Title/Summary/Keyword: Software Source Code


Systematic and Comprehensive Comparisons of the MOIS Security Vulnerability Inspection Criteria and Open-Source Security Bug Detectors for Java Web Applications (행정안전부 소프트웨어 보안 취약점 진단기준과 Java 웹 어플리케이션 대상 오픈소스 보안 결함 검출기 검출대상의 총체적 비교)

  • Lee, Jaehun;Choe, Hansol;Hong, Shin
    • Journal of Software Engineering Society / v.28 no.1 / pp.13-22 / 2019
  • To enhance effective and efficient applications of automated security vulnerability checkers in the highly competitive and fast-evolving IT industry, this paper studies a comprehensive set of security bug checkers in open-source static analysis frameworks and how they can be utilized for source code inspections according to the security vulnerability inspection guidelines by MOIS. This paper clarifies the relationship between all 42 inspection criteria in the MOIS guideline and a total of 323 security bug checkers in 4 popular open-source static analysis frameworks for Java web applications. Based on the result, this paper also discusses the current challenges and issues in the MOIS guideline, the comparison among the four security bug checker frameworks, and ideas to improve security inspection methodologies using the MOIS guideline and open-source static security bug checkers.

A study on Dirty Pipe Linux vulnerability

  • Tanwar, Saurav;Kim, Hee Wan
    • International Journal of Internet, Broadcasting and Communication / v.14 no.3 / pp.17-21 / 2022
  • In this study, we wanted to examine the new vulnerability 'Dirty Pipe' that was found in the Linux kernel: how it is exploited, what its limitations are, where it exists, techniques to overcome it, and an analysis of the Linux kernel package. The study used the hmark[1] program to check the vulnerabilities. Hmark is a whitebox testing tool that helps to analyze vulnerabilities based on static whitebox testing and automated verification. For the purpose of our study, we analyzed Linux kernel code downloaded from an open-source website. Then, by analyzing the hmark tool results, we identified in which file of the kernel the vulnerability exists and its CVSS level, and statistically depicted the vulnerabilities on a graph that is easy to understand. Furthermore, we talk about some software we can use to analyze a vulnerability and how the hmark software works. The Dirty Pipe vulnerability in Linux allows non-privileged users to execute malicious code capable of a host of destructive actions, including installing backdoors into the system, injecting code into scripts, altering binaries used by elevated programs, and creating unauthorized user profiles. This bug is being tracked as CVE-2022-0847 and has been termed "Dirty Pipe"[2] since it bears a close resemblance to Dirty Cow[3], an easily exploitable Linux vulnerability from 2016 which granted a bad actor an identical level of privileges and powers.

Analysis on Dynamic Software Defects for Increasing Weapon System Reliability (국방 무기체계 소프트웨어 신뢰성 향상을 위한 소프트웨어 동적 결함 분석)

  • Park, Jihyun;Choi, Byoungju
    • KIPS Transactions on Software and Data Engineering / v.7 no.7 / pp.249-258 / 2018
  • The importance of software in military weapon systems is increasing, and the software structure is becoming more complicated. We therefore must thoroughly verify its reliability. In particular, defects from the interaction of the software components that make up the weapon system are difficult to prevent only with static testing and code-coverage-level dynamic testing. In this paper, we classify dynamic software defect types and analyze the issues reported in the Open Source Software (OSS) used in US Department of Defense weapon systems. The dynamic defects classified in this paper usually occur after integration, and they are difficult to reproduce and their causes are difficult to identify. Based on this analysis, we come to the point that the software integration test must be enhanced in order to verify the reliability of the weapon system.

A Custom Code Generation Technique for ASIPs from High-level Language (고급 언어에서 ASIP을 위한 전용 부호 생성 기술 연구)

  • Alam, S.M. Shamsul;Choi, Goangseog
    • Journal of Korea Society of Digital Industry and Information Management / v.11 no.3 / pp.31-43 / 2015
  • In this paper, we discuss a code generation technique for a custom transport triggered architecture (TTA) from a high-level language structure. This methodology is implemented by using the TTA-based Co-design Environment (TCE) tool. The results show how the scheduler exploits instruction-level parallelism in the custom target architecture and source program. Thus, the scheduler generates parallel TTA instructions using lower cycle counts than the sequential scheduling algorithm. Moreover, we use the Tensilica tool to make a comparison with TCE. Because of the efficiency of TTA, TCE takes fewer execution cycles compared to Tensilica configurations. Finally, this paper shows that it requires only 7 cycles to generate the parallel TTA instruction set for implementing Cyclic Redundancy Check (CRC) applications as an input design, and presents the code generation technique to move complexity from the processor software to the hardware architecture. This method can be applied to many channel codecs like CRC and source codecs like High Efficiency Video Coding (HEVC).

Efficient Similarity Analysis Methods for Same Open Source Functions in Different Versions (서로 다른 버전의 동일 오픈소스 함수 간 효율적인 유사도 분석 기법)

  • Kim, Yeongcheol;Cho, Eun-Sun
    • Journal of KIISE / v.44 no.10 / pp.1019-1025 / 2017
  • Binary similarity analysis is used in vulnerability analysis, malicious code analysis, and plagiarism detection. Proving that a function is equal to well-known safe functions of different versions through similarity analysis can help to improve the efficiency of the binary code analysis of malicious behavior as well as the efficiency of vulnerability analysis. However, few studies have been carried out on similarity analysis of the same function across different versions. In this paper, we analyze the similarity of function units through various methods based on function information extractable from binary code, and find a way to analyze efficiently in less time. In particular, we perform a comparative analysis of different versions of the OpenSSL library to determine the way in which similar functions are detected even when the versions differ.

