In this paper, an invocation chain technology is used to test the security of fog computing systems. Atomic attacks based on the attack graph are combined according to the type, time sequence, and causal relationship. Different test sequences have gone through according to the principle of depth-first. In addition, the vulnerability assessment based on an invocation chain is evaluated to verify whether it can detect existing or unknown vulnerability in fog computing systems. Finally, the experimental results show that the invocation chain test and evaluation method based on the attack graph can evaluate the system risk quantitatively rather than qualitatively by calculating comprehensive probability on all test sequences.