The C Standard function rand (available in stdlib.h) does not have good random number properties. The numbers generated by rand have a comparatively short cycle, and the numbers may be predictable.
Non-Compliant Code Example
The following code will generate predictable numbers with limited randomness.
int r; ... r = rand(); ...
Compliant Solution
A better pseudo random number generator is the BSD function random.
int r; srandom(time(0)); // seed the PRNG with the current time ... r = random(); ...
The rand48 family of functions provides another alternative.
Note. These pseudo random number generators use mathematical algorithms to produce a sequence of numbers with good statistical properties, but the numbers produced are not genuinely random. For true randomness, Linux users can use the character devices /dev/random or /dev/urandom, but it is advisable to retrieve only a small number of characters from these devices. (The device /dev/random may block for a long time if there are not enough events going on to generate sufficient randomness; /dev/urandom does not block.)
Risk Assessment
Using the rand function may lead to programming problems (for example, non-unique unique IDs) or weak cryptography.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
MSC30-C |
1 (low) |
1 (low) |
1 (high) |
P1 |
L3 |
References
- ISO/IEC 9899-1999 Section 7.20.2.1, "The rand function"