Dapr July 2020 security audit report
Bielefelder Str. 14, D-10709 Berlin, cure53.de · mario@cure53.de. Pentest-Report Dapr 06.2020. Cure53, Dr.-Ing. M. Heiderich, M. Wege, MSc. R. Peraglie, J. Larsson. Index: Introduction … cluster takeover (Critical); DAP-01-006 WP2: Cross-Site Request Forgery into local Dapr sidecar (Medium); DAP-01-008 WP2: Dapr allows extraction of Kubernetes secrets by default (High); DAP-01-010 WP2: Invocation of out-of-scope topic handlers of PubSub (Info); DAP-01-012 WP2: Missing authentication from Dapr API to application (Medium). Miscellaneous Issues: DAP-01-001 WP1: Sidecar allows MDNS probes to docker0 …
19 pages | 267.84 KB | 1 year ago

Dapr February 2021 security audit report
Bielefelder Str. 14, D-10709 Berlin, cure53.de · mario@cure53.de. Pentest- & Retest-Report Dapr 02.2021. Cure53, Dr.-Ing. M. Heiderich, Dipl.-Inf. G. Kopf & other Team Members. Index: Introduction … DAP-02-002 WP3: Status of miscellaneous issues from previous audit (Low) … Conclusions. Introduction: “Dapr is a portable, event-driven runtime that makes it easy for developers to build resilient, microservice …” From https://dapr.io/#about. This report continues a security-driven cooperation between Cure53 and Dapr, reporting on the findings of a penetration test and source code audit against the Dapr software. In …
9 pages | 161.25 KB | 1 year ago

Dapr June 2023 fuzzing audit report
PRESENTS: Dapr Fuzzing Audit. In collaboration with the Dapr project maintainers and The Linux Foundation. Authors: Adam Korczynski, David Korczynski. Date: 30th … summary: In this engagement, Ada Logics worked on creating a fuzzing suite for Dapr. At the time of this engagement, Dapr was doing no fuzzing for any of its sub-projects, and the goal of this … fuzzing efforts in a continuous manner. Ada Logics did that by first integrating Dapr into OSS-Fuzz and adding fuzzers for important APIs of the Dapr ecosystem. At the end of the audit, all fuzzers are running continuously …
19 pages | 690.59 KB | 1 year ago

Dapr September 2023 security audit report
PRESENTS: Dapr security audit. In collaboration with the Dapr maintainers, Open Source Technology Improvement Fund and The Linux Foundation. Authors: Adam Korczynski, David Korczynski. Date: 6th September 2023. This report is licensed under Creative Commons 4.0 (CC BY 4.0). Dapr security audit 2023. Table of contents: Executive summary (p. 2), Project Summary … SLSA (p. 43), Supply-chain mitigations (p. 45). Executive summary: In May and June 2023, Ada Logics carried out a security audit for the Dapr project. The high-level goal was to complete …
47 pages | 1.05 MB | 1 year ago

OAM, Dapr and Rudr: The future of cloud native applications
Microsoft Ignite. OAM, dapr, and rudr: The future of cloud native applications. Mark Russinovich, @markrussinovich. Open Application Model. dapr: Distributed Application Platform … Building Cloud Scale … developers write their application to interact with other services and data stores. Programming Models. dapr: Distributed Application Runtime: Building blocks for building scalable distributed apps. Open Application … don’t have composable and incrementally adoptable equivalents that can run anywhere. Introducing Dapr: A portable, event-driven, serverless runtime for building distributed applications across cloud …
59 pages | 1.65 MB | 1 year ago

The Future of Cloud Native Applications with Open Application Model (OAM) and Dapr
… @markrussinovich. Application models: Describes the topology of your application and its components. The way developers interact with other services and data stores: Programming models. Distributed Application Runtime (Dapr). Open Application Model (OAM), https://oam.dev. State of Cloud Native Application Platforms … Prometheus Operator, ROS (Alibaba Cloud Resources), Stateless Component, Kubernetes Cluster. https://dapr.io. State of Enterprise Developers: What is holding back micro-service development? Hard to incrementally …
51 pages | 2.00 MB | 1 year ago

