Document ISO/IEC/JTC 1/SC 22/WG 23 N0610

Minutes of Meeting #41
ISO/IEC JTC 1/SC 22/WG 23: Programming Language Vulnerabilities
11 January 2015


Meeting Location :

Drury Inn & Suites Orlando

7301 W Sand Lake Rd,

Orlando, FL USA 32819

(407) 354-1101



Agenda

1 Opening activities

1.1 Opening Comments

1.2 Introduction of Participants/Roll Call

Stephen Michell – Convenor

Larry Wagoner

Erhard Ploedereder

Clive Pygott

David Keaton



1.3 Procedures for this Meeting

1.4 Approval of previous Minutes (meeting 40)

Minutes of Mtg 40 is N0602. Approved.

1.5 Review of actions items and resolutions, Action Item and Decision Logs

Done.

1.6 Approval of Agenda [N 0601]

1.7 Future Meeting Schedule

AI – Steve Update meeting schedule document on web site.

AI – steve – correct documents in N607 and reissue . Dates are 14 Apr @1330 – 16 Apr @ 1400.


2017

#58

TBD November 2017

In-person or Teleconference


#57

TBD October 2017

Teleconference


#56

TBD August 2017

London, UK (with SC 22 Plenary)


#55

TBD June 2017

Face-to Face, with Ada Europe


#54

TBD May 2017

Teleconference (UTC 2000, 2 hr)


#53

TBD April 2017

In-person (2 day), with WG 14, possible


#52

TBD March 2017

Teleconference (UTC 2100, 2 hr)

#51

TBD February 2017

Teleconference (UTC 2100, 2 hr)

#50

TBD January 2017

In-person, Tampa or St Petersburg, FL


2016

#49

21/11/16

Teleconference

oo

#48

11/10/16

Teleconference

#47

15-16 Sep 2016

Vienna, Austria (with SC 22 Plenary)

#46

14-15 June 2016

Face-to Face, Piza, Italy with Ada Europe

#45

16/05/16

Teleconference (UTC 2000, 2 hr)

#44

April 15-16 2016

BSI, London UK, with SC 22/WG 14

#43

07/03/16

Teleconference (UTC 2100, 2 hr)

#42

08/02/16

Teleconference (UTC 2100, 2 hr)



2. Liaison Activities

2.1 SC 22

Stephen

Nothing new to report. All actions requested from SC 22 for project split and initiation of -1, -2, and -3 were done.

2.2 PL 22 (Open)

David Keaton

PL 22 is the mirror committee of SC 22. Tom Plum has resigned as chair, but is remaining as acting chair.

2.3 PL22.3/WG5 (Fortran)

Dan Nagel

2.4 WG4 (COBOL)

Robert Karlin

2.5 WG9 (Ada)

Erhard Ploedereder

No news from Alan Burns or the convenor. Erhard to request status.

2.6 PL22.11/WG14 ©

Clive Pygott

Working on

Added a Technical Corrigendum to TS 17961 Secure C coding rules.

Expect to work on TR 24772-3 at April meeting.

2.7 PL22.16/WG21 (C++)

Patrice Roy – possible, to be determined after June WG 21 meeting.

(Stephen) WG 21 is working on the next revision and on on more than a dozen Technical Specifications.

Herb and Bjarne are working on C++ Core Guidelines, which are of interest to WG 23.

2.8 Ecma International, TC49/TG2 (C#)

2.9 Ecma International, TC39 (ECMAScript)

Stephen

2.10 MISRA ©

Steve to contact Andrew Banks, MISRA C chair

(Clive) MISRA C are adding rules to cover the C Secure Coding Rules, a TS produced by WG 14.

2.11 MISRA (C++)

Clive

2.12 SPARK

Florian

AdaCore and team are working on migrating Spark to integrate better with Ada compilers and to improve static proof technologies for Spark.

2.13 SC7/WG19 (UML)

We decide to terminate liaison with SC 7/WG 19.

AI - Stephen to converse with SC 7 chair and ask if they still want a liaison.

2.14 SC27/WG3, WG4 Security

AI – Stephen chase WG 27

2.15 Other Liaison Activities or National body reports

3. Document Review

3.1 TR 24772-1 Vulnerabilities, language independent

As required

AI – Steve – find an ISO editor to ask about bibliography references [1], [2] and [3].


AI – Steve – Look into how you do automated references to bibliography in Word, and then update Parts 1, 2 and 3 with that.


