# Squirrel, a coverage-guided DBMS fuzzer
Squirrel is a fuzzer for database management systems (DBMSs). Squirrel was first built on AFL and then migrated to AFLplusplus to benefit from the improvements of state-of-the-art fuzzing strategies.
## Currently supported DBMSs
- SQLite
- PostgreSQL
- MySQL
- MariaDB
## Build Instruction (Run in docker, recommended)

- Go to the directory of the dockerfile: `cd scripts/docker/xxx/`, where `xxx` is the database name.
- Build the docker: `docker build -t xxx .`.
- Run: `docker run -it xxx`.
## Build Instruction (Run on localhost)

### Prerequisite

For Ubuntu 22.04:

```
sudo apt install libmysqlclient-dev cmake ninja-build clang pkg-config clang-format libpq-dev libyaml-cpp-dev
```
### Build Squirrel

- Clone this repo and run `git submodule update --init`.
- `cmake -S . -B build -DCMAKE_BUILD_TYPE=Release -Wno-dev`. If you want to compile only the mutator for specific databases, add `-DXXXXX=ON`, where `XXXXX` can be `SQLITE`, `MYSQL` or `POSTGRESQL`. MariaDB shares the same interface as MySQL.
- `cmake --build build -j`; the binaries are in `build/`.
### Build AFLplusplus and DBMSs

- Build aflplusplus: `cd AFLplusplus && make -j && cd ..`.
- Use `afl-cc` and `afl-c++` to instrument your database.
## Run

### Configuration

- Set up a configuration file in `yaml`. Examples can be found in `data/*.yml`.
- Set the environment variables:

```sh
export SQUIRREL_CONFIG=/path/to/config.yml
export AFL_CUSTOM_MUTATOR_ONLY=1
# REPO_DIR is the path of this repository; libxxxx_mutator.so is the mutator built for your database
export AFL_CUSTOM_MUTATOR_LIBRARY=$REPO_DIR/build/libxxxx_mutator.so
export AFL_DISABLE_TRIM=1
```
### Normal Mode (SQLite)

Same as AFLplusplus: `afl-fuzz -i input -o output -- sqlite_harness`.
### Client/Server Mode (MySQL/MariaDB/PostgreSQL)

- Dry run the database to get the `__afl_map_size` and set it to `AFL_MAP_SIZE`.
- Run `afl-fuzz -i input -o output -- ./build/db_driver`; it will print the shared memory id and wait for 30 seconds.
- Start the database server with `export __AFL_SHM_ID=xxxx`.
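The first step of the client/server procedure above, as an added helper script that is not part of Squirrel: it runs the instrumented server once and pulls `__afl_map_size` out of its output so the value can be exported as `AFL_MAP_SIZE`. It assumes the dry run is done with `AFL_DEBUG=1`, under which an AFL++ instrumented binary prints a debug line containing `__afl_map_size <N>`; the sample line below is constructed.

```sh
#!/bin/sh
# Added helper (not part of Squirrel): recover the coverage map size of an
# AFL++ instrumented DBMS server from its AFL_DEBUG output, so that
# AFL_MAP_SIZE can be set before afl-fuzz runs ./build/db_driver.
#
# Assumption: with AFL_DEBUG=1 the instrumented server prints a line that
# contains "__afl_map_size <N>" (the forkserver debug line of afl-compiler-rt).

# extract_map_size: read debug output on stdin, print the first map size
# found, return 1 when no such field is present.
extract_map_size() {
    size=$(sed -n 's/.*__afl_map_size \([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$size" ] || return 1
    printf '%s\n' "$size"
}

# dry_run_map_size SERVER [ARGS...]: run the server for a few seconds with
# AFL_DEBUG=1 (a DBMS server does not exit on its own) and report the size.
dry_run_map_size() {
    AFL_DEBUG=1 timeout 10 "$@" 2>&1 </dev/null | extract_map_size
}

# Constructed sample of the debug line; the real line carries more fields
# and the number depends on how many edges the build instrumented.
SAMPLE_DEBUG='DEBUG: (1) id_str (null), MAP_SIZE 65536, __afl_final_loc 216419, __afl_map_size 216420, max_size_forkserver 8388608/0x800000'

# Typical use before starting afl-fuzz:
#   AFL_MAP_SIZE=$(dry_run_map_size ./mysqld --user=root) && export AFL_MAP_SIZE
```

`timeout` is the coreutils command; if the server daemonizes immediately, pass the flag that keeps it in the foreground so its debug output stays on the pipe.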
## Publications

<a href="https://arxiv.org/pdf/2006.02398.pdf"><img src="https://huhong789.github.io/images/squirrel.png" align="right" width="250"></a>

More details can be found in our CCS 2020 paper, and the bugs found by Squirrel can be found here.
SQUIRREL: Testing Database Management Systems with Language Validity and Coverage Feedback

```bibtex
@inproceedings{zhong:squirrel,
  title     = {{SQUIRREL: Testing Database Management Systems with Language Validity and Coverage Feedback}},
  author    = {Rui Zhong and Yongheng Chen and Hong Hu and Hangfan Zhang and Wenke Lee and Dinghao Wu},
  booktitle = {Proceedings of the 27th ACM Conference on Computer and Communications Security (CCS)},
  month     = nov,
  year      = 2020,
  address   = {Orlando, USA},
}
```
## Special Thanks

- Roel Van de Paar (@mariadb-RoelVandePaar): for his helpful feedback on improving Squirrel.