Clearing sensitive in-memory data in perl

Adam Shostack adam at
Sat Sep 17 16:14:07 EDT 2005

On Sat, Sep 17, 2005 at 08:36:11PM +0100, Ben Laurie wrote:
| Adam Shostack wrote:
| >On Sat, Sep 17, 2005 at 11:40:26AM -0400, Victor Duchovni wrote:
| >| On Sat, Sep 17, 2005 at 11:53:20AM +0100, Ben Laurie wrote:
| >| 
| >| > >My view is that C is fine, but it needs a real library and programmers
| >| > >who learn C need to learn to use the real library, with the bare-metal
| >| > >C-library used only by library developers to bootstrap new safe
| >| > >primitives.
| >| > 
| >| > So wouldn't the world be a better place if we could all agree on a 
| >| > single such library? Or at least, a single API. Like the STL is for 
| >| > C++.
| >| > 
| >| 
| >| Yes, absolutely, but who is going to do it?
| >
| >The glibc people?  The openbsd people?
| >
| >I recall that for a while if you used gets, the linker would
| >complain.  I can't recall what platform this was on.  BSDi, maybe?
| gets is so not the problem. Using strings that _can_ overflow is the 
| problem. That means wrapping the entire standard library.
| And, of course, the issue is that every other library in the universe 
| uses C-style strings (etc.), so unless we can all agree on a better 
| paradigm, we're screwed.

I didn't mean to imply that gets was the issue, only that when your
linker laughed at you for trying to use a function, it was an
encouragement to move to other functions.  That is, it is possible to
get people to move when there's something to move to.


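[Editor's added example, not part of the post above and not code from any of the participants.] The "string that cannot overflow" primitive Ben describes, and the gets replacement Adam alludes to, can be sketched in a few dozen lines of C: a buffer that carries its own capacity and length, checks every write against that capacity, refuses (rather than silently truncates) input that does not fit, and still hands out a plain NUL-terminated char* so that "every other library in the universe" can be called with it. All names (sstr, sstr_append_n, sstr_getline, and the demo functions) are this example's own, and the input text fed through tmpfile() in the demo is constructed for illustration. The link-time nudge Adam remembers is what glibc does today for gets, via a .gnu.warning section in libc.

```c
/* Added example: a minimal bounded-string type for C. Names are this
 * example's own; it is not from the mailing-list post. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A bounded string: fixed-capacity storage that tracks its own length.
 * Invariant: len <= cap - 1 and buf[len] == '\0', so buf is always a
 * valid C string and no operation can write past buf[cap - 1]. */
typedef struct {
    char *buf;   /* caller-owned storage */
    size_t cap;  /* total bytes in buf, including the terminator */
    size_t len;  /* bytes in use, excluding the terminator */
} sstr;

/* Wrap caller-owned storage; cap must be >= 1 so the terminator fits. */
static bool sstr_init(sstr *s, char *storage, size_t cap) {
    if (storage == NULL || cap == 0) return false;
    s->buf = storage; s->cap = cap; s->len = 0; s->buf[0] = '\0';
    return true;
}

/* Append n bytes of src. Returns false and leaves s unchanged if the
 * result would not fit: the caller learns about the problem instead of
 * getting a clipped string or a smashed stack. */
static bool sstr_append_n(sstr *s, const char *src, size_t n) {
    if (n > s->cap - 1 - s->len) return false;  /* invariant keeps this from underflowing */
    memcpy(s->buf + s->len, src, n);
    s->len += n;
    s->buf[s->len] = '\0';
    return true;
}

static bool sstr_append(sstr *s, const char *src) {
    return sstr_append_n(s, src, strlen(src));
}

/* The bounded replacement for strcpy(): clears s, then appends. */
static bool sstr_copy(sstr *s, const char *src) {
    s->len = 0; s->buf[0] = '\0';
    return sstr_append(s, src);
}

/* Bridge to C-style APIs: the invariant guarantees a terminated string. */
static const char *sstr_cstr(const sstr *s) { return s->buf; }

/* The bounded replacement for gets(): reads one line into s.
 * An overlong line is drained to its newline and reported, and s is left
 * empty, so a caller never mistakes a truncated prefix for the real line. */
enum { SSTR_LINE_EOF = 0, SSTR_LINE_OK = 1, SSTR_LINE_TOO_LONG = -1 };
static int sstr_getline(sstr *s, FILE *fp) {
    s->len = 0; s->buf[0] = '\0';
    int c, status = SSTR_LINE_OK;
    while ((c = fgetc(fp)) != EOF && c != '\n') {
        char ch = (char)c;
        if (status == SSTR_LINE_OK && !sstr_append_n(s, &ch, 1))
            status = SSTR_LINE_TOO_LONG;  /* keep draining to end of line */
    }
    if (c == EOF && s->len == 0 && status == SSTR_LINE_OK) return SSTR_LINE_EOF;
    if (status == SSTR_LINE_TOO_LONG) { s->len = 0; s->buf[0] = '\0'; }
    return status;
}

/* Demo 1: what strcpy/strcat would have turned into an 8-byte overflow. */
static bool demo_refuses_overflow(void) {
    char storage[8];
    sstr s;
    sstr_init(&s, storage, sizeof storage);
    bool ok1 = sstr_copy(&s, "abcdefg");  /* 7 chars + NUL: fits exactly */
    bool ok2 = sstr_append(&s, "h");      /* would need 9 bytes: refused */
    return ok1 && !ok2 && s.len == 7 && strcmp(sstr_cstr(&s), "abcdefg") == 0;
}

/* Demo 2: line reading over constructed input; returns a bitmask of the
 * four checks (15 means all passed), or -99 if no temp file was available. */
static int demo_getline(void) {
    FILE *fp = tmpfile();
    if (fp == NULL) return -99;
    fputs("short\nthis line is far too long\nok\n", fp);  /* constructed input */
    rewind(fp);
    char storage[8];
    sstr s;
    sstr_init(&s, storage, sizeof storage);
    bool a = sstr_getline(&s, fp) == SSTR_LINE_OK && strcmp(sstr_cstr(&s), "short") == 0;
    bool b = sstr_getline(&s, fp) == SSTR_LINE_TOO_LONG && s.len == 0;
    bool c = sstr_getline(&s, fp) == SSTR_LINE_OK && strcmp(sstr_cstr(&s), "ok") == 0;
    bool d = sstr_getline(&s, fp) == SSTR_LINE_EOF;
    fclose(fp);
    return (a ? 1 : 0) | (b ? 2 : 0) | (c ? 4 : 0) | (d ? 8 : 0);
}

int main(void) {
    printf("overflow refused: %s\n", demo_refuses_overflow() ? "yes" : "no");
    printf("getline checks: %d (15 = all passed)\n", demo_getline());
    return 0;
}
```

The design choice worth noting is that nothing here truncates: strlcpy-style clipping turns an overflow into a silent data-integrity bug, whereas a refused operation forces the caller to decide. The remaining cost is exactly the one Ben points out: every function that takes a char* still has to be wrapped, and sstr_cstr only covers the read side of that boundary.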
The Cryptography Mailing List