These minutes were approved at Meeting #10, 15 April 2009
- 29 September 2008: 09:00 to 12:00 and 13:30 to 17:00
- 30 September 2008: 09:00 to 12:00 and 13:30 to 17:00
- 01 October 2008: 09:00 to 12:00
University of Stuttgart
Universitaetsstr. 38
Room 1.212
Stuttgart, DE
Meeting place is University of Stuttgart, Universitaetsstr. 38, Room 1.212, Stuttgart. The campus is in a suburb called Vaihingen (do not use this name unfiltered for navigation; you'll end up in the wrong place).
Closest airport is STR (Stuttgart). From the US, direct flights on Delta go there from Atlanta; everything else from the US connects somewhere. From within Europe, STR is your choice. The meeting place is a 15-minute metro ride from the airport.
The other decent airport is FRA (Frankfurt). It connects by high-speed train to Stuttgart. Some trains even count as flights and are sold by Lufthansa. (If not cheaply added, this leg is better paid directly to the train system, since not all trains are flights and you do not need reservations. The regular one-way fare is 54 Euro, 2nd class.) The trains run every 30-60 minutes depending on time of day. The ride takes about 70 minutes; the main train station in Stuttgart is a 12-minute metro ride from the meeting place. Flights connecting through Frankfurt may have a long connection time; there just are not many flights because of the trains.
- University of Stuttgart
- Germany
Erhard Ploedereder
1.1 Opening Comments (Ploedereder, Benito)
The meeting was convened by John Benito at 9:19. Our host, Erhard Ploedereder, described the meeting facilities.
1.2 Introduction of Participants/Roll Call
The following persons attended the meeting:
- John Benito (Convener)
- Derek Jones (UK)
- Stephen Michell (Canada)
- James Moore (US)
- Dan Nagle (US)
- Erhard Ploedereder (WG9)
- Clive Pygott (UK, MISRA)
- Larry Wagoner (invited expert)
1.3 Procedures for this Meeting (Benito)
This is the first meeting of WG23 (see 2.1). The change in the status of the group requires some greater formality. For example, it will be necessary for national bodies to send in delegation lists.
We agreed to move all of the existing documents to WG23 with the same document numbers and to continue numbering the meetings in the same series of numbers. The Secretary will implement appropriate changes in the website.
1.4 Approval of previous Minutes [N0128] (Moore)
[For information: N0136 summarizes the Results of OWGV Editorial Meeting, 30 June to 02 July 2008.]
The minutes of meeting #8 were approved.
1.5 Review of previous actions items and resolutions, Action Item and Decision Logs
The action item log was reviewed and updated.
1.6 Approval of Agenda [N0147]
The agenda was approved with changes. They are marked in place in red.
1.7 Information on Future Meetings
1.7.1 Future Meeting Schedule
- San Diego, CA, USA, 13-20 April 2009 (Tentative)
This discussion was postponed to the end of the meeting so that the up-to-date status of the document could be considered. The plan is to meet with SC22 in Delft, Netherlands. Italy and Canada have volunteered to host meetings. Possibilities in Canada include Banff, Calgary, Ottawa and Toronto.
The following schedule was decided:
- 9 December 2008: Jim Moore will host an editing meeting via web/telecon. Invitees are Benito, Moore, Pygott and Wagoner. The intention is to study additions to the PDTR.
- 15-17 April 2009, San Diego, CA, USA (Jim Moore will host)
- 13-15 July 2009, Ottawa or Toronto, CA (Steve Michell will host)
- Early September 2009, Delft, Netherlands (Willem Wakker will host)
1.7.2 Future Agenda Items
- At the December 2008 editors' meeting, consider adding descriptions DTK, PUS, NSQ, and SLH, resulting from consideration at Meeting #9 of [N0164].
1.7.3 Future Mailings
- Post meeting mailing: 29 October
- Pre meeting mailing: TBD
2.1 SC 22
N0137 2008-07-29 Business Plan and Convener's Report, ISO/IEC JTC 1/SC 22/OWG:Vulnerability, 2008-07-11, contributed by John Benito
John Benito reported: In the resolutions [N0154] from its recent plenary meeting, SC22 approved the creation of WG23, Programming Language Vulnerabilities, to take up the work of the OWGV. John Benito was named as convener. There will be a call for additional countries to participate in the WG:
Resolution 08-03: Establishment of JTC 1/SC 22/WG 23, Programming Language Vulnerabilities
JTC 1/SC 22, noting that
- the JTC 1/SC 22 Other Working Group on Vulnerabilities (OWG-V) has been in existence since 2006; and
- OWG-V is responsible for the development and maintenance of ISO/IEC TR 24772, Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use
establishes JTC 1/SC 22/WG 23, Programming Language Vulnerabilities.
JTC 1/SC 22 appoints Mr. John Benito (US) as Convener.
The scope of this Working Group is to address any issues related to programming language vulnerabilities. Development and maintenance of ISO/IEC TR 24772, Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use, is assigned to this Working Group.
The following JTC 1/SC 22 members have agreed to participate in this Working Group: Canada, Italy, Japan, the Netherlands, the United Kingdom and the United States. JTC 1/SC 22 instructs its Secretary to issue a three-month call for additional members.
Liaisons established between the former OWG-V and any other Working Groups and organizations shall be carried forward.
The title of the document was changed accordingly in the Programme of Work to Programming Language Vulnerabilities.
SC22 has a new chair, Rex Jaeschke. WG21 (C++) has a new convener, P. J. Plauger.
A representative of the Ruby community attended the SC22 plenary as a part of the Japanese delegation. He may join WG23.
The convener of WG17 (Prolog) has asked to be added as the WG17 liaison to OWGV.
2.2 J3/WG5 (Fortran)
Dan Nagle reported: The recent meeting of J3 reviewed his draft of a Fortran annex [N0145] for two hours. The Fortran standard editor was unable to attend the review and provided comments [N0149], although lacking the background provided by the review. The committee seems generally supportive of the annex. Some vendors are concerned that they might have to detect additional conditions at compile time; this can be viewed as an advantage or a disadvantage.
Nagle will report to WG5 and hopes to get a supportive resolution from their meeting in November. WG23 may have to be very tactful in describing recommendations for improvement to the language.
Erhard suggested that each language-specific annex should explain the language-specific terminology related to the general terminology described in the body of the TR. We should add this to the template.
2.3 J4/WG4 (COBOL)
No report
2.4 WG9 (Ada)
N0140 2008-07-29 Presentation made by Jim Moore to ISO/IEC JTC 1/SC 22/WG 9 with slide added to record discussion, 2006-08
Moore reported on the results of discussions with WG9 following his presentation in June 2008. (The discussion is summarized on the final page of [N0140].) Erhard Ploedereder emphasized the point that WG9 is concerned that adding language-specific annexes late in the process will run up against reluctance to change the main body of the TR accordingly. After discussing the issue, WG23 resolved that all comments resulting from the PDTR ballot will be carefully considered and comments will not be rejected solely on the grounds that the existing text is "insufficiently wrong". WG23 will welcome drafts of language-specific annexes, as well as comments on the body resulting from drafting of the annexes, prepared during the PDTR ballot and thereafter as the document moves through technical balloting at the SC22 level.
2.5 J11/WG14 (C)
John Benito reported: WG14's current documents are in the final stages of approval; they have no open defects; and all of the WG's effort is being focused on their language revision. The biggest change is a memory model that supports concurrency. We anticipate that WG14 will draft a language-specific annex but, perhaps, not as quickly as the Fortran and Ada working groups.
2.6 J16/WG21 (C++)
John Benito reported: WG21 voted out a draft at their recent meeting; it will go to CD ballot shortly. It is a huge document containing many additions to the language. They have adopted all of the C99 changes as well as one of the Technical Reports on extended character types. They pulled back two work items for TRs because of heavy workload.
Derek Jones pointed out that because we don't have object-oriented vulnerabilities, it is likely, at the moment, that the language-specific annex for C++ will look a lot like the C annex.
2.7 ECMA TC39/TG2 (C#)
No report
2.8 MISRA (C)
Clive Pygott reported: This group is now looking at C99 as a possible basis for MISRA C version 3.
2.9 MISRA (C++)
MISRA C++ was published. There is a forum for collecting comments from users.
2.10 SPARK
No report, but Praxis Critical Systems has indicated interest in contributing an annex.
2.11 MDC (MUMPS)
No report
2.12 SC7/WG19 (UML)
No report
2.13 Other Liaison Activities or National body reports
N0139 2008-07-29 Presentation made by John Benito to Military & Aerospace Electronics Forum, 2008-04
There was interest in the presentation and in encouraging tool vendors to take up the work.
3.1 Editor's draft of PDTR 24772
N0138 2008-08-20 Replaces [N0134]. Editor's draft of PDTR 24772, prepared by John Benito, with a spreadsheet for providing comments.
N0146 2008-09-10 References [N0138]. Consolidated comments on [N0138], as of the date issued. It includes comments from Jones and Pygott.
The agenda was changed to substitute a later consolidation of the comments [N0148].
All of the comments were considered in the meeting. Their disposition is recorded in [N0159]. In some cases, dispositions are recorded in other documents as noted below.
3.2 New vulnerability descriptions
N0143 2008-08-26 New Vulnerability Descriptions Proposed by J3 (Fortran), contributed by Dan Nagle
[N0143] was revised and logged as [N0164] with the following results:
- ACTION: Jim Moore. Revise CSJ as follows: add to CSJ the problem that arises if an out parameter (using call by result) is never assigned by the called subprogram. This acts like an uninitialized variable, and it is difficult to see that the variable is not initialized.
- ACTION: Jim Moore. Revise IHN as follows: add to the description of IHN that using a subtype that is too small, or a subtype with inadequate precision, might provide surprising results, particularly in array indexing, or in numerical calculations where the number of calculations increases as a power of the problem size.
- ACTION: Jim Moore. Write a new description, DTK, based in part on the draft in [N0164]. Generalize it to deal with magic values and the ways that languages can deal with them. (Mention databases.) Put it in Clause 6 and note that the issues are often application issues but the solution is often language dependent. Mention that magic values should be outside the range permitted for the data values and mention that some languages lack the expressibility to ensure this. Moore took the action item to provide the revised description. It will be considered for inclusion at the Dec 2008 editors' meeting.
- ACTION: Dan Nagle. Make any desired changes to the draft in [N0164] of PUS for consideration at the Dec 2008 editors' meeting.
- ACTION: Dan Nagle. Make any desired changes to the draft in [N0164] of NSQ for consideration at the Dec 2008 editors' meeting. Focus on the idea that prototypes are always needed.
- ACTION: Erhard Ploedereder. Based, in part, on the draft of NSQ in [N0164], write a new description, SLH, for Clause 7 that involves verifying that you are actually calling the library that you intend to call. (Digital signing can be useful.) It will be considered for inclusion at the Dec 2008 editors' meeting.
Note that new descriptions will not be incorporated into the draft for the first PDTR ballot because they are not yet mature. They will be considered again at the December editors' telecon.
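To illustrate the CSJ and DTK points in the action items above, here is an added C example, written for these minutes and not taken from [N0164] or the TR. The user table and the "stale" value 0x7EAD are constructed; the stale value stands in for whatever an uninitialized local happened to contain, so the effect is deterministic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample table (not from the minutes). Note that carol's id is 0,
 * so 0 cannot double as a "not found" marker without colliding with real
 * data: that is the in-range magic value the DTK item warns about. */
struct user { const char *name; int id; };
static const struct user USERS[] = { {"alice", 7}, {"bob", 42}, {"carol", 0} };
static const size_t NUSERS = sizeof USERS / sizeof USERS[0];

/* CSJ as described: the out parameter is written only on the success path.
 * On a miss the caller's variable keeps whatever it held before, behaving
 * exactly like an uninitialized variable, and nothing at the call site
 * reveals that no assignment happened. */
void lookup_unsafe(const char *name, int *out_id)
{
    for (size_t i = 0; i < NUSERS; i++) {
        if (strcmp(USERS[i].name, name) == 0) {
            *out_id = USERS[i].id;
            return;
        }
    }
    /* not found: *out_id deliberately left untouched */
}

/* Hardened form: every path assigns the out parameter, and success is
 * reported through an explicit status instead of a magic id value, so the
 * caller can neither read a stale result nor confuse "missing" with carol. */
bool lookup_safe(const char *name, int *out_id)
{
    *out_id = 0;                      /* defined value on every path */
    for (size_t i = 0; i < NUSERS; i++) {
        if (strcmp(USERS[i].name, name) == 0) {
            *out_id = USERS[i].id;
            return true;
        }
    }
    return false;                     /* miss is visible at the call site */
}

/* Caller whose local already holds stale content (stand-in for an
 * uninitialized stack slot). With lookup_unsafe a miss returns 0x7EAD
 * as if it were a valid id; nothing signals the failure. */
int caller_unsafe(const char *name)
{
    int id = 0x7EAD;                  /* constructed "stale" content */
    lookup_unsafe(name, &id);
    return id;
}
```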
The agenda was changed to add Larry Wagoner's proposed rewrites of section 6.18 [N0150], section 7.10 [N0151], and section 7.13 [N0152].
[N0150] was revised as [N0158] and accepted as a rewrite of 6.18. [N0151] was revised as [N0162] and accepted as a rewrite of 7.10. [N0152] was revised as [N0163] and accepted as a rewrite of 7.13. These will appear in the draft for the first PDTR ballot.
3.3 Language specific annexes
N0145 2008-09-05 Draft of language-specific annex for Fortran, contributed by Dan Nagle
N0144 2008-09-05 Proposed template for language specific annexes, contributed by Larry Wagoner
The agenda was changed to add [N0149], comments on [N0145] from the editor of the Fortran standard.
[N0144] was revised and logged as [N0165].
ACTION: Dan will revise his proposal [N0145] to deal with comments from the Fortran editor [N0149] and the revised template for language-specific annexes [N0165] and will submit it to WG5. Ultimately, it will be sent back to us for inclusion in the TR.
ACTION: John and Dan will collaborate on a description of the logistics for handing annexes back and forth and dealing with comments with the goal that the language committee retains control over the technical content.
3.4 Documents received during meeting
The agenda was changed to consider -- as time permits -- contributions received during the course of the meeting.
N0155 2008-09-30 Proposed vulnerability description "Concurrency [CGW]," contributed by Steve Michell
N0156 2008-09-30 Proposed revision of "6.20 Buffer Overflow [XZB]," contributed by Erhard Ploedereder
N0157 2008-09-30 Proposed revision of "6.17 Unchecked Pointer Arithmetic in Buffer Access (XYX)", contributed by Erhard Ploedereder
[N0157] was revised and accepted as [N0160] for inclusion in the PDTR.
[N0156] was revised and accepted as [N0161] for inclusion in the PDTR.
[N0155] was considered and Steve took notes regarding possible improvements. ACTION: Steve Michell. Revise and resubmit [N0155] to deal with issues raised during discussion at Meeting #9.
The agenda was changed to include a discussion of how to move forward after this meeting.
We reaffirmed the schedule in [N0130]. Action items needed for the ballot are due by 6 October, but we will *not* include brand new descriptions in the document. There will be an editor's rationale explaining that the document is open to additional material.
The PDTR ballot will also be distributed to SC22 working groups with a request for their comments.
We discussed future meetings:
- MITRE will host a web/telecon on Tuesday, 9 December for the editors (Larry, Clive, Jim and John) to consider new material, notably new descriptions.
- Schedule the San Diego meeting for 15-17 April 2009.
- Schedule Canada meeting for week of 13-15 July 2009 in Ottawa or Toronto.
The intention is to do another PDTR ballot after the April 2009 meeting.
The July 2009 meeting would look at language annexes.
ACTION: Jim Moore. Update [N0130] in light of previous decisions and relog it.
5.1 Review of Decisions Reached
WG23 resolved that all comments resulting from the PDTR ballot will be carefully considered and comments will not be rejected solely on the grounds that the existing text is "insufficiently wrong". WG23 will welcome drafts of language-specific annexes, as well as comments on the body resulting from drafting of the annexes, prepared during the PDTR ballot and thereafter as the document moves through technical balloting at the SC22 level.
5.2 Review of Action Items
- ACTION: John Benito and Dan Nagle. Collaborate on a description of the logistics for handing annexes back and forth and dealing with comments with the goal that the language committee retains control over the technical content.
- ACTION: Steve Michell. Revise and resubmit [N0155] to deal with issues raised during discussion at Meeting #9.
- ACTION: Steve Michell. Re comment DMJ 5 of [N0159], propose a revision to more strongly differentiate between 6.19 and 6.20 of [N0138].
- ACTION: Jim Moore. Revise CSJ as follows: add to CSJ the problem that arises if an out parameter (using call by result) is never assigned by the called subprogram. This acts like an uninitialized variable, and it is difficult to see that the variable is not initialized.
- ACTION: Jim Moore. Revise IHN as follows: add to the description of IHN that using a subtype that is too small, or a subtype with inadequate precision, might provide surprising results, particularly in array indexing, or in numerical calculations where the number of calculations increases as a power of the problem size.
- ACTION: Jim Moore. Write a new description, DTK, based in part on the draft in [N0164]. Generalize it to deal with magic values and the ways that languages can deal with them. (Mention databases.) Put it in Clause 6 and note that the issues are often application issues but the solution is often language dependent. Mention that magic values should be outside the range permitted for the data values and mention that some languages lack the expressibility to ensure this. Moore took the action item to provide the revised description. It will be considered for inclusion at the Dec 2008 editors' meeting.
- ACTION: Jim Moore. Update [N0130] in light of new meeting schedule and relog it.
- ACTION: Dan Nagle. Make any desired changes to the draft in [N0164] of PUS for consideration at the Dec 2008 editors' meeting.
- ACTION: Dan Nagle. Make any desired changes to the draft in [N0164] of NSQ for consideration at the Dec 2008 editors' meeting. Focus on the idea that prototypes are always needed.
- ACTION: Dan Nagle. Revise his proposal [N0145] to deal with comments from the Fortran editor [N0149] and the revised template for language-specific annexes [N0165] and submit it to WG5. Ultimately, it will be sent back to us for inclusion in the TR.
- ACTION: Erhard Ploedereder. Based, in part, on the draft of NSQ in [N0164], write a new description, SLH, for Clause 7 that involves verifying that you are actually calling the library that you intend to call. (Digital signing can be useful.) It will be considered for inclusion at the Dec 2008 editors' meeting.
- ACTION: Clive Pygott. Write a new vulnerability description on incomplete library specifications.
- ACTION: Larry Wagoner. Re comment CHP 36 of [N0159], propose a revision to 6.32.
5.3 Thanks to Host
We enthusiastically thanked Erhard and his staff for the fine meeting facilities.
The meeting adjourned at 13:02.