Abstract

Today, fuzzing (fuzz testing) is the main technique for testing software, systems and code functions. Fuzzing makes it possible to identify vulnerabilities or software failures. However, this practice may demand substantial resources and network capacity in large organizations, where the number of systems may be large. Developers and information security specialists are simultaneously required to meet time-to-market deadlines, the requirements of various regulators and the recommendations of standards. This paper proposes a new fuzzing method designed to solve the problem above. The approach applies fuzz testing to the whole computing network at once in large organizations that operate microservices. Polymorphic systems are understood in this paper as systems that consist of various API (Application Programming Interface) functions operating on various types of data, not within a single piece of software but inside subsystems made up of several microservices. In this case, many different network protocols, data types and formats can be in use. With such a variety of features, detecting errors or vulnerabilities inside the systems is a problem, because debugging or trace interfaces are not always implemented in microservice software. This paper therefore also proposes collecting and analyzing statistics on the time intervals that microservices take to process mutated data. For the fuzzing tests, it proposes using mutated lists of exploit payloads. Analyzing the time between client-server requests and the responses helps to identify patterns that indicate the presence of potentially dangerous vulnerabilities. This paper describes fuzzing of API functions only over the HTTP protocol (Hypertext Transfer Protocol). The approach does not have a negative impact on the effectiveness of development or on deadlines.
The methods and solution described in the paper are recommended for use in large organizations as an additional or basic information security solution in order to prevent critical infrastructure failures and financial losses.
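
The timing analysis described above can be illustrated with a short added example; it is not code from the paper, and the abstract does not say which statistic the authors use. It assumes a median/MAD modified z-score against latencies of unmutated requests, a threshold of 3.5, and at least three repeats per payload; all function names, endpoints and measurements are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

def robust_baseline(latencies_ms):
    """Median and MAD of latencies for unmutated requests to one endpoint."""
    med = median(latencies_ms)
    mad = median(abs(x - med) for x in latencies_ms)
    return med, max(mad, 1.0)  # floor MAD at 1 ms so identical samples cannot divide by zero

def flag_timing_anomalies(baseline, fuzz_runs, threshold=3.5, min_repeats=3):
    """Return [(endpoint, payload_id, median_ms, score)] for payloads whose
    repeated processing time deviates from the endpoint's baseline."""
    stats = {ep: robust_baseline(v) for ep, v in baseline.items()}
    grouped = defaultdict(list)
    for ep, payload_id, elapsed_ms in fuzz_runs:
        grouped[(ep, payload_id)].append(elapsed_ms)
    flagged = []
    for (ep, payload_id), times in sorted(grouped.items()):
        if ep not in stats or len(times) < min_repeats:
            continue  # no baseline, or too few repeats to rule out network jitter
        med, mad = stats[ep]
        typical = median(times)  # median of repeats ignores a single slow outlier
        score = 0.6745 * (typical - med) / mad  # modified z-score (assumed statistic)
        if abs(score) >= threshold:  # unusually slow or unusually fast
            flagged.append((ep, payload_id, typical, round(score, 1)))
    return flagged

# Constructed sample data: latencies in milliseconds, hypothetical endpoints.
BASELINE = {
    "/api/orders": [41, 39, 44, 40, 42, 43, 38, 41],
    "/api/users": [12, 12, 12, 12, 12, 12],
}
FUZZ_RUNS = [  # (endpoint, payload id in the mutated list, elapsed ms)
    ("/api/orders", "p001", 43), ("/api/orders", "p001", 40), ("/api/orders", "p001", 45),
    ("/api/orders", "p002", 2040), ("/api/orders", "p002", 2065), ("/api/orders", "p002", 2051),
    ("/api/orders", "p003", 900), ("/api/orders", "p003", 42), ("/api/orders", "p003", 41),
    ("/api/users", "p002", 13), ("/api/users", "p002", 12), ("/api/users", "p002", 14),
    ("/api/users", "p004", 3), ("/api/users", "p004", 2), ("/api/users", "p004", 3),
]

if __name__ == "__main__":
    for row in flag_timing_anomalies(BASELINE, FUZZ_RUNS):
        print(row)
```

On this data, payload p002 is flagged on `/api/orders` for a consistently slow response and p004 on `/api/users` for a consistently fast one, while the single 900 ms spike for p003 is treated as jitter.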
