programming language vulnerabilities within the iso iec
play

Programming Language Vulnerabilities within the ISO/IEC - PowerPoint PPT Presentation

Mar 15, 2024 •269 likes •557 views

Programming Language Vulnerabilities within the ISO/IEC Standardization Community Stephen Michell International Convenor JTC 1/SC 22 WG 23 Programming Language Vulnerabilities Canadian HoD to ISO/IEC/JTC 1SC 22 Programming Language

  1. Programming Language Vulnerabilities within the ISO/IEC Standardization Community Stephen Michell International Convenor JTC 1/SC 22 WG 23 Programming Language Vulnerabilities Canadian HoD to ISO/IEC/JTC 1SC 22 Programming Language Subcommittee stephen.michell@maurya.on.ca 1

  2. Meet JTC 1 ● ISO is the International Standards Organization ● IEC is the International Electrotechnical Commission – Both have international treaties to develop International Standards – Both work through internationally manned Technical Committees to develop standards ● e.g. – ISO 9001 Quality – IEC 61508 Safety – Why? - International standards can be readily adopted by countries and put into national regulations. – Work is done by consensus ● Wide agreement, no strong sustained opposition 2

  3. JTC 1 ● ISO and IEC jointly formed the Joint Technical Committee 1(circa 1988) – Everything IT ● Printers, media, network protocols, databases. software engineering, big data ● and oh yes – programming languages – Has own procedures and Subcommittees to do the work 3

  4. Meet Subcommittee(SC) 22 Programming languages and their environments ● APL COBOL Fortran Basic Mumps POSIX Pascal Ada Internationalization C Lisp Prolog Modula 2 Formal Methods C++ Vulnerabilities 4

  5. Meet SC 22 (cont) Member Countries (20 P members) ● Austria Canada China France Denmark Germany Japan Korea Spain Switzerland USA UK and others that are not usually in plenary Also O Members ● Belgium New Zealand Singapore India Italy Argentina 5

  6. How Standardized? ● National Body (NB) participation and voting ● Project steps – New Work Item Proposal (NB approval) – Working Draft (technical expert consensus) – Committee Draft (national body consensus) – Draft International Standard (JTC 1 vote) – Standard ● Countries provide technical experts that do the work ● Documents iterate through the projects steps with international votes 6 – Last one (FDIS) -> Standard!

  7. How Standardized? Also produce other international products ● – Technical Corrigendum to standard – Amendment to standard – Technical Specification (pre-standard) – Technical Report 7

  8. What about innovation? ● Working with some of the best in the world ● Adding new capabilities and ideas as they mature enough to standardize – Interfaces, Containers (Ada) – Assertions, Ravenscar profile (Ada) – Bounded Libraries(C) – Concurrency features, Static Assertions (C) – Parallelism (fine-grained) (Ada, C, C++, Fortran) – Concepts, Lambdas (C++) – Async methods (C#, C++) – Interfacing to C (Fortran) – OO (Fortran, COBOL) 8

  9. Programming Language Vulnerabilities (WG 23) ● Develop a Technical Report on language independent vulnerabilities with language- dependent annexes to map each language to the common ones. – Published as TR 24772:2010 – Revised 2012 with annexes for C, Ada, Ruby, Python, Spark and PHP. – Revising TR 24772 to add more vulnerabilities (OO, Time) and more languages (Fortran, C++) ● Published FDIS 17960 Code Signing for Source Code 9

  10. Outreach ● Work with other groups – ISO/IEC/JTC 1/SC 27 Security (liaison) – Programming language WG’s (WG 9 Ada, WG 14 C, WG 5 Fortran, etc) – IEC SC 65 for Safety (liaison being initiated) 10

  11. Vulnerabilities ● Various groups look at programming language vulnerabilities – MITRE/Homeland Security ● Common Vulnerabilities and Exposures (CVE) – Enumerates every vulnerability instance reported by type, OS, application (thousands) ● Common Weakness Exposures (CWE) – Groups reported vulnerabilities by type (about 900) – SANS/CWE Top 10 ● Open Wasp Application Project – OWASP Top 25

  12. Vulnerabilities (WG 23) ● Different look at vulnerabilities – More than Security – Safety also – Consider much more than attacks ● Programming mistakes – From classic to obscure – Consider real time issues ● Weaknesses that can be attacked – Aggregated more than CWE ● Document about 90 vulnerabilities that match 900 CWE weaknesses – Consider how vulnerabilities appear in specific programming languages ● Separate annex for each programming 12 language

  13. What WG 23 has not done ● Coding Standards – Many levels of integrity (safety and security) will use this document – Many programming domains will use documents, from general usage to real time community – Concerns of each community is different and the ways that they address vulnerabilities will differ – No hope that a single coding standard will meet the needs of any (let alone all) community – Writing to the people that create coding standards – WG 23, however, is consolidating common guidance that many will use as coding guidelines 13

