
MicroFuzz: An Efficient Fuzzing Framework for Microservices

Published 10 Jan 2024 in cs.SE | (2401.05529v1)

Abstract: This paper presents a novel fuzzing framework, called MicroFuzz, specifically designed for Microservices. Mocking-Assisted Seed Execution, Distributed Tracing, Seed Refresh and Pipeline Parallelism approaches are adopted to address the environmental complexities and dynamics of Microservices and improve the efficiency of fuzzing. MicroFuzz has been successfully implemented and deployed in Ant Group, a prominent FinTech company. Its performance has been evaluated in three distinct industrial scenarios: normalized fuzzing, iteration testing, and taint verification. Throughout five months of operation, MicroFuzz has diligently analyzed a substantial codebase, consisting of 261 Apps with over 74.6 million lines of code (LOC). The framework's effectiveness is evident in its detection of 5,718 potential quality or security risks, with 1,764 of them confirmed and fixed as actual security threats by software specialists. Moreover, MicroFuzz significantly increased program coverage by 12.24% and detected program behavior by 38.42% in the iteration testing.

