guile-user

Re: make-string uninitialized memory exposure considered harmful


From: Egil Moeller
Subject: Re: make-string uninitialized memory exposure considered harmful
Date: Fri, 10 Jan 2003 16:51:33 +0100 (CET)

> At this point, I get what is going on.  This is confusing, and exposes
> the contents of random memory locations, perhaps exposing a password
> that someone thought had been garbage collected.  So, I'd argue that
> the default behavior should be to fill with nulls, or something, even
> though the spec should remain unspecified.  If we are afraid people
> will depend on that, it can fill with something chosen arbitrarily,
> but it shouldn't expose the existing contents of free memory.
>
> Anyone want to call me paranoid?

Yes, you are. But not entirely... I don't think that make-string is broken
in any way - random data that comes from old values in the program is
as good as any other value for the purpose of undefined characters...
But you hit an interesting problem - one might think of a situation where
one would like to be able to create a string (or other object?) that, when
garbage-collected, was guaranteed to be overwritten with 0's. Is this
doable? It would require one more type bit in all datatypes that would
support this behaviour. Also, such a bit would need to be copied whenever
the object was copied or parts of it extracted or merged with other
objects.

I'm quite interested in this, as I have written a wrapper around GnuPG
(using the C wrapper GpgME) for Guile. If you are interested in it, it is
currently a bit too integrated with the rest of a bigger project, but it
is already fully functional (you can sign, encrypt, verify and decrypt
messages in memory), and in the end I hope to release it as a separate
project...

/Egil

-- 
http://redhog.org
GPG Public key: http://redhog.org/PGP%20Public%20key.asc
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
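The zero-on-release design sketched in the message above (an extra type bit, propagated through copies, substrings and concatenation, and honoured when the object is freed) as an added C example. This is not Guile's string representation or any code from the thread; the `sstring` type, its functions and the sample strings are hypothetical and constructed here. It also applies the first poster's suggestion of zero-filling fresh allocations instead of handing out whatever the allocator left behind.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical string object (added example, not Guile's layout): a
 * length, a byte buffer and one "sensitive" flag bit asking for the
 * buffer to be wiped when the object is released. */
typedef struct {
    size_t len;
    unsigned sensitive : 1;   /* the extra type bit discussed above */
    char *buf;
} sstring;

/* Wipe via a volatile pointer so the optimiser cannot drop the stores
 * as dead writes just before free(). */
static void wipe(void *p, size_t n) {
    volatile unsigned char *vp = p;
    while (n--) *vp++ = 0;
}

/* Like make-string with no fill argument, except the buffer is
 * zero-filled (calloc) rather than exposing old memory contents. */
sstring *sstr_new(size_t len, int sensitive) {
    sstring *s = malloc(sizeof *s);
    if (!s) return NULL;
    s->buf = calloc(len + 1, 1);
    if (!s->buf) { free(s); return NULL; }
    s->len = len;
    s->sensitive = sensitive ? 1 : 0;
    return s;
}

sstring *sstr_from(const char *src, int sensitive) {
    size_t n = strlen(src);
    sstring *s = sstr_new(n, sensitive);
    if (s) memcpy(s->buf, src, n);
    return s;
}

/* Extracting part of a sensitive string yields a sensitive string. */
sstring *sstr_substring(const sstring *s, size_t start, size_t n) {
    if (start > s->len || n > s->len - start) return NULL;
    sstring *r = sstr_new(n, s->sensitive);
    if (r) memcpy(r->buf, s->buf + start, n);
    return r;
}

/* Merging: the result is sensitive if either input is. */
sstring *sstr_append(const sstring *a, const sstring *b) {
    sstring *r = sstr_new(a->len + b->len, a->sensitive || b->sensitive);
    if (!r) return NULL;
    memcpy(r->buf, a->buf, a->len);
    memcpy(r->buf + a->len, b->buf, b->len);
    return r;
}

/* Returns the number of bytes wiped: the whole buffer (including the
 * terminator) for a sensitive string, 0 otherwise. Kept separate from
 * sstr_free so the wipe can be inspected before the memory is gone. */
size_t sstr_wipe(sstring *s) {
    if (!s->sensitive) return 0;
    wipe(s->buf, s->len + 1);
    return s->len + 1;
}

/* Release: what a GC finaliser would do for a flagged object. */
void sstr_free(sstring *s) {
    if (!s) return;
    sstr_wipe(s);
    free(s->buf);
    free(s);
}

/* 1 if every byte of the buffer (terminator included) is zero. */
int sstr_all_zero(const sstring *s) {
    for (size_t i = 0; i <= s->len; i++)
        if (s->buf[i] != 0) return 0;
    return 1;
}

int main(void) {
    sstring *pw = sstr_from("hunter2", 1);      /* constructed sample secret */
    sstring *greeting = sstr_from("hello ", 0);
    sstring *both = sstr_append(greeting, pw);  /* inherits the flag */
    sstring *tail = sstr_substring(both, 6, 7); /* so does the extract */
    printf("append sensitive=%u substring sensitive=%u\n",
           (unsigned)both->sensitive, (unsigned)tail->sensitive);
    sstr_free(tail); sstr_free(both); sstr_free(greeting); sstr_free(pw);
    return 0;
}
```

The flag propagation is the part the message identifies as the real cost: every operation that derives a new object from a flagged one has to carry the bit, and a single forgotten path (here, any new function that copies `buf` without going through `sstr_new`) silently produces an unwiped copy. The volatile wipe matters because a plain `memset` immediately before `free` is a dead store the compiler is entitled to remove.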
