DynSQL and LEGO do not cite each other.
The former dates from 2023.8, the latter from 2023.4.
Existing DBMS fuzzers always make a trade-off between complexity and validity of generated queries. For example, SQLsmith [43] generates only one statement in each query, avoiding the analysis of dependencies among statements, which sacrifices complexity for validity; SQUIRREL [48] uses an intermediate representation (IR) model to infer dependencies and generate queries that contain multiple statements, but it produces over 50% invalid queries and tends to generate simple statements.
Existing fuzzers tend to trade off query complexity against validity: SQLsmith puts only one statement in each query so that it never has to analyze dependencies among statements; SQUIRREL uses an intermediate representation (IR) to infer dependencies and generate more complex queries, but more than 50% of the queries it generates are unusable, and it tends to generate simple statements.
Without accurate state information, these fuzzers tend to build incorrect dependencies among statements or misuse SQL features, causing many invalid queries to be generated. To generate valid test cases, these fuzzers have to limit the complexity of generated queries to tolerate their inaccurate state information.
Reason: these fuzzers cannot obtain accurate state information, so they have to limit the complexity of the generated queries to tolerate that inaccuracy.
However, existing DBMS fuzzers fail to capture such information, as their query generation is finished before query execution.
Traditional mode: finish generating the query, then execute it.
* DBMS optimization: the DBMS lists several candidate execution plans and picks the most efficient one.
Dynamic query interaction has two main parts: the Scheduler and the Translator. The Scheduler interacts with the target DBMS, fetches the latest DBMS state, and passes the database schema to the Translator. On that basis, the Translator translates the input file into SQL statements.
State check: when a query causes a crash or an error, the DBMS has entered an incorrect state, so the loop must be terminated. Crashes, and errors other than syntax and semantic errors (such as "Subquery result missing"), must be reported, because they may indicate a latent bug. If a syntax or semantic error is raised, the seed is discarded, because such a seed cannot add new coverage and re-executing it only wastes resources (in existing fuzzers these seeds do trigger new kinds of syntax and semantic errors, so coverage appears to increase and the seeds get put into the seed pool!).
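As an added example (not code from the page or from the DynSQL project), the following Python sketch runs the loop described above against an in-memory SQLite database standing in for the target DBMS: the Scheduler re-reads the schema after every statement, a hypothetical Translator fills `$T`/`$C` placeholders from that live schema, and the state check classifies the first error by message so that syntax and semantic errors discard the seed while any other error is reported and the loop stops. The placeholder names, the error-message pattern list and the seeds are constructed for this example.

```python
import re
import sqlite3

# Message fragments that mark a syntax or semantic error. Constructed for
# SQLite's wording; a real fuzzer would key off the target DBMS's error codes.
SYNTAX_SEMANTIC_PATTERNS = [
    r"syntax error",
    r"no such (table|column|function)",
    r"ambiguous column name",
    r"already exists",
]


def classify_error(exc):
    """State check: a syntax/semantic error means the seed is discarded;
    any other error is reported as a potential DBMS bug."""
    message = str(exc)
    if any(re.search(p, message) for p in SYNTAX_SEMANTIC_PATTERNS):
        return "discard"
    return "report"


def current_schema(conn):
    """State the Scheduler reads back after each statement: table -> columns."""
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    return {t: [col[1] for col in conn.execute(f'PRAGMA table_info("{t}")')]
            for t in tables}


def translate(template, schema):
    """Translator step: fill the hypothetical $T/$C placeholders from the live
    schema. Returns None when the seed needs a table that does not exist yet."""
    if "$T" not in template and "$C" not in template:
        return template
    if not schema:
        return None
    table, columns = sorted(schema.items())[0]
    return template.replace("$T", table).replace("$C", columns[0])


def run_query(seed):
    """Scheduler loop: translate one statement, execute it, refresh the state,
    and stop at the first error, as the state check above requires."""
    conn = sqlite3.connect(":memory:")
    trace = []
    verdict = "keep"
    try:
        for template in seed:
            stmt = translate(template, current_schema(conn))
            if stmt is None:
                # A seed that references state the DBMS does not have is treated
                # like a semantic error: it cannot add coverage, so discard it.
                verdict = "discard"
                trace.append((template, verdict, "translator: no table in schema"))
                break
            try:
                conn.execute(stmt)
                trace.append((stmt, "ok", current_schema(conn)))
            except sqlite3.Error as exc:
                verdict = classify_error(exc)
                trace.append((stmt, verdict, str(exc)))
                break
    finally:
        conn.close()
    return verdict, trace


# Constructed seeds: one valid, one semantic error, one syntax error, and one
# runtime error (abs() of the smallest int64 overflows in SQLite) to be reported.
VALID_SEED = ["CREATE TABLE t0(a INT, b TEXT)",
              "INSERT INTO $T VALUES (1, 'x')",
              "SELECT $C FROM $T"]
SEMANTIC_SEED = ["CREATE TABLE t0(a INT)", "SELECT nope FROM $T", "SELECT 1"]
SYNTAX_SEED = ["SELEC 1"]
RUNTIME_SEED = ["SELECT abs(-9223372036854775808)"]

if __name__ == "__main__":
    for seed in (VALID_SEED, SEMANTIC_SEED, SYNTAX_SEED, RUNTIME_SEED):
        verdict, trace = run_query(seed)
        print(verdict, trace[-1])
```

The third statement of `VALID_SEED` only becomes `SELECT a FROM t0` after the `CREATE TABLE` has actually run, which is the point of interleaving generation with execution; in `SEMANTIC_SEED` the trailing `SELECT 1` is never executed because the loop terminates at the first error.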