Nowadays, web applications are one of the most popular types of target of evaluation within the framework of the information security certification. The relevance of the study of web applications vulnerabilities during information security certification is due to the fact that web technologies are actively used while producing modern information systems, including information systems critical from the information security point of view, and on the other hand carrying out basic attacks on such information systems do not require violators of high technical competence, since data on typical vulnerabilities and attacks, including the attacking tools are heavily represented in publicly available sources of information, and the information systems themselves are usually available from public communication networks. The paper presents the results of a study of the security of web applications that are target of evaluation within the framework of certification for information security requirements against cross-site requests forgery attacks. The results of systematization and generalization of information about the cross-site requests forgery attacks and security controls used by web application developers are presented. The results of experimental studies of 10 web applications that have passed certification tests against information security requirements are presented. The results of experimental studies have shown that most developers do not pay enough attention to protection from cross-site request forgery attack - 7 out of 10 web applications tested have been vulnerable to this type of attack. Based on the results of processing the results of experimental studies, the distribution of security controls used in web applications and identified vulnerabilities by programming languages were obtained. Recommendations regarding the protection of web applications against cross-site request forgery attack for developers planning to certify their software are formulated.

Several known methods allow to estimate the overall effort(s) to be used up for the software development. The approach based on story points is preferable and quite common in the context of Sсrum agile development methodology. However, it might be rather challenging for people, who are new to this methodology or to a specific Scrum team to estimate the amount of work with story points. The proposed approach involves estimation of features on the basis of linguistic terms that are both habitual and clear for everyone. The presented fuzzy inference system (Mamdani’s model) makes it possible to calculate story points using people’s opinions expressed as sentences in natural language - the study shows empirically that beginners to Scrum methodology consider the proposed approach to be more convenient and easier in use than the ‘plain’ story points estimation. Also, four groups of people with different levels of qualification in Scrum were asked to estimate several features of a certain project using the developed approach and common story points approach to prove the relevance of the approach - it was shown that the results of basic story points estimation for Scrum experts differ slightly from the results revealed by proposed approach, while for Scrum beginners such difference is significant. To the opinion of authors, the proposed approach may allow to adapt to Scrum more smoothly, with better understanding of what is implied by story points, grasping the general idea and learning faster their use in practice. The experimental study conducted as a part of the research has shown results approaching the estimations provided by Scrum experts who have been working in real projects and making use of story points for several years. Continuation of the present work can be associated with intensive studies of more complicated methods of aggregation of the experts’ opinions, analysis of alternative representation forms of confidence degrees in estimates provided as well as the development of plugin for JIRA tracking system.

A method for constructing modified codes with summation of weighted transitions between bits in data vectors occupying neighboring positions is proposed. New codes with summation have the same number of check bits as the classic Berger codes, but they detect more errors in data vectors. Modified codes with summation of weighted transitions in comparison with Berger codes also have improved error detection characteristics in the area of small multiplicity. In addition, for some values of the lengths of information vectors codes can be constructed with the detection of any twofold and any triple errors. The authors developed a method for synthesizing concurrent error detection systems of combinational circuits, based on the analysis of the topology of the object of diagnosis with the selection of groups of checkable outputs, taking into account the properties of error detection by modified codes with summation of weighted transitions. An algorithm for the synthesis of a concurrent error detection systems has been developed.

The enhanced utilization of outsourcing services for a part of VLSIs (Intellectual Property cores, reprogramming components based on FPGA and so on) to cut VLSI cost increases risk of inserting Trojan Circuits (TCs) that may destroy VLSI or provide leakage of confidential information. TCs as a rule act in rare operation situations, therefore they are not detectable neither during VLSI verification nor VLSI testing. The approach to partially programmable circuit design from gates, programmable LUTs and MUXs oriented to masking TCs is suggested. The approach allows getting a circuit that masks TC when it has been found or deriving a circuit that is tolerant to TCs actions. The method of reprogramming LUTs for masking TCs is developed. The condition of replacing a function corresponding to free LUT input is formulated. It is based on using incompletely specified Boolean functions of internal nodes of the circuit. The functions are obtained with using operations on ROBDDs corresponding to the circuit fragments. The operations have a polynomial complexity.

Modern automatic devices are more and more equipped with microcontroller units. The logic of work of the automatic equipment is supported by a number of various embedded software applications, which run under an embedded real-time operating system (OS). The OS reliability is extremely important for correct functionality of the whole automatic system. Therefore, the embedded OS should be tested thoroughly with an appropriate automated test suite. Such test suite for testing of an embedded OS is usually organized as a set of multi-task test applications to be executed in a data-driven manner. The paper features a special language to define the respective testing task logic and the concept of flat charts to efficiently perform an embedded OS execution-based testing. To avoid heavy interpreting of text strings during the test run, the respective test presentation is pre-processed in order to convert the initial string form into a regular array form and thus to increase its efficiency.

