@Article{cmc.2024.055180,
AUTHOR = {Tao Zheng, Rui Tang, Xingshu Chen, Changxiang Shen},
TITLE = {KubeFuzzer: Automating RESTful API Vulnerability Detection in Kubernetes},
JOURNAL = {Computers, Materials \& Continua},
VOLUME = {81},
YEAR = {2024},
NUMBER = {1},
PAGES = {1595--1612},
URL = {http://www.techscience.com/cmc/v81n1/58334},
ISSN = {1546-2226},
ABSTRACT = {RESTful API fuzzing is a promising method for automated vulnerability detection in Kubernetes platforms. Existing tools struggle with generating lengthy, high-semantic request sequences that can pass Kubernetes API gateway checks. To address this, we propose KubeFuzzer, a black-box fuzzing tool designed for Kubernetes RESTful APIs. KubeFuzzer utilizes Natural Language Processing (NLP) to extract and integrate semantic information from API specifications and response messages, guiding the generation of more effective request sequences. Our evaluation of KubeFuzzer on various Kubernetes clusters shows that it improves code coverage by 7.86% to 36.34%, increases the successful response rate by 6.7% to 83.33%, and detects 16.7% to 133.3% more bugs compared to three leading techniques. KubeFuzzer identified over 1000 service crashes, which were narrowed down to 7 unique bugs. We tested these bugs on 10 real-world Kubernetes projects, including major providers like AWS (EKS), Microsoft Azure (AKS), and Alibaba Cloud (ACK), and confirmed that these issues could trigger service crashes. We have reported and confirmed these bugs with the Kubernetes community, and they have been addressed.},
DOI = {10.32604/cmc.2024.055180}
}