ISO/IEC JTC 1/SC 22/WG 23/N 0420
Minutes: Meeting #23
ISO/IEC JTC 1/SC 22/WG 23: Programming Language Vulnerabilities
12-14 September 2012


These minutes are not final until approved at a subsequent meeting.

Meeting Times:

20 June 2012: 09:00 am to 4:30 pm (Central European Time)
21 June 2012: 09:00 am to 4:30 pm (CET)
22 June 2012: 09:00 am to 12:00 pm (CET)

Meeting Location:

N 0374

Teleconference information:

Topic: WG 23 Meeting #23
Date: Every 1 day, from Wednesday, September 12, 2012 to Friday, September 14, 2012
Time:
9:00 am Germany
8:00 am United Kingdom
3:00 am New York
12:00 am, California
9:00 pm (previous day), Hawaii
Meeting Number: 950 652 945
Meeting Password: wg23

To start or join the online meeting, go to iso_meetings

To receive a call back, provide your phone number when you join the meeting, or call the number below and enter the access code.

Switzerland toll free: 0800-894627
USA/Canada toll free: 1-855-299-5224

Having trouble dialing in? Try these backup numbers:
Call-in toll-free number (UK): 0800-051-3810
Call-in toll number (UK): +44-20-310-64804
Global call-in numbers: iso_meetings call-in numbers
Toll-free dialing restrictions: tollfree restrictions

Access code: 957 751 512
For assistance:

1. Go to iso_meetings support
2. On the left navigation bar, click "Support".
To add this meeting to your calendar program (for example Microsoft Outlook), click this link: iso_meetings to calendar

Agenda

1. Opening activities

1.1 Opening Comments

1.2 Introduction of Participants/Roll Call

1.3 Procedures for this Meeting

1.4 Approval of previous Minutes

1.5 Review of actions items and resolutions, Action Item and Decision Logs

1.6 Approval of Agenda [N0414]

1.7 Information on Future Meetings

1.7.1 Future Meeting Schedule

2013

WG23 #28

2013-12

Web conference

 

WG23 #27

2013-09

Tokyo, Japan

WG23 meeting colocated with SC22 plenary meeting.

 

WG23 #26

2013-06

Berlin, DE

Colocated with WG 9, Ada Europe

 

WG23 #25

2013-03-13/15

New York, USA - ANSI

See [N0413].

 

2012

WG23 #24

2012-12-12/14

Electronic meeting

WG23 Meeting #24. Three hours each day, starting at 17:00 Germany; 16:00 UK; 11:00 US-east coast; 8:00 US-west coast; 6:00 US-Hawaii

 

WG23 #23

2012-09-12/14

Geneva, Switzerland

Colocated with SC 22 plenary meeting

Logistics [N0395
Preliminary agenda [N0354]

SC22

2012-09-10/11

Geneva, Switzerland

SC 22 plenary meeting

 



1.7.2 Future Agenda Items

2. Reports on Liaison Activities

2.1 SC 22

2.2 PL22.3/WG5 (Fortran)

2.3 PL22.4/WG4 (COBOL)

None

2.4 WG9 (Ada)

2.5 PL22.11/WG14 (C)

2.6 PL22.16/WG21 (C++)

None

2.7 Ecma International, TC49/TG2 (C#)

None

2.8 Ecma International, TC39 (ECMAScript)

2.9 MISRA (C)

2.10 MISRA (C++)

None

2.11 SPARK

None

2.12 SC7/WG19 (UML)

None

2.13 Other Liaison Activities or National body reports

3. Document Review

  1. [N0416] — Informal comments from UK
  2. [N0417] — Japan Ballot comments on 24772
  3. [N0418] — Canadian Ballot comments on 24772
  4. [N0419] — Takebe, CWE SANS 25 compared to PDTR 24772.2
  5. [N0420] — Reserved for minutes
  6. [N4021] — Reserved for ballot resolutions
  7. [N0422] – Comments from Clive Pygott regarding [N0417]
We discuss JA-?? file download. Consider the option of merging this with 7.10 Unrestricted file upload. We are concerned about the size of the changes and and the amount of change that would be added to TR 24772. The editor suggests that we accept the comments, put the editorial ones into the TR and work on adding the other comments into the next revision.
Committee formed of Takebe, Pygott, Benito to work these proposals into a form of the TR.
Comments from Willem.
JA-2 Incorrect Authorization. - Needs to be added.
Larry – Might be able to merge into 7.21 Access Control.


JA-3 Inclusion of Functionality from untrusted control sphere.
Suggest merging with 7.7 Execution or loading of untrusted code.
David notes that PHP (and possibly other web-oriented language) does “include”s from other domains, and hence this may need description in section 6.
AI 23-4 – David – distribute information on the PHP include issue for education and consideration.
JA-4 Improper restriction of excessive authentication attempts
Should be added.
Larry states that it could be added to 7.22, but may be a stretch.
Would require a rewrite of 7.22.
JA-5 URL redirection to untrusted site (open redirect)
Suggest add as a new vulnerability.
JA-?? 6 Uncontrolled format string
Suggests that this is a language issue – belongs in 6.
JA-?? 7 Use of a one-way hash without salt.
Suggests that this belongs in 7.22. Title of 7.22 may need changing.
Larry Wagoner comments [N0423] Python (as a response to UK comments [N0416])
Comment was line 50 on UK contribution.
Open, to be discussed with UK technical expert and original Python annex author.
Finish the Canadian comments. Resolution is documented in the [N0421].


4. Other Business

      4.1Temporary web site.

      For the duration of the meeting we shall use the temporary web site set up at www.open-std.org/jtc1/sc22/wg23.

      Thanks to Keld Simonsen and Willem Wakker for providing this facility.

      If you follow the link from the SC 22 page on www.open-std.org/jtc1/sc22 it takes you to the usual ieee web page.

      4.2 Code Signing IS 17960

      Current proposed of the document (still in author's hands) is fairly prescriptive in terms of file formats,etc. Concern expressed that developers of applications will not meet such an approach. Suggestion made that the actual way to interface would be implementation-defined, meaning that it must be documented.

4.3 Promotion of WG23 Products, Steve Michell, per Action Item #21-6

Promotion by speaking at events – Ada Europe, Ruby conference.
Presentation to functional safety and security experts (Japan).

Idea to ask CWE to put a reference to our document on the “related efforts”.

AI 23-5 John Benito to contact CWE to discuss inclusion of TR 24772 in CWE, CVE, etc in the related efforts pages.

5. Resolutions

Editor to incorporate the changes into the document and disposition of comments and submit to ITTF for a 3-month DTR ballot.
Thanks to IEC international, and Gabriel Barta and Jennifer Lack for their help in arranging and supporting the meeting.

6. Adjournment