• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2010.05a
• /
• pp.730-733
• /
• 2010

Mobile handsets with all applicable Internet Protocol brought communication channels between the easy and rapid development. But this time that the security is part of the most vulnerable points. All IP-network currently being presented to analyze the current state of integration technology, and two kinds of terminal interworking between networks of different security systems are likely to occur in the course of the various security threats, vulnerabilities and expectations regarding possible measures to consider more stringent security technologies and performance analysis the present study.

• Review of KIISC
• /
• v.16 no.6
• /
• pp.42-47
• /
• 2006

디지털 홈을 구성하는 HDTV, 디지털 캠코더, Home theater, 인터넷 냉장고 등의 디지털 정보가전기기들의 보급이 활성화되면서 가정은 단순한 가정에서 탈피하여 하나의 네트워크를 구성하게 되었다. 홈 네트워크 구성하는 기술에는 다양한 응용기술들이 있으며, 새로운 선로의 설치가 없는 여러 신호들을 전송할 수 있는 유 무선 기술이 핵심으로 응용되고 있다. 또한 홈 네트워크를 구성하는 많은 기기들이 있다. 본 논문에서는 다양한 홈 네트워크의 구성기술과 홈 기기들이 취약점 및 인증, 그리고 홈 네트워크 구축에 필요한 보안 기술에 대해서 정리한다.

• Review of KIISC
• /
• v.34 no.1
• /
• pp.53-59
• /
• 2024

블록체인 기술의 발전과 중앙집중형 금융서비스의 취약성과 불신에 대한 우려가 커지면서 탈중앙화 금융(DeFi)과 탈중앙화 거래소(DEX)가 유망한 대안으로 떠올랐다. 본 논문에서는 특히 Uniswap에 초점을 맞춰 DeFi 내의 과제와 문제를 살펴본다. 우리는 DeFi 및 DEX의 현재 상태에 대한 배경 지식을 제공하여 MEV(Maximal Extractable Value) 공격에 대한 취약성을 강조한다. 우리의 접근 방식에는 MEV 공격 패턴을 식별하고 분석하기 위한 Uniswap에 구조 분석이 포함된다. 이 연구는 DEX 보안을 강화하고 MEV 위험을 완화하기 위한 귀중한 지침을 제공하여 DeFi 생태계의 이해관계자에게 필수적인 리소스 역할을 한다.

• Journal of the Korea Society of Computer and Information
• /
• v.25 no.9
• /
• pp.21-29
• /
• 2020

In this paper, we propose quantitative evaluation method that enable security comparison between Security Container Runtimes. security container runtime technologies have been developed to address security issues such as Container escape caused by containers sharing the host kernel. However, most literature provides only a analysis of the security of container technologies using rough metrics such as the number of available system calls, making it difficult to compare the secureness of container runtimes quantitatively. While the proposed model uses a new method of combining the degree of exposure of host system calls with various external vulnerability metrics. With the proposed technique, we measure and compare the security of runC (Docker default Runtime) and two representative Security Container Runtimes, gVisor, and Kata container.

• The Journal of Society for e-Business Studies
• /
• v.16 no.2
• /
• pp.129-142
• /
• 2011

Traditionally research in Service Oriented Architecture(SOA) security has focused primarily on exploiting standards and solutions separately. There exists no unified methodology for SOA security to manage risks at the enterprise level. It needs to analyze preliminarily security threats and to manage enterprise risks by identifying vulnerabilities of SOA. In this paper, we propose a metric-based vulnerability assessment method using dynamic properties of services in SOA. The method is to assess vulnerability at the architecture level as well as the service level by measuring run-time dependency between services. The run-time dependency between services is an important characteristic to understand which services are affected by a vulnerable service. All services which directly or indirectly depend on the vulnerable service are exposed to the risk. Thus run-time dependency is a good indicator of vulnerability of SOA.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 2006.06a
• /
• pp.477-480
• /
• 2006

