• Journal of the Korea Society of Computer and Information
• /
• v.20 no.8
• /
• pp.69-75
• /
• 2015

Nowadays, software plays various roles in applications in wide areas. However, the security problems caused by software vulnerabilities increase. So, it is necessary to improve software security and safety in software execution. In this paper, we propose an approach to improve the safety of software execution by managing information used in software through static data access analysis. The approach can detect the exposures of secure data in software execution by analyzing information property and flows through static data access analysis. In this paper, we implemented and experimented the proposed approach with a base language, and verify that the proposed approach can effectively detect the exposures of secure information. The proposed approach can be applied in several areas for improving software safety by analysing vulnerabilities from information flows in software execution.

• Journal of Multimedia Information System
• /
• v.9 no.3
• /
• pp.191-200
• /
• 2022

These days, businesses, in both online and offline, have started accepting cryptocurrencies as payment methods. Even in countries like El Salvador, cryptocurrencies are recognized as fiat currencies. Meanwhile, publicly known, but not patched software vulnerabilities are security threats to not only software users but also to our society in general. As the status of cryptocurrencies has gradually increased, the impact of security vulnerabilities related to cryptocurrencies on our society has increased as well. In this paper, we first analyze vulnerabilities from the two major cryptocurrency vendors of Bitcoin and Ethereum in a quantitative manner with the respect to the CVSS, to see how the vulnerabilities are roughly structured in those systems. Then we introduce a modified AML vulnerability discovery model for the vulnerability datasets from the two vendors, after showing the original AML dose not accurately represent the vulnerability discovery trends on the datasets. The analysis shows that the modified model performs better than the original AML model for the vulnerability datasets from the major cryptocurrencies.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.3
• /
• pp.557-564
• /
• 2019

As the number and type of software increases, those security vulnerabilities are also increasing. Various types of software may have multiple vulnerabilities and those vulnerabilities as they can cause irrecoverable significant damage must be detected and deleted quickly. Various studies have been carried out to detect the vulnerability of the current software, but it is slow, and prediction accuracy is low. Therefore, in this paper, we describe a method to efficiently predict software vulnerability by using neural network algorithm and compare prediction accuracy with conventional system using machine learning algorithm. As a result of the experiment, the prediction system proposed in this paper showed the highest prediction rate.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2014.11a
• /
• pp.464-465
• /
• 2014

Analysis of characteristics in software vulnerabilities can be used to assess security risks and to determine the resources needed to develop patches quickly to handle vulnerability discovered. Being a new research area, the quantitative aspects of software vulnerabilities and risk assessments have not been fully investigated. However, further detailed studies are required related to the security risk assessment, using rigorous analysis of actual data which can assist decision makers to maximize the returns on their security related efforts. In this paper, quantitative software vulnerability analysis has been presented for major Web browsers (Internet Explorer (IE), Firefox (FX), Chrome (CR) and Safari (SF)) with respect to the Common Vulnerability Scoring System (CVSS). The results show that, almost all the time, vulnerabilities are compromised from remote networks with no authentication required systems, and exploitation aftermath is getting worse.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.12 no.5
• /
• pp.237-242
• /
• 2012

Cyber attacks have rapidly increased by exploiting the underlying vulnerabilities in the target software. However, identifying and correcting these vulnerabilities are extremely difficult and time consuming tasks. To address these problems efficiently, we propose a systematic methodology for security vulnerability assessment process on binary code in the paper. Specifically, we first classified the existing vulnerabilities based on whether the target software run in a Web environment and features of the software. Based on the classification, we determined the list and scope of the vulnerabilities. As our future research direction, we need to further refine and validate our methodology.

• Journal of the Korea Society of Computer and Information
• /
• v.17 no.2
• /
• pp.127-137
• /
• 2012

Recently, as modern Internet uses mashups, Web 3.0, JavaScript/AJAX widely, the rate at which new vulnerabilities are being discovered is increasing rapidly. It can subsequently introduce big security threats. In order to efficiently mitigate these web application vulnerabilities and security threats, it is needed to rank vulnerabilities based on severity and consider the severe vulnerabilities during a specific phase of software development lifecycle (SDLC) for web applications. In this paper, we have first verified whether the risk rating methodology of OWASP Top 10 vulnerabilities is a reasonable one or not by analyzing the vulnerability data of web applications in the US National Vulnerability Database (NVD). Then, by inspecting the vulnerability information of web applications based on OWASP Top-10 2010 list and CWE (Common Weakness Enumeration) directory, we have mapped the web-related entries of CWE onto the entries of OWASP Top-10 2010 and prioritized them. We have also presented which phase of SDLC is associated with each vulnerability entry. Using this approach, we can prevent or mitigate web application vulnerabilities and security threats efficiently.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2016.10a
• /
• pp.347-350
• /
• 2016

Analysis of vulnerability of the software for risk. The weakness of the software material, the importance of strengthening security in accordance with financial damage occurred is emerging. There is a potential risk factor not only from the case, the manufacturing to use the software company that appropriate to use a software business and personal risk of loss to size.In this paper due to diagnose and vulnerabilities in software, diagnosis, the curriculum and to cultivate a diagnostic guide, and security vulnerabilities in software.Proposal system for increased.

• Journal of Multimedia Information System
• /
• v.4 no.2
• /
• pp.57-64
• /
• 2017

Numerous software vulnerabilities have been found in the popular operating systems. And recently, robust linear behaviors in software vulnerability discovery process have been noticeably observed among the many popular systems having multi-versions released. Software users need to estimate how much their software systems are risk enough so that they need to take an action before it is too late. Security vulnerabilities are discovered throughout the life of a software system by both the developers, and normal end-users. So far there have been several vulnerability discovery models are proposed to describe the vulnerability discovery pattern for determining readiness for patch release, optimal resource allocations or evaluating the risk of vulnerability exploitation. Here, we apply a linear vulnerability discovery model into Windows operating systems to see the linear discovery trends currently observed often. The applicability of the observation form the paper show that linear discovery model fits very well with aggregate version rather than each version.

• The KIPS Transactions:PartD
• /
• v.16D no.6
• /
• pp.921-926
• /
• 2009

Vulnerabilities in software can result in many social and economic problems once it has already been deployed and put to use. Thus, the vulnerabilities should be seriously taken into consideration from the beginning step of software development. A modeling and simulation method for software can be adopted as a testing tool for establishing vulnerability inspection strategies. For verification of usability of this strategy, in this paper, we modeled the behavior of a DNS system using Ptolemy and the simulation was performed. The result shows that a well-known vulnerability of DNS server could be effectively found, which confirms that the modeling and simulation can be used for vulnerability testing.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.2
• /
• pp.243-250
• /
• 2013

We have entered into an era of smart software system where the many kinds of embedded software, especially SCADA and Automotive software not only require high reliability and safety but also high-security. Removing software weakness during the software development lifecycle is very important because hackers exploit weaknesses which are source of software vulnerabilities when attacking a system. Therefore the coding rule as like core functions of MISRA-C should expand their coding focus on security. In this paper, we used CERT-C secure coding rules for nuclear-related software being developed to demonstrate high-safety software, and proposed how to remove software weakness during development.