• Title/Summary/Keyword: Information security program

Search Result 681, Processing Time 0.03 seconds

Vulnerability Analysis on the CNG Crypto Library (CNG 암호 라이브러리의 보안 취약점 분석)

  • Lee, Kyungroul;Oh, Insu;Lee, Sun-Young;Yim, Kangbin
    • The Journal of Korean Institute of Communications and Information Sciences
    • /
    • v.42 no.4
    • /
    • pp.838-847
    • /
    • 2017
  • CNG which was released as a substitute of the previous CAPI (Cryptography API) library from Microsoft is constructed with individual modules based on the plug-in architecture, this means CNG is exceedingly helpful in the cost of development as well as the facility of extension. On the opposite side of these advantages, considerations on security issues are quite insufficient. Therefore, a research on security assurance is strongly required in the environment of distributing and utilizing the CNG library, hence, we analyze possible security vulnerabilities on the CNG library. Based on analyzed vulnerabilities, proof-of-concept tools are implemented and vulnerabilities are verified using them. Verified results are that contents of mail, account information of mail server, and authentication information of web-sites such as Amazon, E-bay, Google, and Facebook are exposed in Outlook program and Internet Explorer program using CNG library. We consider that the analyzed result in this paper can improve the security for various applications using CNG library.

The Empirical Study on the Misuse Intention Using Information System : Focus on Healthcare Service Sector (정보시스템 오남용 의도에 관한 실증적 연구 : 의료기관을 대상으로)

  • Kim, Eun Ji;Lee, Joon Taik
    • Convergence Security Journal
    • /
    • v.16 no.5
    • /
    • pp.23-31
    • /
    • 2016
  • Despite the number of security incidents in healthcare sector is considerable, earlier studies have been done in business sector. We have tried to empirically analyze the misuse intention using information system for healthcare sector. As a result, the preventative security software of the information security management have positive impact on the effectiveness of sanctions. Though further analysis is needed, the security policies, security awareness program and monitoring practices are determined to have a valid impact on the effectiveness of sanctions equivalent to the preventative security software.

IoT Industry & Security Technology Trends

  • Park, Se-Hwan;Park, Jong-Kyu
    • International journal of advanced smart convergence
    • /
    • v.5 no.3
    • /
    • pp.27-31
    • /
    • 2016
  • High-tech industries in a state well enough to troubleshoot hacking information introduction a big barrier to delay the growth of the market related to IoT(Internet of Things) as is likely to be on the rise. This early on, security issues introduced in the solution, a comprehensive solution, including the institutional laws/precautions needed. Recent examples of frequent security threats while IoT is the biggest issue of introducing state-of-the-art industry information due to the vulnerable security hacking. This high-tech industries in order to bridge the information responsible for the target attribute, target range, and the protection of security and how to protect the subject, IoT environment (domestic industrial environment) considering the approach is needed. IoTs with health care and a wide variety of services, such as wearable devices emerge. This ensures that RFID/USN-based P2P/P2M/M2M connection is the implementation of the community. In this study, the issue on the high-tech industrial information and the vulnerable security issues of IoT are described.

Ensuring Securityllable Real-Time Systems by Static Program Analysis (원격 실시간 제어 시스템을 위한 정적 프로그램 분석에 의한 보안 기법)

  • Lim Sung-Soo;Lee Kihwal
    • Journal of the Korea Society of Computer and Information
    • /
    • v.10 no.3 s.35
    • /
    • pp.75-88
    • /
    • 2005
  • This paper proposes a method to ensure security attacks caused by insertion of malicious codes in a real-time control system that can be accessed through networks. The proposed technique is for dynamically upgradable real-time software through networks and based on a static program analysis technique to detect the malicious uses of memory access statements. Validation results are shown using a remotely upgradable real-time control system equipped with a modified compiler where the proposed security technique is applied.

  • PDF

Security Analysis of ARM64 Hardware-Based Security (ARM64 아키텍처 기반 하드웨어 보안기술 분석 및 보안성 진단)

  • Myung-Kyu Sim;Hojoon Lee
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.33 no.3
    • /
    • pp.437-447
    • /
    • 2023
  • Memory protection has been researched for decades for program execution protection. ARM recently developed a newhardware security feature to protect memory that was applied to real hardware. However, there are not many hardware withhardware memory protection feature and research has not been actively conducted yet. We perform diagnostics on howandhow it works on real hardware, and on security, with a new hardware memory protection feature, named 'Pointer Authentication Code'. Through this research, it will be possible to find out the direction, use, and security of future hardware security technologies and apply to the program.

