Dapr june 2023 fuzzing audit report
PRESENTS ## Dapr Fuzzing Audit In collaboration with the Dapr project maintainers and The Linux Foundation ## Authors 0 (CC BY 4.0) ## CNCF security and fuzzing audits This report details a fuzzing audit commissioned by the CNCF and the engagement is part of the broader efforts CNCF has been investing in security audits, fuzzing and software supply chain security that has helped proactively discover and fix hundreds of issues. Fuzzing is a proven technique for finding security
19 pages | 690.59 KB | 2 years ago
Mix Assertion, Logging, Unit Testing and Fuzzing with ZeroErr
## Mix Assertion, Logging, Unit Testing and Fuzzing with ZeroErr Build Safer Modern C++ Application Speaker: Xiaofan Sun Date: Sep 19, 2024 ## Self-Introduction • Got my Ph.D. from UC, Riverside last additional context information if needed • Make sure specific path is taken ## Structure-Aware Fuzzing Generation-based fuzzers usually target a single input type - string. All input is reading from the test. ## Benefits of Integration • Fuzzing test case can use all those features • Fuzzing do not need additional assertion implementation - Writing fuzzing test case as well as unit test case so
54 pages | 961.46 KB | 1 year ago
Embracing an Adversarial Mindset for Cpp Security
@malwareunicorn ## Day in the Life: Vulnerability Research • Looking at code 75% • Instrumenting fuzzing harnesses 5% • Making POC when needed 1% • Tackling cross-org issues to combat a whole bug class system attempts to extend a metadata block. - Could have been easily discovered with the help of fuzzing - Driver had extensive use of try/catch blocks to catch exceptions. - Access violation exceptions Keep dependencies up to date • Use static code analysis tools built into your CICD pipeline • Use fuzzing in your CICD pipeline ## Strategies for Secure C++ Development ## Exploit Mitigation Timeline
92 pages | 3.67 MB | 1 year ago
2020: The Year of Sanitizers?
failure. Want to unleash the memory vulnerability beast? Put your test units on steroids, by spinning fuzzing jobs with ASan in Azure, leveraging the power of the Cloud from the comfort of your Visual Studio |build system|dynamic analyzer (runtime)| |package manager|code reviews platform| |SCM client|\+ fuzzing| ## Why Do I Care? 17 year old code base under active development 3.5 million lines of C++ code coverage for the runtime analysis (all possible scenarios) the biggest impact when combined with fuzzing ## Dynamic Analysis sometimes intrusive: you need to compile the program in a special mode • runtime
135 pages | 27.77 MB | 1 year ago
Vitess security audit
summary 2 Notable findings 3 Project Summary 4 Audit Scope 4 Threat model formalisation 5 Fuzzing 14 Issues found 16 SLSA review 38 Conclusions 40 ## Executive summary In March and April 2023 VTA_{admin} code. 3. Manually audit the remaining Vitess code base. 4. Assess and improve Vitess’s fuzzing suite. 5. Carry out a SLSA compliance review. These five goals are fairly different. While they which the threat model goal helped to assess. The threat model was also a force-multiplier for the fuzzing work that led to the discovery of a few missed edge cases when fixing the two CVE's. The audit
41 pages | 1.10 MB | 2 years ago
Dapr september 2023 security audit report
Table of contents 1 Executive summary 2 Project Summary 3 Audit Scope 4 Threat model 5 Fuzzing 15 Issues found 17 SLSA 43 Supply-chain mitigations 45 ## Executive summary In May and June code assets in scope. 2. Do a manual code audit of the code assets in scope. 3. Evaluate Daprs fuzzing suite against the formalised threat model. 4. Perform a SLSA review of Dapr. Our overall assessment security issues found| |---| |All issues except for 1 have been fixed| |Five fuzzers added to Daprs fuzzing suite| |1 CVE assigned| |Threat model included in report| |SLSA compliance review included in report|
47 pages | 1.05 MB | 2 years ago
Lifetime Safety in C++: Past, Present and Future
safety Temporal safety |||| |---|---|---| • BufferCheck (soon), SAL • ASAN, GWP-ASAN, HWASAN + Fuzzing • Bounds-checked data structures • Checked C, Deputy - fbounds-safety, buffer hardening ## Spatial Spatial safety |☐|☐|☐| |---|---|---| • BufferCheck (soon), SAL • ASAN, GWP-ASAN, HWASAN + Fuzzing • Bounds-checked data structures • Checked C, Deputy - fbounds-safety, buffer hardening Temporal ## Spatial safety |☐|☐|☐| |---|---|---| • BufferCheck (soon), SAL • ASAN, GWP-ASAN, HWASAN + Fuzzing • Bounds-checked data structures • Checked C, Deputy - fbounds-safety, buffer hardening Temporal
124 pages | 2.03 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
Executive summary 2 Notable findings 3 Project summary 4 Audit scope 6 Overall assessment 7 Fuzzing 9 Threat model 11 Issues found 17 Review of fixes for issues from previous audit 50 Istio Review the fixes for the issues found in an audit from 2020. 4. Review and improve Istio's fuzzing suite. 5. Perform a SLSA review of Istio. The audit was started with a kickoff meeting, and following team. ## Fuzzing The second goal of the audit was to assess and improve the fuzz test suite of Istio. During the initial assessment, the Ada Logics auditing team reviewed the existing fuzzing setup. At
55 pages | 703.94 KB | 2 years ago
A New Decade of Visual Studio: C++20, Open STL and More
Victor Ciura – Fuzzing/Testing venue Fri 9/18 12:00 – 13:00 Introducing Microsoft’s New Open Source Fuzzing Platform Justin Justin Campbell, Michael Walker – Fuzzing/Testing venue Visit https://aka.ms/asan to learn more ## Control Flow Guard (CFG) Enforce control flow integrity • Windows 8.1 & Windows 10 • MSVC compiler Development with Codespaces – Nick Uhlenhuth ## Friday 18th • Introducing Microsoft’s New Open Source Fuzzing Platform – Justin Campbell & Michael Walker
37 pages | 2.67 MB | 1 year ago
The fuzzy tale of an x/crypto vulnerability
## Fuzzing ## Fuzzing is an automated testing technique for hardening safety-critical software Typically used where parse(data) return 0 } Hit your target function with cleverly-constructed random data. Differential fuzzing: compare against a reference implementation. ### github.com/mmcloughlin/cryptofuzz ## func Fuzz(data
74 pages | 2.99 MB | 2 years ago