• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.10 no.10
• /
• pp.4933-4956
• /
• 2016

Use-After-Free (UAF) is a common lethal form of software vulnerability. By using tools such as Web Browser Fuzzing, a large amount of samples containing UAF vulnerabilities can be generated. To evaluate the threat level of vulnerability or to patch the vulnerabilities, automatic deduplication and exploitability determination should be carried out for these samples. There are some problems existing in current methods, including inadequate pertinence, lack of depth and precision of analysis, high time cost, and low accuracy. In this paper, in terms of key dangling pointer and crash context, we analyze four properties of similar samples of UAF vulnerability, explore the method of extracting and calculate clustering eigenvalues from these samples, perform clustering by fast search and find of density peaks on a large number of vulnerability samples. Samples were divided into different UAF vulnerability categories according to the clustering results, and the exploitability of these UAF vulnerabilities was determined by observing the shape of class cluster. Experimental results showed that the approach was applicable to the deduplication and exploitability determination of a large amount of UAF vulnerability samples, with high accuracy and low performance cost.

• Annual Conference of KIPS
• /
• 2024.05a
• /
• pp.386-388
• /
• 2024

UAF(Use-After-Free)는 heap 영역에서 메모리 오염을 발생시킬 수 있는 취약점이다. UAF를 방지하기 위해 다양한 방법으로 관련 연구가 활발히 이루어지고 있지만, 아직까지 여러 오버헤드 측면에서 모두 좋은 성능을 발휘한 결과는 나오지 않고 있다. 할당자 수준에서의 수정을 통하여, UAF 취약점 방어를 보장하는 동시에 높은 성능과 낮은 오버헤드를 발생시킬 수 있는 방법을 제시한다. 본 논문에서는 UAF 취약점 및 관련 연구를 소개하고, 이를 기반으로 UAF 취약점에 대처할 수 있는 방법을 제시한다.

• Journal of Korea Society of Digital Industry and Information Management
• /
• v.16 no.4
• /
• pp.43-53
• /
• 2020

There are three standards for FIDO1 authentication technology: Universal Second Factor (U2F), Universal Authentication Framework (UAF), and Client to Authenticator Protocols (CTAP). FIDO2 refers to the WebAuthn standard established by W3C for the creation and use of a certificate in a web application that complements the existing CTAP. In Korea, the FIDO certified market is dominated by UAF, which deals with standards for smartphone (Android, iOS) apps owned by the majority of the people. As the market requires certification through FIDO on PCs, FIDO Alliance and W3C established standards that can be certified on the platform-independent Web and published 『Web Authentication: An API for Accessing Public Key Credentials Level 1』 on March 4, 2019. Most PC do not contain biometrics, so they are not being utilized contrary to expectations. In this paper, we intend to present a model that allows login in PC environment through biometric recognition of smartphone and FIDO UAF authentication. We propose a model in which a user requests login from a PC and performs FIDO authentication on a smartphone, and authentication is completed on the PC without any other user's additional gesture.

• Annual Conference of KIPS
• /
• 2015.10a
• /
• pp.620-623
• /
• 2015

최근 핀테크 기술들이 금융 산업의 전반에 융합되기 시작하면서 다양한 모바일 결제 서비스와 새로운 형태의 금융 서비스가 출시되고 있다. 또한 지문 인식 기술이 탑재된 모바일 단말이 대중화 되면서 모바일 단말의 생체 인증 수단을 온라인 서비스의 본인 확인 수단으로 사용할 수 있는 FIDO(Fast IDentity Online) 인증 기술이 핀테크 산업의 핵심으로 부각되고 있다. 본 논문에서는 FIDO 인증 기술에 대한 개념과 ETRI FIDO UAF 1.0 서버 구현에 대한 내용을 기술한다. 그리고 본 논문에서 소개하는 ETRI FIDO 서버는 2015년 4월에 개최된 FIDO UAF 1.0 상호운용성(Interoperability) 테스트를 통과한 것으로 현재 다양한 업체에 기술 이전되어 제품 및 서비스 개발에 활용되고 있다.

• Annual Conference of KIPS
• /
• 2024.10a
• /
• pp.304-306
• /
• 2024

Use After Free(UAF) 취약점은 의료 소프트웨어, 의료 시스템, 임베디드 시스템 등 다양한 분야에서 널리 사용되고 있는 보안 취약점이다. C/C++는 메모리를 직접 할당하고 해제하는 작업을 프로그래머가 수동으로 수행하기 때문에 UAF의 발생 가능성이 높다. UAF는 과거로부터 현재까지 해결되지 않은 버그로써 존재하고 있으며, [1]2023년CWE 제일 위험한 취약점 Top25중에 4위를 차지하고 있다. 본 논문에서는 C/C++가 널리 사용되는 만큼 UAF를 빠르고 정확하게 탐지하기 위한 연구내용과 성능 결과를 소개한다.

