bug squashing with sqlsmith
play

Bug Squashing with SQLsmith andreas.seltenreich@credativ.de October - PowerPoint PPT Presentation

Dec 09, 2023 •1.18k likes •1.6k views

Bug Squashing with SQLsmith andreas.seltenreich@credativ.de October 25, 2018 andreas.seltenreich@credativ.de PGConf.EU 2018 1 / 32 Outline Motivation Testing Methodology Analysis of Bugs Uncovered Design Future Work

  1. Bug Squashing with SQLsmith andreas.seltenreich@credativ.de October 25, 2018 andreas.seltenreich@credativ.de PGConf.EU 2018 1 / 32

  2. Outline Motivation Testing Methodology Analysis of Bugs Uncovered Design Future Work andreas.seltenreich@credativ.de PGConf.EU 2018 2 / 32

  3. Motivation: My Story ◮ Inspired by Csmith, a random C program generator ◮ While working on a C compiler, I learned that one can never have enough testing ◮ Regression tests, unit tests and testbenches were all green ◮ Csmith made assertions fail in my optimization phase ◮ Me in 2015: We need an SQLsmith! ◮ In total, it found: ◮ 71 Bugs in PostgreSQL ◮ 3 in SQLite ◮ 50 in MonetDB ◮ 6 in various libraries (even glibc!) andreas.seltenreich@credativ.de PGConf.EU 2018 3 / 32

  4. Motivation: Who’s it for? ◮ Developers of SQL speaking databases ◮ Extension writers ◮ Reviewers of submitted patches ◮ Security auditers ◮ Indirectly, all users profit from additional quality assurance andreas.seltenreich@credativ.de PGConf.EU 2018 4 / 32

  5. On Fuzz Testing: Bit-Level Bit-Level fuzzers (e.g. AFL, libFuzzer) ◮ Only applicable when information density is very high ◮ Do not grasp high-level concepts such as syntax, schema, catalog, identifiers or scope ◮ Works ok for fuzzing Postgres’ regexp parser ◮ Need ages to find the first trivial syntactically correct query ◮ Need eons to find a hit in the catalog/schema andreas.seltenreich@credativ.de PGConf.EU 2018 5 / 32

  6. On Fuzz Testing: Domain-Aware Domain-aware fuzzers (Csmith, SQLsmith) ◮ Generate syntactically and semantically valid input at high speed ◮ Still cannot interpret the result semantically ◮ Semantics may be verified indirectly andreas.seltenreich@credativ.de PGConf.EU 2018 6 / 32

  7. Prior work ◮ CSmith by utah.edu (since 2011) ◮ Found over 400 bugs in various compilers ◮ Finds bugs in optimizations, code generators, register allocators, etc. despite fuzzing the parser ◮ BSD-style license ◮ RAGS by Microsoft (conference paper from 1998) ◮ They implemented differential testing ◮ Queries look similar to SQLsmith’s, albeit smaller ◮ No code available andreas.seltenreich@credativ.de PGConf.EU 2018 7 / 32

  8. Running SQLsmith ◮ Just tell it the target database $ sqlsmith --target="host=/tmp port=65432 dbname=regression" $ sqlsmith --sqlite="file:~/.firefox/places.sqlite?mode=ro" $ sqlsmith --monetdb="mapi:monetdb://localhost:50000/smith" ◮ Using --verbose , it prints a character for each query symbol meaning . ok S syntax error t timeout C broken connection e other error andreas.seltenreich@credativ.de PGConf.EU 2018 8 / 32

  9. Advanced Options log errors to postgres database --log-to=connstr seed RNG with specified int instead of PID --seed=int --dump-all-graphs dump generated ASTs print queries as they are generated --dump-all-queries --dry-run print queries instead of executing them don’t generate queries using catalog relations --exclude-catalog --max-queries=long terminate after generating this many queries deserialize dumped rng state --rng-state=string andreas.seltenreich@credativ.de PGConf.EU 2018 9 / 32

  10. How to Hunt Bugs Watch out for symptoms like: ◮ Core dumping due to failed assertions, PANICs ◮ Outlandish error messages or warnings ◮ Log them into a database to allow filtering ◮ Analysis of historical data may also give insights ◮ Processes bloating, hogging CPU ◮ Need to monitor system load to find these bugs andreas.seltenreich@credativ.de PGConf.EU 2018 10 / 32

