SQUIRREL: Testing Database Management Systems with Language Validity and Coverage Feedback

Fuzzing is an increasingly popular technique for testing software functionality and finding security vulnerabilities. However, current mutation-based fuzzers cannot effectively test database management systems (DBMSs), which strictly check inputs for valid syntax and semantics: a byte-level mutation of a SQL query is almost always rejected by the parser or the semantic checker before it reaches the execution engine. Generation-based testing can guarantee the syntactic correctness of the inputs, but it does not utilize any feedback, such as code coverage, to guide path exploration. In this paper, we develop Squirrel, a novel fuzzing framework that considers both language validity and coverage feedback to test DBMSs. We design an intermediate representation (IR) to maintain SQL queries in a structural and informative manner. To generate syntactically correct queries, we perform type-based mutations on the IR, including statement insertion, deletion and replacement. To mitigate semantic errors, we analyze each IR to identify the logical dependencies between arguments (for example, a column referenced in a SELECT must belong to a table that an earlier CREATE TABLE defined and that has not since been dropped), and generate queries that satisfy these dependencies. We evaluated Squirrel on four popular DBMSs: SQLite, MySQL, PostgreSQL and MariaDB. Squirrel found 51 bugs in SQLite, 7 in MySQL and 5 in MariaDB. 52 of these bugs have been fixed and 12 CVEs have been assigned. In our experiments, Squirrel achieves 2.4×-243.9× higher semantic correctness than state-of-the-art fuzzers, and explores 2.0×-10.9× more new edges than mutation-based tools. These results show that Squirrel is effective in finding memory errors in database management systems.
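The following Python sketch is an added example, not code from the Squirrel paper or its implementation. It shows the three ideas of the abstract on a deliberately tiny IR: queries are kept as typed statement nodes rather than text, mutation inserts, deletes or replaces whole statements, and a dependency pass then binds every table and column reference to a name that is actually live at that point in the query (a DROP takes its table out of scope, and an unsatisfiable reference is repaired by synthesising a CREATE in front of it). All names (`Slot`, `Stmt`, `skeleton`, `mutate`, `instantiate`, `validate`, `fuzz`), the four statement kinds and the repair policy are assumptions chosen for illustration; the real IR, mutation operators and dependency rules are far richer.

```python
"""Toy IR + type-based mutation + dependency-aware instantiation.
Added illustration of the approach described in the abstract; not the
paper's code. Statement kinds, slot layouts and the CREATE-repair policy
are assumptions made for this example."""
import random
from dataclasses import dataclass

DEF, USE = "def", "use"          # a slot either introduces a name or refers to one


@dataclass
class Slot:
    role: str                    # DEF or USE
    typ: str                     # "table" or "column"
    value: str = ""              # concrete identifier, filled in by instantiate()


@dataclass
class Stmt:
    kind: str
    slots: list


KINDS = ["CREATE", "INSERT", "SELECT", "DROP"]


def skeleton(kind):
    """Type-based building block: the slot layout of one statement kind."""
    layouts = {
        "CREATE": [(DEF, "table"), (DEF, "column"), (DEF, "column")],
        "INSERT": [(USE, "table"), (USE, "column")],
        "SELECT": [(USE, "table"), (USE, "column"), (USE, "column")],
        "DROP":   [(USE, "table")],
    }
    return Stmt(kind, [Slot(r, t) for r, t in layouts[kind]])


def mutate(stmts, rng):
    """One structural mutation on the IR (insert / delete / replace a whole
    statement). Identifiers are discarded; instantiate() rebinds them."""
    stmts = [skeleton(s.kind) for s in stmts]          # copy with empty slots
    op = rng.choice(["insert", "delete", "replace"])
    if op == "insert" or not stmts:
        stmts.insert(rng.randint(0, len(stmts)), skeleton(rng.choice(KINDS)))
    elif op == "delete":
        del stmts[rng.randrange(len(stmts))]
    else:
        stmts[rng.randrange(len(stmts))] = skeleton(rng.choice(KINDS))
    return stmts


def instantiate(stmts, rng):
    """Dependency analysis and resolution. Walk the query in order keeping the
    live tables and their columns; bind every USE to a live name. When no
    table is live, synthesise a CREATE in front of the statement instead of
    emitting a dangling reference (the semantic error a text fuzzer would make)."""
    out, scope, fresh = [], {}, {"t": 0, "c": 0}

    def new_name(prefix):
        fresh[prefix] += 1
        return f"{prefix}{fresh[prefix]}"

    def bind(stmt):
        table = None
        for slot in stmt.slots:
            if slot.role == DEF and slot.typ == "table":
                table = slot.value = new_name("t")
                scope[table] = []
            elif slot.role == DEF:                    # column of the new table
                slot.value = new_name("c")
                scope[table].append(slot.value)
            elif slot.typ == "table":                 # any live table
                table = slot.value = rng.choice(sorted(scope))
            else:                                     # a column of that table
                slot.value = rng.choice(scope[table])
        if stmt.kind == "DROP":
            del scope[table]                          # later USEs must not see it

    for stmt in stmts:
        if any(s.role == USE for s in stmt.slots) and not scope:
            fix = skeleton("CREATE")
            bind(fix)
            out.append(fix)
        bind(stmt)
        out.append(stmt)
    return out


def validate(stmts):
    """Replay the dependency rules over an instantiated query: True only if every
    table/column reference is live where it is used and no table is redefined."""
    scope = {}
    for stmt in stmts:
        table = None
        for slot in stmt.slots:
            if slot.role == DEF and slot.typ == "table":
                if slot.value in scope:
                    return False
                table = slot.value
                scope[table] = []
            elif slot.role == DEF:
                scope[table].append(slot.value)
            elif slot.typ == "table":
                if slot.value not in scope:
                    return False
                table = slot.value
            elif slot.value not in scope.get(table, []):
                return False
        if stmt.kind == "DROP":
            scope.pop(table, None)
    return True


def render(stmt):
    """Serialise one IR node to SQL text (only done when the query is sent)."""
    v = [s.value for s in stmt.slots]
    if stmt.kind == "CREATE":
        return f"CREATE TABLE {v[0]} ({v[1]} INT, {v[2]} TEXT);"
    if stmt.kind == "INSERT":
        return f"INSERT INTO {v[0]} ({v[1]}) VALUES (1);"
    if stmt.kind == "SELECT":
        return f"SELECT {v[1]}, {v[2]} FROM {v[0]};"
    return f"DROP TABLE {v[0]};"


def fuzz(seed, rounds=20):
    """Mutate-then-instantiate loop; returns the instantiated IR of each round.
    A real fuzzer would run each rendered query and use coverage to pick seeds."""
    rng = random.Random(seed)
    stmts = [skeleton("CREATE"), skeleton("SELECT")]      # constructed seed query
    corpus = []
    for _ in range(rounds):
        stmts = instantiate(mutate(stmts, rng), rng)
        corpus.append(stmts)
    return corpus


if __name__ == "__main__":
    for q in fuzz(seed=1, rounds=3):
        print("\n".join(render(s) for s in q), "\n--- valid:", validate(q))
```

The point of the example is the division of labour: the mutation operator only needs to know statement types, so it never produces a syntactically broken query, while all knowledge about what must be defined before it is used lives in the dependency pass. The `DROP` case is the kind of ordering constraint a purely grammar-based generator misses: the grammar accepts `DROP TABLE t1; SELECT c1 FROM t1;`, but the DBMS rejects it before any interesting code runs.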
