Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Calling a PRNG in the same initial state, either without seeding it explicitly or by seeding it with the same value, results in generating the same sequence of random numbers in different runs of the program. If Consider a PRNG function that is called 10 times consecutively seeded with some initial seed value and is consecutively called to produce a sequence of 10 random numbers without being seeded, running the code for the first time produces the sequence S = {r1, r2, r3, r4, r5, r6, r7, r8, r9, r10}. If . If the PRNG is subsequently seeded with the same initial seed value, then it will generate the same sequentce sequence S.

As a result, after the first run of an improperly seeded PRNG, an attacker can predict the sequence of random numbers that will be generated in the future runs. Improperly seeding or failing to seed the PRNG can lead to vulnerabilities, especially in security protocols.

...

Call srandom() before invoking random() to seed the random sequence generated by random(). This compliant solution produces different random number sequences each time the program is runfunction is called, depending on the resolution of the system clock:

Code Block
bgColor#ccccff
langc
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
 
void func(void) {
  struct timespec ts;
  if (timespec_get(&ts, TIME_UTC) == 0) {
    /* Handle error */
  }
  else {
    srandom(ts.tv_nsec ^ ts.tv_sec);
    for (unsigned int i = 0; i < 10; ++i) {
      /* Generates different sequences at different runs */
      printf("%ld, ", random());
    }
  }
}

The output is as follows:

...

This may not be sufficiently random for concurrent execution, where it which may lead to correlated generated series in different threads, or for small embedded systems that have an unsigned int type with a width of 16 bits. (The POSIX standard specifies a minimum width of 32 bits for unsigned int. However, prior to the 2001 edition, POSIX.1 allowed 16 bit unsigned int).  Depending . Depending on the application and the desired level of security, a programmer may choose alternative ways to seed PRNGs. In general, hardware is more capable than software of generating real random numbers (for example, by sampling the thermal noise of a diode).

Compliant Solution (Windows)

The CryptGenRandomThe BCryptGenRandom() function  function does not run the risk of not being properly seeded because its arguments serve as seeders:

Code Block
bgColor#ccccff
langc
#include <stdio.h>
#include <Windows.h>
#include <wincrypt<Bcrypt.h>
#include <Ntstatus.h>
#include <stdio<Wincrypt.h>
 
void func(void) {
  HCRYPTPROV hCryptProvBCRYPT_ALG_HANDLE hAlgorithm = NULL;
  long rand_buf;
  /*PUCHAR ExamplepbBuffer of instantiating the CSP */
  if (CryptAcquireContext(&hCryptProv, NULL, NULL,= (PUCHAR) &rand_buf;
  ULONG cbBuffer                       PROV_RSA_FULL, 0)) {= sizeof(rand_buf);
  ULONG dwFlags printf("CryptAcquireContext succeeded.\n")= BCRYPT_USE_SYSTEM_PREFERRED_RNG;
  } else {
    printf("Error during CryptAcquireContext!\n")NTSTATUS status;
  }

  for (unsigned int i = 0; i < 10; ++i) {
    status if= BCryptGenRandom(!CryptGenRandom(hCryptProvhAlgorithm, sizeof(rand_buf),
  pbBuffer, cbBuffer, dwFlags);
    if (status                 (BYTE *)&rand_buf))== STATUS_SUCCESS) {
      printf("Error\n"%ld, ", rand_buf);
    } else {
      printf("%ld, ", rand_buf);/* Handle Error */
    }
  }
}

The output is as follows:

Code Block
1st run: -1597837311683378946, 9061306821957231690, -13080318861933176011, 1048837407-1745403355, -931041900883473417, -658114613882992405, -1709220953169629816, -10196972891824800038, 1802206541899851668,
         406505841,1702784647, 
2nd run: 885904119-58750553, -6873795561921870721, -17822968541973269161, 14437019161512649964, -624291047673518452, 2049692692234003619, -9904515631622633366, 1312389688, -1423078042125631172, 12570792112067680022,
         897185104,
3rd run: 190598304-189899579, -15374094641220698973, 1594174739752205360, -4244019161826365616, -197515347479310867, 8269129271430950090, 1705549595-283206168, -1515331215941773185, 474951399129633665,
         1982500583,543448789, 

Risk Assessment

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MSC32-C

Medium

Likely

Low

P18

L1

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

Supported, but no explicit checker
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-MSC32
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

HARDCODED.SEED
MISC.CRYPTO.TIMESEED

Hardcoded Seed in PRNG
Predictable Seed in PRNG

Cppcheck Premium

Include Page
Cppcheck Premium_V
Cppcheck Premium_V

premium-cert-msc32-cFully implemented
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C5031

C++5036


Klocwork
Include Page
Klocwork_V
Klocwork_V

CERT.MSC.SEED_RANDOM


PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

2460, 2461, 2760

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule MSC32-C


Checks for:

  • Deterministic random output from constant seed
  • Predictable random output from predictable seed

Rule fully covered.

Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-MSC32-d

Properly seed pseudorandom number generators

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

CERT C Secure Coding StandardMSC30-C. Do not use the rand() function for generating pseudorandom numbersPrior to 2018-01-12: CERT
C++ Secure Coding Standard
: Unspecified Relationship
CERT CMSC51
MSC32
-CPP. Ensure your random number generator is properly seeded
MITRE CWE
Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11CWE-327, Use of a Broken or Risky Cryptographic Algorithm2017-05-16: CERT: Rule subset of CWE
CWE 2.11CWE-330, Use of Insufficiently Random Values2017-06-28: CERT: Rule subset of CWE
CWE 2.11CWE-331, Insufficient Entropy2017-06-28: CERT: Exact

CERT-CWE Mapping Notes

Key here for mapping notes

CWE-327 and MSC32-C


  • Intersection( MSC30-C, MSC32-C) = Ø



  • MSC32-C says to properly seed pseudorandom number generators. For example, if you call rand(), make sure to seed it properly by calling srand() first. So far, we haven’t found any calls to rand().



  • Failure to seed a PRNG causes it to produce reproducible (hence insecure) series of random numbers.



  • CWE-327 = Union( MSC32-C, list) where list =



  • Invocation of broken/risky crypto algorithms that are not properly seeded




CWE-330 and MSC32-C

Independent( MSC30-C, MSC32-C, CON33-C)

CWE-330 = Union( MSC30-C, MSC32-C, CON33-C, list) where list = other improper use or creation of random values. (EG the would qualify)

MSC30-C, MSC32-C and CON33-C are independent, they have no intersections. They each specify distinct errors regarding PRNGs.

Bibliography

...


...

Image Modified Image Modified Image Modified