• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.5
• /
• pp.881-893
• /
• 2020

CFI(Control Flow Integrity) is a mitigation mechanism that protects programs by verifying control flows. IFCC(Indirect Function Call Checks) and SCS(Shadow Call Stack), CFI supported by LLVM Clang compiler, were introduced to protect applications in Android. IFCC protects function calls and SCS protects function returns. In this paper, we propose attacks to bypass CFI on the application environment with IFCC and SCS. Even if IFCC and SCS were applied to user applications, it was confirmed that there were many code segments not protected by IFCC and SCS in the application memory. We execute code in CFI unprotected segments to construct 1) bypassing IFCC to call a protected function, 2) modulating return address via SCS bypass. We identify code segments not protected by IFCC and SCS in Android10 QP1A. 191005.007.A3. We also implement proof-of-concept exploits to demonstrate that modulation of control flow is possible in an environment where IFCC and SCS are applied.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.4
• /
• pp.941-950
• /
• 2015

Internet banking is widely used in our life with the development of the internet. At the same time, phishing attacks to internet banking have been increased by using malicious object to make unfair profit. People using internet banking service in Korea is required to install security modules such as anti-virus and keyboard protection. However phishing attack technique has been progressed and the advanced technique such as memory hacking defeats the security module of internet banking service. In this paper, we describe internet banking security modules provided by Korean internet banks and analyze how keyboard encryption module works. And we propose an attack to manipulate account transfer information using javascript. Although keyboard protection module provides two functions that protect leakage and manipulation of account transfer information submitted by users against the malicious program of hackers. Our proposed technique can manipulate the account transfer information and result html pages.

• Journal of the Korea Society of Computer and Information
• /
• v.13 no.1
• /
• pp.143-151
• /
• 2008

Execute IP traceback at this paper as target an intruder's attacking that Bypass Attack in order to avoid an exposure of own Real IP address Design IP traceback server and agent module, and install in Internet network system for Real IP traceback. Set up detection and chase range aggressive loop around connection arbitrariness, and attack in practice, and generate Real IP data cut off by fatal attacks after data and intrusion detection accessed general IP, and store to DB. Generate the Forensic data which Real IP confirms substance by Whois service, and ensured integrity and the reliability that buy to early legal proof data, and was devoted to of an invader Present the cyber criminal preventive effect that is dysfunction of Ubiquitous Information Society and an effective Real IP traceback system, and ensure a Forensic data generation basis regarding a judge's robe penalty through this paper study.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2015.04a
• /
• pp.418-420
• /
• 2015

인터넷이 발전하면서 사이버 공격이 증가하고 있으며, 사이버 공격에 사용되는 악성코드도 점차 지능화 되고 있다. 악성코드 탐지에는 정적분석을 통해 악성코드의 특정패턴을 비교하는 시그니처 기반 접근법이 널리 사용되고 있으며, 높은 탐지율과 빠른 탐지속도를 보인다. 그러나 알려지지 않은 신종 악성코드(0-day)와 실행압축, 난독화 둥에 의한 변종 악성코드를 분석하기에 한계가 있다. 더욱이 악성코드의 정적분석은 많은 노력과 시간이 소모되는 작업이며, 최근 악성코드들은 대부분 정적분석 우회기술이 적용되어 대량으로 유포되는 실정이다. 그러므로 악성코드를 직접 실행시켜 발생되는 이벤트들을 수집하여 의미를 분석하는 동적분석이 활발하게 연구되고 있다. 본 논문에서는 악성코드에 적용된 동적분석 우회기술에 관하여 기술하고 나아가 동적분석 우회기술이 적용된 악성코드를 탐지하기 위한 방법에 관한 기술동향을 소개한다.

• Convergence Security Journal
• /
• v.19 no.4
• /
• pp.77-85
• /
• 2019

As the Internet continues to evolve, cyber attacks are becoming more precise and covert. Anonymous communication, which is used to protect personal privacy, is also being used for cyber attacks. Not only it hides the attacker's IP address but also encrypts traffic, which allows users to bypass the information protection system that most organizations and institutions are using to defend cyber attacks. For this reason, anonymous communication can be used as a means of attacking malicious code or for downloading additional malware. Therefore, this study aims to suggest a method to detect and block encrypted anonymous communication as quickly as possible through artificial intelligence. Furthermore, it will be applied to the defense to detect malicious communication and contribute to preventing the leakage of important data and cyber attacks.

