MongoDB’s JavaScript Fuzzer: Creating Chaos (1/2)

MongoDB
October 19, 2016 | Updated: September 19, 2022
#Engineering#EngineeringBlog

As MongoDB becomes more feature rich and complex with time, our need for more sophisticated bug-finding methods grows as well. We recently added a homegrown JavaScript fuzzer to our toolkit, and it is now our most prolific bug finding tool, responsible for finding almost 200 bugs over the course of two release cycles. These bugs span a range of MongoDB components from sharding to the storage engine, with symptoms ranging from deadlocks to data inconsistency. We run the fuzzer as part of our continuous integration system, Evergreen, where it frequently catches bugs in newly committed code.

In part one of two, we examine how our fuzzer hybridizes the two main types of fuzzing to achieve greater coverage than either method alone could accomplish. Part two will focus on the pragmatics of running the fuzzer in a production setting and distilling a root cause from the complex output fuzz tests often produce.

What's a fuzzer?

Fuzzing, or fuzz testing, is a technique of generating randomized, unexpected, and invalid inputs to a program to trigger untested code paths. Fuzzing was originally developed in the 1980s and has since proven to be effective at ensuring the stability of a wide range of systems, from filesystems to distributed clusters to browsers. As people attempt to make fuzzing more effective, two philosophies have emerged: smart, and dumb fuzzing. And as the state of the art evolves, the techniques that are used to implement fuzzers are being partitioned into categories, chief among them being “generational” and “mutational.” In many popular fuzzing tools, smart fuzzing corresponds to generational techniques, and dumb fuzzing to mutational techniques, but as we will see, this is not an intrinsic relationship. Indeed, in our case, the situation is precisely reversed.

Smart fuzzing

A smart fuzzer is one that has a good understanding of the valid input surface of the program being tested. With this understanding, a smart fuzzer can avoid getting hung up on input validation and focus on testing a program’s behavior. Testing that a program properly validates its input is important, but isn’t the goal of fuzz testing.

Many fuzzers rely on an explicit grammar to generate tests, and it is that grammar that makes those tests smart. But our command language is young, and we did not want to delay our fuzzer’s delivery by taking the time to distill a formal grammar. Instead, we borrow our knowledge of the MongoDB command grammar from our corpus of JavaScript integration tests, mutating them randomly to create novel test-cases. Thus, our mutational strategy results in a smart fuzzer.

This corpus of JavaScript integration tests has been a mainstay of our testing for many years. Evergreen feeds each test file to a mongo shell, which executes the commands within those files against MongoDB servers, shard routers, and other components we want to test. When the fuzzer runs, it takes in a random subset of these JS tests and converts them to an abstract syntax tree (AST) of the form understood by JavaScript interpreters. It then wreaks (controlled) havoc on the tree, by selectively replacing nodes, shuffling them around, and replacing their values. This way we generate commands with parameters that wouldn’t be encountered during normal testing, but preserve the overall structure of valid JavaScript objects.

For example, this code:

db.coll.find({x:1})

...which finds a document in collection coll with a field x having the value 1, becomes:

To begin fuzzing that AST, the fuzzer first traverses the tree to mark nodes that should be replaced. In this case, let's assume it has decided to replace the value of the ObjectExpression, a 1. This node is then replaced with a PLACEHOLDER node, as follows:

As the fuzzer traverses the tree, it also picks up values that it thinks are interesting, which are usually primitive values like strings and numbers. These values are harvested and used to construct the final value of the placeholder nodes.

In this example, the placeholder is replaced with another ObjectExpression containing the key and value that it harvested elsewhere from the corpus:

When this tree is converted into code, it becomes a new test case:

db.coll.find(x:{$regex:'a\0b'})

...which finds a document with a field x that matches the regular expression a\0b.

A test very much like this one was acutally run by our fuzzer, and it turned out that MongoDB did not properly handle regex strings containing null bytes, so this test case caused the server to crash.

Lessons from our experience

AST>REGEX

Using an abstract syntax tree is a great strategy for fuzz testing. Previously, we had tried using a regex-based approach. This involved stringifying the tests and finding specific tokens to replace or shuffle. But regexes are opaque and fragile -- they are a nightmare to maintain, and it's very easy to introduce subtle mistakes that make the mutations less effective. Syntax trees, on the other hand, actually model the test code as objects with named properties, so the fuzzer code for performing substitutions clearly embodies the logic for doing so. Thus, ASTs are far easier to reason about and less error-prone.

