Dapr july 2020 security audit report
### Pentest-Report Dapr 06.2020 Cure53, Dr.-Ing. M. Heiderich, M. Wege, MSc. R. Peraglie, J. Larsson ## Index Introduction Scope Test Coverage Identified Vulnerabilities DAP-01-002 WP2: Insufficient cluster takeover (Critical) DAP-01-006 WP2: Cross-Site Request Forgery into local Dapr sidecar (Medium) DAP-01-008 WP2: Dapr allows extraction of Kubernetes secrets by default (High) DAP-01-010 WP2: Invocation Invocation of out-of-scope topic handlers of PubSub (Info) DAP-01-012 WP2: Missing authentication from Dapr API to application (Medium) Miscellaneous Issues DAP-01-001 WP1: Sidecar allows MDNS probes to docker
0 码力 | 19 pages | 267.84 KB | 2 years ago
Dapr february 2021 security audit report
# Pentest- & Retest-Report Dapr 02.2021 Cure53, Dr.-Ing. M. Heiderich, Dipl.-Inf. G. Kopf & other Team Members ## Index Introduction Scope Identified Vulnerabilities DAP-02-001 WP3: Status DAP-02-002 WP3: Status of miscellaneous issues from previous audit (Low) Conclusions ## Introduction “Dapr is a portable, event-driven runtime that makes it easy for developers to build resilient, microservice From https://dapr.io/#about This report continues a security-driven cooperation between Cure53 and Dapr, reporting on the findings of a penetration test and source code audit against the Dapr software. In
0 码力 | 9 pages | 161.25 KB | 2 years ago
Dapr june 2023 fuzzing audit report
PRESENTS ## Dapr Fuzzing Audit In collaboration with the Dapr project maintainers and The Linux Foundation ## Authors summary In this engagement, Ada Logics worked on creating a fuzzing suite for Dapr. At the time of this engagement, Dapr was doing no fuzzing for any of its sub projects, and the goal of this fuzzing in a continuous manner. Ada Logics did that by first integrating Dapr into OSS-Fuzz and add fuzzers for important API's of the Dapr eco system. At the end of the audit, all fuzzers are running continuously
0 码力 | 19 pages | 690.59 KB | 2 years ago
Dapr september 2023 security audit report
PRESENTS ## Dapr security audit In collaboration with the Dapr maintainers, Open Source Technology Improvement Fund and The Linux Foundation ## OAM, dapr, and rudr The future of cloud native applications Mark Russinovich CTO, Microsoft Azure @markrussinovich ## Agenda Open Application Model dapr: Distributed Application Platform Building Cloud Scale, Hybrid Applications and Dapr ## Microsoft Ready ## The Future of Cloud Native Applications with Open Application Model (OAM) and Dapr Mark Russinovich Chief Technology Officer, Microsoft Azure @markrussinovich ## Application models Runtime (Dapr) dapr Building blocks for building scalable distributed apps ## Microservices made easy with Dapr Use common cloud and edge applications Microsoft is introducing two new specs, the Open Application Model and Dapr, with the aim of making building cloud, edge and Kubernetes apps easier. By Mary
0 码力 | 51 pages | 2.00 MB | 2 years ago
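02. After Service Mesh Lands: Giving the Sidecar a Soul - Zhou Qunli
Service Mesh Runtime Positioning Collection of distributed-capability primitives Interaction mode APIs with explicit semantics Communication protocol Http/gRPC standard protocols Capability richness High ## Dapr • Provides a variety of distributed capabilities • Integrates with a rich set of infrastructure components Option 2: Coexistence POD container MOSN container App container Dapr • Lacks Service Mesh capabilities • Stability yet to be verified container App container MOSN container Dapr • Operations costs soar • Stability is even harder to guarantee ## "The ABC of Lock-In" In February 2012, an article told an interesting story Write once. Run anywhere with dapr Application Code
0 码力 | 63 pages | 880.85 KB | 2 years ago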
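Cloud-Native Graph Databases Demystified, Containerization Practice, and Hands-On Serverless Applications
autoscaling with Prometheus and Alertmanager is also not the most professional or agile approach In recent years, many excellent open source projects have emerged in cloud-native Serverless-related fields: KEDA, Dapr, Cloud Native Buildpacks (CNB), Tekton, Shipwright ## New Serverless vision A new-generation open source function compute platform - the opportunity Existing open source Serverless runtimes: KEDA + Deployment / Job ■ Dapr ## KEDA KEDA dapr ## Function Serving - Dapr ■ Function Without Dapr 5 languages x 10 Message Queues = 50 implementations ■ Function With Dapr 5 languages x 1 abstract Message Queue (using 1 compute platform build practice: OpenFunction ■ Use Tekton, Cloud Native Buildpacks, and Shipwright to build an OCI image build pipeline ■ Use cloud-native technologies such as Knative, Dapr, and KEDA to drive synchronous and asynchronous functions with autoscaling capability A lightweight Serverless event framework modeled on Argo Events and Knative Eventing ■ Graph database on K8s based on
0 码力 | 47 pages | 29.72 MB | 1 year ago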
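01. MOSN High-Performance Network Extension Practice - Wang Fakang
really like the idea of allowing the embedding of Dapr style programs within Envoy that all exist out of the primary tree. L7 GoLang extension makes it easy to bring in Dapr capabilities I really want to figure out how to intersect - Reuses Envoy's efficient network channel, e.g. providing the underlying gRPC channel for Dapr capabilities - Hardware acceleration integration capability - Memory management Zero Copy - Also provides cloud-native xDS and REST API service metadata management channel capability - Connects the MOSN/GoLang and Envoy ecosystems Enables technology sharing across multiple communities and strengthens the ecosystem in areas such as Service Mesh and Dapr ## MoE runtime results MoE deployment architecture
0 码力 | 29 pages | 2.80 MB | 2 years ago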
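Accelerating Tokio with Hardware - Dai Xiang
Loong Dai • Cloud-native engineer at Intel • Microsoft MVP • Maintainer of Dapr, Thanos, and Golangci-lint - Currently focused mainly on the service mesh field, exploring new paradigms for combining cloud-native software and hardware • Github ID: daixiang0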












