Thread: Inquiry Regarding Initial Seed for pgsql Protocol Fuzz Testing

Inquiry Regarding Initial Seed for pgsql Protocol Fuzz Testing

From: Cherry Pang

hello!
I am a novice enthusiast in the field of fuzz testing and have an interest in conducting fuzz testing for the SQLite protocol. I understand that testing the logic bugs or crash bugs in Data Manipulation Language (DML) functionalities differs significantly, and as such, I am unsure about the initial seed format required.

From my understanding, the seed for protocol testing refers to queries or commands sent to the database server. How does this differ from seeds used in regular logic testing? I would greatly appreciate it if you could shed some light on the format of the initial seed for this purpose. If possible, providing a few seed examples would be immensely helpful.

Thank you very much for your time and assistance.

Re: Inquiry Regarding Initial Seed for pgsql Protocol Fuzz Testing

From: Adrian Klaver

On 11/22/23 22:56, Cherry Pang wrote:
> hello!
> I am a novice enthusiast in the field of fuzz testing and have an 
> interest in conducting fuzz testing for the SQLite protocol. I 
> understand that testing the logic bugs or crash bugs in Data 
> Manipulation Language (DML) functionalities differs significantly, and 
> as such, I am unsure about the initial seed format required.

1) FYI, this is the list for Postgres not SQLite.

2) I don't know anything about fuzzy testing, but for those that do it 
might be helpful to mention what tools you are using.

> 
>  From my understanding, the seed for protocol testing refers to queries 
> or commands sent to the database server. How does this differ from seeds 
> used in regular logic testing? I would greatly appreciate it if you 
> could shed some light on the format of the initial seed for this 
> purpose. If possible, providing a few seed examples would be immensely 
> helpful.
> 
> Thank you very much for your time and assistance.
> 

-- 
Adrian Klaver
adrian.klaver@aklaver.com




Re: Inquiry Regarding Initial Seed for pgsql Protocol Fuzz Testing

From: Adrian Klaver

On 11/23/23 17:42, Cherry Pang wrote:
Reply to list also.
Ccing list.

> Firstly, I apologize for my mistake. I meant PostgreSQL, not SQLite.
> 
> Secondly, when it comes to fuzzing tests, it refers to using 
> automatically generated inputs to test the security and stability of 
> software. In the realm of databases, particularly with respect to 
> PostgreSQL, fuzzing tests can help uncover logic errors and crash bugs 
> in the database. Fuzzing inputs for these types of bugs typically 
> encompass various SQL statements, such as creating tables, creating 
> indexes, inserting data, deleting data, and so forth. These inputs 
> simulate various scenarios within the database system, aiding in the 
> discovery of potential vulnerabilities and issues, thus enhancing the 
> stability and security of the database.
What I was getting at is that details about the tools/software you are 
using as well as how you are currently using them would help those that 
also do this to guide you.

> 
> Adrian Klaver <adrian.klaver@aklaver.com 
> <mailto:adrian.klaver@aklaver.com>> wrote on Thu, Nov 23, 2023 at 23:54:
> 
>     On 11/22/23 22:56, Cherry Pang wrote:
>      > hello!
>      > I am a novice enthusiast in the field of fuzz testing and have an
>      > interest in conducting fuzz testing for the SQLite protocol. I
>      > understand that testing the logic bugs or crash bugs in Data
>      > Manipulation Language (DML) functionalities differs
>     significantly, and
>      > as such, I am unsure about the initial seed format required.
> 
>     1) FYI, this is the list for Postgres not SQLite.
> 
>     2) I don't know anything about fuzzy testing, but for those that do it
>     might be helpful to mention what tools you are using.
> 
>      >
>      >  From my understanding, the seed for protocol testing refers to
>     queries
>      > or commands sent to the database server. How does this differ
>     from seeds
>      > used in regular logic testing? I would greatly appreciate it if you
>      > could shed some light on the format of the initial seed for this
>      > purpose. If possible, providing a few seed examples would be
>     immensely
>      > helpful.
>      >
>      > Thank you very much for your time and assistance.
>      >
> 
>     -- 
>     Adrian Klaver
>     adrian.klaver@aklaver.com <mailto:adrian.klaver@aklaver.com>
> 

-- 
Adrian Klaver
adrian.klaver@aklaver.com




Re: Inquiry Regarding Initial Seed for pgsql Protocol Fuzz Testing

From: Adrian Klaver

On 11/23/23 22:36, Cherry Pang wrote:

Again please use Reply All and include the list in your responses.
Ccing list.

> Sure, I'm interested in experimenting with SGFuzz, a tool mentioned in 
> the 'Stateful Greybox Fuzzing' paper, to conduct fuzz testing on the 
> PostgreSQL database protocol. I've successfully replicated SGFuzz's fuzz 
> testing on the OpenSSL protocol.


-- 
Adrian Klaver
adrian.klaver@aklaver.com
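
Added example, not part of any message in this thread and not taken from SGFuzz or PostgreSQL: it illustrates how a protocol-level seed differs from a SQL-text seed by framing the same statements as PostgreSQL frontend/backend protocol 3.0 messages (StartupMessage, Query, Terminate) and re-parsing the result to confirm the framing. The function names, the user `fuzz`, the database `fuzzdb` and the sample statements are constructed for illustration; it assumes the target accepts the connection without a password exchange, and how a harness delivers the bytes to the server is out of scope.

```python
import struct

PROTOCOL_V3 = 196608  # (3 << 16) | 0: protocol version 3.0

def startup_message(user, database):
    """StartupMessage has no type byte: Int32 length, Int32 version, key\\0value\\0 pairs, final \\0."""
    params = b"".join(k + b"\0" + v.encode() + b"\0"
                      for k, v in ((b"user", user), (b"database", database)))
    body = struct.pack("!I", PROTOCOL_V3) + params + b"\0"
    return struct.pack("!I", len(body) + 4) + body  # length counts itself

def typed_message(tag, payload=b""):
    """Every later frontend message: 1-byte type, Int32 length (includes itself, not the type)."""
    return tag + struct.pack("!I", len(payload) + 4) + payload

def query_message(sql):
    return typed_message(b"Q", sql.encode() + b"\0")  # simple Query: NUL-terminated SQL text

def terminate_message():
    return typed_message(b"X")

def split_seed(seed):
    """Re-parse a seed into (tag, payload) frames; raise ValueError on broken framing."""
    frames, pos, first = [], 0, True
    while pos < len(seed):
        tag = b"" if first else seed[pos:pos + 1]  # only the startup frame is untagged
        pos += len(tag)
        if pos + 4 > len(seed):
            raise ValueError("truncated length field at offset %d" % pos)
        (length,) = struct.unpack_from("!I", seed, pos)
        if length < 4 or pos + length > len(seed):
            raise ValueError("bad length %d at offset %d" % (length, pos))
        frames.append((tag, seed[pos + 4:pos + length]))
        pos, first = pos + length, False
    return frames

def build_corpus(user="fuzz", database="fuzzdb"):
    """One seed per session: startup, one Query, Terminate. SQL samples are constructed."""
    sqls = {"select": "SELECT 1;",
            "ddl_dml": "CREATE TABLE t(a int); INSERT INTO t VALUES (1);"}
    start = startup_message(user, database)
    return {name: start + query_message(sql) + terminate_message()
            for name, sql in sqls.items()}

if __name__ == "__main__":
    for name, seed in build_corpus().items():
        print(name, len(seed), [tag for tag, _ in split_seed(seed)])
```

A logic-testing seed would be only the SQL text inside the `Q` payload; the protocol seed also carries the length fields and message types, which is where a protocol fuzzer's mutations land.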