Detecting DBMS bugs with context-sensitive instantiation and multi-plan execution

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-07-07 DOI:10.1016/j.cose.2025.104564

Jiaqi Li , Ke Wang , Yaoguang Chen , Yajin Zhou , Lei Wu , Jiashui Wang

{"title":"Detecting DBMS bugs with context-sensitive instantiation and multi-plan execution","authors":"Jiaqi Li , Ke Wang , Yaoguang Chen , Yajin Zhou , Lei Wu , Jiashui Wang","doi":"10.1016/j.cose.2025.104564","DOIUrl":null,"url":null,"abstract":"<div><div>DBMS (Database Management System) bugs can cause serious consequences, posing severe security and privacy concerns. This paper works towards the detection of crash-related bugs and logic bugs in DBMSs, and aims at solving the two innate challenges, including how to generate semantically correct SQL queries in a test case, and how to propose effective oracles to capture logic bugs. To this end, our system proposes two key techniques. The first key technique is called context-sensitive instantiation, which can obtain all static semantic requirements to guide query generation. The second key technique is called multi-plan execution, which can effectively capture logic bugs. Given a test case, multi-plan execution makes the DBMS execute all query plans instead of the default optimal one, and compares the results. A logic bug is detected if a difference is found among the execution results of the executed query plans. We have implemented a prototype system called Kangaroo and applied it to three widely used and well-tested DBMSs, including SQLite, PostgreSQL, and MySQL. Our system successfully detected 54 previously unknown bugs, including 41 crash-related bugs and 13 logic bugs. The comparison between our system with the state-of-the-art systems shows that our system outperforms them in terms of the number of generated semantically valid SQL queries, the explored code paths during testing, and the detected bugs.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104564"},"PeriodicalIF":5.4000,"publicationDate":"2025-07-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825002536","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

DBMS (Database Management System) bugs can cause serious consequences, posing severe security and privacy concerns. This paper works towards the detection of crash-related bugs and logic bugs in DBMSs, and aims at solving the two innate challenges, including how to generate semantically correct SQL queries in a test case, and how to propose effective oracles to capture logic bugs. To this end, our system proposes two key techniques. The first key technique is called context-sensitive instantiation, which can obtain all static semantic requirements to guide query generation. The second key technique is called multi-plan execution, which can effectively capture logic bugs. Given a test case, multi-plan execution makes the DBMS execute all query plans instead of the default optimal one, and compares the results. A logic bug is detected if a difference is found among the execution results of the executed query plans. We have implemented a prototype system called Kangaroo and applied it to three widely used and well-tested DBMSs, including SQLite, PostgreSQL, and MySQL. Our system successfully detected 54 previously unknown bugs, including 41 crash-related bugs and 13 logic bugs. The comparison between our system with the state-of-the-art systems shows that our system outperforms them in terms of the number of generated semantically valid SQL queries, the explored code paths during testing, and the detected bugs.

查看原文本刊更多论文

通过上下文敏感的实例化和多计划执行来检测DBMS错误

数据库管理系统（DBMS）的错误会导致严重的后果，引起严重的安全和隐私问题。本文致力于检测dbms中与崩溃相关的错误和逻辑错误，旨在解决这两个固有的挑战，包括如何在测试用例中生成语义正确的SQL查询，以及如何提出有效的oracle来捕获逻辑错误。为此，本系统提出了两个关键技术。第一个关键技术称为上下文敏感实例化，它可以获得所有静态语义需求来指导查询生成。第二个关键技术称为多计划执行，它可以有效地捕获逻辑错误。给定一个测试用例，多计划执行使DBMS执行所有查询计划，而不是默认的最优查询计划，并比较结果。如果在执行的查询计划的执行结果之间发现差异，则检测到逻辑错误。我们实现了一个名为Kangaroo的原型系统，并将其应用于三个广泛使用且经过良好测试的dbms，包括SQLite、PostgreSQL和MySQL。我们的系统成功检测了54个以前未知的错误，其中41个与崩溃相关的错误和13个逻辑错误。我们的系统与最先进的系统之间的比较表明，我们的系统在生成语义上有效的SQL查询的数量、测试期间探索的代码路径和检测到的错误方面优于它们。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.