[Review] DynSQL: Stateful Fuzzing for Database Management Systems with Complex and Valid SQL Query Generation
The paper presents a stateful DBMS fuzzer called DynSQL, which introduces two new techniques: Dynamic Query Interaction and Error Feedback.
Instead of generating an entire SQL query before executing it, Dynamic Query Interaction lets the fuzzer test the DBMS "step by step": it dynamically chooses the next statement only after all prior statements have been executed.
Error Feedback, in turn, feeds execution errors back into seed generation so that it produces more valid SQL statements and queries.
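A constructed Python illustration of the two ideas against an in-memory SQLite database (added example, not DynSQL's code): each statement is generated from the schema the DBMS actually holds after the previous statement ran, and generators whose statements the DBMS rejects are down-weighted. The generator names, weighting factors and the deliberately schema-blind `gen_bad_column` are assumptions made for the demonstration.

```python
import random
import sqlite3

# Constructed illustration: the next statement is derived from live DBMS state
# (dynamic query interaction) and rejected statements penalise the generator
# that produced them (error feedback). Not DynSQL's own implementation.

def live_schema(conn):
    """Read {table: [columns]} from the running instance, not a static plan."""
    tables = conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
    return {t: [r[1] for r in conn.execute(f'PRAGMA table_info("{t}")')]
            for (t,) in tables.fetchall()}

def gen_create(schema, rng):
    cols = ", ".join(f"c{i} INTEGER" for i in range(rng.randint(1, 3)))
    return f"CREATE TABLE t{len(schema)} ({cols})"
def gen_insert(schema, rng):
    if not schema:
        return None  # nothing to insert into yet
    t = rng.choice(sorted(schema))
    return f"INSERT INTO {t} VALUES ({', '.join(str(rng.randint(-5, 5)) for _ in schema[t])})"
def gen_join(schema, rng):
    if len(schema) < 2:
        return None  # a join needs two existing tables
    a, b = rng.sample(sorted(schema), 2)
    return f"SELECT * FROM {a} JOIN {b} ON {a}.{schema[a][0]} = {b}.{schema[b][0]}"
def gen_bad_column(schema, rng):
    """Deliberately schema-blind generator (assumed); it is usually rejected."""
    return f"SELECT c9 FROM {rng.choice(sorted(schema))}" if schema else None

GENERATORS = [gen_create, gen_insert, gen_join, gen_bad_column]

def fuzz_session(steps=40, seed=1):
    rng, conn = random.Random(seed), sqlite3.connect(":memory:")
    weights = {g.__name__: 1.0 for g in GENERATORS}
    log = []
    for _ in range(steps):
        schema = live_schema(conn)             # state observed after last step
        g = rng.choices(GENERATORS, [weights[x.__name__] for x in GENERATORS])[0]
        stmt = g(schema, rng)
        if stmt is None:
            continue
        try:
            conn.execute(stmt)
            weights[g.__name__] = min(weights[g.__name__] * 1.2, 5.0)
            log.append((stmt, None))
        except sqlite3.Error as e:             # error feedback: penalise generator
            weights[g.__name__] = max(weights[g.__name__] * 0.5, 0.05)
            log.append((stmt, str(e)))
    return log, weights
```

Running `fuzz_session()` returns the executed statements with any error text, plus the final generator weights; the schema-blind generator ends up with a lower weight than the ones that only emit statements valid for the current state.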
Background:
Prior DBMS testing tools: SQLsmith, SQUIRREL, SQLancer.
Existing DBMS fuzzers remain limited in generating complex and valid queries, which are needed to find deep bugs in DBMSs.
SQLsmith generates only one statement per query; SQUIRREL produces over 50% invalid queries and tends to generate simple statements.
SQLancer aims to find logic bugs in DBMSs rather than general bugs.