Clearing sensitive in-memory data in perl
Bill Frantz
frantz at pwpconsult.com
Thu Sep 15 23:51:02 EDT 2005
On 9/13/05, perry at piermont.com (Perry E. Metzger) wrote:
>Generally speaking, I think software with a security impact should not
>be written in C.
I agree. I also note that Paul A. Karger and Roger R. Schell, in their
paper, "Thirty Years Later: Lessons from the Multics Security
Evaluation" state:
2.3.1 Programming in PL/I for Better Security
Multics was one of the first operating systems to be
implemented in a higher level language.(1) While the Multics
developers considered the use of several languages,
including BCPL (an ancestor of C) and AED (Algol Extended
for Design), they ultimately settled on PL/I [15].
Although PL/I had some influence on the development
of C, the differences in the handling of varying length
data structures between the two languages can be seen as
a major cause of buffer overflows. In C, the length of all
character strings is varying and can only be determined by
searching for a null byte. By contrast, PL/I character
strings may be either fixed length or varying length, but a
maximum length must always be specified, either at compile
time or in an argument descriptor or in another variable
using the REFER option. When PL/I strings are used
or copied, the maximum length specifications are honored
by the compiled code, resulting in automatic string truncation
or padding, even when full string length checking is
not enabled. The net result is that a PL/I programmer
would have to work very hard to program a buffer overflow
error, while a C programmer has to work very hard
to avoid programming a buffer overflow error.
Multics added one additional feature in its runtime
support that could detect mismatches between calling and
called argument descriptors of separately compiled programs
and raise an error.
PL/I also provides richer features for arrays and structures.
While these differences are not as immediately
visible as the character string differences, an algorithm
coded in PL/I will have less need for pointers and pointer
arithmetic than the same algorithm coded in C. Again,
the compiler will do automatic truncation or padding,
even when full array bounds checking is not enabled.
While neither PL/I nor C are strongly typed languages
and security errors are possible in both languages, PL/I
programs tend to suffer significantly fewer security problems
than the corresponding C programs.
(1) Burroughs’ use of ALGOL for the B5000 operating system was well
known to the original Multics designers.
15. Corbató, F.J., PL/I As a Tool for System Programming.
Datamation, May 1969. 15(5): p. 68-76. URL:
http://home.nycap.rr.com/pflass/plisprg.htm
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz | gets() remains as a monument | Periwinkle
(408)356-8506 | to C's continuing support of | 16345 Englewood Ave
www.pwpconsult.com | buffer overruns. | Los Gatos, CA 95032
---------------------------------------------------------------------
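As an added illustration of the passage quoted above (not code from the paper, from Multics, or from any PL/I runtime), here is a C sketch of the string discipline the authors describe, a descriptor that carries its declared maximum so assignment and concatenation truncate or pad instead of overrunning, next to the C convention they contrast it with; the plistr type and its functions are invented for this example.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration of the quoted passage, not code from the paper, Multics
 * or any PL/I runtime: a PL/I-style string descriptor carries its declared
 * maximum and current length, so every operation is bounded by construction.
 * The plistr name and functions are invented for this example. */
typedef struct {
    size_t max_len;  /* declared maximum, fixed when the string is created */
    size_t cur_len;  /* current length, tracked explicitly: no NUL scanning */
    char  *buf;      /* caller-supplied storage of exactly max_len bytes */
} plistr;

/* Varying-length assignment: copy at most max_len bytes and truncate the rest
 * silently, as the PL/I compiled code does even with length checking off.
 * Returns the number of bytes actually stored. */
size_t plistr_assign(plistr *dst, const char *src, size_t src_len) {
    size_t n = src_len < dst->max_len ? src_len : dst->max_len;
    memcpy(dst->buf, src, n);
    dst->cur_len = n;
    return n;
}

/* Concatenation is bounded by the room left in dst, never by the source. */
size_t plistr_append(plistr *dst, const char *src, size_t src_len) {
    size_t room = dst->max_len - dst->cur_len;
    size_t n = src_len < room ? src_len : room;
    memcpy(dst->buf + dst->cur_len, src, n);
    dst->cur_len += n;
    return n;
}

/* Fixed-length assignment: same truncation, then blank padding to max_len. */
void plistr_assign_fixed(plistr *dst, const char *src, size_t src_len) {
    size_t n = plistr_assign(dst, src, src_len);
    memset(dst->buf + n, ' ', dst->max_len - n);
    dst->cur_len = dst->max_len;
}

/* The C convention the paper contrasts with: a C string stores no length and
 * no capacity, so its length is only discoverable by scanning for the NUL and
 * the buffer size is knowledge the programmer must carry separately. */
size_t c_string_length(const char *s) {
    size_t n = 0;
    while (s[n] != '\0') n++;
    return n;
}
```

The point of the contrast is that the bound lives in the PL/I descriptor, whereas the C version leaves the caller to remember the buffer size on every copy, which is exactly what gets() cannot do.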
The Cryptography Mailing List