A Design of a Korean Programming Language Ensuring Run-Time Safety through Categorizing C Secure Coding Rules

A Design of a Korean Programming Language Ensuring Run-Time Safety through Classifying C Secure Coding Rules

  • 김연어 (Department of Electrical and Computer Engineering, Pusan National University)
  • 송지원 (Department of Electrical and Computer Engineering, Pusan National University)
  • 우균 (Department of Electrical and Computer Engineering, Pusan National University)
  • Received : 2014.12.12
  • Accepted : 2015.02.11
  • Published : 2015.04.15

Abstract

Since most information is computerized nowadays, it is extremely important to promote the security of computerized information. However, software itself can threaten the safety of that information through the many kinds of misuse made possible by coding mistakes. Even though Secure Coding Guides have been proposed to promote the safety of information by fundamentally blocking hacking methods, their techniques are still hard to apply to other programming languages because the proposed guides are written mainly for C and Java programmers. In this paper, we reclassify the coding rules of the Secure Coding Guide to extend their applicability to programming languages in general. The specific coding guide adopted in this paper is the C Secure Coding Guide announced by the Ministry of Government Administration and Home Affairs of Korea. According to this classification, we applied the rules to programming in Sprout, a newly proposed Korean programming language. The number of vulnerability rules that must be checked decreased in Sprout by 52% compared to C.

Since most information nowadays is handled in computerized form, raising the safety of computerized information is very important. However, because software itself becomes vulnerable through the many method misuses that arise from coding mistakes, the safety of information can be threatened. Secure coding guides have been proposed to raise the safety of information by fundamentally blocking hacking attacks, but because they were written mainly for C and Java programmers, they are difficult to apply to other programming languages. In this paper, we reclassify the rules of the secure coding guide so that they can be used for other programming languages as well. Specifically, we used the C Secure Coding Guide published by the Ministry of Government Administration and Home Affairs. We then applied the rules distinguished by this classification to Sprout (새싹), a newly proposed Korean programming language. As a result, the number of vulnerability rules that must be checked in Sprout was found to be 52% lower than in C.

Acknowledgement

Supported by: National Research Foundation of Korea (한국연구재단)

Cited by

  1. Development of Safe Korean Programming Language Using Static Analysis, Vol. 5, No. 4, 2016. https://doi.org/10.3745/KTCCS.2016.5.4.79