• Proceedings of the Korean Information Science Society Conference
• /
• 2007.06d
• /
• pp.72-75
• /
• 2007

파일 보호 기법은 정보보호와 접근제어라는 측면에서 다양하게 연구되어지고 있다 이러한 파일 보호 기법 중 암호화 파일 시스템에 대한 많은 연구가 진행 되고 있다. 본 연구에서는 기존의 암호화 파일 시스템에서 발생하는 파일에 전체에 대한 암호화 효율성을 개선하기 위한 기법으로 MS 윈도우즈 실행파일 형식인 PE 파일 형식 헤더부분과 코드영역에 대한 암호화 방안을 제안하여 실행 가능한 파일에 대한 효율적인 암호화 기법과 보호방안을 제공하고자 한다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.4
• /
• pp.807-819
• /
• 2019

Greybox fuzzing is known as an effective method to discover unknown security flaws reside in software and has been actively researched today. However, most of greybox fuzzing tools require an executable file. Because of this, a library, which cannot be executed by itself requires an additional executable file for greybox fuzzing. Generating such an executable file is challengeable because it requires both understanding of the library and fuzzing. In this research, we suggest the approach to generate an executable file automatically for a library and implement this approach as a tool based on the LLVM framework. This tool shows that executable files and seed files can be generated automatically by static/dynamic analysis of a unit test in the target project. A generated executable file is compatible with various greybox fuzzers like AFL because it has a common interface for greybox fuzzers. We show the performance of this tool as code coverage and discovered unknown security bugs using generated executable files and seed files from open source projects through this tool.

• Journal of Korea Multimedia Society
• /
• v.10 no.5
• /
• pp.668-678
• /
• 2007

The development of a wire and wireless communication technologies might permit easily accessing on various information. But, the easiness of accessing information has basically the problem of an unintended information outflow. An executable file which has key algorithms, data and resources for itself has very weak point in the security. Because the various information such as algorithms, data and resources is included in an executable file on embedded systems or virtual machines, the information outflow problem may appear more seriously. In this paper, we propose a technique which can be protecting the executable file contents for resolving the outflow problem through the encryption. Experimentally, we applied the proposed technique to EVM-the virtual machine for embedded system and verified it. Also, we tried a benchmark test for the proposed technique and obtained reasonable performance overhead.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2021.07a
• /
• pp.215-218
• /
• 2021

심캐시(Shimcache, AppCompatCache) 파일은 Windows 운영체제에서 응용 어플리케이션 간의 운영체제 버전 호환성 이슈를 관리하는 파일이다. 호환성 문제가 발생한 응용 어플리케이션에 대한 정보가 심캐시에 기록되며 프리패치 (Prefetch) 파일이나 레지스트리의 UserAssist 키 등과 같이 응용 어플리케이션의 실행 흔적을 기록한다는 점에서 포렌식적 관점에서 중요한 아티팩트이다. 본 논문에서는 심캐시의 구조를 분석하여 심캐시 파일을 통해 얻을 수 있는 응용 어플리케이션의 정보를 소개하고, 기존 툴 상용도구의 개선을 통해 완전 삭제 등 안티 포렌식 도구의 실행 흔적을 탐지하는 방법을 제시한다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.3
• /
• pp.615-619
• /
• 2012

Reverse engineering via static analysis is an essential step in software security and it focuses on reconstructing code structures and data abstractions. In particular, reverse engineering of data abstractions is critical to understand software but the previous scheme, VSA, is not suitable for applying to fragmented binaries. This paper proposes an enhanced method through dynamic region assignment.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.5
• /
• pp.861-870
• /
• 2014

According to the intelligence of the malicious code to extract the executable file in physical memory is emerging as an import researh issue. In previous physical memory studies on executable file extraction which is targeting running files, they are not extracted as same as original file saved in disc. Therefore, we need a method that can extract files as same as original one saved in disc and also can analyze file-information loaded in physical memory. In this paper, we provide a method that executable file extraction by analyzing information of Windows kernel file object. Also we analyze the characteristic of physical memory loaded file data from the experiment and we demonstrate superiority because the suggested method can effectively extract more of original file data than the existing method.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.4
• /
• pp.709-720
• /
• 2013

Virtualization obfuscation makes hard to analyze the code by applying virtualization to code section. Protected code by common used virtualization obfuscation technique has become known that it doesn't have restored point and also it is hard to analyze. However, it is abused to protect malware recently. So, It is been hard to analyze and take action for malware. Therefore, this paper's purpose is analyze and take action for protected malware by virtualization obfuscation technique through implement tool which can extract virtualization structure automatically and trace execution process. Hence, basic structure and operation process of virtualization obfuscation technique will be handled and analysis result of protected malware by virtualization obfuscation utilized Equation Reasoning System, one kind of program analysis. Also, we implement automatic analysis tool, extract virtualization structure from protected executable file by virtualization obfuscation technique and deduct program's execution sequence.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.35 no.3B
• /
• pp.431-439
• /
• 2010

The security systems using signatures cannot protect servers from new types of Internet worms. To protect servers from Internet worms, this paper proposes a system removing malicious processes and executable files without using signatures. The proposed system consists of control servers which offer the same services as those on protected servers, and agents which are installed on the protected servers. When a control server detects multicasting attacks of Internet worm, it sends information about the attacks to an agent. The agent kills malicious processes and removes executable files with this information. Because the proposed system do not use signatures, it can respond to new types of Internet worms effectively. When the proposed system is integrated with legacy security systems, the security of the protected server will be further enhanced.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.16 no.6
• /
• pp.81-93
• /
• 2006

A file system is an evidence resource of cyber crime in computer forensics. Therefore the methods of recovering the file system and searching important information have been offered. However, the methods for finding a malicious fie in free blocks or slack spaces have not been suggested. In this paper, we propose an investigation method to find a maliciously executable fragmented file. After estimating if a file is executable with a machine code rate, we conclude it could be malicious by comparing a similarity of instruction sequences. To examine instruction sequences, we also propose a method of profiling malicious files using file and a method of comparing the continued scores. As the results, we could exactly pick out the malicious execution files, such as buffer overflow attack program, at fitting threshold level.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.2
• /
• pp.179-188
• /
• 2012

Packing techniques, one of malicious code detection and analysis avoidance techniques, change code to reduce size and make analysts confused. Therefore, malwares have more time to spread out and it takes longer time to analyze them. Thus, these kind of unpacking techniques have been studied to deal with packed malicious code lately. Packed programs are unpacked during execution. When it is unpacked, the data inside of the packed program are changed. Because of these changes, the entropy value of packed program is changed. After unpacking, there will be no data changes; thus, the entropy value is not changed anymore. Therefore, packed programs could be unpacked finding the unpacking point using this characteristic regardless of packing algorithms. This paper suggests the generic unpacking mechanism using the method estimating the unpacking point through the variation of entropy values.