A Study on a Secure Coding Library for the Battlefield Management System Software Development


  • Park, Sanghyun (C4I.Cyber Team, R&D Division, Hanwha System Co. Ltd.)
  • Kim, Kwanyoung (C4I.Cyber Team, R&D Division, Hanwha System Co. Ltd.)
  • Choi, Junesung (The Board of Audit and Inspection of Korea AIRI)
  • Received: 2018.04.23
  • Accepted: 2018.05.21
  • Published: 2018.06.30

Abstract

In this paper, we identify the code vulnerabilities that can be automatically detected by the Visual Studio (VS) compiler and code analyzer, based on a secure coding rule set optimized for the development of battlefield information systems. We then describe how weaknesses can be dealt with at the implementation stage through a secure coding library, without depending on each individual programmer's understanding of, or ability in, secure coding. Using the VS compiler and the code analyzer alone, developers can detect only about 38% of security weaknesses. With the help of the proposed secure coding library, about 48% of security weaknesses can be detected and prevented through proactive diagnosis in the development stage.

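Based on a secure coding rule set optimized for the development of battlefield information systems, this paper identifies the security weaknesses in code that can be detected automatically by the Visual Studio compiler and code analyzer. For the weakness items that are difficult to detect automatically with tools, it describes how implementing a secure coding library makes it possible to address them at the implementation stage without depending on each individual programmer's understanding of, or ability in, secure coding. Measured against the secure coding rule set, developers using the VS compiler and code analyzer are limited to detecting about 38% of security weaknesses. When the proposed secure coding library is used together with the existing development tools, the figure rises to 48%, a 10% improvement in the advance diagnosis of security weaknesses, and the corresponding vulnerabilities can be detected and prevented at the development stage.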
