CWE Rule 335
Description
Rule Description
The software uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.
Polyspace Implementation
The rule checker checks for these issues:
Deterministic random output from constant seed
Predictable random output from predictable seed
Examples
This issue occurs when you use standard random number generator functions that have deterministic output given a constant seed.
The checker detects this issue with the following random number generator functions:
C Standard Library functions such as
srand
,srandom
andinitstate
OpenSSL functions such as
RAND_seed
andRAND_add
C++ Standard Library functions such as
std::linear_congruential_engine<>::seed()
andstd::mersenne_twister_engine<>::seed()
(and also the constructors of these class templates)
With constant seeds, random number generator functions produce the same output every time your program is run. A hacker can disrupt your program if they know how your program behaves.
Use a different random standard function or use a nonconstant seed.
Some standard random routines are inherently cryptographically weak, and should not be used for security purposes.
#include <stdlib.h>
void random_num(void)
{
srand(12345U); //Noncompliant
/* ... */
}
This example initializes a random number generator using srand
with
a constant seed. The random number generation is deterministic,
making this function cryptographically weak.
One possible correction is to use a random number generator
that does not require a seed. This example uses rand_s
.
#define _CRT_RAND_S
#include <stdlib.h>
#include <stdio.h>
unsigned int random_num_time(void)
{
unsigned int number;
errno_t err;
err = rand_s(&number);
if(err != 0)
{
return number;
}
else
{
return err;
}
}
This issue occurs when you use standard random number generator functions with a nonconstant
but predictable seed. Examples of predictable seed generators are
time
, gettimeofday
, and
getpid
.
The checker detects this issue with the following random number generator functions:
C Standard Library functions such as
srand
,srandom
andinitstate
C++ Standard Library functions such as
std::linear_congruential_engine<>::seed()
andstd::mersenne_twister_engine<>::seed()
(and also the constructors of these class templates)
When you use predictable seed values for random number generation, your random numbers are also predictable. A hacker can disrupt your program if they know how your program behaves.
You can use a different function to generate less predictable seeds.
You can also use a different random number generator that does
not require a seed. For example, the Windows® API function rand_s
seeds
itself by default. It uses information from the entire system, for
example, system time, thread ids, system counter, and memory clusters.
This information is more random and a user cannot access this information.
Some standard random routines are inherently cryptographically weak, and should not be used for security purposes.
#include <stdlib.h>
#include <time.h>
void seed_rng(int seed)
{
srand(seed); //Noncompliant
}
int generate_num(void)
{
seed_rng(time(NULL) + 3);
/* ... */
}
This example uses srand
to start the random
number generator with seed
as the seed. However, seed
is
predictable because the function time
generates
it. So, an attacker can predict the random numbers generated by srand
.
One possible correction is to use a random number generator
that does not require a seed. This example uses rand_s
.
#define _CRT_RAND_S
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
int generate_num(void)
{
unsigned int number;
errno_t err;
err = rand_s(&number);
if(err != 0)
{
return number;
}
else
{
return err;
}
}
Check Information
Category: Random Number Issues |
Version History
Introduced in R2023a
See Also
External Websites
MATLAB Command
You clicked a link that corresponds to this MATLAB command:
Run the command by entering it in the MATLAB Command Window. Web browsers do not support MATLAB commands.
웹사이트 선택
번역된 콘텐츠를 보고 지역별 이벤트와 혜택을 살펴보려면 웹사이트를 선택하십시오. 현재 계신 지역에 따라 다음 웹사이트를 권장합니다:
또한 다음 목록에서 웹사이트를 선택하실 수도 있습니다.
사이트 성능 최적화 방법
최고의 사이트 성능을 위해 중국 사이트(중국어 또는 영어)를 선택하십시오. 현재 계신 지역에서는 다른 국가의 MathWorks 사이트 방문이 최적화되지 않았습니다.
미주
- América Latina (Español)
- Canada (English)
- United States (English)
유럽
- Belgium (English)
- Denmark (English)
- Deutschland (Deutsch)
- España (Español)
- Finland (English)
- France (Français)
- Ireland (English)
- Italia (Italiano)
- Luxembourg (English)
- Netherlands (English)
- Norway (English)
- Österreich (Deutsch)
- Portugal (English)
- Sweden (English)
- Switzerland
- United Kingdom (English)