Now, we're recruiting creative graduate students who possess a passion for learning, thinking, etc. If you are willing to work with us, see the following : ⑴ Introduction to Security Engineering, ⑵ Must read items for new students at SANE Lab.
Prof. Dr. SEUNGJOO (GABRIEL) KIM
Click here to see my CV in Korean: NamuWiki
Hello, I am Seungjoo (Gabriel) Kim (Nick: Pr0xy5kim). I have been a full professor at the School of Cybersecurity, Korea University, since 2011. Before that, I was an associate professor at the School of Information and Communication Engineering, Sungkyunkwan University, for 7 years, and before that I spent 5 years at KISA (Korea Internet & Security Agency) as team leader of the Cryptographic Technology Team and of the IT Security Evaluation Team.
In addition to being a professor, I have been Vice President for Digital Information of Korea University since 2023 and Dean of the School of Smart Mobility, Korea University, since 2022. I am director of AR2C (Army RMF Research Center), director of CHAOS (Center for High-Assurance Operating Systems), and head of SANE (Security Assessment aNd Engineering) Lab. From 2011 to February 2020 I was the adviser of the undergraduate hacking club 'CyKor' (DEFCON CTF 2015 & 2018 winner) at the School of Cybersecurity, Korea University, and I am a founder and advisory director of the international security & hacking conference 'SECUINSIDE'.
Besides my activities within the school, I am also active as an advisory committee member for various organizations, such as The Presidential Committee on AI, The Presidential Defense Innovation Committee, The Presidential Committee on the 4th Industrial Revolution, NIS (National Intelligence Service), the Ministry of National Defense, the Ministry of Justice, the Supreme Prosecutors' Office, the Korea National Police Agency, and the Nuclear Safety and Security Commission. I also served as a visiting professor at the Korea Military Academy.
My research covers a broad range of topics in cyber security engineering, which focuses on creating secure systems and designing networks that are resilient to malicious attacks as well as to other potential causes of outages, such as natural disasters. In more detail, my research interests lie primarily in ⑴ Security/Privacy by Design (a.k.a. security engineering) processes, from requirements to maintenance, ⑵ Threat analysis and attack scenarios, ⑶ Risk management and risk-oriented security testing, ⑷ Secure design and architecture, ⑸ Secure coding, ⑹ Security assessment (Common Criteria, CMVP, SSE-CMM, RMF A&A, etc.), ⑺ Software ecosystem and software supply chain security, ⑻ DevSecOps, ⑼ Security automation and tooling, ⑽ Formal verification and other high-assurance methods for security, ⑾ Human-centered design for systems security, ⑿ Blockchain & Crypto Engineering.
To date, I have written 17 books, 80 SCI(E) papers and 35 patents, and, according to Google Scholar, my works have been cited 4,800+ times (papers published in premier conferences and journals: ACSAC (1 paper), AsiaCrypt (1 paper), BlackHat (7 papers), CT-RSA (3 papers), DEFCON (4 papers), ICCC (8 papers), IEEE MILCOM (1 paper), IEEE TC (1 paper), Virus Bulletin (2 papers)). I have received the best lecturer award from Korea University in 2012 and 2016 (awarded to the top 5%) and from the National Human Resources Development Institute in 2019 (awarded to the top 0.3% (=3/800+)). Furthermore, I was the technical adviser for the SBS TV drama "Phantom" and the movie "The Berlin File".
Our lab's R&D mainly focuses on "Security Assessment", "Secure Software Engineering", and "Blockchain". To date we have achieved some notable results, such as:
Smart Card : In 2006, a smart card OS co-developed with Samsung SDS earned Common Criteria EAL4+ certification, the first in Korea.
Printer (MFP) : In 2008, we co-developed the security modules of an MFP (Multifunction Printer) with Samsung Electronics and guided them to obtain Common Criteria certification, the first for an MFP in Korea.
Database : In 2008, we (with WareValley) also received Common Criteria EAL4 certification for the database security solution 'Chakra', the first in Korea.
Smart TV : In 2017, LG Electronics, which had been working with us, received the world's first Common Criteria EAL2 certification for a home appliance (smart TV). CC EAL2 is the same security level as Samsung KNOX! (Prior to this, in 2015, we obtained TTA-verified security certification from TTA (Telecommunications Technology Association), a well-known security testing and certification laboratory in Korea! For detailed information refer to this article: "How to Obtain Common Criteria Certification of Smart TV for Home IoT Security and Reliability", Symmetry 2017, 9(10), 233 (IF: 1.457).)
