CWE-330: Use of Insufficiently Random Values Documentation #698
+102
−2
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: ebakrra <bartlomiej.karas@ericsson.com>
myteron
requested changes
Dec 5, 2024
There was a problem hiding this comment.
Updated main readme.md !
Loads of empty lines with a single space. Please install black, format code and C&P into readme.md.
Suggest to update the MT to the publication, that is assuming the existing reference did not provide any more insights.
some formatting issues
Updated the blank spaces. Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com>
Co-authored-by: myteron <myteron@gmail.com> Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com>
Co-authored-by: myteron <myteron@gmail.com> Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com>
Co-authored-by: myteron <myteron@gmail.com> Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com>
Co-authored-by: myteron <myteron@gmail.com> Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com>
Co-authored-by: myteron <myteron@gmail.com> Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com>
myteron
requested changes
Dec 11, 2024
docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/compliant01.py
Outdated
Show resolved
Hide resolved
Signed-off-by: myteron <myteron@gmail.com>
Signed-off-by: myteron <myteron@gmail.com>
Signed-off-by: myteron <myteron@gmail.com>
Signed-off-by: myteron <myteron@gmail.com>
Signed-off-by: myteron <myteron@gmail.com>
Signed-off-by: myteron <myteron@gmail.com>
…communicate via review Signed-off-by: Helge Wehder <helge.wehder@ericsson.com>
myteron
approved these changes
Dec 12, 2024
s19110
suggested changes
Dec 23, 2024
Co-authored-by: Hubert Daniszewski <61824500+s19110@users.noreply.github.com> Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com>
Co-authored-by: Hubert Daniszewski <61824500+s19110@users.noreply.github.com> Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com>
Co-authored-by: Hubert Daniszewski <61824500+s19110@users.noreply.github.com> Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com>
Co-authored-by: Hubert Daniszewski <61824500+s19110@users.noreply.github.com> Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com>
Had one too many blank lines! Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com>
| Python's `random` module is a standard library module that provides functions to generate pseudorandom numbers for various distributions. This module can lead to a vulnerability due to its predictability. The random module is based on the Mersenne Twister `MT19937` | ||
| [[MATSUMOTO, NISHIMURA 1998](https://dl.acm.org/doi/pdf/10.1145/272991.272995)], which is a deterministic algorithm, that, given a particular input, will always produce the same output [[Wikipedia 2024](https://en.wikipedia.org/wiki/Deterministic_algorithm)]. An attacker knowing or guessing the seed value can predict the entire sequence of the pseudorandom numbers. This also means that if two `Random` class objects are created using an identical seed, they will generate the same sequence of numbers, regardless of the Python environment. | ||
|
|
||
| Therefore, the `random` module is unsuitable for applications requiring high security as it does not incorporate cryptographic randomness, which means it is not resistant to reverse engineering. Its limited entropy makes it easier for attackers to deduce the internal state of the generator and predict future outputs. |
There was a problem hiding this comment.
Suggested change
| Therefore, the `random` module is unsuitable for applications requiring high security as it does not incorporate cryptographic randomness, which means it is not resistant to reverse engineering. Its limited entropy makes it easier for attackers to deduce the internal state of the generator and predict future outputs. | |
| Therefore, the `random` module is unsuitable for applications requiring security as it does not incorporate cryptographic randomness, which means it is predictable. Its use makes it easy for attackers to deduce the internal state of the generator and predict future outputs. | |
"Reverse engineering" isn't the issue. The problem is that you're using the wrong algorithm.
|
|
||
| Therefore, the `random` module is unsuitable for applications requiring high security as it does not incorporate cryptographic randomness, which means it is not resistant to reverse engineering. Its limited entropy makes it easier for attackers to deduce the internal state of the generator and predict future outputs. | ||
|
|
||
| Instead, for generating random numbers, it is recommended to use a more robust option, such as Python's `secrets` module. |
There was a problem hiding this comment.
Suggested change
| Instead, for generating random numbers, it is recommended to use a more robust option, such as Python's `secrets` module. | |
| Instead, for generating random numbers for security purposes, use an appropriate option, such as Python's `secrets` module. | |
The random algorithm is robust, it's just robustly wrong when you use it for the wrong purpose.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Documentation for CWE-330, and a few minor code changes