A DOM-Based Fuzzing Method for Analyzing Seogwang Document Processing System in North Korea

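  • Chanju Park (Department of Computer Science, Republic of Korea Naval Academy) ;
  • Dongsu Kang (Computer Engineering Major / Cyber Warfare Course, Korea National Defense University)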
  • Received : 2018.11.26
  • Accepted : 2019.01.28
  • Published : 2019.05.31

Abstract

Representative software developed and used by North Korea includes Red Star and internal application software. However, most existing research on North Korean software is limited to installation methods and general analysis of execution screens. File fuzzing is a typical method for identifying software security vulnerabilities. In this paper, we use file fuzzing to analyze security vulnerabilities in the Seogwang Document Processing System, one of the software products developed and used in North Korea. We propose analyzing the Open Document Text (ODT) files produced by the Seogwang Document Processing System, extracting nodes based on the Document Object Model (DOM) to determine the test targets, and generating mutation files through insertion and substitution. This increases the number of crashes detected in the same testing time.
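The following Python example is added here and is not the authors' fuzzing tool: it unpacks an ODT container, extracts attribute nodes from styles.xml through the DOM as test targets, and writes one mutation file by insertion or substitution. The seed document, the choice of attributes as targets, the replacement values and all function names are assumptions.

```python
import io
import random
import zipfile
from xml.dom import minidom

# Constructed seed content; a real ODT styles.xml carries many more nodes.
NS = "urn:oasis:names:tc:opendocument:xmlns:"
STYLES = (
    f'<office:document-styles xmlns:office="{NS}office:1.0" '
    f'xmlns:style="{NS}style:1.0" xmlns:fo="{NS}xsl-fo-compatible:1.0">'
    '<office:styles><style:style style:name="Standard" style:family="paragraph">'
    '<style:paragraph-properties fo:margin-left="0cm"/>'
    '</style:style></office:styles></office:document-styles>'
).encode()

def build_seed_odt():
    """Pack the constructed seed into an in-memory ODT (ZIP) container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("styles.xml", STYLES)
    return buf.getvalue()

def extract_targets(dom):
    """Walk the DOM; return (element, attribute name) pairs as test targets."""
    return [(el, el.attributes.item(i).name)
            for el in dom.getElementsByTagName("*")
            for i in range(el.attributes.length)
            if not el.attributes.item(i).name.startswith("xmlns")]

def mutate(odt_bytes, seed, member="styles.xml"):
    """Mutate one DOM node of `member`; return (new ODT bytes, description)."""
    rng = random.Random(seed)          # seeded so a crashing case can be replayed
    src = zipfile.ZipFile(io.BytesIO(odt_bytes))
    dom = minidom.parseString(src.read(member))
    el, attr = rng.choice(extract_targets(dom))
    old = el.getAttribute(attr)
    if rng.random() < 0.5:             # substitution: replace the whole value
        new, kind = rng.choice(["-1", "99999999cm", ""]), "substitute"
    else:                              # insertion: grow the value in place
        pos = rng.randrange(len(old) + 1)
        new, kind = old[:pos] + "A" * 64 + old[pos:], "insert"
    el.setAttribute(attr, new)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        for info in src.infolist():    # other archive members are copied as-is
            changed = info.filename == member
            data = dom.toxml(encoding="UTF-8") if changed else src.read(info.filename)
            z.writestr(info.filename, data)
    return out.getvalue(), f"{kind} {el.tagName}@{attr}"
```

Because only one DOM node changes per file and the XML stays well-formed, each mutation reaches the document parser's handling of that node rather than being rejected at the ZIP or XML layer.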

Fig. 1. Red star's Seogwang Document Processing System 3.0

Fig. 2. ODT File Structure

Fig. 3. Swap

Fig. 4. Bytemut

Fig. 5. Wave

Fig. 6. Result of Execution of Target Program by Dump Fuzzing

Fig. 7. Proposed ODT File Fuzzing Process

Fig. 8. Preparing to Extract Testing Area

Fig. 9. Extract Testing Area

Fig. 10. Mutation of the Area to be Tested

Fig. 11. Detailed Mutation of A31 and A32

Fig. 12. The Basic Process of a Fuzzing Tool Written in Python

Fig. 13. The Mutated Part of the Styles.xml, where the Crash is a Mutation File

Fig. 14. Iteration Cumulative Comparisons in Three Methods

Fig. 15. Crash Cumulative Comparisons in Three Methods

Table 1. Types of Fuzzing

Table 2. Experiment Environment

Table 3. Iteration Cumulative Counts for Three Methods

Table 4. Crash Cumulative Counts for Three Methods