• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.7 no.3
• /
• pp.576-599
• /
• 2013

Protocol reverse engineering is useful for many security applications, including intelligent fuzzing, intrusion detection and fingerprint generation. Since manual reverse engineering is a time-consuming and tedious process, a number of automatic techniques have been proposed. However, the accuracy of these techniques is limited due to the complexity of binary instructions, and the derived formats have missed constraints that are critical for security applications. In this paper, we propose a new approach for protocol format extraction. Our approach reasons about only the evaluation behavior of a program on the input message from concolic execution, and enables field identification and constraint inference with high accuracy. Moreover, it performs binary analysis with low complexity by reducing modern instruction sets to BIL, a small, well-specified and architecture-independent language. We have implemented our approach into a system called Icefex and evaluated it over real-world implementations of DNS, eDonkey, FTP, HTTP and McAfee ePO protocols. Experimental results show that our approach is more accurate and effective at extracting protocol formats than other approaches.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.10 no.10
• /
• pp.4933-4956
• /
• 2016

Use-After-Free (UAF) is a common lethal form of software vulnerability. By using tools such as Web Browser Fuzzing, a large amount of samples containing UAF vulnerabilities can be generated. To evaluate the threat level of vulnerability or to patch the vulnerabilities, automatic deduplication and exploitability determination should be carried out for these samples. There are some problems existing in current methods, including inadequate pertinence, lack of depth and precision of analysis, high time cost, and low accuracy. In this paper, in terms of key dangling pointer and crash context, we analyze four properties of similar samples of UAF vulnerability, explore the method of extracting and calculate clustering eigenvalues from these samples, perform clustering by fast search and find of density peaks on a large number of vulnerability samples. Samples were divided into different UAF vulnerability categories according to the clustering results, and the exploitability of these UAF vulnerabilities was determined by observing the shape of class cluster. Experimental results showed that the approach was applicable to the deduplication and exploitability determination of a large amount of UAF vulnerability samples, with high accuracy and low performance cost.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.3
• /
• pp.557-564
• /
• 2019

As the number and type of software increases, those security vulnerabilities are also increasing. Various types of software may have multiple vulnerabilities and those vulnerabilities as they can cause irrecoverable significant damage must be detected and deleted quickly. Various studies have been carried out to detect the vulnerability of the current software, but it is slow, and prediction accuracy is low. Therefore, in this paper, we describe a method to efficiently predict software vulnerability by using neural network algorithm and compare prediction accuracy with conventional system using machine learning algorithm. As a result of the experiment, the prediction system proposed in this paper showed the highest prediction rate.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2013.11a
• /
• pp.831-834
• /
• 2013

최근 퍼징(Fuzzing, Fuzz Testing)이 소프트웨어의 취약점을 찾아내기 위한 방법으로 활발하게 사용되고 있다. 퍼징은 반복적으로 비정상적인 데이터를 무작위로 생성하여 대상 소프트웨어에 입력 값으로 전달해 오작동을 유도하고, 오작동의 원인을 분석하여 소프트웨어의 취약성을 찾아낸다. 퍼징에서 사용되는 입력 값인 테스트 케이스에 따라서 취약점 탐지율 및 탐지 시간이 결정된다. 따라서 어떻게, 어떤 테스트 케이스를 생성하여 퍼징을 실행 할 것인지가 퍼징 연구의 핵심이다. 퍼징을 위해 생성하는 테스트 케이스는 숫자가 굉장히 많기 때문에 최근에 테스트 케이스의 크기를 축약하여 퍼징 결과 분석을 위해 소요되는 시간을 줄이는 연구가 발하게 진행되고 있다. 본 논문에서는 테스트 케이스 축약에 이용되는 다양한 알고리즘들에 대해 소개하고, 그 각각을 비교 분석하여 향후 퍼징의 테스트 케이스 축약에 관한 연구에 기여하고자 한다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.6
• /
• pp.1023-1030
• /
• 2020

Wearable devices, such as a smart watch and a wrist band, store owner's private information in the devices so that security in a high level is required. Applications developed by third parties in Tizen request for an access to designated services through the desktop bus (D-Bus). The D-Bus verifies application's privileges to grant the request for an access. We developed a fuzzing tool, so-called DAN (the D-bus ANalyzer), to detect errors in implementations for privilege verifications and access controls within Tizen's system services. The DAN has found a number of vulnerable services which granted accesses to unauthorized applications. We built a proof-of-concept application based on those findings to demonstrate a bypass in the privilege examination.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2024.05a
• /
• pp.183-186
• /
• 2024

