Modeling a Program with Vulnerabilities in the Terms of Its Representations Evolution. Part 2. Analytical Model and Experiment

The investigation results of the creating programs process and the resulting vulnerabilities are presented. In the second part of the articles series, a program life cycle generalized analytical model of the based on its representations is proposed, taking into account the direct and reverse transformation methods. Also, the model reflects the occurrence and detection of vulnerabilities and their classification. A particularly model is synthesized from it, reflecting the current state of the program representations evolution, and on the basis of which a number of fundamental statements were derived, written in an analytical form. To base the performance of models in reflecting vulnerabilities terms, the following two experiments are carried out: retrospective-factual, comparing real-life vulnerabilities with a particularly model; and practical demonstration the evolution of vulnerability in representations in the process of the simplest program evolution. As a result of the second experiment, the increase in coverage by the vulnerability of representations in the development process is clearly shown.

1. Kotenko I., Izrailov K., Buinevich M. Static Analysis of Information Systems for IoT Cyber Security: A Survey of Machine Learning Approaches. Sensors. 2022;22(4):1335. DOI:10.3390/s22041335 (in Russ.)

2. Trevizan R.D., Obert J., De Angelis V., Nguyen Tu.A., Rao V.S., Chalamala B.R. Cyberphysical Security of Grid Battery Energy Storage Systems. IEEE Access. 2022;(10):59675‒59722. DOI:10.1109/ACCESS.2022.3178987

3. Cho C.-S., Chung W.-H., Kuo S.-Y. Cyberphysical Security and Dependability Analysis of Digital Control Systems in Nuclear Power Plants. IEEE Transactions on Systems, Man, and Cybernetics: Systems. 2016;46(3):356‒369. DOI:10.1109/TSMC.2015.2452897

4. Izrailov K. Modeling a Program with Vulnerabilities in the Terms of Its Representations Evolution. Part 1. Life Cycle Scheme. Proc. of Telecom. Universities. 2023;9(1):75‒93. (In Russ.) DOI:10.31854/1813-324X-2023-9-1-75-93

5. Monastyrnaya V.S., Frolov V.V. Visual language dragon and it is application. Aktual'nye problemy aviacii i kosmonavtiki. 2016;2(12):78‒79. (in Russ.)

6. Parondzhanov V.D. Algorithmic Languages and Programming: DRAGON. Moscow: Yurajt Publ.; 2023. 436 p. (in Russ.)

7. Dolidze A.N. Overview of specific functions of the FBD language using the example of Logo! Engineering journal of Don. 2022;11(95):1‒10. (in Russ.)

8. Pardo M.X.C., Ferreiro G.R. SFC++: A Tool for Developing Distributed Real-Time Control Software. Microprocessors and Microsystems. 1999;23(2):75‒84. DOI:10.1016/S0141-9331(99)00015-0

9. Akhmerova A.N. Controller programming languages. Features of the application of the languages. Nauchnyj aspekt. 2019;3(3):340‒345. (in Russ.)

10. Nassi I., Shneiderman B. Flowchart techniques for structured programming. SIGPLAN Notices. 8(8):12–26. DOI:10.1145/953349.953350

11. Basov A.S. Classification of Programming Languages and their Features. Vestnik nauki. 2020;2(8):95‒101. (in Russ.)

12. Morozov D.P., Slepnev A.V. Development of C, C++ code analyzer in Python using Lex, Yacc. Proceedings of the 74th Regional Scientific and Technical Conference of Students, Graduate Students and Young Scientists “Student Spring ‒ 2020”, 26‒27 May 2020, St. Petersburg, Russia. St. Petersburg: The Bonch-Bruevich Saint Petersburg State University of Telecommunications Publ.; 2020. p.28‒32. (in Russ.)

