Meeting #8 of ISO/IEC JTC 1/SC 22/OWG: Vulnerability
9-11 April 2008

These minutes (formerly Draft 2) were approved at Meeting #9.

Meeting Times:

09 April 2008: 09:00 to 12:00 and 13:30 to 17:00
10 April 2008: 09:00 to 12:00 and 13:30 to 17:00
11 April 2008: 09:00 to 12:00

Meeting Location:

De Ruyterkade 113
1011 AB Amsterdam
The Netherlands
Tel: +31 20 6646416
Fax: +31 20 6750389

Host Contact information:

Willem Wakker


1. Opening activities

1.1 Opening Comments (Wakker, Benito)

Willem Wakker welcomed us to ACE and described meeting arrangements. An outside wireless connection will be supplied a bit later in the meeting. For now, we can use the hardwire network. Refreshments and snacks will be provided; also lunch. There will be a small reception on Thursday; we can visit the ACE museum also.

1.2 Introduction of Participants/Roll Call

Rex Jaeschke, the acting chair of ISO/IEC JTC 1/SC 22, joined the meeting on Friday.

1.3 Procedures for this Meeting (Benito)

The convener reminded us that there will be no formal votes, but there may be straw polls. Everyone is permitted to participate.

1.4 Approval of previous Minutes [N0111] (Moore)

The minutes were approved.

1.5 Review of previous action items and resolutions, Action Item and Decision Logs

We reviewed the log of action items, closing several of them.

1.6 Approval of Agenda [N0126]

The agenda was approved as circulated.

1.7 Information on Future Meetings

1.7.1 Future Meeting Schedule

Dates for subsequent meetings were discussed early in the meeting and again at the end. Originally, meetings for the remainder of 2008 were scheduled in Washington, DC (July), Stuttgart, Germany (Sept), and San Diego, CA (tentative Dec). We discussed a schedule for getting to PDTR ballot and, as a result, cancelled the July 2008 meeting of OWGV in favor of a meeting of an editorial team (during the week of 30 June to 7 July, in Washington, DC). The schedule is contained in document [N0130]. In addition to the project editor, the editorial team will consist of Larry Wagoner and Clive Pygott. Other OWGV participants may attend the meeting if they desire.

The Stuttgart meeting is scheduled to follow the SC22 plenary. Moore will organize a meeting in San Diego during the week of 13-20 April 2009. We will need hosts for 2009 meetings. There probably will be two meetings in DC at ITIC. The UK is willing to host a meeting. Ottawa is a possibility, maybe in July. So the summary of scheduled meetings is as follows:

1.7.2 Future Agenda Items

None were suggested.

1.7.3 Future Mailings

The post-meeting mailing was scheduled for May 7.

2. Reports on Liaison Activities

2.1 SC 22

Has not met. No report.

2.2 J3/WG5 (Fortran)

No report

2.3 J4/WG4 (COBOL)

No report

2.4 WG9 (Ada)

No report

2.5 J11/WG14 (C)

Tom reported that WG14 has not met since the most recent meeting of OWGV. It will meet next week.

2.6 J16/WG21 (C++)

They met recently and Tom briefed them on our work. He solicited volunteers to review our draft. The new version of C++ is intended to reduce the number of errors that cannot be detected until link time.

2.7 ECMA TC39/TG2 (C#)

No report because there is no activity in the group.

2.8 MISRA (C)

Derek reported that the current revision effort will be based upon C99.

2.9 MISRA (C++)

Clive reported that publication of the document has been delayed slightly and should be launched in June.

2.10 SPARK

No report

2.11 MDC (MUMPS)

No report

2.12 SC7/WG19 (UML)

No report

2.13 Other Liaison Activities or National body reports

No reports

3. Document Review

3.1 Editor's report, 24772 [N0123]

All vulnerability descriptions have been moved into the TR. The vulnerability directory is now obsolete. The final content is archived as [N131].

3.2 Editor's draft of PDTR 24772 [N0125]

We went through the draft and assigned action items for missing sections.

For mechanism of failure in EOJ, the text should be: "The failure occurs because the language compiler determines the control flow to be different than the control flow intended by the programmer. Therefore the program executes differently than intended."

It was suggested that the vulnerability descriptions in the Technical Report should be sorted in order of the assigned alphabetical code. However, it was decided to move the codes to the end of the title and to instead sort the descriptions in the order suggested by the outline in Annex A.

Larry Wagoner, Derek Jones and Clive Pygott supplied additional comments as the meeting progressed. With one exception, they were consolidated with those submitted prior to the meeting [N127]. The consolidated comments and their dispositions are recorded in [N129]. The exception is a set of editorial comments. They were logged as [N0132] and referred to the editor for action.

In response to his action item, Nick Stoughton suggested words for the Introduction of the TR. They were edited and accepted as follows:

All programming languages have constructs that are undefined, imperfectly defined, implementation-dependent, or difficult to use correctly. As a result, software programs can execute differently than intended by the writer. In some cases, these vulnerabilities can be exploited by an attacker to compromise the safety, security, and privacy of a system.

This Technical Report is intended to provide guidance spanning multiple programming languages, so that application developers will be better able to avoid the programming errors that lead to vulnerabilities in these languages and their attendant consequences. This guidance can also be used by developers to select source code evaluation tools for the discovery and elimination of coding errors that lead to vulnerabilities.

In response to his action item, Tom provided material that was edited as follows:

In N0125 at PDF page 60, line 6, we currently have:

IEEE 754 uses a 24-bit mantissa (including the sign bit) and an 8-bit exponent, but the number of bits allocated to the mantissa and exponent can vary when using other representations as can the particular representation used for the mantissa and exponent. Typically special representations are specified for positive and negative zero and infinity.

After this, we could add:

Even within IEEE 754, various alternative representations are permitted for the "extended precision" format (from 80- to 128-bit representation, with or without a hidden bit).

At line 11 we currently have:

Relying on a particular bit representation is inherently problematic, especially when a new compiler is introduced or the code is reused on another platform.

After this, we could add:

The uncertainties arising from floating point can be divided into uncertainty about the actual bit representation of a given value (e.g., big-endian/little-endian) and the uncertainty arising from the rounding of arithmetic operations (e.g., the accumulation of errors when imprecise floating values are used as loop indices).
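The two sources of uncertainty named above, shown in an added C example that is not part of the minutes or of the draft TR (the function names and the constructed byte sequence are the example's own): the same four bytes read under the wrong byte-order assumption become a different number, and a float used as a loop index accumulates rounding error so that an exact termination test never fires.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Bit pattern of a single-precision float, copied out with memcpy. */
uint32_t float_bits(float f) {
    uint32_t u;
    memcpy(&u, &f, sizeof u);
    return u;
}

/* Reassemble a float from 4 raw bytes under an assumed byte order
   (1 = little-endian, 0 = big-endian). The same bytes read under the
   wrong assumption silently yield a different, valid-looking number. */
float float_from_bytes(const unsigned char b[4], int little_endian) {
    uint32_t u = 0;
    for (int i = 0; i < 4; i++)
        u |= (uint32_t)b[i] << (little_endian ? 8 * i : 8 * (3 - i));
    float f;
    memcpy(&f, &u, sizeof f);
    return f;
}

/* Constructed sample: 1.0f as stored on a little-endian host (0x3F800000). */
const unsigned char ONE_LE_BYTES[4] = { 0x00, 0x00, 0x80, 0x3F };

/* Add `step` to a float accumulator n times, as a float loop index would.
   volatile forces each partial sum to be rounded to single precision. */
float accumulate(float step, int n) {
    volatile float acc = 0.0f;
    for (int i = 0; i < n; i++) acc += step;
    return acc;
}

/* Iterations a float-indexed loop runs before x == end exactly; capped at
   max_iter so a loop that never reaches `end` still terminates here. */
int float_index_loop_iterations(float step, float end, int max_iter) {
    int n = 0;
    for (float x = 0.0f; x != end && n < max_iter; x += step) n++;
    return n;
}

int main(void) {
    printf("1.0f bytes read big-endian: %g\n", float_from_bytes(ONE_LE_BYTES, 0));
    printf("ten times 0.1f = %.9g (bits 0x%08X)\n", accumulate(0.1f, 10),
           float_bits(accumulate(0.1f, 10)));
    printf("loop to 1.0f by 0.1f ran %d times (cap 1000)\n",
           float_index_loop_iterations(0.1f, 1.0f, 1000));
    return 0;
}
```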

3.3 New vulnerability descriptions [Directory of vulnerabilities]

This directory is now obsolete and is replaced by the draft TR. The final content is archived as [N131].

3.4 Consolidated comments on vulnerability descriptions [N0127]

Comments submitted prior to the meeting [N0127] and comments submitted during the meeting were consolidated into a single disposition spreadsheet [N0129]. As we developed the comment dispositions, several action items were assigned:

3.5 Review of the vulnerability template [Note: Issue from email reflector] [N0092]

It was decided that the 6.x.5 sub-clause should be labeled "Applicable language characteristics". It should be followed by the text: "This vulnerability description is applicable to languages with the following characteristics:"

We decided to drop item 6.x.3 from the template.

Jim took an action item to update the template and put it on the web site.

3.6 Mapping between OWGV language vulnerabilities and the JSF, MISRA C, CERT C and CERT C++, Seacord [N0124]

Action item for editor: Subject to the editor's discretion after a conversation with Seacord, add the cross-references to the draft PDTR noting any disagreements that arise. Send result to MISRA C, MISRA C++, CERT, and CWE for possible corrections. Clive volunteered to do the review for MISRA C++.

3.7 Array bounds checking bibliography, Jones [N0122]

It was noted that there are too many papers listed in this bibliography to include in the TR. Derek was given an action item to recommend two or three for inclusion in the generic description of array bounds checking. Also, the document will be retained as a resource for usage in language dependent annexes. It was suggested that Derek might put this on his web site -- along with some appropriate annotations -- and that we might reference the web site in the bibliography of the TR.

3.8 Forms of language specification: Examples from commonly used computer languages, Jones [N0121]

It was decided that Derek might post the document to his web site and that the draft TR might reference the URL in its bibliography.

3.9 "A new type of working group used for a new SC22 working group: OWG Vulnerability", Benito [N0119]

The presentation is a living document to be used as a resource whenever appropriate.

4. Other Business

We went through Nick's list of unanswered questions:

We decided to ask the SC22 plenary to re-designate OWGV as a working group. Reasons:

We hope that the NBs participating in OWGV will support the request. We gave an action item to NB HODs to inform their NBs and enlist support.

5. Resolutions

5.0 Review dates of future meetings

5.1 Review of Decisions Reached

5.2 Formal Vote on Resolutions

5.3 Review of Action Items

We reviewed the action items.

5.4 Thanks to Host

We thanked Willem Wakker for the fine facilities.

6. Adjournment

We adjourned at 1:46 on Friday.