Scuola Superiore Sant'Anna,
Pisa, Italy
Meeting Times:
14-15 June 2016: 0900-1700 Central European daylight time (0700-1500 UTC)
Stephen Michell
Erhard Ploedereder
Clive Pygott (WebEx)
Tullio Vardanega
Larry Wagoner (WebEx)
Florian Schanda
Approved
| Meeting | Date | Format and location |
|---|---|---|
| 2017 | | |
| pre-mtg-51 | 20/11/17 | Teleconference (UTC 2000, 2 hr) |
| post-mtg-50 | 16/10/17 | Teleconference (UTC 2000, 2 hr) |
| #50 | 17-18 August 2017 | In-person (with SC 22 Plenary) |
| #49 | Week of 15 (12-13?) June 2017 | In-Person (2 day) Vienna with Ada Europe |
| pre-mtg-49 | 15/05/17 | Teleconference (UTC 2000, 2 hr) |
| #48 | 6-7 April 2017 | In-person (2 day) Toronto, Canada. |
| pre-mtg-48 | 06/03/17 | Teleconference (UTC 2100, 2 hr) |
| #47 | 23-24 January 2017 | In-person (2 day), Orlando, Steve local host. |
| 2016 | | |
| pre-mtg-47 | 21/11/16 | Teleconference (UTC 2000, 2 hr) |
| post-mtg-46 | 11/10/16 | Teleconference (UTC 2000, 2 hr) |
| #46 | 15-16 Sep 2016 | Vienna, Austria (with SC 22 Plenary) |
| pre-mtg-46 | 15/08/16 | Teleconference (UTC 2000, 2 hr) |
AI 45-02 Tullio – Confirm meeting dates and locale availability in Vienna for 12-13 June 2017
Steve – nothing to report.
Erhard – The work of WG 9 in capturing the Concurrency Vulnerabilities and doing significant rewording is reported to be complete with the document in the hands of the convenor. There will be a distribution for comment, followed by a vote of members and then the document will be returned to WG 23 before meeting 46. Joyce Tokar expressed interest in being a co-editor for TR 24772-2.
Clive – Nothing new to report
Clive – The latest version of MISRA C has just been published and includes rules from the Secure C Coding Standard, ISO/IEC TS 17961.
Clive – Working on a TC for the 2008 version. Looking at static analysis (formal verification) of C++ programs, including the inclusion of annotations in the code to help with formal verification.
WG 9/HRG has taken responsibility for SPARK. Florian will work with WG 9 on the document.
No report
Steve - No report
Stephen reports that he has been in contact with MITRE, who have expressed interest in continuing to work with WG 23.
Stephen reports that David Keaton has passed the names of CERT participants interested in Python and C++. Steve will follow up.
Document N658,
Consider adding “C should consider requiring IEC 60559 for floating-point arithmetic, rather than providing it as an option, as is the case in ISO/IEC 9899:2011[4].” from clause 6.5.6 to Part 3 clause 7 – AI 45-03 Clive.
We examine the analysis of clause 7 by Erhard (N0662), and try to determine whether we should do a major reorganization of clause 7. In following the analysis, it became apparent that we could add keywords to each vulnerability in a taxonomy of issues or weaknesses. An argument against renumbering is that it may be very unusual for users of the TR to read the document from end to end. Rather, a reader may start from a dirty-dozen guideline and drill down to understand the problem.
We examine the floating point vulnerability (subclause 6.5) and make edits on the text to remove corner cases that will very rarely be reached.
We look at the order of section 7 vulnerabilities, based on N-662 and the table that it was based on. Idea of creating a mapping from recognized security and safety concepts to put a taxonomy on the system. Larry proposes an official mapping (N???).
We decide to reorganize the section 7 vulnerabilities following N0662.
We will create section 7.2 to contain taxonomy mappings, both based on attack vectors and on effects.
AI 45-04 – Erhard – reorganize section 7 and return
AI 45-05 – Larry – Map the sect 7 vulnerabilities to the categorizations in N???.
Clause 6.44, 6.45-
AI 45-06 – Larry, check references (6.44.2) for CWE and CERT.
AI 45-07 – Steve – clause 60, 61, 62, 63 (.2) – rationalize references to academic papers, etc. At least just do the bibliography references.
AI 45-08 – Steve – Fix the cross references in Annex ???
AI 45-10 – Larry. We identify an issue that seems to be largely a C/C++ and scripting language issue: aggregates and assignment of fat objects can be done with a list of values that pays no regard to the structure of the object being assigned. This issue needs a writeup and allocation to either an existing vulnerability (say 6.22 initialization) or the creation of a new vulnerability. Reference from JSF 142, 144, 145, etc.
AI 45-11 – Steve – incorporate results of N0666 into TR 24772-1. Identify places where additional writeup may be needed.
Waiting for a proposal from SC 22/WG 9
We review N0649. Changes to the document decided in the meeting are captured in N0665.
AI 45-12 – Clive – reorder clause 3 Terminology to make it either alphabetical or hierarchical.
Existing AI 41-17 on writing C language concepts for clause 4 is changed from David Keaton/Larry to Clive Pygott, Larry Wagoner.
Document N0592.
AI 45-09 Florian to review the SPARK annex in current TR 24772 to help develop the steps needed to update the Annex vis-à-vis the current TR by the end of July 2016. Steve to send current TR to Florian together with explicit guidance. Florian to consider ways to reference or copy Ada guidance into the SPARK part, making the heritage obvious. See minutes of June 2015 meeting, N0559.
Document [N0560] needs review.
Strategy on how to use and incorporate such rules.
Attracting new talent.
Presentations, personal communication
Larry – good strategy => interest => members
Talk to companies (tool providers) involved in program analysis about
Existing AI 41-17 on writing C language concepts for clause 4 is changed from David Keaton/Larry to Clive Pygott, Larry Wagoner.
AI 45-01 Steve to confirm arrangements for WG 23 meeting in Vienna with Sally and local host.
AI 45-02 Tullio – Confirm meeting dates and locale availability in Vienna for 12-13 June 2017
AI 45-03 NULL
AI 45-04 – Erhard – reorganize section 7 and return
AI 45-05 – Larry – Map the sect 7 vulnerabilities to the categorizations in N???.
AI 45-06 – Larry, check references (6.44.2) for CWE and CERT.
AI 45-07 – Steve – clause 60, 61, 62, 63 (.2) – rationalize references to academic papers, etc. At least just do the bibliography references.
AI 45-08 – Steve – Fix the cross references in Annex A
AI 45-09 Florian to review the SPARK annex in current TR 24772 to help develop the steps needed to update the Annex vis-à-vis the current TR by the end of July 2016. Steve to send current TR to Florian together with explicit guidance. Florian to consider ways to reference or copy Ada guidance into the SPARK part, making the heritage obvious. See minutes of June 2015 meeting, N0559.
AI 45-10 – Larry. Write up the identified vulnerability, associated with C/C++ and scripting languages, in which aggregates and assignment of fat objects can be done with a list of values that pays no regard to the structure of the object being assigned. Allocate it to either an existing vulnerability (say 6.22 initialization) or the creation of a new vulnerability. Reference from JSF 142, 144, 145, etc.
AI 45-11 – Steve – incorporate results of N0666 into TR 24772-1. Identify places where additional writeup may be needed.
AI 45-12 – Clive – reorder clause 3 Terminology to make it either alphabetical or hierarchical.
AI 45-13 – Erhard – consider 6.37 Fault Tolerance and rewrite to eliminate concurrency aspects and to focus on vulnerabilities associated with failures, recovery and fault tolerance.
Adjourned at 1700, Wed 15 June 2016.