The complexity of existing Legacy systems and the difficulty of amending it led to the development of the new concept of variability of systems specified by a model of the characteristics of FM (Feature Model). In the paper, we discuss the approaches to formal definition of FM and creating on its basis variants of program systems (PS), operating systems (OS) and families of program systems (FPS) for PS and OS. We give methods of manufacturing of PS in the Product Family/Product Lines, the conveyor of K.Czarnecki for assembling of artifacts in the space of problems and solutions, logical-mathematical modeling of PS from the functional and interface objects by Object-Components Method (OCM), extraction of the functional elements from OS kernel to FM for the generation of new variants of the OS. We discuss approaches for formalization of variability of legacy and new PS and their FPS. The new concept of management of variability systems with help OCM is defined. The approach to verify models of the FM, PS, FPS and OS and to configuration of functional and interface objects for obtaining the variants of the resulting product are proposed. We elaborate the characteristics for the testing process of variants of the PS, OS and FPS.

Historically program analysis methods are divided into two groups - static program analysis methods and dynamic program analysis methods. In this paper, we present a combined approach which allows to determine reachability for defects found by static program analysis techniques through applying dynamic symbolic execution for a program. This approach is an extension of our previously proposed approach for determining the reachability of specific program instructions using dynamic symbolic execution. We focus on several points in the program which include a defect initialisation point, a defect realisation point, and additional intermediate conditional jumps related to the defect in question. Our approach can be described as follows. First of all, we perform static analysis of program executable code to gather information on execution paths which guide dynamic symbolic execution to the point of defect initialisation. Next, we perform concolic execution in order to obtain an input data set to reach the defect initialisation point as well as the defect realisation point through intermediate conditional jumps. Concolic execution is guided by minimizing the distance from a previous path to the next defect trace point when selecting execution paths. The distance metric is calculated using an extended graph of the program combining its call graph and portions of its control flow graph that include all the paths through which the defect realisation point can be reached. We have evaluated our approach using several open source command line programs from Linux Debian. The evaluation confirms that the proposed approach can be used for classification of defects found by static program analysis. However, we have found some limitations, which prevent deploying this approach to industrial program analysis tools. Mitigation of these limitations serves as one of the possible directions for future research.

Currently the problem of information security during designing and exploiting the objects of critical information infrastructure is paid special attention to. One of the most common approaches to providing information security, processed on the objects, is creating isolated programming environment. The environment security is determined by its invariability. However, the evolutional development of data processing systems gives rise to the necessity of implementing the new components and software in this environment under condition that security requirements are satisfied. The most important requirement consists in trust in the new programming code. The given paper is devoted to developing formal logical language of description of functional requirements for programming code, allowing to make further demands at the stage of static analysis and to control their implementation in dynamics.

Concurrent programs have behaviors, which cannot be explained by interleaving execution of their threads on a single processing unit due to optimizations, which are performed by modern compilers and CPUs. How to correctly and completely define a semantics of a programming language, which accounts for the behaviors, is an open research problem. There is an auspicious attempt to solve the problem - promising memory model. To show that the model might be used as a part of an industrial language standard, it is necessary to prove correctness of compilation from the model to memory models of target processor architectures. In this paper, we present a proof of compilation correctness from a subset of promising memory model to an axiomatic ARMv8.3 memory model. The subset contains relaxed memory accesses and release and acquire fences. The proof is based on a novel approach of an execution graph traversal.

In the article, a novel approach to the development, analysis and transformation of parallel programs is considered. A functional dataflow parallel programming language is used. It supports writing programs independently of any resource limitations. This allows to develop algorithms with maximal level of parallelism. Support tools for translation, execution, debugging, optimization and verification of functional dataflow parallel programs are developed. The translator transforms source code of a program to an intermediate representation, in which each function is defined by its dataflow graph. A dataflow graph describes data dependencies in the function and allows to construct the control graph, which defines the organization of computations by specifying the order of the operators execution. The optimization and verification of the program is carried out on their dataflow and control graphs. In order to execute a program the maximal parallelism is to be «compressed» according to particular computing systems' resource limitations. A computation process is considered as a juxtaposition of the control graph and the dataflow graph. It is possible to employ different control strategies by means of control graphs modification. The developed support tools allow to change computation control strategies adapting them to the peculiarities of a computational environment. The suggested tools provide generation of intermediate representation, which could be used as a basis for the following transformations of a program to the program for existed parallel computing systems architecture.

In this paper, we discuss principles of the organization and functioning of the software framework intended for development of models, methods and applications of motion planning theory. Developed within an object-oriented paradigm the framework includes a wide variety of ready-to-use components that provide the functionality required for automatic search for collision-free trajectories for robots moving in both static and dynamic complex 3D environments. The proposed software design provides extensibility, adaptation and flexible configuration of the developed program components as a part of target applications. The developed architecture provides ability to integrate with third-party systems via interfaces of different level and extension points.

