...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| CERT CSEI CERT C++ Coding Standard | MSC50-CPP. Do not use std::rand() for generating pseudorandom numbers | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CERT Oracle Secure Coding Standard for Java | MSC02-J. Generate strong random numbers | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CWE 2.11MITRE CWE | CWE-327, Use of a Broken or Risky Cryptographic Algorithm | 2017-05-16: CERT: Rule subset of CWE |
| CWE 2.11 | CWE-330, Use of Insufficiently Random ValuesCWE-331, Insufficient Entropy | 2017-06-28: CERT: Rule subset of CWE |
| CWE 2.11 | CWE-338, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | 2017-06-28: CERT: Rule subset of CWE |
| CWE 2.11 | CWE-676 | 2017-05-18: CERT: Rule subset of CWE |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-327 and MSC30-C
- CWE-327 forbids “broken or risky cryptographic algorithms” but does not specify what constitutes such an algo.
- Per CERT judgement, rand() qualifies, so:
- CWE-327 = Union( MSC30-C, list) where list =
- Invocation of broken/risky crypto algorithms besides rand()
CWE-338 and MSC30-C
CWE-338 = Union( MSC30-C, list) where list =
- Use of a weak PRNG besides standard C rand().
CWE-330 and MSC30-C
Independent( MSC30-C, MSC32-C, CON33-C)
CWE-330 = Union( MSC30-C, MSC32-C, CON33-C, list) where list = other improper use or creation of random values. (EG the would qualify)
MSC30-C, MSC32-C and CON33-C are independent, they have no intersections. They each specify distinct errors regarding PRNGs.
CWE-676 and MSC30-C
- Independent( ENV33-C, CON33-C, STR31-C, EXP33-C, MSC30-C, ERR34-C)
- MSC30-C implies that rand() is dangerous.
- CWE-676 = Union( MSC30-C, list) where list =
- Invocation of other dangerous functions, besides rand().
Bibliography
...