Document ISO/IEC/JTC 1/SC 22/WG 23 N0739

Minutes of Meeting #50
ISO/IEC JTC 1/SC 22/WG23
16-17 August 2017


Meeting Location:

IBSI London
389 Chiswick High Road
London, UK


Meeting Times: 0900-1700

16-17 August 2017: 0900-1700 Eastern Standard Time (1400-2200 UTC)

Agenda

50.1 Opening activities

50.1.1 Opening Comments

Meeting commenced at 0900 UK Summer time 16 Aug 2017.

50.1.2 Introduction of Participants/Roll Call

Stephen Michell (Convenor)

Erhard Ploedereder (Ada Europe, WG 9)

Chris Szalwinski (Canada, WG 21)

Michael Wong (Canada, WG 21)

Haibo Li (China)

Miao Zong Li (China)

Clive Pygott (United Kingdom, MISRA, WG 14)

David Keaton (WG 9 Convenor, US)

Ulrich Neumerkel (Austria)

Keld Simonsen (Denmark)

Yong Woo Lee (Korea)

Haesun Jung (China)

Cheolsang Yoon (China)

50.1.3 Procedures for this Meeting

50.1.4 Approval of previous Minutes (meeting 48, 49, pre-mtg-49-document, pre-meeting-50 N703, N714, N716, 732)

Accepted.

50.1.5 Review of action items and resolutions, Action Item and Decision Logs

50.1.6 Approval of Agenda [N 0680]

50.1.7 Future Meeting Schedule


2018

Pre-mtg 56: 01/11/18

#55: 12-14/09/18, Toronto, Ontario, Canada

#54: 15-16/06/18, with WG 9 and Ada Europe. Possible alternate dates 17-18 or 22-23. Do a doodle poll.

Pre-mtg-54: Teleconference

#53: 26-27 April 2018, Brno, Czech Republic

Pre-mtg 53: TBD March 2018

#52: 22-23 January 2018, Phoenix, AZ

2017

pre-mtg-52: 11/12/17, Teleconference (UTC 2000, 2 hr)

#51: 6-7 Nov 2017, Albuquerque, NM with SC 21

post-mtg-50: 16/10/17, Teleconference (UTC 2000, 2 hr)

AI 50-04 – Steve – outreach to EcmaScript and C# folks (Rex Jaeschke) about a colocated meeting

AI 50-05 – outreach to COBOL (C Tandy, IBM) about a Part 11.



50.2. Liaison Activities

50.2.1 PL22.3/WG5 (Fortran)

50.2.2 WG4 (COBOL)

50.2.3 WG9 (Ada) Erhard Ploedereder

50.2.4 PL22.11/WG14 C Clive Pygott

50.2.5 PL22.16/WG21 (C++) Michael Wong

Stephen met with WG 21/SG 12, which has been renamed to include Vulnerabilities. They are working with us to define a documentation process.

50.2.6 Ecma International, TC49/TG2 (C#) and TC 39 (EcmaScript) Stephen Michell

50.2.7 MISRA C Clive Pygott

Working to develop guidelines for C11. Looking towards publication in 2018.

50.2.8 MISRA (C++) Clive

Working to develop guidelines for C++14. Looking towards publication in 2019.

50.2.9 SPARK

50.2.10 SC27/WG3, WG4 Security Stephen Michell

No report

50.2.11 Other Liaison Activities or National body reports

Discussion of WG 21 liaison activities. Stephen met with WG 21 in Toronto in July 2017. WG 21 has amended the scope of SG 12 to include vulnerabilities. Michael Wong reported on C++ issues and ways of working together. We agree to co-locate some future joint meetings with WG 21 if possible.

50.3. Document Review

50.3.1 TR 24772-1 Vulnerabilities, language independent

Latest version of TR24772-1

Include AI 47-08

We review N07??, in particular clause 6.64. AI 50-6 – Clive Pygott – Change the title to “Malformed format strings”. Rewrite 6.64 to cover mistakes as well as tainted input, and to reflect that the vulnerability is associated with the interpretation of format strings at run time.

