MicroFuzz: An Efficient Fuzzing Framework for Microservices

Peng Di, Bingchang Liu, Yiyi Gao
DOI: https://doi.org/10.1145/3639477.3639723
2024-01-11
Abstract: This paper presents a novel fuzzing framework, called MicroFuzz, specifically designed for Microservices. Mocking-Assisted Seed Execution, Distributed Tracing, Seed Refresh and Pipeline Parallelism approaches are adopted to address the environmental complexities and dynamics of Microservices and improve the efficiency of fuzzing. MicroFuzz has been successfully implemented and deployed in Ant Group, a prominent FinTech company. Its performance has been evaluated in three distinct industrial scenarios: normalized fuzzing, iteration testing, and taint verification. Throughout five months of operation, MicroFuzz has diligently analyzed a substantial codebase, consisting of 261 Apps with over 74.6 million lines of code (LOC). The framework's effectiveness is evident in its detection of 5,718 potential quality or security risks, with 1,764 of them confirmed and fixed as actual security threats by software specialists. Moreover, MicroFuzz significantly increased program coverage by 12.24% and detected program behavior by 38.42% in the iteration testing.
Software Engineering
What problem does this paper attempt to address?
### Problems the Paper Aims to Solve

This paper aims to address the technical challenges of fuzzing in microservice architectures. Specifically:

1. **Inconsistency Issues**: Existing fuzzing tools are primarily designed for monolithic architectures and face execution path inconsistency when applied to microservice architectures. The runtime logic of microservice frameworks is unpredictable, and microservice applications are developed and redeployed independently, which may lead to temporary failures in cross-application calls. These factors result in inconsistencies in microservices.
2. **Communication Issues**: Microservice applications are typically deployed separately in different containers, so the communication overhead between the target application and the fuzzer is crucial for efficiency. Traditional fuzzing tools often overlook the network consumption specific to microservices, and coordinating different fuzzing components while hiding the significant time delays caused by such architectural differences is a daunting task.
3. **Applicability Issues**: Existing fuzzing tools cannot meet the cost requirements of large-scale industrial codebases. For example, Ant Group's microservice software contains over 3000 microservice applications and billions of lines of code. To minimize fuzzing costs, it is necessary to determine when to terminate the fuzzing process on thousands of applications and to evaluate the impact of termination on the effectiveness of fuzzing.

To address these issues, the paper proposes a new fuzzing framework called MicroFuzz, which tackles the above challenges through the following technical means:

- **Mocking-Assisted Seed Execution**: Used to handle the complexity and dynamism in microservice environments.
- **Distributed Tracing**: Collects comprehensive coverage information.
- **Seed Refresh & Life-cycle Management**: Periodically refreshes seed inputs to improve efficiency.
- **Pipeline Parallelism**: Decouples different stages of fuzzing to enhance overall efficiency.

After five months of actual deployment, MicroFuzz successfully detected and confirmed 1764 security threats at Ant Group, significantly improved program coverage, and demonstrated its effectiveness in iterative testing scenarios.