K-RMF : At the request of the Joint Chiefs of Staff, in 2016 I started research on integrating the RMF (Risk Management Framework) into the Defense Acquisition Management System, the first such work in Korea. The related policies took effect in April 2024. (For detailed information refer to this article: "Security Evaluation Framework for Military IoT Devices", Security and Communication Networks 2018 (IF: 1.067).)
soFrida : In 2019, we developed 'soFrida', an automatic vulnerability analysis tool for mobile cloud apps, and among 4 million Android apps we identified 2,700+ potentially vulnerable ones. Our tool was first shown at DEFCON 2019. (For detailed information refer to this site: github.com/HackProof/soFrida)
Secure SDLC : From 2019 to 2020, we conducted an R&D project to diagnose and improve the current level of Samsung Research's Secure SDLC (Software Development Life Cycle). Through this project, we quantitatively analyzed the difference in Secure SDLC level between Samsung and its competitors and suggested improvement plans for a Secure SDLC optimized for Samsung.
CHAOS (ChibiOS-based High-Assurance Operating System) : Since 2018, we have been developing Korea's first secure microkernel for drones, targeting a security level above Common Criteria EAL6. (For detailed information refer to this site: github.com/HackProof/CHAOS)
TMoC (Threat Modelers on Chain) : Since 2021, we have been developing a threat modeling tool in the form of a decentralized web application. For this, we combined threat modeling with a blockchain-based collective intelligence system. Our tool was presented at DEFCON 2021 and Black Hat Asia 2022. (For detailed information refer to this site: github.com/HackProof/TMoC)
HASUMS (High-Assurance Software Update Management System) : In 2023, we developed HASUMS, which meets the requirements of "UN Regulation No. 156 - Software update and software update management system". To further specify the unclear requirements of UN R156, we used the STRIDE threat modeling technique. We also designed, implemented, and formally verified HASUMS using Event-B and Atelier B. Our tool was presented at NDSS Symposium - VehicleSec 2023. (For detailed information refer to this site: github.com/HackProof/HASUMS)
Highlights of Recent Research & Activities
I am a frequent speaker and interviewee on Information Security. Some highlights include talks at SBS '꼬리에 꼬리를 무는 그날 이야기' in October 2024, at SBS 'Master In The House' in January 2022, at KBS1 Issue Pick ‘With Teacher' in January 2022 and June 2021, at tvN Insight 'Living the New Normal' in December 2020, at KBS1 'Midnight Debate-Live' in March 2020, at KBS1 'Tonight - Kim Jedong' in February 2019, at JTBC 'Lecture' in May 2018 (Note : Lecture material), at EBS1 science documentary 'Beyond' in November 2017, at KBS1 lecture/documentary show 'Good Insight' in July 2016, at KBS1 'Midnight Debate-Live' in March 2016, and at KBS1 'Jang Young Sil Show' in July 2015. You can find my other talks and interviews here, and newspaper columns here.
2024 Highlights : I was honorably appointed as a committee member of "The Presidential Committee on AI", which is intended to unify our national capabilities in the AI sector and establish a trustworthy environment for AI usage. Also, while serving as a member of "The Presidential Defense Innovation Committee", I persuaded the president to improve the 'network separation' policy uniformly applied in public work environments. As a result, the NIS (National Intelligence Service) announced the 'MLS (Multi Level Security)' transition roadmap at the 'CSK 2024 (Cyber Summit Korea 2024)' event on Sept 11th, 2024. MLS classifies public operational data into three categories, Classified, Sensitive, and Open, and applies security controls accordingly. Academically, our work, "A Tip for IOTA Privacy: IOTA Light Node Deanonymization via Tip Selection", was accepted as a full paper at IEEE ICBC 2024 (IEEE International Conference on Blockchain and Cryptocurrency 2024), held in Dublin, Ireland, 27-31 May, 2024. This year, 35 of 181 full-paper submissions were accepted, an acceptance rate of 19.34%! And our journal paper, "Challenges in Dynamic Analysis of Drone Firmware and Its Solutions", was accepted to IEEE Access (IF:3.4).
2023 Highlights : I was honorably appointed as a committee member of "The Presidential Defense Innovation Committee", and became the first chair of the "Korea Security Association for Emerging Military Technologies (K-SAEM)". In addition, I was appointed Vice President for Digital Information of Korea University, and, in December 2023, while I was serving in that role, Korea University was selected as the best ISMS (Information Security Management System) operating institution, a first for the university, and received a commendation from the Minister of MSIT (Ministry of Science and ICT). Academically, our paper, "Formally Verified Software Update Management System in Automotive", was presented at NDSS Symposium - VehicleSec 2023 (Inaugural Symposium on Vehicle Security and Privacy 2023)!
