8th International Conference on Communications and Networking in China

Research Article

A Model-Based Fuzzing Approach for DBMS

  • @INPROCEEDINGS{10.1109/ChinaCom.2013.6694634,
        author={Jiajie Wang and Puhan Zhang and Lei Zhang and Haowen Zhu and Xiaojun Ye},
        title={A Model-Based Fuzzing Approach for DBMS},
        proceedings={8th International Conference on Communications and Networking in China},
        publisher={IEEE},
        proceedings_a={CHINACOM},
        year={2013},
        month={11},
        keywords={security testing for DBMS, fuzzing framework, model-based testing, vulnerability discovery},
        doi={10.1109/ChinaCom.2013.6694634}
    }
    
Jiajie Wang1, Puhan Zhang1, Lei Zhang1, Haowen Zhu2,*, Xiaojun Ye2
  • 1: China Information Technology Security Evaluation Center
  • 2: Tsinghua University
*Contact email: zhuhw12@mails.tsinghua.edu.cn

Abstract

As one of the critical components of information infrastructure, the database management system (DBMS) faces various security challenges. Although fuzz testing has been used in the security evaluation of DBMSs, most current fuzzers focus more on SQL syntax than on the multi-phase interaction between the DBMS client and server. This paper presents a model-based fuzzing approach for discovering vulnerabilities in DBMSs that supports state-aware, multi-phase fuzz testing. Within the model-based fuzzing framework, a finite state machine model, EXT-DBFSM, is proposed to drive the fuzzing process and guarantee the validity of test cases. The approach is implemented and evaluated on several DBMSs. The results demonstrate the effectiveness of the approach: 14 vulnerabilities were discovered, including 10 unreleased ones.