
Calling a Random Number Generator (RNG) that has not been seeded results in the same sequence of random numbers being generated in every run of the program.

Suppose there is code that calls an RNG function 10 times to produce a sequence of 10 random numbers, and suppose that this RNG is not seeded. Running the code for the first time produces the sequence S = <r1, r2, r3, r4, r5, r6, r7, r8, r9, r10>. Running the code a second time produces exactly the same sequence S. In general, every subsequent run of the code generates the same sequence S.

As a result, the sequence of random numbers is known in advance, and this can lead to many vulnerabilities, especially where security protocols are concerned.

Calling the rand() function several times to produce a sequence of pseudorandom numbers generates the same sequence in different runs of the program.

This is a security threat because, after observing the first run, an attacker can predict the sequence that every later run will generate.

Noncompliant Code Example

This noncompliant code example generates a sequence of 10 pseudorandom numbers. No matter how many times this code is executed, it always produces the same sequence.

#include <stdio.h>
#include <stdlib.h>

for (int i = 0; i < 10; i++) {
    printf("%d\n", rand()); /* Always generates the same sequence */
}

Compliant Solution

Use srand() before rand() to seed the random sequence generated by rand().

#include <stdio.h>
#include <stdlib.h>
#include <time.h>

srand((unsigned int) time(NULL)); /* Create seed based on current time */

for (int i = 0; i < 10; i++) {
    printf("%d\n", rand()); /* Generates different sequences at different runs */
}
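The following program is an added example written for this page; it is not part of the CERT rule text. It makes the behaviour described in the two code examples above checkable: the C standard specifies that rand() behaves as if srand(1) had been called at program start, so seeding with 1 reproduces the "unseeded" sequence exactly, while a different seed produces a different sequence. The sequence length of 10 and the helper names (fill_sequence, sequences_equal, unseeded_is_reproducible, different_seeds_differ) are this example's own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
#include <time.h>

#define SEQ_LEN 10   /* length of the generated sequence; chosen for this example */

/* Seed rand() with the given seed and draw SEQ_LEN values into out. */
void fill_sequence(unsigned int seed, int out[SEQ_LEN]) {
    srand(seed);
    for (size_t i = 0; i < SEQ_LEN; i++) {
        out[i] = rand();
    }
}

/* Return 1 if both sequences are identical, 0 otherwise. */
int sequences_equal(const int a[SEQ_LEN], const int b[SEQ_LEN]) {
    return memcmp(a, b, sizeof(int) * SEQ_LEN) == 0;
}

/* The C standard says an unseeded rand() behaves as if srand(1) had been
 * called, so seeding with 1 twice reproduces the "unseeded" sequence.
 * Returns 1 when the two draws match, which is what the noncompliant
 * example above relies on without realising it. */
int unseeded_is_reproducible(void) {
    int first[SEQ_LEN], second[SEQ_LEN];
    fill_sequence(1u, first);
    fill_sequence(1u, second);
    return sequences_equal(first, second);
}

/* Returns 1 when two different seeds give different sequences, i.e. the
 * seed actually changes what rand() produces. */
int different_seeds_differ(unsigned int s1, unsigned int s2) {
    int a[SEQ_LEN], b[SEQ_LEN];
    fill_sequence(s1, a);
    fill_sequence(s2, b);
    return !sequences_equal(a, b);
}

int main(void) {
    int seq[SEQ_LEN];

    printf("seed 1 reproduces the unseeded sequence: %s\n",
           unseeded_is_reproducible() ? "yes" : "no");
    printf("seeds 1 and 2 give different sequences: %s\n",
           different_seeds_differ(1u, 2u) ? "yes" : "no");

    /* Same approach as the compliant solution: seed from the clock. */
    fill_sequence((unsigned int) time(NULL), seq);
    for (size_t i = 0; i < SEQ_LEN; i++) {
        printf("%d\n", seq[i]);
    }
    return 0;
}
```

Because the whole sequence is a function of the seed alone, the reproducibility check also explains a limitation of seeding from time(NULL): two processes started within the same second receive the same seed and therefore print the same ten values.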

Risk Assessment

Rule      Severity   Likelihood   Remediation Cost   Priority   Level
MSC18-C              likely

Automated Detection

 TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

This recommendation appears in the C++ Secure Coding Standard as MSC32-CPP. Ensure your random number generator is properly seeded.

References

C++Reference
