ISO/IEC JTC 1/SC 22/WG 23/N 0401
Minutes: Meeting #22
ISO/IEC JTC 1/SC 22/WG 23: Programming Language Vulnerabilities
20-22 June 2012


30 July 2012: Correction: In 1.3, change "where the he" to "where he" as reported by Erhard Ploedereder.

These minutes are not final until approved at a subsequent meeting.

Meeting Times:

20 June 2012: 09:00 am to 4:30 pm (Central European Time)
21 June 2012: 09:00 am to 4:30 pm (CET)
22 June 2012: 09:00 am to 12:00 pm (CET)

Meeting Location:

N 0374

Teleconference information:

Topic: WG 23 Meeting #22
Date: Every 1 day, from Wednesday, June 20, 2012 to Friday, June 22, 2012
Time:

9:00 am Germany
8:00 am United Kingdom
3:00 am New York
12:00 am, California
9:00 pm (previous day), Hawaii

Meeting Number: 957 751 512
Meeting Password: wg23

To start or join the online meeting, go to iso_meetings

To receive a call back, provide your phone number when you join the meeting, or call the number below and enter the access code.

Switzerland toll free: 0800-894627
USA/Canada toll free: 1-855-299-5224

Having trouble dialing in? Try these backup numbers:

Call-in toll-free number (UK): 0800-051-3810
Call-in toll number (UK): +44-20-310-64804
Global call-in numbers: iso_meetings call-in numbers
Toll-free dialing restrictions: tollfree restrictions

Access code: 957 751 512

For assistance:

1. Go to iso_meetings support
2. On the left navigation bar, click "Support".
To add this meeting to your calendar program (for example Microsoft Outlook), click this link: iso_meetings to calendar

Agenda

1. Opening activities

1.1 Opening Comments (Ploedereder, Benito)

The convener was unable to attend the meeting in person because of airline problems, so our meeting is even more dispersed than originally planned.

1.2 Introduction of Participants/Roll Call

In person at the meeting site: Erhard Ploedereder (host, WG9 liaison), Larry Wagoner, Clive Pygott (UK HOD), Tatsuaki Takebe (Japan HOD).

Attending all or part of the meeting via web/telecon: John Benito (convener), Tom Plum, Jim Moore (secretary, US HOD), Steve Michell (Canada HOD), David Keaton, Kevin Coyne

1.3 Procedures for this Meeting (Benito)

The convener mentioned that this is the first time that he has run a meeting where the he is not at the meeting site. We will experiment with procedures as we progress.

1.4 Approval of previous Minutes [N0392] (Moore)

Minutes were approved as distributed.

1.5 Review of previous actions items and resolutions, Action Item and Decision Logs

Some action items were updated by the secretary prior to the meeting. The remaining open items were considered at the meeting and updated. (Subsequently, throughout the meeting, items were added to the log.)

1.6 Approval of Agenda [N0400]

The agenda was approved with the addition of the document [N0402] from the Japanese National Body in item 3.1. Additional documents were received during the meeting as the result of "homework". They were considered as shown in the minutes.

1.7 Information on Future Meetings

1.7.1 Future Meeting Schedule

2013
.        
WG23 #28 2013-12   (Will probably be an electronic meeting.)  
WG23 #27 2013-09 Tokyo, Japan WG23 meeting colocated with SC22 plenary meeting.  
WG23 #26 2013-06   Possibly colocated with WG 9 in Berlin.  
WG23 #25 2013-03   (Location has not yet been determined.)  

2012
WG23 #24 2012-12/14 Electronic meeting WG23 Meeting #24. Three hours each day, starting at 17:00 Germany; 16:00 UK; 11:00 US-east coast; 8:00 US-west coast; 6:00 US-Hawaii  
WG23 #23 2012-09-12/14 Geneva, Switzerland Colocated with SC 22 plenary meeting Logistics [N0395]. Preliminary agenda [N0354]
SC22 2012-09-10/11 Geneva, Switzerland SC 22 plenary meeting  

Regarding meeting #23: Attendees may find it less expensive to stay in France and commute to the meeting. A Webex conference will be made available. The Geneva meeting will probably be in the midst of a balloting period, so we will discuss other business there, notably the working draft on code signing.

