KR101640479B1 - Software vulnerability attack behavior analysis system based on the source code - Google Patents
- Publication number
- KR101640479B1 (application number KR1020150121728A)
- Authority
- KR
- South Korea
- Prior art keywords
- vulnerability
- analysis
- software
- attack
- source code
- Prior art date
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Stored Programmes (AREA)
- Computing Systems (AREA)
Abstract
Description
The present invention relates to source-code-based analysis of attacks on software vulnerabilities, and more particularly to a source-code-based software vulnerability attack analysis system that uses the vulnerability detection results obtained from the information collection and static source code analysis used for analyzing software vulnerabilities to define the actions by which a vulnerability in actual software can be exploited.
Most recent security problems that exploit security vulnerabilities are due to software vulnerabilities. Security vulnerabilities in software are caused by developer mistakes.
A security weakness is a property that stems from fundamental problems in software and can cause security incidents. When a hacker exploits a security weakness, it becomes a security vulnerability and causes security incidents.
A security vulnerability, seen from another angle, is not a fundamental underlying problem of software but a security problem in an individual piece of software caused by the mistakes of its developers.
Software vulnerability analysis is mostly performed in environments where the source code cannot be obtained, so it takes the form of a black-box test that can be carried out with only an executable file. A black-box test is a test method that treats the software as a black box whose internal operation cannot be observed and analyzes it based on its input and output values.
To determine whether software can be compromised, vulnerabilities are detected through dynamic analysis of the software's source code and dynamic analysis of memory, registers, and so on while the software is running, and it is then judged whether the software can be compromised.
These methods fall into three categories: information collection, static analysis, and dynamic analysis.
First, information about the software is gathered, for example by crawling, and vulnerabilities are predicted for the environment in which the software operates.
Second, the source code of the software is analyzed, for example by symbolic auditing, to check whether it contains source code known to be vulnerable or a flow that does not go through the normal processing procedure, and the software is checked for vulnerabilities in this way.
Third, the software is run under techniques such as fuzzing and taint analysis, which feed it the various values that can be input during execution or check the effect of input values on memory, registers, and so on, to examine whether there is an exploitable part.
Prior art for checking and analyzing software vulnerabilities is disclosed in Patent Documents 1 and 2 below.
The prior art disclosed in Patent Document 1 includes a target function selection module for selecting a function of software on which to perform a software vulnerability check; a comparison file generation module for generating a first file and a second file not including the selected function; a binary pattern comparison module for comparing the binary values of the first file and the second file to search for a changed or added binary pattern; a test case generation module that generates one or more test cases based on the retrieved binary patterns; and a vulnerability verification module that performs a vulnerability check based on the one or more test cases and generates a vulnerability check result.
According to this prior art, fuzzing is performed intensively on the portions that are changed or added for each function of the software, so that not only can the vulnerabilities of each function of the software be found but the efficiency of fuzzing can also be increased.
The prior art disclosed in Patent Document 2 defines, as rules, the weaknesses that may become vulnerabilities when source code is written at the software development stage, analyzes the input source and compares it against those rules, detects security vulnerabilities in real time, and provides a solution.
According to this prior art, weak security points are prevented in advance at the program development stage, which reduces the security incidents that occur after the program is executed and thus the time and cost required for security prevention.
However, the general software vulnerability analysis techniques and the prior art described above go no further than checking basic data about the exploitability of software. They cannot explain procedurally how an expected vulnerability will affect the software, and they have the limitation that an expected vulnerability must be verified by relying on experience.
Accordingly, the present invention has been made to solve the above-mentioned problems of the prior art. Its object is to provide a source-code-based software vulnerability attack analysis system capable of defining the actions by which the vulnerabilities of actual software can be exploited.
Another object of the present invention is to provide a source-code-based software vulnerability attack analysis system that presents the vulnerability information of software as an attack procedure, making it easy to analyze how a vulnerability is exploited and providing a basis for proving a vulnerability of the target software from that attack procedure.
To achieve the above objects, a source-code-based software vulnerability attack analysis system according to the present invention includes: a vulnerability manifestation environment analysis engine that, based on software vulnerability information obtained through collection of software execution-related information, source code branch flow suitability analysis, and source code weakness static analysis, compares the environment required to run the software with the environment in which the vulnerability can be exploited, and analyzes whether the vulnerability is manifested when the software is actually operated;
a vulnerability attack flow analysis engine that, based on software vulnerability information obtained through the source code branch flow suitability analysis, the source code weakness static analysis, analysis of the input values possible at software execution, and analysis of the influence of input values at software execution, analyzes whether the known attack behaviors in the software flow can be defined as a series of consecutive attacks; and
a scenario construction engine that, based on the results of the vulnerability manifestation environment analysis engine and the vulnerability attack flow analysis engine, determines whether an exploitable vulnerability exists in a flow in which the vulnerability can be exploited.
The vulnerability manifestation environment analysis engine comprises: a software execution environment analysis module that classifies the program installation environment, based on the obtained software vulnerabilities, according to dictionary criteria including operating system, compiler, and related libraries, and redefines it to be compatible with the vulnerability manifestation environment; a vulnerability manifestation environment analysis module that extracts preset management areas from the list of occurrence environments in the software vulnerability information and defines them as dictionary criteria compatible with the program installation environment; and a vulnerability code clone analysis module that verifies the analysis results of the software execution environment analysis module and the vulnerability manifestation environment analysis module through cross queries, reflects the pre-analysis result and the final analysis result in the vulnerability database, and manages the proportion of the vulnerability code to be higher.
The vulnerability attack flow analysis engine comprises: a vulnerability-associated attack behavior analysis module that, for each vulnerability in the vulnerability database defined by the source code weakness static analysis, catalogs the attack behaviors associated with the vulnerability into flows by means of an attack tree; a vulnerability-associated software structure analysis module that, based on the source code flow tree produced by the source code branch flow suitability analysis and the flow tree of input value influence for the vulnerabilities defined in the input value analysis at software execution, analyzes whether vulnerability-related characteristics appear consecutively and catalogs the associated attack behaviors into flows; and a vulnerability linkage flow definition module that reviews the items that intersect in the flow lists produced by the vulnerability-associated attack behavior analysis module and the vulnerability-associated software structure analysis module, and reconstructs the vulnerability linkage flow.
The scenario construction engine comprises: an infringement scenario building module that, based on the analysis results of the vulnerability manifestation environment analysis engine and the vulnerability attack flow analysis engine, applies the vulnerabilities analyzed as manifested to the list of attack behaviors, extracts the list of attack behaviors that can actually occur, and constructs an infringement scenario; and an attack behavior technical constraint review module that, based on the infringement scenario constructed by the infringement scenario building module and the database of the source code weakness static analysis, examines the technical constraints that apply to the attacks actually expected to occur.
According to the present invention, even when underlying knowledge of vulnerabilities and attacks is insufficient, exploitability can be verified by defining attack behavior that includes the relation between the operating environment and the vulnerabilities and the actions that can be abused. Software vulnerabilities that are difficult to verify by identifying a single vulnerability can thus be detected and defined based on the source code. This has the advantage that security against the vulnerabilities of software in a software development project can be provided from a real attacker's point of view.
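The three engines described above can be read as a triage pipeline over static-analysis findings. The following is an added example, not code from the patent: the data layout, function names, weakness labels, and sample values are all assumptions constructed for illustration.

```python
"""Triage sketch: environment match -> flow intersection -> scenario list.
All findings, graphs and labels below are constructed sample data."""
from collections import deque

# Findings from source code weakness static analysis (constructed).
# "env" lists, per dictionary criterion, the values under which the
# vulnerability manifests; a missing criterion means "any".
FINDINGS = [
    {"id": "F1", "weakness": "unbounded-copy", "function": "parse_header",
     "env": {"os": {"linux"}, "compiler": {"gcc"}}},
    {"id": "F2", "weakness": "format-string", "function": "log_debug",
     "env": {"os": {"windows"}}},
    {"id": "F3", "weakness": "unbounded-copy", "function": "legacy_import",
     "env": {"os": {"linux"}}},
]
# Program installation environment, classified by the same criteria.
RUNTIME_ENV = {"os": "linux", "compiler": "gcc", "library": "libfoo-1.2"}
# Source code flow tree (call graph) and functions influenced by input values.
CALL_GRAPH = {"main": ["read_request", "log_debug"],
              "read_request": ["parse_header"],
              "parse_header": [], "log_debug": [], "legacy_import": []}
INPUT_INFLUENCED = {"read_request", "parse_header"}
# Attack tree catalog: weakness class -> ordered attack behaviors (abstract).
ATTACK_TREE = {"unbounded-copy": ["oversized-input", "memory-corruption"],
               "format-string": ["crafted-format", "memory-disclosure"]}
# Technical constraints: behavior -> environment feature that restricts it.
CONSTRAINTS = {"memory-corruption": "stack-protector"}


def manifests(finding, env):
    """Environment engine: every criterion the vulnerability requires
    must match the environment the software actually runs in."""
    return all(env.get(k) in allowed for k, allowed in finding["env"].items())


def flow_to(function, graph, entry="main"):
    """Flow engine: shortest call path from the entry point, or None."""
    queue, seen = deque([[entry]]), {entry}
    while queue:
        path = queue.popleft()
        if path[-1] == function:
            return path
        for callee in graph.get(path[-1], []):
            if callee not in seen:
                seen.add(callee)
                queue.append(path + [callee])
    return None


def build_scenarios(findings, env, graph, influenced, tree, constraints,
                    features):
    """Scenario engine: keep findings that manifest AND sit on an
    input-influenced flow, then flag behaviors restricted by `features`."""
    scenarios = []
    for f in findings:
        if not manifests(f, env):
            continue                      # wrong environment: not manifested
        path = flow_to(f["function"], graph)
        if path is None or f["function"] not in influenced:
            continue                      # no flow crosses the attack tree
        steps = tree.get(f["weakness"], [])
        constrained = [s for s in steps if constraints.get(s) in features]
        scenarios.append({"finding": f["id"], "path": path,
                          "behaviors": steps, "constrained": constrained})
    return scenarios


if __name__ == "__main__":
    for s in build_scenarios(FINDINGS, RUNTIME_ENV, CALL_GRAPH,
                             INPUT_INFLUENCED, ATTACK_TREE, CONSTRAINTS,
                             {"stack-protector"}):
        print(s)
```

Of the three constructed findings only F1 survives: F2 requires a different operating system, and F3 manifests in the environment but lies on no flow reachable from the entry point.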
FIG. 1 is a schematic configuration diagram of a source code-based software vulnerability attack analysis system according to a preferred embodiment of the present invention;
FIG. 2 is a block diagram of an embodiment of the basic software vulnerability analysis engine of FIG. 1;
FIG. 3 is a block diagram of an embodiment of the vulnerability manifestation environment analysis engine of FIG. 1;
FIG. 4 is a block diagram of an embodiment of the vulnerability attack flow analysis engine of FIG. 1;
FIG. 5 is a block diagram of an embodiment of the scenario construction engine of FIG. 1.
Hereinafter, a source code-based software vulnerability attack analysis system according to a preferred embodiment of the present invention will be described in detail with reference to the accompanying drawings.
FIG. 1 is a schematic block diagram of a source code-based software vulnerability attack analysis system according to a preferred embodiment of the present invention.
The source code-based software vulnerability attack analysis system according to the present invention includes a basic software
The basic software
The vulnerability manifesting
The vulnerability attack
The
The operation of the source code-based software vulnerability attack analysis system according to the preferred embodiment of the present invention will now be described in detail.
First, the basic software
2, the
When the basic software vulnerability analysis is performed as described above, the vulnerability manifesting
3, the program installation environment collected through the software execution-related
In addition, the vulnerability analysis
The analysis results defined in the structured environment, that is, the software execution
For example, the vulnerability manifestation
Next, the vulnerability attack
For example, source code branch flow suitability analysis, source code weak point static analysis, function input value analysis at software execution, and input analysis result at software execution ◎ Tree structure analysis and vulnerability association analysis .
4, the vulnerability-associated attack
In addition, the vulnerability-related software
Then, the vulnerability linkage
Finally, the
5, a list of attacking actions derived based on the analysis results of the vulnerability detection
In addition, the attacking technology description
Among these structured results, an attack procedure that can exploit a proven vulnerability can by itself verify that the vulnerability can be abused, and the structured result can be used as base data for actually verifying the attack behavior.
Although the present invention has been described in detail with reference to the above embodiments, it is needless to say that the present invention is not limited to the above-described embodiments, and various modifications may be made without departing from the spirit of the present invention.
The present invention is applied to a technique for defining an attacking behavior that infringes a software vulnerability based on source code.
10: Basic software vulnerability analysis engine
11: Crawling engine
12: Symbolic engine
13: Auditing engine
14: Fuzzing engine
15: Taint engine
20: Vulnerability manifestation environment analysis engine
21: Software execution environment analysis module
22: Vulnerability manifestation environment analysis module
23: Vulnerability code clone analysis module
30: Vulnerability attack flow analysis engine
31: Vulnerability-associated attack behavior analysis module
32: Vulnerability-associated software structure analysis module
33: Vulnerability linkage flow definition module
40: Scenario construction engine
41: Infringement scenario building module
42: Attack behavior technical constraint review module
Claims (4)
A vulnerability manifestation environment analysis engine that, based on software vulnerability information obtained through collection of software execution-related information, source code branch flow suitability analysis, and source code weakness static analysis, compares the environment required to run the software with the environment in which the vulnerability can be exploited, and analyzes whether the vulnerability is manifested when the software is actually operated;
a vulnerability attack flow analysis engine that, based on software vulnerability information obtained through the source code branch flow suitability analysis, the source code weakness static analysis, analysis of the input values possible at software execution, and analysis of the influence of input values at software execution, analyzes whether the known attack behaviors in the software flow can be defined as a series of consecutive attacks; and
a scenario construction engine that, based on the results of the vulnerability manifestation environment analysis engine and the vulnerability attack flow analysis engine, determines whether an exploitable vulnerability exists in a flow in which the vulnerability can be exploited; the foregoing constituting a source code-based software vulnerability attack analysis system.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150121728A KR101640479B1 (en) | 2015-08-28 | 2015-08-28 | Software vulnerability attack behavior analysis system based on the source code |
PCT/KR2016/007283 WO2017039136A1 (en) | 2015-08-28 | 2016-07-06 | System for analyzing attack action for vulnerable point of source code-based software |
Publications (1)
Publication Number | Publication Date |
---|---|
KR101640479B1 (en) | 2016-07-18 |
Family
ID=56679816
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020150121728A KR101640479B1 (en) | 2015-08-28 | 2015-08-28 | Software vulnerability attack behavior analysis system based on the source code |
Country Status (2)
Country | Link |
---|---|
KR (1) | KR101640479B1 (en) |
WO (1) | WO2017039136A1 (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112788009B (en) * | 2020-12-30 | 2023-01-17 | 绿盟科技集团股份有限公司 | Network attack early warning method, device, medium and equipment |
CN115801408A (en) * | 2022-11-17 | 2023-03-14 | 国网福建省电力有限公司 | Security state monitoring method based on attack access analysis |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20050100278A (en) * | 2004-04-13 | 2005-10-18 | 한국전자통신연구원 | Vulnerability analysis apparatus and method of web application |
KR100653122B1 (en) | 2005-08-31 | 2006-12-01 | 학교법인 대전기독학원 한남대학교 | Real-time detection system and method based rule for safety software development |
KR20090044656A (en) | 2007-11-01 | 2009-05-07 | 한국전자통신연구원 | Device and method for inspecting vulnerability of software |
JP2010507165A (en) * | 2006-10-19 | 2010-03-04 | チェックマークス リミテッド | Detect security vulnerabilities in source code |
KR101479516B1 (en) * | 2014-03-05 | 2015-01-07 | 소프트포럼 주식회사 | Source code security weakness detection apparatus and method |
KR101507469B1 (en) * | 2015-01-06 | 2015-04-03 | (주)싸이버텍 | Method for providing source code analysis service |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2015130152A (en) * | 2013-12-06 | 2015-07-16 | 三菱電機株式会社 | Information processing device and program |
-
2015
- 2015-08-28 KR KR1020150121728A patent/KR101640479B1/en active IP Right Grant
-
2016
- 2016-07-06 WO PCT/KR2016/007283 patent/WO2017039136A1/en active Application Filing
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018101575A1 (en) * | 2016-11-29 | 2018-06-07 | 한국전력공사 | Binary code-based embedded software vulnerability analysis device and method therefor |
KR20190090436A (en) * | 2018-01-25 | 2019-08-02 | 주식회사 엑스게이트 | Apparatus, method and system for checking vulnerable point |
KR102032958B1 (en) * | 2018-01-25 | 2019-10-16 | 주식회사 엑스게이트 | Apparatus, method and system for checking vulnerable point |
KR101963756B1 (en) | 2018-11-19 | 2019-03-29 | 세종대학교산학협력단 | Apparatus and method for learning software vulnerability prediction model, apparatus and method for analyzing software vulnerability |
KR20200080541A (en) * | 2018-12-27 | 2020-07-07 | 아주대학교산학협력단 | Apparatus and method for detecting vulnerability of software |
KR102190727B1 (en) | 2018-12-27 | 2020-12-14 | 아주대학교산학협력단 | Apparatus and method for detecting vulnerability of software |
KR20220007395A (en) * | 2020-07-10 | 2022-01-18 | 한국전자통신연구원 | Apparatus and Method for Classifying Attack Tactics of Security Event in Industrial Control System |
KR102357630B1 (en) * | 2020-07-10 | 2022-02-07 | 한국전자통신연구원 | Apparatus and Method for Classifying Attack Tactics of Security Event in Industrial Control System |
Also Published As
Publication number | Publication date |
---|---|
WO2017039136A1 (en) | 2017-03-09 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AMND | Amendment | ||
AMND | Amendment | ||
E601 | Decision to refuse application | ||
AMND | Amendment | ||
X701 | Decision to grant (after re-examination) | ||
GRNT | Written decision to grant |