2022 Highlights : This year, I wrote 4 books, among which "Seven Tech" ranked third on the bestseller list at the largest bookstore in Korea. Also, our paper "TMoC: Threat Modelers on Chain" was presented at Black Hat Asia 2022 Arsenal, "Block Double-Submission Attack: Block Withholding Can Be Self-Destructive" was presented at ACM AFT 2022 (ACM Advances in Financial Technologies 2022), "Do You Really Need to Disguise Normal Servers as Honeypots?" was accepted to IEEE MILCOM 2022 (40th IEEE Military Communications Conference 2022), and another paper, "Rethinking Selfish Mining under Pooled Mining", was accepted to the ICT Express journal, whose Impact Factor of 4.317 ranks it 22 out of 91 in Telecommunications.
2021 Highlights : As of January 1, 2021, I was appointed head of the Department of Cyber Defense under the School of Cybersecurity at Korea University, and I wrote a book titled "Coin War". Furthermore, two papers from our lab were accepted at DEFCON Blockchain Village 2021: "Blockchain as a Threat Modeling Thinking Tool" and "Will Secure Element Really Help Strengthen the Security of Cryptocurrency Wallets?". Congratulations to all the authors! And our journal papers, "CIA-Level Driven Secure SDLC Framework for Integrating Security into SDLC Process" and "Blockchain as a Cyber Defense", were accepted to the Journal of Ambient Intelligence and Humanized Computing (IF:7.104) and IEEE Access (IF:3.367), respectively.
2020 Highlights : Honorably, I was selected as an NHI (National HRD Institute) best lecturer of 2019, and was also listed in the NHI Hall of Fame. Since 2012, NHI has selected 3 of its 800+ lecturers each year and inducted them into the Hall of Fame for best lecturers. This is an interview with the NHI. And, our paper, "Blockchain for Cyber Defense: Will It Be As Good As You Think?", was presented at DEFCON Blockchain Village 2020, and our university hacking club "CyKor" finished 8th in the finals of the "DEFCON Capture the Flag (CTF) 28". In addition, another paper, "BinTyper: Type Confusion Detection for C++ Binaries", was accepted to Black Hat Europe 2020, and "Application of the Common Criteria to Building Trustworthy Automotive SDLC" was accepted at the 19th ICCC 2020 (The 19th International Common Criteria Conference 2020). Finally, one more! Our journal paper, "Blockchain Based Sensitive Data Management by Using Key Escrow Encryption System from the Perspective of Supply Chain", was published in IEEE Access (IF:4.098)!
2019 Highlights : Our paper, "When Voice Phishing met Malicious Android App (extended version)", was accepted to the Black Hat Asia 2019 conference (acceptance ratio: 11.95% = 35 accepted / 293 submissions) (see press coverage at DARKReading and Heise), and another paper, "Fuzzing and Exploiting Virtual Channels in Microsoft Remote Desktop Protocol for Fun and Profit", was accepted to Black Hat Europe 2019 (our discovery of an information leak vulnerability in the Microsoft Remote Desktop Client, CVE-2019-1108, received a $10,000 bug bounty through HackerOne). Furthermore, our automated mobile cloud app analysis tool, "soFrida", was accepted to DEFCON Demo Labs 2019. Using this tool, we analyzed 4 million Android apps and found 2,700+ potentially vulnerable apps that could leak sensitive personal information and allow manipulation of the back-end cloud DB. For more details, see sofrida.github.io. Two more papers were accepted at the 18th ICCC 2019 (The 18th International Common Criteria Conference 2019): "IoT Device Hacking and New Direction of IoT Security Evaluation Using Common Criteria" and "Verification of IVI Over-The-Air Using UML/OCL". One more thing! My graduate students, "JaeKi Kim" and "Min-Chang Jang", presented "Kimsuky Group: Tracking the King of the Spear-Phishing" at the 29th VB2019 (Virus Bulletin conference 2019), following their VB 2018 talk. In addition, I was honored to receive a Proud Alumni Award from Dae-Il Foreign Language High School, South Korea.
2018 Highlights : I was honorably appointed as a member of "The Presidential Committee on the 4th Industrial Revolution". As a result of this committee's work, we issued "Recommendations to the Government for the 4th Industrial Revolution" in October 2019 (Main written in Korean ❘ Main written in English ❘ Appendix written in Korean).