Meeting #24 will be an all-electronic format, where we meet for three hours on each day and do homework at other times.

We don't yet have a host for meeting #25. We may have to conduct it as an electronic meeting also. Michell suggests that we meet in Washington (INCITS) or New York (ANSI) at a date adjacent to March 20-22 (when he will be in New York). ACTION ITEM 22-1[Benito]: The convener will check availability at ANSI for Meeting #25. He will schedule it in New York or Washington accordingly, at a date adjacent to 20-22 March.

John took ACTION ITEM 22-2 to close on plans to colocate meeting #26 with WG9. The conference is 10-14 June. Erhard took ACTION ITEM 22-3 to provide a logistics document. The cost would be about Euro160 per day, including room and full board. We would meet on Saturday-Monday, 8-10 June.

Meeting #27 will be at the Japanese standards organization across the street from the Tokyo Tower, colocated with SC 22.

Meeting #28 will be an electronic meeting. In the future, we will generally use electronic meetings in December.

1.7.2 Future Agenda Items

ACTION ITEM 22-04 [Benito, Moore]: Remove MUMPS and UML from future agendas.

2. Reports on Liaison Activities

2.1 SC 22

Nothing to report.

2.2 PL22.3/WG5 (Fortran)

They are meeting soon and will take a look at the Fortran Annex.

2.3 PL22.4/WG4 (COBOL)

No report.

2.4 WG9 (Ada)

Erhard reported that Ada 2012 is in the voting process at the JTC 1 level and should be published by the end of the year. The new "accelerated" process has worked well for them.WG9 is waiting to receive any comments that we might pass on as a result of PDTR balloting. Erhard told them that he thought WG23 could handle most of the comments.

2.5 PL22.11/WG14 (C)

Benito reported that the new C standard was published and is available from ANSI for $30 USD. The working group has started some study on secure coding and binding to IEEE floating point.

2.6 PL22.16/WG21 (C++)

Benito reported that the new C++ standard is also available from ANSI for $30 USD.

2.7 Ecma International, TC49/TG2 (C#)

No report.

2.8 Ecma International, TC39 (ECMAScript)

No report.

2.9 MISRA (C)

Pygott reported that MISRA is reviewing comments received on the draft of Issue 3. It might be published this year. The new MISRA standard is based on C99.

2.10 MISRA (C++)

Little has occurred for 18 months or so.

2.11 MISRA L (MISRA L) [removed from agenda]

2.12 SPARK

No report. Ploedereder reported that the WG9 HRG is willing to work on comments from the PDTR ballot.

2.13 MDC (MUMPS)

No report.

2.14 SC7/WG19 (UML)

No report.

2.15 Other Liaison Activities or National body reports

Ploedereder reported on the recent Ada-Europe conference. They will publish the Ada 2012 specification and rationale via Springer.

3. Document Review

3.1 Balloting Results, PDTR 24772, Edition 2

N0389 2012-01-20 Replaces [N0378]. Results are [N0396, N0397]. PDTR draft of 24772, Edition 2 (without change bars), contributed by editor [pdf

N0396 2012-04-26 Results of [N0389] Result of Voting on SC 22 N 4704, ISO/IEC PDTR 24772, contributed by secretary [pdf]

N0397 2012-04-28 Results of [N0389] Results of Balloting on PDTR 24772: Collated comments [pdf, xlsx], contributed by convener

N0402 2012-06-20   Comments on PDTR, contributed by Takebe-san [doc, pdf]

The result of balloting was that the PDTR [N0389] was approved [N0396]. (There were 13 approval votes and 2 additional approval votes with comments. There were no votes to disapprove.) Pygott noted that the UK panel had voted to approved, but the ballot was submitted by BSI too late to be recorded. We plan a second PDTR ballot to provide the opportunity to add additional language annexes and to provide the opportunity for additional review.

The meeeting disposed of the comments in [N0397] logging the result as [N0403]. The editor was given ACTION ITEM #22-07 to incorporate the comment disposition of [N0403] into the next balloting draft.

Re Comment 71 (JP-7): It was given a pro forma rejection but Japan was invited to write a more specific comment in the next round of balloting. The convener was given ACTION ITEM #22-8 to contact the Japan national body.

