Browse > Article
http://dx.doi.org/10.3745/KTCCS.2016.5.4.79

Development of Safe Korean Programming Language Using Static Analysis  

Kang, Dohun (부산대학교 전기전자컴퓨터공학과)
Kim, Yeoneo (부산대학교 전기전자컴퓨터공학과)
Woo, Gyun (부산대학교 전기컴퓨터공학과, LG 스마트제어센터)
Publication Information
KIPS Transactions on Computer and Communication Systems / v.5, no.4, 2016 , pp. 79-86 More about this Journal
Abstract
About 75% of software security incidents are caused by software vulnerability. In addition, the after-market repairing cost of the software is higher by more than 30 times than that in the design stage. In this background, the secure coding has been proposed as one of the ways to solve this kind of maintenance problems. Various institutions have addressed the weakness patterns of the standard software. A new Korean programming language Saesark has been proposed to resolve the security weakness on the language level. However, the previous study on Saesark can not resolve the security weakness caused by the API. This paper proposes a way to resolve the security weakness due to the API. It adopts a static analyzer inspecting dangerous methods. It classifies the dangerous methods of the API into two groups: the methods of using tainted data and those accepting in-flowing tainted data. It analyses the security weakness in four steps: searching for the dangerous methods, configuring a call graph, navigating a path between the method for in-flowing tainted data and that uses tainted data on the call graph, and reporting the security weakness detected. To measure the effectiveness of this method, two experiments have been performed on the new version of Saesark adopting the static analysis. The first experiment is the comparison of it with the previous version of Saesark according to the Java Secure Coding Guide. The second experiment is the comparison of the improved Saesark with FindBugs, a Java program vulnerability analysis tool. According to the result, the improved Saesark is 15% more safe than the previous version of Saesark and the F-measure of it 68%, which shows the improvement of 9% point compared to 59%, that of FindBugs.
Keywords
Secure Coding; Korean Programming Language; Safety Programming Language; Saesark;
Citations & Related Records
Times Cited By KSCI : 2  (Citation Analysis)
연도 인용수 순위
1 MSIP, SPRI, Software Industry Annual Report, 2014.
2 I. H. Kim, Facebook users private information leaked six million people [Internet], http://news.inews24.com/php/news-_view.php?g_serial=754079&g_menu=020600.
3 A. Buncombe, "Sony Pictures hack: US intelligence chief says North Korea cyberattack was 'most serious' ever against US interests," The Independent, 2015.
4 S. W. Lee, "Study on the information system aduit check list for enhanced privacy," MS. dissertation, Konkuk University, Seoul, ROK, 2015.
5 T. Lanowitz, "Now is the time for security at the application level," Gartner, 2005.
6 G. Tassey, "The economic impacts of inadequate infrastructure for software testing," National Institute of Standards and Technology, RTI Project 7007, 2002.
7 J. McManus and D. Mohindra, The CERT Sun Microsystems Secure Coding Standard for java [Internet], http://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=34669015.
8 OWASP, Welcome to OWASP [Internet], https://www.owasp.org/index.php/Main_Page.
9 CWE, A community Developed Dictionary of Software Weakness Types [Internet], http://cwe.mitre.or/.
10 JSF, The F-35 Lightning II Program [Internet], http://www.jsf.mil/.
11 MISRA, The Motor Industry Software Reliability Association [Internet], http://www.misra.org.uk/.
12 J. S. Cheon, D. H. Kang, and G. Woo, "A Concise Korean Programming Language Sprout," Journal of KIISE, Vol.42, No.4, pp.496-503, 2015.   DOI
13 D. H. Kang, Y. E. Kim, and G. Woo, "A Study on Improving Runtime Safety of a Sprout through Analysis of Java Secure Coding Guide," Proc. of the KIISE Korea Computer Congress 2015, pp.1751-1753, 2015.
14 OWASP, "OWASP Top 10-2013," The Ten Most Critical Web Application Security Risks, 2013.
15 B. Martin, M. Brown, A. Paller, and D. Kirby. "2011 CWE/SANS top 25 most dangerous software errors," Common Weakness Enumeration, 2011.
16 HP, IT Security in the Idea Economy [Internet], https://www.hpe.com/us/en/solutions/security.html.
17 Coverity, Coverity Software Testing Platform [Internet], http://www.coverity.com/products/.
18 IBM, IBM Security AppScan [Internet], http://www-03.ibm.com/software/products/en/appscan.
19 FindBugs, FindBugs because it's easy [internet], http://findbugs.sourceforge.net/findbugs2.html.
20 N. Ayewah, W. Pugh, J. D. Morgenthaler, J. Penix, and Y. Q. Zhou, "Evaluating static analysis defect warnings on production software," Proceedings of the 7th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering, ACM, pp.1-8, 2007.
21 Evenstar, BigLook is the financial and enterprise security weaknesses SW diagnostic system optimized for enterprise environments [Internet], http://www.evenstar.co.kr/index-.php.
22 Trinitysoft, The Trinitysoft is committed to providing the best Web application security solutions [Internet], http://www.trinitysoft.co.kr/page/solution_04.
23 GTONE, SecurityPrism is secure coding solution to ensure safe application since the early stages of development [Internet], http://www.gtone.co.kr/main/ag/sp.php.
24 Fasoo, SPARROW is a source code analysis tool, using static analysis [internet], http://www.fasoo.com/site/fasoo/sourcecodeanalysis/sparrow.do.
25 Y. E. Kim, J. W. Song, and G. Woo, "A Design of a Korean Programming Language Ensuring Run-Time Safety through Categorizing C Secure Coding Rules," Journal of KIISE, Vol.42, No.4, pp.487-495, 2015.   DOI
26 V. B. Livshits and M. S. Lam, "Finding Security Vulnerabilities in Java Applications with Static Analysis," Usenix Security, pp.18-18, 2005.
27 D. E. Knuth, "An empirical study of FORTRAN programs," Software: Practice and Experience, Vol.1, No.2, pp.105-133, 1971.   DOI
28 A. V. Aho, R. Sethi, and J. D. Ullamn, "Compilers: Principles, Techniques, and Tools," 2nd ed., PEARSON, 2014.
29 T. Boland and P. E. Black, "Juliet 1.1 C/C++ and Java test suite," Computer, Vol.10, No.45, pp.88-90, 2012.
30 NIST and NSA CAS, Juliet Test Suite for Java and C/C++ [Internet], https://samate.nist.gov/SRD/testsuite.php.