ISO/IEC/SC22/WG23 Document N0684
19 December 2016
Minutes of Meeting
JTC 1/SC 22/WG 23 Programming Language Vulnerabilities
Pre-Meeting 47 Telecon
Held 19 December 2016 2000-2200 UTC
Approval of Agenda
Approved with changes.
Next meeting 47 (23-24 Jan 2017) Logistics
At Holiday Vacation Resorts at Orange Lake, Kissimmee, FL.
Review of action items
SM – Replace N0666.docx (seems to be missing).
SM – S0001 new version appears to be in the wrong place. FIX.
Erhard – New NIST document written by Paul Black. Check out.
SM – Organize a telecon of C++ people for the development of a new C++ Part.
All – Consider what changes should be made to the document (section 4.3 How to use this document) and 6.x.5 (guidance) in a domain where the TR becomes a standard and these clauses are normative.
Items for discussion
5.1 Changing TR 24772 (all parts) to International Standard or Technical Specification
Basically, ISO insists that most of the TR’s published by JTC 1 are not Technical Reports but IS or TS. JTC 1 is beginning to transform such TR’s into IS’s or TS’s. SC 7 is republishing TR 10000-1 into an IS with updates but no format changes, without submitting an NWIP. We need to consider how we want to publish our document. I expect that this discussion will be significant in meeting 47, but initiate it here for consideration.
We discuss safety and security approaches. How this document as a standard would work in formal safety and security controlled development environments, and where such environments would be absent. We conclude that we need to attempt to craft guidance for use of the document in such environments.
We discuss the “decidability” issue – i.e. If one were to rely upon formal analysis tools, adherance to many of the rules would not be decidable, meaning that corner cases could exist that the tool would not detect.
We consider approach that we use sect 4.3 (How to use this document) to describe how to use it for higher integrity approaches.Also, how to apply the rules of 6.x.5 (and Some groups could consider the document to be normative, and some only informative. Michael suggests that we start presenting a CPPCon, etc.
CPP has suggested that we consider using the C++ Core Guidelines, available from https://github.com/isocpp/cppcoreguidelines. We will research this document for usability and suitability
AI – All review https://github.com/isocpp/cppcoreguidelines for suitability for development of C++ vulnerability descriptions.
5.2 Erhard suggests renaming 6.x.6 to “Implications for Language design and Evolution” with the lead-in saying “For Language design and evolution, the following can be considered”.
AI – Steve – do an email poll on this wording change above.
5.3 Ada (Part 2) has been delivered back from WG 9. We will discuss next steps
5.4 AI – Steve to document requested changes to Ada part in Agenda for meeting 47.
New energy for a C++ Part
Steve is organizing a C++ telecon for interested parties. The intention is that we would plan to spend some time at the April WG 23 meeting (Mtg 48) in Toronto discussion ways forward for C++ Part.
New draft of TR24772-3 (N0682)
NIST has produced a document that intersects with our work at http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8151.pdf.
Should we cite it, how do we get them on board?
AI – Steve – attempt to contact authors of the report and see if we can increase visibility and work together.
8. Close of meeting