Pseudorandom number generators use mathematical algorithms to produce a sequence of numbers with good statistical properties, but the numbers produced are not genuinely random.
The C Standard
rand() function, exposed through the C++ standard library through
std::rand(), makes no guarantees as to the quality of the random sequence produced. The numbers generated by some implementations of
std::rand() have a comparatively short cycle, and the numbers can be predictable. Applications that have strong pseudorandom number requirements must use a generator that is known to be sufficient for their needs.
Noncompliant Code Example
The following noncompliant code generates an ID with a numeric part produced by calling the
rand() function. The IDs produced are predictable and have limited randomness. Further, depending on the value of
RAND_MAX, the resulting value can have modulo bias.
The C++ standard library provides mechanisms for fine-grained control over pseudorandom number generation. It breaks random number generation into two parts: one is the algorithm responsible for providing random values (the engine), and the other is responsible for distribution of the random values via a density function (the distribution). The distribution object is not strictly required, but it works to ensure that values are properly distributed within a given range instead of improperly distributed due to bias issues. This compliant solution uses the Mersenne Twister algorithm as the engine for generating random values and a uniform distribution to negate the modulo bias from the noncompliant code example.
This compliant solution also seeds the random number engine, in conformance with MSC51-CPP. Ensure your random number generator is properly seeded.
std::rand() function could lead to predictable random numbers.
|Axivion Bauhaus Suite
|LDRA tool suite
Do not use the rand() function for generating pseudorandom numbers
|Polyspace Bug Finder
|CERT C++: MSC50-CPP
|Checks for use of vulnerable pseudo-random number generator (rule partially covered)
|SEI CERT C++ Coding Standard
|MSC51-CPP. Ensure your random number generator is properly seeded
|SEI CERT C Coding Standard
|MSC30-C. Do not use the rand() function for generating pseudorandom numbers
|CERT Oracle Secure Coding Standard for Java
|MSC02-J. Generate strong random numbers
|CWE-327, Use of a Broken or Risky Cryptographic Algorithm
CWE-330, Use of Insufficiently Random Values
|Subclause 7.22.2, "Pseudo-random Sequence Generation Functions"
|Subclause 26.5, "Random Number Generation"