DBMS bugs can cause serious consequences, posing severe security and privacy concerns. This paper works towards the detection of memory bugs and logic bugs in DBMSs, and aims to solve two innate challenges: how to generate semantically correct SQL queries in a test case, and how to construct effective oracles that capture logic bugs. To this end, our system proposes two key techniques. The first, context-sensitive instantiation, considers all static semantic requirements (including but not limited to the identifier types used by existing systems) to generate semantically valid SQL queries. The second, multi-plan execution, effectively captures logic bugs. Given a test case, multi-plan execution makes the DBMS execute all query plans instead of only the default optimal one, and compares their results. A logic bug is detected if the execution results of the executed query plans differ. We have implemented a prototype system called Kangaroo and applied it to three widely used and well-tested DBMSs: SQLite, PostgreSQL, and MySQL. Our system successfully detected 50 new bugs. A comparison of our system with state-of-the-art systems shows that it outperforms them in terms of the number of generated semantically valid SQL queries, the code paths explored during testing, and the bugs detected.
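The multi-plan execution oracle described above, as an added example that is not the paper's or Kangaroo's own code: Kangaroo modifies the DBMS to execute every candidate plan, whereas this stand-alone Python script approximates the oracle from outside SQLite by forcing alternative plans with SQLite's `NOT INDEXED` / `INDEXED BY` hints and comparing the returned row multisets. The schema, rows, and plan labels are constructed for the demo.

```python
import sqlite3
from collections import Counter

# Constructed schema and rows for the demo; not from the paper's test cases.
SCHEMA = "CREATE TABLE t(a INTEGER, b TEXT); CREATE INDEX idx_a ON t(a);"
ROWS = [(1, "x"), (2, "y"), (None, "z"), (3, "y")]


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO t VALUES (?, ?)", ROWS)
    return con


def plan_variants(where):
    # The same logical query under different planner hints. NOT INDEXED and
    # INDEXED BY are real SQLite syntax; the labels are ours.
    return [
        ("default", f"SELECT a, b FROM t WHERE {where}"),
        ("not_indexed", f"SELECT a, b FROM t NOT INDEXED WHERE {where}"),
        ("idx_a", f"SELECT a, b FROM t INDEXED BY idx_a WHERE {where}"),
    ]


def find_mismatches(rows_by_plan):
    # Oracle: every plan must return the same multiset of rows. Row order is
    # not part of the query's meaning, so compare Counters, not lists.
    labels = list(rows_by_plan)
    baseline = Counter(rows_by_plan[labels[0]])
    return [lb for lb in labels[1:] if Counter(rows_by_plan[lb]) != baseline]


def multi_plan_check(con, where):
    """Run each plan variant; return (plans, rows, skipped, mismatches)."""
    plans, rows_by_plan, skipped = {}, {}, []
    for label, sql in plan_variants(where):
        try:
            # EXPLAIN QUERY PLAN confirms the hint really changed the plan
            # (column 3 of each row is the human-readable plan step).
            plans[label] = [r[3] for r in con.execute("EXPLAIN QUERY PLAN " + sql)]
            rows_by_plan[label] = con.execute(sql).fetchall()
        except sqlite3.OperationalError:
            # e.g. "no query solution": the planner cannot honour the hint for
            # this WHERE clause. A rejected plan is not a logic bug; skip it.
            skipped.append(label)
    return plans, rows_by_plan, skipped, find_mismatches(rows_by_plan)
```

A non-empty `mismatches` list is the paper's logic-bug signal: two plans for one query disagreeing on the result set.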