02. After Service Mesh Lands: Giving the Sidecar a Soul - Zhou Qunli
Network proxy: positioning: traffic interception; interaction mode: private protocol; communication protocol … capability richness: high … HTTP/gRPC standard protocols. Dapr: provides many distributed capabilities; integrates a rich set of infrastructure components; unbinds from vendors, deploys across clouds. Things are not that simple: what Dapr does not solve. How to land it in the App: Option 1: replace; Option 2: coexist. “The ABC of Lock-In” (2012). Pod: App container + Dapr container: missing Service Mesh capabilities; operations cost soars; stability remains to be verified; stability harder to guarantee. Pod: App container + Dapr container + MOSN container. Layotto: Layotto architecture: Layotto, HTTP, business logic, gRPC Client, App, gRPC Server, Config, Pub/Sub, RPC, State, Lock ... Config, MQ, RPC. Co-built by Alibaba, Ant and Dapr: reuse first, develop second. Envoy, Components. Layotto portability: Application Code, App, App, App, Layotto, App …
63 pages | 880.85 KB | 1 year ago

Demystifying Cloud Native Graph Databases, Containerization Practice and Hands-on Serverless Applications
A new vision for Serverless? What is Serverless? The state of open-source projects in the Serverless / FaaS space: in recent years many excellent open-source projects have emerged around cloud-native Serverless: KEDA, Dapr, Cloud Native Buildpacks (CNB), Tekton, Shipwright. Existing open-source FaaS projects: most started early, and most already existed before Knative appeared. Knative: event driven. Runtime: KEDA + Deployment / Job, Dapr. Function Serving: Dapr. Function without Dapr: 5 languages x 10 message queues = 50 implementations. Function with Dapr: 5 languages x 1 abstract message queue (accessed in 1 way, i.e. HTTP/gRPC …). Building a Serverless compute platform in practice: OpenFunction. Uses Tekton, Cloud Native Buildpacks and Shipwright to build an OCI image build pipeline; uses cloud-native technologies such as Knative, Dapr and KEDA to drive autoscaling synchronous and asynchronous functions; a lightweight Serverless event framework modelled on Argo Events and Knative Eventing. Graph databases on K8s, based on …
47 pages | 29.72 MB | 1 year ago

1.3 MOSN’s Exploration and Practice in Cloud Native
Core payment link coverage. MOSN announces independent operation. CNCF landscape. V0.13.0 released, integrating with the cloud-native component ecosystem. Istio officially recommended data plane. MOSN begins ecosystem cooperation with Envoy, Dapr and WASM. Commercial landing: Jiangxi Rural Credit Mesh, Alibaba Cloud CDN. Timeline: Double 11 2019, December 2019, June 2020, July 2020, December 2020, 2021. MOSN REST API service metadata management; channel capability: reuse Envoy’s efficient network channel, for example providing the underlying gRPC channel for Dapr capabilities; hardware acceleration integration; zero-copy memory management; connecting the MOSN/Golang and Envoy ecosystems; sharing technology across communities, strengthening the ecosystem in areas such as Service Mesh and Dapr. Performance: relatively high. MOE in practice: deployment architecture. MOE in practice: https://github.com/mosn/layotto. MOE: L4 extension support. Once MOE supports L4 extensions, Envoy can easily integrate Layotto or Dapr capabilities and so provide service mesh and application runtime capabilities at the same time. Positioning: cloud-native network proxy platform. Philosophy: give general capabilities back to the community and build standards together with the community. Come on, just open a PR …
36 pages | 35.61 MB | 1 year ago

01. MOSN High-Performance Network Extension Practice - Wang Fakang
… REST API service metadata management; channel capability: reuse Envoy’s efficient network channel, for example providing the underlying gRPC channel for Dapr capabilities; hardware acceleration integration; zero-copy memory management; connecting the MOSN/Golang and Envoy ecosystems; sharing technology across communities, strengthening the ecosystem in areas such as Service Mesh and Dapr. Performance: relatively high. MoE runtime results. MoE deployment architecture. MoE runtime results …
29 pages | 2.80 MB | 1 year ago
15 results in total