in reply to Is it possible to sanitize Perl memory that holds sensitive data? (crypto implications)

You can use Devel::Peek to see the internal representation of the scalar.

For instance: 

$a = "foo bar";
$a = 0;
Dump $a;

# SV = PVIV(0x8155b10) at 0x8154654
#  REFCNT = 1
#  FLAGS = (IOK,pIOK)
#  IV = 0
#  PV = 0x816fa60 "foo bar"\0
#  CUR = 7
#  LEN = 8

[download]
so asigning an integer to the variable does not overwrite the memory. 
$a = "foo bar";
Dump $a;
$a = '*' x length $a;
Dump $a;
# SV = PV(0x8154b00) at 0x8154654
#   REFCNT = 1
#   FLAGS = (POK,pPOK)
#   PV = 0x816fa78 "foo bar"\0
#   CUR = 7
#   LEN = 8
# SV = PV(0x8154b00) at 0x8154654
#   REFCNT = 1
#   FLAGS = (POK,pPOK)
#   PV = 0x816fa78 "*******"\0
#   CUR = 7different
#   LEN = 8

[download]
but assigning a string of the same size seems to work!

Anyway, you should also take into account, that the string (or parts of it) can be copied when passed to a subroutine, perl builtin or operator, and what is safe, is highly implementation dependent and could change between perl versions!

  • Comment on Re: Is it possible to sanitize Perl memory that holds sensitive data? (crypto implications)
  • Select or Download Code

Replies are listed 'Best First'.
Re^2: Is it possible to sanitize Perl memory that holds sensitive data? (crypto implications)
by missingthepoint (Friar) on Aug 30, 2008 at 00:51 UTC

    I didn't know about Devel::Peek... Thanks.

    It looks like you have to assign a value of the same type as the one you wish to overwrite. I wonder why Perl preserves values of other types... maybe something to do with the number/string autoconversion? I'm guessing efficiency... Anyone?

    Anyway, by now I'm convinced that the Perl internals are sufficiently complex that it's best to use C libraries that don't expose sensitive data to Perl at all (if possible).

    email: perl -e 'print reverse map { chr( ord($_)-1 ) } split //, "\x0bufo/hojsfufqAofc";'
[reply]

In Section Seekers of Perl Wisdom