ISO/IEC JTC 1/SC 22/WG 23 N0289
Draft Minutes: Meeting #16
ISO/IEC JTC 1/SC 22/WG 23: Programming Language Vulnerabilities
14-16 December 2010


Meeting Times:

14 December 2010: 09:00 to 12:00 and 13:30 to 17:00
15 December 2010: 09:00 to 12:00 and 13:30 to 17:00
16 December 2010: 09:00 to 12:00

Meeting Location:

The MITRE Corporation
2280 Historic Decatur Road
Suite 100
San Diego, CA 92106
1.619.758.6002

Meeting Logistics:

N0252

Local Contact information:

Jim Moore, 703-850-3019
Sherry Marti

Web/Telecon Details

Meeting ID: 06061948
Meeting Password: 06061948

TO ATTEND THE AUDIO CONFERENCE:
Dial 781-271-6338 from the Bedford, MA region.
Dial 703-983-6338 from the Washington DC region, Nationally or Internationally.

TO ATTEND THE MeetingPlace Collaboration CONFERENCE:
1. Go to: http://audioconference.mitre.org/a/bd4bb6a5541d91c93eb391d90d10ac2c
2. Click on Attend Meeting.
- Accept any security warnings you receive and wait for the Meeting Room to initialize.
3. If MeetingPlace Collaboration Window does not automatically open, press connect.

Agenda

1. Opening activities

1.1 Opening Comments (Moore, Benito)

The meeting began at approximately 9:00 am. Moore welcomed the group to The MITRE Corporation's site in San Diego.

1.2 Introduction of Participants/Roll Call

Attendees in person:

Erhard Ploedereder (WG 9), Stephen Michell (Canada HOD), Jim Moore (Secretary, US HOD), Tom Plum, John Benito (convener and editor), Bob Karlin, Beth Karlin

Attendees on phone:

Jim Johnson, Larry Wagoner, Clive Pygott (UK HOD), David Keaton

1.3 Procedures for this Meeting (Benito)

As always, anyone can speak. There are no formal votes.

1.4 Approval of previous Minutes (Moore) [N0274]

One correction was made, noting that Moore was US HOD at meeting #15. The corrected minutes were approved.

1.5 Review of previous actions items and resolutions, Action Item and Decision Logs

Several action items were closed.

1.6 Approval of Agenda [N0256]

Documents to be reviewed and the future meeting schedule were added to the agenda. The resulting agenda was approved.

1.7 Information on Future Meetings

1.7.1 Future Meeting Schedule
WG 23 #17  2011-03-23/25  Madrid, Spain  WG 23 Meeting #17 (in conjunction with WG21); logistics [N0277]
WG 23 #18  2011-06-19/20  Edinburgh, Scotland, UK  WG 23 Meeting #18 (in conjunction with WG9)
WG 23 #19  2011-09 (TBD)  Copenhagen, Denmark  WG 23 Meeting #19 (in conjunction with the SC 22 plenary meeting)

If we enter balloting prior to meeting #19, we might have to reschedule it.

There will be a meeting fee for meeting #18.

Jim Moore proposes the following venue for meeting #20:

WG 23 #20  2011-12-13/15  McLean, VA  WG 23 Meeting #20

Ploedereder noted that the meeting is scheduled for Tuesday through Thursday. He mentioned that scheduling Wednesday through Friday is more convenient for European participants because they get lower air fares for Saturday night stayover. Moore will try to shift the meeting accordingly.

1.7.2 Future Agenda Items

Note Action Item #13-07 re MISRA comments.

2. Reports on Liaison Activities

2.1 SC 22

Benito: we don't yet have the result of the ballot for the New Work Item Proposal [N0265].

Moore: JTC 1 approved WG 23's request for free availability of 24772. However, the future of free availability is currently in doubt.

2.2 PL22.3/WG5 (Fortran)

No report.

2.3 PL22.4/WG4 (COBOL)

Bob Karlin: Cobol just finished its FCD ballot. One member has expressed interest in developing a language-specific annex for 24772. Bob Karlin took action item #16-01 to follow up.

