Methods for analyzing the impact of software changes on objective functions and safety functions
https://doi.org/10.32362/2500-316X-2024-12-2-7-15
Abstract
Objectives. This paper examines the various approaches to analyzing the impact of software changes and suggests a new method based on function control flows. Impact analysis of a software change can require a lot of time and competence on the part of the expert conducting it. There is no detailed description of a methodology for analyzing the impact of changes, and none is established at the legislative level. The proposed method has three aims: reducing the level of requirements for an expert conducting software research; localizing code areas in order to establish defects in information protection functions; and reducing the time spent on analyzing the impact of changes.
Methods. The study analyzes the common methods for analyzing software changes with a description of their positive and negative sides. The possibility of analyzing changes in the control flow of software functions is considered as an alternative to line-by-line comparison of the full volume of source codes. Represented as tree-shaped graphs, the control flows of different versions of the same software are subject to a merging procedure. The final result is analyzed by an expert from the research organization.
Results. The results of researching the software change analysis methods are presented together with a description of their disadvantages. A description is given of the method for change analysis using function control flows. This complements the existing methods while eliminating their disadvantages. The study also analyzes the possibility of using this method beyond the tasks defined in the introduction.
Conclusions. The use of methods to localize the most vulnerable code sections is considered one of the most promising areas for analyzing change impact. In addition to searching for vulnerable code sections, it is important to evaluate the effectiveness of the control flow comparison method in the analysis of source code when transferred to another code base.
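The merging procedure the Methods section describes, as an added illustration that is not the authors' code: each version of the software is represented as a tree whose nodes are functions and whose edges are calls, the two trees are merged into one annotated tree, every node is labelled unchanged, modified, added or removed, and the subtrees with no change are pruned so the expert only sees the changed regions. The sample functions, the body-normalization rule (hashing bodies with blank lines and trailing whitespace removed) and the set of "protection functions" are all constructed assumptions for the example.

```python
"""Merge two versions of a function control-flow tree and localize the changes.

Added example (not the paper's code): nodes are functions, edges are calls,
and the merged tree marks where the two versions differ.
"""
from dataclasses import dataclass, field
import hashlib


@dataclass
class FuncNode:
    """A function in one version: name, body text and the functions it calls."""
    name: str
    body: str
    calls: list = field(default_factory=list)


@dataclass
class MergedNode:
    """A node of the merged tree; status is unchanged, modified, added or removed."""
    name: str
    status: str
    children: list = field(default_factory=list)


def body_hash(body: str) -> str:
    # Assumed normalization: drop blank lines and trailing whitespace so that
    # pure reformatting is not reported as a change.
    normalized = "\n".join(line.rstrip() for line in body.splitlines() if line.strip())
    return hashlib.sha256(normalized.encode()).hexdigest()


def merge(old, new) -> MergedNode:
    """Merge the subtrees rooted at `old` and `new`; either side may be None."""
    if old is None:
        return MergedNode(new.name, "added", [merge(None, c) for c in new.calls])
    if new is None:
        return MergedNode(old.name, "removed", [merge(c, None) for c in old.calls])
    status = "unchanged" if body_hash(old.body) == body_hash(new.body) else "modified"
    old_calls = {c.name: c for c in old.calls}
    new_calls = {c.name: c for c in new.calls}
    # Keep the old call order, then append callees that exist only in the new version.
    names = list(old_calls) + [n for n in new_calls if n not in old_calls]
    return MergedNode(old.name, status,
                      [merge(old_calls.get(n), new_calls.get(n)) for n in names])


def has_change(node: MergedNode) -> bool:
    """True if this node or anything below it differs between the versions."""
    return node.status != "unchanged" or any(has_change(c) for c in node.children)


def changed_paths(node: MergedNode, prefix=()) -> list:
    """Call paths from the root to every node whose own status is not unchanged."""
    path = prefix + (node.name,)
    found = [list(path)] if node.status != "unchanged" else []
    for c in node.children:
        found.extend(changed_paths(c, path))
    return found


def prune_unchanged(node: MergedNode):
    """Drop subtrees with no change at all: this reduced tree is what the expert reviews."""
    if not has_change(node):
        return None
    kept = [p for p in (prune_unchanged(c) for c in node.children) if p is not None]
    return MergedNode(node.name, node.status, kept)


def affected_protection_functions(node: MergedNode, protection: set) -> set:
    """Protection functions that changed themselves or call something that changed."""
    hit = {node.name} if node.name in protection and has_change(node) else set()
    for c in node.children:
        hit |= affected_protection_functions(c, protection)
    return hit


def build_example() -> MergedNode:
    """Constructed sample: two versions of a small request handler."""
    old = FuncNode("main", "  req = read()\n\n  if check_token(req):\n      write_log(req)   \n", [
        FuncNode("parse_request", "return json.loads(raw)"),
        FuncNode("check_token", "return verify_hmac(tok, key)", [
            FuncNode("verify_hmac", "return a == b")]),
        FuncNode("write_log", "log.write(line)"),
        FuncNode("legacy_cleanup", "os.remove(tmp)"),
    ])
    new = FuncNode("main", "  req = read()\n  if check_token(req):\n      write_log(req)", [
        FuncNode("parse_request", "return json.loads(raw)"),
        FuncNode("check_token", "return verify_hmac(tok, key)", [
            FuncNode("verify_hmac", "return hmac.compare_digest(a, b)")]),
        FuncNode("write_log", "log.write(line)"),
        FuncNode("metrics", "counter += 1"),
    ])
    return merge(old, new)


if __name__ == "__main__":
    merged = build_example()
    for path in changed_paths(merged):
        print(" -> ".join(path))
    print(affected_protection_functions(merged, {"check_token", "verify_hmac"}))
```

In the sample, `main` is reported as unchanged even though its text was reformatted, the modified `verify_hmac` is reached through the path `main -> check_token -> verify_hmac`, and both `check_token` and `verify_hmac` are flagged as affected protection functions, which is the localization the abstract aims at. Because the method assumes tree-shaped graphs, a real extractor must break recursion (direct or mutual) before feeding functions to `merge`, otherwise the recursion here does not terminate.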
About the Authors
A. A. Legkodumov
Russian Federation
Alexander A. Legkodumov, Cryptographic Analysis Specialist
56/2, Mishina ul., Moscow, 127083
B. N. Kozeyev
Russian Federation
Boris N. Kozeyev, Chief Specialist
27, Kalanchevskaya ul., Moscow, 107078
V. V. Belikov
Russian Federation
Vladimir V. Belikov, Cand. Sci. (Military), Docent, Assistant Professor, Department of Information Security, Institute of Artificial Intelligence
78, Vernadskogo pr., Moscow, 119454
A. V. Korolkov
Russian Federation
Andrey V. Korolkov, Cand. Sci. (Eng.), Senior Researcher, Head of the Department of Information Security, Institute of Artificial Intelligence
78, Vernadskogo pr., Moscow, 119454
Supplementary files
1. Result of merging two graphs (type: research tools; 52KB)
For citations:
Legkodumov A.A., Kozeyev B.N., Belikov V.V., Korolkov A.V. Methods for analyzing the impact of software changes on objective functions and safety functions. Russian Technological Journal. 2024;12(2):7–15. https://doi.org/10.32362/2500-316X-2024-12-2-7-15