• Proceedings of the Korea Information Processing Society Conference
• /
• 2008.11a
• /
• pp.582-585
• /
• 2008

제어 흐름 그래프(CFG : Control Flow Graph)는 제어 흐름상의 오류나 문제점을 찾아내고 흐름에 대해 한눈에 파악할 수 있기 때문에 소프트웨어공학 분야에서 많이 사용되고 있다. 현재 여러 테스팅 분야에서 다양한 제어 흐름 분석 기법들이 연구, 소개되고 있는데 본 논문에서는 XML 문서를 이용하여 CFG를 나타내고자 한다. XML은 트리구조를 가진 문서 모델로 C 언어 소스 코드를 구조적으로 나타냄으로써 좀 더 쉽게 코드를 분석하고, 제어 흐름 요소를 추출하여 제어 흐름 그래프를 나타내는 데에 유용하다. 따라서 중간 분석 파일로 XML을 이용하여 보다 빠르고 쉽게 CFG를 나타내는 기법을 제안한다.

• Journal of Convergence Society for SMB
• /
• v.6 no.4
• /
• pp.137-150
• /
• 2016

Along with the rapid development of IT technology and business services, the effort to provide new services to the customers has been increasing, and also the improvement and enhancement of legacy systems are continuously occurring for rapid service delivery. In this situation, the quality assurance of the source code for the legacy system became a key technical elements that can quickly respond to the service needs. Refactoring is an engineering technique to ensure the quality for the legacy code, and essential for the improvement and extension of the legacy system in order to provide value-added services. This paper proposes some features of refactoring techniques through surveying and analyzing the existing refactoring techniques and tools to enhance source code quality. When service developers want to refactor the source code of the legacy system to enhance code quality, our proposed features may provide with the guidance on what to use any technique and tool in their work. This can improve the source code quality with correct refactoring and without trial and error, and will also enable rapid response to new services.

• Convergence Security Journal
• /
• v.4 no.2
• /
• pp.27-34
• /
• 2004

The recent explosive use of the Internet and the development of computer communication technologies reveal serious computer security problem. Inspite of many studies on secure access to the system, generally, the attackers do not use the previous intrusion techniques or network flaw, rather they tend to use the vulnerabilities residing inside the program, which are the running programs on the system or the processes for the service. Therefore, the security managers must focus on updating the programs with lots of time and efforts. Developers also need to patch continuously to update the Program, which is a lot of burden for them. In order to solve the problem, we need to understand the vulnerabilities in the program, which has been studied for some time. And also we need to analyze the functions that contains some vulnerabilities inside. In this paper, we first analyzed the vulnerabilities of the standard C library, and Win32 API functions used in various programs. And then we described the design and implementation of the automated scanning tool for writing secure source code based on the analysis.

• KIPS Transactions on Software and Data Engineering
• /
• v.2 no.5
• /
• pp.319-328
• /
• 2013

Software maintainers try to comprehend software source code by intensively using source code identifiers. Thus, use of inconsistent identifiers throughout entire source code causes to increase cost of software maintenance. Although participants can adopt peer reviews to handle this problem, it might be impossible to go through entire source code if the volume of code is huge. This paper introduces an approach to automatically detecting inconsistent identifiers of Java source code. This approach consists of tokenizing and POS tagging all identifiers in the source code, classifying syntactic and semantic similar terms, and finally detecting inconsistent identifiers by applying proposed rules. In addition, we have developed tool support, named CodeAmigo, to support the proposed approach. We applied it to two popular Java based open source projects in order to show feasibility of the approach by computing precision.

• KIPS Transactions on Computer and Communication Systems
• /
• v.9 no.11
• /
• pp.273-280
• /
• 2020

Automatic Static Analysis Tools help developers to quickly find potential defects in source code with less effort. However, the tools reports a large number of false positive warnings which do not have to fix. In our study, we proposed an artificial neural network-based warning classification method using topic models of source code blocks. We collect revisions for fixing bugs from software change management (SCM) system and extract code blocks modified by developers. In deep learning stage, topic distribution values of the code blocks and the binary data that present the warning removal in the blocks are used as input and target data in an simple artificial neural network, respectively. In our experimental results, our warning classification model based on neural network shows very high performance to predict label of warnings such as true or false positive.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2014.04a
• /
• pp.518-521
• /
• 2014

