Page History

...

On Windows platforms, the BcryptGenRandomBCryptGenRandom() function can be used to generate cryptographically strong random numbers. The Microsoft Developer Network BCryptGenRandom() reference [MSDN] states:

The default random number provider implements an algorithm for generating random numbers that complies with the NIST SP800-90 standard, specifically the CTR_DRBG portion of that standard.

Code Block

bgColor	#ccccff
lang	c

#include <Windows.h>
#include <bcrypt.h>
#include <stdio.h>

#pragma comment(lib, "Bcrypt")

...

void func(void) {
  BCRYPT_ALG_HANDLE Prov;
  int Buffer;
  if (!BCRYPT_SUCCESS(
          BCryptOpenAlgorithmProvider(&Prov, BCRYPT_RNG_ALGORITHM,
                                      NULL, 0))) {
    /* handle error */
  }
  if (!BCRYPT_SUCCESS(BCryptGenRandom(Prov, (PUCHAR) (&Buffer),
                                      sizeof(Buffer), 0))) {
    /* handle error */
  }
  printf("Random number: %d\n", Buffer);
  BCryptCloseAlgorithmProvider(Prov, 0);
}

Risk Assessment

The use of the rand() function can result in predictable random numbers.

...

_VSupported, but no explicit checkerUsing a cryptographically weak PRQA QA-CFully implemented

Tool

Version

Checker

Description

Astrée

Include Page

	Astrée_V
	Astrée

_V

stdlib-use-rand

Fully checked

Axivion Bauhaus Suite

Include Page

	Axivion Bauhaus Suite_V
	Axivion Bauhaus Suite_V

CertC-MSC30

Clang

Include Page

	Clang_40_V
	Clang_40_V

cert-msc30-c

Checked by clang-tidy

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

BADFUNC.RANDOM.RAND

Use of rand

Compass/ROSE

Coverity

Include Page

	Coverity_V
	Coverity_V

DONTCALL

Implemented - weak support

Cppcheck Premium

Include Page

	Cppcheck Premium_V
	Cppcheck Premium_V

premium-cert-msc30-c

Fully implemented

ECLAIR

Include Page

	ECLAIR_V
	ECLAIR_V

CC2.MSC30

Fully implemented

Helix QAC

Include Page

	Helix QAC_V
	Helix QAC_V

C5022

C++5029

Klocwork

Include Page

	Klocwork_V
	Klocwork_V

CERT.MSC.STD_RAND_CALL

LDRA tool suite

Include Page

	LDRA_V
	LDRA_V

44 S

Enhanced enforcement

Parasoft C/C++test

Include Page

	Parasoft_V
	Parasoft_V

CERT_C-MSC30-a

Do not use the rand() function for generating pseudorandom numbers

PC-lint Plus

Include Page

	PC-lint Plus_V
	PC-lint Plus_V

586

Fully supported

Polyspace Bug Finder

Include Page

	Polyspace Bug Finder_V
	Polyspace Bug Finder_V

Vulnerable pseudo-random number generator

CERT C: Rule MSC30-C

Checks for vulnerable pseudo-random number generator

(rule fully covered)

RuleChecker

Include Page

PRQA QA-C_v

	RuleChecker_V
	RuleChecker_V

stdlib-use-rand

Fully checked

PRQA QA-C_v

5022

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

Invocation of other dangerous functions, besides rand().

Bibliography

[MSDN]	"CryptGenRandom Function""srand_s BCryptGenRandom() Function"
[OpenBSD]	`arc4random()`

...

Space shortcuts

Page tree

Versions Compared

Old Version 129

New Version Current

Key

Risk Assessment

Related Vulnerabilities

Bibliography