• Title/Summary/Keyword: Binary Code Analysis


Malicious Code Injection Vulnerability Analysis in the Deflate Algorithm (Deflate 압축 알고리즘에서 악성코드 주입 취약점 분석)

  • Kim, Jung-hoon
    • Journal of the Korea Institute of Information Security & Cryptology / v.32 no.5 / pp.869-879 / 2022
  • Through this study, we discovered that among the three types of compressed data blocks generated by the Deflate algorithm, the No-Payload Non-Compressed Block type (NPNCB), which has no literal data, can be generated at will and inserted between normal compressed blocks. In the header of the non-compressed block there is a data area that exists only for byte alignment, and we call this area the DBA (Disposed Bit Area), where an attacker can hide various malicious codes and data. Finally, we found the vulnerability that hides malicious code or arbitrary data by inserting NPNCBs with an infected DBA between normal compressed blocks according to a pre-designed attack scenario. Experiments show that even though contaminated NPNCB blocks were inserted between normal compressed blocks, commercial programs decoded the contaminated zip file normally without any warning, and the malicious code could be executed by a malicious decoder.

Improved Original Entry Point Detection Method Based on PinDemonium (PinDemonium 기반 Original Entry Point 탐지 방법 개선)

  • Kim, Gyeong Min;Park, Yong Su
    • KIPS Transactions on Computer and Communication Systems / v.7 no.6 / pp.155-164 / 2018
  • Many malicious programs have been compressed or encrypted using various commercial packers to prevent reverse engineering, so malware analysts must decompress or decrypt them first. The OEP (Original Entry Point) is the address of the first instruction executed after the encrypted or compressed executable file has been returned to its original binary state. Several unpackers, including PinDemonium, execute the packed file, keep track of the addresses until the OEP appears, and look for the OEP among those addresses. However, instead of finding the one exact OEP, unpackers provide a relatively large set of OEP candidates, and sometimes the OEP is missing from the candidates. In other words, existing unpackers have difficulty finding the correct OEP. We have developed a new tool that provides smaller OEP candidate sets by adding two methods based on properties of the OEP. In this paper, we propose two methods that provide smaller OEP candidate sets by using the property that the function call sequence and parameters are the same between the packed program and the original program. The first method is based on function calls. Programs written in C/C++ are compiled into binary code, and compiler-specific system functions are added to the compiled program. After examining these functions, we added to PinDemonium a method that detects the unpacking work by matching the patterns of system functions called in packed programs and unpacked programs. The second method is based on parameters. The parameters include not only user-entered inputs but also system inputs. We added to PinDemonium a method that finds the OEP using the system parameters of a particular function in stack memory. OEP detection experiments were performed on sample programs packed by 16 commercial packers. We reduce the OEP candidates by more than 40% on average compared to PinDemonium, except for two commercial packers that cannot be executed due to their anti-debugging techniques.

A Study of The Binary Code to Intermediate Language Translator for Analysis of Software Weakness (소프트웨어 보안약점 분석을 위한 바이너리 코드-중간언어 변환기에 관한 연구)

  • Lee, Tae-Gue;Lim, Jung-Ho;Baik, Do-Woo;Son, Yunsik;Jeong, Junho;Ko, Kwangman;Oh, Seman
    • Proceedings of the Korea Information Processing Society Conference / 2017.04a / pp.276-279 / 2017
  • Today the share of software in every part of society is continuously increasing. Software is also growing in scale, and at the same time the cases in which it handles individuals' important information are increasing rapidly, so verifying the security of software is a very important problem. However, for libraries whose source code is not available, security verification is a very difficult problem; to solve it, the development of techniques for inspecting the security weaknesses present in binaries is strongly required, and for this purpose techniques that analyze security weaknesses using an intermediate language are being actively discussed. In this paper, in order to analyze the security weaknesses present in binary code effectively, we propose a system that translates binary code into an intermediate language suited to security weakness analysis.

Design and Implementation of Server-based Resource Obfuscation Techniques for Preventing Copyrights Infringement to Android Contents (안드로이드 콘텐츠 저작권 침해 방지를 위한 서버 기반 리소스 난독화 기법의 설계 및 구현)

  • Park, Heewan
    • The Journal of the Korea Contents Association / v.16 no.5 / pp.13-20 / 2016
  • Most software is distributed in a binary file format, so reverse engineering is not easy. But Android is based on Java and runs on a virtual machine, so Android applications can be analyzed by reverse engineering tools. To overcome this problem, various obfuscation techniques have been developed. In the Android environment, ProGuard is the most widely used because it is included in the Android SDK distribution package. ProGuard can protect the Java source code from reverse engineering analysis, but it has no function to protect resources such as images, sounds and databases. In this paper, we propose and implement a resource obfuscation framework to protect the resources of Android applications. We expect that this framework can protect Android resources effectively.

An Analysis Technique for Encrypted Unknown Malicious Scripts (알려지지 않은 악성 암호화 스크립트에 대한 분석 기법)

  • Lee, Seong-Uck;Hong, Man-Pyo
    • Journal of KIISE: Information Networking / v.29 no.5 / pp.473-481 / 2002
  • Decryption of encrypted malicious scripts is essential in order to analyze the scripts and to determine whether they are malicious. An effective decryption technique is one that is designed to consider the characteristics of the script languages rather than specific encryption patterns. However, X-raying and emulation are currently not the proper techniques for scripts because they were designed to decrypt binary malicious codes. In addition, heuristic techniques are unable to decrypt unknown script codes that use unknown encryption techniques. In this paper, we propose a new technique that is able to decrypt malicious scripts based on an analytical approach, and we describe its implementation.

