Title :
A model-based fuzzing approach for DBMS
Author :
Jiajie Wang ; Puhan Zhang ; Lei Zhang ; Haowen Zhu ; Ye Xiaojun
Author_Institution :
China Inf. Technol. Security Evaluation Center, Beijing, China
Abstract :
As one of critical components of information infra-structure, database management system (DBMS) faces various security challenges. Although fuzz testing has been used in the security evaluation of DBMS, most of current fuzzers focus on SQL syntax more than multi-phase interaction between the client and server of DBMS. This paper presents a model-based fuzzing approach to discover vulnerabilities of DBMSs, which supports state-aware and multi-phase fuzz testing. Based on the model-based fuzzing framework, a finite state machine model EXT-DBFSM is proposed to manipulate the fuzzing process and guarantee the validation of test cases. The approach is implemented and experimented on several DBMSs. The result has proved effectiveness of this approach, 14 vulnerabilities are discovered, including 10 unreleased ones.
Keywords :
client-server systems; database management systems; finite state machines; program testing; security of data; DBMS security evaluation; DBMS vulnerability discovery; EXT-DBFSM; SQL syntax; client-server interaction; database management system; finite state machine model; fuzzing process manipulation; information infrastructure; model-based fuzzing approach; multiphase fuzz testing; multiphase interaction; security challenge; state-aware fuzz testing; Automata; Monitoring; Protocols; Security; Servers; Syntactics; Testing; fuzzing framework; model-based testing; security testing for DBMS; vulnerability discovery;
Conference_Titel :
Communications and Networking in China (CHINACOM), 2013 8th International ICST Conference on
Conference_Location :
Guilin
DOI :
10.1109/ChinaCom.2013.6694634
