2 research outputs found
Industry Practice of Coverage-Guided Enterprise-Level DBMS Fuzzing
As an infrastructure for data persistence and analysis, Database Management
Systems (DBMSs) are the cornerstones of modern enterprise software. To improve
their correctness, the industry has been applying blackbox fuzzing for decades.
Recently, the research community achieved impressive fuzzing gains using
coverage guidance. However, due to the complexity and distributed nature of
enterprise-level DBMSs, seldom are these researches applied to the industry.
In this paper, we apply coverage-guided fuzzing to enterprise-level DBMSs
from Huawei and Bloomberg LP. In our practice of testing GaussDB and Comdb2, we
found major challenges in all three testing stages. The challenges are
collecting precise coverage, optimizing fuzzing performance, and analyzing root
causes. In search of a general method to overcome these challenges, we propose
Ratel, a coverage-guided fuzzer for enterprise-level DBMSs. With its
industry-oriented design, Ratel improves the feedback precision, enhances the
robustness of input generation, and performs an on-line investigation on the
root cause of bugs. As a result, Ratel outperformed other fuzzers in terms of
coverage and bugs. Compared to industrial black box fuzzers SQLsmith and
SQLancer, as well as coverage-guided academic fuzzer Squirrel, Ratel covered
38.38%, 106.14%, 583.05% more basic blocks than the best results of other three
fuzzers in GaussDB, PostgreSQL, and Comdb2, respectively. More importantly,
Ratel has discovered 32, 42, and 5 unknown bugs in GaussDB, Comdb2, and
PostgreSQL
IntelliGen: Automatic Driver Synthesis for FuzzTesting
Fuzzing is a technique widely used in vulnerability detection. The process
usually involves writing effective fuzz driver programs, which, when done
manually, can be extremely labor intensive. Previous attempts at automation
leave much to be desired, in either degree of automation or quality of output.
In this paper, we propose IntelliGen, a framework that constructs valid fuzz
drivers automatically. First, IntelliGen determines a set of entry functions
and evaluates their respective chance of exhibiting a vulnerability. Then,
IntelliGen generates fuzz drivers for the entry functions through hierarchical
parameter replacement and type inference. We implemented IntelliGen and
evaluated its effectiveness on real-world programs selected from the Android
Open-Source Project, Google's fuzzer-test-suite and industrial collaborators.
IntelliGen covered on average 1.08X-2.03X more basic blocks and 1.36X-2.06X
more paths over state-of-the-art fuzz driver synthesizers FUDGE and FuzzGen.
IntelliGen performed on par with manually written drivers and found 10 more
bugs.Comment: 10 pages, 5 figure