iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO/IEC TR 24772:2013

(Main)

Information technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages through language selection and use

Information technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages through language selection and use

ISO/IEC TR 24772:2013 specifies software programming language vulnerabilities to be avoided in the development of systems where assured behaviour is required for security, safety, mission-critical and business-critical software. In general, this guidance is applicable to the software developed, reviewed, or maintained for any application. Vulnerabilities are described in a generic manner that is applicable to a broad range of programming languages.

Technologies de l'information — Langages de programmation — Conduite pour éviter les vulnérabilités dans les langages de programmation à travers la sélection et l'usage de la langue

General Information

Status
Withdrawn
Publication Date
03-Mar-2013
Withdrawal Date
03-Mar-2013
ICS
35.060 - Languages used in information technology
Technical Committee
ISO/IEC JTC 1/SC 22 - Programming languages, their environments and system software interfaces
Drafting Committee
ISO/IEC JTC 1/SC 22 - Programming languages, their environments and system software interfaces
Current Stage
9599 - Withdrawal of International Standard
Completion Date
10-Dec-2019
Ref Project

Relations

Revised
ISO/IEC TR 24772-2:2020 - Programming languages — Guidance to avoiding vulnerabilities in programming languages — Part 2: Ada
Effective Date
09-Apr-2016
Revised
ISO/IEC TR 24772-3:2020 - Programming languages — Guidance to avoiding vulnerabilities in programming languages — Part 3: C
Effective Date
09-Apr-2016
Revised
ISO/IEC TR 24772-1:2019 - Programming languages — Guidance to avoiding vulnerabilities in programming languages — Part 1: Language-independent guidance
Effective Date
09-Apr-2016
Revises
ISO/IEC TR 24772:2010 - Information technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages through language selection and use
Effective Date
04-Feb-2012

Buy Standard

ISO/IEC TR 24772:2013 - Information technology -- Programming languages -- Guidance to avoiding vulnerabilities in programming languages through language selection and useISO/IEC TR 24772:2013 - Information technology -- Programming languages -- Guidance to avoiding vulnerabilities in programming languages through language selection and use
PreviousNext
Technical report
ISO/IEC TR 24772:2013 - Information technology -- Programming languages -- Guidance to avoiding vulnerabilities in programming languages through language selection and use
English language
319 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

TECHNICAL ISO/IEC
REPORT TR
24772
Second edition
2013-03-01


Information technology — Programming
languages — Guidance to avoiding
vulnerabilities in programming languages
through language selection and use
Technologies de l'information — Langages de programmation —
Conduite pour éviter les vulnérabilités dans les langages de
programmation à travers la sélection et l'usage de la langue




Reference number
ISO/IEC TR 24772:2013(E)
©
ISO/IEC 2013

---------------------- Page: 1 ----------------------
ISO/IEC TR 24772:2013(E)

COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any
means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission.
Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2013 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC TR 24772:2013
Contents Page
Foreword . xv
Introduction . xvi
1. Scope. 1
2. Normative references . 1
3. Terms and definitions, symbols and conventions . 1
3.1 Terms and definitions . 1
3.2 Symbols and conventions . 5
4. Basic concepts . 6
4.1 Purpose of this Technical Report . 6
4.2 Intended audience . 6
4.3 How to use this document . 7
5 Vulnerability issues . 8
5.1 Predictable execution . 8
5.2 Sources of unpredictability in language specification . 9
5.2.1 Incomplete or evolving specification . 9
5.2.2 Undefined behaviour . 10
5.2.3 Unspecified behaviour . 10
5.2.4 Implementation-defined behaviour . 10
5.2.5 Difficult features . 10
5.2.6 Inadequate language support . 10
5.3 Sources of unpredictability in language usage . 10
5.3.1 Porting and interoperation . 10
5.3.2 Compiler selection and usage . 11
6. Programming Language Vulnerabilities . 11
6.1 General . 11
6.2 Terminology . 11
6.3 Type System [IHN] . 12
6.4 Bit Representations [STR] . 14
6.5 Floating-point Arithmetic [PLF] . 16
6.6 Enumerator Issues [CCB] . 18
6.7 Numeric Conversion Errors [FLC] . 20
6.8 String Termination [CJM] . 22
6.9 Buffer Boundary Violation (Buffer Overflow) [HCB] . 23
6.10 Unchecked Array Indexing [XYZ] . 25
6.11 Unchecked Array Copying [XYW] . 27
6.12 Pointer Casting and Pointer Type Changes [HFC] . 28
6.13 Pointer Arithmetic [RVG] . 29
© ISO/IEC 2013 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC TR 24772:2013
6.14 Null Pointer Dereference [XYH] . 30
6.15 Dangling Reference to Heap [XYK] . 31
6.16 Arithmetic Wrap-around Error [FIF] . 34
6.17 Using Shift Operations for Multiplication and Division [PIK] . 35
6.18 Sign Extension Error [XZI] . 36
6.19 Choice of Clear Names [NAI] . 37
6.20 Dead Store [WXQ] . 39
6.21 Unused Variable [YZS] . 40
6.22 Identifier Name Reuse [YOW] . 41
6.23 Namespace Issues [BJL] . 43
6.24 Initialization of Variables [LAV] . 45
6.25 Operator Precedence/Order of Evaluation [JCW] . 47
6.26 Side-effects and Order of Evaluation [SAM] . 49
6.27 Likely Incorrect Expression [KOA] . 50
6.28 Dead and Deactivated Code [XYQ]. 52
6.29 Switch Statements and Static Analysis [CLL] . 54
6.30 Demarcation of Control Flow [EOJ] . 56
6.31 Loop Control Variables [TEX] . 57
6.32 Off-by-one Error [XZH] . 58
6.33 Structured Programming [EWD] . 60
6.34 Passing Parameters and Return Values [CSJ] . 61
6.35 Dangling References to Stack Frames [DCM] . 63
6.36 Subprogram Signature Mismatch [OTR] . 65
6.37 Recursion [GDL] . 67
6.38 Ignored Error Status and Unhandled Exceptions [OYB] . 68
6.39 Termination Strategy [REU] . 70
6.40 Type-breaking Reinterpretation of Data [AMV] . 72
6.41 Memory Leak [XYL] . 74
6.42 Templates and Generics [SYM] . 76
6.43 Inheritance [RIP] . 78
6.44 Extra Intrinsics [LRM] . 79
6.45 Argument Passing to Library Functions [TRJ] . 80
6.46 Inter-language Calling [DJS] . 81
6.47 Dynamically-linked Code and Self-modifying Code [NYY] . 83
6.48 Library Signature [NSQ] . 84
6.49 Unanticipated Exceptions from Library Routines [HJW] . 86
6.50 Pre-processor Directives [NMP] . 87
6.51 Suppression of Language-defined Run-time Checking [MXB] . 89
6.52 Provision of Inherently Unsafe Operations [SKL] . 90
6.53 Obscure Language Features [BRS] . 91
6.54 Unspecified Behaviour [BQF] . 92
6.55 Undefined Behaviour [EWF] . 94
6.56 Implementation-defined Behaviour [FAB] . 95
6.57 Deprecated Language Features [MEM] . 97
iv © ISO/IEC 2013 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC TR 24772:2013
7. Application Vulnerabilities . 98
7.1 General . 98
7.2 Terminology . 99
7.3 Unspecified Functionality [BVQ] . 99
7.4 Distinguished Values in Data Types [KLK] . 100
7.5 Adherence to Least Privilege [XYN] . 101
7.6 Privilege Sandbox Issues [XYO] . 102
7.7 Executing or Loading Untrusted Code [XYS] . 103
7.8 Memory Locking [XZX] . 104
7.9 Resource Exhaustion [XZP] . 105
7.10 Unrestricted File Upload [CBF] . 107
7.11 Resource Names [HTS] . 108
7.12 Injection [RST] . 109
7.13 Cross-site Scripting [XYT] . 112
7.14 Unquoted Search Path or Element [XZQ] . 115
7.15 Improperly Verified Signature [XZR] . 115
7.16 Discrepancy Information Leak [XZL] . 116
7.17 Sensitive Information Uncleared Before Use [XZK] . 117
7.18 Path Traversal [EWR] . 118
7.19 Missing Required Cryptographic Step [XZS] . 120
7.20 Insufficiently Protected Credentials [XYM] . 121
7.21 Missing or Inconsistent Access Control [XZN] . 122
7.22 Authentication Logic Error [XZO] . 122
7.23 Hard-coded Password [XYP] . 124
8. New Vulnerabilities . 125
8.1 General . 125
8.2 Terminology . 125
8.3 Concurrency – Activation [CGA] . 125
8.4 Concurrency – Directed termination [CGT] . 127
8.5 Concurrent Data Access [CGX] . 129
8.6 Concurrency – Premature Termination [CGS] . 130
8.7 Protocol Lock Errors [CGM] . 132
8.8 Inadequately Secure Communication of Shared Resources [CGY] . 134
Annex A (informative) Vulnerability Taxonomy and List . 136
A.1 General . 136
A.2 Outline of Programming Language Vulnerabilities . 136
A.3 Outline of Application Vulnerabilities . 138
A.4 Vulnerability List . 138
Annex B (informative) Language Specific Vulnerability Template . 141
Annex C (informative) Vulnerability descriptions for the language Ada . 143
C.1 Identification of standards and associated documentation . 143
C.2 General terminology and concepts . 143
© ISO/IEC 2013 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/IEC TR 24772:2013
C.3 Type System [IHN] . 149
C.4 Bit Representation [STR] . 149
C.5 Floating-point Arithmetic [PLF] . 150
C.6 Enumerator Issues [CCB] . 150
C.7 Numeric Conversion Errors [FLC] . 151
C.8 String Termination [CJM] . 151
C.9 Buffer Boundary Violation (Buffer Overflow) [HCB] . 152
C.10 Unchecked Array Indexing [XYZ] . 152
C.11 Unchecked Array Copying [XYW] . 152
C.12 Pointer Casting and Pointer Type Changes [HFC] . 152
C.13 Pointer Arithmetic [RVG] . 153
C.14 Null Pointer Dereference [XYH] . 153
C.15 Dangling Reference to Heap [XYK] . 153
C.16 Arithmetic Wrap-around Error [FIF] . 153
C.17 Using Shift Operations for Multiplication and Division [PIK] . 154
C.18 Sign Extension Error [XZI] . 154
C.19 Choice of Clear Names [NAI] . 154
C.20 Dead store [WXQ] . 155
C.21 Unused Variable [YZS] . 155
C.22 Identifier Name Reuse [YOW] . 156
C.23 Namespace Issues [BJL] . 156
C.24 Initialization of Variables [LAV] . 156
C.25 Operator Precedence/Order of Evaluation [JCW] . 157
C.26 Side-effects and Order of Evaluation [SAM] . 157
C.27 Likely Incorrect Expression [KOA] . 158
C.28 Dead and Deactivated Code [XYQ] . 159
C.29 Switch Statements and Static Analysis [CLL] . 159
C.30 Demarcation of Control Flow [EOJ] . 160
C.31 Loop Control Variables [TEX] . 160
C.32 Off-by-one Error [XZH] . 160
C.33 Structured Programming [EWD] . 161
C.34 Passing Parameters and Return Values [CSJ] . 161
C.35 Dangling References to Stack Frames [DCM] . 162
C.36 Subprogram Signature Mismatch [OTR] . 162
C.37 Recursion [GDL] . 163
C.38 Ignored Error Status and Unhandled Exceptions [OYB] . 163
C.39 Termination Strategy [REU] . 164
C.40 Type-breaking Reinterpretation of Data [AMV] . 164
C.41 Memory Leak [XYL] . 165
C.42 Templates and Generics [SYM] . 165
C.43 Inheritance [RIP] . 166
C.44 Extra Intrinsics [LRM] . 166
C.45 Argument Passing to Library Functions [TRJ] . 166
C.46 Inter-language Calling [DJS] . 167
vi © ISO/IEC 2013 – All rights reserved

