1 Report of Progress of ISO/IEC 24772, Programming Language Vulnerabilities, in ISO/IEC JTC 1/SC 22 John Benito, Convener Jim Moore, Secretary ISO/IEC.

Slides:

Advertisements

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

Advertisements

Software Requirements

Elements of an Effective Safety and Health Program

Chapter 7 System Models.

Copyright © 2008 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 12 Introduction to ASP.NET.

Assurance Services Independent professional services that “improve the quality of information, or its context, for decision makers” Assurance service encompass.

Introduction to Product Family Engineering. 11 Oct 2002 Ver 2.0 ©Copyright 2002 Vortex System Concepts 2 Product Family Engineering Overview Project Engineering.

For SIGAda Conference, 2005 November, Atlanta 1 A New Standards Project on Avoiding Programming Language Vulnerabilities Jim Moore Liaison Representative.

Blue Pilot Consulting, Inc. 1 A new type of Working Group used for a new SC22 Working Group OWG: Vulnerability John Benito JTC 1/SC 22 WG14.

For OWGV Meeting #1, 2006 June, Washington, DC, USA 1D Terms of Reference: ISO/IEC Project , Guidance to Avoiding Vulnerabilities in Programming.

1 OWG: Vulnerability ISO working group on Guidance for Avoiding Vulnerabilities through language selection and use John Benito, Convener Jim Moore, Secretary.

For C Language WG, 2006 March, Berlin 1 A New Standards Project on Avoiding Programming Language Vulnerabilities Jim Moore Liaison Representative from.

1 OWG: Vulnerability ISO working group on Guidance for Avoiding Vulnerabilities through language selection and use. ISO/IEC JTC 1/SC 22/ OWGV N0139.

1 ISO/IEC JTC 1/SC 22/WG 23 ISO working group on Guidance for Avoiding Vulnerabilities through language selection and use John Benito, Convener Jim Moore,

For OWGV Meeting #1, 2006 June, Washington, DC, USA 1D Conveners Remarks, Meeting #1 of ISO/IEC JTC 1/SC 22/OWG:V Jim Moore Convener, ISO/IEC JTC.

1 Formal Modeling & Verification of Messaging Framework of Simple Object Access Protocol (SOAP) Manzur Ashraf Faculty,BRAC University.

Making the System Operational

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 16 Secure Coding in Java and.NET Part 1: Fundamentals.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Configuration management

Software change management

EMS Checklist (ISO model)

1 Title I Program Evaluation Title I Technical Assistance & Networking Session May 23, 2011.

Software testing.

Main Index Contents 11 Main Index Contents Shifting blocks of elements… Shifting blocks of elements… Model of a list object… Model of a list object… Sample.

Proposal by CA Technologies, IBM, SAP, Vnomic

Checking & Corrective Action

Component-Based Software Engineering Main issues: assemble systems out of (reusable) components compatibility of components.

Digital Futures International Forum - Tuesday 18th September 1 Digital Futures International Forum The Digitisation Standard: Back & Forth Stephen Clarke.

Software Requirements

Quality Manual for Interoperability Testing Morten Bruun-Rasmussen Presented by Milan Zoric, ETSI.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 4 Slide 1 Software processes 2.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 27 Slide 1 Quality Management.

Key Stage 3 National Strategy Standards and assessment: session 3.

Pointers and Arrays Chapter 12

Chapter 11 Component-Level Design

Lesson 11 Presentation Graphics

9.2 Absolute Value Equations and Inequalities

14-1 © Prentice Hall, 2004 Chapter 14: OOSAD Implementation and Operation (Adapted) Object-Oriented Systems Analysis and Design Joey F. George, Dinesh.

© Copyright 1992–2005 by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved. Tutorial 13 – Salary Survey Application: Introducing.

1 Personal Development and Performance Review Professional Development.

* College Intern, West Virginia Wesleyan, Buckhannon, WV.

Names and Bindings.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development 2.

International Standards for Software & Systems Documentation Ralph E. Robinson R 2 Innovations.

Programming Languages Marjan Sirjani 2 2. Language Design Issues Design to Run efficiently : early languages Easy to write correctly : new languages.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation 2.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development.

TC3 Meeting in Montreal (Montreal/Secretariat)6 page 1 of 10 Structure and purpose of IEC ISO - IEC Specifications for Document Management.

