Whether or not garbage-collected data is zeroed out after collection doesn't affect buffer overflows one way or the other. It could possibly affect information leakage, but the Perl language always initializes variables to something (even if it's undef), so they never end up pointing to uninitialized memory.
Because of its design, the Perl language is immune to these attacks and to buffer overflow attacks. However, a bug in the Perl interpreter could lead to a buffer overflow; this is the same as with Java, or any other interpreted language (compiled languages have the same problem with potential bugs in their compilers). This would of course be a flawed implementation, but looking at any recent ChangeLog for the Perl interpreter will confirm that every implementation so far has been flawed in some way, and it's likely future ones will have flaws from time to time.
That said, I've found Perl to be the easiest language to write secure programs in, because of the language design and because of taint mode. So far none of Perl's bugs have created real security problems in my applications, so I've been happy from that perspective as well. Perl's developers take security very seriously, and I have confidence that the remaining bugs will be small ones and quickly fixed when they are discovered.
In reply to Re: Garbage Collection & Secure Programming
by sgifford
in thread Garbage Collection & Secure Programming
by Solostian
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |