Fuzzing system and method for exhaustive security fuzzing within an SQL server

US 7,953,674 B2
Filed: 05/17/2007
Issued: 05/31/2011
Est. Priority Date: 05/17/2007
Status: Active Grant

First Claim

Patent Images

1. A computer implemented system comprising the following computer executable components:

a processor; and

a memory component communicatively coupled to the processor, the memory component having stored therein computer-executable instructions that when executed by the processor cause the processor to implement;

a fuzzing system that receives a structured query language (SQL) statement, wherein the SQL statement includes actual grammar associated with the SQL statement and explicit user specified parameters associated with penetration testing of an SQL server; and

a parsing component as part of the SQL server that separates the explicit user specified parameters from the actual grammar associated with the SQL statement, wherein the parsing component mitigates parsing errors by replacing the explicit user specified parameters with fuzz values generated within the SQL server that maintain conformance to syntactically correct SQL statements.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods that incorporate fuzzing capabilities within an SQL server to facilitate penetration testing. A fuzzing component associated with the SQL server provides an entry point for accessing the fuzzing system to update explicit user specified parameters associated with SQL, wherein the server'"'"'s in depth knowledge regarding semantics of the language code (e.g., manner of parsing) can be employed to determine vulnerabilities thereof.

Citations

19 Claims

1. A computer implemented system comprising the following computer executable components:
- a processor; and
  
  a memory component communicatively coupled to the processor, the memory component having stored therein computer-executable instructions that when executed by the processor cause the processor to implement;
  
  a fuzzing system that receives a structured query language (SQL) statement, wherein the SQL statement includes actual grammar associated with the SQL statement and explicit user specified parameters associated with penetration testing of an SQL server; and
  
  a parsing component as part of the SQL server that separates the explicit user specified parameters from the actual grammar associated with the SQL statement, wherein the parsing component mitigates parsing errors by replacing the explicit user specified parameters with fuzz values generated within the SQL server that maintain conformance to syntactically correct SQL statements.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer implemented system of claim 1, wherein the parsing component translates the explicit user specified parameters into transact SQL language.
  - 3. The computer implemented system of claim 1 further comprising a transact SQL language fuzz testing component built into the SQL server.
  - 4. The computer implemented system of claim 1 further comprising a switch that controls fuzzing capability during runtime.
  - 5. The computer implemented system of claim 1 further comprising a fuzz tracking component that tracks fuzzed values.
  - 6. The computer implemented system of claim 1 further comprising a transformation component that tracks occurred transformations.
  - 7. The computer implemented system of claim 1, the fuzzing component employs pluggable fuzzing logic.
  - 8. The computer implemented system of claim 1 the fuzzing component with knowledge regarding semantics for language code of the SQL server.

9. A computer implemented method comprising the following computer executable acts:
- employing a processor to execute computer executable instructions stored on a computer readable storage medium to implement the following acts;
  
  receiving a structured query language (SQL) statement, wherein the SQL statement includes actual grammar associated with the SQL statement and explicit user specified parameters;
  
  separating the explicit user specified parameters from the actual grammar associated with the SQL statement; and
  
  mitigating parsing errors by replacing the explicit user specified parameters with fuzz values created within an SQL server, wherein the fuzz values created within the SQL server maintain conformance to syntactically correct SQL statements.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. The computer implemented method of claim 9 further comprising performing fuzzing at deeper levels than the network protocol layer.
  - 11. The computer implemented method of claim 9 further comprising maintaining track related to a state of fuzzing the SQL server.
  - 12. The computer implemented method of claim 9 further comprising storing fuzzing combinations in a data store.
  - 13. The computer implemented method of claim 9 further comprising determining whether combinations associated with a query have been parsed prior to receiving the query.
  - 14. The computer implemented method of claim 13 further comprising executing the query.
  - 15. The computer implemented method of claim 14 further comprising logging results of executing the query.
  - 16. The computer implemented method of claim 14 further comprising checking results for executing the query.
  - 17. The computer implemented method of claim 14 further comprising looping through combinations of fuzzing variations.
  - 18. The computer implemented method of claim 14 further comprising employing pluggable fuzzing logic for the fuzzing system.

19. A computer-readable storage medium comprising:
- computer-readable instructions, the computer-readable instructions including instructions for causing at least one processor to perform the following acts;
  
  receiving a structured query language (SQL) statement, wherein the SQL statement includes actual grammar associated with the SQL statement and explicit user specified parameters;
  
  separating the explicit user specified parameters from the actual grammar associated with the SQL statement; and
  
  mitigating parsing errors by replacing the explicit user specified parameters with fuzz values created within an SQL server, wherein the fuzz values created within the SQL server maintain conformance to syntactically correct SQL statement.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Garcia, Raul, Gick, Craig Alan, Wu, Jiazhen, Baras, Adrian Sorin, Ismert, Erik
Primary Examiner(s)
VINCENT, DAVID ROBERT

Application Number

US11/750,132
Publication Number

US 20080288822A1
Time in Patent Office

1,475 Days
Field of Search

706/45, 706/52, 706/1, 714/100, 714/26, 714/38, 714/32, 714/28, 726 22- 25
US Class Current

706/1
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

H04L 63/1433 Vulnerability analysis

Fuzzing system and method for exhaustive security fuzzing within an SQL server

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Fuzzing system and method for exhaustive security fuzzing within an SQL server

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links