...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Taxonomy | Taxonomy item | Relationship
---|---|---
CERT C Secure Coding Standard | MSC30-C. Do not use the rand() function for generating pseudorandom numbers | Prior to 2018-01-12: CERT: Unspecified Relationship
CERT C++ Coding Standard | MSC51-CPP. Ensure your random number generator is properly seeded | Prior to 2018-01-12: CERT: Unspecified Relationship
MITRE CWE 2.11 | CWE-327, Use of a Broken or Risky Cryptographic Algorithm | 2017-05-16: CERT: Rule subset of CWE
MITRE CWE 2.11 | CWE-330, Use of Insufficiently Random Values | 2017-06-28: CERT: Rule subset of CWE
MITRE CWE 2.11 | CWE-331, Insufficient Entropy | 2017-06-28: CERT: Exact
CERT-CWE Mapping Notes
CWE-327 and MSC32-C
- Intersection( MSC30-C, MSC32-C) = Ø
- MSC32-C says to properly seed pseudorandom number generators. For example, if you call rand(), make sure to seed it properly by calling srand() first. So far, we haven't found any calls to rand().
- Failure to seed a PRNG causes it to produce a reproducible (hence predictable and insecure) sequence of random numbers: every run of the program draws the same values, so an attacker who knows the generator can replay them.
- CWE-327 = Union( MSC32-C, list) where list =
  - Invocation of broken/risky crypto algorithms that are not properly seeded
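The following is an added example (not code from the CERT page) that makes the reproducibility point above concrete: a fixed or default seed yields the same sequence on every run, and seeding from the operating system's entropy source removes that replayability. It assumes a POSIX libc that provides random()/srandom() and a readable /dev/urandom; the function names are the example's own. rand() appears only to show the failure mode, since MSC30-C forbids it in security-relevant code.

```c
/* Added example, not part of the CERT page. Assumes a POSIX libc with
 * random()/srandom() and a readable /dev/urandom. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fill out[0..n) from rand() after seeding with `seed`. A program that never
 * calls srand() behaves as if srand(1) had been called (C11 7.22.2.2), so every
 * run of such a program produces exactly the seed-1 sequence. */
void fixed_seed_sequence(unsigned seed, int *out, size_t n) {
    srand(seed);
    for (size_t i = 0; i < n; i++)
        out[i] = rand();
}

/* Returns 1 if two fixed-seed runs give identical output: the MSC32-C hazard. */
int fixed_seed_is_reproducible(void) {
    int a[8], b[8];
    fixed_seed_sequence(1, a, 8);
    fixed_seed_sequence(1, b, 8);
    return memcmp(a, b, sizeof a) == 0;
}

/* Read sizeof(*seed) bytes of OS entropy into *seed. Returns 0 on success and
 * -1 on any failure; the caller must treat failure as fatal rather than fall
 * back to a guessable seed such as time(NULL) or a constant. */
int seed_from_os_entropy(unsigned *seed) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(seed, sizeof *seed, 1, f);
    fclose(f);
    return got == 1 ? 0 : -1;
}

/* Seed the POSIX random() generator from OS entropy and draw n values.
 * Returns 0 on success, -1 if no entropy could be obtained. */
int seeded_sequence(long *out, size_t n) {
    unsigned seed;
    if (seed_from_os_entropy(&seed) != 0)
        return -1;
    srandom(seed);
    for (size_t i = 0; i < n; i++)
        out[i] = random();
    return 0;
}

/* Returns 1 if two independently seeded draws differ, i.e. the output is no
 * longer a fixed, replayable sequence; 0 if they collide (probability roughly
 * 2^-32 for a 32-bit seed); -1 if entropy was unavailable. */
int os_seeded_runs_differ(void) {
    long a[8], b[8];
    if (seeded_sequence(a, 8) != 0 || seeded_sequence(b, 8) != 0)
        return -1;
    return memcmp(a, b, sizeof a) != 0;
}

int main(void) {
    printf("fixed seed reproducible: %d\n", fixed_seed_is_reproducible());
    printf("OS-seeded runs differ:   %d\n", os_seeded_runs_differ());
    return 0;
}
```

Proper seeding fixes the reproducibility problem but not the generator: random() remains a non-cryptographic PRNG whose future output can be recovered from a few observed values. For keys, tokens or nonces, draw directly from the OS CSPRNG (getrandom(), /dev/urandom, BCryptGenRandom) instead of seeding a library PRNG with it.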
CWE-330 and MSC32-C
- Independent( MSC30-C, MSC32-C, CON33-C)
- CWE-330 = Union( MSC30-C, MSC32-C, CON33-C, list) where list = other improper use or creation of random values. (e.g., the would qualify)
- MSC30-C, MSC32-C, and CON33-C are independent; they have no intersections. Each specifies a distinct error regarding PRNGs.
Bibliography
...