  11. Nature of Bugs Found: Crashes postgres=# select bit ’1’ >> (-2^31)::int; LOG: server process (PID 15838) was terminated by signal 11: Segmentation LOG: terminating any other active server processes LOG: database system was not properly shut down; automatic recovery in progress LOG: redo is not required LOG: database system is ready to accept connections andreas.seltenreich@credativ.de PGConf.EU 2018 11 / 32

  12. Nature of Bugs Found: Crashes (cont.) Datum bitshiftleft(PG_FUNCTION_ARGS) { VarBit *arg = PG_GETARG_VARBIT_P(0); int32 shft = PG_GETARG_INT32(1); /* Negative shift is a shift to the right */ if (shft < 0) PG_RETURN_DATUM(DirectFunctionCall2( bitshiftright, VarBitPGetDatum(arg), Int32GetDatum(-shft))); /* do bitshift left for positive arguments */ andreas.seltenreich@credativ.de PGConf.EU 2018 12 / 32

  13. Nature of Bugs Found: PANICs postgres=# update brintest set oidcol = coalesce(brintest.oidcol, pg_my_temp_schema()), timestamptzcol = clock_timestamp(), uuidcol = null returning brintest.byteacol; WARNING: specified item offset is too large PANIC: failed to add BRIN tuple server closed the connection unexpectedly andreas.seltenreich@credativ.de PGConf.EU 2018 13 / 32

  14. Nature of Bugs Found: Failed Assertions From: Andreas Seltenreich <seltenreich(at)gmx(dot)de> To: pgsql-hackers(at)postgresql(dot)org Subject: [sqlsmith] Failed assertion in postgres_fdw/deparse.c:1116 Creating some foreign tables via postgres_fdw in the regression db of master as of de33af8, sqlsmith triggers the following assertion: TRAP: FailedAssertion("!(((((const Node*)(var))->type) == T_Var))", File: "deparse.c", Line: 1116) gdb says var is holding a T_PlaceHolderVar instead. andreas.seltenreich@credativ.de PGConf.EU 2018 14 / 32

  15. Nature of Bugs Found: Internal ERRORs ERROR: failed to build any 8-way joins ERROR: could not devise a query plan for the given query ERROR: plan should not reference subplan’s variable ERROR: failed to assign all NestLoopParams to plan nodes ERROR: could not find pathkey item to sort ERROR: too late to create a new PlaceHolderInfo andreas.seltenreich@credativ.de PGConf.EU 2018 15 / 32

  16. Nature of Bugs Found: Other ERRORs From: Andreas Seltenreich <seltenreich(at)gmx(dot)de> To: pgsql-hackers(at)postgresql(dot)org Subject: [sqlsmith] Missing CHECK_FOR_INTERRUPTS in tsquery_rewrite [...] testing with sqlsmith yielded an uncancellable backend hogging CPU time. [...] select ts_rewrite( (select string_agg(i::text, ’&’)::tsquery from generate_series(1,32) g(i)), (select string_agg(i::text, ’&’)::tsquery from generate_series(1,19) g(i)), ’foo’); andreas.seltenreich@credativ.de PGConf.EU 2018 16 / 32

  17. How to Hunt Bugs (cont.) ◮ Complicate DUT configuration (replication, non-default settings) ◮ Make interesting objects or values available to sqlsmith ◮ Use a regression DB as a starting point ◮ Add Foreign Tables ◮ Have infinity, NaN, 2 31 -1, etc around in your database ◮ Use additional tools ◮ low-memory/libfailmalloc ◮ ASAN ◮ valgrind ◮ trap on division by zero andreas.seltenreich@credativ.de PGConf.EU 2018 17 / 32

  18. My Testing Rig ◮ Cluster of cheap surplus Sandy Bridge quad-cores in my apartment ◮ Ansible to put testing arrangements on machines ◮ gdb scripts to harvest backtraces from appearing coredumps ◮ sinfod ◮ Broadcasts system load on the network ◮ Yields a real-time view on the entire cluster load ◮ Many failure modes are readily identifyable andreas.seltenreich@credativ.de PGConf.EU 2018 18 / 32

