##### Page tree
Go to start of banner

# MSC50-CPP. Do not use std::rand() for generating pseudorandom numbers

Pseudorandom number generators use mathematical algorithms to produce a sequence of numbers with good statistical properties, but the numbers produced are not genuinely random.

The C Standard `rand()` function, exposed through the C++ standard library through `<cstdlib>` as `std::rand()`, makes no guarantees as to the quality of the random sequence produced. The numbers generated by some implementations of `std::rand()` have a comparatively short cycle, and the numbers can be predictable. Applications that have strong pseudorandom number requirements must use a generator that is known to be sufficient for their needs.

## Noncompliant Code Example

The following noncompliant code generates an ID with a numeric part produced by calling the `rand()` function. The IDs produced are predictable and have limited randomness. Further, depending on the value of `RAND_MAX`, the resulting value can have modulo bias.

```#include <cstdlib>
#include <string>

void f() {
std::string id("ID"); // Holds the ID, starting with the characters "ID" followed
// by a random integer in the range [0-10000].
id += std::to_string(std::rand() % 10000);
// ...
}```

## Compliant Solution

The C++ standard library provides mechanisms for fine-grained control over pseudorandom number generation. It breaks random number generation into two parts: one is the algorithm responsible for providing random values (the engine), and the other is responsible for distribution of the random values via a density function (the distribution). The distribution object is not strictly required, but it works to ensure that values are properly distributed within a given range instead of improperly distributed due to bias issues. This compliant solution uses the Mersenne Twister algorithm as the engine for generating random values and a uniform distribution to negate the modulo bias from the noncompliant code example.

```#include <random>
#include <string>

void f() {
std::string id("ID"); // Holds the ID, starting with the characters "ID" followed
// by a random integer in the range [0-10000].
std::uniform_int_distribution<int> distribution(0, 10000);
std::random_device rd;
std::mt19937 engine(rd());
id += std::to_string(distribution(engine));
// ...
}
```

This compliant solution also seeds the random number engine, in conformance with MSC51-CPP. Ensure your random number generator is properly seeded.

## Risk Assessment

Using the `std::rand()` function could lead to predictable random numbers.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MSC50-CPP

Medium

Unlikely

Low

P6

L2

## Automated Detection

Tool

Version

Checker

Description

Axivion Bauhaus Suite

6.9.0

CertC++-MSC50
Clang
4.0 (prerelease)
`cert-msc50-cpp`Checked by `clang-tidy`
CodeSonar
5.2p0
BADFUNC.RANDOM.RANDUse of `rand`
Compass/ROSE

ECLAIR

1.2

CC2.MSC30

Fully implemented

LDRA tool suite
9.7.1

44 S

Enhanced Enforcement

Parasoft C/C++test
10.4.2
CERT_CPP-MSC50-a

Do not use the rand() function for generating pseudorandom numbers

Polyspace Bug Finder

R2019b

CERT C++: MSC50-CPPChecks for use of vulnerable pseudo-random number generator (rule partially covered)
PRQA QA-C++
4.4
5028Fully implemented

## Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

## Related Guidelines

 SEI CERT C++ Coding Standard MSC51-CPP. Ensure your random number generator is properly seeded SEI CERT C Coding Standard MSC30-C. Do not use the rand() function for generating pseudorandom numbers CERT Oracle Secure Coding Standard for Java MSC02-J. Generate strong random numbers MITRE CWE CWE-327, Use of a Broken or Risky Cryptographic AlgorithmCWE-330, Use of Insufficiently Random Values

## Bibliography

 [ISO/IEC 9899:2011] Subclause 7.22.2, "Pseudo-random Sequence Generation Functions" [ISO/IEC 14882-2014] Subclause 26.5, "Random Number Generation"