Pseudo-Random Number Bugs (PRN) CLASS
Definition
We define Pseudo-Random Number Bugs (PRN) as:
The software-generated output does not satisfy all use-specific pseudo-randomness requirements.
The output sequence is of random bits or numbers from a PRNG.
Type
Taxonomy
Fig. 1 depicts PRN causes, attributes and consequences.

Fig 1.
Pseudo-Random Number Bugs (PRN) CLASS
Attributes
Function – Conditioning, Mixing, Entropy Assessment, Seeding, Reseeding, Generate, Converting.
Algorithm – Concatenation, Hash Function, Block Cipher, XOR.
Used For – ASLR (Address Space Layout Randomization), Generation, Initialization, Input to Algorithm.
This is what the output sequence is used for. It could be used for ASLR, generation of passwords or cryptographic keying material (keys, nonces), initialization of cryptographic primitives (e.g., an initialization vector for cipher block chaining mode of encryption, or a salt for hashing), or input to simulation, statistics, mathematics (e.g., Monte Carlo integration), or general algorithms.
Pseudo-Randomness Requirement – Unpredictability/Indistinguishability, Prediction/Backtracking Resistance, Sufficient Space Size, Use Specific Statistical Tests. This is the failed requirement.
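Two of the requirements listed above, Sufficient Space Size and Use Specific Statistical Tests, can be checked directly in code. The following Python is an added example written for this page, not code from the Bugs Framework project or the cited paper. `weak_token` is a constructed generator whose 128-bit output depends only on a 16-bit seed (the seeding defect that the Seeding function and the Sufficient Space Size requirement describe), `strong_token` is the hardened form drawn from the `secrets` module, and `monobit_p_value` implements the SP 800-22 frequency (monobit) test. All function names, the `SEED_BITS` constant and the sample inputs are this example's own.

```python
import math
import random
import secrets

# Constructed weak generator: seeds a non-cryptographic PRNG (Mersenne Twister)
# with a value masked to 16 bits, as happens when a truncated clock or PID is
# used as the seed. The output is 128 bits wide, but the set of reachable
# outputs is capped by the seed space.
SEED_BITS = 16


def weak_token(seed: int, nbits: int = 128) -> int:
    """Return an nbits-wide token whose only variation comes from a 16-bit seed."""
    return random.Random(seed & ((1 << SEED_BITS) - 1)).getrandbits(nbits)


def strong_token(nbits: int = 128) -> int:
    """Hardened form: draw the token from the OS CSPRNG via the secrets module."""
    return secrets.randbits(nbits)


def effective_space_bits(seed_bits: int, output_bits: int) -> int:
    """Sufficient Space Size check: a deterministic generator can produce at most
    min(seed space, output space) distinct outputs, whatever the output width."""
    return min(seed_bits, output_bits)


def count_distinct_weak_tokens(seed_bits: int) -> int:
    """Measure the weak generator's real output space by walking its whole seed
    space; the count equals 2**seed_bits, far below the 2**128 the width suggests."""
    return len({weak_token(s) for s in range(1 << seed_bits)})


def monobit_p_value(data: bytes) -> float:
    """NIST SP 800-22 frequency (monobit) test. Returns the p-value for the
    hypothesis that ones and zeros are equally likely in the bit sequence."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s_n = ones - (n - ones)             # +1 for every 1 bit, -1 for every 0 bit
    s_obs = abs(s_n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def passes_monobit(data: bytes, alpha: float = 0.01) -> bool:
    """SP 800-22 convention: the sequence passes when the p-value is >= alpha."""
    return monobit_p_value(data) >= alpha


if __name__ == "__main__":
    # Constructed inputs: a stuck-at-zero output and a perfectly balanced one.
    print("all-zero bytes pass monobit:", passes_monobit(bytes(100)))        # False
    print("0x55 bytes pass monobit:", passes_monobit(bytes([0x55]) * 100))   # True
    # Space size: 128-bit tokens from a 16-bit seed are at most 2**16 values.
    print("effective bits:", effective_space_bits(SEED_BITS, 128))           # 16
    print("distinct tokens from 12-bit seeds:", count_distinct_weak_tokens(12))  # 4096
    # The weak generator's bits are statistically balanced, so it is likely to
    # pass monobit while still failing Sufficient Space Size: a statistical
    # test alone does not establish unpredictability.
    sample = b"".join(weak_token(s).to_bytes(16, "big") for s in range(64))
    print("weak tokens pass monobit:", passes_monobit(sample))
    print("strong token fits in 128 bits:", strong_token().bit_length() <= 128)
```

The two checks answer different questions. The monobit test covers the Use Specific Statistical Tests requirement and catches gross bias such as a stuck output, but the masked-seed generator passes it anyway; only the space-size bound exposes that its 128-bit tokens carry at most 16 bits of variation. In review, ask where the seed comes from and how many distinct values it can take before trusting the width of the output.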
Related BF Classes
Related CWEs and SFP
CWEs related to PRN are: CWE-330, CWE-331, CWE-332, CWE-334, CWE-335, CWE-336, CWE-337, CWE-338, CWE-339, CWE-340, CWE-341, CWE-342, CWE-343.
The only related SFP cluster is SFP Primary Cluster: Predictability.
BF Descriptions of PRN Related CWEs are provided here.
Application
Application examples are provided here.
References
[1] Bojanova, I., Yesha, Y., Black, P. E., "Randomness Classes in Bugs Framework (BF): True-Random Number Bugs (TRN) and Pseudo-Random Number Bugs (PRN)," IEEE COMPSAC 2018, NII, Tokyo, Japan, July 23-27, 2018.