ISBN Chapter 9 Subprograms. Copyright © 2006 Addison-Wesley. All rights reserved.1-2 Introduction Two fundamental abstraction facilities.

QinetiQ Proprietary AN ISO standard for high integrity software.

CSCI 5801: Software Engineering

Operator Precedence First the contents of all parentheses are evaluated beginning with the innermost set of parenthesis. Second all multiplications, divisions,

CSC3315 (Spring 2009)1 CSC 3315 Programming Languages Hamid Harroud School of Science and Engineering, Akhawayn University

Computer Security and Penetration Testing

Security - Why Bother? Your projects in this class are not likely to be used for some critical infrastructure or real-world sensitive data. Why should.

18. DECLARATIONS.

Advantage of File-oriented system: it provides useful historical information about how data are managed earlier. File-oriented systems create many problems.

CSCE 548 Integer Overflows Format String Problem.

IT Risks and Controls Revised on Content Internal Control  What is internal control?  Objectives of internal controls  Types of internal controls.

S ECURE P ROGRAMMING 6. B UFFER O VERFLOW (S TRINGS AND I NTEGERS ) P ART 2 Chih Hung Wang Reference: 1. B. Chess and J. West, Secure Programming with.

Beyond Stack Smashing: Recent Advances In Exploiting Buffer Overruns Jonathan Pincus and Brandon Baker Microsoft Researchers IEEE Security and.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.

Secure Coding Rules for C++ Copyright © 2016 Curt Hill

CMSC 345 Defensive Programming Practices from Software Engineering 6th Edition by Ian Sommerville.

Security Issues Formalization

Programming Language Vulnerabilities within the ISO/IEC Standardization Community Stephen Michell International Convenor JTC 1/SC 22 WG 23 Programming.

C++ and Programming Language Vulnerabilities

Covering CWE with Programming Languages and Tools

Presentation transcript:

1 Report of Progress of ISO/IEC 24772, Programming Language Vulnerabilities, in ISO/IEC JTC 1/SC 22 John Benito, Convener Jim Moore, Secretary ISO/IEC JTC 1/SC 22/WG 23 1 December 2008 This version of the presentation is an update of ISO/IEC JTC 1/SC 22/WG 23 N0140. ISO/IEC JTC 1/SC 22/WG 23 N 0171

22 The Problem Any programming language has constructs that are imperfectly defined, implementation dependent or difficult to use correctly. As a result, software programs sometimes execute differently than intended by the writer. In some cases, these weaknesses can be exploited by hostile parties, or can lead to failure in anticipated environments. Can compromise safety, security, privacy, dependability or other critical properties. A vulnerability in any program can be used as a springboard to make additional attacks on other programs.

33 Complicating Factors The choice of programming language for a project is not solely a technical decision and is not made solely by software engineers. Some vulnerabilities cannot be mitigated by better use of the language but require mitigation by other methods, e.g. review, static analysis.

44 Planned ISO/IEC A type III Technical Report A document containing information of a different kind from that which is normally published as an International Standard The report will not contain normative statements, but information and suggestions. Project is to work on a set of common mode failures that occur across a variety of languages However, not all vulnerabilities are common to all languages. Some are manifest themselves in different ways in different languages. Annexes to the report will describe how the vulnerabilities relate to specific languages.

55 Planned ISO/IEC (continued) No single programming language or family of programming languages is to be singled out As many programming languages as possible should be involved Need not be just the languages defined by ISO Standards

66 Audience Safety: those developing, qualifying, or maintaining a system where it is critical to prevent behaviour that might lead to loss of human life or human injury, or damage to the environment. Security: those developing, qualifying, or maintaining a system where it is critical to exhibit security properties of confidentiality, integrity, and availability. Mission-Critical: those developing, qualifying, or maintaining a system where it is critical to prevent behaviour that might lead to property loss or damage, or economic loss or damage. Modeling and Simulation: those who are primarily experts in areas other than programming but need to use computation as part of their work [and who] require high confidence in the applications they write and use.

77 Approach to Identifying Vulnerabilities Empirical approach: Observe the vulnerabilities that occur in the wild and describe them, e.g. buffer overrun, execution of unvalidated remote content Analytical approach: Identify potential vulnerabilities through analysis of programming languages This just might help in identifying tomorrows vulnerabilities.

