• Title/Abstract/Keywords: vulnerability functions

Search results: 108 items (processing time 0.027 s)

Cost Minimization of Solidity Smart Contracts on Blockchain Systems

  • Lee, Wan Yeon
    • International journal of advanced smart convergence, Vol. 9 No. 2, pp. 157-163, 2020
  • Recently the blockchain technology has been actively studied due to its great potentiality. The smart contract is a key mechanism of the blockchain system. Due to the short history of the smart contract, many issues have not been solved yet. One main issue is vulnerability and another main issue is cost optimization. While the vulnerability of smart contract has been actively studied, the cost optimization has been rarely studied. In this paper, we propose two cost optimization methods for smart contracts running on the blockchain system. Triggering a function in a smart contract program code may require costs and it is repeated continuously. So the minimization of costs required to trigger a function of smart contract while maintaining the performance equally is very important. The proposed two methods minimize the usage of expensive permanent variables deployed on the blockchain system. We apply the proposed two methods to three prevalent blockchain platforms: Ethereum, Klaytn and Tron. Evaluation experiments verify that the proposed scheme significantly reduces the costs of functions in the smart contract written with Solidity.

SCAP Applicability for Vulnerability Management of Server-Oriented System (서버 중심의 취약성 관리를 위한 SCAP 적용 가능성)

  • Shin, Dong Cheon;Kim, Seon Kwang
    • Journal of Information Technology Applications and Management, Vol. 26 No. 4, pp. 19-30, 2019
  • Many organizations need to comply with ISMS-P for information systems and personal information management for ISMS-P certification. Organizations should safeguard information systems against vulnerabilities. However, as the kinds of information systems are diversified and the number of information systems increases, managing such vulnerabilities manually brings many difficulties. SCAP is a protocol to manage the vulnerabilities of information systems automatically using security standards. In this paper, for the introduction of SCAP in domestic domains, we verify its applicability to the server-oriented system, which is one of the ISMS-P certification targets. To obtain this goal, we analyze the structures and functions of SCAP. Then we propose schemes to check vulnerabilities of the server-oriented system. Finally, we implement the proposed schemes with SCAP to show the applicability of SCAP for verifying vulnerabilities of the server-oriented system.

Improvement Mechanism of Security Monitoring and Control Model Using Multiple Search Engines (다중 검색엔진을 활용한 보안관제 모델 개선방안)

  • Lee, Je-Kook;Jo, In-June
    • The Journal of the Korea Contents Association, Vol. 21 No. 1, pp. 284-291, 2021
  • As the current security monitoring system is operated as a passive system only for response after an attacker's attack, it is common to respond to intrusion incidents after an attack occurs. In particular, when new assets are added and actual services are performed, there is a limit to vulnerability testing and pre-defense from the point of view of an actual hacker. In this paper, a new security monitoring model has been proposed that uses multiple hacking-related search engines to add proactive vulnerability response functions of protected assets. In other words, using multiple search engines with general purpose or special purpose, special vulnerabilities of the assets to be protected are checked in advance, and the vulnerabilities of the assets that have appeared as a result of the check are removed in advance. In addition, the function of pre-checking the objective attack vulnerabilities of the protected assets recognized from the point of view of the actual hacker, and the function of discovering and removing a wide range of system-related vulnerabilities located in the IP band in advance were additionally presented.

A Study on the Development and Application of Efficient Evaluation Criteria for Performance Testing of Commercial Open Source Vulnerability Scanning Tools (상용 오픈소스 취약점 스캐닝 도구의 성능 시험을 위한 효율적 평가 기준 개발 및 적용)

  • Shin, Kangsik;Jung, Dong-Jae;Choe, Min-Ji;Cho, Ho-Mook
    • Journal of the Korea Institute of Information Security & Cryptology, Vol. 32 No. 4, pp. 709-722, 2022
  • The recent "Log4j Security Vulnerability Incident" occurred, and information systems that use the open source "Log4J" were exposed to vulnerabilities. The incident brought great vulnerabilities to the information systems of South Korea's major government agencies and companies and to global information systems, raising the problem of open source vulnerabilities. Despite its many advantages, the current development paradigm, which builds on open source, can easily spread software security vulnerabilities, so ensuring the safety and reliability of open source requires checking the open source itself. However, open source vulnerability scanning tools cover various languages and functions. Therefore, the existing software evaluation criteria are ambiguous and it is difficult to evaluate strengths and weaknesses, so this paper develops new evaluation criteria for open source vulnerability analysis tools.

