ISO/IEC JTC 1/SC 22/OWGV N 0100
Approved Minutes: Meeting #6 of ISO/IEC JTC 1/SC 22/OWG: Vulnerability
1-3 October 2007, Kona, Hawaii, USA

These minutes were approved at meeting #7.

Meeting Times:

01 Oct 2007 09:00-12:00, 13:30-17:00
02 Oct 2007 09:00-12:00, 13:30-17:00
03 Oct 2007 09:00-12:00

Meeting Location:

Royal Kona Resort
75-5852 Alii Drive
Kailua-Kona, HI   96740 USA
Phone:       +1-808-329-3111 or +1-800-919-8333
FAX:         +1-808-329-9532

Meeting Information:

            Logistics information [N0096], also see Hotel reservation form [N0058]

Host:

InterNational Committee for Information Technology Standards
USA

Host Contact information:

Plum Hall, Inc.
3 Waihona Box 44610
Kamuela, HI 96743
Email: Thomas Plum

Agenda

1. Opening activities

1.1 Opening Comments (Plum, Benito)

John Benito convened the meeting at 9:10 am, Monday, 1 October.

Plum Hall provided a wireless network for the meetings. Tom Plum had to join the meeting late. He welcomed us to the meeting and checked to ensure that our facilities were satisfactory.

1.2 Introduction of Participants/Roll Call

Those attending all or part of the meeting included:

1.3 Procedures for this Meeting (Benito)

The convener briefly reviewed the procedures for the meeting, emphasizing the role of decision-making by consensus.

1.4 Approval of previous Minutes, [N0089] (Moore)

The minutes were approved.

1.5 Review of previous action items and resolutions, Action Item and Decision Logs

We reviewed the log and updated it.

1.6 Approval of Agenda [N0097]

The agenda was approved.

1.7 Information on Future Meetings.

1.7.1 Future Meeting Schedule

SC22 meets Sep 22-25. We need to meet in either the previous week or the next week.

1.7.2 Future Agenda Items
1.7.3 Future Mailings

2. Reports on Liaison Activities

2.1 SC 22

At last week's meeting, the OWGV was continued for another year with the same officers. The draft document [N0095] was registered as a PDTR.

No other reports were provided.

3. Document Review  (ADD DOCUMENTS to REVIEW HERE)

3.1 Business Plan and Convener's Report to SC22 [N0094]

The requests made by OWGV were approved at the plenary meeting of SC22.

3.2 Editor's draft 070806 of PDTR 24772 [N0095]

The most current version of the document appears on the Wiki at any given time.

3.3 [Added] Review Wagoner's submission [N0099]

We reviewed the document. Wagoner tried to perform an analysis from the safety point of view that was similar to his earlier analysis from the security point of view. It was difficult to find an empirical analysis of safety vulnerabilities. The best analysis that he could find was Les Hatton's. He tried to convert Hatton's 20 rules to a language-neutral description. Ploedereder said that some rules (e.g. rule 9) are problematic because of decidability issues. Ploedereder said that he would want some agreed wording that requires that such issues must be decidable at reasonable cost.

Wagoner then analyzed MISRA C 2004 for additional rules, as well as the JSF C++ standard and the Holzmann rules from NASA/JPL.

As we discussed the submission, the secretary made annotations to [N0099], thus creating [N0102].

Tom Plum took an action item: "Consider the practicality of a set of vulnerability descriptions related to object-oriented programming. Consider JSF C++ rules 70 thru 100, 177, 178, 179, 185, 219, as well as OOTIA." [Action Item 06-01]

4. Other Business

4.1 Discussion: Should there be a rationale document associated with TR 24772? [Action Item #05-02]

We discussed free availability of the TR. We decided to select a strategy that MITRE should provide the TR as a deliverable to the government. This would provide the rationale for free availability from ISO. The criteria for free availability are in JTC 1 N7269, SC 22 N 4114.

5. Resolutions

5.1 Review of Decisions Reached

The secretary will annotate the vulnerability database based on the results of the meeting. The convener will update the draft TR. The officers will advise participants when this is done. We would then expect individual participants to update assigned subsets of the vulnerabilities.

5.2 Formal Votes on Resolutions

None

5.3 Review of Action Items

None

5.4 Thanks to Host

We thanked our host, Tom Plum of Plum Hall.

6. Adjournment

The meeting was adjourned at approximately noon on Wednesday.