IoT(Internet of Things) 기기가 다양한 산업 분야에 활용되면서, 보안과 유지 보수를 위한 관리의 중요성이 커지고 있다. 편리한 IoT 기기 관리를 위해 무선 네트워크를 통한 펌웨어 업데이트 기술인 FOTA(Firmware Over The Air)가 적용되어 있지만, 컴퓨팅 파워가 제한된 경량 IoT 기기 특성상 취약점 탐지를 수행하기 어렵다. 본 연구에서는 IoT 기기들이 퍼징 테스트 케이스를 분할하여 협력적으로 퍼징하고, 노드 간의 퍼징 결과가 다르면 재검증을 수행하는 협력적 퍼징 기법을 제안한다. 실험 결과에 따르면, 중복되는 테스트 케이스를 2 개나 3 개 퍼징하는 협력적 퍼징 기법은 종래 방식 대비 연산량을 최소 약 16%, 최대 약 48% 줄였다. 또한, 종래 퍼징 기법 대비 취약점 탐지 성공률(Success rate of vulnerability detection)을 최소 약 3 배, 최대 약 3.4 배 개선시켰다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2024.05a
• /
• pp.323-326
• /
• 2024

본 연구에서는 커널 퍼저인 Syzkaller 를 사용하여 리눅스 커널의 네트워크 서브시스템을 퍼징하고 그 결과를 분석하여, 높은 커버리지를 달성하기가 왜 어려운지 분석하고 이를 개선하기 위한 방법들을 제안한다. 첫 번째 실험에서는 TCP 및 IPv4 소켓과 관련된 시스템 콜 및 매개변수만 허용하여 리눅스 커널 네트워크 퍼징을 진행하고, 두 번째 실험에서는 Syzkaller 가 지원하는 모든 시스템 콜을 포함하도록 범위를 확장한다. 첫 번째 실험 결과, 퍼징 시작 약 55 시간만에 TCP 연결 수립에 성공하였다. 두 번째 실험 결과, 첫 번째 실험보다 전반적인 커버리지와 라우팅 서브시스템의 커버리지는 개선되었으나 TCP 연결 수립에는 실패하였다. TCP 연결 수립을 위해서는 서버의 IP 주소 및 포트번호를 클라이언트가 무작위 입력 생성을 통해 맞혀야 하는데, 이 과정에서 시간이 오래 걸리기 때문에 연결 수립이 쉽게 이루어지지 않는 것으로 분석된다. 추가적으로, 본 연구에서는 TCP 연결 수립을 쉽게 하기 위한 하이브리드 퍼징, IP 패킷 포워딩 허용, 패킷 description 없이 퍼징 등 Syzkaller 를 이용하여 리눅스 커널 네트워크 서브시스템을 더 효율적으로 퍼징할 수 있는 방법들을 제안한다.

• KIISE Transactions on Computing Practices
• /
• v.22 no.4
• /
• pp.178-183
• /
• 2016

To enhance the reliability of programs, developers use fuzzing tools in test processes to identify vulnerabilities so that they can be fixed ahead of time. In this case, the developers consider the security-related vulnerabilities to be the most critical ones that should be urgently fixed to avoid possible exploitation by attackers. However, developers without much experience of analysis of vulnerabilities usually rely on tools to pick out the security-related crashes from the normal crashes. In this paper, we suggest a static analysis-based tool to help developers to make their programs more reliable by identifying security-related crashes among them. This paper includes experimental results, and compares them to the results from MSEC !exploitable for the same sets of crashes.

• Smart Media Journal
• /
• v.9 no.3
• /
• pp.71-79
• /
• 2020

Mobile network is used by many users worldwide for diverse services, including phone-call, messaging and data transfer over the Internet. However, this network may experience massive damage if it is exposed to cyber-attacks or denial-of-service attacks via wireless communication interference. Because the mobile network is also used as an emergency network in cases of disaster, evaluation or verification for security and safety is necessary as an important nation-wide asset. However, it is not easy to analyze the mobile core network because it's built and serviced by private service providers, exclusively operated, and there is even no separate network for testing. Thus, in this paper, a virtual mobile network is built using OpenAirInterface, which is implemented based on 3GPP standards and provided as an open source software, and the structure and protocols of the core network are analyzed. In particular, the S1AP protocol messages captured on S1-MME, the interface between the base station eNodeB and the mobility manager MME, are analyzed to identify potential security threats by evaluating the effect of the messages sent from the user terminal UE to the mobile core network.

• KIPS Transactions on Computer and Communication Systems
• /
• v.3 no.2
• /
• pp.31-42
• /
• 2014

Debugger systems are necessary to apply dynamic program analysis when evaluating security properties of embedded system software. It may be possible to make the use of software-based debugger and/or DBI framework if target devices support general purpose operating systems, however, constraints on applicability as well as environmental transparency might be incurred thereby hindering overall analyzability. Analysis with JTAG (IEEE 1149.1) debugging devices can overcome these difficulties in that no change would be involved in terms of internal software environment. In that sense, JTAG API can facilitate to practically perform dynamic program analysis for evaluating security properties of target device software. In this paper, we introduce an implementation of JTAG API to enable analysis of ARM core based embedded systems. The API function set includes the categories of debugger and target device controls: debugging environment and operation. To verify API applicability, we also provide example analysis tool implementations: our JTAG API could be used to build kernel function fuzzing and live memory forensics modules.