The vmm-sys-util crate exposes a module called rand which exposing rand_alphanumerics() and rand_bytes(). As their name suggests, these functions generate random sequences of OsString and u8 values, however, they rely on the RDTSC for x86_64 systems and libc’s clock_gettime() for randomness. Frequently, people assume that bytes or sequences labeled as random are unpredictable and might use them for security-sensitive purposes. This could pose a problem in specific situations.
We found no relevant code in rust-vmm that would present itself as problematic, however, the rand_alphanumerics() is already being used to construct temporary files on Windows (c.f. vmm-sys-util/src/tempfile.rs), which are usually expected to be unpredictable.
Recommends to use, and if needed, wrap the rand or any other hardened crate providing a better source of randomness.
From @y-x41
The vmm-sys-util crate exposes a module called rand which exposing rand_alphanumerics() and rand_bytes(). As their name suggests, these functions generate random sequences of OsString and u8 values, however, they rely on the RDTSC for x86_64 systems and libc’s clock_gettime() for randomness. Frequently, people assume that bytes or sequences labeled as random are unpredictable and might use them for security-sensitive purposes. This could pose a problem in specific situations.
We found no relevant code in rust-vmm that would present itself as problematic, however, the rand_alphanumerics() is already being used to construct temporary files on Windows (c.f. vmm-sys-util/src/tempfile.rs), which are usually expected to be unpredictable.
Recommends to use, and if needed, wrap the rand or any other hardened crate providing a better source of randomness.