And, OMG!, we won the championship again at DEFCON CTF 2018, after 2015!! "DEFKOR00T (= DEFKOR + R00timentary)", the team comprised of my undergraduate & graduate students from the School of Cybersecurity, Korea University, and Prof. Taesoo Kim's graduate students from the Georgia Institute of Technology, won the TOP prize at the "DEFCON Capture the Flag (CTF) 26".
And my graduate students, "JaeKi Kim" and "Min-Chang Jang", presented "DOKKAEBI: Documents of Korean and Evil Binary" at the 28th VB2018 (Virus Bulletin conference 2018), and "Min-Chang Jang" also presented "When Voice Phishing met Malicious Android App" at CODE BLUE 2018 (see press and book coverage at KBS1 and SBS). Furthermore, we opened the 'Center for High-Assurance Operating Systems (CHAOS)' at Korea University in order to develop the technologies needed to build and evaluate EAL6/EAL7 operating systems.
2017 Highlights : Yes, we did it again after Black Hat USA 2013: see our talk, "Are you watching TV now? Is it real?: Hacking of smart TV with 0-day", at Hack in Paris 2017 (see press coverage at 01net.com and the demo), and "LG vs. Samsung Smart TV: Which Is Better for Tracking You?" at CODE BLUE 2017! Additionally, my graduate student, "Min-Chang Jang", gave a talk on forensic studies of "North Korean hacking" at Black Hat Europe 2017 (see press coverage at Sky News) and also at Black Hat Asia 2018. Furthermore, we opened the 'Army RMF Research Center (AR²C)'.
2016 Highlights : Finally, I got tenured and received best lecturer award again after 2012! In addition, I was appointed as an Advisory Committee Member of the PyeongChang 2018 Olympic and Paralympic Winter Games. Furthermore, our paper, "Deep Learning Based Real-Time DNS DDoS Detection System", was accepted to ACSAC 2016 (The 32nd Annual Computer Security Applications Conference 2016) as a poster presentation.
2015 Highlights : Finally, we did it! "DEFKOR", the team comprised of my undergraduate & graduate students from the School of Cybersecurity, Korea University, and the security technology team from the Korea-based IT security solution provider Raon Secure, won the TOP prize at the "DEFCON Capture the Flag (CTF) 23", which was held in Las Vegas. DEFCON is the world's largest international hacking competition and is dubbed the Hackers' World Cup among hackers. (In 2015, 4,000+ teams qualified, and 15 teams made the finals!) Also, I talked about the various cybersecurity educational and professional training programs of Korea at CODE BLUE 2015 (OMG!! My CODE BLUE presentation slide was selected as one of the 'Most Talked-About Slides on Facebook'!), and we discovered some critical vulnerabilities in an LTE Femtocell and notified the operator and manufacturer (Research Paper @ SECUINSIDE 2015). Additionally, our case study submission on the "DDoS Attack to DNS Using Infected IoT Devices" to this year's ACSAC 2015 (The 31st Annual Computer Security Applications Conference 2015, one of the most important cyber security conferences in the world and the oldest information security conference held annually) was included in the program.
2014 Highlights : Finally, SECUINSIDE CTF winners were pre-qualified for DEFCON CTF!, and, honorably, I became a Visiting Professor at the Korea Military Academy. Besides, our paper "Developing a Protection Profile for Smart TV" was accepted at The 15th ICCC 2014 (International Common Criteria Conference 2014), and another paper, "(The First Experimental) Study on Smart TV Forensics", was published in the Journal of the KIISC (Korean Institute of Information Security and Cryptology) (the English version is here!: "Further Analysis on Smart TV Forensics", Journal of Internet Technology (SCI-E, IF:1.930)).
2013 Highlights : "Smart TV Security - #1984 in 21st century" appeared at The 14th CanSecWest 2013 (The 14th CanSecWest Applied Security Conference 2013) (see press coverage at MBC, KBS, channelIT, inews24.com), and the extended version, "Hacking, Surveilling, and Deceiving Victims on Smart TV", was also presented at The 17th Black Hat USA 2013 (see press and book coverage at The Wall Street Journal, The Guardian, Fox News, ZDNet, Network World, Digital Trends, CBS, KBS, The Electronic Times, Nitesh Dhanjani's "Abusing the Internet of Things - Blackouts, Freakouts, and Stakeouts - (O'REILLY)", ENISA's report entitled "Security and Resilience of Smart Home Environments", etc.). Furthermore, we had two papers accepted at The 14th ICCC 2013 (The 14th International Common Criteria Conference 2013). One was "Problem and Improvement of the Composition Documents for Smart Card Composite Product Evaluations", and the other was "How the CC Harmonizes with Secure Software Development Lifecycle". One more thing! "SHRT - New method of URL shortening including relative word of target URL" was presented at SOUPS 2013 (The Symposium on Usable Privacy and Security 2013) as a poster.
