Crash dumps and core dumps
- Prevent sensitive data from being recorded in crash dumps
- Consider disabling core dumps
Background
A crash dump is generated by BEAM when the runtime system terminates abnormally, when erlang:halt/1,2 is called with a string (a "slogan") as its first argument, or when the VM receives the ‘SIGUSR1’ signal. It contains a snapshot of the state of the application and its processes, including message queues and process heaps, as well as of the VM itself. As a result it may contain sensitive information such as credentials or personal data. By default the dump is written to a file named erl_crash.dump in the current working directory; the ‘ERL_CRASH_DUMP’ environment variable selects a different path, and ‘ERL_CRASH_DUMP_BYTES’ caps its size. Creation of crash dumps can be disabled altogether by setting the ‘ERL_CRASH_DUMP_SECONDS’ environment variable to zero, in which case the VM does not even attempt to write the file.
Disabling crash dumps makes it very difficult to understand the cause of a failure that unexpectedly brings down the VM. So in all but the most privacy-sensitive environments, disabling them altogether is perhaps not desirable. There are several techniques that can selectively prevent sensitive data from being included in a crash dump, as described in Protecting sensitive data.
Such techniques do not hide the data from core dumps, however. And techniques that may work in other languages to limit the chance of leakage, such as overwriting memory locations containing sensitive data immediately after use, are not available due to the nature of the BEAM.
Core dumps are normally readable only by ‘root’ (and, depending on the platform, the user the VM runs as), which mitigates but does not remove the problem, so in some cases it may be best to disable core dumps and rely entirely on crash dumps. The core dump is of limited use anyway: BEAM writes the crash dump first and only then aborts, so the core captures the state of the VM after the crash dump was written, rather than at the moment of the failure.
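As an added example, not taken from the guidelines or from any OTP tooling, the following POSIX sh launcher fragment applies both recommendations above: it sets the crash dump policy through the ‘ERL_CRASH_DUMP_SECONDS’ and ‘ERL_CRASH_DUMP’ environment variables, restricts the permissions of any dump that is written, and disables core dumps with ulimit before the release is started. The crash dump directory, the service name and the release path are assumptions for illustration.

```shell
#!/bin/sh
# Added example launcher fragment for an Erlang/Elixir release.
# Not part of the guidelines; directory and release names are assumptions.

# Where crash dumps go. Assumed to exist and to be owned by the service
# user with mode 0700, so only that user and root can read dumps.
CRASH_DUMP_DIR="${CRASH_DUMP_DIR:-/var/lib/myapp}"

# Sets the crash dump policy for every process started from this shell.
#   configure_crash_dumps off         -> ERL_CRASH_DUMP_SECONDS=0: no dump
#   configure_crash_dumps on [secs]   -> dump allowed, at most "secs" seconds
#                                        of writing, fixed path, owner-only
configure_crash_dumps() {
  mode="$1"
  secs="${2:-30}"
  case "$mode" in
    off)
      export ERL_CRASH_DUMP_SECONDS=0
      ;;
    on)
      export ERL_CRASH_DUMP_SECONDS="$secs"
      export ERL_CRASH_DUMP="$CRASH_DUMP_DIR/erl_crash.dump"
      # The VM creates the dump with the default mode masked by umask;
      # 077 leaves it readable by the owner only.
      umask 077
      ;;
    *)
      echo "usage: configure_crash_dumps on|off [seconds]" >&2
      return 2
      ;;
  esac
}

# Disables core dumps for this shell and everything it execs. Without
# -H/-S, ulimit lowers both the soft and the hard limit, so the VM
# cannot raise it again.
disable_core_dumps() {
  ulimit -c 0
}

# Check helpers, usable from a pre-start health check.
core_dumps_disabled() {
  [ "$(ulimit -c)" = "0" ]
}

crash_dumps_disabled() {
  [ "${ERL_CRASH_DUMP_SECONDS:-}" = "0" ]
}

# Typical use in the release start script (assumed release path):
#   configure_crash_dumps on 30
#   disable_core_dumps
#   exec /opt/myapp/bin/myapp foreground
```

With systemd, the equivalent of disable_core_dumps is LimitCORE=0 in the unit file, and the environment variables can be set with Environment= entries instead of a wrapper. Whichever mechanism is used, verify the effective limit from inside the running service (for example with core_dumps_disabled above), since a unit file or a container runtime may override what the shell set.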