Programming languages — Avoiding vulnerabilities in programming languages — Part 1: Language-independent catalogue of vulnerabilities

This document enumerates approaches and techniques to avoid software programming language vulnerabilities in the development of systems where assured behaviour is required for security, safety, mission-critical and business-critical software. In general, the description of the vulnerabilities and description of avoidance mechanisms are applicable to the software developed, reviewed, or maintained for any application. Vulnerabilities are described in a generic manner that is applicable to a broad range of programming languages.

Langages de programmation — Conduite pour éviter les vulnérabilités dans les langages de programmation — Partie 1: Catalogue de vulnérabilités indépendant du langage

General Information

Status
Published
Publication Date
28-Oct-2024
Current Stage
6060 - International Standard published
Start Date
29-Oct-2024
Due Date
29-Oct-2024
Completion Date
29-Oct-2024
Ref Project

Relations

Buy Standard

Standard
ISO/IEC 24772-1:2024 - Programming languages — Avoiding vulnerabilities in programming languages — Part 1: Language-independent catalogue of vulnerabilities Released:10/29/2024
English language
153 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)


International
Standard
ISO/IEC 24772-1
First edition
Programming languages — Avoiding
2024-10
vulnerabilities in programming
languages —
Part 1:
Language-independent catalogue of
vulnerabilities
Langages de programmation — Conduite pour éviter les
vulnérabilités dans les langages de programmation —
Partie 1: Catalogue de vulnérabilités indépendant du langage
Reference number
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2024 – All rights reserved
ii
Contents Page
Foreword . xv
Introduction . xvii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
3.1 Communication .1
3.2 Execution model .1
3.3 Properties .2
3.4 Safety and security .3
3.5 Vulnerabilities .3
3.6 Specific vulnerabilities .3
4 Using this document . 4
4.1 Purpose of this document .4
4.2 Applying this document .5
4.3 Structure of this document .6
5 General vulnerability issues and primary avoidance mechanisms . 7
5.1 General vulnerability issues .7
5.1.1 Predictable execution .7
5.1.2 Sources of unpredictability in language specification .8
5.1.3 Sources of unpredictability in language usage .9
5.2 Primary avoidance mechanisms .9
6 Programming language vulnerabilities.11
6.1 General .11
6.2 Type system [IHN]. 12
6.2.1 Description of application vulnerability . 12
6.2.2 Related coding guidelines . 12
6.2.3 Mechanism of failure . 12
6.2.4 Applicable language characteristics . 13
6.2.5 Avoiding the vulnerability or mitigating its effects . 13
6.2.6 Implications for language design and evolution .14
6.3 Bit representations [STR] .14
6.3.1 Description of application vulnerability .14
6.3.2 Related coding guidelines .14
6.3.3 Mechanism of failure . 15
6.3.4 Applicable language characteristics . 15
6.3.5 Avoiding the vulnerability or mitigating its effects . 15
6.3.6 Implications for language design and evolution .16
6.4 Floating-point arithmetic [PLF] .16
6.4.1 Description of application vulnerability .16
6.4.2 Related coding guidelines .16
6.4.3 Mechanism of failure .16
6.4.4 Applicable language characteristics .17
6.4.5 Avoiding the vulnerability or mitigating its effects .17
6.4.6 Implications for language design and evolution .18
6.5 Enumerator issues [CCB] .18
6.5.1 Description of application vulnerability .18
6.5.2 Related coding guidelines .19
6.5.3 Mechanism of failure .19
6.5.4 Applicable language Characteristics .19
6.5.5 Avoiding the vulnerability or mitigating its effects . 20
6.5.6 Implications for language design and evolution . 20
6.6 Conversion errors [FLC] . 20
6.6.1 Description of application vulnerability . 20

© ISO/IEC 2024 – All rights reserved
iii
6.6.2 Related coding guidelines . 20
6.6.3 Mechanism of failure .21
6.6.4 Applicable language characteristics .21
6.6.5 Avoiding the vulnerability or mitigating its effects .21
6.6.6 Implications for language design and evolution . 22
6.7 String termination [CJM] . 22
6.7.1 Description of application vulnerability . 22
6.7.2 Related coding guidelines . 22
6.7.3 Mechanism of failure . 22
6.7.4 Applicable language characteristics . 22
6.7.5 Avoiding the vulnerability or mitigating its effects . 23
6.7.6 Implications for language design and evolution . 23
6.8 Buffer boundary violation (buffer overflow) [HCB] . 23
6.8.1 Description of application vulnerability . 23
6.8.2 Related coding guidelines . 23
6.8.3 Mechanism of failure .24
6.8.4 Applicable language characteristics .24
6.8.5 Avoiding the vulnerability or mitigating its effects .24
6.8.6 Implications for language design and evolution . 25
6.9 Unchecked array indexing [XYZ] . 25
6.9.1 Description of application vulnerability . 25
6.9.2 Related coding guidelines .
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.