RU2744438C1 - System and method for forming optimal set of tests for identifying software bugs - Google Patents

Abstract

FIELD: computing.

SUBSTANCE: invention relates to computing. The system for generating an optimal set of tests for identifying software bugs includes a unit for inputting initial data, a unit for analyzing and filling in databases, a database for initial data, a control and management unit, a unit for modeling software bugs, a database for software bugs, a unit for generating tests, a database of tests, a unit modeling the confrontation between an adversary and an expert, a unit for analyzing simulation results, a unit for generating an optimal set of tests and the most dangerous set of software bugs, a database of an optimal set of tests, a database of the most dangerous set of software bugs, a unit for outputting results.

EFFECT: invention increases probability of detecting software bugs when certifying software for security requirements.

2 cl, 3 dwg

Description

The invention relates to computer technology, namely to information computing systems and networks, and can be used to protect information resources of workstations and servers, their components, programs or data from unauthorized access to them, as well as when analyzing the source code of software (software ), including when conducting certification tests of software for the absence of undeclared capabilities.

Certification of software for information security requirements is one of the main mandatory measures for assessing the degree of software security. This is due to the fact that in order to implement some undeclared functions in the information system that allow unauthorized access to the resources of the information system, software bookmarks (PZ) are used, which in most cases are introduced at the stage of software development. At the same time, the peculiarity of such tabs is that they become virtually inseparable from the applied or system programs of the information system and their identification is possible only by special test programs that reveal abnormal behavior and undeclared software capabilities (Begaev A.N., S.N.Begaev, Kashin S.V. Analysis of the program code during certification tests.- St. Petersburg: ITMO University, 2018. - 41 p., Makarenko S.I. Information confrontation and electronic warfare in network-centric wars at the beginning of the XXI century.Monograph.- St. Petersburg: Science-intensive technologies , 2017. - 546 p., Kupriyanov A. I., Sakharov A. V., Shevtsov V. A. Fundamentals of information security: a tutorial. - M .: Publishing Center "Academy", 2006. - 256 p.). The effectiveness of the use of test programs depends on the completeness of the tests. Typically, the core suite consists of a large number of tests, which leads to a significant amount of time spent on their execution. Since the testing stage is iterative, the number of iterations is limited by the available time resources (project deadlines) and the quality standards used, which can lead to a decrease in the probability of detecting a PP during software certification for safety requirements. In addition, certification opportunities are limited by testing resources - both time and financial, personnel, hardware and tools. (Lipaev V.V. Software certification. Textbook. - M .: SINTEG, 2010. - 348p., Mironov S.V. Safe information technologies // Proceedings of the Ninth All-Russian Scientific and Technical Conference - M .: MSTU named after N E. Bauman, 2018, 214 p. - ill.). Thus, the development of tools and methods for forming an optimal set of tests for identifying software bookmarks is an urgent task.

Interpretation of terms used in the application:

undeclared (functional) capabilities - software functionality that is not described or does not correspond to those described in the documentation, the use of which may violate the confidentiality, availability or integrity of the processed information (Guidance document "Protection against unauthorized access to information. Part 1. Software for information security . Classification by the level of control over the absence of undeclared opportunities ", approved by the State Technical Commission of Russia on 04.06.1999, hereinafter - RD NDV). Software bookmarks (in particular) - implementation of undeclared features (Begaev A.N., S.N.Begaev, Kashin S.V. Analysis of the program code during certification tests. - St. Petersburg: ITMO University, 2018. - 41 p.);

software bookmarks - functional objects intentionally introduced into the software, which, under certain conditions, initiate the execution of software functions not described in the documentation, leading to a violation of the confidentiality, availability or integrity of the processed information (RD NDV; Makarenko S.I. Information confrontation and electronic warfare in network-centric wars the beginning of the XXI century.Monograph .-- St. Petersburg: Science-Intensive Technologies, 2017. - 546 p., Begaev A.N., S.N.Begaev, Kashin S.V. Analysis of the program code during certification tests.- St. Petersburg: ITMO University , 2018 .-- 41 p.);

certification of software (software) in accordance with information security requirements (hereinafter certification) - verification (confirmation) of software characteristics for compliance with the requirements of regulatory documents and state standards for information protection issued by authorized federal bodies: FSTEC of Russia (State Technical Commission of Russia), FSB of Russia and the Ministry of Defense (Begaev A.N., S.N.Begaev, Kashin S.V. Analysis of the program code during certification tests. - St. Petersburg: ITMO University, 2018. - 41 p.);

software testing - the process of checking the compliance of the requirements stated for the product and the actually implemented functionality, carried out by observing its work in artificially created situations and on a limited set of tests selected in a certain way;

testing for security requirements - the process of identifying the presence or absence of vulnerabilities in a product in artificially created situations and on a limited set of tests selected in a certain way.

