Integrating continuous security analysis into Linkerd2-proxy and dependencies

In March and April 2021 we performed a fuzzing audit of Linkerd2-proxy and its dependencies. Linkerd2-proxy is a state-of-the-art proxy written in the Rust language and is the backbone proxy for the Linkerd service mesh.

The main goal of this audit was to set up an infrastructure that continuously analyse the security of Linkerd2-proxy and its dependencies by way of fuzzing. This differs from a traditional security audit in that the fuzzing audit is purely focused on setting up procedures for automated security analysis that will continue to run long after the audit has taken place. The benefit of this is that security is integrated tightly into the software and the analysis keeps expanding over time as the fuzzers explore more of the code.

The audit resulted in fuzzing getting integrated into Linkerd2-proxy itself as well as 7 of its key dependencies. Naturally, the fuzzers integrated into these projects also execute and analyse code in other dependencies, and effectively a larger scope of the code is now continuously analysed for bugs every day. We discovered two issues in Linkerd2-proxy code as well as several issues in its dependencies.

You can read about the audit in full on the Linkerd2 blog here.

You can read the full audit report on the Linkerd2-proxy Github repository here.