Browse > Article
http://dx.doi.org/10.3745/KTCCS.2019.8.5.119

A DOM-Based Fuzzing Method for Analyzing Seogwang Document Processing System in North Korea  

Park, Chanju (해군사관학교 전산과학과)
Kang, Dongsu (국방대학교 컴퓨터공학전공/사이버전과정)
Publication Information
KIPS Transactions on Computer and Communication Systems / v.8, no.5, 2019 , pp. 119-126 More about this Journal
Abstract
Typical software developed and used by North Korea is Red Star and internal application software. However, most of the existing research on the North Korean software is the software installation method and general execution screen analysis. One of the ways to identify software vulnerabilities is file fuzzing, which is a typical method for identifying security vulnerabilities. In this paper, we use file fuzzing to analyze the security vulnerability of the software used in North Korea's Seogwang Document Processing System. At this time, we propose the analysis of open document text (ODT) file produced by Seogwang Document Processing System, extraction of node based on Document Object Mode (DOM) to determine test target, and generation of mutation file through insertion and substitution, this increases the number of crash detections at the same testing time.
Keywords
Fuzzing; Document Object Model(DOM); Open Document Text(ODT); Seogwang Document Processing System;
Citations & Related Records
Times Cited By KSCI : 2  (Citation Analysis)
연도 인용수 순위
1 Sangsu Kim and Dongsu Kang, "Fuzzing-based test case generation technique for multimedia file vulnerability analysis," Journal of Security Engineering, Vol.14, No.6, pp.441-458, 2017.   DOI
2 Sunghwan Ahn, "A novel fuzzing approach for discovering potential vulnerabilities in Hangul Word Processor," Thesis, Sungkyunkwan University, Seoul, Korea, 2014.
3 CVE Details, Vulnerability Details : CVE-2012-2665 [Internet], https://www.cvedetails.com/cve/CVE-2012-2665.
4 CISCO, Multiple Products XML Manifest Encryption Handling Arbitrary Code Execution Vulnerability [Internet], https://tools.cisco.com/security/center/viewAlert.x?alertId=26540.
5 Jongseon Kim and Lee Choongeun, "Analysis and cooperation of North Korea's IT technology in uniform preparation," Science and Technology Policy Institute, 2014.
6 Ministry of National Defense, "2016 Defense white paper," pp.20-25, 2016.
7 Guyeon Jeong and Gitae Lee, "Science technology development and new threats from North Korea : Cyber threat and UAV Penetration," KINU Research Series 16-04, pp.69-72, 2016.
8 Kihun Park and Dongsu Kang, "A security vulnerability analysis of North Korea OS Red Star," in Proceedings of Korea Software Congress, pp.146-148, 2017.
9 P. Oehlert, "Violating assumptions with fuzzing," in Proc. the IEEE Security & Privacy(S&P), Vol.3, No.2, pp.58-62, 2005.
10 Byungjoon Jung, Jaehyeok Han, and Sangjin Lee, "A method of recovery for damaged ZIP files," Journal of The Korea Institute of Information Security & Crypto logy, Vol.27, No.5, pp.1099-1106, 2017.
11 Chanju Park and Dongsu Kang, "Analysis of file structure about Red Star's SeoKwang Document Processing System for security vulnerability analysis," in Proceedings of the Korea Information Processing Society, Vol.25, No.1, pp.110-112, 2018.
12 G. Wang, "Improving data transmission in web applications via the translation between xml and json," Communications and Mobile Computing(CMC) 2011 Third International Conference, pp.182-185, 2011.
13 R.shirey, "RFC 2828-Internet Security Glossary," 2007.
14 Sangsu Kim and Dongsu Kang, "Software Vulnerability Analysis using File Fuzzing," in Proceedings of the Korean Society of Computer Information Conference, Vol.25, No.2, pp.29-32, 2017.
15 Michael Sutton, "FUZZING: Brute Force Vulnerability Discovery," United States of America: Addison-Wesley, 2007.
16 ISO/IEC 26300:2006 Information technology - Open Document Format for Office Applications [Internet], https://www.iso.org/standard/43485.html.
17 Jaeseo Lee, Jongmyung Kim, Suyong Kim, Youngtae Yun, Yongmin Kim and Bongnam Noh, "A length-based file fuzzing test suite reduction algorithm for evaluation of software vulnerability," Journal of the Korea Institute of Information Security & Cryptology, Vol.23, No.2, pp.231-242, 2013.   DOI
18 Colleen Lewis, Barret Rhoden and Cynthia Sturton, "Using structured random data to precisely fuzz media players," Project Report, 2007.
19 Hanyang University, "Study on systematic approach for finding vulnerabilities in multimedia data and players for Microsoft Windows systems," KISA, 2009.