Dapr June 2023 fuzzing audit report
PRESENTS Dapr Fuzzing Audit In collaboration with the Dapr project maintainers and The Linux Foundation Authors Adam Korczynski, David Korczynski Date: 30th report is licensed under Creative Commons 4.0 (CC BY 4.0) CNCF security and fuzzing audits This report details a fuzzing audit commissioned by the CNCF and the engagement is part of the broader efforts CNCF has been investing in security audits, fuzzing and software supply chain security that has helped proactively discover and fix hundreds of issues. Fuzzing is a proven technique for finding security
0 points | 19 pages | 690.59 KB | 1 year ago
Dapr September 2023 security audit report
contents Table of contents 1 Executive summary 2 Project Summary 3 Audit Scope 4 Threat model 5 Fuzzing 15 Issues found 17 SLSA 43 Supply-chain mitigations 45 1 Dapr security audit 2023 Executive the code assets in scope. 2. Do a manual code audit of the code assets in scope. 3. Evaluate Dapr's fuzzing suite against the formalised threat model. 4. Perform a SLSA review of Dapr. Our overall assessment summarised 7 security issues found All issues except for 1 have been fixed Five fuzzers added to Dapr's fuzzing suite 1 CVE assigned Threat model included in report SLSA compliance review included in report
0 points | 47 pages | 1.05 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
Executive summary 2 Notable findings 3 Project summary 4 Audit scope 6 Overall assessment 7 Fuzzing 9 Threat model 11 Issues found 17 Review of fixes for issues from previous audit 50 Istio SLSA issues. 3. Review the fixes for the issues found in an audit from 2020. 4. Review and improve Istio's fuzzing suite. 5. Perform a SLSA review of Istio. The audit was started with a kickoff meeting, and following Audit, 2023 Fuzzing The second goal of the audit was to assess and improve the fuzz test suite of Istio. During the initial assessment, the Ada Logics auditing team reviewed the existing fuzzing setup. At
0 points | 55 pages | 703.94 KB | 1 year ago
3 results in total