Plagiarism Detection among Source Codes using Adaptive Methods

  • Lee, Yun-Jung;Lim, Jin-Su;Ji, Jeong-Hoon;Cho, Hwaun-Gue;Woo, Gyun
    • KSII Transactions on Internet and Information Systems (TIIS) / v.6 no.6 / pp.1627-1648 / 2012
  • We propose an adaptive method for detecting plagiarized pairs from a large set of source code. This method is adaptive in that it uses an adaptive algorithm and provides an adaptive threshold for determining plagiarism. Conventional algorithms are based on greedy string tiling or on local alignments of two code strings. However, most of them are not adaptive; they do not consider the characteristics of the program set, thereby causing a problem for a program set in which all the programs are inherently similar. We propose adaptive local alignment, a variant of local alignment that uses an adaptive similarity matrix. Each entry of this matrix is the logarithm of the probability of a keyword based on its frequency in a given program set. We also propose an adaptive threshold based on the local outlier factor (LOF), which represents the likelihood of an entity being an outlier. Experimental results indicate that our method is more sensitive than JPlag, which uses greedy string tiling for detecting plagiarism-suspected code pairs. Further, the adaptive threshold based on the LOF is shown to be effective, and the detection performance shows high sensitivity with negligible loss of specificity compared with that of a fixed threshold.

Design and Implementation of the Class Library Management System (클래스 라이브러리 관리 시스템의 설계 및 구현)

  • 장영권
    • Journal of the Korea Society of Computer and Information / v.3 no.3 / pp.47-53 / 1998
  • This paper describes the design and implementation of the Class Library Management System (CLMS), which is used for efficient software reuse. Communication software is various and wide-ranging. It must continually be modified for new demands, have its previous modules maintained, and be extended for new services. Software reuse will enhance software quality and software developers' productivity. The CLMS consists of the Class Register, the Class Retriever, and the Class Browser. The CLMS considers reuse of source code and SDL design specifications.

Automatic identification of Java Method Naming Patterns Using Cascade K-Medoids

  • Kim, Tae-young;Kim, Suntae;Kim, Jeong-Ah;Choi, Jae-Young;Lee, Jee-Huong;Cho, Youngwha;Nam, Young-Kwang
    • KSII Transactions on Internet and Information Systems (TIIS) / v.12 no.2 / pp.873-891 / 2018
  • This paper suggests an automatic approach to extracting Java method implementation patterns associated with method identifiers using Cascade K-Medoids. Java method implementation patterns indicate recurring implementations for achieving the purpose described in the method identifier with the given parameters and return type. If the implementation differs from the purpose, readers of the code tend to take more time to comprehend the method, which eventually increases software maintenance cost. In order to automatically identify implementation patterns and their representative sample code, we first propose three groups of feature vectors for characterizing the Java method signature, the method body, and their relation. Then, we apply Cascade K-Medoids by enhancing the K-Medoids algorithm with the Calinski-Harabasz algorithm. As the evaluation of our approach, we identified 16,768 implementation patterns of 7,169 method identifiers from 50 open source projects. The implementation patterns were validated by 30 industrial practitioners with 1 to 6 years of industrial experience, resulting in 86% precision.

An Android Birthmark based on API k-gram (API k-gram 기반의 안드로이드 버스마크)

  • Park, Heewan
    • KIPS Transactions on Computer and Communication Systems / v.2 no.4 / pp.177-180 / 2013
  • A software birthmark means inherent characteristics that can be used to identify a program. Because a software birthmark is difficult to remove by simple program transformation, it can be used to detect code theft. In this paper, we propose a birthmark technique based on the API k-gram of Android applications. The Android SDK provides various libraries that help programmers develop applications easily. In order to use the Android SDK, we have to use API method calls. The API call instructions are hard to replace or remove, so they can be an inherent characteristic of an application. To show the effectiveness of the proposed birthmark, we compared it with previous birthmarks and evaluated it with open source applications. From the experiments, we verified that the credibility and resilience of our birthmark are higher than those of previous birthmarks.

An Efficient Design Pattern Framework for Automatic Code Generation based on XML (코드 자동 생성을 위한 XML 기반의 효율적인 디자인패턴 구조)

  • Kim, Un-Yong;Kim, Yeong-Cheol;Ju, Bok-Gyu;Choe, Yeong-Geun
    • The KIPS Transactions: Part D / v.8D no.6 / pp.753-760 / 2001
  • Design patterns are design knowledge for solving issues related to extensibility and maintainability that are independent of the problems addressed by the application. Despite vast interest in design patterns, however, the specification and application of patterns is generally assumed to rely on manual implementation. As a result, we need to spend a lot of time developing software programs, not only because it is difficult to analyze and apply a consistent pattern, but also because programming faults occur frequently. In this paper, we propose a notation using XML for describing design patterns and a framework for using design patterns. We also suggest a source code generation support system and show an example of its application through this notation and the application framework. We can construct a more stable system and generate compact source code for a user based on the application of structured documentation with XML.