IPv6는 IPv4의 주소 부족을 해결하기 위해 1998년 IETF에서 표준화된 프로토콜이다. 현재 IPv4가 수축으로 되어 있는 인터넷을 동시에 IPv6로 전환하는 것은 불가능하므로 IPv4/IPv6 혼재네트워크를 거쳐 IPv6 순수 망으로 전환될 것이다. 본 논문에서는 혼재네트워크에서 IPv4 망과 IPv6 망간의 통신을 가능하게 해주는 IPv6 전환 메커니즘 중 터널링 방식에 대해 기술하고, 보안 취약성을 테스트하기 위해 동일한 보안 취약성에 대해 각각 IPv4 패킷, IPv6 패킷, 터널링된 패킷을 캡쳐할 수 있는 구축방안을 제안한다. 제안된 방식은 IPv4, IPv6, 터널링 패킷에 대한 분석이 가능하므로 IPv6 지원을 계획하는 침입탐지, 침입차단 시스템에 활용이 가능하다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.34 no.4
• /
• pp.781-799
• /
• 2024

Recently, the US and EU have been institutionally introducing and promoting Coordinated Vulnerability Disclosure(CVD) to strengthen the response to security vulnerabilities in ICT products and services, based on collaboration with white-hat hackers. In response to these changes in cybersecurity, we propose a three-step approach to introduce CVD through the Information and Communications Network Act(ICNA). In the first step, to comprehend the necessity and requirements for legislating CVD, we survey the current situation in Korea and the trends of CVD in the US, EU, and OECD. In the second step, we analyze the necessity for legislating CVD and derive the requirements for its legislation. In this paper, we analyze the necessity for legislating CVD from three perspectives: the need for introducing CVD, the need for institutionalization based on law, and the suitability of the ICNA as the legislation. The derived requirements for CVD legislation include the establishment and publication of Vulnerability Disclosure Policy(VDP), legal protection for white-hat hackers, and designation and role assignments of coordinator. In the third step, we introduce approaches to apply the requirements for CVD legislation to the ICNA, which is the law governing prevention and response to cybersecurity incidents in private sector.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.20 no.6
• /
• pp.147-155
• /
• 2010

It has been widely addressed that static analysis techniques can play important role in identifying potential security vulnerability reside in source code. This paper proposes the design and application of security metrics that use both vulnerability information extracted from the static analysis, and significant factors of information that software handles. The security metrics are useful for both developers and evaluators in that the metrics help them identity source code vulnerability in early stage of development. By effectively utilizing the security metrics, evaluators can check the level of source code security, and confirm the final code depending on the characteristics of the source code and the security level of information required.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.31 no.2
• /
• pp.263-277
• /
• 2021

Taint analysis techniques are popularly used to detect web vulnerabilities originating from unverified user input data, such as Cross-Site Scripting (XSS) and SQL Injection, in web applications written in JavaScript. To detect such vulnerabilities, it would be necessary to trace variables affected by user-submitted inputs. However, because of the dynamic nature of JavaScript, it has been a challenging issue to identify those variables without running the web application code. Therefore, most existing taint analysis tools have been developed based on dynamic taint analysis, which requires the overhead of running the target application. In this paper, we propose a novel static taint analysis technique using symbol information obtained from the TypeScript (a superset of JavaScript) compiler to accurately track data flow and detect security vulnerabilities in TypeScript code. Our proposed technique allows developers to annotate variables that can contain unverified user input data, and uses the annotation information to trace variables and data affected by user input data. Since our proposed technique can seamlessly be incorporated into the TypeScript compiler, developers can find vulnerabilities during the development process, unlike existing analysis tools performed as a separate tool. To show the feasibility of the proposed method, we implemented a prototype and evaluated its performance with 8 web applications with known security vulnerabilities. We found that our prototype implementation could detect all known security vulnerabilities correctly.

• Journal of Digital Convergence
• /
• v.12 no.8
• /
• pp.289-294
• /
• 2014

Recently, the various web service and applications are provided to the user. As to these service, because of providing the service to the authenticated user, the user undergoes the inconvenience of performing the authentication with the service especially every time. The OAuth(Open Authorization) protocol which acquires the access privilege in which 3rd Party application is limited on the web service in order to resolve this inconvenience appeared. This OAuth protocol provides the service which is convenient and flexible to the user but has the security vulnerability about the authorization acquisition. Therefore, we propose the method that analyze the security vulnerability which it can be generated in the OAuth 2.0 protocol and secure user authority authentication method.