• 제목/요약/키워드: Smart fuzzing

Search Result 8, Processing Time 0.026 seconds

File Analysis Data Auto-Creation Model For Peach Fuzzing (Peach 퍼징을 위한 파일 분석 데이터 자동 생성 모델)

  • Kim, Minho;Park, Seongbin;Yoon, Jino;Kim, Minsoo;Noh, Bong-Nam
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.24 no.2
    • /
    • pp.327-333
    • /
    • 2014
  • The rapid expansion of the software industry has brought a serious security threat and vulnerability. Many softwares are constantly attacked by exploit codes using security vulnerabilities. Smart fuzzing is automated method to find software vulnerabilities. However, Many resources are consumed in fuzzing, because the fuzzing needs to create data model for target software and to analyze a data file and software binary. Therefore, The automated method for efficient smart fuzzing is needed to develop the automated data model. In this paper, through analysing the input file format and optimizing the data structure, we propose an efficient data modeling framework for smart fuzzing and implement the framework for detect software vulnerabilities.

An Efficient Web Browser Fuzzing Strategy through Comparative Analysis of Fuzzers (퍼징 도구들의 비교 분석을 통한 효율적인 웹 브라우저 퍼징 전략)

  • Park, Yeong-Ung;Lee, Jun-Hyuk;Cho, Seong-Je
    • Proceedings of the Korean Information Science Society Conference
    • /
    • 2011.06a
    • /
    • pp.328-331
    • /
    • 2011
  • 최근 소프트웨어 결함이나 보안 취약점을 분석하고 발견하기 위해 퍼징(fuzzing)에 대한 연구가 활발하다. 퍼징은 무작위 입력 데이터를 대상 프로그램에 주입하여 그 결과를 관찰하면서 결함을 탐지하는 테스팅 방법이다. 본 논문에서는 웹 브라우저를 대상으로 기존의 '변이 기반의 덤 퍼징'(Mutation based Dumb Fuzzing) 방식과 '생성 기반의 지능적 퍼징'(Generation based Smart Fuzzing) 방식을 비교 분석하였다. 그리고 실험을 통해 기존의 퍼징 도구들의 성능을 측정하고 이를 바탕으로 브라우저 퍼징에서' 변이 기반의 덤 퍼징' 이 웹 브라우저의 결함 및 취약점 탐지에 더 효율적이라는 것을 보인다. 그리고 웹 브라우저를 대상으로 '변이 기반의 덤 퍼징' 방식을 적용할 때, 코드 실행 커버리지를 고려한 다수의 입력 템플릿 확보와 다수의 템플릿들에 대한 구성 요소들을 랜덤하게 섞어서 변이를 하는 효과적인 브라우저 퍼징 전략을 제안한다.

A Design of Smart Fuzzing System Based on Hybrid Analysis (하이브리드 분석 기반의 스마트 퍼징 시스템 설계)

  • Kim, Mansik;Kang, Jungho;Jun, Moon-seog
    • Journal of Digital Convergence
    • /
    • v.15 no.3
    • /
    • pp.175-180
    • /
    • 2017
  • In accordance with the development of IT industry worldwide, software industry has also grown tremendously, and it is exerting influence on the general society starting from daily life to financial organizations and public institutions. However, various security threats that can inflict serious threat to provided services in proportion to the growing software industry, have also greatly increased. In this thesis, we suggest a smart fuzzing system combined with black box and white box testing that can effectively detectxdistinguish software vulnerability which take up a large portion of the security incidents in application programs.

Method of Fuzzing Document Application Based on Android Devices (안드로이드 기반 문서 어플리케이션의 퍼징 방법론 연구)

  • Jo, Je-Gyeong;Ryou, Jae-Cheol
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.25 no.1
    • /
    • pp.31-37
    • /
    • 2015
  • As the forms of cyberattacks become diverse, there has been reported another case of exploiting vulnerabilities revealed while processing either a document or multimedia file that was distributed for attacking purpose, which would replace the traditional method of distributing malwares directly. The attack is based upon the observation that the softwares such as document editer or multimedia player may reveal inherent vulnerabilities on some specific inputs. The fuzzing methods that provide invalid random inputs for test purpose could discover such exploits. This paper suggests a new fuzzing method on document applications that could work in mobile environments, in order to resolve the drawback that the existing methods run only in PC environments. Our methods could effectively discover the exploits of mobile applications, and thus could be utilized as a means of dealing with APT attacks in mobile environments.

