PDF document: Dapr September 2023 security audit report

1.05 MB, 47 pages
Language: English
Format: .pdf
Summary
Dapr security audit

In collaboration with the Dapr maintainers, Open Source Technology Improvement Fund and The Linux Foundation

Authors: Adam Korczynski <adam@adalogics.com>, David Korczynski <david@adalogics.com>
Date: 6th September 2023
This report is licensed under Creative Commons 4.0 (CC BY 4.0)

Table of contents
Table of contents ... 1
Executive summary ... 2
Project Summary ... 3
Audit Scope ... 4
Threat model ... 5
Fuzzing ... 15
Issues found ... 17
SLSA ... 43
Supply-chain mitigations ... 45

Executive summary

In May and June 2023, Ada Logics carried out a security audit for the Dapr project. The high-level goal was to complete a holistic audit drawing on several different security disciplines. The audit was split into the following goals:
1. Formalise a threat model of the code assets in scope.
2. Do a manual code audit of the code assets in scope.
3. Evaluate Dapr's fuzzing suite against the formalised threat model.
4. Perform a SLSA review of Dapr.

Our overall assessment of Dapr is highly positive. Dapr follows security best practices in both design and implementation. Dapr performed well in this audit, demonstrating a strong security posture.

The audit found 7 issues, of which 4 are umbrella issues covering multiple cases of similar issues across different components in the same Dapr building blocks. None of the issues were of critical or high severity. We found a vulnerability in a 3rd-party dependency which was assigned a CVE of high severity; however, it did not impact Dapr in a critical or high severity manner, and affects only a small group of Dapr users in a component that is not enabled by default. The vulnerability had the potential to crash a Dapr sidecar with an out-of-memory denial-of-service attack vector. We found the vulnerability after performing the threat modelling goal and understanding the flow of untrusted data through a Dapr deployment, and then adding a fuzzer for the affected component.
We added a total of five fuzzers to Dapr's OSS-Fuz...
Source: docs.dapr.io