Means and methods for generating tests are currently known.

So, the known system of forming tests [RF Patent No. 2012924 C1 - FORMER OF TESTS / Gremalsky Anatoly Aleksandrovich, Beean Viorel Evtemyevich, Roshka Andrey Alekseevich publ. 15.05.1994], consisting of a pseudo-random code generator, a test issuing multiplexer, a random sequence generator, a microtest code sequence memory unit, and a control unit.

The disadvantage of this system is the presence of a random sequence generator, which leads to insufficient reliability of the generated tests, as well as to an increase in the time needed to select the required test sets.

A known system for generating test data [Patent 2679350 Russian Federation, G06F 11/263. Test data generation system / Litvinenko A.M., Smetanin K.A .; applicant and patentee Federal State Budgetary Educational Institution of Higher Education "Voronezh State Technical University" - 2017124567; declared 07/10/2017; publ 07.02.2019], which is based on the use of a genetic algorithm. For this, the system has a fitness function generation unit, which is connected to the population generation unit, which is connected to the generator of the changed population, which has a connection with the processing fixation unit, and the processing fixation unit is connected by a counter-connection with the changed population generator. The genetic algorithm searches for a balance between efficiency and quality of solutions due to the "survival of the strongest alternative solutions" in uncertain and fuzzy conditions.

The disadvantage of the system is the high computational resource intensity, the complexity of determining the parameters of the genetic algorithm (population power, the probability of genetic operators, etc.),

The known complex of automation and visualization of testing the embedded software of electronic devices [Patent 2678717 Russian Federation, G06F 11/36. Complex of automation and visualization of testing the embedded software of electronic devices / Prudkov V.V .; applicant and patentee of the Russian Federation, on behalf of which the State Corporation for Space Activities "Roskosmos" acts - 2017138949; declared 0911.2017; publ. 04/12/2019]. The complex consists of a unified environment for writing, editing and executing tests, models of functional devices that interact with an electronic device with embedded software through expansion cards, a database, automated information analysis tools and filling the database.

The disadvantage of the solution is that a reduction in the labor intensity of specialists and a reduction in the total testing time is achieved only through a unified approach to building a software package and a single template for interaction functions and model dialog boxes; the formation of an optimal set of tests for identifying software bookmarks is not provided.

A known method of forming tests [RF Patent No. 2261471 C1 - Method of forming diagnostic tests / Strakhov AF, Strakhov OA, Palkeev EP, Belokrylov V.D. (RU) publ. September 27, 2005], based on the formation of combinations of input test signals with specified combinations of signal parameters and with specified sequences of input signals corresponding to the supply of input signals during normal operation of real diagnosed products of this type, as well as on the determination of the parameters of combinations of output signals for performing each combination input test signals.

The method for generating diagnostic tests has the following disadvantages: limited scope and insufficient reliability of the generated tests, as well as large time costs due to the use of the exhaustive search method.

The known method of creating a test base, described in [Kotov S. L., Demirsky A. A., Meshcheryakova V. In. Conducting certification tests of frequently updated software systems using an automated test base // Vestn. VNIIMASH, 2010; Melnikova V.V., Kotov S.L., Palyukh B.V., Proskuryakov M.A. Testing programs using genetic algorithms // Software products and systems. - 2011. - № 4. - pp. 107 - 110], which involves the creation of tests based on the analysis of functional requirements. The method consists in the following sequence of actions: analyze the functional requirements for software, rank functional requirements for software depending on their complexity and importance, formalize and write functional requirements in the form of specifications, develop a set of tests, form a test base.

The disadvantage of this method is the high labor intensity and significant time costs due to the high probability of redundant testing. [Kogay GD Advantages and disadvantages of modern types of software testing / GD Kogay, A. Zh. Amirov, RV Starodubenko, KV Starodubenko. // Young scientist. - 2016. - No. 21 (125). - S. 153-156.]

A known method for generating optimized for manual execution of scripts for testing applications with a graphical user interface, described in (Barantsev A.V., Groshev S.V., Omelchenko V.A.Generation of scripts optimized for manual execution // Proceedings of the Institute for System Programming of the Russian Academy of Sciences. - 2009 - v. 17, pp. 75 - 92. The method consists in the following sequence of actions: build a graph of states and transitions, determine test coverage criteria, taking into account the size and structure of the state graph, fix the limitation on the length of individual tests, build a test suite with minimum total test length, satisfying the following constraints:

1. Each test in the test set has a length not exceeding the specified one;

2. The test suite must provide coverage of all possible test situations with the restriction in clause 1.

If some test situations can only be covered by tests of length greater than the constraint specified in Section 1, then tests of the minimum total length covering all such test situations are constructed and added to the constructed test suite. It is checked whether the added long tests do not cover all test situations at once covered by some of the previously constructed short tests, and if such "unnecessary" short tests are found, they are removed from the test suite. The built test suite is filtered and sorted, while the ordering of the test suite by the time of adding tests to it is used.

