• Title/Summary/Keyword: 바이너리 분석 (binary analysis)

Search Result 129, Processing Time 0.023 seconds

Instrumentation Performance Measurement Technique for Evaluating Efficiency of Binary Analysis Tools (바이너리 분석도구 효율성 평가를 위한 Instrumentation 성능 측정기법)

  • Lee, Minsu;Lee, Jehyun;Kim, Hobin;Ryu, Chanho
    • Journal of the Korea Institute of Information Security & Cryptology / v.27 no.6 / pp.1331-1345 / 2017
  • Binary instrumentation has been developed for monitoring and debugging executables without their source code. Previous efforts on binary instrumentation have mainly focused on its capability and accuracy, but not on efficiency for practical application. In particular, criteria and measurement methodologies for evaluating and comparing the efficiency of binary investigation tools and algorithms have not been estimated yet. In this paper, we propose instrumentation primitives, each a unit of functionality, and a measurement methodology. Through empirical experiments applying the proposed methodology to DynamoRIO and Pin, we show the feasibility of the proposal.

Control Flow Reconstruction from Virtualization-Obfuscated Binaries (가상화를 이용하여 난독화된 바이너리의 제어 흐름 재건)

  • Hwang, Joonhyung;Han, Taisook
    • Journal of KIISE / v.42 no.1 / pp.44-53 / 2015
  • Control flow information is useful in the analysis and comparison of programs. Virtualization-obfuscation hides control structures of the original program by transforming machine instructions into bytecode. Direct examination of the resulting binary reveals only the structure of the interpreter. Recovery of the original instructions requires knowledge of the virtual machine architecture, which is randomly generated and hidden. In this paper, we propose a method to reconstruct original control flow using only traces generated from the obfuscated binary. We consider traces as strings and find an automaton that represents the strings. State transitions in the automaton correspond to the control transfers in the original program. We have shown the effectiveness of our method with commercial obfuscators.

The Study on Improvement of the Program that Traces the Binary Codes in Execution (실행 중인 바이너리 코드 추출 프로그램의 기능 확장 연구)

  • Chang, Hang-Bae;Kwon, Hyuk-Jun;Kim, Yang-Hoon;Kim, Guk-Boh
    • Journal of Korea Multimedia Society / v.12 no.9 / pp.1309-1315 / 2009
  • The goal of this research is to develop and produce a tool that finds security weaknesses that may occur when an ordinary program is executed. The analysis tool for security weaknesses has the following major functions. When a part with an anticipated security weakness is executed, it traces the machine language of the part in execution. It also monitors system calls and DLL (API) calls while a program is in execution. The results of this study can be used as educational material for security services in companies and related agencies and, ultimately, can help prevent hacking by external intruders.


A Study on Performance of Optical Duobinary Transmitters for 25Gbps Transmission (25Gbps 광 신호 전송을 위한 광 듀오바이너리 송신기 특성에 관한 연구)

  • Lee, Dong-Soo
    • The Journal of the Institute of Internet, Broadcasting and Communication / v.17 no.2 / pp.89-94 / 2017
  • This paper presents a theoretical study of transmission performance for optical duobinary transmitters employing a Mach-Zehnder modulator. In particular, we have investigated the performance of the various transmitters for transmitting 25Gbps optical duobinary signals at a wavelength of 1550nm without any dispersion compensation methods over single mode fiber. Due to the way each transmitter generates its duobinary signals, each has a distinct optical power spectrum and eye opening shape. As a result, there was a difference in the dispersion tolerance. From the simulation results, we could find a suitable transmitter for 25Gbps transmission considering the structural complexity and the restricted conditions.

Graph based Binary Code Execution Path Exploration Platform for Dynamic Symbolic Execution (동적 기호 실행을 이용한 그래프 기반 바이너리 코드 실행 경로 탐색 플랫폼)

  • Kang, Byeongho;Im, Eul Gyu
    • Journal of the Korea Institute of Information Security & Cryptology / v.24 no.3 / pp.437-444 / 2014
  • In this paper, we introduce a Graph based Binary Code Execution Path Exploration Platform. In the graph, a node is defined as a conditional branch instruction, and an edge is defined as the other instructions. We implemented a prototype of the proposed method, and it works well on real binary code. Experimental results show that the proposed method correctly explores the execution paths of the target binary code. We expect our method can make Software Assurance, Secure Programming, and Malware Analysis more correct and efficient.

Detecting TOCTOU Race Condition on UNIX Kernel Based File System through Binary Analysis (바이너리 분석을 통한 UNIX 커널 기반 File System의 TOCTOU Race Condition 탐지)

  • Lee, SeokWon;Jin, Wen-Hui;Oh, Heekuck
    • Journal of the Korea Institute of Information Security & Cryptology / v.31 no.4 / pp.701-713 / 2021
  • Race Condition is a vulnerability in which two or more processes input or manipulate a common resource at the same time, resulting in unintended results. This vulnerability can lead to problems such as denial of service or elevation of privilege. When a vulnerability occurs in software, the relevant information is documented, but often the cause of the vulnerability or the source code is not disclosed. In this case, analysis at the binary level is necessary to detect the vulnerability. This paper aims to detect the Time-Of-Check Time-Of-Use (TOCTOU) Race Condition vulnerability of UNIX kernel-based File Systems at the binary level. So far, various static and dynamic analysis detection techniques have been studied for the vulnerability. Existing vulnerability detection tools using static analysis detect it through source code analysis, and there are currently few studies conducted at the binary level. In this paper, we propose a method for detecting TOCTOU Race Conditions in File Systems based on the Control Flow Graph and Call Graph through Binary Analysis Platform (BAP), a binary static analysis tool.

Exploit the method according to the function call (동적 링크를 활용한 특정 함수 호출)

  • OK, Geun Ho;Kang, Young-Jin;Lee, HoonJae
    • Proceedings of the Korean Institute of Information and Communication Sciences Conference / 2016.05a / pp.755-758 / 2016
  • This paper explains how a function in a program binary is called within the binary. It describes the elements required during the call and their dynamic linking in the compilation process, and the concept of the 'linker' that connects those elements with the C-language file, and compares and analyzes the differences between static linking and dynamic linking. It also performs an experiment on the Return To Dynamic Linker exploit.


A Comparison of tools for Dynamic Analysis: Binary Instrumentation (동적 바이너리 분석 툴 비교 분석: Binary Instrumentation)

  • Choi, Young-Hyun;Jang, Seongsoo;Lim, Hun-Jung;Eom, Jung-Ho;Chung, Tai-Myoung
    • Proceedings of the Korea Information Processing Society Conference / 2010.11a / pp.1197-1199 / 2010
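  • In this paper, we performed a comparative analysis of dynamic binary analysis tools that apply dynamic instrumentation. By deriving and comparing characteristic values that fit common criteria for each tool, the comparison makes it possible to identify the strengths of the tools under the same conditions, and, by backing up each characteristic with its technical background, it lays the groundwork for building better dynamic analysis tools. To this end, we compared four dynamic analysis tools, DynamoRIO, DynInst, Pin, and Valgrind, on five main criteria: supported platforms, concept of the execution mechanism, scope of possible instrumentation, performance, and availability with respect to licensing.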

Analyzing Differences of Binary Executable Files using Program Structure and Constant Values (프로그램의 구조와 상수 값을 이용하는 바이너리 실행 파일의 차이점 분석)

  • Park, Hee-Wan;Choi, Seok-Woo;Seo, Sun-Ae;Han, Tai-Sook
    • Journal of KIISE:Software and Applications / v.35 no.7 / pp.452-461 / 2008
  • Binary diffing is a method to find differences in similar binary executables such as two different versions of security patches. Previous diffing methods using flow information can detect control flow changes, but they cannot track constant value changes. Diffing methods using assembly instructions can detect constant value changes, but they give false positives which are due to compiling methods such as instruction reordering. We present a binary diffing method and its implementation named SCV which utilizes both structure and value information. SCV summarizes structure and constant value information from disassembled code, and matches the summaries to find differences. By analyzing Microsoft Windows security patches, we showed that SCV found necessary differences caused by constant value changes which the state-of-the-art binary diffing tool BinDiff failed to find.

Authorship Attribution Framework Using Survival Network Concept : Semantic Features and Tolerances (서바이벌 네트워크 개념을 이용한 저자 식별 프레임워크: 의미론적 특징과 특징 허용 범위)

  • Hwang, Cheol-Hun;Shin, Gun-Yoon;Kim, Dong-Wook;Han, Myung-Mook
    • Journal of the Korea Institute of Information Security & Cryptology / v.30 no.6 / pp.1013-1021 / 2020
  • Malware Authorship Attribution is a research field for identifying malware by comparing the author characteristics of unknown malware with the characteristics of known malware authors. The authorship attribution method using binaries has the advantage that it is easy to collect and analyze targeted malicious codes, but the scope of using features is limited compared to the method using source code. This limitation has the disadvantage that accuracy decreases for a large number of authors. This study proposes a method of 'Defining semantic features from binaries' and 'Defining allowable ranges for redundant features using the concept of survival network' to complement the limitations in the identification of binary authors. The proposed method defines Opcode-based graph features from binary information, and defines the allowable range for selecting unique features for each author using the concept of a survival network. Through this, it was possible to define the feature definition and feature selection method for each author as a single technology, and through the experiment, it was confirmed that it was possible to derive the same level of accuracy as the source code-based analysis with an improvement of 5.0% accuracy compared to the previous study.