13. Lee W.I., Lee G. From natural language to Shell Script: A case-based reasoning system for automatic UNIX programming. Expert Systems with Applications. 1995;9(1):71‒79. DOI:10.1016/0957-4174(94)00050-6

14. Pirogov V. Assembler for Windows. BHV-Petersburg Publ.; 2012. 896 p. (in Russ.)

15. Kapustin D.A., Shvyrov V.V., Shulika T.I. Static analysis of the source code of python applications. Software Engineering. 2022;13(8):394‒403. (in Russ.) DOI:10.17587/prin.13.394-403

16. Krichanov M.Y., Cheptsov V.Y. Secure UEFI firmware for virtual machines. Sistemnyj administrator. 2021;11(228): 75‒81. (in Russ.)

17. Makarov A.V., Skorobogatov S.Y., Chepovskii A.M. Common Intermediate Language and system programming in Microsoft. NET. Moscow, Saratov: Internet University of Information Technologies Publ.; Ai Pi Ar Media Publ.; 2020. 397 p. (in Russ.)

18. Krasov A.V., Sharikov P.I. Methods of protection byte code java-programs from decompilation and theft of source code by an attacker. Vestnik of St. Petersburg State University of Technology and Design. Series 1: Natural and technical Sciences. 2017;(1):47‒50. (in Russ.)

19. Izrailov K., Tatarnikova I. An Approach to Analyzing the Security of a Software Code from the Standpoint of Its Form and Content. Proceedings of the VIIth International Conference on Infotelecommunications in Science and Education, 27‒28 February 2019, St. Petersburg, Russia. St. Petersburg: The Bonch-Bruevich Saint-Petersburg State University of Telecommunications Publ.; 2019. p.462‒467. (in Russ.)

20. Eunkyoung J., Seungjae J., Hojung B., Sungdeok C., Junbeom Y., Geeyong P., et al. Testing of Timer Function Blocks in FBD. Proceedings of 13th Asia Pacific Software Engineering Conference, APSEC'06, 06‒08 December 2006, Bangalore, India. IEEE; 2006. p.243‒250. DOI:10.1109/APSEC.2006.55

21. McCanne S., Jacobson V. The BSD Packet Filter: A New Architecture for User-Level Packet Capture. Proceedings of the Winter USENIX Technical Conference, 25–29 January 1993, San Diego, USA. USENIX Association; 1993.

22. Kim M., Jang H., Shin Y. Avengers, Assemble! Survey of WebAssembly Security Solutions. Proceedings of 15th International Conference on Cloud Computing, CLOUD, 10‒16 July 2022, Barcelona, Spain. IEEE; 2022. p.543‒553. DOI:10.1109/CLOUD55607.2022.00077

23. Chuvilin К.V. Parametric Approach to the Construction of Syntax Trees for Partially Formalized Text Documents. Machine Learning and Data Analysis. 2016;2(2):201‒217. (in Russ.)

24. Buinevich M.V., Izrailov K.E. Anthropomorphic approach to describing the interaction of vulnerabilities in program code. Part 1. Types of interactions. Zaŝita informacii. Inside. 2019;5(89):78‒85. (in Russ.)

25. Buinevich M.V., Izrailov K.E. Anthropomorphic approach to describing the interaction of vulnerabilities in program code. Part 2. Vulnerability metric. Zaŝita informacii. Inside. 2019;6(90):61‒65. (in Russ.)

26. Izrailov K. The Genetic Decompilation Concept of the Telecommunication Devices Machine Code. Proc. of Telecom. Universities. 2021;7(4):10‒17. DOI:10.31854/1813-324X-2021-7-4-95-109 (in Russ.)

27. Izrailov K.E. Applying of genetic algorithms to decompile machine code. Zaŝita informacii. Inside. 2020;3(93):24‒30. (in Russ.)

28. Izrailov K.E., Romanov N.Е. Application of genetic algorithm for reverse engineering of machine code. Proceedings of the XIth International Conference on Infotelecommunications in Science and Education, 15‒16 February 2022, St. Petersburg, Russia. St. Petersburg: The Bonch-Bruevich Saint-Petersburg State University of Telecommunications Publ.; 2022. p. 239‒243. (in Russ.)