From @y-x41
The vmm-sys-util crate exposes a module called rand which exposes rand_alphanumerics() and rand_bytes(). As their names suggest, these functions generate random sequences of OsString and u8 values; however, they rely on RDTSC on x86_64 systems and on libc's clock_gettime() for randomness. Frequently, people assume that bytes or sequences labeled as random are unpredictable and might use them for security-sensitive purposes. This could pose a problem in specific situations.
We found no relevant code in rust-vmm that would present itself as problematic; however, rand_alphanumerics() is already being used to construct temporary files on Windows (cf. vmm-sys-util/src/tempfile.rs), which are usually expected to be unpredictable.
We recommend using, and if needed wrapping, the rand crate or any other hardened crate providing a better source of randomness.
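The two points of the report, shown side by side in an added example that is not code from vmm-sys-util or from the reporter: a clock-seeded generator is fully reproducible from its seed (here a toy xorshift, standing in for the RDTSC/clock_gettime()-seeded approach, not the crate's real algorithm), while the hardened replacement draws from the OS CSPRNG and maps bytes to alphanumerics with rejection sampling so that no character is more likely than another. The /dev/urandom path is an assumption (Unix host); a real project would use the `getrandom` or `rand` crate as the issue recommends, but the bias-free mapping is the same either way.

```rust
use std::fs::File;
use std::io::Read;

/// Alphabet for generated names (constructed for this example; 62 symbols).
const ALPHABET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

/// Largest multiple of 62 that fits in a byte: 4 * 62 = 248. Bytes at or
/// above this value are rejected so that every alphabet symbol has exactly
/// four preimages among the 256 byte values.
const REJECT_FROM: u8 = 248;

/// Deliberately weak generator modelled on the issue: the entire output is a
/// function of a single clock-like seed, so anyone who can guess the seed can
/// reproduce every byte. Toy xorshift64, not vmm-sys-util's code.
pub fn weak_bytes(seed: u64, len: usize) -> Vec<u8> {
    let mut state = seed | 1; // xorshift must never start from zero
    (0..len)
        .map(|_| {
            state ^= state << 13;
            state ^= state >> 7;
            state ^= state << 17;
            (state >> 56) as u8
        })
        .collect()
}

/// Fill `buf` from the operating system's CSPRNG.
/// Assumption: a Unix host exposing /dev/urandom.
pub fn os_random_bytes(buf: &mut [u8]) -> std::io::Result<()> {
    File::open("/dev/urandom")?.read_exact(buf)
}

/// Number of byte values (0..=255) that map onto each alphabet symbol.
/// With `rejecting == false` the naive `b % 62` mapping is used and the first
/// eight symbols each receive five preimages instead of four, i.e. they are
/// 25% more likely than the rest; with `rejecting == true` all counts are equal.
pub fn preimage_counts(rejecting: bool) -> Vec<usize> {
    let mut counts = vec![0usize; ALPHABET.len()];
    for b in 0u8..=255 {
        if rejecting && b >= REJECT_FROM {
            continue;
        }
        counts[(b % ALPHABET.len() as u8) as usize] += 1;
    }
    counts
}

/// Hardened replacement for rand_alphanumerics(): OS randomness plus rejection
/// sampling, so the output is both unpredictable and uniformly distributed.
pub fn os_rand_alphanumerics(len: usize) -> std::io::Result<String> {
    let mut out = String::with_capacity(len);
    let mut chunk = [0u8; 64];
    while out.len() < len {
        os_random_bytes(&mut chunk)?;
        for &b in chunk.iter() {
            if b >= REJECT_FROM {
                continue; // rejected to avoid modulo bias
            }
            out.push(ALPHABET[(b % ALPHABET.len() as u8) as usize] as char);
            if out.len() == len {
                break;
            }
        }
    }
    Ok(out)
}

fn main() -> std::io::Result<()> {
    // Same "timestamp" seed, same output: the weak generator is predictable.
    println!("weak  #1: {:?}", weak_bytes(1_700_000_000, 8));
    println!("weak  #2: {:?}", weak_bytes(1_700_000_000, 8));
    println!("bias without rejection: {:?}", preimage_counts(false));
    println!("bias with rejection:    {:?}", preimage_counts(true));
    println!("os name: {}", os_rand_alphanumerics(16)?);
    Ok(())
}
```

The `preimage_counts` check is the one to keep around in a code review: any mapping from bytes to an alphabet whose size does not divide 256 needs either rejection or a wider sample, and the check makes the skew visible without any statistics.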