There are open source libraries that turn code into ASTs for most languages; we used acorn.js.

Heuristic>Random

When implementing the mutational aspect of a fuzzer, noting what types of mutations are provoking the most bugs can yield benefits. Our initial implementation randomly chose which nodes to replace, but we observed that modified ObjectExpressions contributed to finding more new bugs, so we tweaked the probabilities to make more mutations happen on them.

Dumb fuzzing

Smart, AST-based mutation gives our fuzzer a familiarity with the input format, but it also guarantees blind spots, because the corpus is a finite list harvested from human-written tests. The school of dumb fuzzing proposes an answer to this shortcoming, advocating fuzzers that generate input randomly, without regard to validity, thereby covering areas the developer may have overlooked.

This is a bit of a balancing act. With no knowledge of the target program at all, the best a fuzzer could do would be to feed in a random stream of 0s and 1s. That would generally do nothing but trigger input validation code at some intervening layer before reaching the program under test... Triggering only input validation code is the hallmark of a bad fuzzer.

To put some dumb in our fuzzer without resorting to random binary, we generate values from a seed list. Since our test inputs are JavaScript objects comprised of MongoDB commands and primitive values, our seed list is composed of MongoDB commands and primitive types that we know from experience are edge cases. We keep these seed values in a file, and generate JavaScript objects using them as the keys and values. Here's a little excerpt:

var defaultTokens = {
        Infinity, -Infinity,
        NaN, -NaN,
        'a\0b', 'A\0B',
        '\u0000', '\u0000\u0000',
        '$',
        '$all',
        '$and',
        '$bitsAllClear'
        // etc.

These strings are drawn from our experience with testing MongoDB, but as far as the fuzzer is concerned, they are just strings, and it composes the test input from them without regard to what would be valid. Thus, our generational method produces dumbness.

It doesn't work like this

We’re trying to balance coverage with validation avoidance. To generate test input that has a chance of passing input validation, we could start with a template of a valid JavaScript object. The letters in this template represent placeholders:

{a:X, b:Y, c:Z}

We could then replace the capital letters with seed primitive values:

{a: 4294967296, b: '\0ab', c: NumberDecimal(-NaN)}

...and replace the lower case letters with seed MongoDB command parameters:

{create: 4294967296, $add: '\0ab', $max: NumberDecimal(-NaN)}

But this isn't a valid MongoDB command. Despite filling in a well-formated template from a list of valid MongoDB primitives, this generated input still only triggers the validation code.

Hybrid fuzzing

Mutational fuzzing leaves blind spots, and generational fuzzing on its own won't test interesting logic at all. But when combined, both techniques become much more powerful. This is how our fuzzer actually works.

As it mutates existing tests, every once in awhile, instead of pulling a replacement from the corpus, it generates an AST node from its list of seeds. This generational substitution reduces blind spots by producing a value not present in the corpus, while the mutational basis means the resulting command retains the structure of valid input, making it likely to pass validation. Only after it is deep in the stack does the program realize that something has gone horribly wrong. Mission accomplished.

Here’s an example of hybrid fuzzing in action, using a simplified version of a test that actually exposed a bug.

The fuzzer starts with the following corpus...

db.test.insert({x:1});
db.test.update({some: "object"}, ...);

...the first line of which becomes the following AST:

The ObjectExpression is converted into a PLACEHOLDER node, in the same manner as mutational fuzzing.

Then the fuzzer decides that instead of replacing the placeholder with a value from elsewhere in the corpus, it will replace it with a generated object. In this case, a newExpression with a large NumberLong as the argument.

This yields the following test:

db.test.insert({a: new NumberLong("9223372036854775808")});
db.test.update({}, {$inc: {a: 13.0}});

The result is that we insert a large 64-bit integer into MongoDB before later updating that value. When the actual test ran, it turned out that the new value would still be a large number, but not the correct one. The bug was that MongoDB stored the integer as a double internally, which only has 53 bits of precision. The fuzzer was able to find this through generating the large NumberLong, which did not appear in any test.

