Document ISO/IEC/JTC 1/SC 22/WG 23 N0663

Draft Minutes Meeting #45
ISO/IEC JTC 1/SC 22/WG 23: Programming Language Vulnerabilities
14-15 June 2016


Meeting Location:

Scuola Superiore Sant'Anna,

Pisa, Italy


Meeting Times:

14-15 June 2016: 0900-1700 Central European daylight time (0700-1500 UTC)

Local Contacts:

N/A

IMPORTANT:

Agenda

1 Opening activities

1.1 Opening Comments

1.2 Introduction of Participants/Roll Call

Stephen Michell
Erhard Ploedereder
Clive Pygott (WebEx)
Tullio Vardanega
Larry Wagoner (WebEx)
Florian Schanda

1.3 Procedures for this Meeting

1.4 Approval of previous Minutes (meeting 44, document N648)

1.5 Review of actions items and resolutions, Action Item and Decision Logs

Done.

1.6 Approval of Agenda [N 0652]

Approved

1.7 Future Meeting Schedule


2017

pre-mtg-51    20/11/17                          Teleconference (UTC 2000, 2 hr)
post-mtg-50   16/10/17                          Teleconference (UTC 2000, 2 hr)
#50           17-18 August 2017                 In-person (with SC 22 Plenary)
#49           Week of 15 (12-13?) June 2017     In-person (2 day) Vienna with Ada Europe
pre-mtg-49    15/05/17                          Teleconference (UTC 2000, 2 hr)
#48           6-7 April 2017                    In-person (2 day) Toronto, Canada.
pre-mtg-48    06/03/17                          Teleconference (UTC 2100, 2 hr)
#47           23-24 January 2017                In-person (2 day), Orlando, Steve local host.

2016

pre-mtg-47    21/11/16                          Teleconference (UTC 2000, 2 hr)
post-mtg-46   11/10/16                          Teleconference (UTC 2000, 2 hr)
#46           15-16 Sep 2016                    Vienna, Austria (with SC 22 Plenary)
pre-mtg-46    15/08/16                          Teleconference (UTC 2000, 2 hr)

AI 45-01 Steve to confirm arrangements for WG 23 meeting in Vienna with Sally and local host.

AI 45-02 Tullio – Confirm meeting dates and locale availability in Vienna for 12-13 June 2017

2. Liaison Activities

2.1 SC 22

Steve – nothing to report.

2.2 PL 22 (Open)

2.3 PL22.3/WG5 (Fortran)

2.4 WG4 (COBOL)

2.5 WG9 (Ada)

Erhard – The work of WG 9 in capturing the Concurrency Vulnerabilities and doing significant rewording is reported to be complete with the document in the hands of the convenor. There will be a distribution for comment, followed by a vote of members and then the document will be returned to WG 23 before meeting 46. Joyce Tokar expressed interest in being a co-editor for TR 24772-2.

2.6 PL22.11/WG14 (C)

Clive – Nothing new to report

2.7 PL22.16/WG21 (C++)

2.8 Ecma International, TC49/TG2 (C#)

2.9 Ecma International, TC39 (ECMAScript)

2.10 MISRA ©

Clive – Latest version of MISRA C has just been published, and includes rules from the Secure C Coding Standard (ISO/IEC TS 17961).

2.11 MISRA (C++)

Clive – Working on a TC for the 2008 version. Looking at static analysis (formal verification) of C++ programs, including the inclusion of annotations in the code to help with formal verification.

2.12 SPARK

WG 9/HRG has taken responsibility for SPARK. Florian will work with WG 9 on the document.

2.13 SC7/WG19 (UML)

No report

2.14 SC27/WG3, WG4 Security

Steve - No report

2.15 Other Liaison Activities or National body reports

Stephen reports that he has been in contact with MITRE, who have expressed interest in continuing to work with WG 23.

Stephen reports that David Keaton has passed the names of CERT participants interested in Python and C++. Steve will follow up.

3. Document Review

3.1 TR 24772-1 Vulnerabilities, language independent

Document N658,

Consider adding "C should consider requiring IEC 60559 for floating-point arithmetic, rather than providing it as an option, as is the case in ISO/IEC 9899:2011 [4]" from clause 6.5.6 to Part 3 clause 7 – AI 45-03 Clive.


We examine the analysis of clause 7 by Erhard (N0662), and try to determine if we should do a major reorganization of clause 7. In following the analysis, it became apparent that we could add keywords to each vulnerability in a taxonomy of issues or weaknesses. An argument against renumbering is that it may be very unusual for users of the TR to read the document from end to end. Rather a reader may start from a dirty-dozen guideline and drill down to understand the problem.

We examine the floating point vulnerability (subclause 6.5) and make edits on the text to remove corner cases that will very rarely be reached.

We look at the order of the section 7 vulnerabilities, based on N0662 and the table it was derived from. Idea of creating a mapping from recognized security and safety concepts to put a taxonomy on the system. Larry proposes an official mapping (N???).

We decide to reorganize the section 7 vulnerabilities following N0662.

We will create section 7.2 to contain taxonomy mappings, both based on attack vectors and on effects.

AI 45-04 – Erhard – reorganize section 7 and return

AI 45-05 – Larry – Map the sect 7 vulnerabilities to the categorizations in N???.

Clause 6.44, 6.45-

AI 45-06 – Larry, check references (6.44.2) for CWE and CERT.

AI 45-07 – Steve – clause 60, 61, 62, 63 (.2) – rationalize references to academic papers, etc. At least just do the bibliography references.

AI 45-08 – Steve – Fix the cross references in Annex ???

AI 45-10 – Larry. We identify an issue that seems to be largely a C/C++ and scripting language issue: aggregate initialization and assignment of fat objects can be done with a list of values that pays no regard to the structure of the object being assigned. This issue needs a writeup and allocation to either an existing vulnerability (say 6.22 initialization) or the creation of a new vulnerability. Reference from JSF 142, 144, 145, etc.

AI 45-11 – Steve – incorporate results of N0666 into TR 24772-1. Identify places where additional writeup may be needed.

3.2 TR 24772-2 Ada language specific part

Waiting for a proposal from SC 22/WG 9

3.3 TR 24772-3 C language specific part

We review N0649. Changes to the document decided in the meeting are captured in N0665.

AI 45-12 – Clive – reorder clause 3 Terminology to make it either alphabetical or hierarchical.

Existing AI 41-17 on writing C language concepts for clause 4 is changed from David Keaton/Larry to Clive Pygott, Larry Wagoner.

3.4 TR 24772-4 Python language specific part

Document N0592.

3.5 TR 24772-5 Spark language specific part

AI 45-09 Florian to review the SPARK annex in the current TR 24772 to help develop the steps needed to update the Annex vis-à-vis the current TR by the end of July 2016.
Steve to send the current TR to Florian together with explicit guidance.
Florian to consider ways to reference or copy Ada guidance into the SPARK part, making the heritage obvious. See minutes of June 2015 meeting, N0559.

3.6 TR 24772-7 Fortran

Document [N0560] needs review.

3.7 TR 24772-X C++


3.8 Bibliography for each TR24772 Part

3.8 Dirty Dozen Rules for C, generic, and other languages

Strategy on how to use and incorporate such rules.

4 Strategy (Face to face meetings only)

Attracting new talent.

Presentations, personal communication

Larry – good strategy => interest => members

Talk to companies (tool providers) involved in program analysis about

5 Publicity (Face to face meetings only)

6 Other Business

6.1 Review of Assignment of responsibilities


7. Resolutions and Action Items

Existing AI 41-17 on writing C language concepts for clause 4 is changed from David Keaton/Larry to Clive Pygott, Larry Wagoner.

AI 45-01 Steve to confirm arrangements for WG 23 meeting in Vienna with Sally and local host.


AI 45-02 Tullio – Confirm meeting dates and locale availability in Vienna for 12-13 June 2017


AI 45-03 NULL


AI 45-04 – Erhard – reorganize section 7 and return


AI 45-05 – Larry – Map the sect 7 vulnerabilities to the categorizations in N???.

AI 45-06 – Larry, check references (6.44.2) for CWE and CERT.


AI 45-07 – Steve – clause 60, 61, 62, 63 (.2) – rationalize references to academic papers, etc. At least just do the bibliography references.


AI 45-08 – Steve – Fix the cross references in Annex A


AI 45-09 Florian to review the SPARK annex in the current TR 24772 to help develop the steps needed to update the Annex vis-à-vis the current TR by the end of July 2016.
Steve to send the current TR to Florian together with explicit guidance.
Florian to consider ways to reference or copy Ada guidance into the SPARK part, making the heritage obvious. See minutes of June 2015 meeting, N0559.


AI 45-10 – Larry. Write up the vulnerability identified with C/C++ and scripting languages, where aggregate initialization and assignment of fat objects can be done with a list of values that pays no regard to the structure of the object being assigned. Allocate it to either an existing vulnerability (say 6.22 initialization) or the creation of a new vulnerability. Reference from JSF 142, 144, 145, etc.
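The weakness recorded in AI 45-10 (and discussed under 3.1 above), as an added C example that is not part of these minutes or of TR 24772: a positional initializer list for a struct compiles whatever the field order, so a later reordering of the fields silently misassigns values, whereas C99 designated initializers bind values by name. The struct, its field names and the plausibility range check are constructed for illustration.

```c
#include <stdbool.h>

/* Constructed example: a "fat" configuration record whose fields are all
 * plain ints, so any positional list of ints is accepted by the compiler. */
struct conn_limits {
    int max_retries;
    int timeout_s;
    int max_bytes_kb;
};

/* Positional aggregate initialization: values are matched to fields by
 * position only. The writer intended a 30 s timeout and 3 retries, as in an
 * earlier layout where timeout_s was the first field; after the fields were
 * reordered the code still compiles and the values land in the wrong fields. */
struct conn_limits positional_init(void) {
    struct conn_limits l = { 30, 3, 1024 };
    return l;
}

/* Hardened form (C99 designated initializers): values bind to fields by
 * name, so reordering or inserting fields cannot shift them. */
struct conn_limits designated_init(void) {
    struct conn_limits l = {
        .timeout_s    = 30,
        .max_retries  = 3,
        .max_bytes_kb = 1024,
    };
    return l;
}

/* Whole-object assignment from a compound literal has the same hazard with a
 * positional list; the designated form is equally available there. */
void reset_limits(struct conn_limits *l) {
    *l = (struct conn_limits){ .timeout_s = 30, .max_retries = 3, .max_bytes_kb = 1024 };
}

/* Runtime plausibility check (constructed ranges) that catches the swapped
 * fields above: a retry count of 30 is out of range, so the positional result
 * is rejected while the designated one passes. */
bool limits_plausible(const struct conn_limits *l) {
    return l->max_retries >= 0 && l->max_retries <= 10
        && l->timeout_s >= 5 && l->timeout_s <= 600
        && l->max_bytes_kb > 0;
}
```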


AI 45-11 – Steve – incorporate results of N0666 into TR 24772-1. Identify places where additional writeup may be needed.


AI 45-12 – Clive – reorder clause 3 Terminology to make it either alphabetical or hierarchical.

AI 45-13 – Erhard – consider 6.37 Fault Tolerance and rewrite to eliminate concurrency aspects and to focus on vulnerabilities associated with failures, recovery and fault tolerance.

8. Adjournment

Adjourned at 1700, Wed 15 June 2016.