The disadvantage of this method is the limited scope (aimed at testing applications with a graphical user interface), significant time spent on execution (involves manual testing).

The closest in technical essence to the proposed system is the invention "Method and system of software testing automation", which consists in the fact that the software testing automation system includes at least one user and / or tester device, at least one base data, at least one database of tests and a software and hardware complex, made with the ability to:

- software testing according to the prepared test plans through the interactive interaction of the tester with the user interface of the software under test,

- records of the specified user actions in automatic mode in predetermined terms of the business logic level of the software under test, storing the results in the test base as test scenarios,

- records of changes in the database, made during the execution of the specified test scenarios, in automatic mode in predetermined terms, assigning the sign "Reference changes" to these changes and saving the results in the test database,

- after changing the software, the implementation of its regression testing:

- playing test scripts from the test base in automatic mode,

- records of changes in the database made during the execution of the specified test scenarios, in automatic mode in predetermined terms, assigning the sign "Actual changes" to these changes and saving the results in the test database,

- carrying out verification for each test scenario, comparing "Reference changes" and "Actual changes" and saving the comparison results in the test database,

- formation of a list of test scenarios that have not been verified, while the changes that have not been verified mean the discrepancies between the "Reference changes" and "Actual changes" (RF patent application No. 2013126869/08), which is selected as a prototype.

The disadvantage of the prototype is the limited scope, the lack of the possibility of forming an optimal set of tests for identifying software bugs.

The closest in technical essence to the proposed method is the method for pseudo-random test generation described in (https://portal.tpu.ru/SHARED/t/TRACEY/Courses/theory/Tab_automata_textbooks/04.pdf). The method is as follows: generate a pseudo-random test set, using the simulation program to determine the number of faultsn (X _i )that it detects (excluding those that are already detected by the setX = {X _one ,… X _i-1 }... If an (X _i ) exceeds some predetermined threshold, then the setX _i add to the setX , and the next set is generated. This process continues until a user-specified completeness of the test sequence, or a threshold value for the length or time of building a test, is reached.

The disadvantage of the prototype method is the limited scope (provides testing only digital devices), the use of a pseudo-random test set, which leads to insufficient reliability of the generated tests, as well as to an increase in the selection time of the required test sets.

The technical problem to be solved by the proposed solution is the limited time, hardware, instrumental, and human resources used in the certification of software for security requirements, which leads to a decrease in the probability of detection of PP.

The technical problem is solved by preliminary formation of an optimal set of tests for identifying software bugs as a result of modeling the confrontation between the intruder and the expert.

The technical result of the invention is to increase the likelihood of detecting PZ when certifying software for safety requirements, increasing the number of detected PZ, reducing time, hardware, instrumental, human resources spent on certification tests.

In the claimed system, the technical result is achieved by the fact that the system is a prototype that includes at least one user and / or tester device, at least one database, at least one test base and a software and hardware complex made with the ability to test software provision, compilation of test scenarios and saving them in the database as reference, formation of the test database, additionally include interconnected block of input of initial data, block of analysis and filling of databases, base of initial data, block of control and management, block of modeling of program tabs , a database of program tabs, a block for generating tests, a database of tests, a block for modeling the confrontation between an intruder and an expert, which includes a block of embedded action, a block for selecting tests, a block for modeling the process of identifying a software bookmark, while a block of embedded action, the output of which is connected to the first input of the block model the process of identifying software bookmarks, to the second input of which the test selection unit is connected, consists of a series-connected block for activating a software bookmark, a block for selecting a software bookmark and a block for implementing a software bookmark, a block for analyzing simulation results, a block for generating an optimal set of tests and the most dangerous set of software bookmarks , the database of the optimal set of tests, the database of the most dangerous set of program tabs, the block for outputting the results, and the output of the input data block is connected to the input of the block for analyzing and populating the databases, the outputs of the block for analyzing and populating the databases are connected to the inputs of the input data base, database of program tabs, database of tests, block of control and management, the second input of the block of control and management is connected to the database of initial data, the first output of the block of control and management is connected to the block of modeling of program tabs, the output of which is connected to the input of the program tabs database, the second output of the control and management unit is connected to the test generation unit, the output of which is connected to the input of the test database, the third output of the control and management unit is connected to the first input of the unit for modeling the confrontation between the intruder and the expert, to the second and third the inputs of the block for modeling the process of confrontation between the intruder and the expert are connected to the outputs of the database of program tabs and the database of tests, the output of the block for modeling the process of confrontation between the intruder and the expert is connected to the input of the block for analyzing the results of modeling, the output of which is connected to the input of the block for forming the optimal set of tests and the most dangerous set of software bookmarks, the first and second outputs of the block for generating the optimal set of tests and the most dangerous set of program bookmarks are connected to the inputs of the database of the optimal set of tests and the database of the most dangerous set of program bookmarks, respectively Actually, the third output of the block for generating the optimal set of tests and the most dangerous set of program tabs is connected to the block for outputting the results.

