ElixirConf 2018 Keynote by Jose Valim

https://www.youtube.com/watch?v=m7TWMFtDwHg&list=PLqj39LCvnOWaxI87jVkxSdtjG8tlhl7U6

• Elixir History, versions
• 1.7 release: EEP (Elixir Enhancement Proposal) 48 (documentation standard)
• Community:
  • New podcasts
  • new ExDoc versions
  • Erlang/OTP 21 (compilation time is 20% faster)
  • Phoenix v1.3, Nerves v1.0
  • Nerves: ecosystem to build embedded systems with Elixir
    • https://nerves-project.org
    • Platform (Linux starts BEAM VM)
    • Framework: libraries
    • Tooling: to manage builds, update firmware, configure devices, etc
    • work via mix (mix firmware.burn -d /dev/rdisk3)
• Feedback from community
  • Difficult to contribute
  • now it’s transparent what team is doing
  • doubled the elixir team
• Criteria for new features
• Guidelines for new features
• on-going effort
  • code formatter
    • released in elixir-1.6
    • consistent style
    • focus you on what matters
    • guide for newcomers
    • unifies the community
  • property-based testing
    • useful to describe the invariants
    • (examples)
    • 2 lectures about property based language + book (The pragmatic programming)
    • StreamData will remain as a lib, outside of elixir-lang
https://github.com/whatyouhide/stream_data
  • xhttp
    • HTTP client, architecture-agnostic
    • unifies the mechanisms to interact with HTTP1 and HTTP2
    • https://github.com/ericmj/xhttp
  • releases
    • will be part of core
    • will be smaller scope than in Distillery
    • https://dockyard.com/blog/2018/08/23/announcing-distillery-2-0
  • Type system
    • started and stopped working on the Type system
    • why? detect errors, documentation & tooling, performance
    • intersection types (converter: str->int, int->str) are very expensive -> impractical
  • the next 5 years
    • elixir v2.0 - not coming any soon
    • only 1 breaker change from 2014 - doc attribute
    • Elixir is extensible, plenty of “depraceted” => 2.0 to remove deprecated
    • everything else - is in the hands of the community

Remote Code Execution in Alpine Linux

https://justi.cz/security/2018/09/13/alpine-apk-rce.html

• .apk - is a gzipped tar files
• apk pull packages without TLS for default repos
• /etc/apk/commit_hooks.d/ folder with scripts to run when apk exists
• apk add works:
  • pull
  • extract into root (/) (suffix with .apk-new)
    • extracted folder are not suffixed with .apk-new
  • checksumm
  • if incorrect remove all extracted files
• vulnerability. Create apk:
  • with “/etc/apk/commit_hooks.d/“ folder. Without “.apk-new” suffix
  • create symlink /etc/apk/commit_hooks.d/x that points to “link” (-> link.apk-new)
  • create a regular file, named “link” (-> link.apk-new). This will write through the symlink and create a file at “/etc/apk/commit_hooks.d/x”
  • incorrect checksum -> remove everything:
    • unlink link.apk-new (the file /etc/apk/commit_hooks.d/x will persist)
    • unlink /etc/apk/commit_hooks.d -> ENONEMTPY error (contains our payload)
  • RESULT: apk commit-hook
• Step2. fix the exit code.
  • apk returns number of packages it failed to install (number%256 !!! )
  • write to the /proc//mem for the apk process
• Conclusion: 100x of orgranizations might have problems in prod
• Fixed. Update your images.
• BountyGraph: crowdfund bug bounty programs