  19. BUGs by Nature over Modules Plan Exec Access TX Oper Contrib ADT � Segfault 2 6 1 3 8 1 21 PANIC 1 1 2 TRAP 11 4 4 1 4 1 25 ERROR 10 4 1 15 ÷ 0 3 2 5 other 1 2 3 � 26 11 6 4 19 3 2 71 Regarding SQLite3, all three bugs were failed assertions in the planner and executor andreas.seltenreich@credativ.de PGConf.EU 2018 19 / 32

  20. Test Coverage src/postgres$ ./configure --enable-coverage test load overall parser sqlsmith 39.8 30.3 62 80.2 make check sqlsmith+make check 65.1 80.4 Numbers generated using sqlsmith commit 7ffac2d, running 4 instances w/25000 queries each. Postgres code for the analysis was from master branch at around the same time. andreas.seltenreich@credativ.de PGConf.EU 2018 20 / 32

  21. Project Goals for SQLsmith Inspired by Csmith, the following goals were set ◮ Be product-agnostic ◮ No requirement for templates/user-provided grammar/etc � The language is the limit ◮ Deterministic generation for reproducability/benchmarking ◮ Speed: The bottleneck should always be the database under test (DUT) andreas.seltenreich@credativ.de PGConf.EU 2018 21 / 32

  22. Language Choice: C++11 ◮ OO design well-suited for AST construction ◮ Absolute type safety ◮ Implicit memory management ◮ Standardized multi-threading ◮ Exceptions, also employed for backtracking in AST generation ◮ Speed andreas.seltenreich@credativ.de PGConf.EU 2018 22 / 32

  23. Product Abstraction Two front-end classes provide product-agnostic access to the DUT ◮ Schema class ◮ DUT class Implemented for: ◮ PostgreSQL 9.1 or later ◮ SQLite 3 ◮ MonetDB (contributed by cwi.nl) ◮ Various forks on github andreas.seltenreich@credativ.de PGConf.EU 2018 23 / 32

  24. Auxiliary Modules ◮ Class logger ◮ Invoked for generation and result ◮ Implementations for ◮ logging to stderr (with primitive analysis) ◮ logging into a database (allows filtering) ◮ collecting statistics ◮ Impedance matching module ◮ Allows to adapt grammar to the DUT ◮ Productions consistently leading to errors are blacklisted andreas.seltenreich@credativ.de PGConf.EU 2018 24 / 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Squashing the beast into a 60MB cage Tor Lillqvist &lt;tml@collabora.com&gt; tml,

Squashing the beast into a 60MB cage Tor Lillqvist &lt;tml@collabora.com&gt; tml,

Squashing the beast into a 60MB cage Tor Lillqvist &lt;tml@collabora.com&gt; tml, #libreoffice-dev, irc.freenode.net Background: One single executable in an iOS app. No own shared libs Repeat: all non-system code has to be in one executable

815 views • 47 slides
Why Squashing Functions in Shall We Go Beyond . . . Which . . . Multi-Layer Neural Invariance

Why Squashing Functions in Shall We Go Beyond . . . Which . . . Multi-Layer Neural Invariance

A Short Introduction Machine Learning Is . . . Deep Learning Why Squashing Functions in Shall We Go Beyond . . . Which . . . Multi-Layer Neural Invariance Traditional Neural . . . Networks This Leads Exactly to . . . Home Page Julio C.

661 views • 46 slides
Special relativity Squashing of the E-field line associated to a moving charge is suggestive

Special relativity Squashing of the E-field line associated to a moving charge is suggestive

Special relativity Squashing of the E-field line associated to a moving charge is suggestive of Lorentz contraction e.m. law and eqn of motion should be invariant with respect to Lorentz transformations Lets refresh our memory

560 views • 12 slides
drm/i915 Updates Daniel Vetter, Intel OTC FOSDEM 2013 bug squashing bugs fixed by the

drm/i915 Updates Daniel Vetter, Intel OTC FOSDEM 2013 bug squashing bugs fixed by the

drm/i915 Updates Daniel Vetter, Intel OTC FOSDEM 2013 bug squashing bugs fixed by the truckload especially regressions! intel-gpu-tools kernel tests no testsuite is worse than having none debugfs knobs for tricky cases

