Istio Security Assessment
  ... cryptographic hash is a function which takes a string of bytes and returns a small, fixed-size value. Hash functions guarantee that the same input always results in the same output. When used for security, the most ... the difference between the legitimate and malicious files based on the hash. The following hash functions are not considered cryptographically secure and should not be used: • All MD-family hashes (such ... dangers of SHA1 please see https://shattered.io/ Reproduction Steps The following list identifies functions in the Istio project that are using insecure hashing algorithms: • istio/istio/mixer/adapter/list/list ...
  51 pages | 849.66 KB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
  ... file close ● 1 certificate skipping ● 1 case unhandled errors ● 1 case of using a deprecated library ● 1 race condition 2 Istio Security Audit, 2023 Notable findings Issue 10 - “H2c handlers are ... communicates with Istiod to automate key and certificate rotation, like so: Istio-agent has two functions: 1. To receive SDS requests from Envoy and send certificate signing requests to the CA which typically ... verification Low High Yes 7 Unhandled errors Informational n/a Yes 8 Use of deprecated 3rd party library Low High Yes 9 TOCTOU race conditions in file utils Medium High Yes 10 H2c handlers are uncapped ...
  55 pages | 703.94 KB | 1 year ago

Accelerate Istio with ebpf
  ... ebpf Background Knowledge Prog type ● SOCK_OPS ➢ Set callbacks for TCP state changing ➢ Help functions: BPF_MAP_UPDATE_ELEM, BPF_SOCK_HASH_UPDATE ● SK_MSG ➢ Attach to a SOCKHASH map, capture the packets ... packets sent by a socket in SOCKHASH map and determine its destination socket ➢ Help functions: BPF_MSG_REDIRECT_HASH Istio Meetup China Work Flow of Acceleration ● sock_ops o Capture socket in specific ...
  15 pages | 591.60 KB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
  ... implement common Security, Observability, Service Routing & Discovery functions as features of the infrastructure - ○ Functions: TLS Termination, Traffic Management, Tracing, Rate Limiting, Protocol ...
  22 pages | 505.96 KB | 1 year ago

Istio is a long wild river: how to navigate it safely
  ... Kubernetes is pretty bad at load-balancing it ● So we solved it by using a client-side load-balancing library + Headless Services Headless services are to us what ClusterIP services are to common people! However ... Calling authn/z service on each call? Depending on the answers, the application RPS measured in library may vary between 2 and n times when using Istio. 61 Istio proxy performance and capacity Adopting ... requests: 10000 RPS at library level Istio RPS: 20000 RPS Service with 5 requests: 10000 RPS at library level Istio RPS: 50000 RPS 63 Istio proxy performance and ...
  69 pages | 1.58 MB | 1 year ago

Observability and Istio Telemetry
  ... com/apache/incubator-skywalking/blob/master/docs/en/concepts-and-designs/oal.md • Extendable Aggregation Functions • Aggregation Function • Count • Calls per minute • Avg response time • Sum • Thermodynamic ...
  21 pages | 5.29 MB | 6 months ago

Canary release practice for Kubernetes container applications based on Istio
  ... builds on Kubernetes and Istio to support deploying and serving of serverless applications and functions. http://www.servicemesher.com
  38 pages | 14.93 MB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
  ... and shift ● Packaged software ○ Non-Linux ○ unikernels ● Domain specific workloads ○ Network Functions (NFV) #IstioCon Hybrid and Multi Clouds #IstioCon Istio VM Integration is? A Tumultuous Odyssey…
  50 pages | 2.19 MB | 1 year ago

Extending service mesh capabilities using a streamlined way based on WASM and ORAS
  ... proxy-side configuration 9 OCI Registry As Storage ● the reference implementation of the OCI Artifacts project, which significantly simplifies storing arbitrary content in an OCI registry; ● custom tools can be built with the ORAS API/SDK library to ○ push WebAssembly modules into an OCI registry; ○ or pull WebAssembly modules from an OCI registry; ● the oras CLI is similar to the docker CLI 10 ...
  23 pages | 2.67 MB | 1 year ago
9 results in total