• Title/Summary/Keyword: Codes Vulnerability

Design Model for Extensible Architecture of Smart Contract Vulnerability Detection Tool

  • Choi, Yun-seok;Lee, Wan Yeon
    • International Journal of Internet, Broadcasting and Communication / v.12 no.3 / pp.189-195 / 2020
  • Smart contract, one of the applications of blockchain, is expected to be used in various industries. However, there are risks of damages caused by attacks on vulnerabilities in smart contract codes. Tool support is essential to detect vulnerabilities, and as new vulnerabilities emerge and smart contract implementation languages increase, the tools must have extensibility for them. We propose a design model for extensible architecture of smart contract vulnerability detection tools that detect vulnerabilities in smart contract source codes. The proposed model is composed of design pattern-based structures that provide extensibility to easily support extension of detecting modules for new vulnerabilities and other implementation languages of smart contract. In the model, detecting modules are composed of independent modules, so modifying or adding a module does not affect other modules and the system structure.

Seismic vulnerability assessment of RC buildings according to the 2007 and 2018 Turkish seismic codes

  • Yon, Burak
    • Earthquakes and Structures / v.18 no.6 / pp.709-718 / 2020
  • Fragility curves are useful tools to estimate the damage probability of buildings owing to seismic actions. The purpose of this study is to investigate seismic vulnerability of reinforced concrete (RC) buildings, according to the 2007 and 2018 Turkish Seismic Codes, using fragility curves. For the numerical analyses, typical five- and seven-storey RC buildings were selected and incremental dynamic analyses (IDA) were performed. To complete the IDAs, eleven earthquake acceleration records multiplied by various scaling factors from 0.2g to 0.8g were used. To predict nonlinearity, a distributed hinge model that involves material and geometric nonlinearity of the structural members was used. Damages to confined concrete and reinforcement bar of structural members were obtained by considering the unit deformation demands of the 2007 Turkish Seismic Code (TSC-2007) and the 2018 Turkey Building Earthquake Code (TBEC-2018). Vulnerability evaluation of these buildings was performed using fragility curves based on the results of incremental dynamic analyses. Fragility curves were generated in terms of damage levels occurring in confined concrete and reinforcement bar of structural members with a lognormal distribution assumption. The fragility curves show that the probability of damage occurring is more according to TBEC-2018 than according to TSC-2007 for selected buildings.

Response Technique for the Vulnerability of Broadcast Intent Security in Android (안드로이드 브로드캐스트 인텐트의 보안 취약성 대응기법)

  • Lim, Jae-Wan;Ryu, Hwang-Bin;Yoon, Chang-Pyo
    • Convergence Security Journal / v.12 no.6 / pp.61-67 / 2012
  • Accordingly the number of smart-phone-based malicious codes is also increasing and their techniques for malicious purposes are getting more clever and evolved. Among them, the malicious codes related to Android take the major portion and it can be estimated that they are based on open source so that the access to the system is easy. Intent is a technique to support the communication between application's components by transmitting message subjects in Android. Intent provides convenience to developers, but it can be utilized as a security vulnerability that allows the developer with a malicious purpose to control the system as intended. The vulnerability of intent security is that personal information can be accessed using discretionally its proper function given to application and smart phone's functions can be maliciously controlled. This paper improves with the Intent security vulnerability caused by the smart phone users' discretional use of custom kernel. Lastly, it verifies the malicious behaviors in the process of installing an application and suggests a technique to watch the Intent security vulnerability in real time after its installation.

A Study on the Mobile Application Security Threats and Vulnerability Analysis Cases

  • Kim, Hee Wan
    • International Journal of Internet, Broadcasting and Communication / v.12 no.4 / pp.180-187 / 2020
  • Security threats are increasing with interest due to the mass spread of smart devices, and vulnerabilities in developed applications are being exposed while mobile malicious codes are spreading. The government and companies provide various applications for the public, and for reliability and security of applications, security checks are required during application development. In this paper, among the security threats that can occur in the mobile service environment, we set up the vulnerability analysis items to respond to security threats when developing Android-based applications. Based on the set analysis items, vulnerability analysis was performed by examining three applications of public institutions and private companies currently operating as mobile applications. As a result of application security checks used by three public institutions and companies, authority management and open module stability management were well managed. However, it was confirmed that many security vulnerabilities were found in input value verification, outside transmit data management, and data management. It is believed that it will contribute to improving the safety of mobile applications through the case of vulnerability analysis for Android application security.

Security Verification of Korean Open Crypto Source Codes with Differential Fuzzing Analysis Method (차분 퍼징을 이용한 국내 공개 암호소스코드 안전성 검증)

  • Yoon, Hyung Joon;Seo, Seog Chung
    • Journal of the Korea Institute of Information Security & Cryptology / v.30 no.6 / pp.1225-1236 / 2020
  • Fuzzing is an automated software testing methodology that dynamically tests the security of software by inputting randomly generated input values outside of the expected range. KISA is releasing open source for standard cryptographic algorithms, and many crypto module developers are developing crypto modules using this source code. If there is a vulnerability in the open source code, the cryptographic library referring to it has a potential vulnerability, which may lead to a security accident that causes enormous losses in the future. Therefore, in this study, an appropriate security policy was established to verify the safety of block cipher source codes such as SEED, HIGHT, and ARIA, and the safety was verified using differential fuzzing. Finally, a total of 45 vulnerabilities were found in the memory bug items and error handling items, and a vulnerability improvement plan to solve them is proposed.

