OSTIF is pleased to announce the completion of a security audit of the open source project RustVMM in collaboration with X-41 D-Sec GmbH, with funding by Amazon Web Services. The project offers crates to build customized Virtual Machine Monitors (thus, VMM), which can be vulnerable to malicious actors through its components’ exposure to untrusted code. Therefore, security of the code is imperative as to not endanger users’ or project infrastructure.

RustVMM’s source code was manually reviewed in September of 2023 by the X41 team. Eleven crates were in the scope of the audit, and in the report the engineer team notes that code quality is high, with RustVMM’s design and implementation written with security as a priority. As a result, there were only issues without direct security impact reported by the audit, six in total. This number was confirmed by multiple, independently-working auditors reviewing RustVMM’s code for this report. This is a credit to the developers, maintainers, and community of the project, as well as to the choice of language, Rust, which is respected for its memory-management capabilities. While X41 offers a few suggestions for future security work, as well as the resolution of the identified issues, overall the sentiment is overwhelmingly positive as to the security health of the project.

Audits are incredibly important for ongoing security health. They are impactful to the projects and their communities, no matter the number or criticality of findings. Security audits help maintainers plan for future work of all types, understand code weaknesses, and address issues before they can develop more critical impacts. Projects that do not undergo security audits are less likely to have custom  documentation and recommendations uniquely provided by security experts. This can lead them to be underdeveloped, less secure, and more likely to experience exploitation by bad actors. 

OSTIF would like to thank the team at X41 D-Sec, specifically Dr. Robert Femmer and Hannes Moesl-Canaval, M.Sc., for their hard work on this audit and their continued work with us on open source security. Further gratitude goes to the RustVMM community and maintainers, who deserve recognition for their contributions and efforts in getting the project to the level of security it exists in. Finally, our deep thanks to Amazon Web Services for their support of our work and open source security efforts. 

Read the audit report HERE

Read X41-DSec’s post HERE