...

Suppose an RNG function is called 10 times consecutively to produce a sequence of 10 random numbers, and suppose also that this RNG is not seeded. Running the code for the first time produces the sequence S = <r1, r2, r3, r4, r5, r6, r7, r8, r9, r10>. Running the code a second time produces exactly the same sequence S, and in general every subsequent run of the code generates the same sequence S.

As a result, after the first run of the RNG an attacker can predict the sequence of random numbers that all future runs will generate. This can lead to many vulnerabilities, especially in security protocols.

...

Although the rand() function is now properly seeded, this solution is still noncompliant because the numbers generated by rand() have a comparatively short cycle and may be predictable. (See MSC30-C. Do not use the rand() function for generating pseudorandom numbers.)

Noncompliant Code Example (POSIX)

...

In the previous examples, rand() and random() are seeded with the time() function, which returns the current time as the number of seconds elapsed since 01/01/1970. Depending on the application and the desired level of security, a programmer may choose alternative ways to seed RNGs. In general, hardware is more capable of generating truly random numbers. (For example, generate a sequence of bits by sampling the thermal noise of a diode and use it as a seed.)
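The following C program is an added example, not code from the CERT page: it reproduces the predictable sequence S of an unseeded rand() described above and, in place of the time() seed, takes a seed from the OS entropy pool (rand() itself remains unsuitable under MSC30-C; only the seeding is illustrated). It assumes /dev/urandom is available (Linux/BSD).

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SEQ_LEN 10

/* Draw SEQ_LEN values from rand() after srand(seed). Seeding with 1 reproduces
 * an unseeded program: the C standard (C99 7.20.2.2) says an unseeded rand()
 * behaves as if srand(1) had been called at program start. */
static void rand_sequence(unsigned seed, int out[SEQ_LEN]) {
    srand(seed);
    for (int i = 0; i < SEQ_LEN; i++) out[i] = rand();
}

/* Two "runs" of the unseeded program: the sequence S is identical each time,
 * so anyone who observed run 1 knows every value run 2 will produce. */
bool unseeded_runs_are_predictable(void) {
    int run1[SEQ_LEN], run2[SEQ_LEN];
    rand_sequence(1, run1);
    rand_sequence(1, run2);
    return memcmp(run1, run2, sizeof run1) == 0;
}

/* Take the seed from the OS entropy pool instead of time(), which only changes
 * once per second. /dev/urandom is assumed to exist (Linux/BSD); on failure the
 * caller should stop rather than fall back to a time() seed. */
bool seed_from_os_entropy(unsigned *seed) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return false;
    size_t got = fread(seed, sizeof *seed, 1, f);
    fclose(f);
    return got == 1;
}

/* Two runs seeded from the entropy pool get different seeds (a 32-bit collision
 * has probability 2^-32) and hence different sequences. */
bool os_entropy_seeds_differ(void) {
    unsigned a, b;
    return seed_from_os_entropy(&a) && seed_from_os_entropy(&b) && a != b;
}

int main(void) {
    int s[SEQ_LEN];
    rand_sequence(1, s);
    for (int i = 0; i < SEQ_LEN; i++) printf("%d ", s[i]);
    printf("<- unseeded S, repeats every run: %d\n", unseeded_runs_are_predictable());
    printf("OS-entropy seeds differ per run: %d\n", os_entropy_seeds_differ());
    return 0;
}
```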

Compliant Solution (Windows)

CryptGenRandom() (http://msdn.microsoft.com/en-us/library/aa379942.aspx) does not run the risk of not being properly seeded, because its arguments serve as the seed material. From the Microsoft Developer Network CryptGenRandom() reference [MSDN]:

The CryptGenRandom() function fills a buffer with cryptographically random bytes.

Syntax

BOOL WINAPI CryptGenRandom(
  __in     HCRYPTPROV hProv,
  __in     DWORD dwLen,
  __inout  BYTE *pbBuffer
);

Parameters

hProv [in]
    Handle of a cryptographic service provider (CSP) created by a call to CryptAcquireContext.
dwLen [in]
    Number of bytes of random data to be generated.
pbBuffer [in, out]
    Buffer to receive the returned data. This buffer must be at least dwLen bytes in length.
    Optionally, the application can fill this buffer with data to use as an auxiliary random seed.

...

Rule     Severity  Likelihood  Remediation Cost  Priority  Level
MSC32-C  medium    likely      low               P18       L1

Automated Detection

Tool          Version  Checker  Description  Section
Compass/ROSE

...


Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

Related Languages

This recommendation appears in the C++ Secure Coding Standard as MSC32-CPP. Ensure your random number generator is properly seeded.

Bibliography

[C++ Reference] Standard C Library (https://www.securecoding.cert.org/confluence/display/seccode/AA.+C+References#AA.CReferences-CPPReference)
[MITRE 2007] CWE ID 327, "Use of a Broken or Risky Cryptographic Algorithm" (http://cwe.mitre.org/data/definitions/327.html); CWE ID 330, "Use of Insufficiently Random Values" (http://cwe.mitre.org/data/definitions/330.html)
[MSDN] "CryptGenRandom Function" (http://msdn.microsoft.com/en-us/library/aa379942.aspx); see https://www.securecoding.cert.org/confluence/display/seccode/AA.+C+References#AA.CReferences-MSDN

...