Dapr June 2023 fuzzing audit report
https://github.com/cncf/cncf-fuzzing where questions and queries are welcome. 1 https://github.com/google/oss-fuzz Executive summary In this engagement, Ada Logics worked on creating a fuzzing suite for Dapr. first integrating Dapr into OSS-Fuzz and add fuzzers for important API's of the Dapr eco system. At the end of the audit, all fuzzers are running continuously by way of OSS-Fuzz which will report if they and 3) Components-Contrib. Results summarised 39 fuzzers developed All fuzzers added to Daprs OSS-Fuzz integration Fuzzing covers the Dapr Runtime, Kit and Components-Contrib sub projects. 3 issues
0 points | 19 pages | 690.59 KB | 1 year ago

Vitess security audit
issues found 2 CVEs assigned Formalisation of VTAdmins threat model 3 fuzzers added to Vitess's OSS-Fuzz integration 2 Vitess Security Audit, 2023 Notable findings The most notable findings from the audit in 2020 which added coverage to complex text processing routines. Vitess is integrated into OSS-Fuzz which allows the fuzzers to run continuously and notify maintainers in case the fuzzers find bugs the source code for the Vitess fuzzers are the two key software packages that OSS-Fuzz uses to fuzz Vitess. The current OSS-Fuzz set up builds the fuzzers by cloning the upstream Vitess Github repository
0 points | 41 pages | 1.10 MB | 1 year ago

Dapr September 2023 security audit report
and then adding a fuzzer for the affected component. We added a total of five fuzzers to Daprs OSS-Fuzz integration. These will continue to run continuously after the conclusion of the audit. An area Fuzzing During the audit, Ada Logics wrote five new fuzzers for Dapr. We added the fuzzers to Daprs OSS-Fuzz integration so that they run continuously after the audit concluded. This allows the fuzzers to run testing the latest master branch as it evolves to test whether new bugs get introduced. Short-term, OSS-Fuzz was of value, in that one of the fuzzers found a security vulnerability in a 3rd-party dependency
0 points | 47 pages | 1.05 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
time to triage and assess criticality. Results summarised 6 fuzzers written and added to Istio's OSS-Fuzz integration 1 CVE found in Golang 1 vulnerability found that affected Googles managed Istio offering Istio is integrated into OSS-Fuzz with 63 fuzzers running continuously. ● All fuzzers are hosted in the Istio repository along with the OSS-Fuzz build script. ● The OSS-Fuzz build is maintained to avoid
0 points | 55 pages | 703.94 KB | 1 year ago

Embracing an Adversarial Mindset for Cpp Security
vetted parsers (JSON, XML, etc) ● Call to Action: Owners of OSS should onboard to a fuzzing service (OSS-Fuzz) Isolation ● Untrusted Process – Parsing Out-of-Process ● Sandboxing ● AppContainers – Consider What the Fuzz) ● Structure Aware Fuzzing (libprotobuf-mutator) ● Fuzzing as a Service (OneFuzz, OSS-Fuzz) Libfuzzer and ASan The bar is not high, write simple function: FUZZ_EXPORT int __cdecl LLVMFu https://github.com/google/libprotobuf-mutator https://github.com/microsoft/onefuzz https://github.com/google/oss-fuzz © Copyright Microsoft Corporation. All rights reserved.
0 points | 92 pages | 3.67 MB | 5 months ago

Oracle VM VirtualBox UserManual.pdf
contrib/libtests/makepng.c /* Insert standard copyright and licence text. */ ## Files: contrib/oss-fuzz/build.sh #!/bin/bash -eu # Copyright 2017-2018 Glenn Randers-Pehrson # Copyright 2016 Google Inc file2.png ..." */ 634 16 Licensing Information User Manual for Release 7.1 ## Files: contrib/oss-fuzz/libpng_read_fuzzer.cc // libpng_read_fuzzer.cc // Copyright 2017-2018 Glenn Randers-Pehrson //
0 points | 1186 pages | 5.10 MB | 1 year ago