2012 Highlights : I was appointed as an Advisory Committee Member of Special Prosecutor, Tae-Seok Park on the case of 2011 Re-Election DDoS Scandal (See press coverage at The Electronic Times), and technically advised the TV drama, "Phantom" and the film, "The Berlin File". Furthermore, our journal paper, "Efficient Certificateless Proxy Signature Scheme with Provable Security" was accepted at Information Sciences (IF:3.643).
2011 Highlights : I moved to Korea University and established my lab, "SANE (Security Assessment aNd Engineering) Lab". Furthermore, the hacker group HARU and the international security & hacking conference SECUINSIDE were founded in 2011 by me and my colleagues.
2010 Highlights : "Protection Profile for E-Certificate Issuance System" was presented at The 11th ICCC 2010 (The 11th International Common Criteria Conference 2010), and "Efficient Secure Group Communications for SCADA" was published in IEEE Transactions on Power Delivery.
2009 Highlights : "Advanced Key Management Architecture for Secure SCADA Communications" appeared at IEEE Transactions on Power Delivery.
2008 Highlights : Our paper, "Protection Profile for E-Voting Systems", was accepted at the 9th ICCC 2008 (The 9th International Common Criteria Conference 2008), a major conference for the community of experts involved in security evaluation.
2007 Highlights : Our journal paper, "Cryptanalysis on the Authentication Mechanism of the NateOn Messenger", showed that NateOn (which was the biggest messenger service in Korea) was vulnerable to replay attacks (see press coverage at JoongAng Daily, Yonhap News). Furthermore, "Efficient Password-Authenticated Key Exchange Based on RSA" appeared at The 7th CT-RSA 2007 (The 7th Cryptographers' Track at RSA Conference 2007), and "Security Weakness in a Three-Party Pairing-Based Protocol for Password Authenticated Key Exchange" appeared in Information Sciences (IF:2.147). One more thing! I received the NIS (National Intelligence Service) Chief's Award for excellent contribution to national cyber security.
2005 Highlights : "A Weakness in the Bresson-Chevassut-Essiari-Pointcheval's Group Key Agreement Scheme for Low-Power Mobile Devices" was accepted at IEEE Communication Letters.
2004 Highlights : I left KISA(Korea Information Security Agency), and became an Assistant Professor at Sungkyunkwan University.
2003 Highlights : We had two papers accepted at The 3rd CT-RSA 2003 (The 3rd Cryptographers' Track at RSA Conference 2003). One was "Rethinking Chosen-Ciphertext Security under Kerckhoffs' Assumption", and the other one was "An Analysis of Proxy Signatures : Is A Secure Channel Necessary?". Furthermore, "RSA Speedup with Chinese Remainder Theorem Immune against Hardware Fault Cryptanalysis" appeared at IEEE Transactions on Computers.
2001 Highlights : "On The Security of The Okamoto-Tanaka ID-Based Key Exchange Scheme against Active Attacks" was accepted at IEICE Trans. Fundamentals.
1999 Highlights : "Comments on Password-Based Private Key Download Protocol of NDSS'99" appeared in Electronics Letters (IF:1.164).
1997 Highlights : "Proxy Signatures, Revisited" appeared at The 1st ICICS 1997 (The 1st International Conference on Information and Communication Security 1997). According to Google Scholar, this paper has been cited more than 780 times. Also, the KPW Proxy Signature Scheme presented there became the prototype of A. Boldyreva's Provably Secure Proxy Signature Scheme used for stake delegation in Cardano (ADA)!
1996 Highlights : "Convertible Group Signatures" appeared at The 5th AsiaCrypt 1996, which was one of three flagship conferences for cryptography research.
Elsewhere
Lab (SANE Lab) : www.KimLab.net | KimLab.korea.ac.kr
Lab (Army RMF Research Center) : www.HackProof.systems
Blog : www.crypto.kr | blog.naver.com/amhoin
YouTube : https://www.youtube.com/@skim71
Facebook : https://www.facebook.com/skim71
Threads : https://www.threads.net/@skim71
Twitter : https://twitter.com/skim71
Instagram : https://www.instagram.com/skim71
LinkedIn : www.linkedin.com/in/skim71
SlideShare : https://www.slideshare.net/skim71/
GitHub : https://github.com/skim71
(Since 1994)