• Title/Summary/Keyword: Software Weakness

Search Result 9, Processing Time 0.034 seconds

Nuclear-related Software analysis based on secure coding (시큐어 코딩 중심으로 본 원자력 관련 소프트웨어)

  • Jung, Da-Hye;Choi, Jin-Young;Lee, Song-Hee
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.23 no.2
    • /
    • pp.243-250
    • /
    • 2013
  • We have entered into an era of smart software system where the many kinds of embedded software, especially SCADA and Automotive software not only require high reliability and safety but also high-security. Removing software weakness during the software development lifecycle is very important because hackers exploit weaknesses which are source of software vulnerabilities when attacking a system. Therefore the coding rule as like core functions of MISRA-C should expand their coding focus on security. In this paper, we used CERT-C secure coding rules for nuclear-related software being developed to demonstrate high-safety software, and proposed how to remove software weakness during development.

Quantitative Scoring Criteria on the Importance of Software Weaknesses (소프트웨어 보안약점의 중요도에 대한 정량 평가 기준 연구)

  • Ahn, Joonseon;Bang, Ji-Ho;Lee, Eunyoung
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.22 no.6
    • /
    • pp.1407-1417
    • /
    • 2012
  • In order to protect a software system from security attacks, it is important to remove the software security weaknesses through the entire life cycle of software development. To remove the software weaknesses more effectively, software weaknesses are prioritized and sorted continuously. In this paper, we introduce the existing scoring systems for software weakness and software vulnerability, and propose a new quantitative standard for the scoring system, which helps evaluate the importance of software weakness objectively. We also demonstrate the practicability of the proposed standard by scoring 2011 CWE/SANS Top 25 list with the proposed standard and comparing it to the original score of MITRE.

A Study on the Structured Weakness Classification for Mobile Applications (모바일 애플리케이션을 위한 보안약점 구조화 기법에 대한 연구)

  • Son, Yunsik;Oh, Se-Man
    • Journal of Korea Multimedia Society
    • /
    • v.15 no.11
    • /
    • pp.1349-1357
    • /
    • 2012
  • In recent years, security accidents which are becoming the socially hot issue not only cause financial damages but also raise outflow of private information. Most of the accidents have been immediately caused by the software weakness. Moreover, it is difficult for software today to assure reliability because they exchange data across the internet. In order to solve the software weakness, developing the secure software is the most effective way than to strengthen the security system for external environments. Therefore, suggests that the coding guide has emerged as a major security issue to eliminate vulnerabilities in the coding stage for the prevention of security accidents. Developers or administrators effectively in order to use secure coding coding secure full set of security weaknesses organized structurally and must be managed. And the constant need to update new information, but the existing Secure Coding and Security weakness is organized structurally do not. In this paper, we will define and introduce the structured weakness for mobile applications by the surveys of existing secure coding and coding rules for code analysis tools in Java.

Quantitative Scoring System on the Importance of Software Vulnerabilities (보안취약점 중요도 정량 평가 체계 연구)

  • Ahn, Joonseon;Chang, Byeong-Mo;Lee, Eunyoung
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.25 no.4
    • /
    • pp.921-932
    • /
    • 2015
  • We proposed a new scoring system on software vulnerabilities, which calculates quantitatively the severity of software vulnerabilities. The proposed scoring system consists of metrics for vulnerability severity and scoring equations; the metrics are designed to measure the severity of a software vulnerability considering the prevalence of the vulnerability, the risk level of the vulnerability, the domestic market share of the software and the frequency of the software. We applied the proposed scoring system to domestically reported software vulnerabilities, and discussed the effectiveness of the scoring system, comparing it with CVSS and CWSS. We also suggested the prospective utilization areas of the proposed scoring system.

A Study of The Binary Code to Intermediate Language Translator for Analysis of Software Weakness (소프트웨어 보안약점 분석을 위한 바이너리 코드-중간언어 변환기에 관한 연구)

  • Lee, Tae-Gue;Lim, Jung-Ho;Baik, Do-Woo;Son, Yunsik;Jeong, Junho;Ko, Kwangman;Oh, Seman
    • Proceedings of the Korea Information Processing Society Conference
    • /
    • 2017.04a
    • /
    • pp.276-279
    • /
    • 2017
  • 오늘날 사회 전반적인 부분에서 소프트웨어의 비중은 지속적으로 증가하고 있다. 또한 소프트웨어는 점차 대규모화되고 있고 동시에 개인의 중요한 정보 등을 다루는 경우도 매우 늘어나고 있기에 소프트웨어의 보안성 검증은 매주 중요한 문제이다. 그러나 소스코드가 존재하지 않는 라이브러리의 경우 보안성 검증은 매우 어려운 문제로, 이를 해결하기 위해 바이너리 내에 존재하는 보안약점을 검사하기 위한 기술의 개발이 매우 요구되는 상황이며, 이를 위해 중간언어를 활용하여 보안약점을 분석하는 기술이 활발히 논의되고 있다. 본 논문에서는 바이너리 코드내에 존재하는 보안약점을 효과적으로 분석하기 위해서 바이너리 코드로부터 보안약점 분석에 효과적인 중간언어로 변환하는 시스템을 제안한다.

