February 9th, 2003, 09:22 PM
i've always found the idea of the 'garbage' values quite interesting - the values that variables have before initialisation. is there any use for them? maybe in creating random numbers, which seems to be quite a hard thing to do? - creating true random numbers? am i right in thinking that the garbage values are the values that the memory had before your code came along? if that is the case why aren't they usually just 0? are they the remnants of another app maybe? do they depend on which platform you're on?
int x, array;
for(x=0; x<100; x++)
printf("%d ", array[x]);
___________mac os x
-1073742660 -1073742664 0 -1073742668 -1073742672
-1880833760 13788 -1881090976 -1073742752 0 -1881090472 0 1539
4096 -1073742304 -1881061032 -1073742752 -1879004448
-1880824864 -1881060560 -1073742752 -1073742296 -1881060552 0
-1073742736 72 -1881051448 2051 1539 0 0 0 0 8228 13668 14185
-1880833760 -1879004448 -1880824864 -1881080400 -1073742624
-1880838348 -1881078908 -1880833760 -1073742656 0 -1073742308 8
1 1140850688 0 0 0 0 0 8 1 -1073742296 -1073742304 -1881066664
-1878034140 -1880838725 -1880833760 -1880833760 -1073742576 0
-1073742308 8 1 -1073742296 -1073742304 -1073742624 -1073742496
0 -1881141568 -1879018832 -1073742496 1795 -1879018592 6900
-1073742496 -1073742296 6932 7368 -1073742496 0 -1881052852
-1073742432 -1880849072 -1880848696 -1880849072 47 8057 0 0
-1073742296 -1881066684 0 -1073742308 8
February 10th, 2003, 12:42 PM
i believe that they are whatever was stored in memory location previously, but im not 100% sure. and to create true random numbers every time a program runs, try this:
x = rand();
-using the time() func. gets a the seed from the current time on the computer clock, thus making it true randomness.
February 10th, 2003, 01:28 PM
hopefully not! this would be a big time security problem...
on the one hand i doubt you can predict them, on the other - donīt use them for creating random values. maybe for seeding the random number generator, but still, they might be the same after each reboot... (never tried anything like that, by definition they are "undefined", thus donīt rely on anything related to them. not on them being the same nor on them being different.)
February 11th, 2003, 09:09 PM
they are remnants
The garbage value is whatever was there before. An OS is not going to bother "sweeping" a memory location clean, but rather registers the fact that an area is again available to be used.
There is not much you can do about leaving data behind, in terms of another app, unless YOU explicitly clear data values to NULL (\0) or 0 on your way out. Even this suggestion is dubious as you can never tell where the OS is going to plunk your binary in memory.
February 12th, 2003, 04:31 PM
Re: they are remnants
makes sense. what else would they be? so in posting those values above, i could have made something very personal public. oh well.
hmm, they don't seem quite so fascinating to me, now their mystique has been removed. but still interesting.
February 12th, 2003, 04:46 PM
Does this also mean: For any variable that contains sensitive information like passwords, you really should overwrite it with "0"s after you don't need it anymore?
I think: I write a program. It scans for strings in the whole memory area it can access. In a shared-hosting environment eg., would i find other people's passwords and program code then?
... scary ... really scary ...
I never thought about this before... I need to check this for the apache web server / php interpreter, maybe this needs to be added to "#1 security measures". Does anyone know if this problem is unique to certain OSs and if the php developers eg. did address this already?
February 13th, 2003, 02:10 AM
>>would i find other people's passwords and program code then?
AFAIK Win NT based systems leave the password in encrypted form at all times after it has been entered. The password is loaded from file encrypted and the input encrypted and then both compared.
Finding the right 8 or so bytes in 100Mb of used mem might not be easy.
In my apps I always encrypt or overwrite the data with an un-initialsed section of mem. Just in case.
>>and to create true random numbers every time a program runs, try this:
Try sending in the same value to the seed and see how much 'true randomness' you realy have. (rand() is just a list of numbers and the seed is the starting position)
The essence of Christianity is told us in the Garden of Eden history. The fruit that was forbidden was on the Tree of Knowledge. The subtext is, All the suffering you have is because you wanted to find out what was going on. You could be in the Garden of Eden if you had just kept your f***ing mouth shut and hadn't asked any questions.
February 13th, 2003, 06:56 AM
x = rand();
This DOESN'T give true random numbers infamous, it's still psuedo random. The only way to get 100% true random numbers is to use special hardware.
February 13th, 2003, 04:29 PM
why doesnt the clock seed create true random numbers?
February 13th, 2003, 04:38 PM
because "true random" says "unpredictable", but the numbers generated from rand() come from a mathematical formula. if you can predict the seed, you know all of the following numbers... Theyīll be always the same.
You could argument: But noone can predict the exact milliseconds when i started this program. I answer: But if you know it +/- some minutes (maybe even hours?), a standard PC can brute-force all of them ;)
February 14th, 2003, 12:31 PM
interesting M Hircsh. my next question would then be, how does one go about generating true random numbers? or how exactly does this software work that achieves this? any relation to the 1way functions that are used in generating public/private keys in encryption?
February 14th, 2003, 01:58 PM
rand() has always been known to be pseudorand(). rand() takes numbers from a pre-written list of numbers in your computer. srand decides where you jump into that long list. not sure if the list of 'random' numbers are different on each computer or not? [edit> almost definetely not thinking about it now.] also not sure how many numbers make up this 'random' number list?
i believe that some people believe that random numbers gained via any algorithm simply aren't going to be random, which i'm inclined to think myself. if you google for c code random number generator, you can find code that's *pages* long that say they generate random numbers. pgp, when i made an encryted disk partition, required me to jiggle my mouse round for a while to get a random number.
Last edited by balance; February 14th, 2003 at 02:21 PM.
February 14th, 2003, 02:06 PM
moving your mouse and/or typing on the keyboard is much more random that using the time as seed...
infamous41md, you can not create true random numbers using software at all. There is special hardware on the market for this task.
February 14th, 2003, 02:20 PM
One way to do this is to use noise diodes (i.e.) diodes that are set up in a circuit past their normal characteristics, where they generate white noise. http://www.avtechpulse.com/faq.html/IV.8/
There was this story of one swedish computer (built by SAAB in the mid 50s, if I recall correctly) which supposedly had a random channel which used noise diodes. Programs could read input from the random channel to get a stream of random numbers. Apparently no one used this feature though, because once the diodes heated up, they would all return 1 bits :)
Here's how to build a random bit generator:
February 14th, 2003, 02:23 PM
built by saab! amazing. you would have thought that some sort of random number generator would have become a standard built in hardware feature of computers? i'm surprised it hasn't.