...
As a solution, you should always ensure that your RNG is properly seeded. Seeding an RNG means that it will generate different sequences of random numbers at any call.
Rule MSC30-C. Do not use the rand() function for generating pseudorandom numbers addresses RNGs from a different perspective, which is the cycle of the random number sequence: that is, the interval, during a single run of an RNG, after which the RNG generates the same random numbers again. Rule MSC30-C deprecates the rand() function because it generates numbers that have a comparatively short cycle. The same rule proposes the use of the random() function for POSIX and the CryptGenRandom() function for Windows.
The current rule (MSC32-C) examines, in terms of seeding, all three RNGs mentioned in rule MSC30-C. Noncompliant code examples correspond to the use of an RNG without a seed, while compliant solutions correspond to the same RNG being properly seeded. Rule MSC32-C complies with rule MSC30-C and does not recommend the use of the rand() function. Nevertheless, if it is unavoidable to use rand(), it should at least be properly seeded.
...
Although the rand() function is now properly seeded, this solution is still noncompliant because the numbers generated by rand() have a comparatively short cycle, and the numbers may be predictable. (See rule MSC30-C. Do not use the rand() function for generating pseudorandom numbers.)
...
This noncompliant code example generates a sequence of 10 pseudorandom numbers using the random() function. When random() is not seeded, it behaves like rand() and thus produces the same sequence of random numbers at different calls.
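The behaviour described above can be checked directly. The following is an added example, not code from the CERT page: it compares the unseeded random() sequence with the one produced after srandom(1), and shows that equal seeds repeat a sequence while different seeds do not. The helper names (draw, default_equals_seed_one, same_sequence) and the clock-based seed in main() are assumptions of this example.

```c
#define _XOPEN_SOURCE 700 /* expose random() and srandom() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define N 10 /* sequence length used in the text above */

/* Fill out[] with the next N values from random(). */
static void draw(long out[N]) {
    for (int i = 0; i < N; i++)
        out[i] = random();
}

/* 1 if the generator's initial, never-seeded state yields the same
 * sequence as srandom(1). Call before anything has seeded it. */
int default_equals_seed_one(void) {
    long unseeded[N], seeded[N];
    draw(unseeded);
    srandom(1);
    draw(seeded);
    return memcmp(unseeded, seeded, sizeof unseeded) == 0;
}

/* 1 if seeds a and b produce identical N-value sequences. */
int same_sequence(unsigned a, unsigned b) {
    long x[N], y[N];
    srandom(a);
    draw(x);
    srandom(b);
    draw(y);
    return memcmp(x, y, sizeof x) == 0;
}

int main(void) {
    printf("unseeded == srandom(1): %d\n", default_equals_seed_one());
    printf("seed 42 twice identical: %d\n", same_sequence(42u, 42u));
    printf("seed 42 vs 43 identical: %d\n", same_sequence(42u, 43u));

    /* Seed from the clock so each run starts a different sequence
     * (the seed source is an assumption of this example). */
    srandom((unsigned)time(NULL));
    for (int i = 0; i < N; i++)
        printf("%ld\n", random());
    return 0;
}
```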
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related
...
Guidelines
CERT C++ Secure Coding Standard: MSC32-CPP. Ensure your random number generator is properly seeded
MITRE CWE: CWE-327, "Use of a Broken or Risky Cryptographic Algorithm"
MITRE CWE: CWE-330, "Use of Insufficiently Random Values"
Bibliography
[C++ Reference] Standard C Library
[MITRE 2007] CWE ID 327 (http://cwe.mitre.org/data/definitions/327.html), "Use of a Broken or Risky Cryptographic Algorithm," CWE ID 330 (http://cwe.mitre.org/data/definitions/330.html), "Use of Insufficiently Random Values"
[MSDN] "CryptGenRandom Function" (http://msdn.microsoft.com/en-us/library/aa379942.aspx)
...