  14. Vulnerabilities (WG 23) ● Intend that document will be used to develop coding standards ● Provide explicit guidance to programmer to avoid vulnerability – Use static analysis tools – Adopt specific coding conventions – Always check for error return ● Recommend to language designers on steps to eliminate vulnerability from language – Provide move/copy/etc operations that obey buffer size and boundaries 14

  15. Vulnerabilities (WG 23) Vulnerabilities covered ● – Type system – Bit representation – Floating point arithmetic – Enumeration issues – Numeric conversion issues – String termination Issues – Buffer boundary violations – Unchecked array indexing – Unchecked array copying – Pointer type changes – Pointer arithmetic – Null pointer dereference 15

  16. Vulnerabilities (WG 23) ● Vulnerabilities covered (more) – Identifier name reuse – Unused variable – Operator precedence / order of evaluation – Switch statements and static analysis – Ignored status return and unhandled exceptions – OO Issues (overloading, inheritance, etc) – Concurrency Issues (activation, directed termination, premature termination, concurrent data access) – Time Issues (time jumps, jitter, representation) 16

  17. Vulnerabilities (WG 23) Application Vulnerabilities ● Design errors that cannot be traced to language weaknesses – Adherence to least privilege (not) – Loading/executing untrusted code – Unrestricted file upload – Resource exhaustion – Cross site scripting – Hard coded password – Insufficiently protected credentials 17

  18. Vulnerabilities (WG 23) ● Look at one vulnerability 6.5 Enumerator Issues [CCB] – 6.5.1 Description of Vulnerability – ● What is enumeration ● Issue of non-default representation, duplicate values, ● Issue of arrays indexed by enumerations – Holes ● Issue of static coverage 6.5.2 References – ● Reference – CWE counterpart, – MISRA C and C++ rules, – CERT C guidelines, – JSF AV rules, – Ada Quality Style and Guide 18

  19. Vulnerabilities (WG 23) – 6.5.3 Mechanism of Failure ● Interplay between order of enumerators in list, how (and where) new members added, and changes in representation. ● Expressions that depend on any of these are fragile – Incorrect assumptions can lead to unbounded behaviours – 6.5.4 Applicable Language Characteristics ● Languages that permit incomplete mappings (to theoretical enumeration) ● Languages that provide only mapping of integer to enumerator ● Languages that have no enumerator capability 19

  20. Vulnerabilities (WG 23) – 6.5.5 Avoiding Vulnerability & Mitigating Effects ● Use static analysis tools to detect problematic use ● Ensure coverage of all enumeration values ● Use enumeration types selected from limited set of values – 6.5.6 Implications for Standardization ● Provide a mechanism to prevent arithmetic operations on enumeration types ● Provide mechanisms to enforce static matching between enumerator definitions and initialization expressions 20

  21. Vulnerabilities (WG 23) ● Ada’s response to Enumerator Issues – Complete coverage mandatory – Order must be preserved, but holes in representation permitted – Arrays indexed by enumeration type may have holes (implementation dependent) – When “others” option used in enumeration choice, unintended consequences can occur – Guidance ● Do not use “others” choice for case statements & aggregates ● Mistrust subranges as choices after enumeration values added in middle 21

  22. Vulnerabilities (WG 23) ● C’s response on Enumerator Issues – Follow guidance of main part – Use enumerators starting at 0 and incrementing by 1 – Avoid loops that step over enumerator with non- default representation – Select from limited set of choices, and use static analysis tools 22

  23. Vulnerabilities (WG 23) ● Python’s response on Enumerator Issues – Python only has named integers and sets of strings – Variable can be rebound at any time, so no consistent use as an enumerator 23

  24. Vulnerabilities (WG 23) ● First version of TR 24772 published in 2010 – No language specific annexes ready ● Second edition published in 2012 – Language annexes for Ada, C, Python, Ruby, Spark, PHP – New vulnerabilities for concurrency but no language-specific response 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

C++ and Programming Language Vulnerabilities Stephen Michell Convenor of ISO/IEC/JTC 1/SC 22/WG

C++ and Programming Language Vulnerabilities Stephen Michell Convenor of ISO/IEC/JTC 1/SC 22/WG

C++ and Programming Language Vulnerabilities Stephen Michell Convenor of ISO/IEC/JTC 1/SC 22/WG 23 Programming Language Vulnerabilities stephen.michell@csagroup.org stephen.michell@maurya.on.ca Outline History of WG 23 Edition 3

196 views • 15 slides
HOC programming language HOC programming language p. 1/27 Why learn the language GUI will

HOC programming language HOC programming language p. 1/27 Why learn the language GUI will

HOC programming language HOC programming language p. 1/27 Why learn the language GUI will get you started but then want to manipulate output Dump to .ses file and edit Can load .ses and run without graphics (for large sims) Network