The combination of mutational fuzzing with the edge cases we seed to the generational fuzzer is an order of magnitude more powerful than writing tests for these edge cases explicitly. In fact, a significant portion of the bugs that the fuzzer found were triggered by values generated in this way.

Up next: Detection and Triage

These examples use cleaned up and minimal fuzz tests with all the complexity removed. In actuallity, they are hundreds of lines long and contain plenty of branching logic, and all that randomization produces uninteresting errors in the test code itself. Furthermore, becuase it tests random components of the target application, a fuzzer can't tell you what failed even when the error is legitimate. For a fuzzer to be useful, it needs a way to filter out all the noise, and to help a tester isolate a root cause. That's what we're going to talk about in part two.

← Previous

Leaf in the Wild: KPMG France Enters the Cloud Era with New MongoDB Data Lake

Love it or loathe it, the term “big data” continues to gain awareness and adoption in every industry. No longer just the preserve of internet companies, traditional businesses are innovating with “big data” applications in ways that were unimaginable just a few years ago. A great example of this is KPMG France’s deployment of a MongoDB-based data lake to support its accounting suite named Loop , and the release of its industry-first financial benchmarking service – enabling KPMG France customers to unlock new levels of insight into how each of their businesses are really performing. In the true spirit of big data, this application would have truly overwhelmed the capabilities of traditional data management technologies. I spoke with Christian Taltas, Managing Director of KPMG France Technologies Services, to learn more. Can you start by telling us about KPMG France? KPMG is one of the world’s largest professional services firms operating as independent businesses in 155 countries, with 174,000 staff. KPMG provides audit, tax and advisory services used by corporations, governments and not-for-profit organizations. KPMG France provides accounting services to 65,000 customers. I am the managing director of KPMG Technologies Services (KTS), a software company subsidiary of KPMG France. KTS developed Loop, a complete collaborative accounting solution which is used by KPMG France’s Certified Public Accountants (CPAs) and their clients. Please describe how you use MongoDB. MongoDB is the database powering the Loop accounting suite, used by KPMG’s 4,800 CPAs. The suite is also currently used in collaboration with around 2,000 of KPMG’s customers. We are expecting more than 20,000 customers to adopt Loop’s collaborative accounting within the next 18 months. What services does MongoDB provide for the accounting suite? It serves multiple functions for the suite: Data Lake: All raw accounting data from our customers’ business systems, such as sales data, invoices, bank statements, cash transactions, expenses, payroll and so on, is ingested from Microsoft SQL Server into MongoDB. This data is then accessible to our CPAs to generate the customer’s KPIs. A unique capability we have developed for our customers is financial benchmarking. We can use the data in the MongoDB data lake to allow our customers to benchmark their financial performance against competitors operating in the same industries within a specified geographic region. They can compare salary levels, expenses, margin, marketing costs – in fact almost any financial metric – to help determine their overall market competitiveness against other companies operating in the same industries, regions and markets. The MongoDB data lake enables us to manage large volumes of structured, semi-structured, and unstructured data, against which we can run both ad-hoc and predefined queries supporting advanced analytics and business intelligence dashboards. We are continuously loading new data to the data lake, while simultaneously supporting thousands of concurrent users. Metadata Management: - Another unique feature of our accounting suite is the ability to customize reporting for each customer, based on specific criteria they want to track. For example, a restaurant chain will be interested in different metrics than a construction company. We enable this customization by creating a unique schema for each customer which is inherited from a standard business application schema, and then written to MongoDB. It stores the schema classes for each customer, which are then applied at run time when accounts and reports are generated. The Loop application has been designed as a business framework that generates reports in real time, running on top of Node.js. MongoDB is helping us manage the entire application codebase in order to deliver the right schemas and application business modules to each user depending on their role and profile, i.e.: bookkeeper, CPA, sales executive. It is a very powerful feature enabled by the flexibility of the MongoDB document data model that we could not have implemented with the constraints imposed by a traditional relational data model. Caching Layer: The user experience is critical, so we use MongoDB as a high-speed layer to manage user authentication and sessions. Logging Layer: We also use MongoDB to store all the Loop application’s millions of clients requests each day. This enables us to build Tableau reports on top of the logs to troubleshoot production performance issues for each user session, and for each of the 220 regional KPMG sites spread across France. We are using the MongoDB Connector for BI to generate these reports in Tableau. Why did you choose MongoDB? When we started development back in 2012, we knew we needed schema flexibility to handle the massive variances in data structures the accounting suite would need to store and process. This requirement disqualified traditional relational databases from handling the caching, metadata management and KPIs benchmarking computation. As we explored different NoSQL options, we were concerned that we’d over-complicate our architecture by running