Industry Practice of Coverage-Guided Enterprise-Level DBMS Fuzzing

TL;DR

This paper presents Ratel, a coverage-guided fuzzing tool tailored for enterprise-level DBMSs, demonstrating significant improvements in bug detection and code coverage over existing industry and academic fuzzers.

Contribution

The paper introduces Ratel, a novel coverage-guided fuzzing framework specifically designed for complex enterprise DBMSs, addressing industry-specific challenges and outperforming existing tools.

Findings

Ratel achieved up to 583% more code coverage than existing fuzzers.

Discovered 79 previously unknown bugs across three enterprise DBMSs.

Enhanced fuzzing robustness and root cause analysis capabilities.

Abstract

As an infrastructure for data persistence and analysis, Database Management Systems (DBMSs) are the cornerstones of modern enterprise software. To improve their correctness, the industry has been applying blackbox fuzzing for decades. Recently, the research community achieved impressive fuzzing gains using coverage guidance. However, due to the complexity and distributed nature of enterprise-level DBMSs, seldom are these researches applied to the industry. In this paper, we apply coverage-guided fuzzing to enterprise-level DBMSs from Huawei and Bloomberg LP. In our practice of testing GaussDB and Comdb2, we found major challenges in all three testing stages. The challenges are collecting precise coverage, optimizing fuzzing performance, and analyzing root causes. In search of a general method to overcome these challenges, we propose Ratel, a coverage-guided fuzzer for enterprise-level DBMSs. With its industry-oriented design, Ratel improves the feedback precision, enhances the robustness of input generation, and performs an on-line investigation on the root cause of bugs. As a result, Ratel outperformed other fuzzers in terms of coverage and bugs. Compared to industrial black box fuzzers SQLsmith and SQLancer, as well as coverage-guided academic fuzzer Squirrel, Ratel covered 38.38%, 106.14%, 583.05% more basic blocks than the best results of other three fuzzers in GaussDB, PostgreSQL, and Comdb2, respectively. More importantly, Ratel has discovered 32, 42, and 5 unknown bugs in GaussDB, Comdb2, and PostgreSQL.