In existing work, adapting a fuzzer to a new DBMS is labor-intensive.
Status quo: there are 391 different DBMSs on the market, each with its own syntax.
Griffin does not use a concrete grammar; instead it uses a metadata graph (a lightweight data structure) to keep test cases correct during mutation.
Implementation: 9,532 lines of C++, built on AFL++ 4.00c.
Obtaining metadata: for DBMSs that support the ANSI standard it can be collected with SELECT statements; for DBMSs that do not, their own DBMS-specific APIs must be called.
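The two acquisition paths mentioned above, as an added example (not Griffin's code). The ANSI path is a query against the standard information_schema views, assumed to exist on the target (PostgreSQL, MySQL and others expose them) and shown only as a string; the non-ANSI path uses SQLite's own catalog (sqlite_master plus PRAGMA table_info), which is what actually runs here. The schema is constructed for the demo; the placeholder style in the ANSI query varies by driver.

```python
"""Collecting the initial metadata a DBMS fuzzer seeds its graph with.

Added example, not Griffin's code. Assumptions: information_schema is
available on the ANSI target (query shown, not executed); SQLite stands in
for a DBMS whose catalog must be read through its own interface.
"""
import sqlite3

# Portable query for DBMSs that expose the standard information_schema.
# The parameter is the schema name ('public' on PostgreSQL, the database name on MySQL).
ANSI_COLUMNS_QUERY = """
SELECT table_name, column_name, data_type
FROM information_schema.columns
WHERE table_schema = ?
ORDER BY table_name, ordinal_position
"""


def sqlite_metadata(con):
    """Snapshot SQLite's catalog into {"tables": ..., "views": ..., "indexes": ...}.

    tables/views map name -> [(column, declared_type, is_pk), ...]
    indexes map name -> the table they index.
    """
    meta = {"tables": {}, "views": {}, "indexes": {}}
    rows = con.execute(
        "SELECT type, name, tbl_name FROM sqlite_master "
        "WHERE name NOT LIKE 'sqlite_%' ORDER BY name"
    ).fetchall()
    for kind, name, tbl in rows:
        if kind in ("table", "view"):
            # PRAGMA takes no bind parameters, so quote the identifier by hand.
            quoted = '"' + name.replace('"', '""') + '"'
            cols = con.execute(f"PRAGMA table_info({quoted})").fetchall()
            # table_info rows: (cid, name, type, notnull, dflt_value, pk)
            meta[kind + "s"][name] = [(c[1], c[2], c[5] > 0) for c in cols]
        elif kind == "index":
            meta["indexes"][name] = tbl
    return meta


def demo():
    """Constructed schema; returns the metadata a fuzzer would start from."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE t0 (id INTEGER PRIMARY KEY, v TEXT);
        CREATE INDEX i0 ON t0 (v);
        CREATE VIEW v0 AS SELECT id FROM t0;
    """)
    try:
        return sqlite_metadata(con)
    finally:
        con.close()


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

The point of the split is that the fuzzer core only ever sees the dictionary shape returned by `sqlite_metadata`; porting to a new DBMS means writing one such collector, not a grammar.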
Generation-based: For SQLancer and SQLsmith, they cannot generate these SQL test cases due to the lack of grammar rules support.
For Squirrel, although the initial seeds contain some specific SQL grammar, it skips the mutation of those seeds because they cannot be recognized by the inner parser of Squirrel, which does not support the specific grammar.
As a result, when only limited initial seeds are given and cover only a little SQL grammar of DBMS, Griffin's performance will decrease because it is designed without any SQL grammar. However, for commonly used DBMS, it is not difficult to collect grammar-rich SQL queries.
For example, if a test case tries to insert the same value twice in a primary key column, the DBMS cannot execute the second insertion statement due to the primary key constraint.
Griffin only considers metadata dependencies, while primary key constraints are related to both metadata dependencies and data dependencies.
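A metadata-graph mutation sketch, added here as an example and not Griffin's code, to make the point above concrete. Each statement is reduced to the metadata it defines (tables/indexes it creates) and the metadata it uses; an edge runs from the defining statement to each using statement. Reshuffle and deletion keep those edges intact, so every mutated sequence is metadata-valid, yet the constructed seed still fails on the duplicate primary-key INSERT because that is a data dependency the graph cannot see. Simplifications (assumptions): only table and index names are tracked, not columns, and only a few statement shapes are recognised; SQLite is the target.

```python
"""Metadata-graph reshuffle/deletion and the data-dependency blind spot.

Added example, not Griffin's code. Assumes statement-level metadata only
(tables and indexes) and a handful of statement shapes.
"""
import random
import re
import sqlite3

_CREATE_TABLE = re.compile(r"^\s*CREATE\s+TABLE\s+(\w+)", re.I)
_CREATE_INDEX = re.compile(r"^\s*CREATE\s+INDEX\s+(\w+)\s+ON\s+(\w+)", re.I)
_USE_TABLE = re.compile(r"\b(?:INTO|FROM|UPDATE|JOIN)\s+(\w+)", re.I)

# Constructed seed: statements 2 and 3 insert the same primary key.
SEED = [
    "CREATE TABLE t0 (id INTEGER PRIMARY KEY, v TEXT)",
    "CREATE INDEX i0 ON t0 (v)",
    "INSERT INTO t0 VALUES (1, 'a')",
    "INSERT INTO t0 VALUES (1, 'b')",
    "SELECT v FROM t0 WHERE id = 1",
]


def metadata_of(stmt):
    """Return (defines, uses): sets of metadata names for one statement."""
    m = _CREATE_TABLE.match(stmt)
    if m:
        return {m.group(1)}, set()
    m = _CREATE_INDEX.match(stmt)
    if m:
        return {m.group(1)}, {m.group(2)}
    return set(), set(_USE_TABLE.findall(stmt))


def build_graph(stmts):
    """deps[j] = indices of the statements defining what statement j uses."""
    defined_by = {}
    deps = [set() for _ in stmts]
    for i, s in enumerate(stmts):
        defines, uses = metadata_of(s)
        for name in uses:
            if name in defined_by:
                deps[i].add(defined_by[name])
        for name in defines:
            defined_by[name] = i
    return deps


def random_valid_order(stmts, deps, rng):
    """Reshuffle: randomised topological order, every use after its definition."""
    placed, order = set(), []
    while len(order) < len(stmts):
        ready = sorted(i for i in range(len(stmts))
                       if i not in placed and deps[i] <= placed)
        pick = rng.choice(ready)
        order.append(pick)
        placed.add(pick)
    return [stmts[i] for i in order]


def delete_with_dependents(stmts, deps, victim):
    """Deletion: drop `victim` and everything transitively depending on it."""
    doomed = {victim}
    changed = True
    while changed:
        changed = False
        for j in range(len(stmts)):
            if j not in doomed and deps[j] & doomed:
                doomed.add(j)
                changed = True
    return [s for i, s in enumerate(stmts) if i not in doomed]


def run(stmts):
    """Execute in a fresh in-memory SQLite; return [(stmt, error_name_or_None)]."""
    con = sqlite3.connect(":memory:")
    results = []
    for s in stmts:
        try:
            con.execute(s)
            results.append((s, None))
        except sqlite3.Error as e:
            results.append((s, type(e).__name__))
    con.close()
    return results


def semantic_errors(results):
    """Names of the errors the DBMS raised; a fuzzer wants this list short."""
    return [err for _, err in results if err is not None]


def fuzz_once(stmts, seed_value=7):
    """One round: metadata-valid reshuffle, then execution. Returns (order, results)."""
    deps = build_graph(stmts)
    order = random_valid_order(stmts, deps, random.Random(seed_value))
    return order, run(order)


if __name__ == "__main__":
    for s, err in fuzz_once(SEED)[1]:
        print(f"{err or 'ok':15} {s}")
```

Whatever order the reshuffle picks, the CREATE statements land first and the SELECT finds its table, so no metadata error appears; the only failure is the IntegrityError on whichever duplicate INSERT runs second. Deleting statement 3 (and its dependents, of which there are none) removes the error entirely, which is exactly the data dependency the notes say Griffin does not model.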
Strengths
Simple but effective
Grammar-free
Potential for extension (crash-bug domain)
Weaknesses & adaptations
May still trigger some semantic errors (inserting the same value twice into a primary key column: a data dependency)
Relies on an abundance of initial seeds (this paper: transform SQL queries from other DBMSs; RATEL: build a keyword dictionary)
Random reshuffle (LEGO: type affinity) and random deletion (QPG: complex query plans)
Note: the effectiveness of the above two improvements was rejected; the randomness of mutation should not be broken.
Implemented in C++ on top of AFL++; no open-source code was provided.
No coverage guidance (or not mentioned)