Clearing sensitive in-memory data in perl

Ben Laurie ben at
Sat Sep 17 15:36:11 EDT 2005

Adam Shostack wrote:
> On Sat, Sep 17, 2005 at 11:40:26AM -0400, Victor Duchovni wrote:
> | On Sat, Sep 17, 2005 at 11:53:20AM +0100, Ben Laurie wrote:
> | 
> | > >My view is that C is fine, but it needs a real library and programmers
> | > >who learn C need to learn to use the real library, with the bare-metal
> | > >C-library used only by library developers to bootstrap new safe
> | > >primitives.
> | > 
> | > So wouldn't the world be a better place if we could all agree on a 
> | > single such library? Or at least, a single API. Like the STL is for C++.
> | > 
> | 
> | Yes, absolutely, but who is going to do it?
> The glibc people?  The openbsd people?
> I recall that for a while if you used gets, the linker would
> complain.  I can't recall what platform this was on.  BSDi, maybe?

gets is so not the problem. Using strings that _can_ overflow is the 
problem. That means wrapping the entire standard library.

And, of course, the issue is that every other library in the universe 
uses C-style strings (etc.), so unless we can all agree on a better 
paradigm, we're screwed.




"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list