separate caches and databases. However, in performance testing MongoDB offered the flexibility and scalability to serve both use cases. It outperformed the NoSQL databases and dedicated caches we tested, and so we took the decision to build our platform around MongoDB. As our accounting suite is built on JavaScript, close integration between the JavaScript application and the database was also a significant advantage in helping us accelerate development cycles. As we were developing our new financial benchmarking service last year, we evaluated Microsoft’s Azure Cosmos DB (note, at the time this was called DocumentDB), but MongoDB offered much richer query and indexing functionality. We also considered building the benchmarking analytics on Hadoop, but the architecture of MongoDB, coupled with the power of the aggregation pipeline gave us a much simpler solution, while delivering the data lake functionality we needed. Aggregation enhancements delivered in MongoDB 3.2 , especially the introduction of the $lookup operator , were key to our technology decisions. Can you describe what your MongoDB deployment looks like? Both the caching layer and metadata management are run on dedicated three node replica sets . This gives the accounting suite fault resilience to ensure always-on availability. The metadata is largely read only, while the caching layer serves a mixed read / write workload. The data lake is deployed as a sharded cluster handling both large batch loads of data from clients business systems while concurrently serving complex analytics queries and reporting to the CPAs. We are running MongoDB on Windows instances in the Microsoft Azure cloud, after migrating from our own data center. We needed to ensure we could meet the scalability demands of the app, and the cloud is a better place to do that, rather than investing in our own infrastructure. How do you support and manage your deployment? We use MongoDB's fully managed database, MongoDB Atlas , and have access to 24x7 proactive support from MongoDB engineers. We have also recently used the Production Readiness package from MongoDB consulting services . The combination of the cloud database service, professional services, and technical support are proving invaluable: The MongoDB consultants reviewed our operational processes and Azure deployment plans, from which they able to provide guidance and best practices to execute the migration without interruption to the business. They also helped us create an operations playbook to institutionalize best practices going forward. MongoDB Atlas automated the configuration and provisioning of MongoDB instances onto Azure, and we rely on it now to handle on-going upgrades and maintenance. A few simple clicks in the UI eliminates the need for us to develop our own configuration management scripts. MongoDB Atlas also provides high-resolution telemetry on the health of our MongoDB databases, enabling us to proactively address any issues before they impact the CPAs. Data integrity is obviously key to our business, and so Atlas is invaluable in providing continuous backups of our data lake. We evaluated managing backup ourselves, but ultimately it was much more cost effective for MongoDB to manage it for us as part of the fully managed backup service available through Atlas. As part of your migration to Azure, you also migrated to the latest MongoDB 3.2 release. Can you share the results of that upgrade? One word – scalability. With MongoDB 3.2 now using WiredTiger as its default storage engine, we can achieve much higher throughput and scalability on a lower hardware footprint. The accounting suite supports almost 7,000 internal and external customers today, with half of them connecting for an average of 5 hours every working day. But we plan to roll it out to 20,000 customers over the next 18 months. We’ve been able to load test the suite against our development cluster, and MongoDB has scaled to 5x the current sessions, analytics and data volumes with no issues at all. WiredTiger’s document level concurrency control and storage compression are key to these results. What future plans do you have for the Loop accounting suite? We want to automate more of the benchmarking, and enable further data exploration to build predictive analytics models for our customers. This will enable us to provide benchmarks against both historic data, as well as evaluate future likely business outcomes. We plan on using the Azure Machine Learning framework against our MongoDB data lake. How are you measuring the impact of MongoDB on your business? We estimate that by selecting MongoDB for the accounting suite we achieved at least a 50% faster time to market than using any other non-relational database. The tight integration with JavaScript, flexible data model, out-of-box performance and sophisticated management platform have all been key to enabling developer productivity and reducing operational costs. The accounting suite’s financial benchmarking service is a highly innovative application that provides KPMG France with significant competitive advantage. We have access to a lot of customer information which becomes actionable with our data lake built on MongoDB. It allows us to store that data cost effectively, while supporting rich analytics to give insights that other accounting practices just can’t match. Christian, thanks for taking the time to share your story with the MongoDB community. Thinking of implementing a data lake? Learn more from our guide: Bringing Online Big Data to BI & Analytics with MongoDB About the Author - Mat Keep Mat is a director within the MongoDB product marketing team, responsible for building the vision, positioning and content for MongoDB’s products and services, including the analysis of market trends and customer requirements. Prior to MongoDB, Mat was director of product management at Oracle Corp. with responsibility for the MySQL database in web, telecoms, cloud and big data workloads. This followed a series of sales, business development and analyst / programmer positions with both technology vendors and end-user companies.

