WG 23
Programming Language Vulnerabilities
Maintained by
Jim Moore,
James.W.Moore@ieee.org
If you don't see two frames, click here.

Formerly called the "OWGV"

Disclaimer

ISO/IEC Project 22.24772:
Programming Language Vulnerabilities

All programming languages have constructs that are undefined, imperfectly defined, implementation-dependent, or difficult to use correctly. As a result, software programs can execute differently than intended by the writer. In some cases, these vulnerabilities can be exploited by an attacker to compromise the security of a system, or lead to unanticipated situations where safety or privacy are compromised.

ISO/IEC JTC 1/SC 22/WG 23 prepares comparative guidance spanning multiple programming languages, so that application developers will be better able to avoid the programming errors that lead to vulnerabilities in these languages and their attendant consequences. This guidance can also be used by developers to select source code processing tools that can discover and eliminate coding errors that lead to vulnerabilities. Finally the guidance can be used by the developers of the language specifications themselves to improve language design.

The project has prepared an ISO/IEC Technical Report containing guidance to users of programming languages on how to avoid the vulnerabilities that exist in the programming language selected for a particular project. The first edition of the Technical Report was published in 2010 and is available for free. Unlike many ISO/IEC documents, single-user copies are licensed at no charge.

The project is now preparing a second edition describing additional vulnerabilities and providing annexes that describe how the vulnerabilities manifest themselves in different languages.

Currently, the group enjoys the participation of representatives from many of the important programming languages and hopes to attract more. The group plans to obtain information about vulnerabilities and their treatment from initiatives such as MISRA (C and C++), the Common Weakness Enumeration dictionary, and the CERT Secure Coding Initiative.

[ Project Organization ] [ Project Status ]

The work of WG23 is supplemented by an archived mailer.

You can use Google to search this web site:

Entire WebWG 23 Web Site

Project Organization

ISO/IEC JTC1/SC22 has the scope of "programming languages and their environments". WG 23 (Vulnerabilities) is a working group reporting to SC 22. It has been assigned responsibility for project 22.24772 to write an ISO/IEC Technical Report, "Programming Language Vulnerabilities." More information regarding the project can be found in our FAQ.

Leadership:

(All email addresses have been altered to discourage automatic harvesting of them):

SC 22 Officers

Chair Rex Jaeschke rex at RexJaeschke dot com

Secretariat ANSI Marisa Peacock mpeacock at ansi dot org

WG 23 Officers

Convener John Benito benito at bluepilot dot com

Secretary Jim Moore James dot W dot Moore at IEEE dot org

Identified Participants:

Many individuals have attended meetings or participated via email. The following persons are officers of WG 23 or identified points of contact for participating organizations:

Individual Participant Point of contact for a National Body (see below) Liaison with a Working Group of ISO / IEC JTC1 / SC22 Liaison with another Organization

John Benito (convener) .

Ben Brosgol Java Community: JSR 282: RTSJ and JSR 302: Safety Critical Java Technology

Paul Caseley UK MOD

Rod Chapman SPARK

Douglas Crockford ECMA TC39 (ECMAScript)

Franco Gasperoni France

Cesar Gonzalez-Perez ISO/IEC JTC1 / SC7 / WG19

Roman Grahle Germany

Chris Hills MISRA Languages L (Category C Liaison)

Kiyoshi Ishihata Japan

Rex Jaeschke

Derek Jones UK

Stephen Michell [1] Canada, SCC

Ed de Moel MDC (MUMPS)

Jim Moore (secretary)

Dan Nagle WG5 (Fortran) PL22.3 (Fortran)

Erhard Ploedereder WG9 (Ada) Ada-Europe

Tom Plum US, INCITS PL22 WG14 (C)
WG21 (C++) [2] ECMA TC49 / TG2 (C#)

Clive Pygott MISRA C++

Robert Seacord CERT

Bill Spees US FDA

Nick Stoughton . SC22 (POSIX) Austin Group

Barry Tauber WG4 (Cobol) PL22.4 (Cobol)

Tullio Vardanega Italy

[1] Additional designated experts from Canada include: Robert Klarer and Michell Wong.

[2] Additional liaison representatives from WG21 include: Matt Austern, Steve Clamage, Richard Corden, Gabriel Dos Reis, Nick Maclaren, Thorsten Ottosen, P. J. Plauger, PremAnand Rao, Mike Spertus, Bjarne Stroustrup, and Detlef Vollman.

