PerlMonks
Re: Garbage Collection & Secure Programming

by sgifford (Prior)
on May 03, 2006 at 05:01 UTC [id://547057]


in reply to Garbage Collection & Secure Programming

Hi Solostian,

Whether or not garbage-collected data is zeroed out after collection doesn't affect buffer overflows one way or the other. It could possibly affect information leakage, but the Perl language always initializes variables to something (even if it's undef), so they never end up pointing to uninitialized memory.

Because of its design, the Perl language is immune to these attacks and to buffer overflow attacks. However, a bug in the Perl interpreter could lead to a buffer overflow; this is the same as with Java, or any other interpreted language (compiled languages have the same problem with potential bugs in their compilers). This would of course be a flawed implementation, but looking at any recent ChangeLog for the Perl interpreter will confirm that every implementation so far has been flawed in some way, and it's likely future ones will have flaws from time to time.

That said, I've found Perl to be the easiest language to write secure programs in, because of the language design and because of taint mode. So far none of Perl's bugs have created real security problems in my applications, so I've been happy from that perspective as well. Perl's developers take security very seriously, and I have confidence that the remaining bugs will be small ones and quickly fixed when they are discovered.
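Taint mode is the practical half of the point made above, so here is an added example (editor's code, not sgifford's) of what perl -T actually enforces: data that came from outside the program is flagged, perl refuses to hand a flagged value to system(), and the only sanctioned way to clear the flag is to extract the data through a regex capture. The accepted name pattern, the PATH value and the script name are illustrative assumptions.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post): Perl's taint mode in action.
# Run as:  perl -T taint_demo.pl some-name
# (or make the file executable; the -T on the shebang line must match what
# is on the command line, otherwise perl aborts with "Too late for -T").
# The accepted name pattern and the PATH value are illustrative assumptions.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T every value that originates outside the program (@ARGV, %ENV,
# STDIN, file reads, ...) carries a taint flag, and perl dies rather than
# pass such a value to system(), exec(), backticks, open() for writing,
# unlink() and friends. %ENV is tainted as well, so the variables that
# influence child processes must be scrubbed before any system() call.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/bin:/bin';   # a literal assignment is untainted

my $raw = shift @ARGV;
die "usage: perl -T taint_demo.pl NAME\n" unless defined $raw;
printf "argument '%s' tainted? %s\n", $raw, tainted($raw) ? 'yes' : 'no';

# Only a regex capture produces an untainted copy. Whitelist the exact
# shape you accept: matching against /(.*)/ would "untaint" anything and
# defeat the whole mechanism.
sub untaint_name {
    my ($v) = @_;
    return undef unless defined $v && $v =~ /\A([A-Za-z0-9._-]{1,64})\z/;
    return $1;                      # $1 is a fresh, untainted value
}

# Handing the raw value to system() is fatal under -T; catch the die to
# show the message ("Insecure dependency in system while running with -T").
my $ok = eval { system('/bin/echo', 'using', "$raw.txt") == 0 };
print "system() with the raw value: ", ($ok ? "ran\n" : "blocked: $@");

my $name = untaint_name($raw);
die "refusing '$raw': not a plain file name\n" unless defined $name;
printf "validated '%s' tainted? %s\n", $name, tainted($name) ? 'yes' : 'no';
system('/bin/echo', 'using', "$name.txt") == 0 or die "echo failed: $?\n";
```

Two things worth noticing when running it: the first system() is blocked even though it uses the list form (no shell is involved; taint checking is about provenance, not about shell metacharacters), and a name such as "../etc/passwd" never reaches the second call because the whitelist rejects it. Taint mode does not validate anything for you; it only makes forgetting to validate a fatal error instead of a silent bug.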

Re^2: Garbage Collection & Secure Programming
by rafl (Friar) on May 09, 2006 at 11:41 UTC
    Because of its design, the Perl language is immune to these attacks and to buffer overflow attacks. However, a bug in the Perl interpreter could lead to a buffer overflow;

    This is not exactly true. Think of a perl extension, which is written in C or C++ or any other language which suffers from those "traditional" buffer-overflow problems. Those could bring the problem of buffer overflow attacks to your perl application, even if perl is theoretically immune to such attacks.

    This is why I usually prefer pure-perl implementations when I choose to use a module from CPAN. At least as long as performance doesn't suffer too much.

    Cheers, Flo
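The preference stated in this reply is easy to turn into a check. Below is an added example (editor's code, not rafl's) that asks perl itself which loaded modules bootstrapped compiled code. It relies on the bookkeeping arrays @DynaLoader::dl_modules and @DynaLoader::dl_shared_objects, which XSLoader::load and DynaLoader::bootstrap append to every time a shared object is loaded. The four modules inspected are an illustrative assumption; all of them ship with core perl, so the script runs offline.

```perl
#!/usr/bin/perl
# Added example (not from the original reply): report which of the modules a
# program loads are backed by compiled (XS) code rather than pure Perl.
# The list of modules to inspect is an illustrative assumption.
use strict;
use warnings;

my @to_check = qw(Digest::MD5 JSON::PP List::Util Text::Wrap);

# Loads each module, then pairs the package names that XSLoader::load and
# DynaLoader::bootstrap push onto @DynaLoader::dl_modules with the shared
# objects they push onto @DynaLoader::dl_shared_objects (parallel arrays).
# Returns two hash refs: requested module => shared object path or
# 'pure Perl', and every package that bootstrapped native code at all.
sub classify_modules {
    my @mods = @_;
    for my $m (@mods) {
        (my $file = "$m.pm") =~ s{::}{/}g;
        require $file;               # XS parts bootstrap during require
    }
    my %so_for;
    @so_for{@DynaLoader::dl_modules} = @DynaLoader::dl_shared_objects;
    my %report;
    for my $m (@mods) {
        $report{$m} = exists $so_for{$m} ? $so_for{$m} : 'pure Perl';
    }
    return (\%report, \%so_for);
}

my ($report, $native) = classify_modules(@to_check);
for my $m (sort keys %$report) {
    printf "%-12s %s\n", $m, $report->{$m};
}
# A module that reports 'pure Perl' can still drag native code in through
# its own dependencies; any such package shows up here.
my @indirect = grep { !exists $report->{$_} } sort keys %$native;
print "native code also loaded indirectly by: @indirect\n" if @indirect;
```

On a stock perl this lists Digest::MD5 and List::Util with the path of their .so (or .dll) and JSON::PP and Text::Wrap as pure Perl. The indirect list matters for the point being made: a dependency tree is only as "pure" as its leaves, and a pure-Perl wrapper around an XS module inherits that module's memory-safety exposure.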
