KubeFuzzer: Automating RESTful API Vulnerability Detection in Kubernetes

Authors: Tao Zheng, Rui Tang, Xingshu Chen, Changxiang Shen

Author affiliations: School of Cyber Science and Engineering, Sichuan University, Chengdu 610065, China; Cyber Science Research Institute, Sichuan University, Chengdu 610065, China; Key Laboratory of Data Protection and Intelligent Management (Sichuan University), Ministry of Education, Chengdu 610065, China

Publication: Computers, Materials & Continua (English-language journal)

Year, volume, issue: 2024, Vol. 81, No. 10

Pages: 1595-1612

Core indexing:

Subject classification: 0839 [Engineering - Cyberspace Security]; 08 [Engineering]

Funding: supported by the National Natural Science Foundation of China (No. 62202320), the Fundamental Research Funds for the Central Universities (Nos. SCU2023D008, 2023SCU12129), the Natural Science Foundation of Sichuan Province (No. 2024NSFSC1449), the Science and Engineering Connotation Development Project of Sichuan University (No. 2020SCUNG129), and the Key Laboratory of Data Protection and Intelligent Management (Sichuan University), Ministry of Education

Subjects: Kubernetes; RESTful APIs; API fuzzing; black-box fuzzing

Abstract: RESTful API fuzzing is a promising method for automated vulnerability detection in Kubernetes *** tools struggle with generating lengthy, high-semantic request sequences that can pass Kubernetes API gateway *** address this, we propose KubeFuzzer, a black-box fuzzing tool designed for Kubernetes RESTful *** utilizes Natural Language Processing (NLP) to extract and integrate semantic information from API specifications and response messages, guiding the generation of more effective request *** evaluation of KubeFuzzer on various Kubernetes clusters shows that it improves code coverage by 7.86% to 36.34%, increases the successful response rate by 6.7% to 83.33%, and detects 16.7% to 133.3% more bugs compared to three leading *** identified over 1000 service crashes, which were narrowed down to 7 unique *** tested these bugs on 10 real-world Kubernetes projects, including major providers like AWS (EKS), Microsoft Azure (AKS), and Alibaba Cloud (ACK), and confirmed that these issues could trigger service *** have reported and confirmed these bugs with the Kubernetes community, and they have been addressed.
