Sequence-Oriented DBMS Fuzzing

Jie Liang, Yaoguang Chen, Zhiyong Wu, Jingzhou Fu, Mingzhe Wang, Yu Jiang, Xiangdong Huang, Ting Chen, Jiashui Wang, Jiajia Li

ICDE (2023)

Abstract
The SQL specification consists of hundreds of statement types, which makes DBMS fuzzing difficult: state-of-the-art fuzzers generally reuse statements of a few predefined types, and those limited types cannot cover the full input space, so the logic behind the remaining types goes untested. In this paper, we propose Lego, a fuzzer that generates SQL sequences spanning many statement types to improve DBMS fuzzing coverage. The key idea behind sequence generation is type-affinity, which indicates the meaningful co-occurrence of a pair of SQL statement types (e.g., INSERT followed by SELECT). During each fuzzing iteration, Lego first proactively explores SQL statements of different types and analyzes their affinities using coverage feedback. Then, whenever a new affinity is discovered, Lego progressively synthesizes new SQL sequences containing those types. We evaluate Lego on PostgreSQL, MySQL, MariaDB, and Comdb2 against SQLancer, SQLsmith, and Squirrel. Sequence-oriented fuzzing lets Lego outperform the other fuzzers on branch coverage by 44%–198%. More importantly, in continuous fuzzing, Lego has discovered 102 new vulnerabilities confirmed by the corresponding vendors, including 6 bugs in PostgreSQL, 21 bugs in MySQL, 42 bugs in MariaDB, and 33 bugs in Comdb2. Among them, 22 CVEs have been assigned due to their severe security impact.
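The abstract describes a two-step loop: explore ordered pairs of statement types, keep a pair as an affinity when coverage feedback shows the pair reaches logic that neither statement reaches alone, then grow sequences along discovered affinities. The following is an added illustration of that loop and is not Lego's code; the branch names, the per-statement and per-pair coverage tables, and the statement templates are constructed stand-ins for an instrumented DBMS so that it runs offline.

```python
"""Type-affinity guided SQL sequence synthesis, as an illustrative sketch.

Added example, not the Lego implementation. A real fuzzer would replace
SINGLE_BRANCHES / PAIR_BRANCHES with the coverage bitmap of an instrumented
server; here they are constructed, hypothetical tables.
"""
from __future__ import annotations

from typing import Dict, FrozenSet, List, Set, Tuple

Type = str
Seq = Tuple[Type, ...]

TYPES: List[Type] = ["CREATE TABLE", "INSERT", "SELECT", "UPDATE", "DELETE", "DROP TABLE"]

# Constructed stand-in for branch feedback: each statement type on its own
# reaches one (hypothetical) parser branch, and some ordered pairs reach extra
# branches that neither statement reaches alone. Those pairs are the
# "meaningful occurrences" the abstract calls type-affinities.
SINGLE_BRANCHES: Dict[Type, FrozenSet[str]] = {t: frozenset({f"parse:{t}"}) for t in TYPES}
PAIR_BRANCHES: Dict[Tuple[Type, Type], FrozenSet[str]] = {
    ("CREATE TABLE", "INSERT"): frozenset({"heap:write_row"}),
    ("CREATE TABLE", "SELECT"): frozenset({"exec:empty_scan"}),
    ("CREATE TABLE", "DROP TABLE"): frozenset({"catalog:drop"}),
    ("INSERT", "SELECT"): frozenset({"exec:seq_scan", "exec:return_tuple"}),
    ("INSERT", "UPDATE"): frozenset({"exec:seq_scan", "heap:rewrite_row"}),
    ("INSERT", "DELETE"): frozenset({"exec:seq_scan", "heap:delete_row"}),
    ("UPDATE", "SELECT"): frozenset({"exec:seq_scan", "mvcc:visible_newest"}),
    ("DELETE", "SELECT"): frozenset({"exec:seq_scan", "mvcc:skip_dead"}),
}

# Constructed statement bodies used only to render a type sequence as SQL text.
TEMPLATES: Dict[Type, str] = {
    "CREATE TABLE": "CREATE TABLE t (id INT PRIMARY KEY, v INT);",
    "INSERT": "INSERT INTO t VALUES (1, 10), (2, 20);",
    "SELECT": "SELECT id, v FROM t WHERE v > 5;",
    "UPDATE": "UPDATE t SET v = v + 1 WHERE id = 1;",
    "DELETE": "DELETE FROM t WHERE id = 2;",
    "DROP TABLE": "DROP TABLE t;",
}


def coverage(seq: Seq) -> Set[str]:
    """Branches the stand-in server reaches when `seq` is executed in order."""
    reached: Set[str] = set()
    for t in seq:
        reached |= SINGLE_BRANCHES[t]
    for a, b in zip(seq, seq[1:]):
        reached |= PAIR_BRANCHES.get((a, b), frozenset())
    return reached


def discover_affinities(types: List[Type]) -> Dict[Type, List[Type]]:
    """Exploration step: execute every ordered pair (a, b) and record it as an
    affinity a -> b when the pair reaches a branch neither a nor b reaches alone."""
    aff: Dict[Type, List[Type]] = {t: [] for t in types}
    for a in types:
        for b in types:
            alone = coverage((a,)) | coverage((b,))
            if coverage((a, b)) - alone:
                aff[a].append(b)
    return aff


def synthesize(aff: Dict[Type, List[Type]], seed: Seq, max_len: int, seen: Set[str]) -> Seq:
    """Synthesis step: extend `seed` along affinity edges, greedily choosing the
    next type that reaches the most branches not yet in `seen`. `seen` is the
    fuzzer's global coverage and is updated in place. Stops when no affinity
    edge out of the last statement adds coverage or max_len is reached."""
    seq = seed
    seen |= coverage(seq)
    while len(seq) < max_len:
        best, gain = None, 0
        for nxt in aff.get(seq[-1], []):
            new = len(coverage(seq + (nxt,)) - seen)
            if new > gain:
                best, gain = nxt, new
        if best is None:
            break
        seq = seq + (best,)
        seen |= coverage(seq)
    return seq


def render(seq: Seq) -> str:
    """Turn a type sequence into one SQL script (one statement per line)."""
    return "\n".join(TEMPLATES[t] for t in seq)


def fuzz(max_len: int = 6) -> Tuple[Dict[Type, List[Type]], List[Seq], Set[str]]:
    """Repeat synthesis from every seed type until a full pass adds no coverage.
    Returns (affinities, generated multi-statement sequences, branches seen)."""
    aff = discover_affinities(TYPES)
    seen: Set[str] = set()
    corpus: List[Seq] = []
    while True:
        before = len(seen)
        for seed in TYPES:
            seq = synthesize(aff, (seed,), max_len, seen)
            if len(seq) > 1:
                corpus.append(seq)
        if len(seen) == before:
            break
    return aff, corpus, seen


if __name__ == "__main__":
    affinities, sequences, branches = fuzz()
    for s in sequences:
        print(render(s), end="\n\n")
    print(f"{len(sequences)} sequences, {len(branches)} branches reached")
```

Two things worth noticing when running it: SELECT and DROP TABLE get no outgoing affinities in the constructed tables, so every synthesized sequence ends there, and the greedy extension leaves pairs such as CREATE TABLE then DROP TABLE for a later pass, because the first pass from the CREATE TABLE seed is pulled toward the higher-gain INSERT edge. That is why the loop keeps iterating over seeds until a whole pass adds no branch, mirroring the "during each fuzzing iteration" structure in the abstract.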
Keywords
DBMS fuzzing, SQL type sequence