Re: make-string uninitialized memory exposure considered harmful

From: Egil Moeller
Subject: Re: make-string uninitialized memory exposure considered harmful
Date: Fri, 10 Jan 2003 16:51:33 +0100 (CET)

> At this point, I get what is going on.  This is confusing, and exposes
> the contents of random memory locations, perhaps exposing a password
> that someone thought had been garbage collected.  So, I'd argue that
> the default behavior should be to fill with nulls, or something, even
> though the spec should remain unspecified.  If we are afraid people
> will depend on that, it can fill with something chosen arbitrarily,
> but it shouldn't expose the existing contents of free memory.
> Anyone want to call me paranoid?

Yes, you are. But not entirely... I don't think that make-string is broken
in any way - random data that comes from old values in the program are
as good as any other values for the purpose of undefined characters...
But, you hit an interesting problem - one might think of a situation when
one would like to be able to create a string (or other object?) that, when
garbage-collected, was guaranteed to be overwritten with 0's. Is this
doable? It would require one more type-bit in all datatypes that would
support this behaviour. Also, such a bit would need to be copied whenever
the object was copied or parts of it extracted or merged with other

I'm quite interested in this, as I have written a wrapper around GnuPG
(using the C-wrapper GpgME) for Guile (if you are interested in it, it is
currently a bit too integrated with the rest of a bigger project, but it
is already fully functional (you can sign, encrypt, verify and decrypt
messages in memory), but in the end, I hope to release it as a separate


GPG Public key:
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
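An added illustration, not from this thread and not Guile's own code, of the two ideas discussed above: handing out zero-filled memory instead of whatever the allocator had lying around, and an extra "sensitive" bit on the object that is copied along with substrings and forces the buffer to be overwritten with zeros before it is released. The sstring type, its functions and the sample passphrase are all hypothetical constructions for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical string object modelling the extra type bit proposed in the
 * mail. Not Guile's representation of strings. */
typedef struct {
    char  *data;
    size_t len;
    int    sensitive;   /* the proposed bit: zero the buffer on release */
} sstring;

/* Overwrite through a volatile pointer so the compiler cannot drop the
 * stores as dead (a plain memset() right before free() may be removed). */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* calloc() hands back zero-filled memory, so stale heap contents never
 * show through as the "unspecified" initial characters. */
sstring *sstring_new(size_t len, int sensitive)
{
    sstring *s = malloc(sizeof *s);
    if (!s) return NULL;
    s->data = calloc(len + 1, 1);
    if (!s->data) { free(s); return NULL; }
    s->len = len;
    s->sensitive = sensitive;
    return s;
}

sstring *sstring_from(const char *text, int sensitive)
{
    size_t n = strlen(text);
    sstring *s = sstring_new(n, sensitive);
    if (!s) return NULL;
    memcpy(s->data, text, n);
    return s;
}

/* Extracting part of a sensitive string yields a sensitive string: the bit
 * must travel with the data, as the mail points out. */
sstring *sstring_substring(const sstring *src, size_t start, size_t count)
{
    if (start > src->len || count > src->len - start) return NULL;
    sstring *s = sstring_new(count, src->sensitive);
    if (!s) return NULL;
    memcpy(s->data, src->data + start, count);
    return s;
}

/* Zero the buffer if the bit is set; returns the number of bytes wiped. */
size_t sstring_wipe(sstring *s)
{
    if (!s->sensitive) return 0;
    secure_zero(s->data, s->len + 1);
    return s->len + 1;
}

/* Release: the wipe runs before the memory goes back to the allocator,
 * so a later make-string style allocation cannot reuse the old contents. */
void sstring_free(sstring *s)
{
    if (!s) return;
    sstring_wipe(s);
    free(s->data);
    free(s);
}

int all_zero(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++) if (p[i]) return 0;
    return 1;
}

int demo_new_is_zeroed(void)
{
    sstring *s = sstring_new(64, 0);
    int ok = s && all_zero((unsigned char *)s->data, s->len + 1);
    sstring_free(s);
    return ok;
}

int demo_substring_keeps_bit(void)
{
    sstring *pw = sstring_from("example-passphrase", 1); /* constructed sample */
    sstring *sub = sstring_substring(pw, 0, 7);
    int ok = sub && sub->sensitive == 1 && memcmp(sub->data, "example", 7) == 0;
    sstring_free(sub);
    sstring_free(pw);
    return ok;
}

int demo_wipe_zeroes(void)
{
    sstring *pw = sstring_from("example-passphrase", 1); /* constructed sample */
    size_t wiped = sstring_wipe(pw);
    int ok = wiped == pw->len + 1 && all_zero((unsigned char *)pw->data, pw->len + 1);
    sstring_free(pw);
    return ok;
}

int main(void)
{
    printf("fresh string zero-filled: %d\n", demo_new_is_zeroed());
    printf("substring keeps bit:      %d\n", demo_substring_keeps_bit());
    printf("wipe zeroes buffer:       %d\n", demo_wipe_zeroes());
    return 0;
}
```

The volatile loop is the part that matters in practice: an ordinary memset() followed by free() is exactly the pattern optimising compilers are entitled to delete, which would silently bring back the exposure the bit was meant to prevent.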
