Google Git
Sign in
eclipse / gerrit / tracecompass / org.eclipse.tracecompass / 8f7f93ff811d70cee6e978fcf02df3af0455233a^! / .
commit8f7f93ff811d70cee6e978fcf02df3af0455233a[log] [tgz]
authorMatthew Khouzam <matthew.khouzam@ericsson.com>Thu Jul 08 10:47:21 2021 -0400
committerMatthew Khouzam <matthew.khouzam@ericsson.com>Wed Jul 28 16:00:30 2021 -0400
tree206d79ba72287649ddde3042db14f24d7eb64fc4
parent5d2a7b9cdb52d30f5ab916d706a8c50fac4c2b8e [diff]
ctf.core: Use secureRandom for reaper

Using pseudorandom number generators (PRNGs) is security-sensitive.
For example, it has led in the past to the following vulnerabilities:

*    CVE-2013-6386
*    CVE-2006-3419
*    CVE-2008-4102

When software generates predictable values in a context requiring
unpredictability, it may be possible for an attacker to guess the
next value that will be generated, and use this guess to impersonate
another user or access sensitive information.

As the java.util.Random class relies on a pseudorandom number generator,
this class and relating java.lang.Math.random() method should not be
used for security-critical applications or for protecting sensitive
data. In such context, the java.security.SecureRandom class which relies
on a cryptographically strong random number generator (RNG) should
be used in place.

Change-Id: I01b6165186a10f90e378c507b47d341cfa50608c
Signed-off-by: Matthew Khouzam <matthew.khouzam@ericsson.com>
Reviewed-on: https://git.eclipse.org/r/c/tracecompass/org.eclipse.tracecompass/+/182898
Tested-by: Trace Compass Bot <tracecompass-bot@eclipse.org>
Tested-by: Patrick Tasse <patrick.tasse@gmail.com>
Reviewed-by: Patrick Tasse <patrick.tasse@gmail.com>

diff --git a/ctf/org.eclipse.tracecompass.tmf.ctf.core/src/org/eclipse/tracecompass/internal/tmf/ctf/core/trace/iterator/CtfIteratorManager.java b/ctf/org.eclipse.tracecompass.tmf.ctf.core/src/org/eclipse/tracecompass/internal/tmf/ctf/core/trace/iterator/CtfIteratorManager.java
index 81a57a9..89c97e0 100644
--- a/ctf/org.eclipse.tracecompass.tmf.ctf.core/src/org/eclipse/tracecompass/internal/tmf/ctf/core/trace/iterator/CtfIteratorManager.java
+++ b/ctf/org.eclipse.tracecompass.tmf.ctf.core/src/org/eclipse/tracecompass/internal/tmf/ctf/core/trace/iterator/CtfIteratorManager.java

@@ -16,6 +16,7 @@
 
 import static org.eclipse.tracecompass.common.core.NonNullUtils.checkNotNull;
 
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -70,7 +71,7 @@
     public CtfIteratorManager(CtfTmfTrace trace) {
         fMap = new HashMap<>();
         fRandomAccess = new ArrayList<>();
-        fRnd = new Random(System.nanoTime());
+        fRnd = new SecureRandom();
         fTrace = trace;
     }