SQLaser: Detecting DBMS Logic Bugs with Clause-Guided Fuzzing

Jin Wei, Ping Chen, Kangjie Lu, Jun Dai, Xiaoyan Sun

TL;DR

This work addresses the challenge of detecting logic bugs in DBMSs, which usually do not crash the system but yield incorrect query results or data leakage. It introduces SQLaser, a clause-guided directed fuzzing approach that models logic bugs as sequences of function calls (target call chains) derived from SQL clause patterns, and uses a path-to-path distance between a seed's call chain and the target chains to prioritize seeds. By systematically identifying 35 SQL-level bug patterns across four DBMSs and checking results with differential test oracles (such as NoREC and TLP), SQLaser reproduces all patterns and finds 22 bugs (including 4 previously unknown ones), reducing time-to-exposure by roughly 60% compared with prior fuzzers. The approach demonstrates practical impact through faster bug discovery, bugs the other fuzzers miss, and the value of clause-level guidance in fuzzing-based DBMS testing.

Abstract

Database Management Systems (DBMSs) are vital components in modern data-driven systems. Their complexity often leads to logic bugs, which are implementation errors within the DBMSs that can lead to incorrect query results, data exposure, unauthorized access, etc., without necessarily causing visible system failures. Existing detection approaches employ two strategies: rule-based bug detection and coverage-guided fuzzing. In general, rule specification itself is challenging; as a result, rule-based detection is limited to specific and simple rules. Coverage-guided fuzzing blindly explores code paths or blocks, many of which are unlikely to contain logic bugs; therefore, this strategy is cost-ineffective. In this paper, we design SQLaser, a SQL-clause-guided fuzzer for detecting logic bugs in DBMSs. Through a comprehensive examination of most existing logic bugs across four distinct DBMSs, excluding those causing system crashes, we have identified 35 logic bug patterns. These patterns manifest as certain SQL clause combinations that commonly result in logic bugs, and behind these clause combinations are a sequence of functions. We therefore model logic bug patterns as error-prone function chains (i.e., sequences of functions). We further develop a directed fuzzer with a new path-to-path distance-calculation mechanism for effectively testing these chains and discovering additional logic bugs. This mechanism enables SQLaser to swiftly navigate to target sites and uncover potential bugs emerging from these paths. Our evaluation, conducted on SQLite, MySQL, PostgreSQL, and TiDB, demonstrates that SQLaser significantly accelerates bug discovery compared to other fuzzing approaches, reducing detection time by approximately 60%.
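The following is an added illustration of the seed-prioritization idea described in the abstract; it is not SQLaser's code. A seed (an SQL statement) is represented by the chain of DBMS functions it exercised, and is ranked by its distance to the nearest target chain derived from a clause pattern. The distance used here, an edit distance over function-name sequences, is an assumption for the example: the page does not give SQLaser's actual path-to-path formula. The target chains, function names and seed statements are constructed for the example.

```python
# Added illustration (not SQLaser's own code): rank fuzzing seeds by how close
# the call chain they exercised is to a target call chain derived from an SQL
# clause pattern. The edit-distance metric below is an assumption; the page
# does not state SQLaser's actual path-to-path distance.
from __future__ import annotations

# Constructed "trimmed call chains" for two hypothetical clause patterns.
# The function names are invented for the example.
TARGET_CHAINS: dict[str, list[str]] = {
    "WHERE + LIKE": ["whereBegin", "exprAnalyze", "likeOptimization", "whereLoopAdd"],
    "GROUP BY + HAVING": ["selectCore", "innerLoop", "updateAccumulator", "finalizeAgg"],
}

# Constructed seeds: SQL text -> the call chain observed when executing it.
SEEDS: dict[str, list[str]] = {
    "SELECT a FROM t WHERE a LIKE 'x%'": ["whereBegin", "exprAnalyze", "likeOptimization"],
    "SELECT a FROM t": ["selectCore", "innerLoop"],
    "SELECT a FROM t WHERE a > 1": ["selectCore", "whereBegin", "exprAnalyze", "whereLoopAdd"],
}


def chain_distance(seed: list[str], target: list[str]) -> int:
    """Levenshtein distance between two call chains: one unit for every function
    that must be inserted, deleted or replaced to turn `seed` into `target`."""
    prev = list(range(len(target) + 1))
    for i, fn in enumerate(seed, start=1):
        cur = [i]
        for j, tfn in enumerate(target, start=1):
            cost = 0 if fn == tfn else 1
            cur.append(min(prev[j] + 1,          # drop fn from the seed chain
                           cur[j - 1] + 1,       # insert tfn into the seed chain
                           prev[j - 1] + cost))  # keep (match) or replace
        prev = cur
    return prev[-1]


def nearest_target(seed_chain: list[str]) -> tuple[int, str]:
    """Distance to the closest target chain and the clause pattern it belongs to."""
    return min((chain_distance(seed_chain, chain), name)
               for name, chain in TARGET_CHAINS.items())


def prioritize(seeds: dict[str, list[str]]) -> list[tuple[str, int, str]]:
    """Order seeds so the fuzzer schedules the ones nearest to any target first.
    Returns (sql, distance, pattern) tuples; ties are broken by the SQL text."""
    ranked = [(sql, *nearest_target(chain)) for sql, chain in seeds.items()]
    return sorted(ranked, key=lambda r: (r[1], r[0]))


if __name__ == "__main__":
    for sql, dist, pattern in prioritize(SEEDS):
        print(f"{dist}  {pattern:<18} {sql}")
```

Running the block ranks the LIKE seed first (one function short of the WHERE + LIKE chain), ahead of the two seeds that are two edits away from their nearest pattern. In a real directed fuzzer this rank would feed the scheduler's energy assignment rather than a simple sort, and the chains would come from instrumented executions rather than a hand-written table.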

Paper Structure (25 sections, 12 equations, 6 figures, 4 tables)


Figures (6)

  • Figure 1: Overview of SQLaser. It utilizes trimmed call chains representing SQL-level bug patterns as the target sites for the fuzzer. In the distance calculation part, we propose an algorithm to calculate the distance between seed call chains and target call chains, aiming to enable SQLaser to prioritize seeds based on their proximity to the target sites.
  • Figure 2: TTE of SQLaser, SQLRight and WindRanger testing SQLite, MySQL and TiDB. Due to SQLRight and SQLaser's inability to detect bugs in PostgreSQL, we can't collect TTE statistics for PostgreSQL.
  • Figure 3: Code coverage of SQLaser, SQLRight and WindRanger for NoREC oracle.
  • Figure 4: Code coverage of SQLaser, SQLRight and WindRanger to trigger bugs for TLP oracle.
  • Figure 5: Code coverage of SQLaser, SQLRight and WindRanger to trigger bugs in SQLite for ROWID, LIKELY and INDEX oracle.
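The NoREC and TLP oracles named in the captions of Figures 3 and 4 are what turn a "wrong result" into something a fuzzer can detect without a reference implementation. The block below is an added example, not code from SQLaser or SQLRight, that runs both oracles against an in-memory SQLite table using Python's standard sqlite3 module. Each oracle rewrites a query into a second form that the optimizer must treat differently, and reports a logic bug when the two answers disagree. The table, its rows (including NULLs, so three-valued logic is exercised) and the predicates are constructed for the example.

```python
# Added example (not SQLaser's or SQLRight's code): the NoREC and TLP
# differential oracles run against a constructed SQLite table.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed test table with NULLs in both columns and an index, so the
    optimized WHERE path and the per-row evaluation path can genuinely differ."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (a INTEGER, b TEXT)")
    conn.executemany("INSERT INTO t VALUES (?, ?)",
                     [(1, "x"), (2, None), (None, "y"), (3, "z")])
    conn.execute("CREATE INDEX t_a ON t(a)")
    return conn


def norec(conn: sqlite3.Connection, predicate: str) -> tuple[int, int]:
    """NoREC: count matching rows through the optimized WHERE path, then count
    again by evaluating the predicate per row in the SELECT list, where the
    optimizer cannot use an index or rewrite the filter. Both counts must agree."""
    # The predicate is fuzzer-generated query text spliced in on purpose; this
    # is test-case construction against a throwaway database, not input handling.
    optimized = conn.execute(f"SELECT COUNT(*) FROM t WHERE ({predicate})").fetchone()[0]
    unoptimized = conn.execute(
        f"SELECT SUM(CASE WHEN ({predicate}) THEN 1 ELSE 0 END) FROM t").fetchone()[0]
    return optimized, unoptimized or 0  # SUM over an empty table is NULL


def tlp(conn: sqlite3.Connection, predicate: str) -> tuple[int, int]:
    """TLP (ternary logic partitioning): every row satisfies exactly one of
    p, NOT p and p IS NULL, so the three partition counts must sum to COUNT(*)."""
    total = conn.execute("SELECT COUNT(*) FROM t").fetchone()[0]
    partitions = (f"({predicate})", f"NOT ({predicate})", f"({predicate}) IS NULL")
    summed = sum(conn.execute(f"SELECT COUNT(*) FROM t WHERE {where}").fetchone()[0]
                 for where in partitions)
    return total, summed


def run_oracles(predicates: list[str]) -> list[str]:
    """Run both oracles over each predicate; return one line per disagreement.
    An empty list means no logic bug was observed for these inputs."""
    conn = make_db()
    findings = []
    try:
        for p in predicates:
            for name, oracle in (("NoREC", norec), ("TLP", tlp)):
                expected, observed = oracle(conn, p)
                if expected != observed:
                    findings.append(f"{name} mismatch for {p!r}: {expected} != {observed}")
    finally:
        conn.close()
    return findings


# Constructed predicates covering comparison, LIKE, AND/OR and IN, each of
# which evaluates to NULL for at least one row.
PREDICATES = [
    "a > 1",
    "b LIKE 'x%'",
    "a > 1 AND b IS NOT NULL",
    "a IN (1, 3) OR b = 'y'",
]

if __name__ == "__main__":
    problems = run_oracles(PREDICATES)
    print("\n".join(problems) if problems else "no oracle disagreements")
```

On a correct DBMS both oracles agree on every predicate, which is what the block reports for SQLite. A clause-guided fuzzer would generate the predicates and surrounding clauses from the bug patterns rather than from a fixed list, but the pass/fail decision is exactly this comparison, which is why a bug that never crashes the server is still observable.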