A Model-Based Fuzzing Approach for DBMS

被引:0
|
作者
Wang, Jiajie [1 ]
Zhang, Puhan [1 ]
Zhang, Lei [1 ]
Zhu, Haowen [2 ]
Ye, Xiaojun [2 ]
机构
[1] China Informat Technol Secur Evaluat Ctr, Beijing, Peoples R China
[2] Tsinghua Univ, Sch Software, Beijing, Peoples R China
来源
2013 8TH INTERNATIONAL ICST CONFERENCE ON COMMUNICATIONS AND NETWORKING IN CHINA (CHINACOM) | 2013年
基金
中国国家自然科学基金;
关键词
security testing for DBMS; fuzzing framework; model-based testing; vulnerability discovery;
D O I
暂无
中图分类号
TM [电工技术]; TN [电子技术、通信技术];
学科分类号
0808 ; 0809 ;
摘要
As one of critical components of information infrastructure, database management system (DBMS) faces various security challenges. Although fuzz testing has been used in the security evaluation of DBMS, most of current fuzzers focus on SQL syntax more than multi-phase interaction between the client and server of DBMS. This paper presents a model-based fuzzing approach to discover vulnerabilities of DBMSs, which supports state-aware and multi-phase fuzz testing. Based on the model-based fuzzing framework, a finite state machine model EXT-DBFSM is proposed to manipulate the fuzzing process and guarantee the validation of test cases. The approach is implemented and experimented on several DBMSs. The result has proved effectiveness of this approach, 14 vulnerabilities are discovered, including 10 unreleased ones.
引用
收藏
页码:426 / 431
页数:6
相关论文
共 50 条
  • [1] A Model-Based Behavioral Fuzzing Approach for Network Service
    Wang, Jiajie
    Guo, Tao
    Zhang, Puhan
    Xiao, Qixue
    2013 THIRD INTERNATIONAL CONFERENCE ON INSTRUMENTATION & MEASUREMENT, COMPUTER, COMMUNICATION AND CONTROL (IMCCC), 2013, : 1129 - 1134
  • [2] Online Model-Based Behavioral Fuzzing
    Schneider, Martin
    Grossmann, Juergen
    Schieferdecker, Ina
    Pietschker, Andrej
    IEEE SIXTH INTERNATIONAL CONFERENCE ON SOFTWARE TESTING, VERIFICATION AND VALIDATION WORKSHOPS (ICSTW 2013), 2013, : 469 - 475
  • [3] Model-Based Whitebox Fuzzing for Program Binaries
    Van-Thuan Pham
    Bohme, Marcel
    Roychoudhury, Abhik
    2016 31ST IEEE/ACM INTERNATIONAL CONFERENCE ON AUTOMATED SOFTWARE ENGINEERING (ASE), 2016, : 543 - 553
  • [4] WinkFuzz: Model-based Script Synthesis for Fuzzing
    Liu, Zian
    Chen, Chao
    Ahmed, Ejaz
    Zhang, Jun
    Liu, Dongxi
    THIRD INTERNATIONAL WORKSHOP ON ADVANCED SECURITY ON SOFTWARE AND SYSTEMS, ASSS 2023, 2023,
  • [5] Model-Based Grey-Box Fuzzing of Network Protocols
    Pan, Yan
    Lin, Wei
    Jiao, Liang
    Zhu, Yuefei
    SECURITY AND COMMUNICATION NETWORKS, 2022, 2022
  • [6] Griffin: Grammar-Free DBMS Fuzzing
    Fu, Jingzhou
    Liang, Jie
    Wu, Zhiyong
    Wang, Mingzhe
    Jiang, Yu
    PROCEEDINGS OF THE 37TH IEEE/ACM INTERNATIONAL CONFERENCE ON AUTOMATED SOFTWARE ENGINEERING, ASE 2022, 2022,
  • [7] T-Fuzz: Model-Based Fuzzing for Robustness Testing of Telecommunication Protocols
    Johansson, William
    Svensson, Martin
    Larson, Ulf E.
    Almgren, Magnus
    Gulisano, Vincenzo
    2014 IEEE SEVENTH INTERNATIONAL CONFERENCE ON SOFTWARE TESTING, VERIFICATION AND VALIDATION (ICST), 2014, : 323 - 332
  • [8] A Model-Based SEMP Approach
    Steiner, Rick
    Stemm, Doug
    Insight, 2 (03): : 18 - 19
  • [9] A Model-based Approach for Assessment and Motivation
    Spector, J. Michael
    Kim, ChanMin
    COMPUTER SCIENCE AND INFORMATION SYSTEMS, 2012, 9 (02) : 893 - 915
  • [10] An approach for model-based risk assessment
    Gran, BA
    Fredriksen, R
    Thunem, APJ
    COMPUTER SAFETY, RELIABILITY, AND SECURITY, PROCEEDINGS, 2004, 3219 : 311 - 324
12345