Design and Implementation of A Weakness Analyzer for Mobile Applications

  • Received : 2011.07.01
  • Accepted : 2011.09.07
  • Published : 2011.10.31

Abstract

The dissemination and use of mobile applications have been expanding rapidly, and in this situation the security of mobile applications has emerged as a new issue. Although the safety of general software such as desktop and enterprise software is achieved systematically from the development phase to the verification phase through secure coding, there have not yet been sufficient studies on the safety of mobile applications. This paper derives a weakness enumeration specialized for mobile applications and implements a tool that can automatically analyze the derived weaknesses. The weakness enumeration is derived from CWE (Common Weakness Enumeration) and CERT (Computer Emergency Response Team) material relating to the event-driven method generally used in developing mobile applications. The analysis tool uses dynamic tests to check whether the specified vulnerabilities are present in the source code of mobile applications. Moreover, the derived vulnerability list can be used as a guidebook for programmers developing mobile applications.

Recently, the distribution and use of mobile applications have been expanding rapidly, and in the process the security of mobile applications is emerging as a new problem. The safety of general software is achieved systematically from the development phase through verification by means of secure coding, but for mobile applications research is still insufficient. In this paper we derive weakness items specialized for mobile applications and, based on them, design and implement a weakness analyzer that can analyze those weaknesses. The weakness list was derived from CWE (Common Weakness Enumeration) and CERT (Computer Emergency Response Team), restricted to the event-driven approach that characterizes mobile applications, and the analysis tool checks through dynamic testing whether weaknesses exist in the application source. In addition, the derived weakness list can be used as a guideline for programmers who write mobile applications.

Cited by

  1. Assessing Web Browser Security Vulnerabilities with respect to CVSS vol.18, pp.2, 2015, https://doi.org/10.9717/kmms.2015.18.2.199
  2. Design of the Specific IP Access Deny for the Database vol.39C, pp.8, 2014, https://doi.org/10.7840/kics.2014.39C.8.716
  3. Quantitative Risk Assessment in Major Smartphone Operating Systems in Asian Countries vol.17, pp.12, 2014, https://doi.org/10.9717/kmms.2014.17.12.1494
  4. A Composite Attack Pattern Analysis Method Using a Coupling Measure vol.22, pp.5, 2012, https://doi.org/10.13089/jkiisc.2012.22.5.1169
  5. A Study on a Security Weakness Structuring Technique for Mobile Applications vol.15, pp.11, 2012, https://doi.org/10.9717/kmms.2012.15.11.1349
  6. A Study on Security Weaknesses and Secure Coding in the Development Phase Using the Android Dynamic Class Loading Technique vol.19, pp.10, 2011, https://doi.org/10.9717/kmms.2016.19.10.1792