RESTLess：利用云服务计算中的 LLM 增强最新 REST API 模糊测试

IF 5.5 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

IEEE Transactions on Services Computing Pub Date : 2024-11-01 DOI:10.1109/TSC.2024.3489441

Tao Zheng;Jiang Shao;Jinqiao Dai;Shuyu Jiang;Xingshu Chen;Changxiang Shen

{"title":"RESTLess：利用云服务计算中的 LLM 增强最新 REST API 模糊测试","authors":"Tao Zheng;Jiang Shao;Jinqiao Dai;Shuyu Jiang;Xingshu Chen;Changxiang Shen","doi":"10.1109/TSC.2024.3489441","DOIUrl":null,"url":null,"abstract":"REST API Fuzzing is an emerging approach for automated vulnerability detection in cloud services. However, existing SOTA fuzzers face challenges in generating lengthy sequences comprising high-semantic requests, so that they may hardly trigger hard-to-reach states within a cloud service. To overcome this problem, we propose RESTLess, a flexible and efficient approach with hybrid optimization strategies for REST API fuzzing enhancement. Specifically, to pass the cloud gateway syntax semantic checking, we construct a dataset of valid parameters of REST API with Large Language Model named RTSet, then utilize it to develop an efficient REST API specification semantic enhancement approach. To detect vulnerability hidden under complex API operations, we design a flexible parameter rendering order optimization algorithm to increase the length and type of request sequences. Evaluation results highlight that RESTLess manifests noteworthy enhancements in the semantic quality of generated sequences in comparison to existing tools, thereby augmenting their capabilities in detecting vulnerabilities effectively. We also apply RESTLess to nine real-world cloud service such as Microsoft Azure, Amazon Web Services, Google Cloud, etc., and detecte 38 vulnerabilities, of which 16 have been confirmed and fixed by the relevant vendors.","PeriodicalId":13255,"journal":{"name":"IEEE Transactions on Services Computing","volume":"17 6","pages":"4225-4238"},"PeriodicalIF":5.5000,"publicationDate":"2024-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"RESTLess: Enhancing State-of-the-Art REST API Fuzzing With LLMs in Cloud Service Computing\",\"authors\":\"Tao Zheng;Jiang Shao;Jinqiao Dai;Shuyu Jiang;Xingshu Chen;Changxiang Shen\",\"doi\":\"10.1109/TSC.2024.3489441\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"REST API Fuzzing is an emerging approach for automated vulnerability detection in cloud services. However, existing SOTA fuzzers face challenges in generating lengthy sequences comprising high-semantic requests, so that they may hardly trigger hard-to-reach states within a cloud service. To overcome this problem, we propose RESTLess, a flexible and efficient approach with hybrid optimization strategies for REST API fuzzing enhancement. Specifically, to pass the cloud gateway syntax semantic checking, we construct a dataset of valid parameters of REST API with Large Language Model named RTSet, then utilize it to develop an efficient REST API specification semantic enhancement approach. To detect vulnerability hidden under complex API operations, we design a flexible parameter rendering order optimization algorithm to increase the length and type of request sequences. Evaluation results highlight that RESTLess manifests noteworthy enhancements in the semantic quality of generated sequences in comparison to existing tools, thereby augmenting their capabilities in detecting vulnerabilities effectively. We also apply RESTLess to nine real-world cloud service such as Microsoft Azure, Amazon Web Services, Google Cloud, etc., and detecte 38 vulnerabilities, of which 16 have been confirmed and fixed by the relevant vendors.\",\"PeriodicalId\":13255,\"journal\":{\"name\":\"IEEE Transactions on Services Computing\",\"volume\":\"17 6\",\"pages\":\"4225-4238\"},\"PeriodicalIF\":5.5000,\"publicationDate\":\"2024-11-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"IEEE Transactions on Services Computing\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://ieeexplore.ieee.org/document/10740182/\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Services Computing","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10740182/","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

摘要

REST API模糊测试是一种在云服务中自动检测漏洞的新兴方法。然而，现有的SOTA模糊器在生成包含高语义请求的长序列方面面临挑战，因此它们很难触发云服务中难以到达的状态。为了克服这个问题，我们提出了一种灵活有效的REST API模糊测试增强混合优化策略RESTLess。具体而言，为了通过云网关语法语义检查，我们利用RTSet大语言模型构建了REST API有效参数的数据集，并利用该数据集开发了一种高效的REST API规范语义增强方法。为了检测复杂API操作下隐藏的漏洞，我们设计了一种灵活的参数呈现顺序优化算法，增加请求序列的长度和类型。评估结果强调，与现有工具相比，RESTLess在生成序列的语义质量方面表现出显著的增强，从而增强了它们有效检测漏洞的能力。我们还将RESTLess应用于微软Azure、亚马逊Web服务、谷歌cloud等9个真实云服务，检测到38个漏洞，其中16个已被相关厂商确认并修复。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

RESTLess: Enhancing State-of-the-Art REST API Fuzzing With LLMs in Cloud Service Computing

REST API Fuzzing is an emerging approach for automated vulnerability detection in cloud services. However, existing SOTA fuzzers face challenges in generating lengthy sequences comprising high-semantic requests, so that they may hardly trigger hard-to-reach states within a cloud service. To overcome this problem, we propose RESTLess, a flexible and efficient approach with hybrid optimization strategies for REST API fuzzing enhancement. Specifically, to pass the cloud gateway syntax semantic checking, we construct a dataset of valid parameters of REST API with Large Language Model named RTSet, then utilize it to develop an efficient REST API specification semantic enhancement approach. To detect vulnerability hidden under complex API operations, we design a flexible parameter rendering order optimization algorithm to increase the length and type of request sequences. Evaluation results highlight that RESTLess manifests noteworthy enhancements in the semantic quality of generated sequences in comparison to existing tools, thereby augmenting their capabilities in detecting vulnerabilities effectively. We also apply RESTLess to nine real-world cloud service such as Microsoft Azure, Amazon Web Services, Google Cloud, etc., and detecte 38 vulnerabilities, of which 16 have been confirmed and fixed by the relevant vendors.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

IEEE Transactions on Services Computing COMPUTER SCIENCE, INFORMATION SYSTEMS-COMPUTER SCIENCE, SOFTWARE ENGINEERING

CiteScore

11.50

自引率

6.20%

发文量

278

审稿时长

>12 weeks

期刊介绍： IEEE Transactions on Services Computing encompasses the computing and software aspects of the science and technology of services innovation research and development. It places emphasis on algorithmic, mathematical, statistical, and computational methods central to services computing. Topics covered include Service Oriented Architecture, Web Services, Business Process Integration, Solution Performance Management, and Services Operations and Management. The transactions address mathematical foundations, security, privacy, agreement, contract, discovery, negotiation, collaboration, and quality of service for web services. It also covers areas like composite web service creation, business and scientific applications, standards, utility models, business process modeling, integration, collaboration, and more in the realm of Services Computing.