introduction to sane lab, korea university

고려대학교정보보호대학원

마스터 제목 스타일 편집


보안성분석평가연구실

김승주교수 ([email protected])

로봇융합관 306호

- Security Engineering : (1) Threat-Risk Modeling(2) Provably Secure Design (3) Automated Verification of Security Implementations (4) (Structured) PenetrationTesting (5) Secure Over-The-Air Software Updates

- Security Evaluation & Certification (including CMVP, CC, C&A, SSE-CMM)

- SDL (Security Development Lifecycle)

연구분야

Security Analysis aNd Evaluation Labwww.KimLab.net / www.SecEng.net

주요 경력 : 1990.3~1999.2) 성균관대학교 공학 학사·석사·박사1998.12~2004.2) KISA 암호기술팀장 및 CC평가1팀장2004.3~2011.2) 성균관대학교 정보통신공학부 부교수2011.3~현재) 고려대학교 사이버국방학과∙정보보호대학원 정교수

Founder of (사)HARU & SECUINSIDE2017.4~현재) 고려대학교 사이버무기시험평가연구센터 부센터장

前) 육군사관학교 초빙교수前) 선관위 DDoS 특별검사팀 자문위원前) KBS ‘명견만리’ 및 ‘장영실쇼’ 및 EBS ‘과학다큐 비욘드’ 출연

現) 한국정보보호학회 이사現) 카카오뱅크 정보보호부문 자문교수現) 개인정보분쟁조정위원회 위원

- ’96: Convertible group signatures (AsiaCrypt)- ’97: Proxy signatures, revisited (ICICS): 690회이상 피인용

* 100회 이상 피인용 논문 건수: 6건- ’06: 국가정보원 암호학술논문공모전 우수상- ’07: 국가정보원장 국가사이버안전업무 유공자 표창- ’12,’16: 고려대학교 석탑강의상- ’13,’17: Smart TV Security (Black Hat USA, Hack In Paris): 삼성 및 LG 스마트TV 해킹(도청∙도촬) 및 해적방송 송출 시연

주요 R&D 성과

삼성전자와 공동으로국내 최초 프린터복합기 보안 인증 획득 (2008년)

LG전자와 공동으로세계 최초 스마트TV 보안 인증 획득 (2015년)

사이버무기시험〮평가연구센터

사이버무기 시험〮평가 연구센터(CW-TEC : Cyber Weapon Test and Evaluation Center)

고신뢰 암호장비실(High-Assurance Cryptography)

고신뢰 시스템〮네트워크실(High-Assurance System•Network)

고신뢰 관리체계실(High-Assurance Management

System)

(센터장 : 황석중 교수, 부센터장 : 김승주 교수)

(실장 : 홍석희 교수) (실장 : 김승주 교수) (실장 : 이경호 교수)

암호알고리즘연구실 (홍석희 교수) 보안성분석〮평가연구실 (김승주 교수) 위험관리연구실 (이경호 교수)

Red Team

CyKor

(사)HARU

(팀장 : 이기택 박사과정)

정형기법연구실 (최진영 교수) 암호프로토콜연구실 (이동훈 교수)

외부 자문단

사이버사, 기무사, KISA, TTA,국가보안기술연구소 등

네트워크연구실 (이원준 교수)

4

SE(Security Engineering) & SDL(Security Development Lifecycle) for High-Assurance Trustworthy(or Dependable) CPS.

Especially, we focus on 1) Threat-Risk Modeling

2) Provably Secure Design

3) Automated Verification of Security Implementations

4) (Structured) Pentesting = TRM-based Pentesting

5) Secure Over-The-Air Software Updates

6) Security Evaluation & Certification (including CMVP, CC, C&A, SSE-CMM).

Our Ultimate Research Objective



6

Cryptography v.s Cryptanalysis

Cryptology :science of secret communication

Cryptography :design secret

systems

Cryptanalysis :break secret

systems



7

Security Engineer : Like to fix systems. Security engineers are more intend on building robust security solutions (Firewalls, IDS, etc.).