In the claimed method, the technical result is achieved by specifying the initial data, analyzing, identifying the input data and filling in the corresponding databases, forming a database of program tabs, forming a database of tests, simulating the process of confrontation between an expert and an intruder, for which purpose, to simulate the actions of an intruder activates the software bookmark, selects the software bookmark, implements the selected software bookmark, to simulate the expert's actions, select a test to identify the software bookmark, simulate the process of identifying the software bookmark, analyze the simulation results, determine and write in the appropriate database the optimal set of tests for detecting the i-th program bookmark, determine and write in the corresponding database the most dangerous set of program bookmarks, carry out the output of the result.

From the prior art, no solutions have been identified regarding methods, devices and systems for generating an optimal set of tests for identifying software tabs characterized by the claimed set of features, therefore, which indicates the compliance of the claimed method with the "novelty" patentability condition.

The results of the search for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the prototypes of the features of the claimed invention, have shown that they do not follow explicitly from the prior art. The prior art determined by the applicant has not revealed the influence of the essential features of the claimed invention on the achievement of the specified technical result. Therefore, the claimed invention meets the “inventive step” requirement of patentability.

The "industrial applicability" of the method is due to the presence of a hardware and software base, on the basis of which devices that implement the method and the system can be made.

The claimed method is illustrated by the following figures:

FIG. 1 is a block diagram of a system for generating an optimal set of tests for identifying software bookmarks;

FIG. 2 is a block diagram of a method for generating an optimal set of tests for identifying software bookmarks;

FIG. 3 is a block diagram of an algorithm for modeling a confrontation between an expert and an intruder.

The system for generating an optimal set of tests for identifying software bookmarks, the block diagram of which is shown in Fig. 2, consists of an interconnected unit for inputting initial data 10, a unit for analyzing and filling databases 20, a database of initial data 30, a control and management unit 40, a unit for modeling software tabs 50, a database of software tabs 60, a unit for generating tests 70, a database of tests 80, a block for modeling the confrontation between an intruder and an expert 90, including a block of embedded action 91, consisting of a block for activating a program bookmark 911, a block for selecting a program bookmark 912, a block for implementing a program bookmark 913, a block for selecting test sets 92, a block for simulating the process of identifying a PZ 93, a block for analyzing simulation results 100, a block for forming an optimal set of tests and the most dangerous set of PZ 110, a database of an optimal set of tests 120, a database of the most dangerous set of PZ 130, a block for outputting results 140.

The output of the initial data input unit 10 is connected to the input of the analysis unit and filling the databases 20, designed to analyze the documentation describing the software under test, as well as the rest of the input data and filling the database in the order of the data belonging to its type of purpose and use and internal binding between yourself.

The outputs of the block for analysis and filling of databases 20 are connected to the inputs of the database of initial data 30, the database PZ 60, the database of tests 80, the control and management unit 40, designed to configure the internal parameters of the system elements (both hardware and internal structures , data and entities of models), management of system elements at any stage of operation, logging information about the state of all elements of the system during the entire operation time of the system. The second input of the monitoring and control unit 40 is connected to the initial data base 30, which is designed to store data, including information about system parameters, information necessary for visualization and data provision at any stage of operation, information about the software under test, data required for operation models, etc.

The first output of the monitoring and control unit 40 is connected to the block for modeling software tabs 50, the output of which is connected to the input of the PZ 60 database. The second output of the monitoring and control unit 40 is connected to the test generation unit 70, the output of which is connected to the input of the test database 80. The third the output of the monitoring and control unit 40 is connected to the first input of the unit for modeling the process of confrontation between the intruder and the expert 90. The outputs of the database PZ 6 and the database of tests 80 are connected to the second and third inputs of the unit for modeling the process of the confrontation between the intruder and the expert 90.

The block for modeling the process of the confrontation between the intruder and the expert 9 consists of a block of embedded action 91, a block for selecting tests 92, a block for modeling the process of identifying PZ 93, and the output of the block for identifying PZ 93 is connected to the first input of the block for modeling the process of identifying PZ 93, to the second input of which the selection block is connected tests 92.