50.3.2 TR 24772-2 Ada language specific part

We move a new vulnerability on constantness (N0737) into clause 8 of TR 24772-1 (now N0742).

50.3.3 TR 24772-6 Spark

50.3.4 TR 24772-3 C language specific part

Latest version of TR 24772-3 C

We review N073?. Changes made are reflected in N074?.



50.3.5 TR 24772-4 Python language specific part

Document N0592.

50.3.6 TR 24772-8 Fortran

Latest version of TR24772-8.

50.3.7 TR 24772-9 C++

Discussions of document N0691 or later version.

We look at the C++ Core guidelines

Use enumeration vulnerability in 6.5 as a sample case.

AI 50-06 – Chris Szalwinski, Clive Pygott, Michael Wong – Take the results of N0741, explicitly clause 6.5, and rework other sample vulnerabilities following this format.


50.3.8 Bibliography for each TR24772 Part

50.3.9 Dirty Dozen Rules for C, generic, and other languages

Review how the rules are incorporated into Part 1 and Part 3. Consider the generic rules for other Parts.

50.3.10 Document N0735 Standard for Coding Guidelines

We review N0735, which provides a collection of coding guidelines that may evolve into a standard. We discuss process vs product evaluation.

There is general agreement that the list of rules provided is a good start, but there will be significant discussion on the order, completeness, and inclusion/exclusion. Significant context also needs to be added to wrap the rules.

We discuss where such a document could be placed. One view is that this would be IS 24772, and that TR 24772-1 and beyond are supporting documents that support the sale of the standard. The other view is that a new project should adopt another number. There was more support for such an IS being the parent (i.e. IS 24772).

AI 50-07 – SM – Find out from SC 22 secretary and/or ITTF any restrictions on part numbering (i.e., ability to have XXX and XX-1, -2, etc).

AI 50-08 – All – Review N0735 and recommend text and structure that may be needed to make this a standard that would be valuable to the community.

50.3.11 Guidance to Language Designers

We discuss document N0727, which is a suggested list of guidance to language designers based on vulnerabilities identified in TR 24772-1. There was general agreement that such recommendations would not be well received as a stand-alone document. We discuss potential placement in clause 5. We discuss explicit guidance, and alternative approaches or wording. There is general agreement that this could become the basis of clause 5.X.

AI 50-09 – Larry Wagoner – reproduce N0727 as one or more tables for inclusion in TR 24772-1 in clause 5.

50.4 Strategy (Face to face meetings only)

Suggestion: look into domain-specific areas such as finance, embedded, automotive, nuclear.

50.5 Publicity (Face to face meetings only)

50.6 Other Business

50.6.1 Review of Assignment of responsibilities


50.7. Resolutions and Action Items

AI 50-01 – Erhard Ploedereder – Work on TR 24772-10 C++ to connect C subset in each section (CLOSE)

AI 50-02 – VOID

AI 50-03 – Steve – outreach to EcmaScript and C# folks (Rex Jaeschke) about a colocated meeting

AI 50-04 – Steve – outreach to COBOL (C Tandy, IBM) about a Part 11.

AI 50-05 – Chris Szalwinski, Clive Pygott, Michael Wong – Take the results of N0741, explicitly clause 6.5, and rework other sample vulnerabilities following this format.

AI 50-06 – SM – Determine with SC 22 secretary and/or ITTF any restrictions on part numbering (i.e., ability to have XXX and XX-1, -2, etc).

AI 50-07 – All – Review N0735 and recommend text and structure that may be needed to make this a standard that would be valuable to the community.

AI 50-08 – Larry Wagoner – reproduce N0727 as one or more tables for inclusion in TR 24772-1 in clause 5.



50.8. Adjournment

Adjourned at 1600 on 17 August 2017.