The article describes the practical experience of developing a prospective visual planning system based on an object-oriented framework. The used framework is a system of classes and interfaces intended for software implementation of models, methods and applications of scheduling theory. Due to the availability of ready-to-use components for the solution of typical problems as well as the mechanisms for their configuration and extension, development of applications becomes a relatively simple process. The application of the framework allows to implement the necessary functional for project planning in the target system as well as to provide its subsequent evolution by generalizing the statements of the problems and expanding the arsenal of algorithms used to solve them. The described experience can be claimed when building other applications of scheduling theory. The paper discusses the general issues of organizing a software toolkit in the form of the object-oriented framework, a methodology for creation of scheduling theory applications on its basis, as well as a process of developing a target system for visual planning of projects based on the methodology and the framework. Results of computational experiments comparing the performance of the developed system with some popular project management systems are also presented in the paper. Recommendations on the development and evolution of scheduling theory applications based on the framework are summarized in conclusion.

Hardware-software systems are widely used now and must be safe and reliable. Manual analysis of risks for structural complex systems is very expensive, so formal automated methods are required. The most important aspect here is the possibility to describe safety requirements in terms used in safety theory, such as Markov chains or logic-probabilistic functions, since for the decades of development of the theory, a large number of very useful results have been accumulated. Different approaches to assessing safety of systems do not compete, but complement each other, so having some universality in describing safety requirements is a very valuable quality. In this article, we demonstrate the advisability of using the AADL modeling language and its extension Error Model Annex to describe safety requirements of a system under design. First, we describe a mathematical model of safety requirements expressible in AADL Error Model Annex. Next, we present algorithms to perform the following automated risk analysis on the base of AADL models: Fault Tree Analysis (including calculation of minimal cut sets and ranking of primary events with respect to different relevant importance measures), Failure Mode and Effects Analysis, and Markovian Analysis. At last, we consider an example of a real avionic system. We present an architecture of an AADL model of the system under design and describe how to develop Error Model Annex specifications for the model. With the help of risk analysis, we show how one can identify, localize and fix a bug in the architecture of the system on the design stage of the system development. All presented algorithms are implemented in MASIW framework for design of modern avionics systems.

Distributed algorithms of solving problems on undirected graphs are considered. In section 2, a model is defined featuring a root as a starting and ending point of the algorithm execution. Synchronous and asynchronous versions of the model are described. In section 3, algorithms of solving any problems are suggested based on collecting information on the whole graph in the root or in any vertex, as well as, on the graph labeling (its vertices and/or edges), if required. Emphasis is made on the time of the algorithm execution or on saving memory in vertices and total size of transferred messages, if this time is minimal. The rest of the paper considers optimizations for particular problems: creation of Maximal Independent Set (MIS), Finding Set of Bridges (FSB), creation of Minimum Spanning Tree (MST) in a edge-weighted graph. In section 4, a modification of general algorithms for these problems is suggested decreasing the estimate of memory size of vertices and messages. Section 5 includes lower-bound estimates of solution complexity for these problems. In section 6, for synchronous model, the time of algorithms execution with graph labeling is decreased to the lower bound for problems with single-valued solution depending on only simple cycles of the graph, in particular, FSB, MST and the problem of Hamiltonian cycle search. In section 7, time-optimal algorithms for FSB and MST are considered for both synchronous and asynchronous models. Conclusion summarizes the results and outlines the directions for further research.

In this paper, we present a software package for the construction of an adaptive finite-difference grid by expanding physical variables into a sparse wavelet series. Some technical details of the program implementation are given. In particular, we describe data structures used for the grid representation in computer memory and tools for organizing parallel calculations on the adaptive grid. Also the results of several numerical simulations involving the developed package are shown.

Numerical investigation is focused to heat transfer of rectangular channel with dimples. Developed model was tested for adequacy by simulating of experiment, conducted by Kazan National Research Technical University named after A. N. Tupolev - KAI. Numerical model was verified too for adequacy by reproducing of experiment by A. Tsynaeva, S. Razorenov. The test has been held with Reynolds number Re=3000...30000. The results was found in enough agreement. The heat transfer in rectangular channel with shallow curly dimples was modeled with source Code_Sarurne. Numerical modeling are based by RANS approach with k-w SST model. The study was conducted to air (ν=13.28 10^-6 m²/s, J/(kg^.K) ). The 3D computation domain was meshed with source Salome by version 7.6.0. The SIMPLEC algorithm are used for U-p calculation. Generation time of mesh and calculation was estimated. The study of heat transfer was demonstrated by efficiency of curly dimples. Developed model shows heat transfer advantage up to 15.6 % of curly dimples over cylindrical ones of the same depth ( h/D =0.11, h= 2 mm) and contact patch area (S = 252.02 mm²).