2023 Threat model Dapr is a framework for building cloud-native applications. It consists of a runtime and a set of building blocks that allow users to move infrastructure-related tasks out of their applications multiple microservices. Illustrated high-level overview Having outlined the main parts of Dapr, the runtime and the components, we can look at a high-level view of Dapr: 6 Dapr security audit 2023 At the in github.com/dapr/dapr/cmd/daprd2. We now do a quick code walk through of how Dapr starts the runtime and sets up the HTTP and gRPC endpoints and the components. The purpose of this brief section is

projects: 1) the Dapr Runtime, 2) Dapr kit and 3) Components-Contrib. Results summarised 39 fuzzers developed All fuzzers added to Daprs OSS-Fuzz integration Fuzzing covers the Dapr Runtime, Kit and Components-Contrib audits 2 Executive summary 3 Table of Contents 4 Dapr fuzzing 5 Issues found by fuzzers 13 Runtime stats 18 Dapr fuzzing In this section we present details on the Dapr fuzzing set up, and in particular FuzzFSMPlacementState github.com/dapr/dapr/pkg/placement/raft 4 FuzzDaprRuntime github.com/dapr/dapr/pkg/runtime 5 FuzzInvokeRemote github.com/dapr/dapr/pkg/messaging 6 FuzzParseAccessControlSpec github.com/dapr/dapr/pkg/acl

interact with other services and data stores Programming Models dapr: Distributed Application Runtime Building blocks for building scalable distributed apps Open Application Model (OAM) Platform Trait Component A Trait Deploying an OAM application to rudr DEMO Distributed Application Runtime State of Enterprise Developers Being asked to develop resilient, scalable, microservice-based adoptable equivalents that can run anywhere Introducing Dapr A portable, event-driven, serverless runtime for building distributed applications across cloud and edge Runs on multiple environments for

10709 Berlin cure53.de · mario@cure53.de Introduction “Dapr is a portable, event-driven runtime that makes it easy for developers to build resilient, microservice stateless and stateful applications large-scale and thorough security assessment targeting the Microsoft Distributed Application Runtime (Dapr) software complex1. Carried out by Cure53 in summer 2020, the project entailed comprehensive deploy a securityContext for the running pod, in order to establish basic hardening to the runtime environment. Furthermore, it is recommended to craft and set up the security boundaries for the

application to interact with other services and data stores Programming models Distributed Application Runtime (Dapr) Open Application Model (OAM) https://oam.dev State of Cloud Native Application Platforms http://localhost:3500/v1.0/state/inventory Runs as local “sidecar library” dynamically loaded at runtime for each service Service-to- service invocation State management Publish and subscribe T A I N E R Application code 1 Pod Update component changes to runtime Updates actor partition placement Injects Dapr runtime Components Dapr Kubernetes-hosted Sidecar architecture Component

miscellaneous issues from previous audit (Low) Conclusions Introduction “Dapr is a portable, event-driven runtime that makes it easy for developers to build resilient, microservice stateless and stateful applications on the scope back in June 2020. It should be clarified that Dapr is a distributed application runtime for cloud and edge deployments. In this context, the work was requested by Microsoft and carried test, including also a longer-term perspective on the security premise that the Dapr application runtime for cloud and edge deployments has exposed over time. Cure53, Berlin · 02/09/21