한국컴퓨터정보학회논문지 (Journal of the Korea Society of Computer and Information)

한국컴퓨터정보학회 (Korean Society of Computer Information)
권호 표지
DOI QR코드

DOI QR Code

Implement Static Analysis Tool using JavaCC

  • Kim, Byeongcheol (Dept. of Computer Engineering, Korea Polytechnic University) ;
  • Kim, Changjin (Dept. of Computer Engineering, Korea Polytechnic University) ;
  • Yun, Seongcheol (Dept. of Computer Engineering, Korea Polytechnic University) ;
  • Han, Kyungsook (Dept. of Computer Engineering, Korea Polytechnic University)
  • 투고 : 2018.10.18
  • 심사 : 2018.11.20
  • 발행 : 2018.12.31
PDF 다운로드
⟨ 이전 논문 다음 논문 ⟩

초록

In this paper, we implemented a static analysis tool for weakness. We implemented on JavaCC using syntax information and control flow information among various information. We also tested the performance of the tool using Juliet-test suite on Eclipse. We were classified using information necessary for diagnosis and diagnostic methods were studied and implemented. By mapping the information obtained at each compiler phase the security weakness, we expected to link the diagnostic method with the program analysis information to the security weakness. In the future, we will extend to implement diagnostic tools using other analysis information.

키워드

CPTSCQ_2018_v23n12_89_f0001.png 이미지

Fig. 1. Diagnostic Algorithm using Syntax Information

CPTSCQ_2018_v23n12_89_f0002.png 이미지

Fig. 2. Diagnostic Algorithm using Flow Information

Table 1. Classification by Information from Compiler Phase

CPTSCQ_2018_v23n12_89_t0001.png 이미지

Table 2. Diagnostic Method using Syntax Information

CPTSCQ_2018_v23n12_89_t0002.png 이미지

Table 3. Diagnostic Method using Flow Information

CPTSCQ_2018_v23n12_89_t0003.png 이미지

Table 4. Implementation List(using Syntax Information)

CPTSCQ_2018_v23n12_89_t0004.png 이미지

Table 5. Implementation List(using Flow Information)

CPTSCQ_2018_v23n12_89_t0005.png 이미지

Table 6. Result using Juliet Test Suite

CPTSCQ_2018_v23n12_89_t0006.png 이미지

참고문헌

  1. SungMoon Hong, Seungcheol Shin, Kyung-Goo Doh, Detection of Security Vulnerability From the Knowledge-Base Representation of Source Code, Journal of The Korea Information Science Society pp.1618-1620, June 2014.
  2. CWE, Common Weakness Enumeration, https://cwe.mitre.org/
  3. CERT, Computer Emergency Response Team, https://wiki.sei.cmu.edu/confluence/
  4. Kyungsook Han, Damho Lee, Changwoo Pyo, Classificati on of Diagnostic Information and Analysis Methods for Weaknesses in C/C++ Programs, Journal of The Korea Society of Computer and Information Vol. 22 No. 3, pp. 81-88. March 2017. https://doi.org/10.9708/JKSCI.2017.22.03.081
  5. Alfred V. Aho, Ravi Sethi, Jeffrey D. Ullman, "Compilers: Principled, Techniques, and Tools", Addison Wesley, 1986
  6. JavaCC, https://javacc.org/
  7. Juliet test-suite, https://samate.nist.gov/SRD/testsuite.php/
  8. MICRO FOCUS Inc., https://software.microfocus.com/
  9. Sparrow Co., https://sparrowpasso.com/
  10. CODEMIND, https://www.codemind.co.kr/
  11. Minero Aoki, "Compiler structure and principle : Language processing system learned by the compiler", 2009
  12. C. Cadar, and K. Sen, "Symbolic execution for software testing: three decades late," Communications of the ACM, 56.2 pp.82-90, July 2013. https://doi.org/10.1145/2408776.2408795
  13. P. Cousot, and R. Cousot, "Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints, "Proceedings of the 4th ACM SIGACT- SIGPLAN symposium on Principles of programming languages, pp238-252, ACM, January 1977.
  14. Kuznetsov, Volodymyr, Kinder, Johannes, Bucur, Stefan, Candea, George, "Efficient State Merging in Symbolic Execution", 2012
  15. LLVM, http://llvm.org/