Dapr June 2023 fuzzing audit report
PRESENTS Dapr Fuzzing Audit In collaboration with the Dapr project maintainers and The Linux Foundation Authors Adam Korczynski, David Korczynski Date: 30th report is licensed under Creative Commons 4.0 (CC BY 4.0) CNCF security and fuzzing audits This report details a fuzzing audit commissioned by the CNCF and the engagement is part of the broader efforts CNCF has been investing in security audits, fuzzing and software supply chain security that has helped proactively discover and fix hundreds of issues. Fuzzing is a proven technique for finding security
19 pages | 690.59 KB | 1 year ago

Mix Assertion, Logging, Unit Testing and Fuzzing with ZeroErr
Mix Assertion, Logging, Unit Testing and Fuzzing with ZeroErr Build Safer Modern C++ Application Speaker: Xiaofan Sun Date: Sep 19, 2024 Self-Introduction • Got my Ph.D. from UC, Riverside capture additional context information if needed • Make sure specific path is taken Structure-Aware Fuzzing Generation-based fuzzers usually target a single input type - string. All input is reading from running the test. Benefits of Integration • Fuzzing test case can use all those features • Fuzzing do not need additional assertion implementation • Writing fuzzing test case as well as unit test case so
54 pages | 961.46 KB | 5 months ago

Vitess security audit
Executive summary 2 Notable findings 3 Project Summary 4 Audit Scope 4 Threat model formalisation 5 Fuzzing 14 Issues found 16 SLSA review 38 Conclusions 40 1 Vitess Security Audit, 2023 Executive summary VTAdmin code. 3. Manually audit the remaining Vitess code base. 4. Assess and improve Vitess's fuzzing suite. 5. Carry out a SLSA compliance review. These five goals are fairly different. While they which the threat model goal helped to assess. The threat model was also a force-multiplier for the fuzzing work that led to the discovery of a few missed edge cases when fixing the two CVE's. The audit started
41 pages | 1.10 MB | 1 year ago

Dapr September 2023 security audit report
contents Table of contents 1 Executive summary 2 Project Summary 3 Audit Scope 4 Threat model 5 Fuzzing 15 Issues found 17 SLSA 43 Supply-chain mitigations 45 1 Dapr security audit 2023 Executive the code assets in scope. 2. Do a manual code audit of the code assets in scope. 3. Evaluate Dapr's fuzzing suite against the formalised threat model. 4. Perform a SLSA review of Dapr. Our overall assessment summarised 7 security issues found All issues except for 1 have been fixed Five fuzzers added to Dapr's fuzzing suite 1 CVE assigned Threat model included in report SLSA compliance review included in report
47 pages | 1.05 MB | 1 year ago

2020: The Year of Sanitizers?
Want to unleash the memory vulnerability beast? Put your test units on steroids, by spinning fuzzing jobs with ASan in Azure, leveraging the power of the Cloud from the comfort of your Visual Studio manager static analyzer dynamic analyzer (runtime) automated refactoring tools build system + fuzzing code reviews platform 12 17 year old code base under active development 3.5 million lines of C++ coverage for the runtime analysis (all possible scenarios) the biggest impact when combined with fuzzing 46 2020 Victor Ciura | @ciura_victor - 2020: The Year of Sanitizers? 0 false positives! Dynamic
135 pages | 27.77 MB | 5 months ago

Embracing an Adversarial Mindset for Cpp Security
SIDE ACTIVITIES Day in the Life: Vulnerability Research ● Looking at code 75% ● Instrumenting fuzzing harnesses 5% ● Making POC when needed 1% ● Tackling cross-org issues to combat a whole bug class system attempts to extend a metadata block. ● Could have been easily discovered with the help of fuzzing ● Driver had extensive use of try/catch blocks to catch exceptions. ● Access violation exceptions dependencies up to date • Use static code analysis tools built into your CICD pipeline • Use fuzzing in your CICD pipeline Strategies for Secure C++ Development Exploit Mitigation Timeline 2003 SAFESEH
92 pages | 3.67 MB | 5 months ago

Lifetime Safety in C++: Past, Present and Future
Spatial safety Temporal safety Spatial safety • BufferCheck (soon), SAL • ASAN, GWP-ASAN, HWASAN + Fuzzing • Bounds-checked data structures • Checked C, Deputy • -fbounds-safety, buffer hardening Temporal safety
124 pages | 2.03 MB | 5 months ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
Executive summary 2 Notable findings 3 Project summary 4 Audit scope 6 Overall assessment 7 Fuzzing 9 Threat model 11 Issues found 17 Review of fixes for issues from previous audit 50 Istio SLSA issues. 3. Review the fixes for the issues found in an audit from 2020. 4. Review and improve Istio's fuzzing suite. 5. Perform a SLSA review of Istio. The audit was started with a kickoff meeting, and following Audit, 2023 Fuzzing The second goal of the audit was to assess and improve the fuzz test suite of Istio. During the initial assessment, the Ada Logics auditing team reviewed the existing fuzzing set up. At
55 pages | 703.94 KB | 1 year ago

A New Decade of Visual Studio: C++20, Open STL and More
of Sanitizers? Victor Ciura – Fuzzing/Testing venue Fri 9/18 12:00 – 13:00 Introducing Microsoft’s New Open Source Fuzzing Platform Justin Campbell, Michael Walker – Fuzzing/Testing venue Visit https://aka Development with Codespaces – Nick Uhlenhuth Friday 18th • Introducing Microsoft’s New Open Source Fuzzing Platform – Justin Campbell & Michael Walker
37 pages | 2.67 MB | 5 months ago

The fuzzy tale of an x/crypto vulnerability
lines of amd64 assembly in crypto 10,474 lines of amd64 assembly in golang.org/x/crypto Fuzzing Fuzzing is an automated testing technique for hardening safety-critical software Typically used where parse(data) return 0 } Hit your target function with cleverly-constructed random data. Differential fuzzing: compare against a reference implementation. github.com/mmcloughlin/cryptofuzz func Fuzz(data
74 pages | 2.99 MB | 1 year ago