Result: Fuzzing of Polymorphic Systems within Microservice Structures.
More information
Today, fuzzing (fuzz testing) is the main technique for testing software, systems and functions. In particular, it is a part of dynamic analysis (DAST – Dynamic Application Security Testing). Fuzzing allows for identifying information security (IS) flaws or software failures. However, this practice may require substantial resources and high-performance computers in large organizations where the number of systems may be large. Development teams and information security specialists are required to simultaneously meet time-to-market deadlines, regulatory requirements, and standard recommendations. To address fuzz testing challenges while simultaneously meeting deadlines, a new fuzzing method is proposed that should be applied to the entire IT network of large organizations that use microservices. In this paper, polymorphic systems are defined as those that implement various API (Application Programming Interface) functions accepting various types of input data not within a single piece of software but rather within subsystems with a set of multiple microservices. In this case, various network protocols, formats, and data types may be used. With such a diversity of features, the problem of identifying flaws in the system arises, since debugging or feedback interfaces are not always functionally provided within the software. To address this issue, in this paper, we propose a method for collecting and analyzing statistics on the time intervals during which mutated data is processed by microservices. For fuzz tests, it is proposed to use mutated requests, where the initial state of the data to be mutated is the payload of known or typical information security flaws. By analyzing the time intervals between client-server requests and responses, it was possible to identify patterns that indicate the presence of potentially dangerous information security flaws. Fuzzing of API functions over HTTP (Hypertext Transfer Protocol) is considered.
The proposed approach does not negatively affect the development efficiency and timelines. The method and solution described in this paper are recommended for use in large organizations as a supplemental or primary information security solution to prevent critical infrastructure failures and financial losses. [ABSTRACT FROM AUTHOR]