Towards Generic Database Management System Fuzzing
Yupeng Yang, Yongheng Chen, Rui Zhong, Jizhou Chen, Wenke Lee
33rd USENIX Security Symposium · Day 1 · USENIX Security '24
Database Management Systems (DBMSs), encompassing both relational (SQL) and non-relational (NoSQL) variants, form the backbone of modern data storage, retrieval, and management across a vast array of applications. Given their pervasive adoption and critical role, the security and robustness of these systems are paramount. Flaws within DBMSs can lead to data corruption, unauthorized access, denial of service, and significant operational disruptions. Fuzzing, a powerful software testing technique involving the injection of random or semi-random inputs, has proven highly effective in uncovering vulnerabilities and stability issues in various software systems. While specialized fuzzers have achieved considerable success in identifying bugs in SQL DBMSs, a significant gap exists in effective fuzzing solutions for the increasingly diverse landscape of non-SQL DBMSs.
AI review
BuzzBee delivers a genuinely novel framework for fuzzing both SQL and NoSQL DBMSs, tackling long-standing challenges in semantic correctness and data dependencies. Its sophisticated approach, particularly the dependency-guided mutation and context-sensitive constraint resolution, led to the discovery of 40 new vulnerabilities across eight real-world systems. This isn't just theory; it's a practical tool that raises the bar for database security.