
Prohibit hardcoded/static passwords, IVs or salts #8

Open
fwendland opened this issue May 6, 2020 · 0 comments
Labels
enhancement New feature or request mark Concerns MARK files in Codyze

@fwendland
Collaborator

Problem:
Programs may use hardcoded/static passwords, IVs or salts for cryptographic operations. For example, devices may ship with a default password that is coded into the software/firmware. This information often causes vulnerabilities when users don't change the default values.

Example:

```java
import java.security.spec.KeySpec;
import javax.crypto.spec.PBEKeySpec;

byte[] salt = new byte[] { 0x2b, 0x5f, 0x13, 0x20 };   // static salt
String masterPass = "Test";                             // static password

// complain about use of hardcoded/static values
KeySpec pbeKeySpec = new PBEKeySpec(masterPass.toCharArray(), salt, 1000);
```

Proposed solution:
A MARK rule that prohibits the use of hardcoded/static passwords, IVs or salts.

Possible blockers:
May require a new builtin function to recognize a hardcoded/static value.

@fwendland fwendland added enhancement New feature or request mark Concerns MARK files in Codyze labels May 6, 2020
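As an added example (not Codyze or MARK code, and not from the issue author), the following Python sketch approximates the "recognize a hardcoded/static value" builtin the issue asks for: it records locals initialised from a literal and flags sensitive constructor calls that receive such a local or a literal directly. It is run over a constructed Java fragment containing the issue's snippet plus a random-IV counterpart; the list of sensitive constructors and the straight-line-only tracking are assumptions of this example, not a description of how Codyze's data-flow analysis works.

```python
import re

SENSITIVE_CTORS = ("PBEKeySpec", "IvParameterSpec", "SecretKeySpec", "GCMParameterSpec")  # assumed list
# A local initialised from a string literal or an inline byte/char array initialiser.
LITERAL_DECL = re.compile(
    r'^\s*(?:final\s+)?(?:String|char\[\]|byte\[\])\s+(\w+)\s*=\s*'
    r'(?:"[^"]*"|new\s+(?:byte|char)\[\]\s*\{[^}]*\})\s*;')
CTOR_CALL = re.compile(r'new\s+(' + '|'.join(SENSITIVE_CTORS) + r')\s*\((.*)\)')

def _split_args(args):
    """Split on commas at nesting depth 0 so `new byte[] {1, 2}` stays one argument."""
    out, cur, depth = [], [], 0
    for ch in args:
        depth += (ch in '({[') - (ch in ')}]')
        if ch == ',' and depth == 0:
            out.append(''.join(cur)); cur = []
        else:
            cur.append(ch)
    out.append(''.join(cur))
    return [a.strip() for a in out if a.strip()]

def _is_static(arg, static_vars):
    """True for a literal, or for a variable whose initialiser was a literal."""
    base = re.sub(r'\.(toCharArray|getBytes)\(\)$', '', arg)  # look through conversions
    if base.startswith('"') or base.startswith(('new byte[]', 'new char[]')):
        return True
    return base in static_vars

def find_hardcoded(java_source):
    """Return (line, constructor, argument) for every static secret-like argument."""
    static_vars, findings = set(), []
    for n, line in enumerate(java_source.splitlines(), 1):
        decl = LITERAL_DECL.match(line)
        if decl:
            static_vars.add(decl.group(1))
            continue
        call = CTOR_CALL.search(line)
        if call:
            for arg in _split_args(call.group(2)):
                if _is_static(arg, static_vars):
                    findings.append((n, call.group(1), arg))
    return findings

# Constructed Java fragment: the issue's snippet plus a random-IV counterpart that must not be flagged.
SAMPLE = "\n".join([
    'byte[] salt = new byte[] { 0x2b, 0x5f, 0x13, 0x20 };',
    'String masterPass = "Test";',
    'KeySpec pbeKeySpec = new PBEKeySpec(masterPass.toCharArray(), salt, 1000);',
    'byte[] iv = new byte[12];',
    'new SecureRandom().nextBytes(iv);',
    'GCMParameterSpec gcm = new GCMParameterSpec(128, iv);',
    'IvParameterSpec bad = new IvParameterSpec("0123456789abcdef".getBytes());',
])
```

Running `find_hardcoded(SAMPLE)` reports the password and salt on line 3 and the literal IV on line 7, while the `SecureRandom`-filled IV on line 6 passes; a real rule needs proper data-flow tracking so that aliases and values flowing through method calls are not missed.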