ISO/IEC JTC 1/SC 22/WG 23/N 0466
Meeting Record: Meeting #27
ISO/IEC JTC 1/SC 22/WG 23: Programming Language Vulnerabilities
19-20 September 2013


Meeting Times:

19 September 2013: 9:00 am to 4:00 pm (JST - Japan Standard Time)
20 September 2013: 9:00 am to 4:00 pm (JST - Japan Standard Time)

Meeting Information:

See document: N 0452

Meeting Location:

Kikai-Shinko-Kaikan Building, Room B3-2 (3rd basement floor)
3-5-8, Shiba-koen, Minato-ku
Tokyo 105-0011, Japan
Tel: +81-3-3431-2808
Fax: +81-3-3431-6493

Meeting Minutes

1. Opening activities

1.1 Opening Comments

1.2 Introduction of Participants/Roll Call

Attendees

Rex Jaesche – Acting convenor
Stephen Michell – WebEx
David Keaton – US and C
Tom Plum – US and C++
Tatsuaki Takebe – Japan
Wang Lei – CESI China
Kiyoshi Ishihata – Japan
Kazuyoshi Korosue – Japan
Wataru Takagi - Japan
John Benito – self, phone
Larry Wagoner – Editor 17960, US
Clive Pygott – UK, WebEx

1.3 Procedures for this Meeting

1.4 Approval of previous Minutes [N 0456]

Adopted.

1.5 Review of actions items and resolutions, Action Item and Decision Logs

1.6 Approval of Agenda [N 0462]

1.7 Future Meeting Schedule


2014
#32

December
Web Conference

Dates not set.
#31

9-11 Sep
Madrid Spain

Co-locate with SC 22
#30

18-20 June
Rapperswil, Switzerland (tentative)

Co-located with WG 21
#29

24-26 March
Web conference


#28

January 14-15
Web conference



We agree to switch March meeting to teleconference only. Keep June meeting co-located with C++ in Rapperswil, Switzerland for now with option of dropping back to teleconference later. Ditto for Spain.

3. Reports on Liaison Activities

2.1 SC 22

WG 23 Business Plan and Convener's Report [N0460]

2.2 PL22.3/WG5 (Fortran)

2.3 PL22.4/WG4 (COBOL)

2.4 WG9 (Ada)

No work has been done on the Ada annex as it relates to the updated draft 24772. The WG 9 Ada HRG has committed to doing such a review.

2.5 PL22.11/WG14 ©

C Secure coding rules passed DIS ballot with no comments unanimously – goes straight to publication. The C convenor announced his intent to finish the current term and then not be renominated. The US will likely be looking for a new convenor in 2014. No work has been done on the C annex as it relates to the updated draft 24772.

2.6 PL22.16/WG21 (C++)

2.7 Ecma International, TC49/TG2 (C#)

2.8 Ecma International, TC39 (ECMAScript)

2.9 MISRA ©

Issue 3 has been published February 2013. MISRA is in the process resolving comments on Issue 3 of MISRA C.

2.10 MISRA (C++)

Nothing happening for now.

2.11 SPARK

No work has been done on the Spark annex as it relates to the updated draft 24772. The WG 9 Ada HRG has committed to doing such a review.

2.12 SC7/WG19 (UML)

2.13 Other Liaison Activities or National body reports

3. Document Review

Working draft of revision 3 of TR 24772 [N0461]

We had a significant discussion of the future of TR 24772. TR 24772 was published with 6 concurrency vulnerabilities in section 8 that were not addressed in the language specific annexes.


Working draft of IS 17960 [N0463]

Resolution of UK comments for 17960 CD ballot [N0464]
Resolution of Japan comments for 17960 CD ballot [N0465]

We reviewed the disposition of comments on the document, plus the changes that the editor made to satisfy the comments.

Japan NB agreed that their comments were satisfied by the statement that we intend to publish API's in a future revision.

Assuming a positive UK position, we need another ballot. The editor is to send the revised standard together with the combine the UK and Japan comments into a single “Disposition of Comments” document, submit to Marisa for a 2 month CD ballot.

Responded to comments. Japan was consulted and agreed that the document adequately addresses their NB issue.

UK was consulted and agreed that the updated document adequately addresses their issues. No further changes to the draft CD (N0463) are required. Therefore the editor can submit the document to the SC 22 secretary as soon as a complete disposition of comments is prepared. Such a disposition should reflect the decisions made in the Comment Resolution Meeting held as part of this meeting.

We agree that the next CD ballot will be a 2 month letter ballot, to begin as soon as possible after the WG 23 meeting completes.

Discussion as to whether or not code signing companies will sign up to 17960.

David Keaton suggests making this a Technical Specification. - Would just need a change in the project. The group was interested in the concept, but decided to leave as a standard for now, but keep that idea for later discussion.

4. Other Business

The termination of funding for the current chair/editor leaves the future of the group as an issue that must be discussed. The convenor is continuing to look for support, but we need to develop alternative plans if this does not materialize.

Options discussed -

a) Resolve code signing and disband group

b) Resolve code signing and minimal updates on 24772 - not an option.

c) Update 24772 with Fortran Annex but add language-specific annexes

In any case we need a convenor, in in c) and an editor.

It was agreed by the group, that if the convenor cannot continue, that the SC 22 secretary would be asked to appoint Stephen Michell as interim convenor until at least the next SC 22 plenary where the full discussion of the WG's progress amd makeup would be held.

The position of editor of TR 24772 was discussed. Larry Wagoner and Clive Pygott have volunteered to become co-editor's if the current editor officially resigns.

Discussion of the quality of the document, and added vulnerabilities to match the SANS top 25. Lang-specific annexes are missing the annex

5. Resolutions

6. Adjournment

Adjourned at 1015 September 20 2013.