Fig. 1. Red Star's Seogwang Document Processing System 3.0
Fig. 2. ODT File Structure
Fig. 3. Swap
Fig. 4. Bytemut
Fig. 5. Wave
Fig. 6. Result of Execution of Target Program by Dump Fuzzing
Fig. 7. Proposed ODT File Fuzzing Process
Fig. 8. Preparing to Extract Testing Area
Fig. 9. Extract Testing Area
Fig. 10. Mutation of the Area to be Tested
Fig. 11. Detailed Mutation of A31 and A32
Fig. 12. The Basic Process of a Fuzzing Tool Written in Python
Fig. 13. The Mutated Part of the Styles.xml, where the Crash is a Mutation File
Fig. 14. Iteration Cumulative Comparisons in Three Methods
Fig. 15. Crash Cumulative Comparisons in Three Methods
Table 1. Types of Fuzzing
Table 2. Experiment Environment
Table 3. Iteration Cumulative Counts for Three Methods
Table 4. Crash Cumulative Counts for Three Methods
References
- Ministry of National Defense, "2016 Defense white paper," pp.20-25, 2016.
- Guyeon Jeong and Gitae Lee, "Science technology development and new threats from North Korea : Cyber threat and UAV Penetration," KINU Research Series 16-04, pp.69-72, 2016.
- Kihun Park and Dongsu Kang, "A security vulnerability analysis of North Korea OS Red Star," in Proceedings of Korea Software Congress, pp.146-148, 2017.
- Jongseon Kim and Lee Choongeun, "Analysis and cooperation of North Korea's IT technology in uniform preparation," Science and Technology Policy Institute, 2014.
- P. Oehlert, "Violating assumptions with fuzzing," in Proc. the IEEE Security & Privacy (S&P), Vol.3, No.2, pp.58-62, 2005.
- ISO/IEC 26300:2006 Information technology - Open Document Format for Office Applications [Internet], https://www.iso.org/standard/43485.html.
- Byungjoon Jung, Jaehyeok Han, and Sangjin Lee, "A method of recovery for damaged ZIP files," Journal of The Korea Institute of Information Security & Cryptology, Vol.27, No.5, pp.1099-1106, 2017.
- Chanju Park and Dongsu Kang, "Analysis of file structure about Red Star's SeoKwang Document Processing System for security vulnerability analysis," in Proceedings of the Korea Information Processing Society, Vol.25, No.1, pp.110-112, 2018.
- G. Wang, "Improving data transmission in web applications via the translation between xml and json," Communications and Mobile Computing (CMC) 2011 Third International Conference, pp.182-185, 2011.
- R. Shirey, "RFC 2828-Internet Security Glossary," 2007.
- Sangsu Kim and Dongsu Kang, "Software Vulnerability Analysis using File Fuzzing," in Proceedings of the Korean Society of Computer Information Conference, Vol.25, No.2, pp.29-32, 2017.
- Michael Sutton, "FUZZING: Brute Force Vulnerability Discovery," United States of America: Addison-Wesley, 2007.
- Jaeseo Lee, Jongmyung Kim, Suyong Kim, Youngtae Yun, Yongmin Kim and Bongnam Noh, "A length-based file fuzzing test suite reduction algorithm for evaluation of software vulnerability," Journal of the Korea Institute of Information Security & Cryptology, Vol.23, No.2, pp.231-242, 2013. https://doi.org/10.13089/JKIISC.2013.23.2.231
- Colleen Lewis, Barret Rhoden and Cynthia Sturton, "Using structured random data to precisely fuzz media players," Project Report, 2007.
- Hanyang University, "Study on systematic approach for finding vulnerabilities in multimedia data and players for Microsoft Windows systems," KISA, 2009.
- Sangsu Kim and Dongsu Kang, "Fuzzing-based test case generation technique for multimedia file vulnerability analysis," Journal of Security Engineering, Vol.14, No.6, pp.441-458, 2017. https://doi.org/10.14257/jse.2017.12.04
- Sunghwan Ahn, "A novel fuzzing approach for discovering potential vulnerabilities in Hangul Word Processor," Thesis, Sungkyunkwan University, Seoul, Korea, 2014.
- CVE Details, Vulnerability Details : CVE-2012-2665 [Internet], https://www.cvedetails.com/cve/CVE-2012-2665.
- CISCO, Multiple Products XML Manifest Encryption Handling Arbitrary Code Execution Vulnerability [Internet], https://tools.cisco.com/security/center/viewAlert.x?alertId=26540.