...
This noncompliant code example generates a sequence of 10 pseudorandom numbers using the Mersenne Twister engine. No matter how many times this code is executed, it always produces the same sequence because the default seed is used for the engine:.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <random> #include <iostream> void f() { std::mt19937 engine; for (int i = 0; i < 10; ++i) { std::cout << engine() << ", "; } } |
The output is as follows:of this example follows.
Code Block |
---|
1st run: 3499211612, 581869302, 3890346734, 3586334585, 545404204, 4161255391, 3922919429, 949333985, 2715962298, 1323567403, 2nd run: 3499211612, 581869302, 3890346734, 3586334585, 545404204, 4161255391, 3922919429, 949333985, 2715962298, 1323567403, ... nth run: 3499211612, 581869302, 3890346734, 3586334585, 545404204, 4161255391, 3922919429, 949333985, 2715962298, 1323567403, |
...
Code Block | ||||
---|---|---|---|---|
| ||||
#include <random> #include <iostream> void f() { std::random_device dev; std::mt19937 engine(dev()); for (int i = 0; i < 10; ++i) { std::cout << engine() << ", "; } } |
The output is as follows: of this example follows.
Code Block |
---|
1st run: 3921124303, 1253168518, 1183339582, 197772533, 83186419, 2599073270, 3238222340, 101548389, 296330365, 3335314032, 2nd run: 2392369099, 2509898672, 2135685437, 3733236524, 883966369, 2529945396, 764222328, 138530885, 4209173263, 1693483251, 3rd run: 914243768, 2191798381, 2961426773, 3791073717, 2222867426, 1092675429, 2202201605, 850375565, 3622398137, 422940882, ... |
Risk Assessment
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MSC51-CPP | Medium | Likely | Low | P18 | L1 |
Automated Detection
Tool | Version | Checker | Description |
---|
Astrée |
| default-construction | Partially checked | ||||||
Axivion Bauhaus Suite |
| CertC++-MSC51 | |||||||
CodeSonar |
| HARDCODED.SEED | Hardcoded Seed in PRNG | ||||||
Helix QAC |
| C++5041 | |||||||
Klocwork |
| AUTOSAR.STDLIB.RANDOM.NBR_GEN_DEFAULT_INIT | |||||||
Polyspace Bug Finder |
| CERT C++: MSC51-CPP | Checks for:
Rule partially covered. | ||||||
Parasoft C/C++test |
| CERT_CPP-MSC51-a | Properly seed pseudorandom number generators | ||||||
PVS-Studio |
| V1057 | |||||||
RuleChecker |
| default-construction | Partially checked |
Related Vulnerabilities
Using a predictable seed value, such as the current time, result in numerous vulnerabilities, such as the one described by CVE-2008-1637.
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C Coding Standard | MSC32-C. Properly seed pseudorandom number generators |
MITRE CWE | CWE-327, Use of a Broken or Risky Cryptographic Algorithm CWE-330, Use of Insufficiently Random Values CWE-337, Predictable Seed in PRNG |
Bibliography
[ISO/IEC 9899:2011] | Subclause 7.22.2, "Pseudo-random Sequence Generation Functions" |
[ISO/IEC 14882-2014] | Subclause 26.5, "Random Number Generation" |
...
...