Computer Science ›› 2026, Vol. 53 ›› Issue (2): 133-144. doi: 10.11896/jsjkx.241200060

• Computer Architecture •

  • Corresponding author: CAO Yan (ieycao@zzu.edu.cn)
  • Author contact: aizawanachu@gmail.com

Research on Fuzz Testing Techniques for Closed-source DBMSs Based on Black-box Instrumentation

LI Zhongjie1, LIANG Haotian1, JIA Haoyang1, WANG Qingxian1, CAO Yan1,2

  1 School of Cyberspace Security and Engineering, Zhengzhou University, Zhengzhou 450002, China
  2 Songshan Laboratory, Zhengzhou 450000, China
  • Received: 2024-12-09  Revised: 2025-03-18  Online: 2026-02-10
  • About author: LI Zhongjie, born in 1996, postgraduate, is a member of CCF (No. N1001G). His main research interest is database vulnerability discovery.
    CAO Yan, born in 1983, associate professor, Ph.D. supervisor, is a member of CCF (No. 17447S). His main research interest is vulnerability discovery.
  • Supported by:
    Songshan Laboratory-Funded Project (232102210124, ZZK202403002-03) and Henan Province Science and Technology Research Project (232102210124).


Abstract: DBMSs are widely used application software for managing business data, and their security is critical. Any form of data leakage or corruption could lead to significant security issues. Currently, there are relatively few public research findings on vulnerability detection for closed-source DBMSs. To enable effective testing of closed-source DBMSs, a novel approach has been developed. It proposes methods based on grammar structure mutation and semantic rule-based variable filling to generate test datasets in batches, creating syntactically and semantically correct complex SQL queries from provided raw corpora. These inputs allow for in-depth exploration of the deep logic of DBMSs. Additionally, a dynamic coverage analysis method based on Pin is introduced to collect real-time coverage data for closed-source DBMSs, using feedback from the coverage to guide seed scheduling in fuzz testing. Based on these methods, an automated testing prototype tool for closed-source DBMSs, named OFuz, has been developed. Experiments conducted on Oracle and SQL Server validate the effectiveness of OFuz, demonstrating superior performance in test dataset generation and coverage analysis compared to other tools.
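The abstract names three mechanisms: grammar-structure mutation of seeds, semantic-rule variable filling so generated queries stay valid, and coverage feedback driving seed scheduling. The following Python is an added illustration of how those three pieces fit together; it is not OFuz's code and does not come from the paper. The schema, the seed corpus and the column/literal names are constructed for the example, and `trace_coverage` is a stand-in that derives "blocks" from query features, because the paper's real coverage source (a Pin tool attached to the DBMS process) cannot run offline.

```python
"""Added example, not OFuz's code: grammar-structure mutation, semantic
variable filling and coverage-guided seed scheduling for SQL fuzzing."""
import random

# Constructed toy schema (table -> column -> type). A real run would read the
# catalog of the target DBMS; these names are assumptions for the example.
SCHEMA = {
    "employees": {"id": "int", "salary": "int", "name": "text"},
    "orders": {"id": "int", "amount": "int", "status": "text"},
}

# Constructed raw corpus. Each seed is kept as a grammar-structured dict of
# clause subtrees rather than a flat string, so mutation moves whole clauses.
# Typed placeholders ($INT_COL, $TEXT_COL, $INT, $TEXT) are the variables
# that the semantic rules fill later.
CORPUS = [
    {"select": ["$INT_COL"], "where": ("$INT_COL", ">", "$INT")},
    {"select": ["$TEXT_COL", "$INT_COL"], "where": ("$TEXT_COL", "=", "$TEXT"),
     "order": "$INT_COL"},
    {"select": ["$TEXT_COL"]},
]
OPTIONAL_CLAUSES = ("where", "order")


def mutate_structure(seed, corpus, rng):
    """Grammar-structure mutation: swap, drop or add a clause subtree taken
    from another seed. Every result is still a well-formed SELECT skeleton."""
    child = dict(seed)
    op = rng.choice(["swap", "drop", "add"])
    if op == "swap":
        donor = rng.choice(corpus)
        slot = rng.choice(list(donor))
        child[slot] = donor[slot]
    elif op == "drop":
        present = [k for k in OPTIONAL_CLAUSES if k in child]
        if present:
            del child[rng.choice(present)]
    else:
        donor = rng.choice(corpus)
        missing = [k for k in OPTIONAL_CLAUSES if k in donor and k not in child]
        if missing:
            slot = rng.choice(missing)
            child[slot] = donor[slot]
    return child


def fill_variables(seed, schema, rng):
    """Semantic-rule variable filling: choose one table, then resolve every
    typed placeholder against that table so each column exists there and the
    literal on the other side of a comparison has a matching type."""
    table = rng.choice(sorted(schema))
    by_type = {}
    for col, ctype in schema[table].items():
        by_type.setdefault(ctype, []).append(col)

    def fill(tok):
        if tok == "$INT_COL":
            return rng.choice(sorted(by_type["int"]))
        if tok == "$TEXT_COL":
            return rng.choice(sorted(by_type["text"]))
        if tok == "$INT":
            return str(rng.randint(0, 1000))
        if tok == "$TEXT":
            return "'" + rng.choice(["open", "closed"]) + "'"
        return tok  # keywords and operators pass through unchanged

    sql = "SELECT " + ", ".join(fill(c) for c in seed["select"]) + " FROM " + table
    if "where" in seed:
        sql += " WHERE " + " ".join(fill(t) for t in seed["where"])
    if "order" in seed:
        sql += " ORDER BY " + fill(seed["order"])
    return sql, table


def trace_coverage(sql, schema):
    """Stand-in for the Pin-based tracer. In the real setup a pintool records
    the basic blocks the DBMS process executes while handling the query; here
    the "blocks" are derived from which columns each clause touches, so the
    feedback loop runs offline. Constructed for the example, not real data."""
    tokens = sql.replace(",", " ").split()
    table = tokens[tokens.index("FROM") + 1]
    blocks = {"parse", "table:" + table}
    clause = "SELECT"
    for tok in tokens[1:]:
        if tok in ("WHERE", "ORDER"):
            clause = tok
        elif tok in schema[table]:
            blocks.add("%s:%s.%s" % (clause, table, tok))
        elif tok in (">", "="):
            blocks.add("cmp:" + tok)
    return blocks


def fuzz(corpus, schema, iterations, seed=1):
    """Coverage-guided seed scheduling: a child that reaches new blocks joins
    the queue, and parents are ranked by new coverage gained per execution."""
    rng = random.Random(seed)
    covered, queue, interesting = set(), [], []
    for tree in corpus:  # baseline: run the raw corpus once
        sql, _ = fill_variables(tree, schema, rng)
        covered |= trace_coverage(sql, schema)
        queue.append({"tree": tree, "gain": 1.0, "runs": 1})
    for _ in range(iterations):
        parent = max(queue, key=lambda s: s["gain"] / s["runs"] + 0.01 * rng.random())
        parent["runs"] += 1
        child = mutate_structure(parent["tree"], corpus, rng)
        sql, _ = fill_variables(child, schema, rng)
        new = trace_coverage(sql, schema) - covered
        if new:  # new blocks reached: keep the child and reward the parent
            covered |= new
            parent["gain"] += len(new)
            queue.append({"tree": child, "gain": float(len(new)), "runs": 1})
            interesting.append(sql)
    return covered, interesting


if __name__ == "__main__":
    blocks, queries = fuzz(CORPUS, SCHEMA, 200)
    print(len(blocks), "blocks covered;", len(queries), "queries kept, e.g.:")
    for q in queries[:5]:
        print("  ", q)
```

The separation matters for a closed-source target: the mutator only ever sees clause subtrees, so syntax errors cannot be introduced, and the filler consults the schema per table, so the query is rejected neither by the parser nor by semantic analysis and reaches the planner and executor, which is where the coverage-guided loop can still tell seeds apart. Swapping `trace_coverage` for real block-level feedback from an instrumentation tool is the only change the loop would need.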

Key words: Database security, Closed-source database management systems, Black-box testing, Fuzz testing, Coverage analysis

CLC number: TP309