TL;DR
Squirrel is a novel fuzzing framework that combines language validity and coverage feedback to effectively test database management systems, discovering numerous bugs, many of which have been fixed and assigned CVEs.
Contribution
It introduces an IR-based approach with type-aware mutations and semantic dependency analysis for syntactically and semantically correct SQL query generation.
Findings
Found 63 bugs across four DBMSs, with 52 fixed and 12 CVEs assigned.
Achieved 2.4x-243.9x higher semantic correctness than existing fuzzers.
Explored 2.0x-10.9x more new code paths compared to mutation-based tools.
Abstract
Fuzzing is an increasingly popular technique for verifying software functionalities and finding security vulnerabilities. However, current mutation-based fuzzers cannot effectively test database management systems (DBMSs), which strictly check inputs for valid syntax and semantics. Generation-based testing can guarantee the syntax correctness of the inputs, but it does not utilize any feedback, like code coverage, to guide the path exploration. In this paper, we develop Squirrel, a novel fuzzing framework that considers both language validity and coverage feedback to test DBMSs. We design an intermediate representation (IR) to maintain SQL queries in a structural and informative manner. To generate syntactically correct queries, we perform type-based mutations on IR, including statement insertion, deletion and replacement. To mitigate semantic errors, we analyze each IR to identify…
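The abstract's two central ideas, type-based mutation of a structured IR and a semantic dependency pass that repairs stale identifiers, are easier to see in code. The following is an added toy illustration written for this page; it is not Squirrel's code and its three-statement IR, its statement pool and its use of the in-memory SQLite driver as a validity oracle are all assumptions made here. Coverage feedback, Squirrel's actual IR and its grammar-driven parser are not represented.

```python
"""Toy Squirrel-style IR mutation with a semantic dependency fix (added illustration)."""
import random
import sqlite3
from dataclasses import dataclass, field


@dataclass
class Stmt:
    """One IR node: a whole SQL statement with its identifiers kept structured."""
    kind: str                              # "create", "insert" or "select"
    table: str
    cols: list                             # columns defined or referenced
    values: list = field(default_factory=list)   # literals for INSERT only


def to_sql(ir):
    """Serialise the IR back into SQL text (assumed toy grammar)."""
    out = []
    for s in ir:
        if s.kind == "create":
            out.append(f"CREATE TABLE {s.table} ({', '.join(c + ' INT' for c in s.cols)});")
        elif s.kind == "insert":
            out.append(f"INSERT INTO {s.table} ({', '.join(s.cols)}) "
                       f"VALUES ({', '.join(map(str, s.values))});")
        else:
            out.append(f"SELECT {', '.join(s.cols)} FROM {s.table};")
    return out


def mutate(ir, pool, rng):
    """Type-based mutation: insert, delete or replace a whole statement.
    Only complete statements (of matching kind for replace) move, so the
    result is always syntactically valid; identifiers may go stale."""
    ir = [Stmt(s.kind, s.table, list(s.cols), list(s.values)) for s in ir]
    op = rng.choice(["insert", "delete", "replace"])
    if op == "insert":
        ir.insert(rng.randrange(len(ir) + 1), rng.choice(pool))
    elif op == "delete" and len(ir) > 1:
        del ir[rng.randrange(len(ir))]
    else:
        i = rng.randrange(len(ir))
        ir[i] = rng.choice([p for p in pool if p.kind == ir[i].kind])
    return ir


def fix_dependencies(ir, rng=None):
    """Semantic dependency analysis: walk the IR in order, track which tables
    and columns exist at each point, and rebind later references to them."""
    rng = rng or random.Random(0)
    schema = {}                            # table name -> columns defined so far
    fixed = []
    for s in ir:
        s = Stmt(s.kind, s.table, list(s.cols), list(s.values))
        if s.kind == "create":
            while s.table in schema:       # duplicate definition: rename
                s.table += "_"
            schema[s.table] = list(s.cols)
        else:
            if not schema:                 # nothing to reference yet: drop it
                continue
            if s.table not in schema:      # dangling table: pick a live one
                s.table = rng.choice(sorted(schema))
            avail = schema[s.table]
            s.cols = [c if c in avail else rng.choice(avail) for c in s.cols]
            if s.kind == "insert":         # INSERT column lists must be unique
                s.cols = list(dict.fromkeys(s.cols))
                s.values = s.values[:len(s.cols)]
        fixed.append(s)
    return fixed


def runs_clean(stmts):
    """Oracle: does the whole query sequence execute without a DBMS error?"""
    con = sqlite3.connect(":memory:")
    try:
        for s in stmts:
            con.execute(s)
        return True
    except sqlite3.Error:
        return False
    finally:
        con.close()


def experiment(n=200, seed=1):
    """Count how many mutants pass the oracle with and without the fix."""
    rng = random.Random(seed)
    seed_ir = [Stmt("create", "t", ["a", "b"]),          # constructed seed input
               Stmt("insert", "t", ["a", "b"], [1, 2]),
               Stmt("select", "t", ["a"])]
    pool = [Stmt("create", "u", ["x"]), Stmt("insert", "u", ["x"], [7]),   # constructed
            Stmt("select", "u", ["x"]), Stmt("insert", "t", ["c"], [3]),
            Stmt("select", "t", ["z"])]
    raw_ok = fixed_ok = 0
    for _ in range(n):
        m = mutate(seed_ir, pool, rng)
        raw_ok += runs_clean(to_sql(m))
        fixed_ok += runs_clean(to_sql(fix_dependencies(m, rng)))
    return raw_ok, fixed_ok


if __name__ == "__main__":
    print("raw / fixed mutants accepted by SQLite:", experiment())
```

Running `experiment()` shows the gap the paper's semantic-correctness numbers describe: every mutant is well-formed SQL, but only a fraction of the unrepaired ones survive the DBMS's name resolution, while every dependency-fixed mutant does. In a real fuzzer the oracle would be replaced by the target DBMS plus coverage instrumentation, and the pool would come from parsing a seed corpus rather than being hand-written.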