Journal of the Korea Academia-Industrial cooperation Society (한국산학기술학회논문지)

The Korea Academia-Industrial cooperation Society (한국산학기술학회)
권호 표지
DOI QR코드

DOI QR Code

A Cross-check based Vulnerability Analysis Method using Static and Dynamic Analysis

정적 및 동적 분석을 이용한 크로스 체크기반 취약점 분석 기법

  • Song, Jun-Ho (Department of Computer Science and Engineering, Soongsil University) ;
  • Kim, Kwang-Jik (Department of IT Policy Management, Soongsil University) ;
  • Ko, Yong-Sun (Department of IT Policy Management, Soongsil University) ;
  • Park, Jae-Pyo (Graduate School of Information Science, Soongsil University)
  • 송준호 (숭실대학교 컴퓨터학과) ;
  • 김광직 (숭실대학교 IT정책경영학과) ;
  • 고용선 (숭실대학교 IT정책경영학과) ;
  • 박재표 (숭실대학교 정보과학대학원)
  • Received : 2018.09.14
  • Accepted : 2018.12.07
  • Published : 2018.12.31
Download PDF
⟨ Previous Next ⟩

Abstract

Existing vulnerability analysis tools are prone to missed detections, incorrect detections, and over-detection, which reduces accuracy. In this paper, cross-checking based on a vulnerability detection method using static and dynamic analysis is proposed, which develops and manages safe applications and can resolve and analyze these problems. Risks due to vulnerabilities are computed, and an intelligent vulnerability detection technique is used to improve accuracy and evaluate risks under the final version of the application. This helps the development and execution of safe applications. Through incorporation of tools that use static analysis and dynamic analysis techniques, our proposed technique overcomes weak points at each stage, and improves the accuracy of vulnerability detection. Existing vulnerability risk-evaluation systems only evaluate self-risks, whereas our proposed vulnerability risk-evaluation system reflects the vulnerability of self-risk and the detection accuracy in a complex fashion to evaluate relative. Our proposed technique compares and analyzes existing analysis tools, such as lists for detections and detection accuracy based on the top 10 items of SANS at CWE. Quantitative evaluation systems for existing vulnerability risks and the proposed application's vulnerability risks are compared and analyzed. We developed a prototype analysis tool using our technique to test the application's vulnerability detection ability, and to show that our proposed technique is superior to existing ones.

본 논문에서는 기존의 취약점 분석 도구들의 미탐지, 오탐지, 과탐지를 발생시켜 정확한 취약점 탐지를 어렵게 하는 문제점을 해결하고 분석 대상이 되는 어플리케이션의 위험도를 평가하여 안전한 어플리케이션을 개발하거나 관리할 수 있는 정적 및 동적 분석을 이용한 크로스 체크기반의 취약점 탐지 기법을 제안한다. 또한 각각의 취약점이 가지고 있는 자체 위험도를 계산하고 정확도를 높인 취약점 탐지 기법을 바탕으로 최종적인 어플리케이션의 위험도를 평가, 제시함으로서 안전한 어플리케이션의 개발 및 운영을 돕는다. 제안하는 기법은 정적 분석 및 동적 분석 기법을 사용하는 도구들의 상호작용을 통해 각 기법의 단점들을 극복하여 취약점 탐지 정확도를 향상시킨다. 또한 기존의 취약점 위험도평가 시스템은 취약점 자체 위험도에 대해서만 평가하였으나, 제안하는 위험도 평가는 취약점 자체 위험도와 탐지 정확도를 복합적으로 반영하여 어플리케이션이 얼마나 위험에 노출되어 있는지를 평가한다. 제안하는 기법은 CWE에서 SANS top 25의 상위 10위 항목을 기준으로 기존의 분석 도구들과 탐지 가능한 목록, 탐지 정확도를 비교분석하였으며, 기존의 취약점 위험도에 대한 정량적 평가 시스템과 제안하는 어플리케이션 위험도 평가 결과를 비교 분석 및 평가하였다. 제안하는 기법으로 프로토타입 분석 툴을 구현하여 실험을 통해 어플리케이션의 취약점을 분석하였을 때, 기존의 분석 도구들의 취약점 탐지 능력보다 우수한 것으로 나타났다.