Static Analysis Based on Backward Control Flow Graph Generation Method Model for Program Analysis (프로그램 분석을 위한 정적분석 기반 역추적 제어흐름그래프 생성 방안 모델)

  • Park, Sunghyun;Kim, Yeonsu;Noh, Bongnam
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.29 no.5
    • /
    • pp.1039-1048
    • /
    • 2019
  • Symbolic execution, an automatic search method for vulnerability verification, has been technically improved over the last few years. However, it is still not practical to analyze the program using only the symbolic execution itself. One of the biggest reasons is that because of the path explosion problem that occurs during program analysis, there is not enough memory, and you can not find the solution of all paths in the program using symbolic execution. Thus, it is practical for the analyst to construct a path for symbolic execution to a target with vulnerability rather than solving all paths. In this paper, we propose a static analysis - based backward CFG(Control Flow Graph) generation technique that can be used in symbolic execution for program analysis. With the creation of a backward CFG, an analyst can select potential vulnerable points, and the backward path generated from that point can be used for future symbolic execution. We conducted experiments with Linux binaries(x86), and indeed showed that potential vulnerability selection and backward CFG path generation were possible in a variety of binary situations.

A Study of Priority for Policy Implement of Personal Information Security in Public Sector: Focused on Personal Information Security Index (공공분야 개인정보보호 정책 집행과제의 우선순위 분석: 개인정보보호 수준진단 지표의 선정 및 중요도를 중심으로)

  • Shin, Young-Jin;Jeong, Hyeong-Chul;Kang, Won-Young
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.22 no.2
    • /
    • pp.379-390
    • /
    • 2012
  • This study is to consider political implication of indicators to measure personal information security in public sector studied by Ministry of Public Adminstration and Security from 2008 to 2011. The study analyzed the priority of personal information security policy dividing into personal information security infrastructure, personal information management with life cycle, correspondence of information infringement by scholars, experts, and chargers. As the results, to progress personal information security policy is important to management of personal identification information on web site; specially institutional infrastructure as responsible organization, exclusive manpower, and security budget; personal information security infrastructure. As like the results, it would be reflected in the progress of personal information security policy and tried to provide systematic management program with improving safe information distribution and usefulness.

Automated Method for Detecting OOB Vulnerability of Heap Memory Using Dynamic Symbolic Execution (동적 기호 실행을 이용한 힙 메모리 OOB 취약점 자동 탐지 방법)

  • Kang, Sangyong;Park, Sunghyun;Noh, Bongnam
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.28 no.4
    • /
    • pp.919-928
    • /
    • 2018
  • Out-Of-Bounds (OOB) is one of the most powerful vulnerabilities in heap memory. The OOB vulnerability allows an attacker to exploit unauthorized access to confidential information by tricking the length of the array and reading or writing memory of that length. In this paper, we propose a method to automatically detect OOB vulnerabilities in heap memory using dynamic symbol execution and shadow memory table. First, a shadow memory table is constructed by hooking heap memory allocation and release function. Then, when a memory access occurs, it is judged whether OOB can occur by referencing the shadow memory, and a test case for causing a crash is automatically generated if there is a possibility of occurrence. Using the proposed method, if a weak block search is successful, it is possible to generate a test case that induces an OOB. In addition, unlike traditional dynamic symbol execution, exploitation of vulnerabilities is possible without setting clear target points.

Information Flow Control using Model-Checking of Abstract Interpretation (요약 해석의 모델 검사를 이용한 정보흐름 제어)

  • 조순희;신승철;도경구
    • Proceedings of the Korea Society for Industrial Systems Conference
    • /
    • 2002.06a
    • /
    • pp.166-169
    • /
    • 2002
  • In this paper, implements the abstract interpretation of the imperative language While in SMV model-checker and explain how to apply the logic of CTL which example the security of information flow. And show the way to translate the abstract program of While into SMV program and explain the derive process of CTL logic to test the security of the information flow. For the various security test, it is suitable to use the model-checking than to implements the abstract interpretation.

  • PDF

AES-CCM Hardware Architecture using a shared SBox for home security

  • Tumurbaatar, Selenge
    • 한국정보컨버전스학회:학술대회논문집
    • /
    • 2008.06a
    • /
    • pp.181-184
    • /
    • 2008
  • This work was supported by the MIC(Ministry of Information and Communication), Korea, under the ITRC(Information Technology Research Center) support program supervised by the IITA(Institute of Information Technology Assessment) and Yonsei University Institute of TMS Information Technology, a Brain Korea 21 program, Korea. CAD Tools were supported by IDEC.

  • PDF