Processing and Analytics Vasiliki (Vasia) Kalavri
 vkalavri@bu.edu Spring 2020 4/16: Skew mitigation ??? Vasiliki Kalavri | Boston University 2020 Key partitioning 2 w2 w1 w3 round-robin hash-based

happens, OSS-Fuzz will notify the Dapr team with a stacktrace and a reproducer testcase. # Title Mitigation 1 Index out of range in ra� log reading Fixed 2 Malicious raw key triggers out of range panic log reading OSS-Fuzz bug tracker: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58799 Mitigation: Fixed in https://github.com/dapr/dapr/pull/6343 ID: ADA-DAP-FUZZ-1 Description A fuzzer found standard library OSS-Fuzz bug tracker: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58954 Mitigation: Fixed in: https://github.com/golang/go/issues/60411#event-9334104392 ID: ADA-DAP-FUZZ-2 Description

certs. No CA cert is saved to verify the communication between kube-apiserver and kubelet . Mitigation Make sure nodes with role:controlplane are on the same local network as your nodes with role:worker | match("--kubelet-certificate-authority=.*").string' Returned Value: none Result: Fail (See Mitigation) 1.1.22 - Ensure that the --kubelet-client-certificate and -- kubelet-client-key arguments Result: Pass 1.5.7 - Ensure that a unique Certificate Authority is used for etcd (Not Scored) Mitigation RKE supports connecting to an external etcd cluster. This external cluster could be configured

exploit this by repeatedly sending large http requests that would keep the STS server offline. Mitigation This issue raises the question whether debug mode should ever be used in production. If it should started out the review by requesting internal documentation that had been produced as part of the mitigation process. We then looked for public documentation related to the issues in the audit report. Finally of that, no fixes had been tracked at a per-issue level either. Some documentation about Istioʼs mitigation of the identified issues is the blog post written about the audit and how the issues were approached:

57Bottleneck mitigation { scoped_lock Lock( _Mutex ); int Idx = _Textures.Find( Filename ); if ( Idx != -1 ) return Idx; } auto Texture = Load( Filename ) ); ... 58Bottleneck mitigation ... { scoped_lock

envelope • Unit of mitigation • Language-level error handling mechanisms might not be appropriate tools for error handling • Language boundaries line up with units of mitigation • E.g., bad_alloc

complex and tightly integrated hardware and software. However, Agile inherently serves as a risk mitigation strategy, since early working software products reduce risk by validating requirements and performance regularly identify, assess, mitigate, and track risks. Risks will need to be actively managed with mitigation strategies integrated into acquisition strategies and key program processes throughout the program DBS)) Operational Test Plan MAIS & ACAT III Recommend combining with TEMP. Orbital Debris Mitigation Risk Report MAIS & ACAT III (Required for space programs only) Recommend combining with

Environment 1 Cryptographic Key Management 1 EMI/EMC 1 Self-Tests 1 Design Assurance 1 Mitigation of Other Attacks NA Overall Level 1 [140] Section 4.5 Physical Security is not applicable Module does not implement attack mitigations outside the scope of [140], hence [140] Section 4.11 Mitigation of Other Attacks is not applicable per [140IG] G.3. FIPS 140-2 Security Policy Rancher Kubernetes

CICD pipeline • Use fuzzing in your CICD pipelineStrategies for Secure C++ DevelopmentExploit Mitigation Timeline 2003 SAFESEH 2004 GS Cookie 2006 ASLR 2008 SEHOP Structured Exception Handler Flow Guard (RFG) Delayed Free CFG Control Flow Guard DEP Code Integrity (CI) SandboxExploit Mitigation Timeline 2017 ACG Arbitrary Code Guard 2022 2023 Castguard Coming soon Shadow Stack Control-flow

will be discussed in a chronological order alongside technical descriptions, as well as PoC and mitigation advice when applicable. Since most issues are reflective of a custom configuration and of the GetSecretRequest struct before nesting it into the HTTP path. A full description of this mitigation is described in issues DAP-01-003 and DAP-01-007. Cure53, Berlin · 07/01/20