• Proceedings of the Korea Information Processing Society Conference
• /
• 2022.05a
• /
• pp.198-201
• /
• 2022

본 논문에서는 소프트웨어에 내장된 취약점의 패턴을 인식하여 찾아내는 딥러닝 기반 취약점 탐색 기술에 대해 소개한다. 특정 소프트웨어의 소스 코드 혹은 바이너리 코드를 분석하여 취약점을 찾아내는 여러 기법들을 살펴본 다음, 딥러닝 기반 바이너리 취약점 탐색 기술의 향후 연구 방향을 조망하고자 한다.

• Journal of Software Assessment and Valuation
• /
• v.8 no.2
• /
• pp.45-51
• /
• 2012

This paper is to identify and assess vulnerabilities of services considering the nature of service layers for analyzing vulnerability of SOA security. It is a model driven approach which provides the way to present security requirements of the business model and identify the vulnerabilities of the services to extract the secure service model. We validate the proposed method with the analytic evaluation because the predictive nature of our methodology poses some specific challenges for its validation.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.34 no.4
• /
• pp.667-680
• /
• 2024

If the software is not updated after the vulnerability is disclosed, it can continue to be attacked. As a result, the importance of N-day detection is increasing as attacks that exploit vulnerabilities increase. However, there is a problem that it is difficult to find specific version information in the published vulnerability database, or that the wrong version or software is outputted. There is also a limitation in that the connection between the published vulnerability databases is not good. In order to overcome these limitations, this paper proposes a method of building information including comprehensive vulnerability information such as CVE, CPE, and Exploit Database into an integrated database. Furthermore, by developing a website for searching for vulnerabilities based on an integrated database built as a result of this study, it is effective in detecting and utilizing vulnerabilities in specific software versions and Windows operating systems.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2016.10a
• /
• pp.313-314
• /
• 2016

최근 컴퓨터, 휴대폰 등 전자기기만 인터넷 연결이 가능하던 시대를 지나 냉장고, 에어컨, 현관문 등 모든 종류의 사물들 간 사람의 개입이 필요 없는 초연결사회로 발전하고 있다. 이러한 모든 사물들 간 인터넷기반으로 상호 연결되어있는 IoT(Internet of Things)환경이 급격히 성장 하고 있는 가운데 더불어 OSIoT(Open Source IoT)의 수요도 함께 급성장하고 있다. OSIoT의 소프트웨어는 보안에 대한 전문적인 개발자의 체계적인 설계에 의해 개발되어야만 하트블리드(HeartBleed), 쉘쇼크(ShellShock)와 같은 다양한 보안취약점에 안전하다. 하지만 OSIoT소프트웨어는 누구나 쉽게 접근 설계가 가능하기 때문에 일반적으로 배포되고 있는 OSIoT의 소프트웨어 검증이 필요하다. 따라서 본 논문에서는 다른 소프트웨어 점검 도구들과 연계 가능한 정적분석 도구인 취약점 별 익스플로잇 적용 모듈 설계를 제안한다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2009.11a
• /
• pp.855-856
• /
• 2009

소프트웨어의 크기가 대형화되고 복잡화됨에 따라 소프트웨어의 기능성 오류 및 취약점을 개발 후 테스팅에 의해 찾는 비용이 매우 커지고 있다. 또한 테스트에 의한 방법을 통해 내재된 모든 오류나 취약점을 찾는 것은 거의 불가능하다고 인식되고 있다. 이러한 이유로 소프트웨어 개발에서 오류 및 취약성을 제거하고자 하는 노력이 증대되고 있다. 본 논문에서는 오류를 줄이고자 하는 기법중 하나인 Design by Contract와 취약성을 줄이고자 하는 시큐어 코딩을 소개하고, 이 두 가지 기법을 접목하여 오류가 없는 안전한 소프트웨어를 개발하는 방법을 소개한다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.2
• /
• pp.327-333
• /
• 2014

The rapid expansion of the software industry has brought a serious security threat and vulnerability. Many softwares are constantly attacked by exploit codes using security vulnerabilities. Smart fuzzing is automated method to find software vulnerabilities. However, Many resources are consumed in fuzzing, because the fuzzing needs to create data model for target software and to analyze a data file and software binary. Therefore, The automated method for efficient smart fuzzing is needed to develop the automated data model. In this paper, through analysing the input file format and optimizing the data structure, we propose an efficient data modeling framework for smart fuzzing and implement the framework for detect software vulnerabilities.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.5
• /
• pp.973-983
• /
• 2019

The importance of information security has been increasingly emphasized at the national, organizational, and individual levels due to the widespread adoption of software applications. High-safety software, which includes embedded software, should run without errors, similar to software used in the airline and nuclear energy sectors. Software development techniques in the above sectors are now being used to improve software security in other fields. Secure coding, in particular, is a concept encompassing defensive programming and is capable of improving software security. In this paper, we propose a software security vulnerability detection method using an improved coding standard searching technique. Public static analysis tools were used to assess software security and to classify the commands that induce vulnerability. Software security can be enhanced by detecting Application Programming Interfaces (APIs) and patterns that can induce vulnerability.

• Proceedings of the Korean Information Science Society Conference
• /
• 2006.06b
• /
• pp.391-393
• /
• 2006

버퍼 오버런과 같은 소프트웨어의 보안 취약점이 알려진 이후로 이를 해결하기 위한 분석 도구 개발이 다양한 연구그룹에 의해 수행되었다. 하지만 범용 소프트웨어를 분석할 수 있는 실용적인 도구는 않지 않다. 본 논문은 모든 버그를 빠트림 없이 찾는 정적 분석에서 한발 물러나 조금 부정확하지만 빠른 시간안에 보안 취약점을 검출할 수 있는 방법을 소개하고, 버그가 알려진 소프트웨어에 대한 실험 결과를 통해 제안하는 검출기의 실용성을 보인다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.3
• /
• pp.635-642
• /
• 2018

In the Era of the Fourth Industrial Revolution, we live in huge amounts of software. However, as software increases, software vulnerabilities are also increasing. Therefore, it is important to detect and remove software vulnerabilities. Currently, many researches have been studied to predict and detect software security problems, but it takes a long time to detect and does not have high prediction accuracy. Therefore, in this paper, we describe a method for efficiently predicting software vulnerabilities using machine learning algorithms. In addition, various machine learning algorithms are compared through experiments. Experimental results show that the k-nearest neighbors prediction model has the highest prediction rate.

• Journal of Digital Convergence
• /
• v.15 no.3
• /
• pp.175-180
• /
• 2017

In accordance with the development of IT industry worldwide, software industry has also grown tremendously, and it is exerting influence on the general society starting from daily life to financial organizations and public institutions. However, various security threats that can inflict serious threat to provided services in proportion to the growing software industry, have also greatly increased. In this thesis, we suggest a smart fuzzing system combined with black box and white box testing that can effectively detectxdistinguish software vulnerability which take up a large portion of the security incidents in application programs.