Clearing sensitive in-memory data in perl

Greg Black cryptography at mail.gbch.net
Sun Sep 18 17:02:51 EDT 2005 

On 2005-09-18, Ian G wrote:
> Greg Black wrote:

>> The problem is bad programmers.
> 
> No, the problem is good programmers.  When K & R
> wrote C in the early 70s

K & R did not write C, they wrote a book about C.  R was the
creator of the language, with some inspiration and collaboration
from some others at Bell Labs, mainly Ken Thompson.  For the
history, see DMR's paper "The Development of the C Language" at
<http://cm.bell-labs.com/cm/cs/who/dmr/chist.html>.

Re the book, BWK wrote the descriptive part and DMR wrote the
appendix that described the language.  Not surprisingly, BWK's
part has most of the real errors (as distinct from typos).

> , programming was a real
> heavy duty science, and K & R were in a place
> which was one of the meccas of the art.  They
> wrote a language for not only good programmers,
> but for great programmers.

Dennis wrote C for Ken (and for his own amusement).  It was
adopted by other people at Bell when they saw how useful it was
and escaped for the same reason.

> Their world is not the world we live in

Indeed it's not.  In particular, our world has bad guys and
cheap, powerful hardware with no constraints on memory or
particular needs for efficiency.

If somebody like Ritchie sat down today to write a new language
to replace C, then it would indeed be different and people with
real work to do might even switch to it.  But not one language
that has appeared since C is as useful and every language that
has appeared since then has had significant disadvantages in
comparison.  The only languages that strike me as being in any
way comparable are the Lisp family -- but they are useless for
system programming, and so people like me tend to stick to C
since it can do everything.  (Of course, I use other languages
as well; but C is the basis of everything I do.)

> PS: if one is forced to use C, what is the best
> recommendation for string / array processing?

One is never /forced/ to use C.  One chooses the tools to best
do the job.  One day, I'll package up my string library, which
would then be my recommendation.  As it is now, it's used in
quite a few places where I have consulted (since working with
software teams almost always involves teaching them to use C
effectively).  The only string library that I'm aware of that's
freely available is Dan Bernstein's stralloc[1] library and its
array library[2] successor:

  [1] http://cr.yp.to/lib/stralloc.html
  [2] http://cr.yp.to/lib/array.html

These both have disadvantages common to all DJB code: weird
licensing, unreadable style, and somewhat fanatic admiration of
his own work in preference to all other work.  However, for
somebody wanting some ideas for implementation of their own
library, these might make a useful starting point.

Bear in mind that, even though we are not all Ritchies, those of
us who work with software can learn to use sharp tools if we
take the time to do it and put in the work required.  If that's
really too much, then there are always buses that need drivers.

Greg

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list