---------------------- Page: 6 ----------------------
ISO/IEC TR 24772:2013
C.47 Dynamically-linked Code and Self-modifying Code [NYY] . 167
C.48 Library Signature [NSQ] . 167
C.49 Unanticipated Exceptions from Library Routines [HJW] . 167
C.50 Pre-Processor Directives [NMP] . 168
C.51 Suppression of Language-defined Run-time Checking [MXB] . 168
C.52 Provision of Inherently Unsafe Operations [SKL] . 168
C.53 Obscure Language Features [BRS] . 169
C.54 Unspecified Behaviour [BQF] . 169
C.55 Undefined Behaviour [EWF] . 170
C.56 Implementation-Defined Behaviour [FAB] . 171
C.57 Deprecated Language Features [MEM] . 172
C.58 Implications for standardization . 172
Annex D (informative) Vulnerability descriptions for the language C . 174
D.1 Identification of standards and associated documents . 174
D.2 General terminology and concepts . 174
D.3 Type System [IHN] . 177
D.4 Bit Representations [STR] . 178
D.5 Floating-point Arithmetic [PLF] . 179
D.6 Enumerator Issues [CCB] . 180
D.7 Numeric Conversion Errors [FLC] . 181
D.8 String Termination [CJM] . 183
D.9 Buffer Boundary Violation (Buffer Overflow) [HCB] . 183
D.10 Unchecked Array Indexing [XYZ] . 185
D.11 Unchecked Array Copying [XYW] . 185
D.12 Pointer Casting and Pointer Type Changes [HFC] . 186
D.13 Pointer Arithmetic [RVG] . 186
D.14 Null Pointer Dereference [XYH] . 187
D.15 Dangling Reference to Heap [XYK] .
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/IEC 8652:2023(Main)
Information technology — Programming languages — Ada
oSIST ISO/IEC DIS 8652:2021

