Re: [OT] What kind of data is is returned by 'new' ?
- Subject: Re: [OT] What kind of data is is returned by 'new' ?
- From: Chris Page <email@hidden>
- Date: Sun, 10 Jul 2005 04:29:50 -0700
On Jul 10, 2005, at 4:08 AM, Dirk Stegemann wrote:
> On the other hand, though the quality of such "randomized" memory
> may not prove best, for my program it seems far better to use data
> that isn't as reliably random as other well-known high-quality
> random sources can provide than using such sources by accessing
> public APIs. My application does read and write data from and to
> memory very frequently, and sometimes treating e.g. a 128-byte
> allocated non-initialised buffer as 1024 bit-value might seem far
> less obvious to an adversary who was just breaking for my random()
> calls, I guess.

If someone can use a debugger to break on your call to random(), all
bets are off. They can examine your code, intercept calls, modify
memory, and inject code. And if they can do that, they've either got
your privileges or root, and you have worse problems than them trying
to modify your running program.

Unless you're a crypto expert, I strongly advise you to use random().
Also, read up on using srandomdev() to seed random(). Anything else
is almost certainly less secure. Most people aren't experts on
"randomness", and many things that most people consider "random"
aren't, or aren't sufficiently so.

I am not a crypto expert, but I know enough to know better than to
try to use unproven and risky means to acquire entropy. Stick with
random() coupled with srandomdev() for high-quality seeding.

In fact, my man page for random() mentions arc4random(), which seems
like another good choice.

--
Chris Page - Software Wrangler - Dylan Pundit
Open Source Dylan Compilers: <http://www.gwydiondylan.org/>
Dylan Blogging: <http://homepage.mac.com/chrispage/iblog/>
Dylan Stuff: <http://www.cafepress.com/chrispage>