A Model-Based Fuzzing Approach for DBMS

被引：0

作者：

Wang, Jiajie ^{[1
]}

Zhang, Puhan ^{[1
]}

Zhang, Lei ^{[1
]}

Zhu, Haowen ^{[2
]}

Ye, Xiaojun ^{[2
]}

机构：

[1] China Informat Technol Secur Evaluat Ctr, Beijing, Peoples R China

[2] Tsinghua Univ, Sch Software, Beijing, Peoples R China

来源：

2013 8TH INTERNATIONAL ICST CONFERENCE ON COMMUNICATIONS AND NETWORKING IN CHINA (CHINACOM) | 2013年

基金：

中国国家自然科学基金;

关键词：

security testing for DBMS; fuzzing framework; model-based testing; vulnerability discovery;

D O I：

暂无

中图分类号：

TM [电工技术]; TN [电子技术、通信技术];

学科分类号：

0808 ; 0809 ;

摘要：

As one of critical components of information infrastructure, database management system (DBMS) faces various security challenges. Although fuzz testing has been used in the security evaluation of DBMS, most of current fuzzers focus on SQL syntax more than multi-phase interaction between the client and server of DBMS. This paper presents a model-based fuzzing approach to discover vulnerabilities of DBMSs, which supports state-aware and multi-phase fuzz testing. Based on the model-based fuzzing framework, a finite state machine model EXT-DBFSM is proposed to manipulate the fuzzing process and guarantee the validation of test cases. The approach is implemented and experimented on several DBMSs. The result has proved effectiveness of this approach, 14 vulnerabilities are discovered, including 10 unreleased ones.

引用

页码：426 / 431

页数：6

共 18 条

[1]

Abdelnur Humberto J, 2007, P 1 INT C PRINC SYST, P47

[2]

Aitel D., ADVANTAGES BLOCK BAS

[3]

Amini P., Sulley

[4]

Banks G, 2006, LECT NOTES COMPUT SC, V4176, P343

[5]

Beynon-Davies P., 2004, Database Systems, V3rd

[6]

Eddington M., PEACH

[7]

Felderer M., 2011, Advances in System Testing and Validation Lifecycle (VALID 2011), P109

[8]

Forrester J.E., 2000, Proceedings of the 4th conference on USENIX Windows Systems Symposium, V4, P6

[9] Test model for security vulnerability in web controls based on fuzzing [J].

Yao, Guoxiang ;

Guan, Quanlong ;

Ni, Kaibin .

Journal of Software, 2012, 7 (04) :773-778

[10]

Hopcroft J.E., 2006, Introduction to Automata Theory, Languages, and Computation, V3rd

← 1 2 →