2.4 WG9 (Ada)

Ploedereder: WG9's contribution to WG23 (their draft of the language-specific annex) was published in Ada Letters.

2.5 PL22.11/WG14 (C)

Plum: Tomorrow (15 December) from 11 am to 1 pm (PT), WG14 will have a telecon of its Secure Coding Study Group. Keaton: There are many parallels between the WG14 study group and WG23. In WG14, the focus is on what an analyzer should do. David Keaton will send an agenda to Jim for distribution.

The revision of the C language is undergoing a CD ballot.

There is also a group developing a C language binding to the latest revision of IEEE 754.

2.6 PL22.16/WG21 (C++)

Plum: C++ hopes to create its FDIS draft at its March 2011 meeting.

2.7 Ecma International, TC49/TG2 (C#)

No report. We need to replace Plum as liaison for C#. The convener took Action Item #16-02 to identify a replacement.

2.8 Ecma International, TC39 (ECMAScript)

No report. The convener will try to revitalize the liaison [Action Item #16-03].

2.9 MISRA (C)

Pygott: They are still updating their document to reference the C99 standard.

2.10 MISRA (C++)

Pygott: This work is proceeding slowly because there are only a small number of users.

2.11 MISRA L (MISRA L)

Pygott doesn't know of any activity.

2.12 SPARK

Moore has advised Chapman that we won't ask for revision of the SPARK annex until the Ada annex is settled.

2.13 MDC (MUMPS)

No report.

2.14 SC7/WG19 (UML)

No report.

2.15 Other Liaison Activities or National body reports

Johnson: Jim Johnson is a colleague of Larry Wagoner. He's drafting a language annex for Ruby. Twenty or so descriptions do not apply to Ruby; the remainder will be described in the annex. So far, he hasn't found anything in the main document that needs to be revised. Wagoner predicts that the initial draft will be completed in another month or so. Johnson asked if he should use the proposed Japanese standard as the language specification; Benito said yes. Michell says that the Japanese standard will be fast-tracked into JTC 1/SC 22.

3. Document Review 

3.1 Revised baseline draft of TR edition 2 (without language annexes)

N0286 2010-10-11 Replaces [N0283] and [N0282]. Baseline working draft for preparation of Edition 2 of TR 24772 [pdf], contributed by the editor based on the results of Meeting #15.

We discuss "dead store" [WXQ]. We decide to keep the description, but to re-orient it toward "non-volatile" variables. Tom Plum prepared a proposed revision overnight [N0300], which was passed on to Beth Karlin (see next paragraph).

We go on to discuss "unused variable" [YZS]. Beth proposes that we remove the description and add a passing mention of it in "dead store" [WXQ]. Add a footnote explaining why unused variable is not a programming language vulnerability. Beth Karlin will take Tom Plum's proposed revision (see previous paragraph) and modify it to deal with this issue. [Action Item #16-04]

By email on 14 December, David Keaton submitted the following comment:

I would like to see a bullet point similar to the following added to GDL.5 (mitigation for recursion) in the base document.

The editor said that he would include the comment in the next draft.

3.2 Revised drafts of language annexes

N0287 2010-12-10 Replaces [N0276] and [N0278]. Revised draft language-specific annex for the programming language C, contributed by John Benito [docx, pdf]

N0288 2010-12-10 Replaces [N0258]. Revised draft language-specific annex for Ada, contributed by John Benito [docx, pdf]

(During the course of the following discussion, we inserted notes into [N0286], the draft of the body of the TR. The results of that are recorded as [N0301]).

