I was not trivializing it. As you well know Perl is a memory pig and optimized for speed. Part of this optimization is the over allocation of memory for scalars (as the test case shows). In fact Perl over allocates memory for just about all its data types. The reason is simple optimisation. If you don't have to reallocate memory simply to add an extra few bytes to a string, or add an extra element to an array you avoid the memory allocation and copy costs. I can't see a good reason why the gnomes should change this behaviour other than to save memory. I can't see ANY reason why overwriting the value in a scalar with the same number of bytes should EVER change to the situation where Perl is reallocating memory and doing a copy every time. This would be inefficient and is completely unnecessary.

As noted before physically securing the box is to my mind far more important. Just look at the banks for example. How many root kits are there that let you escalate user level privilege to root whereby you can just read the script/config without having to go to the extent of trawling through memory? 

package Config;

$key = 'hello';

package Foo;

use Devel::Peek;

my $str = 'the key is:';
Dump($Config::key);
decrypt( $str, $Config::key );

$Config::key = 'x'x19;
Dump($Config::key);
decrypt( $str, $Config::key );

$Config::key = 'x'x20;
Dump($Config::key);
decrypt( $str, $Config::key );

sub decrypt{ warn "Got: @_\n" }

__DATA__
SV = PV(0x15d5284) at 0x1a454a0
  REFCNT = 1
  FLAGS = (POK,pPOK)
  PV = 0x15dd0ac "hello"\0
  CUR = 5
  LEN = 6
Got: the key is: hello
SV = PV(0x15d5284) at 0x1a454a0
  REFCNT = 1
  FLAGS = (POK,pPOK)
  PV = 0x15dd0ac "xxxxxxxxxxxxxxxxxxx"\0 <--- Same Pointer == overwrit
+e
  CUR = 19
  LEN = 20
Got: the key is: xxxxxxxxxxxxxxxxxxx
SV = PV(0x15d5284) at 0x1a454a0
  REFCNT = 1
  FLAGS = (POK,pPOK)
  PV = 0x1a48edc "xxxxxxxxxxxxxxxxxxxx"\0 <--- Reallocation has occurr
+ed
  CUR = 20
  LEN = 21
Got: the key is: xxxxxxxxxxxxxxxxxxxx

[download]

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

In reply to Re: Re: Handling encryption safely by tachyon
in thread Handling encryption safely by bagu

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.