EXHAUSTIVE SECURITY FUZZING FOR TRANSACT STRUCTURED QUERY LANGUAGE

US 20080288822A1
Filed: 05/17/2007
Published: 11/20/2008
Est. Priority Date: 05/17/2007
Status: Active Grant

First Claim

Patent Images

1. A computer implemented system comprising the following computer executable components:

a fuzzing system that receives explicit user specified parameters for penetration testing of SQL server(s) associated therewith; and

a fuzzing component as part of the SQL server to provide an entry point for the fuzzing system and update the explicit user specified parameters.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods that incorporate fuzzing capabilities within an SQL server to facilitate penetration testing. A fuzzing component associated with the SQL server provides an entry point for accessing the fuzzing system to update explicit user specified parameters associated with SQL, wherein the server'"'"'s in depth knowledge regarding semantics of the language code (e.g., manner of parsing) can be employed to determine vulnerabilities thereof.

55 Citations

View as Search Results

20 Claims

1. A computer implemented system comprising the following computer executable components:
- a fuzzing system that receives explicit user specified parameters for penetration testing of SQL server(s) associated therewith; and
  
  a fuzzing component as part of the SQL server to provide an entry point for the fuzzing system and update the explicit user specified parameters.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer implemented system of claim 1 further comprising a parser that includes the fuzzing component.
  - 3. The computer implemented system of claim 1, the explicit user specified parameters updateable with fuzz values that are potentially created within the SQL server.
  - 4. The computer implemented system of claim 1 further comprising a T-SQL language fuzz testing that is built into the SQL server itself.
  - 5. The computer implemented system of claim 1 further comprising a switch that controls fuzzing capability during runtime.
  - 6. The computer implemented system of claim 1 further comprising a fuzz tracking component that tracks fuzzed values.
  - 7. The computer implemented system of claim 1 further comprising a transformation component that tracks occurred transformations.
  - 8. The computer implemented system of claim 1, the fuzzing component employs pluggable fuzzing logic.
  - 9. The computer implemented system of claim 1 the fuzzing component with in depth knowledge regarding semantics for language code of the SQL server.

10. A computer implemented method comprising the following computer executable acts:
- supplying entry points for accessing a fuzzing system of an SQL server; and
  
  replacing user input for the fuzzing system with fuzz values that are created within the SQL server.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The computer implemented method of claim 10 further comprising performing fuzzing at deeper levels than the network protocol layer.
  - 12. The computer implemented method of claim 10 further comprising maintaining track related to a state of fuzzing the SQL server.
  - 13. The computer implemented method of claim 10 further comprising storing fuzzing combinations in a data store.
  - 14. The computer implemented method of claim 10 further comprising determining whether combinations associated with a query have been parsed prior to receiving the query.
  - 15. The computer implemented method of claim 14 further comprising executing the query.
  - 16. The computer implemented method of claim 15 further comprising logging results of executing the query.
  - 17. The computer implemented method of claim 15 further comprising checking results for executing the query.
  - 18. The computer implemented method of claim 15 further comprising looping through combinations of fuzzing variations.
  - 19. The computer implemented method of claim 15 further comprising employing plugabble fuzzing logic for the fuzzing system.

20. A computer implemented system comprising the following computer executable components:
- fuzzing means for penetration testing of an SQL server; and
  
  means for providing an entry point for the fuzzing means.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Baras, Adrian Sorin, Ismert, Erik, Garcia, Raul, Gick, Craig Alan, Wu, Jiazhen

Granted Patent

US 7,953,674 B2
Time in Patent Office

Days
Field of Search
US Class Current

714/32
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

H04L 63/1433 Vulnerability analysis

EXHAUSTIVE SECURITY FUZZING FOR TRANSACT STRUCTURED QUERY LANGUAGE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

55 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

EXHAUSTIVE SECURITY FUZZING FOR TRANSACT STRUCTURED QUERY LANGUAGE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links