• Title/Summary/Keyword: disassembly (역어셈블)

A Method of Detecting Pointer Access Error based on Disassembled Codes (역어셈블에 기반한 포인터 참조 오류 검출 방법)

  • Kim, Hyunsoo;Kim, Byeong Man;Huh, Nam Chul;Shin, Yoon Sik
    • Journal of Korea Society of Industrial Information Systems / v.20 no.5 / pp.13-23 / 2015
  • This thesis proposes a method for effectively detecting memory errors with low occurrence frequency that may occur depending on the runtime situation, by analyzing the assembly code obtained by disassembling an executable file. When the proposed method is applied to various programs having no compilation error, a total of about 750 potential errors are detected in about 90 seconds among 1 million lines of assembly code corresponding to a total of about 10 thousand functions.

A Disassembly Technique of ARM Position-Independent Code with Value-Set Analysis Having Symbol-Form Domain (기호 형태의 값-집합 분석을 이용한 ARM 위치 독립적 코드의 정교한 역어셈블리 기법)

  • Ha, Dongsoo;Oh, Heekuck
    • Journal of the Korea Institute of Information Security & Cryptology / v.28 no.5 / pp.1233-1246 / 2018
  • With the proliferation of smart mobiles, disassembly techniques for position-independent code (PIC) composed of ARM architecture instructions are becoming more important in computer security. However, existing techniques have been studied on the x86 architecture and are focused on solving the problems of non-PIC and generality. Therefore, the accuracy of the collected address information is too low to apply to advanced security technologies such as binary measurement. In this paper, we propose a disassembly technique that reflects the characteristics of PIC composed of ARM instructions. To accurately collect traceable addresses, we designed a value-set analysis having a symbol-form domain. To solve the main problem of disassembly, we devised a heuristic using the characteristics of the code generated by the compiler. To verify the accuracy and effectiveness of our technique, we tested 669 shared libraries and executables in the Android 8.1 build, resulting in a total disassembly rate of 91.47%.

Disassembly and De-Compilation Based Data Logging for Mobile App Usage Analysis (모바일 앱 사용행태 분석을 위한 역컴파일 및 역어셈블 데이터 로깅)

  • Kim, Myoung-Jun;Nam, Yanghee
    • Journal of Information Technology Applications and Management / v.21 no.4 / pp.127-139 / 2014
  • This study presents a logging method to trace the usage patterns of existing smartphone apps. The actual smartphone app itself, rather than a specially developed similar app with usage logging, is best used for the experiment of observing usage patterns. For this purpose, we used a method of injecting logging code into an existing smartphone app. Using this method, we conducted an experiment to trace the usage patterns of a commercial IPTV app, and found that the method is very useful for acquiring detailed usage logs without influencing participants.

Web-based XML Document Generation Supporting Java Byte Code Understanding (웹 기반의 Java 바이트 코드의 이해를 지원하는 XML 문서 생성)

  • 나강숙;이재현;유철중;장옥배
    • Proceedings of the Korean Information Science Society Conference / 2000.04a / pp.585-587 / 2000
  • This paper aims to generate XML (eXtensible Markup Language) documents that support the understanding of web-based Java bytecode. Existing XML documents have the advantage that users can create arbitrary tags and extend them, but the disadvantage that they provide only static tag information about a program. Therefore, it is necessary to add to XML documents, which provide only static information, the dynamic information on method calls that can be obtained by disassembling the Java bytecode with javap. The significance of this paper is that it improves the understanding of Java programs by providing a function that lets clients download, over the web, XML documents containing both the dynamic and the static information about such Java bytecode.

ARM Instruction Set Architecture Analysis for Binary Analysis (바이너리 분석을 위한 ARM 명령어 구조 분석)

  • Jung, Seungil;Ryu, Chanho
    • Proceedings of the Korean Society of Computer Information Conference / 2018.07a / pp.167-170 / 2018
  • This paper analyzes the structure of ARM for binary analysis. Binary analysis means analyzing the meaning of binary values consisting of 0s and 1s. By disassembling binary code, one can find out which instruction, and which operands, the data that exists only as values represents. When source code is compiled and an executable file is generated, the file consists of binary values, and such an executable file is also called a binary file. To analyze a binary file, one must know the instruction set architecture of the CPU. Among the ARM architectures widely used in PCs, servers and mobile devices, we analyze the instruction structure of AArch64 (ARMv8), which supports 64 bits, in order to lay the foundation for efficient binary analysis.

