Database Management Systems (DBMSs) are the core of management information systems, so detecting security bugs or vulnerabilities in DBMSs is an essential task. In recent years, grey-box fuzzing has been adopted to detect DBMS bugs because of its high effectiveness. However, the seed scheduling strategy of existing fuzzing techniques does not consider the correctness of seeds, which makes it inefficient at finding vulnerabilities in DBMSs. Moreover, current tools cannot correctly generate SQL statements with nested structures, which limits their effectiveness. This paper proposes a fuzzing solution named Squill to address these challenges. First, we propose correctness-guided mutation, which uses the correctness of seeds as feedback to guide fuzzing. Second, Squill embeds semantics-aware instantiation, which correctly fills semantics into SQL statements with nested structures by collecting the context information of AST nodes. We implemented Squill on top of Squirrel and evaluated it on three popular DBMSs: MySQL, MariaDB, and OceanBase. In our experiments, Squill explored 29% more paths and found 3.4× more bugs than the existing tool. In total, Squill detected 30 bugs in MySQL, 27 in MariaDB, and 6 in OceanBase; overall, 19 of the bugs have been fixed and 9 CVEs assigned. The results show that Squill outperforms the previous fuzzer in both code coverage and bug discovery.

Black-box fuzzing, or generation-based fuzzing, has been used extensively to find DBMS bugs, as in SQLsmith and SQLancer, and security researchers have found a considerable number of bugs with it. A black-box fuzzer treats the program as a black box and is unaware of its internal structure: it randomly generates a large number of SQL statements and executes them in the DBMS, and when unexpected behavior such as a crash occurs, the current input is saved for subsequent analysis. The disadvantage of black-box fuzzing, thoroughly discussed in the academic literature, is inefficiency. Because the generation of SQL statements is entirely random, and given the complexity of a DBMS, most inputs generated by a black-box fuzzer fail to trigger the deep program logic where bugs often hide. Despite this inefficiency, the technique still has a wide range of uses: since black-box fuzzing does not require the source code of the DBMS, it can test commercial DBMSs that are not open source.

Researchers have studied grey-box fuzzing actively in recent years. The main difference between grey-box and black-box fuzzing is that the former leverages instrumentation to glean information about the program, such as code coverage. Starting from an initial seed queue, a grey-box fuzzer performs a series of mutations on seeds to generate new inputs and saves those inputs that trigger a new program state (or a crash) for future mutation. Compared with a black-box fuzzer, a grey-box fuzzer can therefore explore the deep states of the program gradually. The well-known AFL collects the code coverage of the program during fuzzing through instrumentation, and DBMS vendors have applied it to DBMS testing; for example, SQLite used AFL as a standard part of its testing strategy until it was superseded by better fuzzers. However, since fuzzers like AFL were not designed for DBMS fuzzing, the SQL statements AFL generates often contain syntactic or semantic errors, making it hard to reach the deep logic of a DBMS (such as the optimizer). Squirrel, a recent work focusing on DBMS fuzzing, has solved this problem to some extent, making it the state-of-the-art grey-box DBMS fuzzer. It introduces a structure-aware mutator for SQL statements into AFL, and after mutation it fills the inputs with new semantics to improve their syntactic and semantic correctness.

In recent years, many new solutions have been proposed to improve the efficiency of grey-box fuzzers, an important one being better seed scheduling strategies. However, seed scheduling has received less attention in the DBMS fuzzing area. In DBMS fuzzing, different seeds have different correctness, and seeds with different correctness contribute differently to fuzzing. Hence scheduling seeds by speed and size, the seed scheduling strategy of the existing grey-box DBMS fuzzer, is inefficient. Another challenge in grey-box DBMS fuzzing is the semantic filling of SQL statements.
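The correctness-feedback idea can be sketched in code. The following is an added illustration, not Squill's or Squirrel's implementation: it assumes a hypothetical three-level correctness scale derived from the DBMS's response to a seed (parser reject, semantic reject, executed) and contrasts the speed-and-size seed weighting with one scaled by that level. The error strings and the seed queue are constructed, only modelled on MySQL's wording.

```python
import re
from dataclasses import dataclass

# Error strings below are constructed, modelled on MySQL's wording; a real harness
# would read the server's error code after executing each mutated statement.
SYNTAX_RE = re.compile(r"syntax", re.I)

def correctness_level(response: str) -> int:
    """Hypothetical scale: 0 = rejected by the parser, 1 = parsed but failed
    semantic checks (unknown column/table, ...), 2 = executed (reached the
    optimizer/executor)."""
    if response == "" or response.startswith("OK"):
        return 2
    if SYNTAX_RE.search(response):
        return 0
    return 1  # any other server error means the statement got past the parser

@dataclass
class Seed:
    sql: str
    response: str  # what the DBMS answered when the seed was executed
    exec_us: int   # execution time in microseconds (speed feedback)

def weight_speed_size(seed: Seed) -> float:
    """Baseline: prefer fast, small seeds (AFL-style), blind to correctness."""
    return 1.0 / (seed.exec_us * len(seed.sql))

def weight_correctness(seed: Seed) -> float:
    """Correctness-guided: same base score scaled by correctness level, with a
    floor so that syntactically broken seeds are not starved completely."""
    return (1 + 4 * correctness_level(seed.response)) * weight_speed_size(seed)

def selection_shares(seeds, weight_fn):
    """Probability that each seed is picked for mutation next."""
    weights = [weight_fn(s) for s in seeds]
    total = sum(weights)
    return {s.sql: w / total for s, w in zip(seeds, weights)}

# Constructed seed queue: one parser reject, one semantic reject, one nested
# statement that executed (and so can reach the optimizer).
QUEUE = [
    Seed("SELEC * FROM t1;", "ERROR 1064 (42000): You have an error in your SQL syntax", 40),
    Seed("SELECT c9 FROM t1;", "ERROR 1054 (42S22): Unknown column 'c9' in 'field list'", 60),
    Seed("SELECT c1 FROM t1 WHERE c1 IN (SELECT c1 FROM t2);", "OK", 300),
]

if __name__ == "__main__":
    for name, fn in (("speed/size", weight_speed_size), ("correctness", weight_correctness)):
        print(name, {sql: round(p, 3) for sql, p in selection_shares(QUEUE, fn).items()})
```

Under the speed-and-size weighting the short, fast but syntactically broken seed dominates the queue; the correctness-scaled weighting shifts probability toward the seeds that actually got past the parser and name resolution.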