|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## No guarantees |
| 4 | + |
| 5 | +Support is provided on a best-effort bases only. |
| 6 | +No binding guarantees can be provided. |
| 7 | + |
| 8 | +## Security premises |
| 9 | + |
| 10 | +Rand provides the trait `rand_core::CryptoRng` aka `rand::CryptoRng` as a marker |
| 11 | +trait. Generators implementating `RngCore` *and* `CryptoRng`, and given the |
| 12 | +additional constraints that: |
| 13 | + |
| 14 | +- Instances of seedable RNGs (those implementing `SeedableRng`) are |
| 15 | + constructed with cryptographically secure seed values |
| 16 | +- The state (memory) of the RNG and its seed value are not be exposed |
| 17 | + |
| 18 | +are expected to provide the following: |
| 19 | + |
| 20 | +- Given all prior output from the RNG, for each bit of non-error output from |
| 21 | + an `RngCore` method, there exists no known computationally-feasible |
| 22 | + algorithm to predict the bit with probability significantly greater than 50% |
| 23 | +- There are strong expectations that no such algorithm exists |
| 24 | + |
| 25 | +For some RNGs, notably `OsRng`, `ThreadRng` and those wrapped by `ReseedingRng`, |
| 26 | +we provide limited mitigations against side-channel attacks: |
| 27 | + |
| 28 | +- After a process fork on Unix, there is an upper-bound on the number of bits |
| 29 | + output by the RNG before the processes diverge, after which outputs from |
| 30 | + each process's RNG are uncorrelated |
| 31 | +- After the state (memory) of an RNG is leaked, there is an upper-bound on the |
| 32 | + number of bits of output by the RNG before prediction of output by an |
| 33 | + observer again becomes computationally-infeasible |
| 34 | + |
| 35 | +Additionally, derivations from such an RNG (including the `Rng` trait, |
| 36 | +implementations of the `Distribution` trait, and `seq` algorithms) should not |
| 37 | +introduce signficant bias other than that expected from the operation in |
| 38 | +question (e.g. bias from a weighted distribution). |
| 39 | + |
| 40 | +## Supported Versions |
| 41 | + |
| 42 | +We will attempt to uphold these premises in the following crate versions, |
| 43 | +provided that only the latest patch version is used, and with potential |
| 44 | +exceptions for theoretical issues without a known exploit: |
| 45 | + |
| 46 | +| Crate | Versions | Exceptions | |
| 47 | +| ------- | ------------------ | |
| 48 | +| `rand` | 0.7 | | |
| 49 | +| `rand` | 0.5, 0.6 | Jitter | |
| 50 | +| `rand` | 0.4 | Jitter, ISAAC | |
| 51 | +| `rand_core` | 0.2 - 0.5 | | |
| 52 | +| `rand_chacha` | 0.1 - 0.2 | | |
| 53 | +| `rand_hc` | 0.1 - 0.2 | |
| 54 | + |
| 55 | +Explanation of exceptions: |
| 56 | + |
| 57 | +- Jitter: `JitterRng` is used as an entropy source when the primary source |
| 58 | + fails; this source may not be secure against side-channel attacks, see #699. |
| 59 | +- ISAAC: the [ISAAC](https://burtleburtle.net/bob/rand/isaacafa.html) RNG used |
| 60 | + to implement `thread_rng` is difficult to analyse and thus cannot provide |
| 61 | + strong assertions of security. |
| 62 | + |
| 63 | +## Known issues |
| 64 | + |
| 65 | +In `rand` version 0.3 (0.3.18 and later), if `OsRng` fails, `thread_rng` is |
| 66 | +seeded from the system time in an insecure manner. |
| 67 | + |
| 68 | +## Reporting a Vulnerability |
| 69 | + |
| 70 | +To report a vulnerability, [open a new issue](https://github.com/rust-random/rand/issues/new). |
| 71 | +Once the issue is resolved, the vulnerability should be [reported to RustSec](https://github.com/RustSec/advisory-db/blob/master/CONTRIBUTING.md). |
0 commit comments