Security Working Group Minutes

February 5, 2025

Participants: Dan Janowski, @varnerac, Lee Barney, @maennchen, @voltone, Marc Nickert, Michael Lubas, Paul Swartz, Bas Wegh, @kiko

Compliance updates

CNA (CVE Numbering Authority)

  • Still pending a response from MITRE
    • Proposed meeting slots in February approaching

CISA Self Attestation and NIST SSDF

  • To be discussed in call with NIST
    • Some uncertainty about whether EEF can do this on behalf of projects

OpenChain

  • Erlang/OTP certified (see @kiko’s announcement)
  • Working on Elixir and Gleam
    • Source SBOM
    • Policies

Source SBoM of OTP

  • Contributions to OSS Review Toolkit accepted
  • Source SBOM will be published with OTP releases starting with OTP 28
  • Working on splitting SBOM by application

Application for Supply Chain Funding

  • Trying to obtain funding for ongoing supply chain work
  • Next step: align with documented package manager best-practices
    • Get hex.pm involved, as well as build tools (Mix, Rebar3)

Erlang distribution protocol hardening

  • Picking up discussion started in Slack
  • Initial idea (Dan): make it easier to secure with TLS out of the box
    • Issuing certificates
    • Injecting kernel parameters
  • Broader use-cases (Lee): connecting (possibly transient) nodes across the Internet
    • Instead of having to go through e.g. HTTPS
    • Large clusters, frequent membership changes, unreliable nodes
    • Security aspects just one part of it
  • Invited Lee to present his work to the group in the future
  • Offered Dan support with first round of research into possible approaches

Other updates

PenTest Sample App

  • Michael just finished pen-testing Oban Pro, might be interested
  • Need to start collecting requirements for the app’s scope
    • Take it to Slack or Notion (see below)

WG collaboration tooling

  • We have access to Notion, with non-profit discounts
    • Read-only access is free, must pay per write-enabled seat
    • Currently being used by @maennchen for broader EEF work
  • Open it up a bit, start linking from Slack and meeting notes
    • Create a landing page for the WG
    • Keep licensed seats at a minimum

Next meeting

Wed 5 March 2025 at 16:00 CET / 15:00 GMT / 10am EST / 7am PST / 0:00 (Thu) JST


March 5, 2025

Participants: @maennchen, Daniel Janowski, @Alistair, @varnerac, @voltone

Updates from the CISO

CNA

  • New dates in March proposed at Mitre’s request
  • If/when meetings happen, CNA could be live in weeks

Grant Application

  • Revised proposal, waiting for feedback
    • First phase is to pen-test existing package manager integrations
  • Got first offers for pen-test providers
    • Started discussions with two, one for code review, one for red team
    • Recommendations? Share with @maennchen
  • Started to define “initiative” for EEF website for the purpose of fundraising in general

OpenChain

  • Elixir: done
  • Gleam: work started

NIST SSDF Sub-Standard

  • Work started by Jonatan to define an SSDF “profile”
    • Progress can be followed in Notion
    • Contributions welcome
  • Alignment with other ecosystems would be useful
    • Just hard to find out who else might be working on something like this
    • We asked NIST, they do not have visibility (at this time)

HTTP Clients in the ecosystem

  • Lots of clients, some not actively maintained
    • This state of things has security implications
  • Some discussion on whether to adopt “Mint” approach for Erlang/OTP
    • Perhaps as part of OTP?
  • Try and invite @ingela @kiko and perhaps Andrea next month

Distribution TLS by default

  • Two operating modes can be considered:
    • PSK (not great with TLS 1.2, no support in OTP with TLS 1.3)
    • Shared self-signed certificate
  • Goal is to have some (build) tooling to prepare a release config “automatically”
  • Align with OpenRiak, looking for migration to secure cluster
    • Might need ability to listen both with and without TLS
  • Configuring TLS settings at boot is tricky
  • Next steps:
    • Continue digging and documenting in Notion
    • Discuss with OTP team, if they join next meeting (see above)

Next meeting

Wed 2 April 2025 at 16:00 CET / 15:00 GMT / 10am EST / 7am PST / 0:00 (Thu) JST


April 2, 2025

Participants: Daniel Janowski, @Alistair, @ingela, @varnerac, Dave Lucia, Lee Barney, George Madi, @voltone, @peerst

Secure coding curriculum

  • Project by Podium:
  • Currently seems abandoned, no activity for 2 years:
    • Dave suggests EEF take over the GH repository
    • Maintenance can be joint effort between SecWG, EduWG and TV Labs
  • Next step: Dave reached out to Podium and EduWG

Compliance updates

CNA (CVE Numbering Authority)

  • Meeting with MITRE finally took place:
    • On track to get set up in next couple of weeks
    • Need to define and document some internal policies, procedures and CVE record conventions

Erlang distribution protocol hardening

  • Prototype by Daniel generates self-signed certificates using Rebar3:
    • Requires OTP patch to allow verify_fun for client certs to be customised
    • Private key the same on all nodes, simplifying key distribution
  • Reservations about promoting anything based on self-signed certs:
    • People tend to abuse those, at the expense of security
  • Peer mentioned Braid:
    • Delegates cert and key management to orchestrator (e.g. fly.io)
  • As discussed previously, PSK would be a good fit:
    • Simplest, most universal setup, without assumptions about e.g. orchestrator
    • OTP team open to contributions to add PSK to TLS 1.3
    • Needs to be driven by real use-cases, starting with requirements for APIs

SEMP (Secure Erlang Message Protocol)

  • Paper sent by Lee in the Slack channel (here):
    • Broader scope than just secure transport
  • Consider developing outside OTP as an alternative distribution protocol:

Next meeting

Wed April 30 at 16:00 CEST / 14:00 GMT / 10am EDT / 7am PDT / 23:00 JST

(WG Calendar is here, including subscription link to import into your calendar app)


April 30, 2025

Participants: @kiko, @maennchen, @voltone, Michael Lubas, Paula Calgaro, Nicholas Adams, Dan Janowski, @ingela, @Alistair, Lee Barney, George Madi, @varnerac

OTP purl type

  • Proposal (from several years ago): ‘otp’ Package URL type | EEF Security WG
    • Can help produce more accurate, actionable SBOMs
    • EEF becoming CVE Numbering Authority gives us an opportunity to define how OTP apps will be identified in CVE records
  • OTP team on board with the proposal
  • Next steps: create a PR to the purl specs, then remove “draft”, write up an announcement

Marketing WG proposal: interview series

  • To be published on YouTube by Marketing WG:
    • Along with shorts for other social media
    • Target for full length video perhaps 30 mins
    • Editing/publishing/promotion done by Marketing WG
  • Need to find host and interviewees:
    • Several people said they would be willing to be interviewed
    • Host may be trickier, may want to consider enlisting help from e.g. established podcasters
  • Topic and set of questions defined beforehand:
    • To be prepared by host, together with others
    • Shared with interviewee, for preparation
  • Consider audio-only version (podcast) as well

Updates from the CISO

  • purl library moved to EEF:
    • Core now in Erlang
    • PR to adopt as “Security WG project”
    • Consider teaming up with Build/Packaging WG
  • GitHub dependency submission tool:
    • Basics now working
    • Ongoing work to support all features
    • May require some fixes on GH side as well
  • AEgis project:
    • Looking for more funding/sponsors
    • Dashbit joined as contributing sponsor
  • OIDC Client
    • Preparing for additional certification

Industry groups partnerships

Windows/Mac binary signing

  • EEF already helps release Elixir binaries for Windows
  • Could do the same for Gleam, Erlang/OTP
    • Also consider adding Mac
  • Look at how Livebook handles this
  • Also consider OpenRiak
  • Next step: Gleam binaries for Windows, then see what’s next

Next meeting

Wed May 28 at 16:00 CEST / 14:00 GMT / 10am EDT / 7am PDT / 23:00 JST

(WG Calendar is here, including subscription link to import into your calendar app)


May 28, 2025

Participants: Dan Janowski, Lee Barney, @maennchen, @voltone, Paul Swartz, Marc Nickert, @kiko

Updates from the CISO

Interview series

  • Follow-up from last month’s call regarding Marketing WG proposal
  • Dan is willing to host
  • First topic should be CNA:
    • Interviewee could be @voltone (to avoid over-exposure of @maennchen, who is appearing on many podcasts lately)
  • Check with Marketing WG about partnering with podcast producer

VEX

  • OTP team wants to publish VEX (Vulnerability Exploitability Exchange) statements:
    • Looking for feedback, does anyone have experience?
    • OpenVEX versus CSAF: latter seems to be overly complex

OTP 28

  • Changes in public_key may impact applications/libraries that rely on ASN.1 encoding/decoding

Public roadmap

  • Dan is working on a public roadmap of EEF activities
    • Not just ongoing work and their sponsors, but also work that should be done but needs sponsors
  • Will track Security WG items in Notion, extract data for public doc from there

Next meeting

Wed June 25 at 16:00 CEST / 14:00 GMT / 10am EDT / 7am PDT / 23:00 JST

(WG Calendar is here, including subscription link to import into your calendar app)


June 26, 2025

Participants: Dan Janowski, @voltone, @varnerac, Paul Swartz, @maennchen, @Alistair, George Madi

CVE Numbering Authority (CNA)

  • First CVEs published: List of Issued CVE’s | Erlang Ecosystem Foundation CNA
  • Expressing affected versions remains challenging:
    • Especially for OTP, which does not use semver
    • Not all systems/tools handle all features of CVE record schema
    • This leads to loss of information, e.g. in EUVD
    • Linux distro advisories appear to be correct, probably processed manually
  • Embargo List:
    • Looking into establishing an embargo list, like some other CNAs have
    • Allow for careful disclosure of vulnerabilities to trusted partners, allowing them to prepare their own advisory/fix/response
    • Example: Cisco was affected by the SSH RCE vulnerability, had to learn about it in public channels (but that one was still through GitHub’s CNA)

Updates from the CISO

  • Windows code signing:
    • Gleam PR opened
    • Elixir PR for hardening of the existing code signing implementation
    • Next up: automate OTP (currently done manually)
  • Looking at Mac OS notarisation (Gleam, OTP)
  • OSS Review Toolkit (ORT) fix PR
  • OIDC Financial API certification still pending

Interview series

  • Currently stalled on our end:
    • We can help with people, topics, questions, answers, but nobody is chasing this
    • Could use Marketing WG “project management”
    • Consider (again) partnering with existing podcast producers
  • Dan will discuss with Marketing WG

Next meeting

Wed July 23 at 16:00 CEST / 14:00 GMT / 10am EDT / 7am PDT / 23:00 JST


July 23, 2025

Participants: George Madi, @varnerac, @voltone, @maennchen, @peerst, Dan Janowski

Updates from the CISO

  • Affected versions for our CNA’s CVEs not picked up by some tools:
    • OSV:
      • They are working on a PR
      • We may need to propose some further fixes later
    • EUVD:
      • Data is ingested from NVD
      • May pick up more details once NVD data is enriched
  • Embargo list proposal (Implement Embargo List Policy by maennchen · Pull Request #61 · erlef-cna/website · GitHub)
    • How do we distribute vulnerabilities to members of the list?
      • Encrypted email?
      • Invite to private GH repo (fork of the actual CNA repo)?
    • Should we disclose selectively, or globally?
      • Selective disclosure requires tooling, is a liability
      • Global disclosure might reveal information to competitors
    • To be discussed in GitHub issue
  • Gleam windows code signing
  • Erlang code signing:
    • OTP team would welcome PRs
    • Build process is complicated, includes manual steps
      • Waiting for OTP team to come back from vacation
    • Should we build for Windows ARM too?
      • Peer might be able to help a bit (but not with Windows, specifically)
  • ORT:
    • Can we have a binary (using Burrito) that can scan, without requiring install of e.g. Rebar3
    • @maennchen to discuss with @voltone
  • (redacted) grant application
    • Initial (broad) application rejected
    • New one submitted for Hex security audit

Community outreach

  • How can we reach out more regularly, raise awareness?
    • Something with less effort than the proposed video interviews
    • Blog posts, essentially
  • In the past it was mostly individual WG members posting on private/corporate blogs
    • There would be value in doing this from the EEF and the WG instead
  • There are a handful of posts on the EEF website
    • Need to add more content, to make this a “go-to” place for the community
    • Marketing WG can help spread the word through socials
  • Do we need an RSS feed, ideally per tag?
    • Not sure it is worth adding to the current website, it needs to be reworked anyway
    • For now update WG landing page to list security-related posts
  • Dan invites people to submit contents (old and new)
    • Start building up an initial collection of useful resources

Next call

Wed August 20 at 16:00 CEST / 14:00 GMT / 10am EDT / 7am PDT / 23:00 JST


August 21, 2025

Participants: @varnerac, @Alistair, @kiko, Dan Janowski, @voltone, Michael Lubas, @maennchen, George Madi, @georgeguimaraes

OpenVEX in Erlang/OTP

OTP release assets in CI

  • Starting with Windows binaries, including code signing
  • OTP team open to expanding this to include other platforms
    • Provided contributors continue to help with maintenance
    • Aim would be to eventually have binary distributions for all platforms in one place, signed where possible

CNA embargo list

Collection of security articles on SecWG website

Doc warnings on dangerous functions

  • Not all functions in Erlang/OTP that can potentially (indirectly) create atoms warn about the risks of untrusted input
  • OTP team unsure whether we should aim for full coverage
    • It sets the expectation that any function without a warning is safe
  • First step: review Preventing atom exhaustion | EEF Security WG and aim for completeness there

Next call

Wed September 18 at 16:00 CEST / 14:00 GMT / 10am EDT / 7am PDT / 23:00 JST

September 19, 2025

Participants: @Alistair, Lee Barney, @lawik, @ingela, @rickard, Paul Swartz, Dan Janowski, @kiko, @maennchen, @peerst, @voltone

CNA updates

  • Scope expansion:
    • Considering adding two projects to CNA scope
    • Nerves:
      • Not all of Nerves is on Hex
      • Need to figure out how to define scope, preferably at GH org level, so we do not have to update the CNA scope for every new repo
    • OpenRiak
  • Embargo list (PR):
    • Feedback from Ericsson CNA: looking good, just prefer a different name
    • Alternative name: pre-disclosure list
    • @maennchen will make a list of common names used by other CNAs
    • Still need a decision on distribution channel
  • OSV.dev
    • Having trouble ingesting our CVEs directly, currently through GHSA
    • Our attempts to make CVEs accurate may be back-firing: tools cannot (yet) process latest CVE schema
    • Multiple conversions (CVE → GHSA → OSV) lead to loss of fidelity
    • Consider supporting OSV’s custom format directly
      • Ideally through automatic conversion from CVE; @maennchen to try

OpenVEX in OTP

  • Trial is ongoing (see also last month’s notes)

SEMP

  • GitHub - yenrab/BEAM_SEMP
  • TRUST (stable nodes) now working
  • TEMPUS (transient nodes) up next
  • Not an alternative Erlang distribution module; completely replaces distribution protocol
  • mTLS auth with certificates issued out-of-band

Erlang distribution with TLS

  • Reviving old topic: can we help people get started?
  • Earlier attempts to find an alternative to mTLS (e.g. PSK) were not successful
  • For now focus on documenting what is possible today
  • Further work/enhancements to be added to AEgis project?

Other topics

  • CodeBEAM coming up in November, several members are attending/presenting
    • If someone is unable to attend but wants to bring something up, reach out to Dan
  • Library of articles on WG website:
  • Jonatan creating an updated list of achievements and goals for the WG
    • To share with (potential) sponsors
    • Suggestions welcome in the Slack channel

Next meeting

Wed October 15 at 16:00 CEST / 14:00 GMT / 10am EDT / 7am PDT / 23:00 JST


October 15, 2025

Participants: @Alistair, @maennchen, Dan Janowski, @voltone, @peerst, Lee Barney

Updates from the CISO

  • Hex attestations (part of project Ægis):
    • Private repo for design explorations
    • Reaching out to MS for collaboration
  • BEAM worm post:
    • Lots of engagement
    • Resulted in two volunteers who want to contribute to project Ægis
  • CNA updates:
    • EU vulnerability DB have improved the way they ingest CVEs:
      • Our “affected versions” now presented correctly
    • OSV export, to improve Hex CVEs in OSV.dev:
      • Seems to work, need to add an index page
    • Pre-disclosure list:
      • PR still open, but close to being finalized

Erlang distribution over TLS

  • We discussed the merits of hostnames in certificates:
    • No real node identity, and no hooks in OTP to add custom verification
    • For simple use-cases (strong membership auth, encryption in-flight) strong node identity may not be a requirement
    • For use-cases that require it, secure distribution of a per-node private key (through orchestration) may replace identity in the cert (e.g. Braid)
  • For now continue with prototype for minimal TLS distribution, e.g. as a Hex package
  • On a side note, Lee updated us on the progress with SEMP

Next meeting

Note: GMT and JST time changes due to end of DST in EU and US

Wed November 12 at 16:00 CET / 15:00 GMT / 10am EST / 7am PST / 00:00 JST (so effectively 13/11)

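The "shared self-signed certificate" mode that recurs in these minutes (one certificate and private key installed on every node, mutual TLS as membership authentication, no per-node hostname identity) is illustrated below as an added example of an `ssl_dist_optfile` in Erlang term format. This is not the WG prototype, Braid, or OTP's own documentation; the file paths and cluster names are placeholders, and the weak variant is shown only in a comment.

```erlang
%% Added example (not from the minutes): ssl_dist_optfile for Erlang
%% distribution over TLS in the shared self-signed certificate mode.
%% Every node is started with the same file, e.g.:
%%   erl -proto_dist inet_tls -ssl_dist_optfile /etc/erlang/ssl_dist.conf -sname a
%% Assumption: /etc/erlang/cluster.pem (self-signed cert) and
%% /etc/erlang/cluster.key are identical on all nodes (placeholder paths).
%% Because the shared certificate is its own trust anchor, verify_peer
%% becomes membership authentication: only a peer that holds the shared
%% key can complete the handshake, matching the "strong membership auth,
%% encryption in flight" use case; it does not give per-node identity.
[{server,
  [{certfile,   "/etc/erlang/cluster.pem"},
   {keyfile,    "/etc/erlang/cluster.key"},
   {cacertfile, "/etc/erlang/cluster.pem"},
   %% Weak variant, do not use: {verify, verify_none} would encrypt the
   %% link but accept any connecting node, so membership is not checked.
   {verify, verify_peer},
   %% Reject clients that present no certificate at all.
   {fail_if_no_peer_cert, true},
   {versions, ['tlsv1.3', 'tlsv1.2']},
   {secure_renegotiate, true}]},
 {client,
  [{certfile,   "/etc/erlang/cluster.pem"},
   {keyfile,    "/etc/erlang/cluster.key"},
   {cacertfile, "/etc/erlang/cluster.pem"},
   {verify, verify_peer},
   %% The shared certificate carries no meaningful hostname, so SNI and
   %% hostname matching are switched off; trust rests on the shared key.
   {server_name_indication, disable},
   {versions, ['tlsv1.3', 'tlsv1.2']},
   {secure_renegotiate, true}]}].
```

The distribution cookie is still exchanged on top of this; the TLS layer decides who may join the cluster, while the cookie does not provide that protection on its own.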