We begin a side-by-side viewing of the two annexes. We collect comments inline (by using Track Changes). The results are posted as [N0295] and [N0296]. During the discussion, Wagoner suggests that we create a set of guidelines. The following were mentioned during the discussion:

We decide that inter-language calling should be a distinct vulnerability so that it is not an exceptional case in every other vulnerability description. Benito takes an action item to propose some text. [Action Item #16-05]

We consider the idea that circumventing checks (YUK) should be a distinct vulnerability. This would provide the opportunity to talk about the nature of checking systems in the various languages and how they are avoided or used. Ploedereder volunteered to write up the general vulnerability. [Action Item #16-06]

We decide to add a vulnerability concerning exception handling. This would deal with escaped exceptions, inconvenient default exception handling, difficulties in understanding propagation (propagating via the lexical structure or the dynamic structure), throwing arbitrary objects, situations where exceptions should not be permitted at all, race conditions. NZN (returning error status) should be mined for material also, leaving NZN much simpler than it currently is. Ploedereder and Bob Karlin will each write some material and we can take a look. [Action Items #16-07 and #16-08]

Ploedereder agreed to propose some sensible words for section 1 of CLL. [Action Item #16-09]

Moore took Action Item #16-12 to look at XYY in the main document and both annexes and try to tease apart two vulnerabilities: one concerning arithmetic overflow/underflow and one concerning bit and shift operations on numeric values. In both, note that unsigned and signed arithmetic present two different challenges.

Ploedereder took Action Item #16-13 to revise the Ada description of LAV based on the comments noted in [N0296].

N0291 2010-12-14 Initial draft language-specific annex for Java, contributed by Ben Brosgol [pdf]

Ben Brosgol prepared this initial document. He and Kelvin Nilsen will collaborate to complete the annex and will attempt to recruit participation of other members of the Expert Groups from the Real-Time Specification for Java (JSR-286) and the Safety-Critical Java Specification (JSR-302).

This annex is intended as an analysis of the Java language itself, but issues concerning the safety-critical subset of Java may be mentioned. He hopes to have a complete draft by the June 2011 meeting of WG23.

We thanked Brosgol for initiating this work. The markup from the discussion is saved as [N0292]. Brosgol reacted overnight to provide a revision, [N0294].

Michell commented on this sentence in Java.3.1: "This style may be appropriate in some circumstances but adds overhead and notational clumsiness and in general is not a realistic solution". He thinks that there should be an explanation of why this is not a realistic solution. There was some agreement. Bob Karlin mentioned that the word "boxing" is not generic and should be defined at the beginning of the annex. Overnight, Ben provided a revised draft [N0299] that was reviewed favorably at the meeting.

Participants are encouraged to review the result and send further comments to Brosgol.

3.3 Revised format for language annexes

N0284 2010-09-17 Replaces [N0271] Revised format for language-specific annexes [html]

We discussed the template briefly and decided to continue using it.

3.4 Proposed revision of XYQ

N0290 2010-12-13 Proposed revision of "6.26 Dead and Deactivated Code [XYQ]", contributed by David Keaton [pdf]

The markup from the discussion is saved as [N0293]. Keaton will revise the document to deal with the comments. David Keaton revised the document overnight, creating [N0297]. We marked it up again to create [N0298].

4. Other Business

4.1 Schedule for balloting the revision

We believe that after the Madrid meeting, we may have updated Ada, C, Java, Ruby and Python annexes. We will also have some new vulnerabilities in the base document. We will need a bit of time for the annexes to catch up. So, we make a plan to go to our first PDTR ballot coming out of the June meeting. The document will probably still be in ballot during the September meeting. (If we have a new work item approved by then, we can work on it during the September meeting.) We could do comment disposition meetings by phone so that a new draft could be prepared for the December 2011 meeting. Following that meeting, the second PDTR could be balloted. Similarly, we would submit a DTR after the June 2012 meeting. So we would hope to publish the second edition by January 2013. Moore took Action Item #16-11 to post a document describing the schedule.

Steve Michell noted that the next Real-Time Ada Workshop is 14-16 September 2011 in Santander, Spain. That might be an opportunity for a workshop on concurrency vulnerabilities. Steve took Action Item #16-10 to explore the subject with the organizers.

5. Resolutions

We reviewed the action items that were assigned.

John will revise the current draft document in about two weeks to pick up the changes suggested at this meeting and via email. Two versions should be produced: one with changes marked and one without. That will provide a new baseline for commenting.

6. Adjournment

The convener thanked The MITRE Corporation for hosting the meeting and adjourned at approximately 11:30 am.