The Journal of Korean Institute of Communications and Information Sciences (한국통신학회논문지)

The Korean Institute of Commucations and Information Sciences (한국통신학회)
권호 표지
DOI QR코드

DOI QR Code

Validation Test Codes Development of Static Analysis Tool for Secure Software

안전한 소프트웨어 개발을 위한 정적분석 도구 시험코드 개발

  • 방지호 (홍익대학교 컴퓨터공학과 실시간시스템 연구실) ;
  • 하란 (홍익대학교 컴퓨터공학과 실시간시스템 연구실)
  • Received : 2013.03.04
  • Accepted : 2013.05.09
  • Published : 2013.05.31
Download PDF
⟨ Previous Next ⟩

Abstract

Recently, for secure software development, static analysis tools have been used mostly to analyze the source code of the software and identify software weaknesses caused of vulnerabilities. In order to select the optimal static analysis tool, both weaknesses rules and analysis capabilities of the tool are important factors. Therefore, in this paper we propose the test codes developed for evaluating the rules and analysis capabilities of the tools. The test codes to involve 43 weaknesses such as SQL injection etc. can be used to evaluate the adequacy of the rules and analysis capabilities of the tools.

최근 안전한 소프트웨어 개발을 위해 소프트웨어의 소스코드를 분석하여 보안취약점의 원인이 되는 소프트웨어 보안약점을 식별해 주는 정적분석 도구가 많이 활용되고 있다. 최적의 정적분석 도구를 선택하기 위해서는 도구가 보유한 보안약점 규칙 및 분석기능이 중요한 요소가 된다. 따라서, 본 논문은 정적분석 도구가 보유한 규칙 및 분석 성능을 평가하기 위해 개발한 시험코드를 제시하고자 한다. 시험코드는 SQL 삽입 등 43개 보안약점이 존재하는 소스코드로 정적분석 도구가 보유한 보안약점 규칙과 이를 기반으로 한 도구의 분석기능의 적절성을 평가하기 위해 사용될 수 있다.

Keywords

References

  1. P. Li and B. Cui, "A comparative study on software vulnerability static analysis techniques and tools," in Proc. IEEE Int. Conf. Inform. Theory Inform. Security (ICITIS) 2010, pp. 521-524, Beijing, China, Dec. 2010.
  2. R. K. McLean, "Comparing static security analysis tools using open source software," in Proc. 6th IEEE Int. Conf. SW Security Reliability Companion (SERE-C), pp. 68-74, Gaithersburg, U.S.A., June 2012.
  3. NIST, "Report on the Static Analysis Tool Exposition(SATE) IV," NIST Special Publication 500-297, Jan. 2013.
  4. T. Hofer, "Evaluation static source code analysis tools," M.S. Thesis, School Compt. Commun. Sci., Ecole Polytechnique Federale de Lausanne, Mar. 2010.
  5. M. Johns and M. Jodeit, "Scanstud: a methodology for systematic, fine-grained evaluation of static analysis tools," in Proc. IEEE 4th ICSTW, pp. 523-530, Berlin, Germany, Mar. 2011.
  6. NIST and NSA CAS, Juliet Test Suite for Java and C/C++, Retrieved Sep., 2012, from http://samate.nist.gov/SRD/testsuite.php.
  7. MITRE, Common Vulnerabilities and Exposures, Retrieved June, 20, 2012, from http://cve.mitre.org.
  8. MOPAS, "Guidelines on building and operating Information Systems," MOPAS Notification No.2012-25, June 2012.
  9. T. Boland and P. E. Black, "Juliet 1.1 C/C++ and JAVA test suite," IEEE Computer Soc., pp.88-90, Oct. 2012.
  10. MITRE, Comon Weakness Enumeration V2.4, Retrieved Feb., 21, 2013, from http://cwe.mitre.org.
  11. J. Bang, R. Ha, J. Park, and P. Kang, "Minimum standard of weakness in development of reliable e-GOV software," in Proc. KICS Int. Conf. Commun. 2012 (KICS ICC 2012), vol. 48, pp.127-128, Jeju Island, Korea, June 2012.
  12. J. Bang and R. Ha, "Evaluation Methodology of Diagnostic Tool for Security Weakness of e-GOV Software," J. KICS, vol. 38C, no. 04, pp. 335-343, Apr. 2013. https://doi.org/10.7840/kics.2013.38C.4.335