Seon Kwon Kim



Contact

godmakessky@gmail.com
+82-10-3151-6243


I received the B.S. degree in computer science and electronics engineering from Handong Global University, Pohang, South Korea, and the M.S. degree in cyber security from Korea University, Seoul, Korea. I am currently pursuing a Ph.D. program at the Graduate School of Information Security, KAIST, Daejeon, South Korea. My research interests include Federated Learning, XAI, and AI Security.

I am interested in the intersection of security and artificial intelligence, focusing on developing defense techniques for attacks on software and networks. My research focuses on the synergy between deep learning models and multivariate data, including side-channel information, to enhance defense mechanisms against diverse attacks in various environment. Furthermore, I am eager to solve security problems through privacy-aware programming. In detail, I aim to develop human-centered security solutions. I want to explore how the design of dialogue tutors can enhance the qualities of privacy-aware programming. I anticipate that utilizing natural language processing (NLP) for privacy-aware programming can create interactive learning experiences and customized learning materials.

Project Experience

This project was commissioned by the Agency for Defense Development. I participated in the project as a researcher in the Embedded Security Lab. The project aimed to prevent the forgery of programs and the exposure of algorithms and data utilized by programs and applications in the South Korean military. During the project, I:

  1. Researched a new data obfuscation method based on mixed boolean-arithmetic.
  2. Designed a novel control flow obfuscation method using dummy statements and our new data obfuscation method.
  3. Investigated metrics to measure the strength of obfuscation.

This project was commissioned by the National Research Foundation of Korea. I participated in the project as a researcher in the Embedded Security Lab, developing security solutions that utilized side-channel information from the PHY-level. The project aimed to detect, defend against, and respond to attacks on cyber-physical systems, including smartwatches, car smart keys, and PC systems.
Throughout the project, I concentrated on developing a defense technique against control-flow attacks for PC systems (Linux, Windows). This involved incorporating both anomaly detection using deep learning and system information as a combination of hardware performance counter data in the hardware layer and system utilization data in the kernel layer.

This project was commissioned by the Institute for Information & communication Technology Planning & evaluation. I participated in the project as a researcher in the Embedded Security Lab. The project aimed to create a new way to detect and respond to issues in autonomous vehicle networks using artificial intelligence. During the project, I:

  1. Researched security threats and hacking, including attack scenarios and attack vectors targeting the in-vehicle network of autonomous vehicles.
  2. Researched AI-based prediction and analysis techniques for security threats against the in-vehicle network.

KU-Smart Mask was designed to recognize one's own bad breath through a simple interface between a mask sensor and a smartphone. Our team developed KU-Smart Mask, incorporating an Arduino and a cross-platform mobile application for sensing and analyzing human breath. The primary goal was to eliminate the unpleasant experience of bad breath in face-to-face situations where the mask is removed.

This project was conducted as a Post-Capstone Research course. The project aimed to design a cross-platform mobile application to assist visually impaired individuals in their shopping activities by providing audio guidance about groceries' information.
The application primarily incorporates both NFC tagging and voice recognition (text-to-speech & speech-to-text) techniques. When the application's users buy their groceries, they can use its functions by using their voice. They simply pick up a product, tag it with their phones, and listen to its information such as name, price, duration, and ingredients.

This project was commissioned by Doreiku Co. Our team utilized various web development tools based on Java Enterprise Edition 8. The objective was to enable users without programming knowledge to develop web pages that seamlessly integrate both back-end and front-end functionalities. The web page design involves all functions operating based on a graphical user interface (GUI), allowing users to create web pages through a drag-and-drop interface for web components.

2019   Industry and Academy Capstone Design Project: A enterprise web solution
  • Team Lead for a 2-member team with a professor advisor and a company president, to develop a web-based international track and field tournament system.
  • Utilized Java EE 8 and responded to multi-view and internationalization dynamically.
2018   FPGA Design Project: A shooting game with various I/O devices
  • Used Nexys DDR 4 board by Verilog with a computer monitor, a speaker and a PS2 Keyboard to play the game.
2017   Arduino Design Project: A device to show on a screen display about seats in a library
  • Used Arduino by Sketch with PIR sensors and servomotors to detect whether people sit in a library chair or not.
2017   Business Design Project for an IT Start-up in China
  • Team Lead for a 5-member team who developed a business project for an IT start-up business in China.
  • Won 1st Place in the contest hosted by Cheil Pengtai Corporation.
  • Utilized Oven, an online prototyping tool.
2017   Product Design Project: A bus application Using Voice Recognition Technology for Blind People
  • Part of a 3-member team with a professor advisor, to develop a product to address the needs of Pohang city residents who are blind.
  • Utilized Android by Java and researched GPI technology and Open API as a programmer.

Work Experience

Research

Publications

Abstract: As modern return-oriented programming (ROP) attacks have become more sophisticated, preventing or detecting these attacks is essential for real-world exploit defense. As an alternative to many defense techniques of ROP attacks that require software modification and hardware assistance, researchers have proposed ROP defense techniques using hardware performance counters (HPCs) to mitigate concerns about additional cost and compatibility issues. However the existing HPC data-based ROP detection techniques typically suffer from low detection performance mainly because of the non-deterministic nature of HPCs. To address these issues, we propose DROPSYS, an enhanced detection of ROP attacks using system information. DROPSYS is based on the detection of the abnormal change of system information that takes place during ROP attacks. Differing from the existing techniques, DROPSYS harnesses not only HPC data, but also system utilization data to mitigate the non-deterministic nature of HPCs. Using both HPCs of processors and system utilization of operating systems makes transparent operation without requiring any modifications to the protected programs. DROPSYS uses a long short-term memory-based variational autoencoder to effectively analyze the multivariate time-series HPC data and system utilization data for better detection performance. DROPSYS also performs feature selection for low computational overhead while maintaining the attack detection performance. In our experiments with real-world ROP exploits, DROPSYS successfully detected ROP code execution in all tested programs. Evaluation results show that DROPSYS effectively captures the behaviors and effects of ROP attacks and can detect the attacks with a 0.028% false positive rate. The accuracy of DROPSYS is 95.3%, and its F1 score is 94.9%---a figure much higher than those of existing techniques that utilize only HPC data.