A Study on the Development of DevSecOps through the Combination of Open Source Vulnerability Scanning Tools and the Design of Security Metrics (오픈소스 취약점 점검 도구 및 종합 보안 메트릭 설계를 통한 DevSecOps 구축방안 연구)

  • Yeonghae Choi;Hyeongjun Noh;Seongyun Cho;Hanseong Kang;Dongwan Kim;Suhyun Park;Minjae Cho;Juhyung Lee
    • Journal of the Korea Institute of Information Security & Cryptology, Vol. 33 No. 4, pp. 699-707, 2023
  • DevSecOps is a concept that adds security procedures to the operational procedures of DevOps to respond to the short development and operation cycle. A multi-step vulnerability scanning process should be considered to provide reliable security while supporting the rapid development and deployment cycle in DevSecOps. Many available open-source vulnerability scanning tools can be used for each stage of scanning, but there are difficulties in evaluating the security level and identifying the importance of information in integrated operation due to the various functions supported by the tools and their differing security results. This paper proposes an integrated security metric design for security results and a combination of open-source scanning tools that can be used in the security stage when building an open-source based DevSecOps system.

Efficient Null Pointer Dereference Vulnerability Detection by Data Dependency Analysis on Binary (효율적 데이터 의존성 분석을 이용한 바이너리 기반 Null Pointer Dereference 취약점 탐지 도구)

  • Wenhui Jin;Heekuck Oh
    • Journal of the Korea Institute of Information Security & Cryptology, Vol. 33 No. 2, pp. 253-266, 2023
  • The Null Pointer Dereference vulnerability is a significant vulnerability that can cause severe attacks such as denial-of-service. Previous research has proposed methods for detecting such vulnerabilities, but large and complex programs pose a challenge to their efficiency. In this paper, we present a lightweight tool for detecting specific functions in large binary programs by symbolizing variables and emulating program execution. The tool detects vulnerabilities through data dependency analysis and heuristics in each execution path. While our tool had an 8% higher false positive rate than the bap_toolkit, it detected all existing vulnerabilities in our dataset.

A Study for Vulnerability Analysis and Guideline about Social Personal Broadcasting Service based on Smart-Phone Environment (focus on SNS or U-Health) (스마트폰 환경 하에서 소셜 개인방송 서비스의 취약점 분석과 가이드라인에 관한 연구 (SNS 및 U-Health를 중심으로))

  • Kang, Jang-Mook;Lee, Woo-Jin;Song, You-Jin
    • The Journal of the Institute of Internet, Broadcasting and Communication, Vol. 10 No. 6, pp. 161-167, 2010
  • Social individualized broadcasting increases rapidly in an environment that combines communication and broadcasting. Real-time individualized broadcasting is a service that is provided by multiple individuals to many and unspecified persons. In contrast, the newly introduced individualized broadcasting service is a service that has not been experienced socially and culturally, and therefore many problems are expected. The newly emerging real-time individualized broadcasting service may bring about various dysfunctions as well as desirable functions. Establishment of a guideline and its implementation based on vulnerability analysis are necessary to prevent the expected dysfunctions and reinforce the desirable functions. Therefore, the purpose of this paper is to examine dysfunctions of the information-oriented society which threaten cyber-norms, cyber-morality, cyber-dangers, cyber-democracy, etc. at the level of social individualized broadcasting service and to propose appropriate guidelines. Through this paper, first, future changes in dysfunctions of the information-oriented society due to individualized broadcasting service can be forecast, and countermeasures and policy directions can be proposed. Second, dysfunctions of ICT-based service that may emerge in individualized broadcasting service can be forecast, and a correct guideline can be prepared to reduce potential dangers and increase desirable functions of the service. This paper analyzes in various aspects the characteristics of a new medium with the focus on individualized broadcasting service among the new ICT-integrated services, forecasts the appearance and aggravation of the dysfunctions, and then draws the guideline.