638 views • 27 slides
ISO/IEC JTC 1/SC 22/WG 23 ISO working group on Guidance for Avoiding Vulnerabilities through

ISO/IEC JTC 1/SC 22/WG 23 ISO working group on Guidance for Avoiding Vulnerabilities through

ISO/IEC JTC 1/SC 22/WG 23 N0192 ISO/IEC JTC 1/SC 22/WG 23 ISO working group on Guidance for Avoiding Vulnerabilities through language selection and use John Benito, Convener Jim Moore, Secretary June 2009 1 The Problem Any programming

367 views • 26 slides
Programming language shapes Programming thought So why study PL ? Language affects how:

Programming language shapes Programming thought So why study PL ? Language affects how:

CMPS 116: Fall 2019 Introduction to Functional Programming Lecture 1: Course Overview. Owen Arden UC Santa Cruz A Programming Language Two variables L1: x++; x , y y--; Three operations (y=0)?L2:L1 x++

585 views • 16 slides
Q: A Functional Programming Language for Q: A Functional Programming Language Multimedia

Q: A Functional Programming Language for Q: A Functional Programming Language Multimedia

Q: A Functional Programming Language for Q: A Functional Programming Language Multimedia Applications Albert Grf Dept. of Music-Informatics Q: A Functional Programming Language Quick overview What? Why? The Library MIDI,

496 views • 12 slides
The Programming Language Co re The Programming Language Co re W olfgang Schreiner

The Programming Language Co re The Programming Language Co re W olfgang Schreiner

The Programming Language Co re The Programming Language Co re W olfgang Schreiner Resea rch Institute fo r Symb olic Computation (RISC-Linz) Johannes Kepler Universit y , A-4040 Linz, Austria W

920 views • 30 slides
Programming language shapes Programming thought programming languages are not merely

Programming language shapes Programming thought programming languages are not merely

CMPS 112: Spring 2019 Comparative Programming Languages Lecture 1: Course Overview. Owen Arden UC Santa Cruz A Programming Language Two variables L1: x++; x , y y--; Three operations (y=0)?L2:L1 x++ L2:

476 views • 18 slides
Programming Language A programming language is a translator between human and machine.

Programming Language A programming language is a translator between human and machine.

Programming Language A programming language is a translator between human and machine. Machine language is a set of codes each consists of a binary string usually of length multiple of 8 (00000101,1000000,..) Since it is

143 views • 10 slides
The Rust Programming Language Ben Goldberg Rust A Programming Language for the Future Thank You

The Rust Programming Language Ben Goldberg Rust A Programming Language for the Future Thank You

The Rust Programming Language Ben Goldberg Rust A Programming Language for the Future Thank You Thank you to rust-lang.org for providing content and examples! Overview The sales pitch Use cases The Rust language Other Languages

1.18k views • 63 slides
Python In a Nutshell Why another programming language? **All Programming Languages are created

Python In a Nutshell Why another programming language? **All Programming Languages are created

Python In a Nutshell Why another programming language? **All Programming Languages are created equal ** ;-) Bohm & Jacopini demonstrate that any programming language that allows you to write sequence conditional structure loops can

348 views • 10 slides
Software Vulnerabilities in Programming Languages and Applications A presentation to Ada Europe

Software Vulnerabilities in Programming Languages and Applications A presentation to Ada Europe

Software Vulnerabilities in Programming Languages and Applications A presentation to Ada Europe 2010 Stephen Michell, Maurya Software, Ottawa, Canada Security There are people out there trying to attack every computer that we own. Most

503 views • 48 slides
The programming language C hic 1 The programming language C invented by Dennis Ritchie in

The programming language C hic 1 The programming language C invented by Dennis Ritchie in

The programming language C hic 1 The programming language C invented by Dennis Ritchie in early 1970s who used it to write the first Hello World program C was used to write UNIX Standardised as K&R (Kernighan &

594 views • 25 slides
The CEAS The CEAS Programming Language Programming Language Luis Alonso (lra2103) Hila Becker

The CEAS The CEAS Programming Language Programming Language Luis Alonso (lra2103) Hila Becker

The CEAS The CEAS Programming Language Programming Language Luis Alonso (lra2103) Hila Becker (hb2143) Kate McCarthy (km2302) Isa Muqattash (imm2104) Motivation Webpages contain clutter extraneous menus, links, corporate logos,

167 views • 13 slides
Lecture #23: The Scheme Language Scheme is a dialect of Lisp: The only programming language

Lecture #23: The Scheme Language Scheme is a dialect of Lisp: The only programming language

Lecture #23: The Scheme Language Scheme is a dialect of Lisp: The only programming language that is beautiful. Neal Stephenson The greatest single programming language ever designed Alan Kay Last modified: Mon Mar 14