88 Desired Outcomes Provide guidance to users of programming languages that: Assists them in improving the predictability of the execution of their software even in the presence of an attacker Informs their selection of an appropriate programming language for their job Provide feedback to programming language standardization groups, resulting in the improvement of programming language standards.

99 WG 23 Participants National Bodies Canada Germany Italy Japan France United Kingdom USA Other Groups RT/SC Java MISRA C/C++ CERT Language Standards Groups SC 22/WG 9 SC 22/WG14 SC 22/WG 5, INCITS J3 (Fortran) SC 22/WG 4, INCITS J4 (Cobol) MDC (Mumps) ECMA (C#, C++CLI)

10 WG 23 (Vulnerabilities) Progress Organization: Project was originally assigned to a temporary group, an other working group called OWGV. In September 2008, SC 22 created WG 23 to continue the work Meetings: reflector, Wiki and Web site are used during and between meetings Nine meetings have been held, hosted by six national bodies. Meetings planned through 2009 Progress through standards process: Working Group Level Working Draft (WD) – several of them Parent (SC 22) Level PDTR registration PDTR ballot - repeated until consensus is obtained, typically two or three times Management (JTC 1) Level DTR Ballot Publication by ISO/IEC (Planned in 2009) More information:

11 Outline of Current Draft Scope References Terms and Definitions Vulnerability Issues Programming Language Vulnerabilities (Currently 48 of them) Application Vulnerabilities (Currently 18 of them, selected because of relationship to languages)

12 Vulnerability Template The major portion of Technical Report describes vulnerabilities in a generic manner, including: Brief description of application vulnerability Cross-reference to enumerations and other classifications, e.g. CWE Description of failure mechanism, i.e. how coding problem relates to application vulnerability Applicable language characteristics Avoiding or mitigating the vulnerability Implications for standardization Annexes will provide language-specific treatments of each vulnerability. The following slides provide an example.

13 Example Description 6.17 Boundary Beginning Violation [XYX] Description of application vulnerability A buffer underwrite condition occurs when an array is indexed outside its lower bounds, or pointer arithmetic results in an access to storage that occurs before the beginning of the intended object Cross reference [Cross references to CWE, JSF, MISRA, CERT, etc.]

14 Continued… Mechanism of failure There are several kinds of failures (in some cases an exception may be raised if the accessed location is outside of some permitted range): A read access will return a value that has no relationship to the intended value, e.g., the value of another variable or uninitialized storage. An out-of-bounds read access may be used to obtain information that is intended to be confidential. A write access will not result in the intended value being updated and may result in the value of an unrelated object (that happens to exist at the given storage location) being modified. When the array has been allocated storage on the stack an out-of- bounds write access may modify internal runtime housekeeping information (e.g., a functions return address) which might change a programs control flow.

15 Continued… Applicable language characteristics This vulnerability description is intended to be applicable to languages with the following characteristics: Languages that do not detect and prevent an array being accessed outside of its declared bounds. Languages that do not automatically allocate storage when accessing an array element for which storage has not already been allocated.

16 Continued… Avoiding the vulnerability or mitigating its effects Software developers can avoid the vulnerability or mitigate its ill effects in the following ways:. Use of implementation provided functionality to automatically check array element accesses and prevent out-of-bounds accesses. Use of static analysis to verify that all array accesses are within the permitted bounds. Such analysis may require that source code contain certain kinds of information, e.g., that the bounds of all declared arrays be explicitly specified, or that pre- and post-conditions be specified. Sanity checks should be performed on all calculated expressions used as an array index or for pointer arithmetic. Some guideline documents recommend only using variables having an unsigned type when indexing an array, on the basis that an unsigned type can never be negative. This recommendation simply converts an indexing underflow to an indexing overflow because the value of the variable will wrap to a large positive value rather than a negative one. Also some language support arrays whose lower bound is greater than zero, so an index can be positive and be less than the lower bound. In the past the implementation of array bound checking has sometimes incurred what has been considered to be a high runtime overhead (often because unnecessary checks were performed). It is now practical for translators to perform sophisticated analysis that significantly reduces the runtime overhead (because runtime checks are only made when it cannot be shown statically that no bound violations can occur).

17 Continued… Implications for standardization Languages that use pointer types should consider specifying a standard for a pointer type that would enable array bounds checking, if such a pointer is not already in the standard Bibliography [None]