An Efficient Intel Assembler Tool Design (효율적인 인텔 어셈블러 도구 설계)

  • Jung, Seungil;Ryou, Jae-Cheol
    • Proceedings of the Korean Society of Computer Information Conference / 2020.07a / pp.119-122 / 2020
  • Binary analysis is required to analyze malware for which no source code is available or to analyze software vulnerabilities. Among the tools for binary analysis, the assembler runs inside the compiler without user input, so there is little research from the user's point of view. However, during binary analysis an assembler is needed into which the user can enter assembly language and check the result, in order to verify the correctness of the disassembly and of the intermediate representation. In this paper, we propose an assembler tool that converts assembly language into binary code, implemented in the functional language F#, with the assembly process designed efficiently. Using F#'s powerful pattern matching, we designed and implemented a process that handles hundreds of instructions uniformly and intuitively.

Extraction Scheme of Function Information in Stripped Binaries using LSTM (스트립된 바이너리에서 LSTM을 이용한 함수정보 추출 기법)

  • Chang, Duhyeuk;Kim, Seon-Min;Heo, Junyoung
    • Journal of Software Assessment and Valuation / v.17 no.2 / pp.39-46 / 2021
  • To analyze and defend against malware, reverse engineering is used to identify function location information. However, in a stripped binary it is not easy to find information such as function locations, because the function symbol information has been removed. To solve this problem there are various binary analysis tools such as BAP and BitBlaze IDA Pro, but they are based on heuristic methods, so they do not perform well in general. In this paper, we propose a technique to extract function information using LSTM-based models, applying an N-byte method that extracts the bytes of the binary corresponding to instructions disassembled in a recursive-descent manner. Through experiments, the proposed technique proved superior to the existing techniques in terms of time and accuracy.

Detection of Potential Memory Access Errors based on Assembly Codes (어셈블리어 코드 기반의 메모리 오류 가능성 검출)

  • Kim, Hyun-Soo;Kim, Byeong-Man;Bae, Hyun-Seop;Chung, In-Sang
    • The KIPS Transactions:PartD / v.18D no.1 / pp.35-44 / 2011
  • Memory errors can cause not only program malfunctions but even unexpected system halts. Though a programmer checks for memory errors, some memory errors with low occurrence frequency go undetected. In this paper, we propose a method for effectively detecting such memory errors using instruction transition diagrams, by analyzing the assembly code obtained by disassembling an executable file. Out of the various memory errors, local memory return errors, null pointer access errors and uninitialized pointer access errors are targeted for detection. When the proposed method is applied to various programs, including well-known open source programs such as the Apache web server and the PHP script interpreter, some potential memory errors are detected.

Detection of Potential Invalid Function Pointer Access Error based on Assembly Codes (어셈블리어 코드 기반의 Invalid Function Pointer Access Error 가능성 검출)

  • Kim, Hyun-Soo;Kim, Byeong-Man
    • Proceedings of the Korean Institute of Information and Communication Sciences Conference / 2010.05a / pp.938-941 / 2010
  • Though a compiler checks for memory errors, it is difficult for the compiler to detect function pointer errors at the code level. Thus, in this paper, we propose a method for effectively detecting invalid function pointer access errors by analyzing the assembly code obtained by disassembling an executable file. To detect the errors, the assembly code in the disassembled files is checked against instruction transition diagrams constructed by analyzing the normal usage patterns of function pointer access. When the proposed method is applied to various programs having no compilation error, a total of about 500 potential errors, including ones in well-known open source programs such as the Apache web server and the PHP script interpreter, are detected among 1 million lines of assembly code corresponding to a total of about 10 thousand functions.

Study on the comparison result of Machine code Program (실행코드 비교 감정에서 주변장치 분석의 유효성)

  • Kim, Do-Hyeun;Lee, Kyu-Tae
    • Journal of Software Assessment and Valuation / v.16 no.1 / pp.37-44 / 2020
  • The similarity of software is extracted through verification that compares the source code. The source code is the intellectual property of the developer, written in a programming language, and the source code, written in text format, contains the developer's expertise and ideas. Verification for judging the illegal use of software copyright is performed by comparing the structure and contents of the files with the source code of the original and the suspected illegal copy. However, a one-to-one comparison is hard to do in practice, because the suspected source code is often not submitted, whether intentionally or unconsciously, and such cases are increasing. In this case, a comparative evaluation of the execution code should be performed, and indirect methods such as reverse assembling, reverse engineering techniques, and sequence analysis of function execution are applied. In this paper, we analyzed the effectiveness of indirect comparison results through practical evaluation. It also proposes a method of using the system and the executable code files as verification results.