최근 개인정보 유출 등으로 인해 정보시스템의 보안약점 및 소스코드 품질에 대한 관심이 높으며, 특히 개인자산과도 관련된 금융 정보 시스템의 경우에는 더욱 높다. 해당 시스템의 보안성 강화를 위해서는 개발단계에서부터 보안취약점과 코드의 품질을 높일 수 있는 정적분석 기반의 진단도구 활용이 중요하다. 많은 분야에서 진단도구의 활용이 이루어지고 있지만 금융 정보시스템의 경우 다른 SW 와 특성이 다르기 때문에 추가적인 진단규칙이 반영된 진단도구의 활용이 필요하다. 본 논문은 여러 진단도구 중 전자정부개발에 사용하고, 비교적 진단규칙 추가가 용이한 PMD 에 추가 진단규칙을 반영한 후 생명보험 정보시스템에 적용하고 이에 대한 PMD 검출 계수를 분석한다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.6
• /
• pp.1225-1236
• /
• 2020

Fuzzing is an automated software testing methodology that dynamically tests the security of software by inputting randomly generated input values outside of the expected range. KISA is releasing open source for standard cryptographic algorithms, and many crypto module developers are developing crypto modules using this source code. If there is a vulnerability in the open source code, the cryptographic library referring to it has a potential vulnerability, which may lead to a security accident that causes enormous losses in the future. Therefore, in this study, an appropriate security policy was established to verify the safety of block cipher source codes such as SEED, HIGHT, and ARIA, and the safety was verified using differential fuzzing. Finally, a total of 45 vulnerabilities were found in the memory bug items and error handling items, and a vulnerability improvement plan to solve them is proposed.

• Proceedings of the Korean Information Science Society Conference
• /
• 2001.10a
• /
• pp.466-468
• /
• 2001

객체지향형 소프트웨어가 개발되고 분산 시스템에 적용되면서 소프트웨어 시스템의 분석 및 안전상의 보장이 매우 어려워지고 있다. 정형 기법을 이용해서 소프트웨어 시스템의 안전성을 증명하는 연구가 진행되고 있지만 소스코드 레벨에서의 보장은 아직 어려운 상태이다. 본 연구에서는 이러한 소프트웨어 시스템의 소스코드 레벨에서의 안전성 보장을 위한 연구로 Bandera toolset 을 이용한 정형검증에 대해 논한다.

• Journal of KIISE
• /
• v.42 no.7
• /
• pp.860-867
• /
• 2015

In the defense field, weapon systems are increasing in importance, as well as the weight of the weapon system embedded software development as an advanced technology. As the development of a network-centric warfare has become important to secure the reliability and quality of embedded software in modern weapons systems in battlefield situations. Also, embedded software problems are transferred to the production stage in the development phase and the problem gives rise to an enormous loss at the national level. Furthermore, development companies have not systematically constructed a software reliability test. This study suggests that approaches about a qualityverification- system establishment of embedded software, based on a variety of source code reliability test verification case analysis.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2014.11a
• /
• pp.642-645
• /
• 2014

본 논문은 EAL6 수준의 공통평가기준 인증을 위해 ADV(개발) 클래스에서 ADV_INT에 대해 기술하였다. 특히, 테스트용 스마트 운영체제 소스코드 분석을 통해 구현된 내부 구조가 잘 구조화되었는지, 지나치게 복잡하지 않았는지 입증하기 위해 시도를 하였다. 다양한 소스코드 분석 도구를 통해 사이클로매틱복잡도(CyC), 정보흐름복잡도(IFC), Weighted IFC, fan-in, fan-out 등의 정보를 추출하였고, 추출된 정보를 기반으로 적용하여 수행하였다. 구조화된 정보 분석을 위해 객체지향 분석 도구를 사용한 재구조화 기법을 적용하여 수행하였다. 객체간 결합도, 팬아웃 등의 정보 등을 추출하였다. 추출된 정보를 기반으로 SW의 복잡도 및 구조적 정보를 분석한 결과 응집도 분석에 한계, TOE의 형상관리 정보 등의 부재에 따른 추출된 정보 분석의 한계, 활용된 도구의 분석 정보의 재반영 부재 및 구조적 분석 등의 한계점이 드러났다.