IBSI London
389 Chiswick High Road
London, UK
Meeting Times: 0900-1700
16-17 August 2017: 0900-1700 Eastern Standard Time (1400-2200 UTC)
Meeting commenced at 0900 UK Summer time 16 Aug 2017.
Stephen Michell (Convenor)
Erhard Ploedereder (Ada Europe, WG 9)
Chris Szalwinski (Canada, WG 21)
Michael Wong (Canada, WG 21)
Haibo Li (China)
Miao Zong Li (China)
Clive Pygott (United Kingdom, MISRA, WG 14)
David Keaton (WG 9 Convenor, US)
Ulrich Neumerkel (Austria)
Keld Simonsen (Denmark)
Yong Woo Lee (Korea)
Haesun Jung (China)
Cheolsang Yoon (China)
Accepted.
2018
Pre-mtg 56 | 01/11/18
#55 | 12-14/09/18 | Toronto, Ontario, Canada
#54 | 15-16/06/18 | With WG 9 and Ada Europe | Possible alternate dates 17-18 or 22-23. Do a doodle poll.
Pre-mtg-54 | Teleconference
#53 | 26-27 April 2018 | Brno, Czech Republic
Pre-mtg 53 | TBD March 2018
#52 | 22-23 January 2018 | Phoenix, AZ
2017
pre-mtg-52 | 11/12/17 | Teleconference (UTC 2000, 2 hr)
#51 | 6-7 Nov 2017 | Albuquerque, NM with SC 21
post-mtg-50 | 16/10/17 | Teleconference (UTC 2000, 2 hr)
AI – 50-05 – outreach to COBOL (C Tandy, IBM) about a Part 11.
Stephen met with WG 21/SG 12, who have renamed to include Vulnerabilities. They are working with us to define a documentation process.
Working to develop guidelines for C11. Looking towards publication in 2018.
Working to develop guidelines for C++14. Looking towards publication in 2019.
No report
Discussion of WG 21 Liaison activities. Stephen met with WG 21 in Toronto in July 2017. WG 21 has amended the scope of SG 12 to include vulnerabilities. Michael Wong reported on C++ issues and ways of working together. We agree to co-locate some future joint meetings with WG 21 if possible.
Latest version of TR 24772-1
Include AI 47-08
We review N07??, in particular clause 6.64. AI 50-6 Clive Pygott: Change the title to “Malformed format strings”. Rewrite 6.64 to cover mistakes as well as tainted input, and to reflect that the vulnerability is associated with the interpretation of format strings at run time.
We move a new vulnerability on constantness (N0737) into clause 8 of TR 24772-1 (now N0742).
50.3.3 TR 24772-6 Spark
Latest version of TR 24772-3 C
We review N073?. Changes made are reflected in N074?.
Document N0592.
Latest version of TR 24772-8.
Discussions of document N0691 or later version.
We look at the C++ Core Guidelines.
Use enumeration vulnerability in 6.5 as a sample case.
AI 50-06 – Chris Szalwinski, Clive Pygott, Michael Wong – Take the results of N0741, explicitly clause 6.5, and rework other sample vulnerabilities following this format.
Review how the rules are incorporated into Part 1 and Part 3. Consider the generic rules for other Parts.
We review N0735, which provides a collection of coding guidelines that may evolve into a standard. We discuss process vs product evaluation.
There is general agreement that the list of rules provided is a good start, but there will be significant discussion on the order, completeness, and inclusion/exclusion. Significant context also needs to be added to wrap the rules.
We discuss where such a document could be placed. One view is that this would be IS 24772, and that TR 24772-1 and beyond are supporting documents that support the sale of the standard. The other view is that a new project should adopt another number. There was more support for such an IS being the parent (i.e. IS 24772).
AI 50-07 – SM – Find out from SC 22 secretary and/or ITTF any restrictions on part numbering (i.e., ability to have XXX and XX-1, -2, etc).
AI 50-08 – All – Review N0735 and recommend text and structure that may be needed to make this a standard that would be valuable to the community.
50.3.11 Guidance to Language Designers
We discuss document N0727, which is a suggested list of guidance to language designers based on vulnerabilities identified in TR 24772-1. There was general agreement that such recommendations would not be well received as a stand-alone document. We discuss potential placement in clause 5. We discuss explicit guidance, and alternative approaches or wording. There is general agreement that this could become the basis of clause 5.X.
AI 50-09 Larry Wagoner – reproduce N0727 as one or more tables for inclusion in TR 24772-1 in clause 5.
Suggestion – look into domain-specific areas: finance, embedded, automotive, nuclear.
AI 50-02 – VOID
AI – 50-04 – Steve - outreach to COBOL (C Tandy, IBM) about a Part 11.
AI 50-05 – Chris Szalwinski, Clive Pygott, Michael Wong – Take the results of N0741, explicitly clause 6.5, and rework other sample vulnerabilities following this format.
AI 50-06 – SM – Determine with SC 22 secretary and/or ITTF any restrictions on part numbering (i.e., ability to have XXX and XX-1, -2, etc).
AI 50-07 – All – Review N0735 and recommend text and structure that may be needed to make this a standard that would be valuable to the community.
AI 50-8 Larry Wagoner – reproduce N0727 as one or more tables for inclusion in TR 24772-1 in clause 5.
Adjourned at 1600 on 17 August 2017.