Journal Highly available systems №3 for 2018
Article in issue:
Topical issues of identifying vulnerabilities and undeclared capabilities in software
Type of article: scientific article
DOI: 10.18127/j20729472-201803-03
UDC: 004.056
Authors:

A.V. Barabanov – Ph.D.(Eng.), Deputy General Director of NPO «Echelon» (Moscow)

E-mail: a.barabanov@npo-echelon.ru

A.S. Markov – Dr.Sc.(Eng.), President of NPO «Echelon» (Moscow)

E-mail: a.markov@npo-echelon.ru

V.L. Tsirlov – Ph.D.(Eng.), General Director of NPO «Echelon» (Moscow)

E-mail: v.tsirlov@npo-echelon.ru

Abstract:

The paper reviews the current state of software security. It concludes that the conceptual basis of software security corresponds to modern information technology paradigms. The advantages and limitations of modern approaches to testing programs against security requirements are shown, and it is shown that ensuring the completeness of checks requires combining different approaches to software testing. A modern methodical approach to conducting tests to identify vulnerabilities and undeclared capabilities is given, along with a brief overview of foreign research. Compensatory software security measures are considered. Statistics on the identification of vulnerabilities during certification are presented, and ways of increasing the effectiveness of software security testing are indicated. A new scientific stage in the development of the subject is to be expected with the development of applied supercomputers, the emergence of quantum computers and the widespread introduction of artificial intelligence methods.

Pages: 12-17
Date of receipt: 3 August 2018