The block of embedded action 91 consists of a series-connected activation block PZ 911, a block for selecting PZ 912, and an implementation unit PZ 913.

The output of the block for modeling the process of confrontation between the intruder and the expert 90 is connected to the block for analyzing the simulation results 100, the output of which is connected to the input of the block for forming the optimal set of tests and the most dangerous set of PZ 110.

The first and second outputs of the block for generating the optimal set of tests and the most dangerous set of PZ 110 are connected to the inputs of the database of the optimal set of tests 120 and the database of the most dangerous set of PZ 130, respectively. The third output of the block for generating the optimal set of tests and the most dangerous set of PZ 110 is connected to the block of outputs of the results 140.

The purpose of the blocks is clear from their names.

The system operates as follows:

At the first stage, input (block 10 of Fig. 1) of the initial data is carried out, their correctness is checked, and also the conversion to the desired format is carried out. From the output of the input unit 10 of the initial data, the data is sent to the unit for analyzing and filling the databases 20, where they are analyzed, identified and filled in the corresponding databases: the database of the initial data 30, the database PZ 60, the database of tests 70, etc.

Further, in the control and management unit 40, the parameters of all elements of the system are configured, control commands are generated and transmitted to start the simulation unit PZ 50 and the unit for generating tests 70. The generated PZ and tests are sent to the database PZ 60 and the database of tests 80, respectively. After the formation of the database PZ 60 and the database of tests 80, a control command is generated and transmitted to start the block for modeling the process of confrontation between the intruder and the expert 90.

When a control command is received in the block of the embedded action 91, namely in the block for activating the program bookmark 911, the mechanism for activating the PZ is started. In the case of PP implementation in the PP 912 selection block, a software tab is selected from the PP 60 database. In the PP 913 implementation unit, a software component is determined into which this PP can be embedded and the selected software tab is implemented.

When a control command is received from the monitoring and control unit 40, in the test selection unit 92, tests are selected for detecting PZ.

In block 93, the process of identifying the PZ is simulated.

The data obtained as a result of the simulation is fed to the block for analyzing the simulation results 100. Based on the analysis performed in the block for generating the optimal set of tests and the most dangerous set of PZ 110, the optimal set of tests for identifying the i-th PZ is determined and written into the corresponding database (block 120 of Fig. 1) and the most dangerous set of PZ (block 130 of Fig. 1).

At block 140 of FIG. 1 carry out the output of the result.

During the operation of the system, the claimed method of forming an optimal set of tests for identifying software bookmarks can be implemented, the block diagram of which is shown in Fig. 2.

In block 1 of FIG. 2 sets the source data.

The initial data for the method are:

source codes of software, specifications and other necessary software, design and operational documentation for software described in [Markov A.S., Tsirlov V.L., Barabanov A.V. Methods for assessing the inconsistency of information security tools / A.S. Markov V. L. Tsirlov, A. V. Barabanov; ed. Assoc. A.S. Markov. - M .: Radio and communication, 2012 .-- 192 p .; Begaev A.N., Kashin S.V., Markevich N.A., Marchenko A.A., Identification of vulnerabilities and undeclared capabilities in software - St. Petersburg: ITMO University, 2020. - 38 p., Begaev A.N. , Kashin S.V., Zimnenko S.A. Certification of software and automated systems in various certification systems. - St. Petersburg: ITMO University, 2018 .-- 45 p .; Begaev A.N., Kashin S.V., Markevich N.A., Marchenko A.A., Pavlov D.D. Certification of software for trust requirements - St. Petersburg: ITMO University, 2020. - 40 p.];

many restrictions on the functioning of software that determine its compliance with security requirements, consisting of a subset of restrictions on the use of hardware and operating system (OS) resources, such as RAM, processor time, OS resources, interface capabilities and other resources, and a subset of restrictions governing access to objects containing data (information), that is, memory areas, files, etc.

many controlled parameters of the environment and software;

parameters necessary for the configuration and functioning of the models used,

data necessary to fill in the databases used (program tabs, tests, etc.), etc.

The initial data can be specified by recording them into the computer memory using known input devices.

In block 2 of Fig. 2, the analysis, identification of the input data and filling of the corresponding databases are carried out: the source data database, the PZ database, the test database, etc.

Analysis, identification of input data and filling in the corresponding databases can be carried out using automated tools described, for example, in (Patent 2678717 Russian Federation, G06F 11/36. Automation and visualization complex for testing embedded software of electronic devices / V.V. Prudkov. ; applicant and patentee Russian Federation, on behalf of which the State Corporation for Space Activities "Roskosmos" acts - 2017138949; application 0911.2017; published 12.04.2019), performing the analysis of the documentation for the software under test, identification of input data and filling in the database in the order of data belonging to to its type of purpose and use and internal binding to each other

In block 3 of Fig. 2, a database of program bookmarks is formed.

