• Journal of IKEEE
• /
• v.27 no.1
• /
• pp.93-102
• /
• 2023

As one of the techniques for analyzing malicious code, techniques creating a sequence or a graph of function call relationships in an executable program and then analyzing the result are proposed. Such methods generally study function calling in the executable program code through static analysis and organize function call relationships into a sequence or a graph. However, in the case of an obfuscated executable program, it is difficult to analyze the function call relationship only with static analysis because the structure/content of the executable program file is different from the standard structure/content. In this paper, we propose a dynamic analysis method to analyze the function call relationship of an obfuscated execution program. We suggest constructing a function call relationship as a graph using the proposed technique.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.14 no.5
• /
• pp.2084-2100
• /
• 2020

Operating system (OS) kernel function call graphs have been widely used in OS analysis and defense. However, most existing methods and tools for generating function call graphs are designed for application programs, and cannot be used for generating OS kernel function call graphs. This paper proposes a virtualization-based call graph generation method called Acquire in Trap (AIT). When target kernel functions are called, AIT dynamically initiates a system trap with the help of a virtualization technique. It then analyzes and records the calling relationships for trap handling by traversing the kernel stacks and the code space. Our experimental results show that the proposed method is feasible for both Linux and Windows OSs, including 32 and 64-bit versions, with high recall and precision rates. AIT is independent of the source code, compiler and OS kernel architecture, and is a universal method for generating OS kernel function call graphs.

• Journal of IKEEE
• /
• v.25 no.3
• /
• pp.451-461
• /
• 2021

As various smart devices spread and the damage caused by malicious codes becomes more serious, malicious code detection technology using machine learning technology is attracting attention. However, if the training data of machine learning is constructed based on only the fragmentary characteristics of the code, it is still easy to create variants and new malicious codes that avoid it. To solve such a problem, a research using the function call relationship of malicious code as training data is attracting attention. In particular, it is expected that more advanced malware detection will be possible by measuring the similarity of graphs using GNN. This paper proposes an efficient method to generate a function call graph from binary code to utilize GNN for malware detection.

• Journal of the Chungcheong Mathematical Society
• /
• v.23 no.4
• /
• pp.657-661
• /
• 2010

We study a singular function which we call a generalized cylinder convex(concave) function induced from different generalized dyadic expansion systems on the unit interval. We show that the generalized cylinder convex(concave)function is a singular function and the length of its graph is 2. Using a local dimension set in the unit interval, we give some characterization of the distribution set using its derivative, which leads to that this singular function is nowhere differentiable in the sense of topological magnitude.

• Journal of applied mathematics & informatics
• /
• v.33 no.1_2
• /
• pp.101-110
• /
• 2015

A Total Mean Cordial labeling of a graph G = (V, E) is a function $f:V(G){\rightarrow}\{0,1,2\}$ such that $f(xy)={\Large\lceil}\frac{f(x)+f(y)}{2}{\Large\rceil}$ where $x,y{\in}V(G)$, $xy{\in}E(G)$, and the total number of 0, 1 and 2 are balanced. That is ${\mid}ev_f(i)-ev_f(j){\mid}{\leq}1$, $i,j{\in}\{0,1,2\}$ where $ev_f(x)$ denotes the total number of vertices and edges labeled with x (x = 0, 1, 2). If there is a total mean cordial labeling on a graph G, then we will call G is Total Mean Cordial. Here, We investigate the Total Mean Cordial labeling behaviour of prism, gear, helms.

• Journal of the Korea Society of Computer and Information
• /
• v.11 no.4 s.42
• /
• pp.87-96
• /
• 2006

Although bytecode has many good features, it has slow execution speed and it is not an ideal representation for program analysis or optimization. For analysises and optimizations. bytecode must be translated to a Static Single Assignment Form(SSA Form) But when bytecode is translated a SSA Form it has lost type informations of son variables. For resolving these problem in this paper, we create extended control flow graph on bytecode. Also we convert the control flow graph to SSA Form for static analysis. Calculation about many informations such as dominator, immediate dominator. dominance frontier. ${\phi}$-Function. renaming are required to convert to SSA Form. To obtain appropriate type for generated SSA Form, we proceed the followings. First. we construct call graph and derivation graph of classes. And the we collect information associated with each node. After finding equivalence nodes and constructing Strongly Connected Component based on the collected informations. we assign type to each node.

• Journal of the Korea Society of Computer and Information
• /
• v.16 no.6
• /
• pp.51-59
• /
• 2011

In domestic, the binary code analysis technology is insufficient. In general, an executable file that is installed on your computer without the source code into an executable binary files is given only the most dangerous, or because it is unknown if the action is to occur. In this paper, static program analysis at the binary level to perform the design and implementation framework. In this paper, we create a control flow graph. We use the graph of the function call and determine whether dangerous. Through Framework, analysis of binary files is easy.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.6
• /
• pp.1079-1085
• /
• 2020

Fuzzing is used to find vulnerabilities for a library. Because library fuzzing only tests the implemented functions, in order to achieve higher code coverage, additional functions that are not implemented should be implemented. However, if a function is added without regard to the calling relationship of the functions in the library, a problem may arise that the function that has already been tested is added. We propose a novel method to improve the code coverage of library fuzzing. First, we analyze the function call graph of the library to efficiently add the functions for library fuzzing, and additionally implement a library function that has not been implemented. Then, we apply a hybrid fuzzing to explore for branches with complex constraints. As a result of our experiment, we observe that the proposed method is effective in terms of increasing code coverage on OpenSSL, mbedTLS, and Crypto++.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.2
• /
• pp.365-375
• /
• 2019

A PLC (Programmable Logic Controller) is a highly-reliable industrial digital computer which supports real-time embedded control applications for safety-critical control systems. Real-time operating systems such as uC/OS have been used for PLCs and must meet real-time constraints. As PLCs have been widely used for industrial control systems and connected to the Internet, they have been becoming a main target of cyberattacks. In this paper, we propose an execution code sanitizer to enhance the security of PLC systems. The proposed sanitizer analyzes PLC programs developed by an IDE before downloading the program to a target PLC, and mitigates security vulnerabilities of the program. Our sanitizer can detect vulnerable function calls and illegal memory accesses in development of PLC programs using a database of vulnerable functions as well as the other database of code patterns related to pointer misuses. Based on these DBs, it detects and removes abnormal use patterns of pointer variables and existence of vulnerable functions shown in the call graph of the target executable code. We have implemented the proposed technique and verified its effectiveness through experiments.