Open Access

ARTICLE

KubeFuzzer: Automating RESTful API Vulnerability Detection in Kubernetes

Tao Zheng1, Rui Tang1,2,3, Xingshu Chen1,2,3,*, Changxiang Shen1

1 School of Cyber Science and Engineering, Sichuan University, Chengdu, 610065, China
2 Cyber Science Research Institute, Sichuan University, Chengdu, 610065, China
3 Key Laboratory of Data Protection and Intelligent Management (Sichuan University), Ministry of Education, Chengdu, 610065, China

* Corresponding Author: Xingshu Chen.

Computers, Materials & Continua 2024, 81(1), 1595-1612. https://doi.org/10.32604/cmc.2024.055180

Abstract

RESTful API fuzzing is a promising method for automated vulnerability detection in Kubernetes platforms. Existing tools struggle with generating lengthy, high-semantic request sequences that can pass Kubernetes API gateway checks. To address this, we propose KubeFuzzer, a black-box fuzzing tool designed for Kubernetes RESTful APIs. KubeFuzzer utilizes Natural Language Processing (NLP) to extract and integrate semantic information from API specifications and response messages, guiding the generation of more effective request sequences. Our evaluation of KubeFuzzer on various Kubernetes clusters shows that it improves code coverage by 7.86% to 36.34%, increases the successful response rate by 6.7% to 83.33%, and detects 16.7% to 133.3% more bugs compared to three leading techniques. KubeFuzzer identified over 1000 service crashes, which were narrowed down to 7 unique bugs. We tested these bugs on 10 real-world Kubernetes projects, including major providers like AWS (EKS), Microsoft Azure (AKS), and Alibaba Cloud (ACK), and confirmed that these issues could trigger service crashes. We have reported and confirmed these bugs with the Kubernetes community, and they have been addressed.


Copyright © 2024 The Author(s). Published by Tech Science Press.
This work is licensed under a Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.