The database of program bookmarks can be formed in the following ways:

entering a set of all known software bookmarks into the database;

entering into the database a set of software bookmarks obtained as a result of modeling (for example, by generating a set of models of all possible (within the framework of this model) software bookmarks [Kazarin OV Theory and practice of program protection. M. 2004. - 389 p.] ).

In block 4 of Fig. 2, a database of tests is generated.

Tests can be generated using well-known tools for automatic test generation, as well as tools for writing and editing tests in the "manual" mode [Patent 2679350 Russian Federation, G06F 11/263. Test data generation system / Litvinenko A.M., Smetanin K.A .; applicant and patentee Federal State Budgetary Educational Institution of Higher Education "Voronezh State Technical University" - 2017124567; declared 07/10/2017; publ 07.02.2019; Patent 2678717 Russian Federation, G06F 11/36. Complex of automation and visualization of testing the embedded software of electronic devices / Prudkov V.V .; applicant and patentee of the Russian Federation, on behalf of which the State Corporation for Space Activities "Roskosmos" acts - 2017138949; declared 0911.2017; publ 12.04.2019, Kulyamin V.V. Software verification methods. - M .: Institute of System Programming RAS, 2008. - 111 p .; A.Yu. Zakonov, A.A. Shalyto Application of genetic algorithms to the generation of tests for automatic programs // Scientific and technical bulletin of the St. Petersburg State University of Information Technologies, Mechanics and Optics, 2011, No. 2 (72), pp. 66 - 72, etc.].

It should be noted that in accordance with the [RD of the State Technical Commission of Russia “Protection against unauthorized access to information. Part 1. Software for information security. Classification by the level of control over the absence of undeclared opportunities "(established by Order of the Chairman of the State Technical Commission of Russia No. 114 of 04.06.1999); Methodology for identifying vulnerabilities and undeclared capabilities in software (Electronic resource https://ict.moscow/presentation/metodika-vyiavleniia-uiazvimostei-i-nedeklarirovannykh-vozmozhnostei-v-po/. Date of treatment 07/12/2020); GOST R 56920-2016 Software testing; Markov A. S., Tsirlov V. L., Barabanov A. V. Methods for assessing the inconsistency of information protection means / A. S. Markov, V. L. Tsirlov, A. V. Barabanov; ed. Assoc. A.S. Markov. - M .: Radio and communication, 2012 .-- 192 p .; Begaev A.N., S.N. Begaev, S.V. Kashin Analysis of the program code during certification tests. - St. Petersburg: ITMO University, 2018 .-- 41 p .; Begaev A.N., Kashin S.V., Markevich N.A., Marchenko A.A., Identification of vulnerabilities and undeclared capabilities in software - St. Petersburg: ITMO University, 2020. - 38 p.] For software certification according to requirements The following types of security testing should be carried out:

- static (software testing performed without actually executing programs. Testing is performed on any version of the source or object code);

- dynamic (software testing performed by executing programs on a real or virtual processor).

Thus, tests must be formed and recorded in the database, allowing the listed types of testing to be carried out.

In block 5 of FIG. 2 begin to simulate the process of confrontation between the expert and the offender.

The algorithm of the confrontation process between the expert and the offender is shown in Fig. 3.

To simulate the actions of the offender:

In box 5.1 of FIG. 3 activates the software bookmark.

можно представить в виде функции

:Activation mechanism

can be represented as a function

:

.

...

If w = 0, the software bookmark will not be embedded; if w = 1 , it will be embedded.

In the case of the introduction of the PZ (with w = 1 ), the software bookmark is selected (block 5.2 of Fig. 3).

The introduced software bookmark can be selected equally probable or according to a different given distribution of a random variable (taking into account the degree of criticality, the frequency of application of the PP by violators, etc.).

In box 5.3 of FIG. 3 carry out the implementation of the selected software bookmark.

Methods and tools for PP implementation are described in [Kazarin OV. Theory and practice of software protection. M. 2004. - 389 p.].

To simulate the actions of the expert, the selection of tests is performed to identify the PZ (block 5.4 of Fig. 3).

In block 5.5 of FIG. 3 simulate the process of identifying the PP.

