• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.2
• /
• pp.305-318
• /
• 2023

The complexity of software products led many manufacturers to stitch open-source software for composing a product. Using open-source help reduce the development cost, but the difference in the different development life cycles makes it difficult to keep the product up-to-date. For this reason, even the patches for known vulnerabilities are not adopted quickly enough, leaving the entire product under threat. Existing studies propose to use binary differentiation techniques to determine if a product is left vulnerable against a particular vulnerability. Despite their effectiveness in finding real-world vulnerabilities, they often fail to locate the evidence of a vulnerability if it is a small function that usually is inlined at compile time. This work presents our tool FunRank which is designed to identify the short functions. Our experiments using synthesized and real-world software products show that FunRank can identify the short, inlined functions that suggest that the program is left vulnerable to a particular vulnerability.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2016.10a
• /
• pp.741-742
• /
• 2016

Secure Coding is in the development phase, removing a potential security vulnerability that could lead to attacks such as hacking in advance, says the technique to develop secure software from external attacks. In this paper, we'll learn about the needs and expectations of the effectiveness of these security software development. Due to this, the threat to the safe software development project, and there is an effect to improve quality.

• ETRI Journal
• /
• v.31 no.5
• /
• pp.554-564
• /
• 2009

In information security and network management, attacks based on vulnerabilities have grown in importance. Malicious attackers break into hosts using a variety of techniques. The most common method is to exploit known vulnerabilities. Although patches have long been available for vulnerabilities, system administrators have generally been reluctant to patch their hosts immediately because they perceive the patches to be annoying and complex. To solve these problems, we propose a security vulnerability evaluation and patch framework called PKG-VUL, which evaluates the software installed on hosts to decide whether the hosts are vulnerable and then applies patches to vulnerable hosts. All these operations are accomplished by the widely used simple network management protocol (SNMP). Therefore, system administrators can easily manage their vulnerable hosts through PKG-VUL included in the SNMP-based network management systems as a module. The evaluation results demonstrate the applicability of PKG-VUL and its performance in terms of devised criteria.

• International Journal of Internet, Broadcasting and Communication
• /
• v.12 no.3
• /
• pp.189-195
• /
• 2020

Smart contract, one of the applications of blockchain, is expected to be used in various industries. However, there is risks of damages caused by attacks on vulnerabilities in smart contract codes. Tool support is essential to detect vulnerabilities, and as new vulnerabilities emerge and smart contract implementation languages increase, the tools must have extensibility for them. We propose a design model for extensible architecture of smart contract vulnerability detection tools that detect vulnerabilities in smart contract source codes. The proposed model is composed of design pattern-based structures that provides extensibility to easily support extension of detecting modules for new vulnerabilities and other implementation languages of smart contract. In the model, detecting modules are composed of independent module, so modifying or adding of module do not affect other modules and the system structure.

• Journal of the Society of Disaster Information
• /
• v.3 no.1
• /
• pp.69-86
• /
• 2007

The fire department has one of the most important role as public resources of response to disasters in the aspect of supply and the adequate distribution of resources of response is essential, but the distribution of the response capability to disaster of fire department does not reflect the regional hazard vulnerability and hazard risks. Researchers performed database process with simple mapping based on the regional fire disaster response capability and the regional hazard vulnerability and hazard risks. The cities and towns are divided to four types each, total eight types and relative threat ratios are extracted from every type. The fire disaster response capability was extracted from number of firemen and fire vehicles in defined region. The distribution of the fire disaster response capability was inadequate and not matching to relative threat especially in small cities and some types of towns. The regional relative threat and resources should be analyzed by more delicate mapping and software development in the future.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.18 no.4
• /
• pp.187-194
• /
• 2008

This paper proposes an effective countermeasure to an intrinsic hardware vulnerability of the keyboard controller that causes sniffing problem on the password authentication system based on the keyboard input string. Through the vulnerability, some possible attacker is able to snoop whole the password string input from the keyboard even when any of the existing keyboard protection software is running. However, it will be impossible for attackers to gather the exact password strings if the proposed policy is applied to the authentication system though they can sniff the keyboard hardware protocol. It is expected that people can use secure Internet commerce after implementing and applying the proposed policy to the real environment.

• Journal of Convergence for Information Technology
• /
• v.9 no.3
• /
• pp.1-7
• /
• 2019

There are various cyber attacks on business PCs. In order to reduce the threat of PC security, we are preventing the vulnerability from being diagnosed beforehand. However, this guideline is difficult to cope with because the domestic vulnerability guide does not update the diagnostic items. In this paper, we examine the cyber infringement cases of PCs and the diagnostic items of foreign technical vulnerabilities in order to cope with security threats. In addition, an improved guide is provided by comparing the differences in the diagnostic items of technical vulnerability from abroad and domestic. Through 41 proposed technical vulnerability improvement items, it was found that various security threats can be coped with. Currently, it is mainly able to respond to only known vulnerabilities, but we hope that applying this guideline will reduce unknown security threats.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2018.10a
• /
• pp.193-195
• /
• 2018

홍채코드는 홍채의 정보를 이진코드로 표현함으로써 홍채정보를 보호하는 방법이다. 이러한 방법은 현재 홍채인식 시스템에서 표준으로 채택된 기술이다. 본 논문에서는 1-D 가버 필터를 사용하여 홍채 코드로부터 역공학적 방법을 사용하여 홍채영상을 복원하고, 복원된 홍채 영상과 기존의 홍채영상의 인식 결과를 통해 홍채 인식에 대한 취약성을 연구한다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.2
• /
• pp.243-250
• /
• 2013

We have entered into an era of smart software system where the many kinds of embedded software, especially SCADA and Automotive software not only require high reliability and safety but also high-security. Removing software weakness during the software development lifecycle is very important because hackers exploit weaknesses which are source of software vulnerabilities when attacking a system. Therefore the coding rule as like core functions of MISRA-C should expand their coding focus on security. In this paper, we used CERT-C secure coding rules for nuclear-related software being developed to demonstrate high-safety software, and proposed how to remove software weakness during development.

• Transactions of the Korean Society of Automotive Engineers
• /
• v.22 no.3
• /
• pp.68-74
• /
• 2014

As the number of ECUs (Electronic control units) are increasing, reliability and functional stability of a software in an ECU is getting more important. Therefore the application of functional safety standards ISO 26262 is making the software more reliable. Software fault injection test (SFIT) is required as a verification technique for the application of ISO 26262. In case of applying SFIT, an artificial error is injected to inspect the vulnerability of the system which is not easily detected during normal operation. In this paper, the basic concept of SFIT will be examined and the application of SIFT based on ISO26262 will be described.