401 views • 18 slides
PROGRAMMAZIONE PROCEDURALE A.A. 2020/2021 PROGRAMMING LANGUAGES A programming language is a

PROGRAMMAZIONE PROCEDURALE A.A. 2020/2021 PROGRAMMING LANGUAGES A programming language is a

PROGRAMMAZIONE PROCEDURALE A.A. 2020/2021 PROGRAMMING LANGUAGES A programming language is a formal language that specifies a set of instructions that can be used to produce various kinds of output. Programming languages generally consist of

576 views • 35 slides
Programming Language Concepts Principles of Programming Languages Colorado School of Mines

Programming Language Concepts Principles of Programming Languages Colorado School of Mines

Programming Language Concepts Principles of Programming Languages Colorado School of Mines https://lambda.mines.edu CSCI-400 With your learning group: 1 Share your defjnitions of a programming language. Discuss what each defjnition entails,

903 views • 23 slides
Escapement Enumeration Continuance of 2016 Pilot Project 2017 (2 nd Year) GOAL: to enumerate

Escapement Enumeration Continuance of 2016 Pilot Project 2017 (2 nd Year) GOAL: to enumerate

2017 Chilliwack River Chum Escapement Enumeration Continuance of 2016 Pilot Project 2017 (2 nd Year) GOAL: to enumerate total Fraser River Chum Salmon escapement by combining a high precision estimate of Chilliwack River Chum escapement

510 views • 19 slides
2 On or before November 7, 2016 If you identify a health plan in a covered transaction,

2 On or before November 7, 2016 If you identify a health plan in a covered transaction,

Laurie Darst Mayo Clinic Revenue Cycle Regulatory Advisor & WEDI HPID Workgroup Co-Chair 1 Health Plan: an individual or group plan that provides or pays the cost of medical care Individual or group plans Health insurance issuers

346 views • 5 slides
An Introduction to Enumeration Schemes Lara Pudwell Valparaiso University Lara.Pudwell@valpo.edu

An Introduction to Enumeration Schemes Lara Pudwell Valparaiso University Lara.Pudwell@valpo.edu

Pattern-Avoiding Permutations Enumeration Schemes Summary An Introduction to Enumeration Schemes Lara Pudwell Valparaiso University Lara.Pudwell@valpo.edu AWM Workshop Washington, DC January 8, 2009 Pattern-Avoiding Permutations

475 views • 32 slides
Making enumeration count: Conducting a PiTC/Registry Week November 17, 2017 Emergency and

Making enumeration count: Conducting a PiTC/Registry Week November 17, 2017 Emergency and

Making enumeration count: Conducting a PiTC/Registry Week November 17, 2017 Emergency and Community Services Amanda DiFalco Housing Services Division Presentation Overview 1 Hamilton Context 2 Registry Week Components Stakeholder

420 views • 23 slides
IEEE Std 1722.1-2013 The AVB Control Protocol AES NY 2013 Jeff Koftinoff

IEEE Std 1722.1-2013 The AVB Control Protocol AES NY 2013 Jeff Koftinoff

IEEE Std 1722.1-2013 The AVB Control Protocol AES NY 2013 Jeff Koftinoff <jeffk@meyersound.com> Saturday, October 19, 13 IEEE Std 1722.1-2013 A udio V ideo D iscovery E numeration C onnection management C ontrol

515 views • 23 slides
a friendly place. 1 2020 CENSUS YOUR COMMUNITIES COUNT! Atlanta Regional Office Managing

a friendly place. 1 2020 CENSUS YOUR COMMUNITIES COUNT! Atlanta Regional Office Managing

Where we enjoy a relaxing pace in a friendly place. 1 2020 CENSUS YOUR COMMUNITIES COUNT! Atlanta Regional Office Managing Census Operations in AL, FL, GA, LA, MS, NC, SC Instructors Training Guide The goal of Census 2020 is to

481 views • 32 slides
521493S Computer Graphics Exercise 3 Question 3.1 Most graphics systems and APIs use the simple

521493S Computer Graphics Exercise 3 Question 3.1 Most graphics systems and APIs use the simple

521493S Computer Graphics Exercise 3 Question 3.1 Most graphics systems and APIs use the simple lighting and reflection models that we introduced for polygon rendering. Describe the ways in which each of these models is incorrect. For each

264 views • 22 slides
Upda pdate te o on Natural En Envi viro ronme ment W Work ork Pro Progra ram m

Upda pdate te o on Natural En Envi viro ronme ment W Work ork Pro Progra ram m

PDS 1 DS 10-2019 2019 Upda pdate te o on Natural En Envi viro ronme ment W Work ork Pro Progra ram m February 20, 2019 Presentation to Planning and Economic Development Committee Background PDS 41-2017 outlined the 8

337 views • 9 slides

More recommend