In the context of limitations on the time and quality of testing due to the difficulties of carrying out full-scale tests for modeling the process of identifying PZ it is possible to use the methods of game theory [Mironov S.V. Application of the game theory apparatus for solving the problem of detecting malicious bookmarks in the software of objects of critical information infrastructures // III International Conference "The 2019 Symposium on Cybersecurity of the Digital Economy - CDE'19". - p. 259 - 261; Shmatova E.S. The choice of a false information system strategy based on a game theory model // Cybersecurity Issues No. 5 (13) - 2015. - pp. 36 - 40; Mikhaleva U.A. Application of Game Theory Methods to Eliminate Vulnerabilities in Organizational Software // Automation and Software Engineering. 2016, No. 1 (15). P. 30 - 32; Sosnin Yu. V., Kulikov GV, Nepomnyashchikh AV A complex of mathematical models for optimizing the configuration of information protection means from unauthorized access // Software systems and computational methods - №1 (10). - 2015. p. 32 - 44].

In this case, the process of modeling the process of identifying a PP contains the following main stages:

1. Set the game Г by three:

,

,

where P is a finite set of program tabs,

N is a finite set of tests containing a set of signatures and atomic operations,

- платежная функция игры

от двух переменных

и

.

- payment function of the game

on two variables

and

...

можно представить следующим образом:Payment function of the game

can be represented as follows:

Where:

- максимальное время испытаний ПО;

- maximum software testing time;

- - вероятность выявления

-м тестовым набором

-ой ПЗ:

- - probability of detection

-m test suite

-th PZ:

;

;

- -тестовый набор

,

=1 в случае наличия

-го теста в наборе,

=0 - в случае отсутствия при d=

;

- - test set

,

= 1 if available

th test in the set,

= 0 - in the absence at d =

;

- - вероятность выявления

-ым тестом

-ой ПЗ.

- - probability of detection

th test

th PZ.

Characteristics of software tabs and tests that affect the detection process:

- время на выполнение одиночного

-го тестового набора в часах.

- time to complete a single

test set in hours.

- степень критичности

-ой ПЗ, в соответствии с моделью DREAD={1,2,3,4,5}.

- degree of criticality

-th PZ, in accordance with the model DREAD = {1,2,3,4,5}.

- максимальная степень критичности закладок.

- the maximum degree of criticality of bookmarks.

The DREAD model is a way to assess risk in the following categories [Howard M., Leblanc D. Protected code / Per. from English - 2nd ed., Rev. - M .: Publishing house "Russian Edition", 2005. - 704 pages, pp. 80 - 81].

Damage potential is a measure of the actual damage from a successful attack.

Reproducibility is a measure of the possibility of a hazard being realized.

Exploitability is a measure of the effort and skill required to attack.

Affected users - The percentage of users who are disrupted due to a successful attack.

Discoverability.

The total DREAD score is equal to the arithmetic mean of all scores.

1. Carry out the construction of the game matrix.

Since the number of possible actions of the intruder and the expert is finite, the values of the function Ф can be represented in the form of a matrix, in the i- th row of which the payoffs of the first party are sequentially located in situations ( i , 1), ( i , 2), ..., ( i, m ), and in column j - its gains in situations (1, j ), ..., ( n, j ). The violator's choice of the i- th PP - strategy i - means the choice of row i , the expert's choice of the j -th test - strategy j - the choice of column j .

2. Criteria for stopping the minimization of the payment matrix are specified.

3. Find a solution to the matrix game.

The procedure for finding the solution of the matrix game Г is known and described, for example, in [Sosnin Yu. V., Kulikov GV, Nepomnyashchikh AV Complex of mathematical models for optimizing the configuration of information security tools against unauthorized access // Software systems and computational methods - No. 1 (10). - 2015. p. 32 - 44, Mikhaleva U.A. Application of Game Theory Methods to Eliminate Vulnerabilities in Organizational Software // Automation and Software Engineering. 2016, No. 1 (15). P. 30 - 32].

So, to solve a matrix game, the following sequence of actions can be applied:

- average efficiencies are calculated;

- check the fulfillment of the condition for removing the least effective from the PP / tests and decide on the continuation of the procedure;

- exclude the least effective from the PP and / or tests.

These actions are carried out until the condition of stopping the procedure for minimizing the payment matrix is fulfilled.

Finding a solution to the matrix game allows you to determine the most dangerous set of PPs that an intruder can implement, as well as the optimal set of tests for identifying these PPs, set by an expert.

In block 6 of Fig. 1, the simulation results are analyzed.

In the block bl. 7 fig. 1, the optimal set of tests for identifying the i-th PZ is determined and recorded in the corresponding database.

In the block bl. 8 fig. 1, the most dangerous set of PPs is determined and recorded in the appropriate database.

In block 9 of FIG. 1 carry out the output of the result.

