codyze
Prohibit hardcoded/static passwords, IVs or salts
Problem: Programs may use hardcoded/static passwords, IVs or salts for cryptographic operations. For example, devices may ship with a default password that is coded into the software/firmware. Such values often cause vulnerabilities when users don't change the defaults: a static salt lets an attacker precompute a single dictionary for every installation, a static IV leaks plaintext structure, and a static password is the same for every device.
Example:
import java.security.spec.KeySpec;
import javax.crypto.spec.PBEKeySpec;

// Both the salt and the password are compile-time literals, shared by every copy of the program.
byte[] salt = new byte[] { 0x2b, 0x5f, 0x13, 0x20 };
String masterPass = "Test";
// complain about use of hardcoded/static values
KeySpec pbeKeySpec = new PBEKeySpec(masterPass.toCharArray(), salt, 1000);
Proposed solution: A MARK rule that prohibits the use of hardcoded/static passwords, IVs or salts.
Possible blockers: May require a new builtin function to recognize a hardcoded/static value.
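For contrast with the flagged snippet above, here is the form the rule should accept: the salt comes from a CSPRNG and the password arrives at runtime instead of as a literal. This is an added illustration, not code from the codyze project; the iteration count (100,000), key length (256 bits) and the MASTER_PASSWORD environment variable are assumptions chosen for the example.

```java
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PbeKeyDerivation {
    private static final int SALT_LENGTH = 16;
    private static final int ITERATIONS = 100_000; // assumed value for the example
    private static final int KEY_BITS = 256;       // assumed value for the example

    // Fresh salt per derivation; it is not secret and is stored next to the ciphertext.
    static byte[] newSalt() {
        byte[] salt = new byte[SALT_LENGTH];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    // The password is a char[] obtained at runtime, never a String literal in the source.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // PBEKeySpec keeps its own copy; wipe it
        }
    }

    // Runtime sources for the password: an interactive console, or an env var (assumed name).
    static char[] readPassword() {
        if (System.console() != null) {
            return System.console().readPassword("Master password: ");
        }
        String fromEnv = System.getenv("MASTER_PASSWORD");
        if (fromEnv == null || fromEnv.isEmpty()) {
            throw new IllegalStateException("no password source available");
        }
        return fromEnv.toCharArray();
    }

    public static void main(String[] args) throws Exception {
        char[] password = readPassword();
        byte[] salt = newSalt();
        byte[] key = deriveKey(password, salt);
        Arrays.fill(password, '\0'); // wipe the caller's copy once the key exists
        System.out.printf("salt=%d bytes, key=%d bytes%n", salt.length, key.length);
    }
}
```

A rule built on the proposed builtin would only need to check that the `salt` and `password` arguments of the `PBEKeySpec` constructor are not constant-initialized, which is exactly the distinction between this example and the snippet in the issue.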