Technology Analysis on Automatic Detection and Defense of SW Vulnerabilities

Analysis of Technologies for Automatic Detection of and Response to SW Security Vulnerabilities

  • Received : 2017.10.12
  • Accepted : 2017.11.03
  • Published : 2017.11.30

Abstract

As automatic hacking tools and techniques have improved, the number of new vulnerabilities has increased. About 80,000 CVE entries were registered from 2010 to 2015, and more vulnerabilities are expected to be reported. In most cases, patching a vulnerability depends on the developers' capability, and most patching techniques rely on manual analysis, which takes nine months on average. These techniques consist of finding the vulnerability, analyzing it based on the source code, and writing new code for the patch. Zero-day vulnerabilities are critical because, as noted, the gap between first discovery and remediation is too long. To address this problem, techniques for automatically detecting and analyzing software (SW) vulnerabilities have recently been proposed. The Cyber Grand Challenge (CGC), held in 2016, was the first competition to create automatic defensive systems capable of reasoning about flaws in binaries and formulating patches without direct analysis by experts. Darktrace and Cylance are similar projects that manage SW automatically with artificial intelligence and machine learning. Although many foreign commercial and academic institutions run projects on automatic binary analysis, the domestic level of technology is much lower. This paper studies the development of automatic detection of SW vulnerabilities and defenses against them. We also analyzed and compared related work and tools, and we suggest optimal techniques for automatic analysis.

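Advances in tools and techniques that carry out hacking automatically have led to a recent increase in new security vulnerabilities. In CVE, a representative vulnerability database, about 80,000 new vulnerabilities were registered from 2010 to 2015, and the number continues to rise. However, the response still depends on manual analysis by experts, which takes a great deal of time. With manual analysis, it takes about nine months from discovering a vulnerability to producing a patch. This is why the risk posed by vulnerabilities that demand a rapid response, such as zero-days, is becoming more prominent. Because of this problem, interest in automated SW security vulnerability detection and response technologies has recently grown. In 2016, CGC was held, the first competition in which vulnerability analysis and patching of binaries were performed automatically with minimal human intervention. In addition, projects around the world such as Darktrace and Cylance are announcing automated response technologies that use artificial intelligence and machine learning. In contrast to this trend, however, research on automation technology in Korea remains insufficient. As preliminary research toward developing automated SW security vulnerability detection and response technology, this paper therefore analyzes prior studies and related tools for vulnerability detection and response, compares the techniques, and proposes which techniques are well suited to automation and which elements must be supplemented to achieve it.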
