ISO/IEC JTC 1/SC 22/WG 23 N0227
Meeting #12
ISO/IEC JTC 1/SC 22/WG 23: Programming Language Vulnerabilities
21-23 October 2009

These minutes are not official until approved at a subsequent meeting.

1. Opening activities

The meeting was called to order at 9:00 am. John is the local contact if any problems arise.

1.2 Introduction of Participants/Roll Call

John Benito (convener), Jim Moore (secretary), Dan Nagle, Bill Seymour, Clive Pygott, Beth Karlin, Bob Karlin, Larry Wagoner, Steve Michell, Bill Spees, Tom Plum, Robert Seacord, James Widman (PL22.16), and Nick Stoughton (POSIX AG) attended all or part of the meeting.

Main focus of meeting is to resolve comments received on the PDTR.2 ballot. Goal is to publish the TR next year. After that, we work on revising the TR, including adding the language-dependent annexes.

1.5 Review of previous actions items and resolutions, Action Item and Decision Logs

The log was reviewed and updated.

The secretary noted that submitted documents were added to the agenda under Item 3. In addition, item 3.7 was added to the agenda. It was noted that the primary purpose of this meeting is item 3.1. Review of the other documents on the agenda will be performed as time is available. An email from Tom Plum was discussed for addition to the agenda. It was decided that this discussion was sufficient and the item was not added to the agenda but instead converted into a document and posted as [N0236].

1.7 Information on Future Meetings

1.7.1 Future Meeting Schedule

Bob Karlin requested that teleconferencing facilities be made available for the Padova meeting.

Steve Michell has volunteered for a September meeting in conjunction with the SC22 plenary, 15-17 September 2010.

The convener asked if someone wants to volunteer for a late June meeting. It was suggested that a Washington, DC meeting might be appropriate. Action items #12-01 through #12-04 were assigned to various persons to check various locales for availability.

1.7.2 Future Agenda Items

Discuss plans for a revision of the TR, including annexes.

2. Reports on Liaison Activities

2.1 SC 22, Jim Moore

At its plenary meeting in September, SC 22 decided to use the Excel-based commenting format that is currently used by SC 7. To my knowledge, no ballots have gone out yet with the new commenting form.

2.2 PL22.3/WG5 (Fortran), Dan Nagle

A subgroup is very interested in a language-dependent annex. Some others are indifferent; some are hostile. There is a rumor that Los Alamos is considering a code-checker that would reflect the contents of the current draft TR.

Dan mentioned UPC (Unified Parallel C), a C language extension. It might be an appropriate target for liaison when we take up concurrency issues. The convener mentioned that he has made some contacts and trying to encourage some interest.

2.3 PL22.4/WG4 (COBOL), Barry Tauber

Bob Karlin reported that WG4 has a new convener from Japan, Wataru Takagi. They are developing a revision that they hope to publish in 2009 or early 2010. It might be appropriate to ask WG4 for increased participation in the WG23 project. Starting in December, new work will be done in an OWG of WG4 rather than in PL22.4.

2.4 WG9 (Ada), Erhard Ploedereder

WG9 through its HRG rapporteur group has initiated the production of the Ada Annex to the Technical Report produced by WG23. Work has progressed since June 2009. For the next meeting in Tampa, FL, in early November 2009, the document is expected to contain all sections and to be reviewed once. It is a fair assumption that the document will be ready for discussion at the Spring meeting of WG23.

Steve Michell mentioned that WG9's next workshop will consider the draft of the Ada-specific annex. This will be November 3-5 in Tampa, FL.

2.5 PL22.11/WG14 (C), Tom Plum

No report received. WG14 is meeting next week.

2.6 PL22.16/WG21 (C++), Tom Plum

No report received. WG21 is meeting concurrently with WG23.

2.7a Ecma International, TC49/TG2 (C#), Tom Plum

No report received.

2.7b Ecma International, TC39 (ECMAScript), Douglas Crockford

No report received.

2.8 MISRA (C)

No report received. The convener said that he has been trying to obtain a liaison between MISRA and JTC1. He thinks this may have been approved yesterday, allowing MISRA to submit documents.

2.9 MISRA (C++), Clive Pygott

They are now reviewing comments that resulted from publication.

2.10 SPARK, Rod Chapman

No report received. Michell said that Rod Chapman may have submitted a draft for a SPARK annex.

2.11 MDC (MUMPS), Ed de Moel

No report received.

2.12 SC7/WG19 (UML), Cesar Gonzalez-Perez

No report received.

2.13 Other Liaison Activities or National body reports

Nick Stoughton said that POSIX issued a revised standard in 2008/2009 as a single combined document.

3. Document Review 

[Throughout the remainder of the minutes, there are suggestions for future work. They should be considered at the appropriate time.]

3.1 Comments on PDTR.2 ballot [N0224]

UK comments had been submitted without indicating whether they were technical or editorial. The secretary, after a review, had classified them as editorial. Clive Pygott briefly reviewed them and changed the classification of selected ones to technical.

The meeting proceeded to review the general and technical comments and then reviewed the editorial comments.

During discussion, there was a suggestion that the next edition of the TR should add a subsection to the vulnerability description template to address the consequences and risks of each coding problem.

The line "Annexes apply the guidance to some particular programming languages." was removed from the description of Scope. It should be re-inserted in future editions.

Several documents [N0231, N0232, N0234, and N0235] were offered, considered, and revised as dispositions of selected comments; they are specifically referenced in the disposition document. The completed disposition of comments was logged as N0230.

3.2 J-P Rosen's paper, "On Removing Programming Language Bias from the Vulnerabilities Document," [N0218]

The convener believes that little can be done with this document at the current late stage of balloting. However, the paper should be considered carefully in the preparation of the second edition of the TR.

3.3 Burns/Wellings paper, "Language Vulnerabilities -- Let's not forget about concurrency," [N0226]

The convener believes that little can be done with this document at the current late stage of balloting. However, the paper should be considered carefully in the preparation of the second edition of the TR.

There was some discussion regarding the role of concurrency in various languages.

3.4 Olwen Morgan, "Metriqa C Coding Standard," [N0228]

This paper should be consulted as we continue to develop the language-specific annex for C.

3.5 Erhard Ploedereder, Revised proposal for a vulnerability description on namespace issues, [N0229 doc, pdf]

This document is a candidate for the second edition of the TR.

3.6 Language-specific annexes

3.6.1 C [N0221]

This was replaced during the meeting by an updated version, [N0233]. A workshop following the current meeting will review the document.

3.6.2 Fortran [N0220]

The Fortran committee has not had the opportunity to view this version yet.

3.6.3 Revised format for language-specific annexes [N0217]

This document simply records decisions made at Meeting #11. It should be added to the DTR ballot draft.

3.7 Possible plans for revision of the TR [N0212 ppt, pdf]

It was suggested that there should be a telephone conference with representatives of other working groups to consider how to obtain language-dependent annexes and/or additional parts of 24772.

4. Other Business

5.1 Review of Decisions Reached

We reviewed the minutes.

5.2 Review of Action Items

See 1.7 regarding Meeting #14.