438 views • 24 slides
Squashing Computational Linguistics Noah A. Smith Paul G. Allen School of Computer Science &amp;

Squashing Computational Linguistics Noah A. Smith Paul G. Allen School of Computer Science &amp;

Squashing Computational Linguistics Noah A. Smith Paul G. Allen School of Computer Science &amp; Engineering University of Washington Seattle, USA @nlpnoah Research supported in part by: NSF, DARPA DEFT, DARPA CWC, Facebook, Google, Samsung,

1.28k views • 90 slides
Intrusion Tolerant IDS James Riordan Marc Dacier Dominique Alessandri Andreas Wespi IBM

Intrusion Tolerant IDS James Riordan Marc Dacier Dominique Alessandri Andreas Wespi IBM

Intrusion Tolerant IDS James Riordan Marc Dacier Dominique Alessandri Andreas Wespi IBM Forschungslaboratorium R uschlikon, Switzerland 19 June 2001 1 MAFTIA A European project whose aim is to develop: Malicious- and Accidental-

366 views • 13 slides
On the security of security extensions for IP-based KNX networks Aljosha Judmayer

On the security of security extensions for IP-based KNX networks Aljosha Judmayer

On the security of security extensions for IP-based KNX networks Aljosha Judmayer ajudmayer@sba-research.org ajudmayer@auto.tuwien.ac.at On the security of security extensions for IP-based KNX networks 1 SBA Research P1.1: Risk Management

1.06k views • 51 slides
Design Automation for Cryptography Anupam Chattopadhyay Assistant Professor, School of Computer

Design Automation for Cryptography Anupam Chattopadhyay Assistant Professor, School of Computer

Design Automation for Cryptography Anupam Chattopadhyay Assistant Professor, School of Computer Science and Engineering School of Physical and Mathematical Sciences, Nanyang Technological University June 7, 2017 Motivation Security not a

669 views • 27 slides
Embedded System Security Professor Patrick McDaniel Charles Sestito Fall 2015 Embedded System

Embedded System Security Professor Patrick McDaniel Charles Sestito Fall 2015 Embedded System

Embedded System Security Professor Patrick McDaniel Charles Sestito Fall 2015 Embedded System Microprocessor used as a component in a device and is designed for a specific control function within a device Used In: Cell Phones

560 views • 31 slides
MSc in Computer Engineering, Cybersecurity and Artificial Intelligence, Fault Diagnosis and

MSc in Computer Engineering, Cybersecurity and Artificial Intelligence, Fault Diagnosis and

MSc in Computer Engineering, Cybersecurity and Artificial Intelligence, Fault Diagnosis and Estimation in Dynamical Systems (FDE), a.a. 2019/2020, Lecture 2 A brief review of analysis of continuous-time linear dynamical systems Prof. Mauro

591 views • 48 slides
Approaching Automation Necessary for introducing a task Prioritize automation steps based

Approaching Automation Necessary for introducing a task Prioritize automation steps based

Learning objectives Understand the main purposes of automating software analysis and testing Identify activities that can be fully or partially Automating Analysis and Test automated Understand cost and benefit trade-offs in

799 views • 12 slides
Can Secure architecture perform? Motivated by Yales talk Machine Learning and Quantum

Can Secure architecture perform? Motivated by Yales talk Machine Learning and Quantum

Can Secure architecture perform? Motivated by Yales talk Machine Learning and Quantum Computing; Is there anything else worth working on? ISCA, 2002 Avi Mendelson Technion, Israel avi.mendelson@technion.ac.il Agenda Intro and motivation

525 views • 18 slides
Introduction to Authenticated Encryption 1 / 27 www.iaik.tugraz.at Interface K K N , A , C ,

Introduction to Authenticated Encryption 1 / 27 www.iaik.tugraz.at Interface K K N , A , C ,

On A SCON and I SAP About Two Authenticated Encryption Schemes Christoph Dobraunig October 2018 Designed by: . Mendel, M. Schl A SCON : C. Dobraunig, M. Eichlseder, F affer I SAP : C. Dobraunig, M. Eichlseder, S. Mangard, F . Mendel, T.

