Clearing sensitive in-memory data in perl
Ben Laurie
ben at algroup.co.uk
Sat Sep 17 15:36:11 EDT 2005
Adam Shostack wrote:
> On Sat, Sep 17, 2005 at 11:40:26AM -0400, Victor Duchovni wrote:
> | On Sat, Sep 17, 2005 at 11:53:20AM +0100, Ben Laurie wrote:
> |
> | > >My view is that C is fine, but it needs a real library and programmers
> | > >who learn C need to learn to use the real library, with the bare-metal
> | > >C-library used only by library developers to bootstrap new safe
> | > >primitives.
> | >
> | > So wouldn't the world be a better place if we could all agree on a
> | > single such library? Or at least, a single API. Like the STL is for C++.
> | >
> |
> | Yes, absolutely, but who is going to do it?
>
> The glibc people? The openbsd people?
>
> I recall that for a while if you used gets, the linker would
> complain. I can't recall what platform this was on. BSDi, maybe?
gets is so not the problem. Using strings that _can_ overflow is the
problem. That means wrapping the entire standard library.
And, of course, the issue is that every other library in the universe
uses C-style strings (etc.), so unless we can all agree on a better
paradigm, we're screwed.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list