Evaluation of Static Analyzers for Weakness in C/C++ Programs using Juliet and STONESOUP Test Suites

  • Seo, Hyunji;Park, Young-gwan;Kim, Taehwan;Han, Kyungsook;Pyo, Changwoo
    • Journal of the Korea Society of Computer and Information
    • /
    • v.22 no.3
    • /
    • pp.17-25
    • /
    • 2017
  • In this paper, we compared four analyzers Clang, CppCheck, Compass, and a commercial one from a domestic startup using the NIST's Juliet test suit and STONESOUP that is introduced recently. Tools showed detection efficacy in the order of Clang, CppCheck, the domestic one, and Compass under Juliet tests; and Clang, the domestic one, Compass, and CppCheck under STONESOUP tests. We expect it would be desirable to utilize symbolic execution for vulnerability analysis in the future. On the other hand, the results of tool evaluation also testifies that Juliet and STONESOUP as a benchmark for static analysis tools can reveal differences among tools. Finally, each analyzer has different CWEs that it can detect all given test programs. This result can be used for selection of proper tools with respect to specific CWEs.

Analysis of Detection Ability Impact of Clang Static Analysis Tool by Source Code Obfuscation Technique (소스 코드 난독화 기법에 의한 Clang 정적 분석 도구의 성능 영향 분석)

  • Jin, Hongjoo;Park, Moon Chan;Lee, Dong Hoon
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.28 no.3
    • /
    • pp.605-615
    • /
    • 2018
  • Due to the rapid growth of the Internet of Things market, the use of the C/C++ language, which is the most widely used language in embedded systems, is also increasing. To improve the quality of code in the C/C++ language and reduce development costs, it is better to use static analysis, a software verification technique that can be performed in the first half of the software development life cycle. Many programs use static analysis to verify software safety and many static analysis tools are being used and studied. In this paper, we use Clang static analysis tool to check security weakness detection performance of verified test code. In addition, we compared the static analysis results of the test codes applied with the source obfuscation techniques, layout obfuscation, data obfuscation, and control flow obfuscation techniques, and the static analysis results of the original test codes, Analyze the detection ability impact of the Clang static analysis tool.

Open Source Software Security Issues and Applying a Secure Coding Scheme (오픈 소스의 소프트웨어 보안 문제 및 시큐어 코딩 적용방안)

  • Kim, Byoungkuk
    • KIISE Transactions on Computing Practices
    • /
    • v.23 no.8
    • /
    • pp.487-491
    • /
    • 2017
  • Open source software allows the users to freely use, copy, distribute and modify source code without any particular limitations, and this offers the advantages of low entry cost, fast and flexible development, compatibility, reliability and safety. The emergence of many useful open source projects has the advantage of achieving high levels of output with lower costs and time commitment for software development. However, this also increases the risks caused by the security vulnerabilities of the used open source software. There is still no separate process to verify security in using open source software. In this paper, we analyze the security weakness in open source and propose a secure coding scheme in adopting open source, which is known to be highly reliable from a security point of view.

An analysis method for complex attack pattern using the coupling metrics (결합척도를 이용한 복합 공격 패턴 분석 방법)

  • Kwon, Ye-Jin;Park, Young-Bom
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.22 no.5
    • /
    • pp.1169-1178
    • /
    • 2012
  • Recently, since the most software intensive systems are using internet environment for data exchange, the software security is being treated as a big issue. And, to minimize vulnerability of software system, security ensuring steps which are applying secure coding rules, are introduced in the software development process. But, since actual attacks are using a variety of software vulnerabilities, it is hard to analyze software weakness by monotonic analysis. In this paper, it is tried to against the complex attack on the variety of software vulnerability using the coupling which is one of the important characteristic of software. Furthermore, pre-analysis of the complex attack patterns using a combination of various attack methods, is carried out to predict possible attack patterns in the relationship between software modules. And the complex attack pattern analysis method is proposed based on this result.