Design and Implementation of Software Vulnerability Analysis Algorithm through Static Data Access Analysis

  • Lim, Hyun-il (Dept. of Computer Engineering, Kyungnam University)
  • Received : 2015.05.22
  • Accepted : 2015.08.04
  • Published : 2015.08.31

Abstract

Nowadays, software plays various roles in applications across a wide range of areas. However, security problems caused by software vulnerabilities are increasing, so it is necessary to improve the security and safety of software execution. In this paper, we propose an approach that improves the safety of software execution by managing the information used in software through static data access analysis. The approach can detect exposures of secure data during software execution by analyzing information properties and flows through static data access analysis. We implemented the proposed approach with a base language and experimented with it, verifying that it can effectively detect exposures of secure information. The proposed approach can be applied in several areas to improve software safety by analyzing vulnerabilities arising from information flows in software execution.

Keywords