A Study on the Seismic Damage Scenario in the Model District of Seoul City (서울시 모델 구역에서의 지진피해시나리오 연구)

  • 김재관
    • Proceedings of the Earthquake Engineering Society of Korea Conference, Proceedings of the Spring 1999 Conference of the Earthquake Engineering Society of Korea (Proceedings of EESK Conference-Spring), pp. 223-230, 1999
  • A seismic damage assessment for a postulated earthquake is attempted for the buildings in a model district of Seoul City. The capacity spectrum method is employed, in which the vulnerability functions are expressed as functions of the spectral displacement. The database of the building stock is constructed and managed using Geographic Information System software. The model district is selected to represent the typical structural and residential characteristics of Seoul City. The structural properties were collected from the design documents. Field inspections were carried out to find out the current status of the buildings. They are classified into 11 structural types. The fragility curves in HAZUS are employed. The ground motions from the postulated earthquakes are simulated using Boore's method. The surface soil in the district is classified into 3 profiles using the depth as the parameter. The one-dimensional wave propagation method is used to calculate the filtered ground motion through the surface soil layer. The average spectrum of these sample time histories is used as the demand curve. The calculated results are expressed in maps using the GIS software ArcView 3.0a.

A Study on the Security Vulnerability Factors of Smart Phones ('스마트 폰'의 보안 취약요인에 관한 연구)

  • Jeon Jeong Hoon
    • Convergence Security Journal, Vol. 22 No. 2, pp. 43-50, 2022
  • It is no exaggeration to say that mobile devices have already become an essential tool in our daily life. Among these mobile devices, the smart phone is overheating the market by introducing new functions and services whenever a new product is released. However, most users do not know that there are various vulnerabilities depending on the manufacturer, service, or function, and damage is occurring due to attacks that exploit these vulnerabilities. Research on this has already been conducted, but it is very difficult to predict because there are various differences depending on new devices, operating systems, services, and functions. For this reason, it is necessary to continuously monitor and study new vulnerable factors. Therefore, through this study, the research so far, vulnerabilities, attack technology, and response technology were considered. In addition, by proposing countermeasures, it is expected that this study can be used as basic data for the development of systems and response technologies in the future.

A Study on the Vulnerability Management of Internet Connection Devices based on Internet-Wide Scan (인터넷 와이드 스캔 기술 기반 인터넷 연결 디바이스의 취약점 관리 구조 연구)

  • Kim, Taeeun;Jung, Yong Hoon;Jun, Moon-Seog
    • Journal of the Korea Academia-Industrial cooperation Society, Vol. 20 No. 9, pp. 504-509, 2019
  • Recently, both wireless communications technology and the performance of small devices have developed exponentially, while the number of services using various types of Internet of Things (IoT) devices has also massively increased in line with the ongoing technological and environmental changes. Furthermore, ever more devices that were previously used in the offline environment, including small-size sensors and CCTV, are being connected to the Internet due to the huge increase in IoT services. However, many IoT devices are not equipped with security functions, and use vulnerable open source software as it is. In addition, conventional network equipment, such as switches and gateways, operates with vulnerabilities, because users tend not to update the equipment on a regular basis. Recently, simple vulnerabilities of IoT devices have been exploited by attackers creating large botnets for distributed denial of service (DDoS) attacks. This paper proposes a system that is capable of quickly identifying Internet-connected devices and analyzing and managing the vulnerabilities of such devices using Internet-wide scan technology. In addition, the vulnerability analysis rate of the proposed technology was verified through collected banner information. In the future, the company plans to automate and upgrade the proposed system so that it can be used as a technology to prevent cyber attacks.