• KIISE Transactions on Computing Practices
• /
• v.21 no.3
• /
• pp.257-262
• /
• 2015

As software grows more complex, it contains more bugs that are not recognized by developers. Attackers can then use exploitable bugs to penetrate systems or spread malicious code. As a representative method, attackers manipulated documents or multimedia files in order to make the software engage in unanticipated behavior. Recently, this method has gained frequent use in A.P.T. In this paper, an automatic analysis method to find software security bugs was proposed. This approach aimed at finding security bugs in the software which can arise from input data such as documents or multimedia. Through dynamic taint analysis, how input data propagation to vulnerable code occurred was tracked, and relevant instructions in relation to input data were found. Next, the relevant instructions were translated to a formula and vulnerable input data were found via the formula using an SMT solver. Using this approach, 6 vulnerable codes were found, and data were input to crash applications such as HWP and Gomplayer.

• KIPS Transactions on Computer and Communication Systems
• /
• v.8 no.5
• /
• pp.119-126
• /
• 2019

Typical software developed and used by North Korea is Red Star and internal application software. However, most of the existing research on the North Korean software is the software installation method and general execution screen analysis. One of the ways to identify software vulnerabilities is file fuzzing, which is a typical method for identifying security vulnerabilities. In this paper, we use file fuzzing to analyze the security vulnerability of the software used in North Korea's Seogwang Document Processing System. At this time, we propose the analysis of open document text (ODT) file produced by Seogwang Document Processing System, extraction of node based on Document Object Mode (DOM) to determine test target, and generation of mutation file through insertion and substitution, this increases the number of crash detections at the same testing time.

• Journal of Aerospace System Engineering
• /
• v.16 no.2
• /
• pp.13-24
• /
• 2022

As the scale of airborne system software increases, the use of OOT (Object-Oriented Technology) is increasing for functional expansion, efficient development, and code reuse, but the verification method for airborne object-oriented software is conducted from the perspective of the existing procedure-oriented program. The purpose of this paper was to analyze the characteristics of OOT and the vulnerabilities derived from the functional characteristics of OOT, and present a verification method applicable to each software development process (Design, Coding and Testing) to ensure the functional safety integrity of aviation software to which OOT is applied. Additionally, we analyzed the meaning of the static analysis results among the step-by-step verification measures proposed by applying LDRA, a static analysis automation tool, to PX4, an open source used to implement flight control software.

• Journal of IKEEE
• /
• v.16 no.4
• /
• pp.389-394
• /
• 2012

Most current systems have ignored security vulnerability concerned with boot firmware. It is highly likely that boot firmware may cause serious system errors, such as hardware manipulations by malicious programs or code, the operating system corruption caused by malicious code and software piracy under a condition of no consideration of security mechanism because boot firmware has an authority over external devices as well as hardware controls. This paper proposed a structural security mechanism based on software equipped with encrypted bootstrap patterns different from pre-existing bootstrap methods in terms of securely loading an operating system, searching for malicious codes and preventing software piracy so as to provide reliability of boot firmware. Moreover, through experiments, it proved its superiority in detection capability and overhead ranging between 1.5 % ~ 3 % lower than other software security mechanisms.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.2
• /
• pp.327-333
• /
• 2014

The rapid expansion of the software industry has brought a serious security threat and vulnerability. Many softwares are constantly attacked by exploit codes using security vulnerabilities. Smart fuzzing is automated method to find software vulnerabilities. However, Many resources are consumed in fuzzing, because the fuzzing needs to create data model for target software and to analyze a data file and software binary. Therefore, The automated method for efficient smart fuzzing is needed to develop the automated data model. In this paper, through analysing the input file format and optimizing the data structure, we propose an efficient data modeling framework for smart fuzzing and implement the framework for detect software vulnerabilities.

