MicroFuzz: An Efficient Fuzzing Framework for Microservices
Fuzzing is a widely adopted technique in the software industry to enhance security and software quality. However, most existing fuzzers are specifically designed for monolithic software architectures, and face significant limitations when it comes to serving distributed Microservices applications (Apps). These limitations primarily revolve around issues of inconsistency, communication and applicability which arise due to the differences in monolithic and distributed software architecture.
This paper presents a novel fuzzing framework, called MicroFuzz, specifically designed for Microservices. \textit{Mocking-Assisted Seed Execution}, \textit{Distributed Tracing}, \textit{Seed Refresh} and \textit{Pipeline Parallelism} approaches are adopted to address the environmental complexities and dynamics of Microservices and improve the efficiency of fuzzing. MicroFuzz has been successfully implemented and deployed in AntGroup, a prominent FinTech company. Its performance has been evaluated in three distinct industrial scenarios: normalized fuzzing, iteration testing, and taint verification.
Throughout five months of operation, MicroFuzz has diligently analyzed a substantial codebase, consisting of 261 Apps with over 74.6 million lines of code (LOC). The framework’s effectiveness is evident in its detection of 5,718 potential quality or security risks, with 1,764 of them confirmed and fixed as actual security threats by software specialists. Moreover, MicroFuzz significantly increased program coverage by 12.24% and detected program behavior by 38.42% in the iteration testing.
Thu 18 AprDisplayed time zone: Lisbon change
14:00 - 15:30 | Fuzzing 2Software Engineering in Practice / Research Track at Fernando Pessoa Chair(s): Thuan Pham The University of Melbourne | ||
14:00 15mTalk | Are We There Yet? Unraveling the State-of-the-Art Smart Contract Fuzzers Research Track Shuohan Wu Hong Kong Polytechnic University, zihao li The Hong Kong Polytechnic Universituy, Luyi Yan Hong Kong Polytechnic University, Weimin Chen The Hong Kong Polytechnic University, Muhui Jiang The Hong Kong Polytechnic University, Chenxu Wang Xi'an Jiaotong University, Xiapu Luo The Hong Kong Polytechnic University, Hao Zhou Hong Kong Polytechnic University | ||
14:15 15mTalk | RPG: Rust Library Fuzzing with Pool-based Fuzz Target Generation and Generic Support Research Track Zhiwu Xu Shenzhen University, Bohao Wu CSSE, Shenzhen University, Cheng Wen Guangzhou Institute of Technology, Xidian University, Bin Zhang Shenzhen University, Shengchao Qin Fermat Labs, Huawei, Mengda He Fermat Labs, Huawei DOI Pre-print | ||
14:30 15mTalk | Extrapolating Coverage Rate in Greybox Fuzzing Research Track Danushka Liyanage Monash University, Australia, Seongmin Lee Max Planck Institute for Security and Privacy (MPI-SP), Marcel Böhme MPI-SP, Bochum, Kla Tantithamthavorn Monash University DOI Pre-print | ||
14:45 15mTalk | FuzzInMem: Fuzzing Programs via In-memory Structures Research Track Xuwei Liu Purdue University, USA, Wei You Renmin University of China, Yapeng Ye Purdue University, Zhuo Zhang Purdue University, Jianjun Huang Renmin University of China, Xiangyu Zhang Purdue University | ||
15:00 15mTalk | Fuzz4All: Universal Fuzzing with Large Language Models Research Track Chunqiu Steven Xia University of Illinois at Urbana-Champaign, Matteo Paltenghi University of Stuttgart, Jia Le Tian UIUC, Michael Pradel University of Stuttgart, Lingming Zhang University of Illinois at Urbana-Champaign Pre-print | ||
15:15 15mTalk | MicroFuzz: An Efficient Fuzzing Framework for Microservices Software Engineering in Practice | ||