Those interested in representing their national body or participating in a national "shadow group" should contact the standards body of the nation in which they reside or work. In the case of the following nations, a point of contact has been identified. (All email addresses have been altered to discourage automatic harvesting of them):

Canada SCC Steve Michell stephen dot michell at maurya dot on dot ca

France AFNOR Franco Gasperoni gasperon at act-europe dot fr

Germany DIN Roman Grahle roman dot grahle at din dot de

Italy UNI Tullio Vardanega tullio dot vardanega at math dot unipd dot it

Japan JSA Kiyoshi Ishihata ishihata at cs dot meiji dot ac dot jp

Netherlands NEN Willem Wakker willemw at ace dot nl

UK BSI IST-5 Derek Jones derek at knosof dot co dot uk

USA INCITS PL22 Tom Plum tplum at plumhall dot com

Status of Formal Standards Process

Completed

Preliminaries

Jun-Sep 2005 New Work Item Proposal, "Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use," was balloted by SC22 and JTC1 to authorize project. [N0001]

2 Oct 2005 SC22 created OWG:Vulnerabilities to perform project [N0003]. Jim Moore was named as convener.

5 Oct 2005
SC22 Secretariat announced balloting results, assigned project number and directed OWG:Vulnerability to begin work [N0002]:

Please note that this project has been assigned the ISO/IEC designation "24772". The OWG: Vulnerabilities is instructed to begin work on this project and prepare a disposition of comments for those National Body comments received on the SC 22 ballot.

6 Oct 2005 Plan for "Moving Forward" [N0004]

13 Mar 2006 Prepared disposition of the comments received on New Work Item Proposal [N0007]

21 Sep 2006 SC22 renewed the OWGV for another year of work [N0045]. It named John Benito as convener and The MITRE Corporation (Jim Moore) as Secretariat.

28 Sep 2007 SC22 plenary: Resolution 07-09 renewed the OWGV for another year of work. It named John Benito as convener and The MITRE Corporation (Jim Moore) as Secretariat. Resolution 07-10 registered PDTR 24772. [N0110]

24 Sep 2008 SC22 plenary: Resolution 08-03 established WG 23 to carry on the work of OWGV. It named John Benito as convener. Resolution 08-06 renamed the document as "Programming Language Vulnerabilities".

First Edition

9 Dec 2008 Draft of 24772 [N0170] prepared for PDTR ballot.

11 Feb 2009 Balloting of PDTR 24772 was completed with 11 nations voting in favor, 1 nation voting against, and 5 nations abstaining. [N0176]

2 Jun 2009 Draft of 24772 [N0191] prepared for 2nd PDTR ballot.

23 Jun 2009 2nd PDTR ballot of 24772 [N0191] initiated. Ballot closes 23 Sep 2009.

27 Sept 2009 Balloting of PDTR 24772 was completed with 8 nations voting in favor, 1 nation voting against, and 8 nations abstaining [N0224]

23 Nov 2009 Draft of 24772 [N0238] prepared for DTR ballot.

15 Dec 2009 DTR ballot of 24772 [N0238] initiated. Ballot closes 16 March 2010.

16 Mar 2010 Balloting of DTR 24772 was completed with 18 nations voting in favor, 0 nations voting against and 13 nations abstaining [N0243]

3 June 2010 Draft submitted for publication [N0257]

23 July 2010 Draft revised and resubmitted [N0267]

23 Sep 2010 Publication proof reviewed and approved [N0285]

29 Sep 2010 ISO/IEC TR 24772:2010 published

July 2011 Technical Report made publicly available here

Second Edition

24 Jan 2012 Draft prepared for PDTR ballot

24 Apr 2012 Balloting of PDTR completed with 15 nations voting in favor, 0 voting against, and 5 abstentions

11 Jul 2012 Draft prepared for PDTR.2 ballot

10 Sep 2012 Scheduled completion of PDTR.2 ballot

History

The work of the study group leading to creation of the OWGV and, ultimately, WG 23, is summarized on the History page.

Disclaimer Most of the items contained in this web site and its associated files and directories are preliminary working material of ISO/IEC JTC 1/SC 22, subject to review and correction.

The web site is maintained for the convenience of the participants in SC 22/WG 23 by:

James W. Moore, James.W.Moore@ieee.org.

ISO/IEC JTC 1/SC 22/WG 23 Programming Language Vulnerabilities	Maintained by Jim Moore, James.W.Moore@ieee.org	If you don't see two frames, click here.
Formerly called the "OWGV"

SC 22 Officers
Chair		Rex Jaeschke	rex at RexJaeschke dot com
Secretariat	ANSI	Marisa Peacock	mpeacock at ansi dot org
WG 23 Officers
Convener		John Benito	benito at bluepilot dot com
Secretary		Jim Moore	James dot W dot Moore at IEEE dot org

