ctf.core: Use secureRandom for reaper
Using pseudorandom number generators (PRNGs) is security-sensitive.
For example, it has led in the past to the following vulnerabilities:
* CVE-2013-6386
* CVE-2006-3419
* CVE-2008-4102
When software generates predictable values in a context requiring
unpredictability, it may be possible for an attacker to guess the
next value that will be generated, and use this guess to impersonate
another user or access sensitive information.
As the java.util.Random class relies on a pseudorandom number generator,
this class and relating java.lang.Math.random() method should not be
used for security-critical applications or for protecting sensitive
data. In such context, the java.security.SecureRandom class which relies
on a cryptographically strong random number generator (RNG) should
be used in place.
Change-Id: I01b6165186a10f90e378c507b47d341cfa50608c
Signed-off-by: Matthew Khouzam <matthew.khouzam@ericsson.com>
Reviewed-on: https://git.eclipse.org/r/c/tracecompass/org.eclipse.tracecompass/+/182898
Tested-by: Trace Compass Bot <tracecompass-bot@eclipse.org>
Tested-by: Patrick Tasse <patrick.tasse@gmail.com>
Reviewed-by: Patrick Tasse <patrick.tasse@gmail.com>
diff --git a/ctf/org.eclipse.tracecompass.tmf.ctf.core/src/org/eclipse/tracecompass/internal/tmf/ctf/core/trace/iterator/CtfIteratorManager.java b/ctf/org.eclipse.tracecompass.tmf.ctf.core/src/org/eclipse/tracecompass/internal/tmf/ctf/core/trace/iterator/CtfIteratorManager.java
index 81a57a9..89c97e0 100644
--- a/ctf/org.eclipse.tracecompass.tmf.ctf.core/src/org/eclipse/tracecompass/internal/tmf/ctf/core/trace/iterator/CtfIteratorManager.java
+++ b/ctf/org.eclipse.tracecompass.tmf.ctf.core/src/org/eclipse/tracecompass/internal/tmf/ctf/core/trace/iterator/CtfIteratorManager.java
@@ -16,6 +16,7 @@
import static org.eclipse.tracecompass.common.core.NonNullUtils.checkNotNull;
+import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
@@ -70,7 +71,7 @@
public CtfIteratorManager(CtfTmfTrace trace) {
fMap = new HashMap<>();
fRandomAccess = new ArrayList<>();
- fRnd = new Random(System.nanoTime());
+ fRnd = new SecureRandom();
fTrace = trace;
}