Re Comment 57 (CA-22): The WG14 Liaison was requested to examine the issue overnight and come back with a suggested change to D.18. Overnight, Benito, Plum and Keaton produced the outline of a proposal to merge XZI into FLC and provide a better explanation of alternative models for numerics [N0408]. Of course, this would induce changes to the annexes. We decided to make a pro forma rejection of CA-22. We will send the TR to the second PDTR ballot without any change in this area. During the balloting, a group, led by Keaton, will draft a complete proposal, including changes to the annexes, and circulate it. Any NB interested in making the change can reference the proposal in its ballot. The working group will consider adopting the proposal during comment disposition of the PDTR 2 ballot. ACTION ITEM #22-9 (Keaton): Lead a group in drafting a more complete proposal, based on [N0408] to merge XZI into FLC--both for the body of the document and the annexes. ACTION ITEM #22-10: Any National Body is invited to offer a comment to merge XZI into FLC during the PDTR2 ballot.

ACTION ITEM 22-11 [Benito]: Investigate providing a set of links to the language specifications of each of the languages we are considering. This would include obtaining copies of the specifications, putting them on the website with appropriate protection, and making links available.

We decide that [N0402] should be the basis of a new standing document that records the relationship between CWE and TR 24772. Benito believes that most changes in the standing document would lead to editorial changes to the TR. New vulnerabilities, however, would trigger additional analysis to determine if new vulnerability descriptions should be added to the TR. Ploedereder believes that the document should label each CWE with its relevance to the TR. Also, the document should label whether the CWE entry has been examined or not. Wagoner mentioned that CWE is now providing a "difference report" with each new version. Benito is willing to serve as the editor of the standing document if someone volunteers to perform the periodic analysis and provide him with the information. ACTION ITEM 22-12 (Benito): Prepare skeleton of Standing Document [S0005] describing the relationship of 24772 to CWE. ACTION ITEM 22-13 (All): Consider volunteering to perform periodic analysis of relationship between evolving CWE and evolving 24772 to provide content for [S0005].

On Wednesday night, this document [N0405] was received in response to some of the dispositions in [N0403]:

N0405 2012-06-21   Python Clarifications and Edits v00, contributed by Kevin Coyne [docx, pdf]

[N0405] was reviewed. Coyne was requested to revise the treatment of TRJ and resubmit the document. Overnight, he provided v03 [N0406]. ACTION ITEM 22-14 (Benito): Incorporate N0406 into the next balloting draft.

3.2 Possible PHP Annex

N0398 2012-05-20 Replaces [N0393] Draft of possible PHP annex, contributed by Kevin Coyne [pdf]

The document was discussed and marked up as [N0407]. Coyne is requested (ACTION ITEM #22-05) to update the annex and provide it to convener and secretary by 30 June so that it may be incorporated into the next ballot draft. The editor was given ACTION ITEM #22-06 to incorporate the new annex into the next balloting draft.

3.3 Revised WD 17960, Code Signing

N0399 2012-05-30 Replaces [N0394] Revised Working draft 17960, Code Signing for Source Code, contributed by editor [pdf, docx]

Wagoner revised the document based on comments at the previous meeting. The result is [N0399]. He is looking for industry practices regarding the format of saving source code. Plum believes that architectural features of the current draft might make it difficult or impossible for existing suppliers of code signing software to conform. He agrees with Wagoner that picking any specific source repository implies freezing on old products rather than new products. Moore suggested that we are interested in the problem of transporting code from one repository to another rather than protecting it while it is inside a particular repository. However, each repository would have to preserve information, such as historical provenance, that is contained in the signature. So the focus would be on metadata to be captured and protected. Attempts to remove or modify the metadata should render the code unusable. (This is metadata about the source file, not about the version control system. It's the job of the version control system to maintain the metadata along with the source file.)

4. Other Business

4.1 Promotion of WG23 Products, Steve Michell, per Action Item #21-6

Michell was unable to attend the third day of the meeting due to a family emergency. This discussion did not occur.

5. Resolutions

Moore will circulate the action items shortly after the close of the meeting.

6. Adjournment

The convener thanked our host for the meeting facility and mentioned that Webex works well for telephone meetings. He adjourned the meeting at approximately 11:30 am (time in Germany).