Fuzzing of Polymorphic Systems within Microservice Structures
https://doi.org/10.15514/ISPRAS-2024-36(1)-4
Abstract
Today fuzzing (fuzz testing) is the main technique for testing software, systems and code functions. Fuzzing makes it possible to identify vulnerabilities or software failures. However, in large organizations, where the number of systems may be large, this practice may require significant resources and network capacity. At the same time, developers and information security specialists are required to meet time-to-market deadlines, the requirements of various regulators and the recommendations of standards. This paper proposes a new fuzzing method designed to solve the problem above: fuzz testing of the whole computing network of a large organization at once, provided that it operates with microservices. Polymorphic systems are understood in this paper as systems consisting of various API (Application Programming Interface) functions that operate on various types of data, not within a single piece of software but inside subsystems made up of several microservices. In this case, many different network protocols, data types and formats may be used. With such a variety of features, detecting errors or vulnerabilities inside the systems becomes a problem, because debugging or trace interfaces are not always implemented in microservice software. Therefore, this paper also proposes collecting and analyzing statistics on the time intervals microservices take to process mutated data. For the fuzz tests, it is proposed to use mutated lists of exploit payloads. Analyzing the time between client requests and server responses helps to identify patterns that indicate the presence of potentially dangerous vulnerabilities. This paper describes fuzzing of API functions only over HTTP (Hypertext Transfer Protocol). The approach has no negative impact on development effectiveness or deadlines.
Methods and solution described in the paper are recommended to be used in large organizations as an additional or basic information security solution in order to prevent critical infrastructure failures and financial losses.
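An added example (not the paper's own code) of the timing-interval analysis the abstract describes: for each API function, a latency baseline is built from the seed requests, and mutated requests whose processing interval deviates from that baseline are flagged for inspection. The endpoint name, payload identifiers and latencies are constructed.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Sample:
    endpoint: str      # API function under test
    payload: str       # identifier of the seed or mutated value sent in the request
    mutated: bool      # False for seed (baseline) requests
    latency_ms: float  # interval between sending the request and receiving the response
    status: int        # HTTP status code of the response

def modified_z(x, median, mad):
    # Modified z-score (median/MAD); 0.6745 scales MAD to the normal sigma.
    return 0.6745 * (x - median) / mad

def timing_anomalies(samples, threshold=3.5):
    """Per endpoint, build a latency baseline from seed requests and flag mutated
    requests whose interval deviates by more than `threshold` modified z-scores.
    Median/MAD keeps a few slow seed calls from inflating the baseline."""
    baseline = defaultdict(list)
    for s in samples:
        if not s.mutated:
            baseline[s.endpoint].append(s.latency_ms)
    findings = defaultdict(list)
    for s in samples:
        if not s.mutated or s.endpoint not in baseline:
            continue
        med = statistics.median(baseline[s.endpoint])
        mad = statistics.median(abs(x - med) for x in baseline[s.endpoint]) or 1e-9
        z = modified_z(s.latency_ms, med, mad)
        if abs(z) > threshold:  # both very slow and suspiciously fast responses
            findings[s.endpoint].append((s.payload, round(z, 1), s.status))
    return dict(findings)

# Constructed run: eight seed requests and five mutated requests to one hypothetical endpoint.
EP = "/api/v1/search"
SAMPLES = [Sample(EP, "seed", False, t, 200) for t in (41, 44, 43, 47, 42, 45, 44, 46)]
SAMPLES += [Sample(EP, "mut-01", True, 45, 200),
            Sample(EP, "mut-02", True, 48, 200),
            Sample(EP, "mut-03", True, 5200, 200),  # processed far longer than the baseline
            Sample(EP, "mut-04", True, 3, 500),     # failed almost immediately
            Sample(EP, "mut-05", True, 49, 200)]

if __name__ == "__main__":
    for endpoint, hits in timing_anomalies(SAMPLES).items():
        for payload, z, status in hits:
            print(f"{endpoint} {payload}: modified z={z}, status={status}")
```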
About the Author
Artemiy Sergeevich YUREV, Russian Federation
Executive director, Department of Development Information Security Technologies, Gazprombank (JSC), postgraduate student of ISP RAS. Research interests: information security, fuzzing of information systems, security analysis, penetration testing, DAST, SSDL.
For citations:
YUREV A.S. Fuzzing of Polymorphic Systems within Microservice Structures. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2024;36(1):45-60. (In Russ.) https://doi.org/10.15514/ISPRAS-2024-36(1)-4