Analysis on a New Intrinsic Vulnerability to Keyboard Security (PS/2 키보드에서의 RESEND 명령을 이용한 패스워드 유출 취약점 분석)

  • Lee, Kyung-Roul;Yim, Kang-Bin
    • Journal of the Korea Institute of Information Security & Cryptology / v.21 no.3 / pp.177-182 / 2011
  • This paper introduces a possibility for attackers to acquire the keyboard scan codes by using the RESEND command provided by the keyboard hardware itself, based on the PS/2 interface that is a dominant interface for input devices. Accordingly, a keyboard sniffing program using the introduced vulnerability is implemented to prove the severeness of the vulnerability, which shows that user passwords can be easily exposed. As one of the intrinsic vulnerabilities found on the existing platforms, for which there was little consideration of the security problems when they were designed, it is required to consider a hardware approach to countermeasure the introduced vulnerability.

Implementation of a Static Analyzer for Detecting the PHP File Inclusion Vulnerabilities (PHP 파일 삽입 취약성 검사를 위한 정적 분석기의 구현)

  • Ahn, Joon-Seon;Lim, Seong-Chae
    • The KIPS Transactions:PartA / v.18A no.5 / pp.193-204 / 2011
  • Since web applications are accessed by anonymous users via web, more security risks are imposed on those applications. In particular, because security vulnerabilities caused by insecure source codes cannot be properly handled by the system-level security system such as the intrusion detection system, it is necessary to eliminate such problems in advance. In this paper, to enhance the security of web applications, we develop a static analyzer for detecting the well-known PHP file inclusion vulnerability. Using a semantic based static analysis, our vulnerability analyzer guarantees the soundness of the vulnerability detection and imposes no runtime overhead, unlike the other approaches such as the penetration test method and the application firewall method. To this end, our analyzer adopts the abstract interpretation framework and uses an abstract analysis domain designed for the detection of the target vulnerability in PHP programs. Thus, our analyzer can efficiently analyze complicated data-flow relations in PHP programs caused by extensive usage of string data. The analysis results can be browsed using a Java GUI tool and the memory states and variable values at vulnerable program points can also be checked. To show the correctness and practicability of our analyzer, we analyzed the source codes of open PHP applications using the analyzer. Our experimental results show that our analyzer has practical performance in analysis capability and execution time.

Influence of some relevant parameters in the seismic vulnerability of RC bridges

  • Olmos, B.A.;Jara, J.M.;Jara, M.
    • Earthquakes and Structures / v.3 no.3_4 / pp.365-381 / 2012
  • Recent earthquakes have damaged some bridges located on the Pacific Coast of Mexico; these bridges have been retrofitted or rebuilt. Based on the fact that the Pacific Coast is a highly active seismic zone where most of the strong earthquakes in the country occur, one fertile and important area of research is the study of the vulnerability of both new and existent bridges located in this area that can be subjected to strong earthquakes. This work is focused on estimating the contribution of some parameters identified to have major influence on the seismic vulnerability of reinforced concrete bridges. Ten models of typical reinforced concrete (RC) bridges, and two existing bridges located close to the Pacific Coast of Mexico are considered. The group of structures selected for the study is based on two span bridges, two pier heights and two substructure types. The bridges were designed according to recent codes in Mexico. For the vulnerability study, the capacity of the structure was evaluated based on the FEMA recommendations. On the other hand, the demand was evaluated using a group of more than one hundred accelerograms recorded close to the subduction zone of Mexico. The results show that the two existent bridges analyzed show similar trends of behavior of the group of bridge models studied. In spite of the contribution that traditional variables (height and substructure type) had to the bridge seismic response, the bridge length was also found to be one of the parameters that most contributed to the seismic vulnerability of these RC medium-length bridges.

Seismic vulnerability assessment of buildings based on damage data after a near field earthquake (7 September 1999 Athens - Greece)

  • Eleftheriadou, Anastasia K.;Karabinis, Athanasios I.
    • Earthquakes and Structures / v.3 no.2 / pp.117-140 / 2012
  • The proposed research includes a comprehensive study on the seismic vulnerability assessment of typical building types, representative of the structural materials, the seismic codes and the construction techniques of Southern Europe. A damage database is created after the elaboration of the results of the observational data obtained from post-earthquake surveys carried out in the area struck by the September 7, 1999 Athens earthquake, a near field seismic event in an extended urban region. The observational database comprises 180.945 buildings which developed damage of varying degree, type and extent. The dataset is elaborated in order to gather useful information about the structural parameters' influence on the seismic vulnerability and their correlation to the type and degree of building damages in near field earthquakes. The damage calibration of the observational data was based on label - damage provided by Earthquake Planning and Protection Organization (EPPO) in Greece and referred to the qualitative characterization for the recording of damage in post-earthquake surveys. Important conclusions are drawn on the parameters that influence the seismic response based on the wide homogeneous database which adds to the reliability of the collected information and reduces the scatter on the produced results.

Countermeasures to the Vulnerability of the Keyboard Hardware (키보드컨트롤러의 하드웨어 취약점에 대한 대응 방안)

  • Jeong, Tae-Young;Yim, Kang-Bin
    • Journal of the Korea Institute of Information Security & Cryptology / v.18 no.4 / pp.187-194 / 2008
  • This paper proposes an effective countermeasure to an intrinsic hardware vulnerability of the keyboard controller that causes a sniffing problem on the password authentication system based on the keyboard input string. Through the vulnerability, some possible attacker is able to snoop the whole password string input from the keyboard even when any of the existing keyboard protection software is running. However, it will be impossible for attackers to gather the exact password strings if the proposed policy is applied to the authentication system though they can sniff the keyboard hardware protocol. It is expected that people can use secure Internet commerce after implementing and applying the proposed policy to the real environment.