The Photometric Analysis Of The W Subtype Contact Binary EK Comae Berenices

  • Song, Mi-Hwa;Kim, Chun-Hwey;Lee, Jae Woo
    • The Bulletin of The Korean Astronomical Society / v.42 no.2 / pp.64.1-64.1 / 2017
  • The contact binary EK Com is a late-type eclipsing binary with a short period of 0.2667 days; because of changes in its light curve, different researchers have assigned it different subtypes, so its subtype has been a source of confusion. We obtained three new light curves from CCD photometric observations at Sobaeksan Optical Astronomy Observatory: with VR filters in May 2009, with BVRI filters between February and May 2013, and with an R filter between January and April 2016. From our observations and the public SuperWASP data we derived 40 new times of minimum light. Including these, we collected 155 times of minimum light from the literature and carried out a period study, finding that the orbital period of EK Com varies with a secular period increase superimposed on an 8.2-year cyclic variation. Examining the causes of these period changes, we showed that the secular change can be produced by mass transfer from the less massive star to the more massive one, and the cyclic variation by magnetic activity of the more massive primary star. Light-curve analysis with the Wilson-Devinney code showed that EK Com belongs to the W subtype, in which the total eclipse occurs at the primary minimum, rather than subtype A, in which it occurs at the secondary minimum, and that a model with one hot spot and one cool spot best explains the observations for all light curves. In the HR diagram and the temperature-ratio and mass diagrams of W UMa-type stars, EK Com lies where the W-type group is located. This is consistent with the subtype of EK Com inferred from the light curves.

Analysis in Technological Responses to Side-channel Attack (부채널 공격에 대한 대응기술 분석)

  • d, Young-Jin;Jo, JungBok;Lee, HoonJae
    • Proceedings of the Korean Institute of Information and Communication Sciences Conference / 2013.05a / pp.219-222 / 2013
  • The side-channel attack methods proposed by P. Kocher are mainly used for the cryptanalysis of different cipher algorithms, even though those algorithms are claimed to be strongly secure. Such attacks depend on the implementation environment, especially on the hardware implementation of the algorithm in the crypto module. Side-channel attacks are a type of attack introduced by P. Kocher and are applicable according to each environment or method in which a design is realized. This kind of attack can analyze and extract important information from the binary code data by measuring changes in electrical (voltage) consumption, running time, error output and sound. Thus, in this paper, we discuss recent SPA and DPA attacks as well as recent countermeasure techniques.

Analysis for Time Offset of PN Sequence in CDMA System (CDMA 시스팀에서의 PN 부호 시간차 측정 기법)

  • 전정식;한영열
    • The Journal of Korean Institute of Communications and Information Sciences / v.19 no.5 / pp.971-980 / 1994
  • The need for increased capacity in cellular systems has resulted in the adoption of digital technology with CDMA as the channel access method. It has been recognized that distinguishing base stations is important for performance in CDMA, since the same spreading sequences are used by all base stations. Time offsets of the pseudo-random noise binary code are used to distinguish the signals received at a mobile station from different base stations. But the start of the zero-offset PN sequence is chosen arbitrarily, without a systematic and mathematical basis. This paper proposes a method that defines the start of the zero-offset PN sequence mathematically. This paper also discusses a method that can easily calculate the time offset of the received spreading sequence with respect to the zero-offset PN sequence.

A Vertex-Detecting of Hanguel Patterns Using Nested Contour Shape (중첩윤곽 형상에 의한 한글패턴의 정점검출)

  • Koh, Chan;Lee, Dai-Young
    • The Journal of Korean Institute of Communications and Information Sciences / v.15 no.2 / pp.112-123 / 1990
  • This paper presents a vertex-detecting method for Hanguel patterns using nested contour shape. Input binary character patterns are transformed by a distance transformation method, and a new file of transformed data is produced by analysis of their characteristics. A new vertex-detecting algorithm for recognizing Hanguel patterns using the two data files is proposed. This algorithm is able to reduce the projecting parts of a Hanguel pattern, separate the connecting parts between different strokes, and set the code number by the transformed value of coorked features. It produces output results that can be applied to Hanguel recognition.

A Cross-Platform Malware Variant Classification based on Image Representation

  • Naeem, Hamad;Guo, Bing;Ullah, Farhan;Naeem, Muhammad Rashid
    • KSII Transactions on Internet and Information Systems (TIIS) / v.13 no.7 / pp.3756-3777 / 2019
  • Recent internet development is helping malware authors to generate malicious code variants through automated tools. For this reason, the number of malicious variants is increasing day by day. Consequently, improving the performance of malware analysis is a critical requirement for stopping the rapid expansion of malware. Existing research has shown that the similarities among malware variants can be used for detection and family classification. In this paper, a Cross-Platform Malware Variant Classification System (CP-MVCS) is proposed that converts a malware binary into a grayscale image. Malicious features are then extracted from the grayscale image through the Combined SIFT-GIST Malware (CSGM) description, and these features are used to identify the family of the malware variant. CP-MVCS reduces computational time and improves classification accuracy by using the CSGM feature description together with machine learning classification. The experiments were performed on four publicly available datasets of Windows OS and Android OS. The experimental results showed that the computation time and malware classification accuracy of CP-MVCS were better than those of traditional methods. The evaluation also showed that CP-MVCS not only differentiates families of malware variants but also efficiently identifies both malware and benign samples in a mixed set.