情報保護學會誌 (KIISC review), v.28 no.2, 2018, pp. 33-42
장대일, 김태은, 김환국 (Korea Internet & Security Agency, Security Technology R&D Team 2)
Key term | Question | Answer extracted from the paper |
---|---|---|
Dynamic analysis | What is dynamic analysis? | Dynamic analysis finds errors by executing the source code or binary inside a controllable virtual environment and observing it. It exposes a wide range of information: the APIs the binary uses, its network activity, the files and registry keys it accesses, and its memory contents. |
Static analysis | What is static analysis? | Static analysis finds errors, logic problems or vulnerabilities by applying an analysis suited to the target to its source code or binary without executing it. It works out the executable paths in the target and the range of values each variable can take, checks whether any reachable path or value range satisfies a condition that triggers an error, and reports the source code or binary instruction where the error occurs. |
Intelligent vulnerability search | What research exists on intelligent vulnerability search? | Research on intelligent vulnerability search falls into two broad groups: work that finds vulnerabilities through a vulnerability prediction model, and work that uses known vulnerabilities to search the target source code or binary for vulnerabilities with the same pattern. Research on intelligent vulnerability response likewise splits into two groups, the first of which is work that patches the software's behaviour. |
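The dynamic-analysis row above describes running a sample in a controlled environment and recording the APIs, files, network endpoints and processes it touches. The following is an added example, not code from the paper, of that idea in miniature: it installs a Python audit hook (`sys.addaudithook`, Python 3.8+) as the "sandbox monitor" and runs a constructed stand-in for the sample. The sample, its dropped file name and the loopback "command server" it connects to are all invented so the example runs offline.

```python
"""Minimal dynamic-analysis monitor: run a sample and record its observable
behaviour (files opened, sockets created/connected, processes spawned) via
Python's audit-hook facility (sys.addaudithook, Python 3.8+).

Constructed example; the "sample" is a stand-in for a binary under analysis.
"""
import os
import socket
import subprocess
import sys
import tempfile
from collections import defaultdict

# Audit events we care about. Everything else (compile, import, ...) is ignored.
WATCHED_EVENTS = {
    "open",              # args: (path, mode, flags)
    "socket.__new__",    # args: (sock, family, type, protocol)
    "socket.bind",       # args: (sock, address)
    "socket.connect",    # args: (sock, address)
    "subprocess.Popen",  # args: (executable, args, cwd, env)
}

_trace = []  # (event, detail) tuples recorded during a run


def _detail(event, args):
    """Reduce the raw audit arguments to the part an analyst wants to see."""
    if event == "open":
        return str(args[0])
    if event in ("socket.bind", "socket.connect"):
        return str(args[1])
    if event == "subprocess.Popen":
        return " ".join(map(str, args[1]))
    return ""


def _audit_hook(event, args):
    # Audit hooks cannot be removed once installed and must never raise,
    # or they abort the operation being audited.
    if event in WATCHED_EVENTS:
        _trace.append((event, _detail(event, args)))


sys.addaudithook(_audit_hook)


def sample_program(workdir):
    """Constructed stand-in for the sample: drops a file, 'phones home' (to a
    listener on the loopback interface so the example stays offline) and
    spawns a child process."""
    dropped = os.path.join(workdir, "dropped.txt")
    with open(dropped, "w") as fh:
        fh.write("payload")

    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(listener.getsockname())
    client.close()
    listener.close()

    subprocess.run([sys.executable, "-c", "pass"], check=True)


def run_under_monitor():
    """Execute the sample and return {event: [detail, ...]} for watched events."""
    del _trace[:]
    with tempfile.TemporaryDirectory() as workdir:
        sample_program(workdir)
    report = defaultdict(list)
    for event, detail in _trace:
        report[event].append(detail)
    return dict(report)


if __name__ == "__main__":
    for event, details in sorted(run_under_monitor().items()):
        print(f"{event:16s} x{len(details)}: {details}")
```

The hook sees only what the interpreter reports; a real binary sandbox would instead trace system calls or hook the platform API and would isolate the network rather than rely on the sample talking to loopback.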
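The static-analysis row above describes computing the range of values a variable can take along each path and checking whether that range satisfies an error condition. The following is an added example, not the paper's code, of the simplest form of that technique: an interval analysis over a tiny invented straight-line language, reporting array indexes whose range can leave the buffer. The language, the statement forms and the three sample programs (unguarded, correctly guarded, off-by-one guard) are all constructed for illustration.

```python
"""Toy static analysis: interval (value-range) analysis over a tiny
straight-line language, reporting array indexes that may leave bounds.

Constructed example; the language, statement forms and sample programs are
invented for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Interval:
    lo: int
    hi: int

    def __add__(self, o):
        return Interval(self.lo + o.lo, self.hi + o.hi)

    def __sub__(self, o):
        return Interval(self.lo - o.hi, self.hi - o.lo)

    def __mul__(self, o):
        corners = (self.lo * o.lo, self.lo * o.hi, self.hi * o.lo, self.hi * o.hi)
        return Interval(min(corners), max(corners))

    def meet(self, o):
        """Intersection; None means no value satisfies both (path infeasible)."""
        lo, hi = max(self.lo, o.lo), min(self.hi, o.hi)
        return Interval(lo, hi) if lo <= hi else None

    def within(self, o):
        return o.lo <= self.lo and self.hi <= o.hi


INF = 1 << 62  # stand-in for +/- infinity in branch constraints
OPS = {"+": Interval.__add__, "-": Interval.__sub__, "*": Interval.__mul__}


def _value(env, operand):
    """An operand is an integer literal or a variable name."""
    return Interval(operand, operand) if isinstance(operand, int) else env[operand]


def analyze(program):
    """Walk the statements tracking each variable's interval; return findings.
    Statement forms:
      ("input",  var, lo, hi)        attacker-controlled value in [lo, hi]
      ("assign", var, op, a, b)      var = a op b, op in "+-*"
      ("assume", var, cmp, const)    this path is taken only if var cmp const
      ("index",  buf, length, var)   buf[var], buf having `length` elements
    """
    env: Dict[str, Interval] = {}
    findings: List[str] = []
    for stmt in program:
        kind = stmt[0]
        if kind == "input":
            _, var, lo, hi = stmt
            env[var] = Interval(lo, hi)
        elif kind == "assign":
            _, var, op, a, b = stmt
            env[var] = OPS[op](_value(env, a), _value(env, b))
        elif kind == "assume":
            _, var, cmp, c = stmt
            constraint = {"<": Interval(-INF, c - 1), "<=": Interval(-INF, c),
                          ">": Interval(c + 1, INF), ">=": Interval(c, INF)}[cmp]
            narrowed = env[var].meet(constraint)
            if narrowed is None:
                break  # branch can never be taken: nothing after it is reachable
            env[var] = narrowed
        elif kind == "index":
            _, buf, length, var = stmt
            idx, valid = env[var], Interval(0, length - 1)
            if not idx.within(valid):
                findings.append(f"{buf}[{var}]: {var} in [{idx.lo}, {idx.hi}] "
                                f"may leave [0, {length - 1}]")
        else:
            raise ValueError(f"unknown statement {stmt!r}")
    return findings


# buf[n * 2] with n an attacker-supplied byte: the index ranges over [0, 510]
UNGUARDED = [("input", "n", 0, 255), ("assign", "i", "*", "n", 2),
             ("index", "buf", 256, "i")]
# Same program behind a correct bounds check: the branch narrows i to [0, 255]
GUARDED = [("input", "n", 0, 255), ("assign", "i", "*", "n", 2),
           ("assume", "i", "<", 256), ("index", "buf", 256, "i")]
# Off-by-one guard (i <= 256): i = 256 still reaches the index
OFF_BY_ONE = [("input", "n", 0, 255), ("assign", "i", "*", "n", 2),
              ("assume", "i", "<=", 256), ("index", "buf", 256, "i")]

if __name__ == "__main__":
    for name, prog in (("unguarded", UNGUARDED), ("guarded", GUARDED),
                       ("off_by_one", OFF_BY_ONE)):
        print(name, analyze(prog))
```

Intervals over-approximate: the analysis can report an index that is unreachable in practice (a false positive) but, as long as every operation is modelled soundly, it never misses a range that can reach the error condition.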
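The second group in the last row above, using a known vulnerability to find code with the same pattern, is usually done by turning each function into a feature vector (the API symbols it uses and how its syntax tree is shaped) and ranking functions by similarity to the known-vulnerable one. The following is an added example, not the paper's code, of a deliberately simplified version of that approach over Python functions: the feature set (callee names, whether a call's first argument is a literal or computed, and string-building syntax) and the four sample functions are invented, and there is no dimensionality reduction as the published technique uses.

```python
"""Toy vulnerability extrapolation: profile a known-vulnerable function by the
API symbols it calls and how it builds their arguments, then rank other
functions by cosine similarity to that profile.

Constructed example over Python source; the feature set is a simplification
of the API-symbol / syntax-tree approach and the sample functions are invented.
"""
import ast
import math
from collections import Counter


def _callee_name(call):
    f = call.func
    if isinstance(f, ast.Attribute):
        return f.attr
    if isinstance(f, ast.Name):
        return f.id
    return None


def features(source):
    """Bag of features for one function: called API symbols, whether each
    call's first argument is a literal or computed, and string-building
    syntax (%-formatting or concatenation with a string literal, f-strings)."""
    feats = Counter()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _callee_name(node)
            if name is None:
                continue
            feats[f"call:{name}"] += 1
            if node.args:
                kind = "literal" if isinstance(node.args[0], ast.Constant) else "dynamic"
                feats[f"arg0:{name}:{kind}"] += 1
        elif isinstance(node, ast.JoinedStr):
            feats["build:str"] += 1
        elif isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
            if any(isinstance(s, ast.Constant) and isinstance(s.value, str)
                   for s in (node.left, node.right)):
                feats["build:str"] += 1
    return feats


def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def rank_by_similarity(known_vulnerable, candidates):
    """Return [(name, score)] with the most similar candidate first."""
    ref = features(known_vulnerable)
    scored = [(name, cosine(ref, features(src))) for name, src in candidates.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed code base. The reference is a known SQL-injection pattern:
# a query assembled from user input and handed to execute().
KNOWN_VULNERABLE = '''
def find_user(cursor, name):
    query = "SELECT * FROM users WHERE name = '%s'" % name
    cursor.execute(query)
    return cursor.fetchone()
'''

CANDIDATES = {
    # same pattern, different API surface (f-string instead of %-formatting)
    "delete_session": '''
def delete_session(cursor, sid):
    cursor.execute(f"DELETE FROM sessions WHERE id = '{sid}'")
    cursor.connection.commit()
''',
    # same APIs but a parameterised query: shares symbols, not the pattern
    "find_by_email": '''
def find_by_email(cursor, email):
    cursor.execute("SELECT * FROM users WHERE email = ?", (email,))
    return cursor.fetchone()
''',
    # unrelated code
    "load_config": '''
def load_config(path):
    with open(path) as fh:
        return json.load(fh)
''',
}

if __name__ == "__main__":
    for name, score in rank_by_similarity(KNOWN_VULNERABLE, CANDIDATES):
        print(f"{score:.3f}  {name}")
```

The ranking is a triage aid, not a verdict: `find_by_email` still scores well because it shares `execute`/`fetchone` with the reference, so each hit near the top must be audited by hand, which is exactly how the extrapolation work frames its output.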