A Study on eGovFrame Security Analysis and Countermeasures

  • Park, Jung-Oh (Division of Paideia, Sungkyul University)
  • Received : 2022.12.15
  • Accepted : 2023.03.20
  • Published : 2023.03.28

Abstract

The e-Government Standard Framework (eGovFrame) provides the common technical base for web development at domestic government and public institutions: reuse of common components, integration of standard modules, and resolution of dependencies. A uniform development environment, however, also carries risks: sites can remain on an old version tied to a particular core release, and personal or confidential information can leak through hacking or malware. This study directly analyzes security vulnerabilities in Korean websites that run eGovFrame. From an analysis and classification of weaknesses at the source-code level of the underlying programming language, five items linked to representative security vulnerabilities were extracted. As countermeasures, security settings and functions applied in two stages (a first and a second step) and an accompanying security policy are described. The study aims to improve the security functions of the e-Government framework and to contribute to wider adoption of the service.