The implementation of the proposed method does not cause difficulties, since all the blocks included in the system that implements the method are well known and widely described in the technical literature [Nechaev I.A. Constructions on logical elements of digital microcircuits. - Moscow: Radio and communication, 1992. - 123 p .; A.V. Belov We create devices on microcontrollers. - SPb .: Science and technology, 2007. - 304 p .; Design and technological design of electronic equipment. Textbook for universities. Series: Computer Science at the Technical University. Ed. Shakhnova V.A. - M .: Publishing house of MSTU im. N.E. Bauman, 2003. - 528 p .: ill .; Suvorova E., Sheinin Y. Design of digital systems on VHDL. Series "Tutorial". - SPb .: BHV-Petersburg, 2003 .-- 576 p .: ill .; Ovchinnikov V.A. Algorithmization of combinatorial-optimization problems in the design of computers and systems. Series: Computer Science at the Technical University. - M .: Publishing house of MSTU im. N.E. Bauman, 2001 .-- 288 p .: ill .; Yu.V. Novikov Fundamentals of digital circuitry. Basic elements and schemes. Design methods. - M .: Mir, 2001 .-- 379 p .; Levin V.I. Information carriers in the digital age / Under total. ed. D.G. Kraskovsky. - M .: ComputerPress, 2000. - 256 p .: ill .; Guk M. Disk subsystem of the PC. - SPb .: Peter, 2001 .-- 336 p .: ill., Pei An. Pairing a PC with external devices. - M .: DMK Press, 2003. - 320 p .: ill.].

The use of the proposed method to generate an optimal set of tests for identifying software bugs during certification tests of software for security requirements showed a significant reduction in the amount of work of specialists when testing software, a reduction in time costs, and an increase in the number of detected software bugs by 20%.

Thus, due to the preliminary formation of an optimal set of tests for identifying software bugs, obtained as a result of modeling a confrontation between an intruder and an expert, the declared technical result is achieved, namely, an increase in the probability of detecting a PD when certifying software according to safety requirements, an increase in the number of detected PD, a decrease in time. , hardware, instrumental, human resources spent on certification tests.

Claims (2)

1. A system for generating an optimal set of tests for identifying software bugs, including at least one user and / or tester's device, at least one database, at least one test base and a software and hardware complex capable of testing software, compilation of test scenarios and saving them in the database as reference ones, formation of the test database, characterized in that the system additionally includes interconnected block for input of initial data, block for analysis and filling of databases, base data base, control and management block, block modeling of software tabs, database of software tabs, block of formation of tests, database of tests, block of simulation of the confrontation between the intruder and the expert, including the block of the embedded influence, the block of the selection of tests, the block of modeling the process of identifying the software bookmark, while the block of the embedded influence, the output of which is connected it is connected to the first input of the block for modeling the process of identifying software bookmarks, to the second input of which the block for selecting tests is connected, consists of a series-connected block for activating a software bookmark, a block for selecting a software bookmark and a block for implementing a software bookmark; block for analysis of simulation results, block for forming the optimal set of tests and the most dangerous set of program tabs, database of the optimal set of tests, database of the most dangerous set of program bookmarks, block for outputting results, and the output of the input data input block is connected to the input of the block for analyzing and filling the databases , the outputs of the analysis and filling of the databases are connected to the inputs of the initial data database, the database of program tabs, the test database, the control and management unit, the second input of the control and management unit is connected to the initial data base, the first output of the control and management unit is connected to the block for modeling software bookmarks, the output of which is connected to the input of the database of software bookmarks, the second output of the control and management unit is connected to the block for generating tests, the output of which is connected to the input of the database of tests, the third output of the block of control and management is connected to the first input of the block of the process of confrontation between the intruder and the expert, the outputs of the database of program tabs and the database of tests are connected to the second and third inputs of the block of modeling the process of confrontation between the intruder and the expert, the output of the block of modeling the process of confrontation between the intruder and the expert is connected to the input of the block of analysis of simulation results, the output of which is connected to the input of the block for generating the optimal set of tests and the most dangerous set of software bookmarks, the first and second outputs of the block for forming the optimal set of tests and the most dangerous set of software bookmarks are connected to the inputs of the database of the optimal set of tests and the database of the most dangerous set of software bookmarks, respectively, the third output of the forming block the optimal set of tests and the most dangerous set of program tabs is connected to the block of results output. 2. A method of forming an optimal set of tests for identifying software bookmarks, which consists in setting initial data, performing analysis, identifying input data and filling in the corresponding databases, forming a database of software bookmarks, forming a database of tests, simulating the process of confrontation between an expert and by the intruder, for which, to simulate the actions of the intruder, activate the software bookmark, select the software bookmark, implement the selected software bookmark, to simulate the expert's actions, select a test to identify the software bookmark, simulate the process of identifying the software bookmark, analyze the simulation results, determine and record the optimal set of tests for identifying the i-th program bookmark into the corresponding database, the most dangerous set of program bookmarks is determined and recorded in the corresponding database, result.

Images