SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 9

changes.mady.by.user Georgios Katsis

Saved on

compared with

New Version 10

changes.mady.by.user Georgios Katsis

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

It is widely known John von Neumann's quote:

 "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin."

Pseudorandom number generators (PRNGs) use deterministic mathematical algorithms  to produce a sequence of numbers with good statistical properties, but the numbers produced are not genuinely random. PRNGs usually start with an arithmetic seed value. The algorithm uses this seed in order to generate an output value and a new seed as well which is going to be used to generate the next value and so on.

The Java API provides a PRNG, the java.util.Random class. This PRNG built is portable and repeatable. As a consequence of that, if two Random instances are created using the same seed, they will generate identical sequences of numbers in all Java implementations.

Noncompliant Code Example

In case you use the same seed value, you will always get the same sequence of numbers, thus they will not be so "random" ones.

Code Block
bgColor#FFCCCC
import java.util.Random;
// ...

Random number = new Random(123L);
//...
for (int i=0; i<20; i++)
{
   // generate another random integer in the range [0,20]
   int n = number.nextInt(21);
   System.out.println(n);
}

Noncompliant Code Example

 Using a null seed value may prevent such problems. Java's default seed uses system's time in milliseconds. However, you should neither use two different generators with a null seed value nor "resetting" generator's instance more than once (using new Random() multiple times) as you may get identical numbers in the former case and number not actually random in the latter one.

Code Block
bgColor#FFCCCC
import java.util.Random;
// ...

Random number = new Random();
//...
for (int i=0; i<20; i++)
{
   // re-seed generator
   number = new Random();
   // generate another random integer in the range [0,20]
   int n = number.nextInt(21);
   System.out.println(n);
}




For non-critical cases, e.g. adding some randomness to a game, Random class is considered fine. However, it is not random enough to be used by more serious applications, e.g. cryptography.

Compliant Solution

This compliant solution uses java.security.SecureRandom class in order to produce high quality random numbers.

Code Block
bgColor#ccccff
import java.security.SecureRandom;
// ...

static SecureRandom number = SecureRandom.getInstance ("SHA-1");
// ...
// generate 20 integers 0..20
for (int i=0; i<20; i++)
{
  System.out.println(number.nextInt(21));
}

Risk Assessment

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

MSC30-J

medium

unlikely

medium

P4

L3 

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

This rule appears in the C++ Secure Coding Standard as MSC30-C. Do not use the rand() function for generating pseudorandom numbers.

References

Wiki Markup
\[[API 06|https://www.securecoding.cert.org/confluence/display/java/AA.+Java+References#AA.JavaReferences-API06]\]&nbsp;[Class Random|http://java.sun.com/javase/6/docs/api/java/util/Random.html]

Wiki Markup
\[[API 06|https://www.securecoding.cert.org/confluence/display/java/AA.+Java+References#AA.JavaReferences-API06]\] [Class SecureRandom|http://java.sun.com/javase/6/docs/api/java/security/SecureRandom.html]

Wiki Markup
\[[Find Bugs 08|https://www.securecoding.cert.org/confluence/display/java/AA.+Java+References#AA.JavaReferences-FindBugs08]\] BC: Random objects created and uses only once