Fuzzing
Computer science
SQL injection
Programming language
Database
Sequence (biology)
Reuse
Software
Information retrieval
Query by example
Search engine
Engineering
Genetics
Biology
Web search query
Waste management
Authors
Jie Liang,Yaoguang Chen,Zhiyong Wu,Jingzhou Fu,Mingzhe Wang,Yu Jiang,Xiangdong Huang,Ting Chen,Jiashui Wang,Jiajia Li
Identifier
DOI:10.1109/icde55515.2023.00057
Abstract
The SQL specification consists of hundreds of statement types, which leads to difficulties in DBMS fuzzing: state-of-the-art works generally reuse the statements of predefined types; the limited types cannot cover the full input space and test the corresponding logic consequently. In this paper, we propose Lego, a fuzzer to generate SQL sequences with abundant types to improve DBMS fuzzing coverage. The key idea of sequence generation is type-affinity, which indicates the meaningful occurrence of SQL type pairs (e.g., INSERT and SELECT). During each fuzzing iteration, Lego first proactively explores SQL statements of different types and analyzes affinities with coverage feedback. Next, when a new affinity is discovered, Lego synthesizes new SQL sequences containing the types progressively. We evaluate Lego on PostgreSQL, MySQL, MariaDB, and Comdb2 against SQLancer, SQLsmith, and Squirrel. The sequence-oriented fuzzing helps Lego outperform other fuzzers on branch coverage by 44%–198%. More importantly, in the continuous fuzzing, Lego has discovered 102 new vulnerabilities confirmed by the corresponding vendors, including 6 bugs in PostgreSQL, 21 bugs in MySQL, 42 bugs in MariaDB, and 33 bugs in Comdb2. Among them, 22 CVEs have been assigned due to their severe security influences.