SQLRight
combines the coverage-based guidance, validity-oriented mutations and oracles to detect logical bugs for DBMS systems. SQLRight
first mutates existing queries cooperatively. It inserts a set of oracle-required statements, and applies our validity-oriented mutations to improve the validity rate. Then, it sends the query to the oracle to create functionally equivalent query counterparts. SQLRight
feeds all generated queries to the DBMS, and collects the execution results and the coverage information. After that, SQLRight
invokes the oracle to compare the results of different queries to identify logical bugs. At last, it inserts the coverage-improving queries into the queue for future mutations.
For more details of SQLRight
, plese check our paper published on Usenix Security 2022.
Currently supported DBMS:
- SQLite3
- PostgreSQL
- MySQL
The overview of SQLRight
is illustrated by the diagram below.
- Yu Liang [email protected]
- Song Liu [email protected]
- Hong Hu [email protected]
Detecting Logical Bugs of DBMS with Coverage-based Guidance
@inproceedings{liang:sqlright,
title = {{Detecting Logical Bugs of DBMS with Coverage-based Guidance}},
author = {Yu Liang and Song Liu and Hong Hu},
booktitle = {Proceedings of the 31st USENIX Security Symposium (USENIX 2022)},
month = {aug},
year = {2022},
address = {Boston, MA},
}