If you overwrite the key with a string of equivilent length then there is no logical reason for Perl to need to change the memory location. In fact you can show that it does not quite simply with Devel::Peek. The PV memory address remains constant.Just as I said, you might be able to decide that overwriting works in a particular version of Perl (although it's far from clear that your example shows it will work in all cases), but there's no guarantee it'll work in a different version of Perl. Nor that your test case is sufficient.While there are no guarantees this will work on every version of Perl I don't see why not, and you could easily incorporate this test into the test suite.
When it comes to security on a level like this, it's a bad mistake to trivialize it with "there is no logical reason for Perl to need to change the memory location" and simple examples. You haven't even started to contemplate how you load the password in a variable in the first place, and how you're going to wipe out all the traces of doing that.
Abigail
In reply to Re: Handling encryption safely
by Abigail-II
in thread Handling encryption safely
by bagu
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |