Development of Safe Korean Programming Language Using Static Analysis

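  • Dohun Kang (Department of Electrical, Electronic and Computer Engineering, Pusan National University) ;
  • Yeoneo Kim (Department of Electrical, Electronic and Computer Engineering, Pusan National University) ;
  • Gyun Woo (Department of Electrical and Computer Engineering, Pusan National University; LG Smart Control Center)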
  • Received : 2016.02.18
  • Accepted : 2016.03.24
  • Published : 2016.04.30

Abstract

About 75% of software security incidents are caused by software vulnerabilities. In addition, repairing software after release costs more than 30 times as much as repairing it at the design stage. Against this background, secure coding has been proposed as one way to address this kind of maintenance problem. Various institutions have set out standard software weakness patterns. A new Korean programming language, Saesark, has been proposed to resolve security weaknesses at the language level. However, the previous study on Saesark could not resolve the security weaknesses caused by the API. This paper proposes a way to resolve the security weaknesses caused by the API: it adds to Saesark a static analyzer that inspects dangerous methods. The dangerous methods of the API are classified into two groups: methods through which tainted data flows in, and methods that use tainted data. The analyzer examines security weaknesses in four steps: searching for the dangerous methods, constructing a call graph, searching the call graph for a path between a method that lets tainted data in and a method that uses tainted data, and reporting the security weaknesses detected. To measure the effectiveness of this method, two experiments were performed on the new version of Saesark with the static analyzer. The first experiment compares it with the previous version of Saesark according to the Java Secure Coding Guide. The second experiment compares the improved Saesark with FindBugs, a Java program vulnerability analysis tool. According to the results, the improved Saesark is 15% safer than the previous version of Saesark, and its F-measure is 68%, an improvement of 9 percentage points over the 59% of FindBugs.
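The four analysis steps named in the abstract, sketched as an added example (this is not the paper's analyzer or Saesark code). The source and sink method lists, the sample program, and the choice to treat call edges as bidirectional are assumptions made for illustration.

```python
from collections import deque

# Assumed classification of dangerous Java API methods (not taken from the paper).
SOURCES = {"HttpServletRequest.getParameter"}
SINKS = {"Statement.executeQuery", "Runtime.exec"}

PROGRAM = {  # Constructed program: user method -> methods it calls
    "App.main": ["App.readUser", "App.lookup"],
    "App.readUser": ["HttpServletRequest.getParameter"],
    "App.lookup": ["Statement.executeQuery"],
    "Tool.run": ["Runtime.exec"],  # sink that no tainted input can reach
}

def find_dangerous(program, names):
    """Step 1: list (user method, API method) call sites for the given API set."""
    return [(m, c) for m, callees in program.items() for c in callees if c in names]

def build_call_graph(program):
    """Step 2: call graph over user methods; API calls are leaves and left out."""
    graph = {m: set() for m in program}
    for caller, callees in program.items():
        for callee in callees:
            if callee in program:
                # Assumption: undirected, as taint flows via arguments and return values.
                graph[caller].add(callee)
                graph[callee].add(caller)
    return graph

def find_path(graph, start, goal):
    """Step 3: breadth-first search for a shortest path between two methods."""
    seen, queue = {start}, deque([[start]])
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in sorted(graph[path[-1]] - seen):
            seen.add(nxt)
            queue.append(path + [nxt])
    return None

def analyze(program):
    """Step 4: report each source call site joined to a sink call site."""
    graph, findings = build_call_graph(program), []
    for src_m, src_api in find_dangerous(program, SOURCES):
        for snk_m, snk_api in find_dangerous(program, SINKS):
            path = find_path(graph, src_m, snk_m)
            if path is not None:
                findings.append([src_api] + path + [snk_api])
    return findings
```

Calling `analyze(PROGRAM)` returns one finding, the path from `getParameter` through `App.readUser`, `App.main` and `App.lookup` to `executeQuery`; the `Runtime.exec` call in `Tool.run` is not reported because no source shares its call-graph component.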
