SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 69

changes.mady.by.user Justin Loo

Saved on

compared with

New Version 70

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Calling a PRNG in the same initial state, either without seeding it explicitly or by seeding it with the same value, results in generating the same sequence of random numbers in different runs of the program. Suppose If a PRNG function is called 10 times consecutively to produce a sequence of 10 random numbers . Suppose also that this PRNG is not seeded. Running without being seeded, running the code for the first time produces the sequence S = <r1{r1, r2, r3, r4, r5, r6, r7, r8, r9, r10>. Running the code a second time produces exactly the same S sequence. Generally, any subsequent runs of the code r10}. If the PRNG is subsequently seeded with the same initial seed value, then it will generate the same sequentce S sequence.

As a result, after the first run of the an improperly seeded PRNG, an attacker can predict the sequence of random numbers that will be generated in the future runs. Improperly seeding or failing to seed the PRNG can lead to vulnerabilities, especially in security protocols.

The solution is to always to ensure that your the PRNG is always properly seeded. Seeding a PRNG means that it A properly seeded PRNG will generate a different sequences sequence of random numbers at any call.each time it is run.

Not It is worth noting that not all random number generators can be seeded. True random number generators that rely on hardware to produce completely unpredictable results do not need to be and cannot be seeded. Some high-quality PRNGs, such as the /dev/random device on some UNIX systems, also cannot be seeded. This rule applies only to algorithmic pseudorandom number generators that can be seeded.

...

This noncompliant code example generates a sequence of 10 pseudorandom numbers using the random() function. When random() is not seeded, it behaves like rand(), producing the same sequence of random numbers at different callseach time any program that uses it is run.

Code Block
bgColor#FFCCCC
langc
#include <stdio.h>
#include <stdlib.h>
 
void func(void) {
  for (unsigned int i = 0; i < 10; ++i) {
    /* Always generates the same sequence */
    printf("%ld, ", random());
  }
}

...

Compliant Solution (POSIX)

Use Call srandom() before invoking random() to seed the random sequence generated by random(). The code This compliant solution produces different random number sequences at different calls.each time the program is run:

Code Block
bgColor#ccccff
langc
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
 
void func(void) {
  struct timespec /*ts;
   * Create seed based on current time counted as
   * seconds from 01/01/1970.
   */
  srandom(time(NULL));
  if (timespec_get(&ts, TIME_UTC) == 0) {
    /* Handle error */
  }
  else {
    srandom(ts.tv_nsec ^ ts.tv_sec);
    for (unsigned int i = 0; i < 10; ++i) {
      /* Generates different sequences at different runs */
    printf printf("%ld, ", random());
  }
}

The output is as follows:

Code Block
1st run: 198682410, 2076262355, 910374899, 428635843, 2084827500, 1558698420, 4459146, 733695321, 2044378618, 1649046624,
2nd run: 1127071427, 252907983, 1358798372, 2101446505, 1514711759, 229790273, 954268511, 1116446419, 368192457,
         1297948050,
3rd run: 2052868434, 1645663878, 731874735, 1624006793, 938447420, 1046134947, 1901136083, 418123888, 836428296,
         2017467418,

In the previous examples, seeding in rand() and random() is performed using the time() function, which returns the current time calculated as the number of seconds that have passed since January 1, 1970This may not be sufficiently random for concurrent execution, where it may lead to correlated generated series in different threads, or for small embedded systems that have an unsigned int type with a width of 16 bits. Depending on the application and the desirable desired level of security, a programmer may choose alternative ways to seed PRNGs. In general, hardware is more capable than humans software of generating real random numbers (for example, by generating a sequence of bits by sampling the thermal noise of a diode and using the result as a seed).

Compliant Solution (Windows)

The CryptGenRandom() function does not run the risk of not being properly seeded because its arguments serve as seeders.:

Code Block
bgColor#ccccff
langc
#include <Windows.h>
#include <wincrypt.h>
#include <stdio.h>
 
void func(void) {
  HCRYPTPROV hCryptProv;
  long rand_buf;
  /* Example of instantiating the CSP */
  if (CryptAcquireContext(&hCryptProv, NULL, NULL, PROV
                          PROV_RSA_FULL, 0)) {
    printf("CryptAcquireContext succeeded.\n");
  } else {
    printf("Error during CryptAcquireContext!\n");
  }

  for (unsigned int i = 0; i < 10; ++i) {
    if (!CryptGenRandom(hCryptProv, sizeof(rand_buf),
                        (BYTE *)&rand_buf)) {
      printf("Error\n");
    } else {
      printf("%ld, ", rand_buf);
    }
  }
}

...

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MSC32-C

Medium

Likely

Low

P18

L1

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

CERT C Secure Coding StandardMSC30-C. Do not use the rand() function for generating pseudorandom numbers
CERT C++ Secure Coding StandardMSC32-CPP. Ensure your random number generator is properly seeded
MITRE CWECWE-327, Use of a broken or risky cryptographic algorithmBroken or Risky Cryptographic Algorithm
CWE-330, Use of insufficiently random valuesInsufficiently Random Values

Bibliography

[MSDN]"CryptGenRandom Function"

...