987 views • 40 slides
Cryptography and Network Security Amongst the tribes of Central Australia every man, woman, and

Cryptography and Network Security Amongst the tribes of Central Australia every man, woman, and

4/19/2010 Chapter 10 Other Public Key Cryptosystems Cryptography and Network Security Amongst the tribes of Central Australia every man, woman, and child has a secret or sacred name which is bestowed by the older Chapter 10 men upon him or her

241 views • 5 slides
Responsible Behavior http://xkcd.com/364/ Lab: Alternate CTR mode Suppose we use encrypt

Responsible Behavior http://xkcd.com/364/ Lab: Alternate CTR mode Suppose we use encrypt

Responsible Behavior http://xkcd.com/364/ Lab: Alternate CTR mode Suppose we use encrypt using the following formula: C i = P i E(K, IV+i) Is this secure? Why or why not? If so, how does this relate to CTR mode? If not, what

935 views • 48 slides
Efficient Algorithms in Software Julio Lpez jlopez@ic.unicamp.br Institute of Computing,

Efficient Algorithms in Software Julio Lpez jlopez@ic.unicamp.br Institute of Computing,

Efficient Algorithms in Software Julio Lpez jlopez@ic.unicamp.br Institute of Computing, University of Campinas September 2017, Habana, Cuba. ASCrypto 2017 Agenda 1 Efficient Software Implementations Software Efficiency Parallel

1.68k views • 124 slides
Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for the legal users, but are very difficult to the eavesdroppers. Public Key Cryptography 1 Such problems are called trapdoor problems . They allow to

379 views • 5 slides
Tamarin prover Farzane Karami November 2019 Tamarin A tool for modeling and analysis of

Tamarin prover Farzane Karami November 2019 Tamarin A tool for modeling and analysis of

Tamarin prover Farzane Karami November 2019 Tamarin A tool for modeling and analysis of security protocols Core team: David Basin, Cas Cremers, Jannik Dreier, Simon Meier, Ralf Sasse, Benedikt Schmidt

578 views • 26 slides
Computer Security HKUST, Hong Kong Computer Security Cunsheng DING, HKUST COMP4631

Computer Security HKUST, Hong Kong Computer Security Cunsheng DING, HKUST COMP4631

CUNSHENG DING Computer Security HKUST, Hong Kong Computer Security Cunsheng DING, HKUST COMP4631 CUNSHENG DING Computer Security HKUST, Hong Kong Lecture 08: Key Management for One-key Ciphers Topics of this Lecture 1. The

377 views • 19 slides
Special Topics in Cryptography Mohammad Mahmoody Last time How to combine CPA security +

Special Topics in Cryptography Mohammad Mahmoody Last time How to combine CPA security +

Special Topics in Cryptography Mohammad Mahmoody Last time How to combine CPA security + MACS: Security against active attacks CCA secure private-key encryption Today Public-key encryption and key-agreement RSA (PKE) and

358 views • 14 slides
Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018 Introduction y 2 = x 3 + ax + b en.wikipedia.org/wiki/Elliptic curve Elliptic Curve Addition P = ( x p .y p ), Q = ( x q , y q ), R = ( x r .y r ) =

187 views • 16 slides
Diffie-Hellman Key Exchange Source: Wikipedia ElGamal Key Generator Generate primes p and

Diffie-Hellman Key Exchange Source: Wikipedia ElGamal Key Generator Generate primes p and

Diffie-Hellman Key Exchange Source: Wikipedia ElGamal Key Generator Generate primes p and q as well as an element g Z p that generates the subgroup G q . Choose a random x from { 0 , . . . , q 1 } . Compute h = g x .

754 views • 7 slides
KCI-based MitM Attacks against TLS Prying Open Pandoras Box Clemens Hlauschek, Markus Gruber,

KCI-based MitM Attacks against TLS Prying Open Pandoras Box Clemens Hlauschek, Markus Gruber,

KCI-based MitM Attacks against TLS Prying Open Pandoras Box Clemens Hlauschek, Markus Gruber, Florian Fankhauser, Christian Schanes BS(l)idesVienna 0x7df whoami [ haku@bsidesbox ] % getent passwd whoami | awk F :

684 views • 33 slides
Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1

Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1

PAKE Game-based Security Universal Composability LAKE Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1 David Pointcheval Ecole Normale Sup erieure Game-based Security 2 Universal

927 views • 10 slides

More recommend