DOI QR코드

DOI QR Code

A Design of Smart Fuzzing System Based on Hybrid Analysis

하이브리드 분석 기반의 스마트 퍼징 시스템 설계

  • Kim, Mansik (Dept. of Computer Science & Engineering, Soongsil University) ;
  • Kang, Jungho (Dept. of Computer Science & Engineering, Soongsil University) ;
  • Jun, Moon-seog (Dept. of Computer Science & Engineering, Soongsil University)
  • Received : 2016.12.29
  • Accepted : 2017.03.20
  • Published : 2017.03.28

Abstract

In accordance with the development of IT industry worldwide, software industry has also grown tremendously, and it is exerting influence on the general society starting from daily life to financial organizations and public institutions. However, various security threats that can inflict serious threat to provided services in proportion to the growing software industry, have also greatly increased. In this thesis, we suggest a smart fuzzing system combined with black box and white box testing that can effectively detectxdistinguish software vulnerability which take up a large portion of the security incidents in application programs.

전 세계적으로 IT 산업이 발전함에 따라 소프트웨어 산업 또한 크게 성장하였으며, 사회전반에 걸쳐 일상생활에서부터 금융과 공공 기관까지 영향력을 미치고 있다. 특히 ICT 기술의 활성화로 인해 소프트웨어 산업은 더욱 고도화 되고, 다양한 기능과 기술을 공유하게 되었다. 그러나 이렇게 성장하는 소프트웨어 산업과 비례하여 제공되는 서비스에 치명적인 위협을 가할 수 있는 다양한 보안 위협 또한 크게 증가 하였다. 이미 OpenSSL 하트블리딩 취약점으로 전 세계적으로 큰 이슈를 일으켰으며, 그밖에도 이란의 원자력 발전시설, 미국의 에너지 기업들이 소프트웨어 취약점으로 인해 많은 피해를 입었다. 본 논문에서는 응용프로그램 보안 사고의 큰 비중을 차지하고 있는 소프트웨어 취약점을 효과적으로 탐지 식별 할 수 있는 블랙박스, 화이트박스 테스트를 연계한 하이브리드 퍼징 시스템을 제안한다.

Keywords

References

  1. SH Lee, DW LEE,"A Study on u-Health Fusion Field based on Internet of Thing", Korea Convergence Society, Vol 7, No. 4, pp. 19-24, 2016
  2. LS Kim, "Convergence of Information Technology and Corporate Strategy", Korea Convergence Society, Vol. 6, No. 6, pp. 17-26, 2015
  3. SS Shin, GS Chae, TH Lee, "An Investigation Study to Reduce Security Threat in the Internet of Things Environment", Convergence Society for SMB, Vol. 5, No. 4, pp. 31-16, 2015
  4. Software security weaknesses diagnostic guide, KISA, 2012.
  5. MS Gu, YZ Li, "A Study of Countermeasures for Advanced Persistent Threats attacks by malicious code", Convergence Society for SMB, Vol. 5, No. 4, pp. 37-42, 2015
  6. Symantec, "2013 Internet Security Threat Report, Volume 18," 2013.
  7. Christey, S. M., and R. P. Glenn. Common weakness enumeration. 2013.
  8. Robert C. Seacord, The CERT C Secure Coding Standard, Addison-Wesley, October 2008.
  9. Robert C. Seacord, Secure Coding in C and C++, Addison-Wesley, May 2010.
  10. Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda The CERT Java Secure Coding Standard, Addison-Wesley, September 2011.
  11. Sutton, Michael, Adam Greene, and Pedram Amini. Fuzzing: brute force vulnerability discovery. Pearson Education, 2007.
  12. Patton, Ron. Software testing. Sams Pub., 2006.
  13. KHAN, Mohd Ehmer; KHAN, Farmeena. A Comparative Study of White Box, Black Box and Grey Box Testing Techniques. Editorial Preface, 2012.
  14. Bekrar, S., Bekrar, C., Groz, R., & Mounier, L. Finding software vulnerabilities by smart fuzzing. In Software Testing, Verification and Validation (ICST), IEEE Fourth International Conference, pp. 427-430. 2011.
  15. BALL, Thomas; RAJAMANI, Sriram K. The S LAM project: debugging system software via static analysis. In: ACM SIGPLAN Notices. ACM, pp. 1-3, 2002.
  16. OWASP, Top. Top 10-2013. The Ten Most Critical Web Application Security Risks, 2013.
  17. Ministry of Government Administration and Home Affairs, Software development security guide for developer and operator in E-government SW, 2012
  18. NEWSOME, James; SONG, Dawn. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. 2005.