demonstration

PRESENTATION SLIDES (PDF)

From a functional programming perspective, Erlang is an excellent language that substantially reduces risk when writing code. What many developers don't understand is that Erlang is built on an architecture, and within an ecosystem, that contains many subtle security flaws. One such set of flaws allows anyone with the ability to interact with a remote Erlang node to compromise that node by abusing the underlying BEAM virtual machine and the services required to run Erlang.

The author's previous work on Erlang security risks was presented in 2016 at LambdaConf. That work detailed internal flaws that could be subverted by a clever attacker with the ability to pass messages through an Erlang system. This demonstration and discussion focuses on attacking an Erlang node given only the ability to connect to an arbitrary Erlang instance, and abusing it without knowing the correct security keys.

COMMSEC
Location: Track 4 / CommSec
Date: April 14, 2017
Time: 3:30 pm - 4:00 pm
Speaker: Don Bailey