Enterprise Developers Being asked to develop resilient, scalable, microservice-based apps Functions and Actors are powerful programming models They write in many languages They want to leverage code e.g. http://localhost:3500/v1.0/invoke/myapp/method/neworder Dapr runs as local “side-car library” dynamically loaded at runtime for each service HTTP/gRPC Application code Distributed tracing invocation Actors API Dapr: Build apps using any language with any framework Any code or framework… Functions S e r v i c e s w r i t t e n i n .NET Core Microservice application Service-to- service

protocols from user service code e.g. http://localhost:3500/v1.0/state/inventory Runs as local “sidecar library” dynamically loaded at runtime for each service Service-to- service invocation State management OpenCensus Distributed Calculator D E M O Functions with Dapr Event-driven Stateless Easy replication and sharing Input/Triggers App Output/Bindings Functions with Dapr D E M O Host/Pod Virtual Actors

Components-Contrib sub projects. 3 issues were found. ● 1 index out of range ● 2 panics in Go standard library Table of Contents CNCF security and fuzzing audits 2 Executive summary 3 Table of Contents 4 Malicious raw key triggers out of range panic in Go standard library Fixed 3 Key with empty seed will trigger panic in Go standard library Fixed Index out of range in raft log reading OSS-Fuzz bug tracker: payload to trigger issue ADA-DAP-FUZZ-1 Malicious raw key triggers out of range panic in Go standard library OSS-Fuzz bug tracker: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58954 Mitigation: Fixed

threat actors below; For example, a fully untrusted user can also be a contributor to a 3rd-party library used by Dapr. actors for Dapr. A threat actor can assume multiple profiles from the tab Actor Description malicious PRs to a library in Component-contribs dependency tree or perform a dependency confusion attack - which is a manoeuvre where an attacker takes over a library to harm a user of the library. Another important found 7 security issues during this goal, one of which was a security vulnerability in a 3rd-party library which was assigned CVE-2023-374756. Issue 1, 2, 3, and 4 are umbrella issues of a specific class

demonstrated that bypassing access control lists is possible and can signify that invoking certain functions is infeasible. The identified issues were reported to the customer and not only fixed but also verified