A model-based fuzzing approach for DBMS

Author

Jiajie Wang ; Puhan Zhang ; Lei Zhang ; Haowen Zhu ; Ye Xiaojun

Author_Institution

China Inf. Technol. Security Evaluation Center, Beijing, China

fYear

2013

fDate

14-16 Aug. 2013

Firstpage

426

Lastpage

431

Abstract

As one of critical components of information infra-structure, database management system (DBMS) faces various security challenges. Although fuzz testing has been used in the security evaluation of DBMS, most of current fuzzers focus on SQL syntax more than multi-phase interaction between the client and server of DBMS. This paper presents a model-based fuzzing approach to discover vulnerabilities of DBMSs, which supports state-aware and multi-phase fuzz testing. Based on the model-based fuzzing framework, a finite state machine model EXT-DBFSM is proposed to manipulate the fuzzing process and guarantee the validation of test cases. The approach is implemented and experimented on several DBMSs. The result has proved effectiveness of this approach, 14 vulnerabilities are discovered, including 10 unreleased ones.

Keywords

client-server systems; database management systems; finite state machines; program testing; security of data; DBMS security evaluation; DBMS vulnerability discovery; EXT-DBFSM; SQL syntax; client-server interaction; database management system; finite state machine model; fuzzing process manipulation; information infrastructure; model-based fuzzing approach; multiphase fuzz testing; multiphase interaction; security challenge; state-aware fuzz testing; Automata; Monitoring; Protocols; Security; Servers; Syntactics; Testing; fuzzing framework; model-based testing; security testing for DBMS; vulnerability discovery;

fLanguage

English

Publisher

ieee

Conference_Titel

Communications and Networking in China (CHINACOM), 2013 8th International ICST Conference on

Conference_Location

Guilin

Type

conf

DOI

10.1109/ChinaCom.2013.6694634

Filename

6694634