by Michael Lubas
In Elixir and Erlang, the atom is a basic type, a constant whose value is its own name. There is a hard limit on the number of atoms that can be created, the default is
1_048_576. If external user input results in atoms being created at runtime, this can cause the entire system to crash. There is an obvious question raised from all this, “If my application is vulnerable, what is the impact?”
Will your entire site go down? Could it just crash and restart? The answer depends on the environment your application is running in. The example test below is a Phoenix application running on an AWS EC2 server, using Elixir releases, with systemd.
Warning: It is recommended to perform this test in a development or staging environment that is similar to production. Do not try this in production.
This step is so you can observe what happens during the crash.
journalctl -u parax.service -f --output cat
If you have a different logging setup, such as Gigalixir or Fly.io, use the appropriate command.
If you’re using Elixir releases, connecting to your running application can be done with one command:
If you have a different setup, such as Gigalixir or Fly.io, use the appropriate command.
iex shell you just created, run:
Enum.map(1..1048576, fn x -> String.to_atom(Integer.to_string(x)) end)
It will crash the application.
no more index entries in atom_tab (max=1048576) Crash dump is being written to: erl_crash.dump...done parax.service: main process exited, code=exited, status=1/FAILURE Unit parax.service entered failed state. parax.service failed. parax.service holdoff time over, scheduling restart. Stopped Parax daemon. Started Parax daemon. 17:19:07.065 [info] Running ParaxWeb.Endpoint with cowboy 2.9.0 at 0.0.0.0:8443 (https)
In this test the application daemon is restarted successfully, and the site will continue to function normally. This is the ideal scenario, and the impact is low, although there is some downtime during the restart. With a different configuration the application may fail to restart, meaning an attacker can use this vulnerability to take the application offline. The default impact of atom DoS should still be considered high, because there is a risk of the system failing to restart.
Paraxial.io is a security platform built for Elixir, which replaces Snyk, reCaptcha, and Cloudflare bot defense. Sign up for a 30 day free trial, no credit card required, or schedule a demo today.
Paraxial.io is the only application security and compliance platform made for Elixir.
Subscribe for new posts about Elixir and Phoenix security.