October 19, 2016
Next →

Recapitulação dos anúncios de produtos no MongoDB.local Nova York 2023

Hoje, no MongoDB.local NYC , revelamos vários novos recursos em nossa plataforma de dados de desenvolvedor para ajudar usuários e clientes a criar, iterar e dimensionar seus aplicativos com o MongoDB. As equipes de desenvolvimento estão sendo solicitadas a oferecer experiências de usuário atraentes e diferenciadas, mais rápidas e inteligentes do que nunca. Ao mesmo tempo, devem fazê-lo da forma mais rápida e eficiente possível. A plataforma de dados de desenvolvedores do MongoDB é essencial para equipes que se esforçam para inovar de forma rápida e eficiente. Ele permite que os desenvolvedores ofereçam suporte a uma ampla variedade de casos de uso de aplicativos em suas organizações por meio de uma API unificada e elimina a necessidade de incorporar, aprender e manter soluções pontuais de banco de dados separadas. Expandindo a gama de aplicativos modernos que você pode construir no MongoDB Uma nova geração de experiências baseadas em IA está sendo desenvolvida, onde os vetores servem como um elemento fundamental que torna essas aplicações possíveis. Vetores são representações matemáticas das características de dados não estruturados — incluindo texto, imagens, vídeos, arquivos de áudio e muito mais — e ocupam um espaço n-dimensional, onde n é o número de características no conjunto de dados. Se os dados são semelhantes ou não, baseia-se na distância entre os vetores neste espaço vetorial n-dimensional. Um banco de dados vetorial permite que os usuários consultem vetores para determinar o que é semelhante ou relacionado, sem depender da correspondência de palavras-chave. Anunciado hoje , o Atlas Vector Search permite armazenar, indexar e consultar vetores juntamente com seus dados operacionais e transacionais em documentos, sem a sobrecarga de adicionar, aprender e manter outro sistema de banco de dados. A adição da pesquisa vetorial ao MongoDB Atlas permite que as equipes forneçam resultados mais relevantes e sensíveis ao contexto aos usuários finais, incluindo a capacidade de aumentar aplicativos construídos em Large Language Models (LLMs) com dados proprietários para melhorar a precisão e o desempenho. Atlas Vector Search está disponível hoje em versão prévia pública. Os aplicativos hoje também precisam ser mais em tempo real do que nunca, mas processar fluxos de dados e trazê-los para os aplicativos é complexo e desafiador. A maioria das organizações introduz uma solução de ponto de processamento de fluxo com um conjunto diferente de APIs, drivers e ferramentas que criam uma experiência de desenvolvedor fragmentada, complexidade operacional e custos adicionais. Em breve, em versão prévia privada , o Atlas Stream Processing transformará a forma como as equipes de desenvolvimento criam aplicativos orientados a eventos. Os desenvolvedores podem usar a mesma linguagem de consulta e modelo flexível de dados de documentos para trabalhar com dados de streaming e seus dados no banco de dados para casos de uso que vão desde o monitoramento do tráfego de rede em busca de intrusões até a realização de planejamento de rotas ao vivo com base nas condições atuais da estrada. Empresas como Albertsons , Glassdoor e Anywhere Real Estate , a maior franqueadora de marcas imobiliárias residenciais do mundo, dependem do Atlas Search para fornecer funcionalidade de texto completo em seus aplicativos sem precisar implantar e sincronizar dados de seu banco de dados para um banco de dados separado. mecanismo de busca. Com a nova análise de consulta de pesquisa, os desenvolvedores obterão insights sobre o que seus usuários finais estão procurando, permitindo-lhes refinar e personalizar melhor sua lógica de pesquisa. Além disso, os índices do Atlas Search agora podem ser criados e managed em drivers de linguagem (começando com Node.js), MongoDB Compass e MongoDB Shell , facilitando para desenvolvedores que preferem trabalhar com seus índices de forma programática. E, finalmente, foram anunciados