MicroFuzz: An Efficient Fuzzing Framework for Microservices

Peng Di, Bingchang Liu, Yiyi Gao

TL;DR

MicroFuzz tackles the unique challenges of fuzzing large-scale microservice software, where nondeterministic behavior and cross-app interactions hinder traditional fuzzers. It introduces Mocking-Assisted Seed Execution, Distributed Tracing, Seed Refresh, and Pipeline Parallelism to enable efficient, scalable fuzzing in cloud deployments. In an industrial deployment at Ant Group, MicroFuzz analyzed 261 Apps across five months, uncovering 5,718 potential quality or security risks with 1,764 confirmed, and increasing line coverage by 12.24% while exposing 38.42% more program paths in iteration testing. The results demonstrate the framework's practical impact on industrial QA and security workflows and its ability to scale to thousands of microservices.

Abstract

This paper presents a novel fuzzing framework, called MicroFuzz, specifically designed for Microservices. Mocking-Assisted Seed Execution, Distributed Tracing, Seed Refresh and Pipeline Parallelism approaches are adopted to address the environmental complexities and dynamics of Microservices and improve the efficiency of fuzzing. MicroFuzz has been successfully implemented and deployed in Ant Group, a prominent FinTech company. Its performance has been evaluated in three distinct industrial scenarios: normalized fuzzing, iteration testing, and taint verification. Throughout five months of operation, MicroFuzz has diligently analyzed a substantial codebase, consisting of 261 Apps with over 74.6 million lines of code (LOC). The framework's effectiveness is evident in its detection of 5,718 potential quality or security risks, with 1,764 of them confirmed and fixed as actual security threats by software specialists. Moreover, MicroFuzz significantly increased program coverage by 12.24% and detected program behavior by 38.42% in the iteration testing.

Paper Structure (22 sections, 8 figures, 3 tables)

This paper contains 22 sections, 8 figures, 3 tables.

Figures (8)

  • Figure 1: An example of Microservices and its Apps.
  • Figure 2: MicroFuzz's architecture and application scenarios.
  • Figure 3: An example of static fields influencing the internal state.
  • Figure 4: Distributed tracing architecture.
  • Figure 5: Pipeline parallelism.
  • ...and 3 more figures