Similar Jobs : Information Assurance Engineer, Information Security Engineer, Information System Security Engineer

Security Analyst : Try to break them. Security analysts are more concerned with probing for risks and weaknesses (Pentesting, Auditing, etc.).

Security Engineer v.s Security AnalystOur Concern!



8

Pentesting can identify some vulnerabilities for repair.

However, the failure of any particular penetration team to find vulnerabilities does not imply their absence. It only indicates that the team failed to find

any.

This is the reason we need a rigorous development process (i.e., Security Engineering).

Pentesting Can't Guarantee Coverage!

☞ Daniel Jackson et al., "Software for Dependable Systems: Sufficient Evidence?"



9

Our motto is …



CryptographySecurity Engineering

(e.g., High-Assurance Cryptography)

Goal) Security Goal) Trustworthiness(= Dependability = Security +

Safety + Reliability + Availability)

How-to) Strength-Oriented Approach

In many cases, "provable securityin cryptography" means only "design assurance"! i.e., the proposedalgorithm/protocol satisfies certain security goals.

How-to) Robustness(= Strength + Assurance)-Oriented Approach

Standards) CAVP, ISO/IEC 29128 Standards) CMVP, CC, SSE-CMM, MS-SDL, etc.

Define Goals

↓

Design Algorithms/Protocols

↓

Implementation

↓

Operation &Maintenance

"High-assurance (or end-to-endprovable security) in security engineering" means that there is a mathematical proof (or well-definedprocess) that the goals hold for the actual implementation (i.e., "code assurance").

Main research topics of SANE Lab.: Security Engineering for High-Assurance Trustworthy Cyber Systems


마스터 제목 스타일 편집Main research topics of SANE Lab.: Security Engineering for High-Assurance Trustworthy Cyber Systems

End-to-End Proof

High-AssuranceCyber System



12

Our Works – Messengers (’06)중앙일보

(2006.11.9.)


마스터 제목 스타일 편집Our Works – Smart TV (’13~’17)

[1] “Smart TV Security - #1984 in 21st century”, SeungJin (beist) Lee et al., CanSecWest 2013

[2] “Hacking, Surveilling, and Deceiving Victims on Smart TV”,SeungJin (beist) Lee et al., Black Hat USA 2013

[3] “Developing a Protection Profile for Smart TV”,Minsu Park et al., International Common Criteria Conference 2014

[4] “(The First Experimental) Study on Smart TV Forensics”,Heesoo Kang et al., Journal of the KIISC, 2014 (in Korean)

2013.3

2013.7

2014.9

2014.10

[5] (R&D with LG electronics) we got TTA-verifiedsecurity certification for Smart TV from TTA

2015.12

[6] ”Further Analysis on Smart TV Forensics",Minsu Park et al., Journal of Internet Technology (SCI-Indexed Journal),2016.11 (Accepted for Publication)

2016.11

[7] (R&D with LG electronics) We received 'world-first' Common Criteria EAL2 certificationfor home appliances (Smart TV). 2017.4

[8] “Are you watching TV now? Is it real?: Hacking of smart TV with 0-day”JongHo Lee et al., Hack in Paris 2017 2017.6

[10] “LG vs. Samsung Smart TV: Which Is Better for Tracking You?”Sangmin Lee et al., CODE BLUE 2017

2017.11[9] “How to Obtain Common Criteria Certification of Smart TV for Home IoT

Security and Reliability”, Sooyoung Kang et al., Symmetry-Basel (SCI-Indexed Journal)

2017.10



14

Our Works – Femtocell (’15)



15

Our Works – DDoS (’15)



16

Our Works – Forensics (’17)



17

Our Works – Evaluation (’06~’13)



18

Our Works – SDL (’13)



(Founder & Board Member : Seungjoo Kim, 2011)

Our Works (’11~Current)



20

Information Assurance Engineer



21

Information Assurance Engineer

(Paul Curran, “Cyber Security Today: Career Paths, Salaries and In-Demand Job Titles”, Aug 30, 2016)