Affiliation:
1. Kristiania University College, Oslo, Norway
2. Kristiania University College and Oslo Metropolitan University, Oslo, Norway
3. Meituan, Beijing, China
Abstract
Remote Procedure Call (RPC) is a communication protocol to support client-server interactions among services over a network. RPC is widely applied in industry for building large-scale distributed systems, such as Microservices. Modern RPC frameworks include, for example, Thrift, gRPC, SOFARPC, and Dubbo. Testing such systems using RPC communications is very challenging, due to the complexity of distributed systems and various RPC frameworks the system could employ. To the best of our knowledge, there does not exist any tool or solution that could enable automated testing of modern RPC-based services. To fill this gap, in this article we propose the first approach in the literature, together with an open source tool, for fuzzing modern RPC-based APIs. The approach is in the context of white-box testing with search-based techniques. To tackle schema extraction of various RPC frameworks, we formulate a RPC schema specification along with a parser that allows the extraction from source code of any JVM RPC-based APIs. Then, with the extracted schema we employ a search to produce tests by maximizing white-box heuristics and newly defined heuristics specific to the RPC domain. We built our approach as an extension to an open source fuzzer (i.e.,
EvoMaster
), and the approach has been integrated into a real industrial pipeline that could be applied to a real industrial development process for fuzzing RPC-based APIs. To assess our novel approach, we conducted an empirical study with two artificial and four industrial web services selected by our industrial partner. In addition, to further demonstrate its effectiveness and application in industrial settings, we report results of employing our tool for fuzzing another 50 industrial APIs autonomously conducted by our industrial partner in their testing processes. Results show that our novel approach is capable of enabling automated test case generation for industrial RPC-based APIs (i.e., 2 artificial and 54 industrial). We also compared with a simple gray-box technique and existing manually written tests. Our white-box solution achieves significant improvements on code coverage. Regarding fault detection, by conducting a careful review with our industrial partner of the tests generated by our novel approach in the selected four industrial APIs, a total of 41 real faults were identified, which have now been fixed. Another 8,377 detected faults are currently under investigation.
Funder
European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme
Publisher
Association for Computing Machinery (ACM)
Reference79 articles.
1. [n. d.]. AFL. https://github.com/google/AFL. Accessed August 26 2022.
2. [n. d.]. Dubbo. https://dubbo.apache.org/en/. Accessed August 26 2022.
3. [n. d.]. EvoMaster. https://github.com/EMResearch/EvoMaster. Accessed August 26 2022.
4. [n. d.]. EvoMaster Benchmark (EMB). https://github.com/EMResearch/EMB. Accessed August 26 2022.
5. [n. d.]. GraphQL Foundation. https://graphql.org/foundation/. Accessed August 26 2022.
Cited by
12 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献
1. Vulnerability mining method of SOAP based on black‐box fuzzing;Internet Technology Letters;2024-09-11
2. Practitioners’ Expectations on Automated Test Generation;Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis;2024-09-11
3. Advanced White-Box Heuristics for Search-Based Fuzzing of REST APIs;ACM Transactions on Software Engineering and Methodology;2024-06-27
4. StructuredFuzzer: Fuzzing Structured Text-Based Control Logic Applications;Electronics;2024-06-25
5. Search-Based Security Testing of Enterprise Microservices;2024 IEEE Conference on Software Testing, Verification and Validation (ICST);2024-05-27