Keywords

SHGSCZ_2018_v19n12_863_f0001.png 이미지

Fig. 1. The whole process of the proposed method

SHGSCZ_2018_v19n12_863_f0002.png 이미지

Fig. 2. The detail process of the proposed method

SHGSCZ_2018_v19n12_863_f0003.png 이미지

Fig. 3. Setting the rules

SHGSCZ_2018_v19n12_863_f0004.png 이미지

Fig. 4. The Process of Result Categorization

SHGSCZ_2018_v19n12_863_f0005.png 이미지

Fig. 5. The Process of Mapping Unavailable Module

SHGSCZ_2018_v19n12_863_f0006.png 이미지

Fig. 6. The Process of Mapping Available Module

SHGSCZ_2018_v19n12_863_f0007.png 이미지

Fig. 7. Custom Rule Creation Example(XSS)

SHGSCZ_2018_v19n12_863_f0008.png 이미지

Fig. 8. Detail results for Application Vulnerability Analysis

SHGSCZ_2018_v19n12_863_f0009.png 이미지

Fig. 9. Details of Detection Vulnerability based on Source Code

Table 1. The process of matching vulnerabilities of the same cause after dynamic and static analysis

SHGSCZ_2018_v19n12_863_t0001.png 이미지

Table 2. The ways to describe final vulnerability scores by sections of mid scores

SHGSCZ_2018_v19n12_863_t0002.png 이미지

Table 3. Vulnerability Analysis Tools used for Test bed

SHGSCZ_2018_v19n12_863_t0003.png 이미지

Table 5. Comparison of number of vulnerability detection when compared to existing static tool

SHGSCZ_2018_v19n12_863_t0004.png 이미지

Table 6. Comparison of vulnerable detection numbers when compared with existing dynamic module

SHGSCZ_2018_v19n12_863_t0005.png 이미지

References

  1. Luca Allodi and Fabio Massacci, "Comparing Vulnerability Severity and Exploits Using Case-Control Studies," Journal of ACM Transactions on Information and System Security (TISSEC), Vol. 17, Issue 1, pp. 1-12, August, 2014. DOI: https://dx.doi.org/10.1145/2630069
  2. More Secure Software, https://www.microsoft.com/en-us/sdl/about/benefits.aspx, Date accessed: May, 2016.
  3. Sam Ransbotham and Sabyasachi Mitra, The Impact of Immediate Disclosure on Attack Diffusion and Volume, Economics of Information Security and Privacy III, Springer, New York, pp.1-12, 2013.
  4. Introduction To ISO 27005(ISO27005), http://www.27000.org/iso-27005.htm, Date accessed: May, 2016.
  5. Agawal, Monica, Singh, Abhinav, Metasploit Penetration testing Cookbook(Second Edition), Packt Publishing, UK, pp.23-50, Oct., 2013.
  6. CVE(Common Vulnerabilities and Exposures), http://cve.mitre.org/, Date accessed: May, 2016.
  7. Common Weakness Scoring System(CWSS), http://cwe.mitre.org/cwss/cwss_v1.0.1.html/, May, 2016.
  8. Joon-Ho Kim, A study of utilization of source code security vulnerabilities detection tools and improving tools by using symbolic execution engine, Master's Thesis, Department of Information Protection Graduate School, Soongsil University, pp.9-15, Jun, 2015.
  9. Seokmo Kim, A Study of Dynamic Analysis Compensation of Over-detection Problem of Static Analysis : In Case of Software Vulnerability Detection, Master's Thesis, Department of Computer Science and Engineering Graduate School, Dankook University, pp.14-15, Dec., 2015.
  10. M. D. Ernst, "Static and dynamic analysis: synergy and duality", In Proceedings of the ICSE Workshop on Dynamic Analysis(WODA '03), pp.24-27, 2003.
  11. Ari Takanen, Jared D. DeMott and Charles Miller, Fuzzing for Software Security Testing and Quality Assurance, Artech House Publishers, UK, pp.80-84, 2008.