Browse > Article
http://dx.doi.org/10.13089/JKIISC.2021.31.2.279

A Study on the Application Method of Fuzz Testing to Domestic Weapon Systems Considering the Software Development Life Cycle (SDLC)  

Cho, Hyun-suk (LIGNEX1)
Kang, Su-jin (LIGNEX1)
Shin, Yeong-seop (LIGNEX1)
Cho, Kyu-tae (LIGNEX1)
Publication Information
Journal of the Korea Institute of Information Security & Cryptology / v.31, no.2, 2021 , pp. 279-289 More about this Journal
Abstract
Currently, regulations for removing security vulnerabilities in software have been enacted/revised and applied in the domestic weapon system industry. However, the regulations published so far can only be part of the preparation for known software security vulnerabilities, and are defenseless against unknown software security vulnerabilities. Fuzz testing is one of the most widely used testing techniques to analyze unknown software security vulnerabilities. In recent research data, many methods such as fuzzer algorithm modification or effective seed value extraction have been suggested in order to increase the efficiency of fuzz testing. However, it is difficult to find research data linking the fuzz testing technique to SDLC. In this paper, we propose a reinforcement method for efficient analysis of weaknesses in domestic weapon systems by applying the data generated by SDLC in the domestic weapon system to fuzz testing.
Keywords
Weapon System; SDLC; Fuzz Testing; Security Vulnerability Analysis;
Citations & Related Records
연도 인용수 순위
  • Reference
1 "Risk Management Framework (RMF) for DoD Information Technology (IT)," DoDI 8510.01, Mar. 2014
2 "Weapon System Development and Management Manual," DAPA(Defense Acquisition Program Administration), Nov. 2018
3 "Defence Interoperability Management Instruction," MND(Ministry of National Defense), No.2020-003, Jan. 2020
4 "Interoperability Management Guideline," DAPA No.673, Aug. 2020
5 "Security & Privacy Controls for Federal Information Systems and Organizations," NIST SP 800-53 Rev.4, Apr. 2013
6 "Instruction for Supporting the Development of Weapon System Software" DAPA, No.626, Sep. 2020
7 A. Rebert, S. K. Cha, T. Avgerinos, J. M. Foote, D. Warren, G. Grieco, and D. Brumley, "Optimizing seed selection for fuzzing." 23rd USENIX Security Symposium, Aug. 2014.
8 "National Defense Work Instruction," MND, No.2040, Jun. 2017
9 "National Defense Cyber Security Instruction", MND, No.2234, Dec. 2018
10 "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy," NIST SP 800-37 Rev.2, Dec. 2018
11 Yeonoh Jeong, "A Study about Development Methodology for Ensure the Software Security of Weapon System," The Korean Institute of Information Scientists and Engineers, 2018(6), pp. 77-79, Jun. 2018   DOI
12 Cheng Wen, "Recent Papers Related To Fuzzing" https://wcventure.github.io/FuzzingPaper/, Mar. 2021
13 Woncheol Lee, Kanghyun Kim and Seunghyeon Lee, "A Study of Software Security of Embedded Weapon Software Development Lifecycle," The Korean Institute of Information Scientists and Engineers, 2016(12), pp. 92-94, Dec. 2016
14 Hyunsuk Cho, Sungyong Cha and Seungjoo Kim "A Case Study on the Application of RMF to Domestic Weapon System", Journal of The Korea Institute of information Security & Cryptology, 29(6), pp. 1463-1475, Dec. 2019   DOI
15 V. J. M. Manes, H. Han, C. Han, S. K. Cha, M. Egele, E. J. Schwartz, and M. Woo, "Fuzzing: Art, science, and engineering," CoRR, vol. abs/1812.00140, 2018. [Online]. Available: https://arxiv.org/pdf/1812.00140.pdf
16 Adith Sudhakar, VMWare; Mohit Arora, Dell; and Souheil Moghnie, Norton LifeLock, "Focus on Fuzzing: Fuzzing Within the SDLC" https://safecode.org/focus-on-fuzzing-fuzzing-within-the-sdlc/, Sep. 2020
17 Beyond Security, "To Fuzz or Not to Fuzz: 8 Reasons to Include Fuzz Testing in Your SDLC" https://blog.beyondsecurity.com/fuzz-testing-sdlc/, Sep. 2020