Fuzz Testing for Database Management System Configuration Errors
摘要
Configuration item vulnerabilities are very important in the security research of database management systems, because database management systems have a wide range of applications and often have complex configuration items. Configuration vulnerabilities will directly affect the security and stability of the system, and may have an incalculable impact on user data. By improving existing fuzz testing methods, this paper proposes a fuzz testing technology for database management system configuration errors, and analyzes configuration-related vulnerabilities by using guided configuration modification strategies and dynamic configuration generation strategies. This paper designs and implements the database management system configuration error fuzz testing tool ICFuzz (Instrumentation and configuration fuzz), and uses this system to test mainstream database management systems, including MySQL, PostgreSQL and SQLite. Compared with existing fuzz testing tools, the code With less coverage, 7 more unknown security vulnerabilities in configuration items were discovered. The experimental results show that this tool is more efficient in detecting configuration item vulnerabilities.