A Methodology for Security Vulnerability Assessment Process on Binary Code

  • Hwang, Seong-Oun (Dept. of Computer & Information Communications Engineering, Hongik University)
  • Received : 2012.08.30
  • Accepted : 2012.10.12
  • Published : 2012.10.31

Abstract

Cyber attacks that exploit underlying vulnerabilities in target software have increased rapidly. However, identifying and correcting these vulnerabilities is extremely difficult and time-consuming. To address these problems efficiently, we propose in this paper a systematic methodology for the security vulnerability assessment process on binary code. Specifically, we first classified existing vulnerabilities based on whether the target software runs in a Web environment and on the features of the software. Based on this classification, we determined the list and scope of the vulnerabilities. As a future research direction, we need to further refine and validate our methodology.

Cited by

  1. Estimating Economic Loss by S/W Vulnerability vol.19, pp.4, 2014, https://doi.org/10.7838/jsebs.2014.19.4.031