Clearing sensitive in-memory data in perl

Bill Frantz frantz at pwpconsult.com
Thu Sep 15 23:51:02 EDT 2005


On 9/13/05, perry at piermont.com (Perry E. Metzger) wrote:


>Generally speaking, I think software with a security impact should not
>be written in C.

I agree.  I also note that Paul A. Karger and Roger R. Schell, in their
paper, "Thirty Years Later: Lessons from the Multics Security
Evaluation" state:

    2.3.1 Programming in PL/I for Better Security
    
    Multics was one of the first operating systems to be
    implemented in a higher level language.(1) While the Multics
    developers considered the use of several languages,
    including BCPL (an ancestor of C) and AED (Algol Extended
    for Design), they ultimately settled on PL/I [15].
    
    Although PL/I had some influence on the development
    of C, the differences in the handling of varying length
    data structures between the two languages can be seen as
    a major cause of buffer overflows. In C, the length of all
    character strings is varying and can only be determined by
    searching for a null byte. By contrast, PL/I character
    strings may be either fixed length or varying length, but a
    maximum length must always be specified, either at compile
    time or in an argument descriptor or in another variable
    using the REFER option. When PL/I strings are used
    or copied, the maximum length specifications are honored
    by the compiled code, resulting in automatic string truncation
    or padding, even when full string length checking is
    not enabled. The net result is that a PL/I programmer
    would have to work very hard to program a buffer overflow
    error, while a C programmer has to work very hard
    to avoid programming a buffer overflow error.
    
    Multics added one additional feature in its runtime
    support that could detect mismatches between calling and
    called argument descriptors of separately compiled programs
    and raise an error.
    
    PL/I also provides richer features for arrays and structures.
    While these differences are not as immediately
    visible as the character string differences, an algorithm
    coded in PL/I will have less need for pointers and pointer
    arithmetic than the same algorithm coded in C. Again,
    the compiler will do automatic truncation or padding,
    even when full array bounds checking is not enabled.
    
    While neither PL/I nor C are strongly typed languages
    and security errors are possible in both languages, PL/I
    programs tend to suffer significantly fewer security problems
    than the corresponding C programs.


    (1) Burroughs’ use of ALGOL for the B5000 operating system was well
    known to the original Multics designers.
    
    15. Corbató, F.J., PL/I As a Tool for System Programming.
    Datamation, May 1969. 15(5): p. 68-76. URL:
    http://home.nycap.rr.com/pflass/plisprg.htm


Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | gets() remains as a monument | Periwinkle 
(408)356-8506      | to C's continuing support of | 16345 Englewood Ave
www.pwpconsult.com | buffer overruns.             | Los Gatos, CA 95032

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
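The quoted passage contrasts C's null-terminated strings, whose length can only be found by scanning for the terminator, with PL/I strings that carry a declared maximum honoured on every copy. The following is an added example, not code from the post or from the Karger/Schell paper: a small C model of those PL/I semantics (a bounded string type whose assignments truncate, and whose fixed-length form blank-pads), next to the C idiom that has to recover the length by scanning. The type and function names (bstr, bstr_assign, bstr_pad, bstr_assign_cstr, bstr_equals) and the sample input are this example's own, not any library's API.

```c
/* Added example (not from the post or the Karger/Schell paper): a C model
 * of PL/I CHAR(n) [VARYING] string semantics.  The maximum length is fixed
 * at declaration and every copy truncates or pads to it, so no copy can
 * run past the declared storage.  Names here are this example's own. */
#include <stdio.h>
#include <string.h>

#define BSTR_MAX 16   /* the declared maximum, like PL/I CHAR(16) */

/* A bounded string.  The end is known from `len`, not from scanning for
 * a null byte, and `data` need not be null-terminated at all. */
typedef struct {
    size_t len;            /* current length, always <= BSTR_MAX */
    char   data[BSTR_MAX];
} bstr;

/* Assign `srclen` bytes of `src` to `dst`, honouring the maximum: a longer
 * source is truncated, as PL/I's generated code does even when full length
 * checking is disabled.  Returns the number of source bytes dropped. */
size_t bstr_assign(bstr *dst, const char *src, size_t srclen)
{
    size_t n = srclen > BSTR_MAX ? BSTR_MAX : srclen;
    memcpy(dst->data, src, n);
    dst->len = n;
    return srclen - n;
}

/* Fixed-length (non-VARYING) semantics: a short value is blank-padded out
 * to the maximum, so the whole storage is always defined. */
void bstr_pad(bstr *dst)
{
    memset(dst->data + dst->len, ' ', BSTR_MAX - dst->len);
    dst->len = BSTR_MAX;
}

/* The C convention the paper contrasts with: the source length is only
 * discoverable by scanning for the null byte (strlen), and nothing in the
 * language ties that length to the destination's size.  Funnelling the
 * scan through the bounded assign is the manual check a C programmer has
 * to remember on every copy; with strcpy() or gets() there is no bound. */
size_t bstr_assign_cstr(bstr *dst, const char *src)
{
    return bstr_assign(dst, src, strlen(src));
}

/* Compare the bounded string's bytes against a C string of the same length. */
int bstr_equals(const bstr *s, const char *expect)
{
    return strlen(expect) == s->len && memcmp(s->data, expect, s->len) == 0;
}

int main(void)
{
    bstr s;
    /* Constructed sample input, deliberately longer than BSTR_MAX (28 bytes). */
    const char *secret = "correct horse battery staple";
    size_t dropped = bstr_assign_cstr(&s, secret);
    printf("kept %zu bytes, dropped %zu: '%.*s'\n",
           s.len, dropped, (int)s.len, s.data);

    bstr_assign_cstr(&s, "short");
    bstr_pad(&s);
    printf("padded to %zu: '%.*s'\n", s.len, (int)s.len, s.data);
    return 0;
}
```

The point of the model is that the bound lives in the type and is applied by the copy routine, so a caller cannot forget it; in C the equivalent discipline has to be re-applied at every strcpy(), sprintf() or gets() call site, which is where overflows come from.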