• Journal of The Korean Association of Information Education
• /
• v.20 no.3
• /
• pp.293-302
• /
• 2016

It is the latest fashion of interesting with software education in public school environment and also consider as high priority issue of curriculum for college freshman with programming 101 courses. The block-based programming tool is used widely for the beginner and provides several positive features compare than text-based programming language tools. To measure quality of programming code elaborately which is based script language, it is need to very tough manual process. As a result the previously research related with evaluation of block-based script code has been focused very simple methods in which normalize the number of blocks used which is related with programming concept. In such cases in this, it is difficult to measure structural vulnerability of script code and implicit programming concept which does not expose. In this research, the framework is proposed which enable to measure and evaluate quality of code script of block-based programming tools and also provides method to find of vulnerability of script code. In this framework, the quality metrics is constructed to structuralize implicit programming concept and then developed the quality measure and vulnerability model of script to improve level of programming. Consequently, the proposed methods enable to check of level of programming and predict the heuristic target level.

• Journal of the Korea Society of Computer and Information
• /
• v.18 no.7
• /
• pp.111-123
• /
• 2013

To verify software vulnerability, the method of conjecturing software structure and then testing the software based on the conjectured structure has been highlighted. To utilize the method, an efficient way to conjecture software structure is required. The popular graph and tree methods such as DFG(Data Flow Graph), CFG(Control Flow Graph) and CFA(Control Flow Automata) have a serious drawback. That is, they cannot express software in a hierarchical fashion. In this paper, we propose a method to overcome the drawback. The proposed method applies various input data to a binary code, generate CFG's based on the code output and construct a HCFG (Hierarchical Control Flow Graph) to express the generated CFG's in a hierarchical structure. The components required for HCFG and progressive algorithm to construct HCFG are also proposed. The proposed method is verified through constructing the software architecture of an open SMTP(Simple Mail Transfer Protocol) server program. The structure generated by the proposed method and the real program structure are compared and analyzed.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.21 no.8
• /
• pp.530-536
• /
• 2020

The use of minutiae by fingerprint readers is robust against presentation attacks, but one weakness is that the mismatch rate is high. Therefore, minutiae tend to be used with skeleton images. There have been many studies on security vulnerabilities in the characteristics of minutiae, but vulnerability studies on the skeleton are weak, so this study attempts to analyze the vulnerability of presentation attacks against the skeleton. To this end, we propose a method based on the skeleton to recover the original fingerprint using a learning algorithm. The proposed method includes a new learning model, Pix2Pix, which adds a latent vector to the existing Pix2Pix model, thereby generating a natural fingerprint. In the experimental results, the original fingerprint is restored using the proposed machine learning, and then, the restored fingerprint is the input for the fingerprint reader in order to achieve a good recognition rate. Thus, this study verifies that fingerprint readers using the skeleton are vulnerable to presentation attacks. The approach presented in this paper is expected to be useful in a variety of applications concerning fingerprint restoration, video security, and biometrics.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.1
• /
• pp.171-182
• /
• 2014

Common Criteria is a scheme that minimize IT products's vulnerabilities in accordance with the evaluation assurance level. SSDLC(Secure Software Development Lifecycle) is a methodology that reduce the weakness that can be used to generate vulnerabilities of software development life cycle. However, Common Criteria does not consider certificated IT products's vulnerabilities after certificated it. So, it can make a problem the safety and reliability of IT products. In addition, the developer and the evaluator have the burden of duplicating evaluations of IT products that introduce into the government business due to satisfy both Common Criteria and SSDLC. Thus, we researched the relationship among the Common Criteria, the static code analysis tools, and the SSDLC. And then, we proposed how to combine SSDLC into Common Criteria.

• The KIPS Transactions:PartC
• /
• v.14C no.4
• /
• pp.313-320
• /
• 2007

In this paper, we propose a method to analyze security vulnerabilities of MS word-processor by checking the validation of its input files. That is, this study is to detect some vulnerabilities in the input file of the word processor by analyzing the header information of its input file. This validation test can not be conducted by the existing software fault injection tools including Holodeck and CANVAS. The proposed method can be also applied to identify the input file vulnerabilities of Hangul and Microsoft Excel which handle a data file with a header as an input. Moreover, our method can provide a means for assessing the fault tolerance and trustworthiness of the target software.