CWE Rule 798

Use of Hard-coded Credentials

Since R2023a

Description

Rule Description

The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Polyspace Implementation

The rule checker checks for these issues:

Constant cipher key
Hard-coded sensitive data

Examples

expand all

Constant cipher key

Issue

This issue occurs when you use a constant for the encryption or decryption key.

Risk

If you use a constant for the encryption or decryption key, an attacker can retrieve your key easily.

You use a key to encrypt and later decrypt your data. If a key is easily retrieved, data encrypted using that key is not secure.

Fix

Produce a random key by using a strong random number generator.

For a list of random number generators that are cryptographically weak, see Vulnerable pseudo-random number generator.

Example — Constants Used for Key



#include <openssl/evp.h>
#include <stdlib.h>
#define SIZE16 16

int func(EVP_CIPHER_CTX *ctx, unsigned char *iv){
    unsigned char key[SIZE16] = {'1', '2', '3', '4','5','6','b','8','9',
                                 '1','2','3','4','5','6','7'};
    return EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv, 1);  //Noncompliant
}

In this example, the cipher key, key, has constants only. An attacker can easily retrieve a constant key.

Correction — Use Random Key

Use a strong random number generator to produce the cipher key. The corrected code here uses the function RAND_bytes declared in openssl/rand.h.



#include <openssl/evp.h>
#include <openssl/rand.h>
#include <stdlib.h>
#define SIZE16 16

int func(EVP_CIPHER_CTX *ctx, unsigned char *iv){
    unsigned char key[SIZE16];
    RAND_bytes(key, 16);
    return EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv, 1); 
}

Hard-coded sensitive data

Issue

This issue occurs when data that is potentially sensitive is directly exposed in the code, for instance, as string literals. The checker identifies certain data as sensitive from their use in certain functions such as password encryption functions.

Following data can be potentially sensitive.

Type of Data	Functions That Indicate Sensitive Nature of Information
Host name	`sethostname`, `setdomainname`, `gethostbyname`, `gethostbyname2`, `getaddrinfo`, `gethostbyname_r`, `gethostbyname2_r` (string argument) `inet_aton`, `inet_pton`, `inet_net_pton`, `inet_addr`, `inet_network` (string argument) `mysql_real_connect`, `mysql_real_connect_nonblocking`, `mysql_connect` (2nd argument)
Password	`CreateProcessWithLogonW`, `LogonUser` (1st argument) `mysql_real_connect`, `mysql_real_connect_nonblocking`, `mysql_connect` (3rd argument)
Database	MySQL: `mysql_real_connect`, `mysql_real_connect_nonblocking`, `mysql_connect` (4th argument) SQLite: `sqlite3_open`, `sqlite3_open16`, `sqlite3_open_v2` (1st argument) PostgreSQL: `PQconnectdb` Microsoft SQL: `SQLDriverConnect` (3rd argument)
User name	`getpw`, `getpwnam`, `getpwnam_r`, `getpwuid`, `getpwuid_r`
Salt	`crypt`, `crypt_r` (2nd argument)
Cryptography keys and initialization vectors	OpenSSL: `EVP_CipherInit`, `EVP_EncryptInit`, `EVP_DecryptInit` (3rd argument) `EVP_CipherInit_ex`, `EVP_EncryptInit_ex`, `EVP_DecryptInit_ex` (4th argument)
Seed	`srand`, `srandom`, `initstate` (1st argument) OpenSSL: `RAND_seed`, `RAND_add`

Risk

Information that is hardcoded can be queried from binaries generated from the code.

Fix

Avoid hard coding sensitive information.

Example — Sensitive Data Exposed Through String Literals

// Typically, you include the header "mysql.h" with function and type declarations.
// In this example, only the required lines from the header are quoted.

typedef struct _MYSQL MYSQL;

MYSQL *mysql_real_connect(MYSQL *mysql,
                          const char *host, const char *user, const char *passwd,
                          const char *db, unsigned int port, const char *unix_socket,
                          unsigned long client_flag);

typedef void * DbHandle;
extern MYSQL *sql;

// File that uses functions from "mysql.h" 
const char *host = "localhost";
char *user = "guest";
char *passwd;

DbHandle connect_to_database_server(const char *db)
{
    passwd = (char*)"guest";
    return (DbHandle)
        mysql_real_connect (sql, host, user, passwd, db, 0, 0x0, 0); //Noncompliant 
}

In this example, the arguments host (host name), user (user name), and passwd (password) are string literals and directly exposed in the code.

Querying the generated binary for ASCII strings can reveal this information.

Correction – Read Sensitive Data from Secured Configuration Files

One possible correction is to read the data from a configuration file. In the following corrected example, the call to function connect_to_database_server_init presumably reads the host name, user name, and password into its arguments from a secured configuration file.

// Typically, you include the header "mysql.h" with function and type declarations.
// In this example, only the required lines from the header are quoted.

typedef struct _MYSQL MYSQL;

MYSQL *mysql_real_connect(MYSQL *mysql,
                          const char *host, const char *user, const char *passwd,
                          const char *db, unsigned int port, const char *unix_socket,
                          unsigned long client_flag);

typedef void * DbHandle;
extern MYSQL *sql;

// File that uses functions from "mysql.h" 

int connect_to_database_server_init(const char **host,
                                    const char **user,
                                    const char **passwd,
                                    const char **db);

DbHandle connect_to_database_server(const char *db)
{
    const char *host_from_cfg;
    const char *user_from_cfg;
    const char *passwd_from_cfg;
    const char *db_from_cfg;
    if (connect_to_database_server_init(&host_from_cfg,
                                        &user_from_cfg,
                                        &passwd_from_cfg,
                                        &db_from_cfg))
    {
        return (DbHandle)
            mysql_real_connect (sql, host_from_cfg, user_from_cfg, 
                        passwd_from_cfg, db_from_cfg,  0, 0x0, 0);
    }
    else
        return (DbHandle)0x0;
}

Check Information

Category: Credentials Management Errors

Version History

Introduced in R2023a