Module cwe_checker_lib::checkers::cwe_332

Expand description

This module implements a check for CWE-332: Insufficient Entropy in PRNG.

This can happen, for instance, if the PRNG is not seeded. A classical example would be calling rand without srand. This could lead to predictable random numbers and could, for example, weaken crypto functionality.

See https://cwe.mitre.org/data/definitions/332.html for a detailed description.

How the check works

For pairs of a secure seeding function and a corresponding random number generator function (e.g. the pair (srand, rand), configurable in config.json) we check whether the program calls the random number generator without calling the seeding function.

False Positives

None known

False Negatives

It is not checked whether the seeding function gets called before the random number generator function.

Structs

Config
The configuration struct contains pairs of symbol names, where the first name is the name of a seeding function and the second name is the name of a corresponding random number generator access function. It is assumed that a program has to call the seeding function first to ensure that the RNG does not generate predictable random numbers.

Statics

CWE_MODULE
The module name and version

Functions

check_cwe
Run the CWE check. See the module-level description for more information.