Seeding and Mocking in White-Box Fuzzing Enterprise RPC APIs: An Industrial Case Study
Microservices is now becoming a promising architecture to build large-scale web services in industry. Due to the high complexity of enterprise microservices, industry has an urgent need to have a solution to enable automated testing of such systems. EvoMaster is an open-source fuzzer, equipped with...
Published in | IEEE/ACM International Conference on Automated Software Engineering : [proceedings] pp. 2024 - 2034 |
---|---|
Main Authors | Zhang, Man; Arcuri, Andrea; Teng, Piyun; Xue, Kaiming; Wang, Wenhao |
Format | Conference Proceeding |
Language | English |
Published | ACM 27.10.2024 |
ISSN | 2643-1572 |
DOI | 10.1145/3691620.3695265 |
Abstract | Microservices is now becoming a promising architecture to build large-scale web services in industry. Due to the high complexity of enterprise microservices, industry has an urgent need to have a solution to enable automated testing of such systems. EvoMaster is an open-source fuzzer, equipped with the state-of-the-art techniques for supporting automated system-level testing of Web APIs. It has been assessed as the most performant tool in two recent empirical studies in terms of line coverage and fault detection. In this paper, we carried out an empirical experiment to investigate how to better apply the state-of-the-art academic prototype (i.e., EvoMaster) in industrial context. We extended the tool to handle seeding of existing industrial tests, and mocking of external services with their data handled as part of the input fuzzing. We studied two configurations of EvoMaster, using two time budgets, on 40 enterprise RPC-based APIs (involving 5.6 million lines of code for their core business logic) at Meituan. Results show that, compared to existing practice of manual system-level testing and tests produced by record and replay of online traffic, EvoMaster demonstrates clear additional benefits. EvoMaster with the best configuration is capable of covering up to 32.4% line coverage, covering more than 10% line coverage on 36 out of 40 (90%) case studies, and identifying on average 3520 potential faults in these 40 APIs. In addition, we also identified and discussed important challenges in fuzzing enterprise microservices that must be addressed in the future. CCS CONCEPTS: Software and its engineering → Search-based software engineering; Software verification and validation. |
---|---|
Author | Teng, Piyun; Xue, Kaiming; Wang, Wenhao; Arcuri, Andrea; Zhang, Man |
Author_xml | – sequence: 1 givenname: Man surname: Zhang fullname: Zhang, Man email: manzhang@buaa.edu.cn organization: Beihang University,State Key Laboratory of Complex & Critical Software Environment (CCSE),Beijing,China – sequence: 2 givenname: Andrea surname: Arcuri fullname: Arcuri, Andrea email: andrea.arcuri@kristiania.no organization: Kristiania University College and Oslo Metropolitan University,Oslo,Norway – sequence: 3 givenname: Piyun surname: Teng fullname: Teng, Piyun email: tengpiyun@meituan.com organization: Meituan,Beijing,China – sequence: 4 givenname: Kaiming surname: Xue fullname: Xue, Kaiming email: xuekaiming@meituan.com organization: Meituan,Beijing,China – sequence: 5 givenname: Wenhao surname: Wang fullname: Wang, Wenhao email: wangwenhao02@meituan.com organization: Meituan,Beijing,China |
CODEN | IEEPAD |
ContentType | Conference Proceeding |
DBID | 6IE 6IL CBEJK RIE RIL |
DOI | 10.1145/3691620.3695265 |
DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings IEEE Proceedings Order Plan All Online (POP All Online) 1998-present by volume IEEE Xplore All Conference Proceedings IEEE Electronic Library (IEL) IEEE Proceedings Order Plans (POP All) 1998-Present |
DatabaseTitleList | |
Database_xml | – sequence: 1 dbid: RIE name: IEEE Electronic Library (IEL) url: https://proxy.k.utb.cz/login?url=https://ieeexplore.ieee.org/ sourceTypes: Publisher |
DeliveryMethod | fulltext_linktorsrc |
Discipline | Computer Science |
EISBN | 9798400712487 |
EISSN | 2643-1572 |
EndPage | 2034 |
ExternalDocumentID | 10764815 |
Genre | orig-research |
IEDL.DBID | RIE |
IngestDate | Wed Jan 15 06:20:43 EST 2025 |
IsDoiOpenAccess | false |
IsOpenAccess | true |
IsPeerReviewed | false |
IsScholarly | true |
Language | English |
LinkModel | DirectLink |
OpenAccessLink | https://doi.org/10.1145/3691620.3695265 |
PageCount | 11 |
ParticipantIDs | ieee_primary_10764815 |
PublicationCentury | 2000 |
PublicationDate | 2024-Oct.-27 |
PublicationDateYYYYMMDD | 2024-10-27 |
PublicationDate_xml | – month: 10 year: 2024 text: 2024-Oct.-27 day: 27 |
PublicationDecade | 2020 |
PublicationTitle | IEEE/ACM International Conference on Automated Software Engineering : [proceedings] |
PublicationTitleAbbrev | ASE |
PublicationYear | 2024 |
Publisher | ACM |
Publisher_xml | – name: ACM |
SSID | ssib057256116 ssj0051577 |
Score | 2.2930267 |
SourceID | ieee |
SourceType | Publisher |
StartPage | 2024 |
SubjectTerms | Automated Test Case Generation Fault detection Fault diagnosis Fuzzing Glass box Industries Logic Microservice architectures Microservices Prototypes SBST Software engineering Testing |
Title | Seeding and Mocking in White-Box Fuzzing Enterprise RPC APIs: An Industrial Case Study |
URI | https://ieeexplore.ieee.org/document/10764815 |
hasFullText | 1 |
inHoldings | 1 |
isFullTextHit | |
isPrint | |