Implementing a Fuzzing Agent to Detect Buffer Overflow Vulnerability

  • Bong-Han Kim (Digital Security Major, Cheongju University)
  • Received : 2020.11.03
  • Accepted : 2021.01.20
  • Published : 2021.01.28

Abstract

If software connected to a network contains a vulnerability through which a user's privileges can be obtained, a remote attacker could gain the privilege to use the computer. In addition, in a user environment in which one series of operating systems is used widely, a problem in that operating system can cause considerable damage. In particular, if the error is a security vulnerability, it can be a very big problem. Various studies have been conducted to find and respond to vulnerabilities in such a situation. Among the various security technologies, fuzzing is one of the most effective for finding errors in software. In this paper, I designed and implemented a fuzzing agent that can detect buffer overflow vulnerabilities that can occur in various applications. Through this fuzzing agent, application developers will be able to realize a more secure computing environment in which they can discover and fix vulnerabilities in their own applications.

If software connected to a network contains a vulnerability through which a user's privileges can be obtained, a remote attacker can gain the right to use the computer. Moreover, in a user environment where one series of operating systems holds a high share, a problem in that operating system can cause even greater damage. In particular, if an error with a security vulnerability is found, it can become a very serious problem. Various studies have been carried out to discover and respond to vulnerabilities in such an environment, and fuzzing is one of the most effective techniques for finding errors in software. In this paper, we design and implement a fuzzing agent that can detect buffer overflow vulnerabilities that may occur in various applications. Through such a fuzzing agent, application developers will be able to realize a safer computing environment in which they can discover and fix the vulnerabilities of their own applications by themselves.