Abstract: Malicious attackers exploit memory vulnerabilities to carry out control-flow attacks, such as a ROP attack, negatively impacting the system. They execute malicious code with adverse effects on the system through these control flow attacks. While techniques to safeguard programs from ROP attacks have primarily focused on preserving the integrity of return addresses and function pointers, there is insufficient research on protection techniques for frequently used data pointers residing in memory. This is due to the more frequent declaration and use of data pointers compared to other pointer objects, resulting in a higher cost of integrity verification. In this paper, we propose a technique that utilizes the pointer authentication function provided by the ARM architecture for efficient integrity verification of pointers. The hardware support functions help significantly mitigate negative performance impacts while ensuring high-security levels for data pointer protection. The proposed technique operates through hardware-based keyed MAC generation and verification instructions. It analyzes the declaration and usage of data pointers during the compilation process, inserts ARM PA instructions, and generates MAC values with appropriate context values.

Abstract: Code obfuscation serves as a method to safeguard a program's intellectual property rights against malicious software analysis through reverse engineering. Within code obfuscation, control flow obfuscation makes it challenging to analyze the program by intricately altering its control flow. However, in general, the control flow of a program with obfuscated control flow is statically determined, rendering it susceptible to dynamic analysis. Recently, a technique was proposed to address this issue, utilizing dynamic opaque predicate. However, the technique has a limitation—once the control flow is determined through the first opaque predicate, the subsequent control flow becomes fixed. This paper introduces a novel dynamic control flow obfuscation technique designed to address these limitations. The strength of the proposed technique lies in the fact that its deobfuscation not only necessitates additional technology, leading to a high cost for malicious software analysis, but it can also be seamlessly integrated with existing control flow obfuscation techniques.

Abstract: Recent studies on control-flow attack defense techniques aim to mitigate the analysis cost when applied to real applications. Nevertheless, their defense strategies, incorporating both hardware implementations and algorithms, still prove less effective in tackling the challenges of attack analysis and cost issues in real-world industries. This paper introduces a lightweight detection technique that utilizes system side-channel information, specifically the system utilization generated by running systems and processes, to address the limitations of existing defense techniques. The newly implemented detection technique dynamically profiles the program's process I/O, memory, and context switch information through threading during the execution of the analyzed program. In the experiment, we analyzed specific fluctuation sections and detected control-flow attacks through pattern comparison using actual system side-channel information. Specifically, through approximately 1,600 profiling experiments conducted 1,000 times, we confirmed that system side-channel information exhibits a normal pattern in the control flow of a typical program but displays a distinct change pattern when a control-flow attack occurs.

Abstract: Code pointer manipulation attacks, commonly used to hijack the control flow of an application, enable attackers to execute code with a detrimental impact on the system. In particular, backward-edge exploits are frequently employed in real-world system hacking through ROP attacks. Backward-edge protection techniques are primarily implemented through code instrumentation in the prologue and epilogue of a function block. Instrumented code includes instructions to either encrypt/decrypt the return address of the function or store it in a separate memory space. However, when a library function, used to handle a program's exception, is called, a mismatch between the function prologue and epilogue occurs. The instrumented code fails to adjust for this mismatch, resulting in a program crash. In this paper, we propose an enhanced exception handler that takes into account security, compatibility, and efficiency in the exception handling process for programs utilizing the backward-edge CFI technique. In detail, we implemented a practical and efficient C/C++ exception handler compatible with backward-edge CFI. We assessed compatibility and performance by applying the proposed prototype to the SPEC CPU2017 benchmark program. The results of the measurements confirmed no compatibility issues and revealed a performance overhead of less than 1%.

Patents

  • Surveillance Method and System Applicable to a Mobile Electronic Device Based on Video Image Comparison Algorithm
    Seon Kwon Kim, Yujin Noh, Jihyun Lee
    KR10-2321480

  • Device and Method For Detecting Return-oriented Programming Attacks Using System Information
    Seon Kwon Kim, Dong Hoon Lee, Hongjoo Jin, Kyungho Joo, Jiwon Lee
    KR10-2828696

  • Information Leak Defense Technique Using Double Stack Isolation Technology
    Hongjoo Jin, Dong Hoon Lee, Jiwon Lee, Seon Kwon Kim
    KR2023-0021188 (Application Number)

  • Exception Handler Dedicated to Instrumentation of Security Code Using Hash Table
    Hongjoo Jin, Dong Hoon Lee, Seon Kwon Kim, Jiwon Lee
    KR2022-0105952 (Application Number)

  • Improved Stack Memory Protection Technique Using Random Memory Allocation
    Hongjoo Jin, Dong Hoon Lee, MoonChan Park, Jiwon Lee, Seon Kwon Kim
    KR2022-0087114 (Application Number)

  • Dynamic Web Solution System
    Seon Kwon Kim, Hang Gyu Han
    Korea Copyright No.C-2019-043487

Volunteer Experience

  • 2018   Member, Handong Global University SW Education Pro Bono
  • 2018   Member, Handong Global University ISEL S-LAB
  • 2017   Member, SeeSeon Academy