[Review] DynSQL: Stateful Fuzzing for Database Management Systems with Complex and Valid SQL Query Generation

Link here

The paper proposes a stateful DBMS fuzzer called DynSQL. DynSQL introduces two new techniques: Dynamic Query Interaction and Error Feedback.

Instead of generating a whole SQL query up front and then executing it, Dynamic Query Interaction lets the fuzzer test the DBMS step by step: it executes one statement, observes the resulting DBMS state, and only then decides what the next statement should be.

Error Feedback uses the errors the DBMS reports for executed statements to steer generation toward valid SQL statements and queries.
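The following toy fuzzer is an added illustration of the two ideas above (Dynamic Query Interaction and Error Feedback); it is not DynSQL's code, and it targets an in-memory SQLite database instead of a production DBMS. The schema read-back, the generator rules, the deliberately schema-blind "guess_select" rule and the weight-halving feedback are all my own simplifications.

```python
"""Toy stateful SQL fuzzer: an added illustration of Dynamic Query Interaction and
Error Feedback, not code from DynSQL. Target DBMS: an in-memory SQLite database."""
import random
import sqlite3

# Generator rules (assumed for this example). All but "guess_select" consult the live
# schema, so they always produce valid SQL; "guess_select" guesses column names the
# way a stateless generator would, so it is the only rule that can fail.
RULES = ["create", "insert", "alter", "update", "select", "guess_select"]


def current_schema(conn):
    """Dynamic Query Interaction: read the DBMS state after each statement.
    Returns {table: [column, ...]} straight from sqlite_master / PRAGMA table_info."""
    schema = {}
    for (name,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        schema[name] = [row[1] for row in conn.execute(f'PRAGMA table_info("{name}")')]
    return schema


def next_statement(schema, weights, rng):
    """Pick a rule (weighted by past feedback) and build the next statement from the
    current schema. Returns (rule, sql)."""
    if not schema:
        rule = "create"
    else:
        rule = rng.choices(RULES, weights=[weights[r] for r in RULES])[0]
    if rule == "create":
        cols = ", ".join(f"c{i} INTEGER" for i in range(rng.randint(1, 3)))
        return rule, f"CREATE TABLE t{len(schema)} ({cols})"
    table = rng.choice(sorted(schema))
    cols = schema[table]
    if rule == "insert":
        vals = ", ".join(str(rng.randint(-5, 5)) for _ in cols)
        return rule, f"INSERT INTO {table} VALUES ({vals})"
    if rule == "alter":
        # columns are always c0..c{n-1}, so c{n} is guaranteed not to exist yet
        return rule, f"ALTER TABLE {table} ADD COLUMN c{len(cols)} INTEGER"
    if rule == "update":
        col = rng.choice(cols)
        return rule, f"UPDATE {table} SET {col} = {col} + 1 WHERE {col} IS NOT NULL"
    if rule == "select":
        col = rng.choice(cols)
        other = rng.choice(sorted(schema))
        return rule, f"SELECT a.{col} FROM {table} AS a JOIN {other} AS b ORDER BY 1 LIMIT 5"
    # guess_select ignores the schema: c5 may not exist -> "no such column"
    return rule, f"SELECT c{rng.randint(0, 5)} FROM {table}"


def fuzz(seed=0, steps=80):
    """Run one stateful session. Each statement is executed before the next one is
    generated; errors feed back into the rule weights so invalid patterns get rarer."""
    rng = random.Random(seed)
    conn = sqlite3.connect(":memory:")
    weights = {r: 1.0 for r in RULES}
    executed, errors = [], []
    for _ in range(steps):
        rule, sql = next_statement(current_schema(conn), weights, rng)
        try:
            conn.execute(sql).fetchall()
            executed.append(sql)
        except sqlite3.Error as exc:
            # Error Feedback: the DBMS rejected this statement; halve the producing
            # rule's weight so the session spends its budget on valid SQL instead.
            errors.append((rule, sql, str(exc)))
            weights[rule] = max(0.05, weights[rule] / 2)
    return {"executed": executed, "errors": errors, "weights": weights,
            "schema": current_schema(conn)}


if __name__ == "__main__":
    result = fuzz(seed=1)
    print(f"{len(result['executed'])} valid statements, {len(result['errors'])} errors")
    for rule, sql, msg in result["errors"][:3]:
        print(f"  [{rule}] {sql} -> {msg}")
```

Because every statement after the first is built from the schema that the previous statements actually produced, the session can reach states (several tables, columns added mid-run, joins across them) that a generator emitting the whole query in advance would have to predict correctly. The only errors come from the rule that ignores that state, and the feedback loop visibly suppresses it.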

Background:

Prior DBMS testing tools: SQLsmith, SQUIRREL, SQLancer.

Existing DBMS fuzzers are still limited in generating complex and valid queries to find deep bugs in DBMSs.

SQLsmith generates only one statement per query. SQUIRREL produces more than 50% invalid queries and tends to generate simple statements.

SQLancer aims at finding logic bugs in DBMSs rather than general bugs.

[Review] autofz: Automated Fuzzer Composition at Runtime

Link here

This paper proposes a fuzzing framework that composes several existing fuzzers into a single fuzzing campaign. For each workload it selects, at runtime, an optimal fuzzer or mixture of fuzzers. Unlike earlier work, autofz:

  1. Needs no preset configuration or human effort.
  2. Allocates fuzzers per workload rather than per program.

Background:

  • A large number of fuzzers exist, which makes it hard to choose the right one for a given fuzzing task.
  • No single fuzzer consistently outperforms the others, so picking an optimal fuzzer up front is difficult.
  • A fuzzer's effectiveness may not last for the whole fuzzing campaign.
  • Fuzzing is a random process, so the fuzzer that was optimal in one run may not be optimal in the next.
[Review] MINER: A Hybrid Data-Driven Approach for REST API Fuzzing

Link here

This paper proposes a new approach to REST API fuzzing [1], which:

  1. Focuses on generating long request sequences.
  2. Introduces a customized attention model to support the fuzzing process (helping generated requests pass the service's semantic checks).
  3. Implements a new data-driven security rule checker to capture a new class of errors caused by undefined parameters.

[1]: REST APIs are exercised through HTTP methods, usually GET, POST, PUT and DELETE.

Motivation:

Testing cloud services matters, but earlier work (such as RESTler) fails to generate long request sequences, which are needed to reach the deep, hard-to-reach states of a cloud service where errors hide. MINER uses length-oriented mechanisms to generate long request sequences, an attention model to help requests pass the service's semantic checks, and a data-driven security rule checker to capture a new class of errors caused by undefined parameters.
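The checker below is an added illustration of the "undefined parameter" error class mentioned above, not MINER's code. It assumes one reading of that rule: a request carrying a parameter the API specification does not define should be rejected, so a 2xx answer to such a request is reported. The spec fragment, the request/response records and the record format are all constructed for this example.

```python
"""Added illustration of an "undefined parameter" rule checker over recorded
request/response pairs. Not MINER's code; the spec and the log are constructed."""
import json
from urllib.parse import parse_qs, urlsplit

# Constructed spec fragment in the spirit of an OpenAPI description:
# (method, path template) -> parameter names the API actually defines.
SPEC = {
    ("POST", "/users"): {"name", "email"},
    ("GET", "/users/{id}"): {"id", "fields"},
}


def match_template(method, path):
    """Map a concrete path (/users/42) to its spec template (/users/{id})."""
    parts = path.split("/")
    for (m, template), params in SPEC.items():
        tparts = template.split("/")
        if m != method or len(tparts) != len(parts):
            continue
        if all(t.startswith("{") or t == p for t, p in zip(tparts, parts)):
            return template, params
    return None, None


def request_params(req):
    """Collect the names of every parameter the request carries: query string
    keys plus top-level JSON body keys. Returns (path, names)."""
    url = urlsplit(req["url"])
    names = set(parse_qs(url.query, keep_blank_values=True))
    body = req.get("body")
    if body:
        try:
            decoded = json.loads(body)
        except ValueError:
            decoded = {}
        if isinstance(decoded, dict):
            names |= set(decoded)
    return url.path, names


def check(req, resp):
    """Assumed rule: report a request whose undefined parameters were accepted (2xx).
    A 4xx answer means the service rejected the extra parameter, which is fine."""
    path, names = request_params(req)
    template, defined = match_template(req["method"], path)
    if template is None:
        return {"kind": "unspecified_endpoint", "method": req["method"], "path": path}
    undefined = names - defined
    if undefined and 200 <= resp["status"] < 300:
        return {"kind": "undefined_param_accepted", "method": req["method"],
                "path": template, "params": sorted(undefined), "status": resp["status"]}
    return None


def audit(records):
    """Run the checker over (request, response) pairs and return the findings."""
    findings = []
    for req, resp in records:
        finding = check(req, resp)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed request/response log, in the shape a fuzzer might record.
RECORDS = [
    ({"method": "POST", "url": "/users", "body": '{"name":"a","email":"a@x.test"}'}, {"status": 201}),
    ({"method": "POST", "url": "/users", "body": '{"name":"b","email":"b@x.test","role":"admin"}'}, {"status": 201}),
    ({"method": "GET", "url": "/users/42?fields=name"}, {"status": 200}),
    ({"method": "GET", "url": "/users/42?debug=1"}, {"status": 400}),
    ({"method": "GET", "url": "/users/42?debug=1"}, {"status": 200}),
    ({"method": "GET", "url": "/admin/export"}, {"status": 200}),
]

if __name__ == "__main__":
    for finding in audit(RECORDS):
        print(finding)
```

The second POST is the interesting case for a security reviewer: the service silently accepted a `role` field the specification never defined, which is exactly the kind of unintended input path a spec-driven fuzzer would otherwise never exercise. The checker also separates "accepted an undefined parameter" from "hit an endpoint the spec does not describe at all", since the two need different follow-up.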