• Journal of the Korea Society of Computer and Information
• /
• v.10 no.1 s.33
• /
• pp.27-34
• /
• 2005

Current security reinforcement systems are Passive defense system that only blocks filter to all traffic from the attacker. So, Those are weak re-attack and Stepping Stones attack because active response about attacker is lacking. Also, present techniques of traceback need much time and manpower by log information collection and trace through the personal inspection and active response is lacking. In this paper, We propose technique for TCP connection traceback that can apply in present internet and trace to inserted marking on IP header to correspond re-attack and Stepping Stones attack. Therefore, Proposed technique is unnecessary correction of existing network component and can reduce size of marked information and overhead of resources.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.15 no.5
• /
• pp.3121-3131
• /
• 2014

Vulnerabilities related to memory have been known as major threats to the security of a computer system. Actually, the number of attacks using memory vulnerability has been increased. Accordingly, various memory protection mechanisms have been studied and implemented on operating system while new attack techniques bypassing the protection systems have been developed. Especially, buffer overflow attacks have been developed as Return-Oriented Programing(ROP) and Jump-Oriented Programming(JOP) called Code Re-used attack to bypass the memory protection mechanism. Thus, in this paper, I analyzed code re-use attack techniques emerged recently among attacks related to memory, as well as analyzed various detection mechanisms proposed previously. Based on the results of the analyses, a mechanism that could detect various code re-use attacks on a binary level was proposed. In addition, it was verified through experiments that the proposed mechanism could detect code re-use attacks effectively.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 2002.11a
• /
• pp.273-275
• /
• 2002

고도의 기술을 이용한 최근의 사이버 공격을 방어하기 위해서는 자신의 도메인만을 보호하는 현재의 수동적인 네트워크 보안 서비스보다는 액티브 네트워크 기반 하에 침입자의 위치를 역추적하고 침입자의 근원지에서 네트워크로의 접근을 차단하는 능동적인 대응이 필요하다. 본 논문에서는 TCP 기반의 우회 공격인 TCP 확장 연결 공격을 역추적하고 침입자를 네트워크로부터 고립시키는 메커니즘에 대해 기술한다.

• Proceedings of the Korea Multimedia Society Conference
• /
• 2003.11a
• /
• pp.128-131
• /
• 2003

최근 인터넷을 대상으로 한 네트워크 공격의 공격 경향은 분산 환경에서 다수 공격자의 대규모 분산 서비스 거부 공격(DoS)의 출현 및 해외 해커들의 국내 전산망을 우회 루트로 활용한 사례의 증가 등 고도화된 불법 행위가 점차 벙죄의 강력한 수단으로 이용되는 추세에 있다. 본 논문은 기존 네트워크 노드기반의 침입탐지시스템에서 효율성과 사용자 편의성을 보완하기 위하여 자기 복제가 가능한 이동 에이전트를 적용하여 호스트 간 자율적인 이동을 통해 관리자에게 네트워크 모니터링을 제공하고 침입을 탐지하는 침입탐지시스템을 제안하였다.

• Proceedings of the Korean Information Science Society Conference
• /
• 2003.04a
• /
• pp.425-427
• /
• 2003

IP 단편을 이용한 공격은 서비스 거부 공격 외에도 이를 이용하여 패킷 필터링 장비나 네트워크 기반의 침입탐지 시스템을 우회할 수 있어 그 심각성이 크다. 그러나 일부 네트워크 기반의 침입탐지 시스템은 IP 패킷단편 재조합 기능을 제공하지 않기 때문에 IP 단편의 취약점을 이용한 공격을 탐지하지 못한다. 본 논문에서는 IP 조각 패킷을 재조합 하지 않고도 단편과 관련된 헤더정보를 분석함으로써 공격을 실시간으로 탐지해 낼 수 있는 IP 단편 필터링 모듈을 설계하고 구현한다.