AI – Erhard [REU] Fault Tolerance – rework

AI – Erhard – RIP Inheritance – consider RIP in light of multiple inheritance.

AI – Erhard – BKK.3, Consider the issue raised in the note to BKK.3

AI – David – SHL Uncontrolled Format String – send around examples and text if appropriate.

AI – Stephen – SHL Uncontrolled format string - Consider generalizing SHL to capture the more general problem


AI – Stephen – [AMV] Type-breaking reinterpretation of data – rework the recommendations to remove excess verbage.


AI – Clive – determine references to MISRA C++ (and C) in new vulnerabilities submitted by Erhard & concurrency vulnerabilities

AI – Larry – determine references to CWE in new vulnerabilities submitted by Erhard & concurrency vulnerabilities

AI – David – determine references to CERT C in new vulnerabilities submitted by Erhard & concurrency vulnerabilities

AI – Erhard – determine references to JSF AV in new vulnerabilities submitted by Erhard & concurrency vulnerabilities

AI – Stephen – determine references to AQSD, in new vulnerabilities submitted by Erhard & concurrency vulnerabilities

AI – Erhard – research [SYM] Templates and Generics as specified by the note in SYM.3


AI – All – Review changes made to XYL Memory Leaks and Heap Fragmentation as it is a major change

AI – All – Review additions BKK, PPH, YON, and BLP.


Changes made to the document:

  1. Added new vulnerability

3.2 TR 24772-2 Ada language specific part

Waiting for a proposal from SC 22/WG 9

3.3 TR 24772-3 C language specific part

Look at material contributed by David Keaton

Consider placement of Top N avoidance mechanisms

AI – Larry and David – for TR 24772-3 consider clause 4 and propose some C language concepts for inclusion.

AI – Clive – for TR 24772-3, put references from clause 6 into section 5 recommendations

AI – all, review new section 5 and bibliography and any remaining changes in TR 24772-3.

AI – Clive – TR 24772-3, include provisions for copying structs and characters of different sizes to [FLC] conversion errors.

AI – Steve – Integrate new sections associated with new vulnerabilities, renumber and resolve references and return to Clive and David.

3.4 TR 24772-4 Python language specific part

Discuss at meeting 41

3.5 TR 24772-8 Fortran

Document [N0560] needs review.

3.6 TR 24772-X C++

Consider document [N0582] and CPP Core Guidelines, found at http://isocpp.github.io/CppCoreGuidelines/CppCoreGuidelines.html.


The CPP core guidelines, version 0.9, was examined and discussed. We agree that some of the material in the document is suitable for inclusion or reference in a TR 24772-C++. There is obviously a very different approach taken in the Core Guidelines. Efficiency,



3.7 Bibliography for each TR24772 Part

To be done for each part.

3.8 Dirty Dozen Rules for C, generic, and other languages

Strategy on how to use and incorporate such rules.

We incorporated the generic Top 10 rules into section 5.4 of Part 1. We incorporated the C-specific top 10 rules into clause 5 of Part 3. We then considered if a rearrangement of the rules in subsubclause 5 in each subclause by moving the .5 immediately after the general description. After examination of an example, we decide to put such discussions on hold.

4 Strategy (Face to face meetings only)

Discussions about making parts of the document a standard or a technical specification. There is some sentiment for this, but numerous challenges, including reworking the document(s) to move explicit guidance together to make it normative, and labelling supporting tect as informative. There would also need to be JTC 1 NWIP to change the scope of the projects. Given the amount of work to rework existing documents, such a change would happen after a republication of Part 1, Part 2, Part 3, part Fortran and possibly others.

5 Publicity (Face to face meetings only)

Possible Presentations

a) Industrial presentation to Ada Europe, June 2016 – Agree to do it.

b) London April 2016 – ACCU Meeting, April 19-23

AI – Clive, contact Derrick Jones to see if they are interested.
AI – Clive, Steve to investigate MoD and auto companies for possible fit.

c) Vienna September 2016
AI – Steve to ask Austrian Host for contacts to make a university or industrial presentation (1 hour) on the Monday.

  1. Real Time Ada Workshop position paper, April 2016
    AI – Steve to draft a small position paper (2 pages) Steve and Erhard to discuss.

  2. Safety and security circuit. - send Steve info. If anyone is attending such a conference, offer a talk and we will work up a set presentation.

  3. Larry to look into SC 7 and possibility of presentation.

6 Other Business

6.1 Review of Assignment of responsibilities


7. Resolutions and Action Items

8. Adjournment