A Study on the Remove Use-After-Free Security Weakness

A Study on Removing the Use-After-Free Security Weakness in the Software Development Stage

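  • 박용구 (Department of Information Security, Graduate School of Information Security, Korea University) ;
  • 최진영 (Department of Information Security, Graduate School of Information Security, Korea University)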
  • Received : 2016.09.26
  • Accepted : 2016.10.31
  • Published : 2017.01.31

Abstract

The Use-After-Free security problem is rapidly growing in popularity, especially for attacking web browsers, operating system kernels, and local software. This security weakness is difficult to detect by conventional methods, and if a local system or software has this security weakness, it causes internal security problems. In this paper, we study ways to remove this security weakness during software development by summarizing the causes of the Use-After-Free security weakness and suggesting ways to remove them.

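Recently, Use-After-Free security problems have been occurring continually in web browsers, operating system kernels, and other software inside computer systems. This security weakness is difficult to remove with existing weakness detection methods, and when it exists inside software it seriously affects internal security. In this paper, we studied ways to remove this security weakness during the software development process. In doing so, we summarize the causes of the security weakness and present methods for removing it.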
