This year I got to attend ACSAC, a conference that covers a wide range of security fields. Now in its 23rd year, the conference covers many areas of security, but since I had been interested in the recent topics of virtualization and security, and in distributed systems, and there were talks on exactly that, it stimulated my curiosity even more.
At the reception the day before the conference I was able to talk with several speakers. Most of the speakers and attendees were from academia rather than industry. The conference chair said that among academic conferences it is the one closest to practice, and seemed to take a lot of pride in that.
About 200 people attended, mostly from academia and research institutes. The program was organized into three tracks, and the atmosphere was quite different from industry conferences that focus on one specific field.
On virtualization, the area I was interested in, a researcher from Australia who builds security technology on top of distributed systems told me: "Even with virtualization technology, sharing is required between the host and the guest, so perfect security is hard; rather than that approach, we build system security on a new platform by having data flow through a distributed system." The virtualization vendors VMware and IBM, and the US Navy(?), which runs a project using Xen, likewise seemed to hold the position that perfect security is not achievable, but that security has to be viewed from a different focus.
For example, in a virtual environment every virtual-memory operation can be handled in the VMM, so concepts such as building an "Immune Virtual Memory" can be introduced, making it possible to specialize the protection for particular purposes.
It certainly sounded plausible. Anyway, it was a good opportunity to look at the security field from a wider perspective.
Spoke on the paper titled "Hackers are storming: New Attack Trend in Online Game Security Area" at AVAR 2007
<About AVAR, cited from AVAR> (Association of anti Virus Asia Researchers International Conference) AVAR is a non-profit organization whose primary objective is to prevent the spread and the damage caused by malicious code. AVAR now comprises members from 15 countries/regions, not just from the Asia Pacific area, but from all over the world.
This demonstrates that the anti malware research activities of AVAR have extensive support from many countries, corporations, and individuals. In the past years, we have been facing a new era in internet security. The objective of malicious code has changed to its use as a tool to steal corporate secrets and private information. To prevent such crimes, AVAR 2007 will provide possibly the best opportunity to learn about the latest anti malware technology and discuss the major issues in worldwide information security technology. I hope you can join us and benefit from this conference. I look forward to meeting you at AVAR 2007 in Seoul, Korea.
<The paper that I spoke on at the conference.> Title: Hackers are storming: New Attack Trend in Online Game Security Area. Deokyoung Jung & Howoong Lee, AhnLab Inc.
Abstract: Since the internet became popular, hackers have expanded their attacks in a variety of ways, and one of the areas they target for fraudulent gain is online games. In Korea, due to the prevalence of the internet, the Korean culture of online gaming and the appearance of the pro-gamer, there has been an explosion of online games. As a result, virtual game money and items, in the case of MMORPGs (Massively Multi-player Online Role Playing Games), are treated as real money, creating a new kind of market to which hackers have now turned their attention. They now use their skills maliciously to profit illegally. Game companies are baffled, among other things, by unfair play by game hackers using special tools against ordinary users, who may quickly lose interest in specific games. Even though game software companies use intricate designs, hackers can still jeopardize the longevity of games. Some hackers maliciously steal software information such as personal information, so that those companies lose their reputation and profits. Previous attacks by hackers targeted the general public in a variety of areas, but game hackers now have a specific target in mind, viz. game companies, because they can make illegal profits. In the past, hacking was generally only for fun, but through the confluence of ideas among many kinds of hackers there is now an exchange of techniques such as "Root-kit", "Runtime Packing" and "Code-Injection", used by hackers in various ways and connected to problems in all areas of computer security. Online game hacking has been progressing, inter-related with other malicious code, and it will be a source of problems for all of security. We will present the growth of the Korean online game industry and explain the social problems of online game hacking, and the trends of attack and defense from the perspective of an anti-virus company. ...
Selected the paper titled "ANTI-MALWARE EXPERT SYSTEM"
< About VB(Virus Bulletin) Conference > Over its 17-year history, the VB conference has become a major highlight of the anti-malware calendar, with many of its regular attendees citing it as the anti-malware event of the year. The VB conference provides a focus for the anti-malware industry, representing an opportunity for experts in the anti-malware arena to share their research interests, discuss methods and technologies and set new standards, as well as meet with - and learn from - those who put their technologies into practice in the real world.
Split into two streams, the conference program caters for both technical and corporate audiences, covering a wide range of anti-malware and spam-related subjects. Delegates range from dedicated anti-malware researchers to security experts from government and military organizations, legal, financial and educational institutions and large corporations worldwide.
<Notice> I'm very sorry that I could not be there because of my work. But my co-author, Mr. Hwang, will speak on the paper. I hope to see the researchers next time.
<Our Paper> Title: ANTI-MALWARE EXPERT SYSTEM. Kyu-beom Hwang and Deok-young Jung, AhnLab Inc.
Abstract: The expert system is a useful approach for analyzing malware and other kinds of software. We designed an anti-malware expert system using our compiled research results.
AMES (AhnLab anti-Malware Expert System) consists of automatic static/dynamic analysis systems, classification technology for malware and non-malware, and environment analysis. This system helps to minimize human error, i.e. false positive detection. Diverse approaches, such as malware auto-analysis systems, malware classification and static/dynamic analysis technology for malware, have been tried by AV/AM researchers. Inferring malware from function signatures and detecting behavior patterns of malware are some of the purposes of AMES. If a sample is malware, then AMES generates a detection signature automatically. Of course, it is difficult to predict all "malicious" code automatically, but we get useful results using our malware knowledge database. We think that the core technology is able to judge whether a code is malware or not, and will be able to classify it accordingly. In the traditional virus case, if a virus-infected program 'A+V' consists of a safe program 'A' and a virus function 'V', and almost all of the functions of 'A+V' are not virus functions, but all functions of 'A+V' are the same as those of 'A', then our AMES will treat it as a virus. The knowledge database holds a large amount of information: the analysts' study results, extracted functions and behavioral information on collected virus and non-virus samples. To build the knowledge database, we designed three categories. The first is a function-based static analysis environment. The second is a virtual-machine-based dynamic analysis system, while the last one is a human-based active analysis environment. We designed a generic unpacking method for runtime-packed samples on virtual machines and plug-in runtime debuggers.
The objective of AMES is to help analysts evaluate samples and judge malware as a variant or as non-malware. AMES uses classification technology and function similarity in collaborative analysis technology. We will make the system more concrete by using various dynamic analysis research results in a virtualization environment.
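The function-signature judgement described in the abstract (the 'A+V' case, the variant/non-malware split, and the automatically derived detection signature) can be shown with a small classifier. The code below is an added illustration, not AhnLab's AMES code: the function bodies, the truncated-SHA-256 "signature", the single clean program A, the virus body V and the 0.5 variant threshold are all constructed assumptions.

```python
import hashlib
from typing import Dict, Set


def function_signature(body: bytes) -> str:
    """Signature for one function body.

    Constructed stand-in: a truncated SHA-256 of the raw bytes. A real engine
    would normalise relocations and operands before hashing.
    """
    return hashlib.sha256(body).hexdigest()[:16]


def extract_signatures(functions: Dict[str, bytes]) -> Set[str]:
    """Function-signature set of a program given as {name: body}."""
    return {function_signature(body) for body in functions.values()}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Set similarity in [0, 1]; 0 for two empty sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


# Constructed knowledge base: one clean program 'A' and one virus body 'V'.
PROGRAM_A = {
    "main":      b"\x55\x8b\xec\x83\xec\x10\xe8\x10\x00\x00\x00\xc9\xc3",
    "read_cfg":  b"\x55\x8b\xec\x6a\x00\xe8\x20\x00\x00\x00\xc9\xc3",
    "save_data": b"\x55\x8b\xec\x8b\x45\x08\x50\xe8\x30\x00\x00\x00\xc9\xc3",
}
VIRUS_V = {
    "infect_pe": b"\x60\xe8\x00\x00\x00\x00\x5d\x81\xed\x06\x10\x40\x00\x61\xc3",
}
KNOWN_CLEAN = {"A": extract_signatures(PROGRAM_A)}
KNOWN_VIRUS = extract_signatures(VIRUS_V)

VARIANT_THRESHOLD = 0.5  # assumed cut-off for "variant of a known clean program"


def classify(sample: Dict[str, bytes]) -> Dict[str, object]:
    """Judge a sample from its function signatures.

    Returns the verdict, the closest known clean program and the Jaccard
    similarity to it, and, for malware, a detection signature derived
    automatically from the matched virus functions.
    """
    sigs = extract_signatures(sample)
    virus_hits = sigs & KNOWN_VIRUS
    host, sim = max(
        ((name, jaccard(sigs, known)) for name, known in KNOWN_CLEAN.items()),
        key=lambda item: item[1],
    )
    result = {"verdict": "unknown", "closest": host,
              "similarity": round(sim, 2), "detail": "", "signature": None}
    if virus_hits:
        # The 'A+V' case: every function of A is still present, plus V.
        infected_host = KNOWN_CLEAN[host] <= sigs
        result["verdict"] = "malware"
        result["detail"] = f"infected {host}" if infected_host else "virus functions present"
        result["signature"] = "+".join(sorted(virus_hits))
    elif sim == 1.0:
        result["verdict"] = "non-malware"
        result["detail"] = f"identical to {host}"
    elif sim >= VARIANT_THRESHOLD:
        result["verdict"] = "variant"
        result["detail"] = f"variant of {host}; needs analyst review"
    return result


if __name__ == "__main__":
    infected = dict(PROGRAM_A)
    infected.update(VIRUS_V)
    for label, program in (("A", PROGRAM_A), ("A+V", infected)):
        print(label, classify(program))
```

The verdicts fall out of two measures: the intersection with known virus functions decides malware, and the similarity to the closest clean program decides whether a clean-looking sample is identical, a variant that an analyst should review, or simply unknown. A sample whose clean functions all remain but which gained a virus function is reported as an infected copy of that host, which is the 'A+V' situation the abstract describes.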
The paper called "Collaborative Malicious Code Analysis System" at VB2006
In 2006 we submitted the paper "Collaborative Malicious Code Analysis System" to VB2006, and it was accepted. We hope to share our experience with other virus researchers. Hope to see you in Montreal, Canada.
COLLABORATIVE MALICIOUS CODE ANALYSIS SYSTEM. Kyu-beom Hwang & Deok-young Jung, AhnLab Inc.
Most malicious code is developed in high-level languages, which increases its code size. Therefore much more effort and time are required for its analysis.
Individual analysis of malicious code cannot guarantee the expected output, because the time available for analyzing each piece of malicious code is limited. Individual analysis, which is currently performed and traditionally accepted, is also not well suited to an entry-level analyst who has just started to learn the work.
Most research efforts to solve this problem rely on the concept of collaboration. Collaboration has so far been achieved by analyzing malicious code with IDA and its plug-ins. However, the analysis results produced under that earlier concept of collaboration could not be reused. In addition, newly emerging malicious code of various types, whose content differs only slightly from the original copy, is not analyzed effectively under the previous concept.
This paper proposes CMAS (Collaborative Malicious code Analysis System), an analysis technique based on a "divide and conquer" approach. CMAS provides guidelines for breaking down the code to be analyzed and assigning each part to an individual who is an expert in a particular field such as network, registry or file. It enables each participant to analyze their part of the code simultaneously over the network. The analyzed data is stored in a central database, and data previously stored in the database can be reused to analyze new malicious code. ...
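The "divide and conquer" assignment described in the abstract (splitting a sample by field such as network, registry and file, and reusing results already stored in the central database) is illustrated below. This is an added example and not the CMAS implementation: the API-to-field table, the sorted-import "function key" used as a stand-in for a real code signature, the sample function list and the stored analysis notes are all constructed.

```python
from collections import Counter
from typing import Dict, List

# Hypothetical table of which specialist field reviews each imported API.
FIELD_OF_API = {
    "socket": "network", "connect": "network", "send": "network", "recv": "network",
    "RegOpenKeyExA": "registry", "RegSetValueExA": "registry", "RegCreateKeyExA": "registry",
    "CreateFileA": "file", "WriteFile": "file", "CopyFileA": "file", "DeleteFileA": "file",
}
FIELDS = ("network", "registry", "file", "generic")


def function_key(apis: List[str]) -> str:
    """Constructed stand-in for a code signature: the sorted import list."""
    return "|".join(sorted(apis))


def field_for(apis: List[str]) -> str:
    """Majority field among the APIs a function calls; 'generic' if none match."""
    votes = Counter(FIELD_OF_API[a] for a in apis if a in FIELD_OF_API)
    return votes.most_common(1)[0][0] if votes else "generic"


def assign_work(functions: Dict[str, List[str]],
                central_db: Dict[str, str]) -> Dict[str, list]:
    """Split a sample into per-field work lists, reusing stored analyses.

    Functions whose key is already in the central database are not assigned
    again; the stored note is attached to them instead.
    """
    plan: Dict[str, list] = {field: [] for field in FIELDS}
    plan["reused"] = []
    for name, apis in functions.items():
        key = function_key(apis)
        if key in central_db:
            plan["reused"].append((name, central_db[key]))
        else:
            plan[field_for(apis)].append(name)
    return plan


def record_result(central_db: Dict[str, str], apis: List[str], note: str) -> None:
    """Store one participant's finding so later samples can reuse it."""
    central_db[function_key(apis)] = note


# Constructed sample: function name -> APIs it imports.
SAMPLE = {
    "sub_401000": ["socket", "connect", "send"],
    "sub_401200": ["RegOpenKeyExA", "RegSetValueExA"],
    "sub_401400": ["CreateFileA", "WriteFile", "RegOpenKeyExA"],  # file 2 : registry 1
    "sub_401600": ["GetTickCount", "Sleep"],                      # no field matches
    "sub_401800": ["CreateFileA", "CopyFileA"],                   # seen in an earlier sample
}
# Constructed central database with one prior result.
CENTRAL_DB = {
    function_key(["CreateFileA", "CopyFileA"]): "copies itself into the system folder (prior analysis)",
}


if __name__ == "__main__":
    plan = assign_work(SAMPLE, dict(CENTRAL_DB))
    for field, items in plan.items():
        print(f"{field:9s} {items}")
```

Each field's list is what one specialist receives; the reused list is what the central database already answers. After a participant calls record_result for a function, the same function in the next sample lands in the reused list instead of being assigned again, which is the reuse the abstract contrasts with the earlier IDA plug-in style of collaboration.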
[AVAR 2005 - Association of Anti Virus Asia Researchers Conference] 2005.11.17
Andy spoke on the paper "New threats on Mobile environment in KOREA" at AVAR 2005. In this paper we researched the security holes and usage problems, the predicted attacks by malicious code, and suggested a guideline for safe mobile phone use.
After finishing the conference, it was very nice hanging out with other analysts, researchers and developers.
Abstract: In Korea, CDMA-based cell phones are used widely. Nowadays many people are concerned about attacks on cell phones by malicious code. Recently malicious code for Symbian OS has been found, and people's concerns are increasing. Of course, in Korea many users worry about the possibility of attacks by malicious code, and the mobile service providers (e.g. SKT, KTF, LGT) do consider such attacks. Two years ago we already developed a signature-based antivirus solution for the SKT CDMA environment, so traditional-style attacks may not be possible for a long time.
In spite of these activities, the security holes lie in users' habits. While a phone is connected to a PC, malicious code is able to exploit it. Illegal contents and firmware are shared on the Internet, so a latent exploit path exists. In the future, the predicted attacks are forgery, modification and theft of contents or data, and breakdown of the phone. In Korea many users use the phone manager and the QPST tool widely.
In this paper we research the security holes and usage problems, the predicted attacks by malicious code, and suggest a guideline for safe cell phone use. The problems we researched are likely to exist in other countries with a similar environment, so cell phone manufacturers, service providers and AV companies should consider these problems.
Kyu-beom Hwang: Kay's main role is to develop and implement core technologies, particularly regarding the scan engine. Scan engine design has been his main interest since the founding days of AhnLab in 1995. Nowadays his interest is in automated systems, and he has been working on such projects for a number of years. Kay is a senior researcher and is devoted to new technological research.
Deok-young Jung: Andy's main role has been to design and implement core technologies, particularly regarding kernel-level code, since 1998 at AhnLab. He has implemented the modules that detect viruses in memory effectively. Nowadays he devotes much of his time to protecting games and AV products against hackers. Andy is a senior researcher and is devoted to new technological research.