Individual Participant	Point of contact for a National Body (see below)	Liaison with a Working Group of ISO / IEC JTC1 / SC22	Liaison with another Organization
John Benito (convener)		.
Ben Brosgol			Java Community: JSR 282: RTSJ and JSR 302: Safety Critical Java Technology
Paul Caseley			UK MOD
Rod Chapman			SPARK
Douglas Crockford			ECMA TC39 (ECMAScript)
Franco Gasperoni	France
Cesar Gonzalez-Perez			ISO/IEC JTC1 / SC7 / WG19
Roman Grahle	Germany
Chris Hills			MISRA Languages L (Category C Liaison)
Kiyoshi Ishihata	Japan
Rex Jaeschke
Derek Jones	UK
Stephen Michell [1]	Canada, SCC
Ed de Moel			MDC (MUMPS)
Jim Moore (secretary)
Dan Nagle		WG5 (Fortran)	PL22.3 (Fortran)
Erhard Ploedereder		WG9 (Ada)	Ada-Europe
Tom Plum	US, INCITS PL22	WG14 (C) WG21 (C++) [2]	ECMA TC49 / TG2 (C#)
Clive Pygott			MISRA C++
Robert Seacord			CERT
Bill Spees			US FDA
Nick Stoughton	.	SC22 (POSIX)	Austin Group
Barry Tauber		WG4 (Cobol)	PL22.4 (Cobol)
Tullio Vardanega	Italy
[1] Additional designated experts from Canada include: Robert Klarer and Michell Wong. [2] Additional liaison representatives from WG21 include: Matt Austern, Steve Clamage, Richard Corden, Gabriel Dos Reis, Nick Maclaren, Thorsten Ottosen, P. J. Plauger, PremAnand Rao, Mike Spertus, Bjarne Stroustrup, and Detlef Vollman.

Canada	SCC	Steve Michell	stephen dot michell at maurya dot on dot ca
France	AFNOR	Franco Gasperoni	gasperon at act-europe dot fr
Germany	DIN	Roman Grahle	roman dot grahle at din dot de
Italy	UNI	Tullio Vardanega	tullio dot vardanega at math dot unipd dot it
Japan	JSA	Kiyoshi Ishihata	ishihata at cs dot meiji dot ac dot jp
Netherlands	NEN	Willem Wakker	willemw at ace dot nl
UK	BSI IST-5	Derek Jones	derek at knosof dot co dot uk
USA	INCITS PL22	Tom Plum	tplum at plumhall dot com

Preliminaries
Jun-Sep 2005	New Work Item Proposal, "Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use," was balloted by SC22 and JTC1 to authorize project. [N0001]
2 Oct 2005	SC22 created OWG:Vulnerabilities to perform project [N0003]. Jim Moore was named as convener.
5 Oct 2005	SC22 Secretariat announced balloting results, assigned project number and directed OWG:Vulnerability to begin work [N0002]: Please note that this project has been assigned the ISO/IEC designation "24772". The OWG: Vulnerabilities is instructed to begin work on this project and prepare a disposition of comments for those National Body comments received on the SC 22 ballot.
6 Oct 2005	Plan for "Moving Forward" [N0004]
13 Mar 2006	Prepared disposition of the comments received on New Work Item Proposal [N0007]
21 Sep 2006	SC22 renewed the OWGV for another year of work [N0045]. It named John Benito as convener and The MITRE Corporation (Jim Moore) as Secretariat.
28 Sep 2007	SC22 plenary: Resolution 07-09 renewed the OWGV for another year of work. It named John Benito as convener and The MITRE Corporation (Jim Moore) as Secretariat. Resolution 07-10 registered PDTR 24772. [N0110]
24 Sep 2008	SC22 plenary: Resolution 08-03 established WG 23 to carry on the work of OWGV. It named John Benito as convener. Resolution 08-06 renamed the document as "Programming Language Vulnerabilities".
First Edition
9 Dec 2008	Draft of 24772 [N0170] prepared for PDTR ballot.
11 Feb 2009	Balloting of PDTR 24772 was completed with 11 nations voting in favor, 1 nation voting against, and 5 nations abstaining. [N0176]
2 Jun 2009	Draft of 24772 [N0191] prepared for 2nd PDTR ballot.
23 Jun 2009	2nd PDTR ballot of 24772 [N0191] initiated. Ballot closes 23 Sep 2009.
27 Sept 2009	Balloting of PDTR 24772 was completed with 8 nations voting in favor, 1 nation voting against, and 8 nations abstaining [N0224]
23 Nov 2009	Draft of 24772 [N0238] prepared for DTR ballot.
15 Dec 2009	DTR ballot of 24772 [N0238] initiated. Ballot closes 16 March 2010.
16 Mar 2010	Balloting of DTR 24772 was completed with 18 nations voting in favor, 0 nations voting against and 13 nations abstaining [N0243]
3 June 2010	Draft submitted for publication [N0257]
23 July 2010	Draft revised and resubmitted [N0267]
23 Sep 2010	Publication proof reviewed and approved [N0285]
29 Sep 2010	ISO/IEC TR 24772:2010 published
July 2011	Technical Report made publicly available here
Second Edition
24 Jan 2012	Draft prepared for PDTR ballot
24 Apr 2012	Balloting of PDTR completed with 15 nations voting in favor, 0 voting against, and 5 abstentions
11 Jul 2012	Draft prepared for PDTR.2 ballot
10 Sep 2012	Scheduled completion of PDTR.2 ballot

ISO/IEC JTC 1/SC 22/WG 23 Programming Language Vulnerabilities Maintained by Jim Moore, James.W.Moore@ieee.org If you don't see two frames, click here. Formerly called the "OWGV"