hoje nós de pesquisa dedicados, que permitirão que as equipes dimensionem e otimizem recursos de forma independente para suas cargas de trabalho de pesquisa para melhorar o desempenho em escala, maior disponibilidade e criação de índices mais rápida. Melhorando a base de desempenho, escala e segurança O trabalho que estamos realizando para melhorar o desempenho, a escalabilidade e a segurança de nossa plataforma de dados de desenvolvedores é tão importante quanto aumentar sua gama de recursos funcionais. A partir do MongoDB 7.0 , as melhorias na execução de consultas reduzirão o número de leituras de disco, os recursos de computação e a memória necessários para executar determinadas consultas, proporcionando melhor desempenho e consumo de recursos mais eficiente. Em particular, a nova estratégia de execução de consultas irá acelerar o agrupamento e remodelagem de documentos, a filtragem e classificação de documentos e pesquisas de $ usadas para unir dados em collection. No ano passado, apresentamos Queryable Encryption em versão prévia. Este esquema de criptografia pesquisável, pioneiro no setor, permite que os usuários criptografem campos de dados confidenciais — como informações de identificação pessoal — no lado do cliente e armazenem esses dados como dados criptografados totalmente aleatórios no banco de dados, preservando ao mesmo tempo a capacidade de executar consultas expressivas. Com o MongoDB 7.0, Queryable Encryption oferecerá suporte à pesquisa de igualdade, com suporte para consultas de intervalo, prefixo, sufixo e substring a seguir. Foco contínuo em uma experiência de desenvolvedor de primeira classe Poucas coisas são mais críticas para o desenvolvimento de software do que garantir um desenvolvedor e uma experiência operacional de alto nível. Continuamos dedicados a melhorar a usabilidade de nossos produtos e a expandir o conjunto de ferramentas disponíveis aos desenvolvedores para construção com MongoDB. Kotlin está emergindo como uma linguagem popular para desenvolvimento móvel e de servidor. Hoje revelamos um novo Kotlin driver oficial do, permitindo que os desenvolvedores do Kotlin criem aplicativos no MongoDB com confiança, sabendo que estamos comprometidos em apoiar esta comunidade de idiomas em rápido crescimento. Também lançamos PyMongoArrow , uma nova biblioteca para desenvolvedores e analistas de dados exportarem facilmente dados no MongoDB para pilhas analíticas baseadas em Python, incluindo Apache Arrow, Pandas e NumPy. À medida que mais empresas otimizam seu pipeline de DevOps, as ferramentas que permitem a automação programática podem melhorar muito a eficiência e a produtividade. Os desenvolvedores agora podem provisionar recursos no MongoDB Atlas usando o Amazon Web Services cloud Development Kit (AWS CDK) em C#, Go, Java e Python, bem como com Node.js e Typescript. As empresas que utilizam o Kubernetes podem usar o MongoDB Atlas CLI para instalar o Atlas Kubernetes Operator e exportar implantações existentes para gerenciamento e provisionamento de infraestrutura mais simples. Caminho para a modernização de aplicativos A modernização de aplicativos continua a ser um investimento fundamental para muitas empresas desbloquearem a rápida iteração de software e atenderem aos requisitos de aplicativos em constante evolução. O MongoDB Relational Migrator , agora com disponibilidade geral , ajuda a acelerar e reduzir os riscos nas migrações de relational database comuns — incluindo Oracle, SQL Server, MySQL e PostgreSQL — para o MongoDB. Essa ferramenta não apenas lida com a migração de dados em si, mas também permite que as equipes de migração visualizem recomendações de modelagem de dados do MongoDB, definam alterações de esquema com uma interface visual e gerem código de aplicativo em sua linguagem de programação ou estrutura para obter vantagem na refatoração de seus aplicativos para refletir o esquema MongoDB recém-projetado. Para ver mais anúncios e obter as atualizações mais recentes do produto, visite nossa página Novidades.

October 2, 2023