A Study of File Format-Aware Fuzzing against Smartphone Media Server Daemons (스마트폰 미디어 서버 데몬에 대한 파일 포맷 인식 기반의 퍼징 연구)

  • Shin, MinSik;Yu, JungBeen;Kwon, Taekyoung
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.27 no.3
    • /
    • pp.541-548
    • /
    • 2017
  • The smartphone operates the media server daemon to handle audio service requests. Media server daemons, running with a high privilege in the background, caused many vulnerabilities to applications most frequently used in smart devices including smartphones. Fuzzing is a popularly used methodology to find software vulnerabilities. Unfortunately, fuzzing itself is not much effective in such format-strict environments as media services. In this paper, we propose a file format-aware fuzzing in order to efficiently detect vulnerabilities of media server daemon. We acquired a remote arbitrary code execution vulnerability on iOS/tvOS/MacOS/watchOS, and we verified the effectiveness by comparing our methodology with the fuzzers FileFuzz and ZZUF.

A Study on Smart Fuzzing System Based on Grey Box Test (그레이 박스 테스트를 활용한 스마트 퍼징 시스템 연구)

  • Kim, Mansik;Kim, Minjin;Yeom, Yun-Ho;Jun, Moon-Soeg
    • Annual Conference of KIPS
    • /
    • 2015.10a
    • /
    • pp.812-814
    • /
    • 2015
  • 유비쿼터스 시대가 ICT 산업의 발달과 함께 도래함에 따라 이용자들의 요구를 충족시켜 주는 다양한 서비스들이 소프트웨어 형태로 등장하고 있다. 이제는 단순 컴퓨터 뿐만이 아니라 모바일, 웨어러블 디바이스, 자동차, 로봇, 의료 산업 등 까지 소프웨어는 현대 사람들의 삶에 깊이 연계되어 있으며 아직도 그 영역은 팽창하고 있다. 이러한 소프트웨어의 풍부한 발달과 비례로 소프트웨어의 취약점을 공략하여 서비스에 치명적인 위협을 가해 이익을 얻으려는 단체도 증가하게 되었다. 본 논문에서는 소프트웨어를 출시하기 전에 취약점을 미리 탐지 식별 할 수 있는 그레이 박스를 활용한 스마트 퍼징 시스템을 제안한다.

Automatic Detection and Analysis of Desktop Bus'(D-Bus) Privilege Bypass in Tizen (타이젠 용 데스크톱 버스 (D-Bus) 권한 우회 취약점 분석 및 자동 탐지)

  • Kim, Dongsung;Choi, Hyoung-Kee
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.30 no.6
    • /
    • pp.1023-1030
    • /
    • 2020
  • Wearable devices, such as a smart watch and a wrist band, store owner's private information in the devices so that security in a high level is required. Applications developed by third parties in Tizen request for an access to designated services through the desktop bus (D-Bus). The D-Bus verifies application's privileges to grant the request for an access. We developed a fuzzing tool, so-called DAN (the D-bus ANalyzer), to detect errors in implementations for privilege verifications and access controls within Tizen's system services. The DAN has found a number of vulnerable services which granted accesses to unauthorized applications. We built a proof-of-concept application based on those findings to demonstrate a bypass in the privilege examination.

Vulnerability Analysis on the Mobile Core Network using OpenAirInterface (OpenAirInterface를 통한 모바일 코어네트워크 보안위협 분석)

  • Oh, In Su;Park, Jun Young;Jung, Eun Seon;Yim, Kang Bin
    • Smart Media Journal
    • /
    • v.9 no.3
    • /
    • pp.71-79
    • /
    • 2020
  • Mobile network is used by many users worldwide for diverse services, including phone-call, messaging and data transfer over the Internet. However, this network may experience massive damage if it is exposed to cyber-attacks or denial-of-service attacks via wireless communication interference. Because the mobile network is also used as an emergency network in cases of disaster, evaluation or verification for security and safety is necessary as an important nation-wide asset. However, it is not easy to analyze the mobile core network because it's built and serviced by private service providers, exclusively operated, and there is even no separate network for testing. Thus, in this paper, a virtual mobile network is built using OpenAirInterface, which is implemented based on 3GPP standards and provided as an open source software, and the structure and protocols of the core network are analyzed. In particular, the S1AP protocol messages captured on S1-MME, the interface between the base station eNodeB and the mobility manager MME, are analyzed to identify potential security threats by evaluating the effect of the messages sent from the user terminal UE to the mobile core network.