• Asian-Australasian Journal of Animal Sciences
• /
• v.2 no.4
• /
• pp.565-570
• /
• 1989

The influence of age at first calving on the milk production of crossbred dairy cows produced under major dairy cattle crossbreeding projects in Pakistan was studied from the year 1974 to 1980. These animals were bred and raised at the Livestock Production Research Institute, Bahadarnagar (LPRI), Livestock Experiment Station, Karachi (LES) and the University of Agriculture, Faisalabad (UAF). Local Sahiwal (SWL) cattle were crossed with the European breeds, Holstein Friesian (HF) and Jersey (J) at LPRI and UAF. At LES, native Red Sindhi (RS) were crossed with the HF and J breeds. At LES and UAF, the crossbred progeny, thus, produced comprised of halfbreds only while at LPRI 3/4 HF, 3/4 J, 1/4 HF and 1/4 J groups were also available for this study. The average age at first calving was considerably higher among the native breeds. At LES, the RS calved for the first time at an age of approximately 56 months. Corresponding values for SWLs at LPRI and UAF were 44 and 64 months, respectively. The 1/2 HF and 1/2 J crossbreds calved first at the age of approximately 25, 26, 34, 36, 37 and 38 months at LPRI, LES and UAF respectively. For 3/4 HF, 3/4 K, 1/4 HF and 1/4 J groups of LPRI the average age at first calving was 29, 26, 34 and 33 months. Considerable differences in age at first calving between the crossbreds and native breeds were observed. Due to early maturity, the former attained the peak level of milk production in third lactation whereas the latter groups, because of late maturity, reached this level in their fourth lactation. This study suggested that early maturity in Zebu cattle (Box indicus) could be induced through crossbreeding with European cattle (Bos Taurus).

• Annual Conference of KIPS
• /
• 2024.05a
• /
• pp.279-282
• /
• 2024

The Use-after-free (UAF) bug is a long-standing temporal memory safety issue. To prevent UAF attacks, two commonly used approaches are lock-and-key and pointer nullification. Recently, ARM architecture supports the Memory Tagging Extension (MTE) that implemented a lock-and-key mechanism using a 4-bit tag during memory access. Previous research proposed a virtual address tagging scheme utilizing MTE to prevent UAF attacks. In this paper, we aimed to measure a simplified version of the previously proposed virtual address tagging scheme on real machines supporting MTE by implementing a simple module and conducting experiments.

• Annual Conference of KIPS
• /
• 2024.05a
• /
• pp.248-250
• /
• 2024

해제 후 재사용 (Use-After-Free, UAF)는 오랜 시간 동안 소프트웨어 보안에서 중요한 문제로 인식되어 왔다. 이 문제를 해결하기 위해 다양한 완화 방법과 방어 연구가 활발히 진행되고 있다. 이러한 연구들은 대부분 기존 벤치마크 성능과 비교했을 때 낮은 성능을 보인다. 이는 메타 데이터와 코드 계측 정보가 증가하여 포인터를 많이 사용하는 벤치마크의 메모리 사용량이 증가하기 때문이다. 이 연구는 SVF를 활용하여 스택에서만 메모리 할당자 호출 지점을 분석한다. 추후 이 분석 정보를 여러 UAF 연구에 적용하여 런타임 오버헤드를 줄이는 것을 목표로 한다.

• Journal of the Korea Convergence Society
• /
• v.11 no.5
• /
• pp.19-25
• /
• 2020

As the number of mobile device users increases, research on various user authentication methods has been actively conducted to protect sensitive personal information. Knowledge-based techniques have the disadvantage that security is deteriorated due to easy exposure of authentication means, and proprietary-based techniques have a problem of increasing construction cost and low user convenience to use the service. In order to solve this problem, a FIDO authentication system, which is a user authentication method using a smart device, has been proposed. Since the FIDO authentication system performs authentication based on the biometric information of the user, the risk of the authentication means being leaked is low, and since the authentication information is stored in the user's smart device, the user information due to server hacking is solved. Through this, it is possible to select and utilize user authentication technology suitable for the security level of the service. In this paper, we introduce the FIDO authentication system, explain the main parts required for FIDO UAF client-server development, and show examples of implementation using UAF open source provided by ebay.

• Journal of Digital Convergence
• /
• v.14 no.7
• /
• pp.373-383
• /
• 2016

With mobile-epoch and emerging of Fin-tech, Bio-recognition technology utilizing bio-information in secure method has spread. Specially, In order to change convenient payment services and transportation cards, the combination of biometrics and mobile services are being expanded. The basic concept of authentication such as access control, IA&A, OpenID, OAuth 1.0a, SSO, and Biometrics techniques are investigated, and the protocol stack for security API platform, FIDO, SCIM, OAuth 2.0, JSON Identity Suite, Keystone of OpenStack, Cloud-based SSO, and AIM Agent are described detailed in aspect of application of AIM. The authentication technology in domestic and foreign will accelerate technology development and research of standardization centered in the federated FIDO Universal Authentication Framework(UAF) and Universal 2 Factor Framework(U2F). To accommodate the changing needs of the social computing paradigm recently in this paper, the trends of various authentication technology, and design and function of AIM framework was defined.