This document specifies the form and meaning of programs written in Ada. Its purpose is to promote the portability of Ada programs to a variety of computing systems. This document specifies: — The form of a program written in Ada; — The effect of translating and executing such a program; — The manner in which program units can be combined to form Ada programs; — The language-defined library units that a conforming implementation is required to supply; — The permissible variations in conformance to the rules of this document, and the manner in which they are to be documented; — Those violations of the requirements of this document that a conforming implementation is required to detect, and the effect of attempting to translate or execute a program containing such violations; — Those violations of the requirements of this document that a conforming implementation is not required to detect. This document does not specify: — The means whereby a program written in Ada is transformed into object code executable by a processor; — The means whereby translation or execution of programs is invoked and the executing units are controlled; — The size or speed of the object code, or the relative execution speed of different language constructs; — The form or contents of any listings produced by implementations; in particular, the form or contents of error or warning messages; — The effect of unspecified execution; — The size of a program or program unit that will exceed the capacity of a particular conforming implementation.

  • Standard
    1048 pages
    English language
    sale 15% off
ISO
ISO/IEC 1539-1:2018/Cor 2:2023(Corrigendum)
Information technology — Programming languages — Fortran — Part 1: Base language — Technical Corrigendum 2
  • Standard
    6 pages
    English language
    sale 15% off
  • Standard
    6 pages
    English language
    sale 15% off
ISO
ISO/IEC 1989:2023(Main)
Information technology — Programming languages, their environments and system software interfaces — Programming language COBOL

This document specifies the syntax and semantics of COBOL. Its purpose is to promote a high degree of machine independence to permit the use of COBOL on a variety of data processing systems. This document specifies: The form of a compilation group written in COBOL. The effect of compiling a compilation group. The effect of executing run units. The elements of the language for which a conforming implementation is required to supply a definition. The elements of the language for which meaning is explicitly undefined. The elements of the language that are dependent on the capabilities of the processor. This document does not specify: The means whereby a compilation group written in COBOL is compiled into code executable by a processor. The time at which method, function, or program runtime modules are linked or bound to an activating statement, except that runtime binding occurs of necessity when the identification of the appropriate program or method is not known at compile time. The time at which parameterized classes and interfaces are expanded. The mechanism by which locales are defined and made available on a processor. The form or content of error, flagging, or warning messages. The form and content of listings produced during compilation, if any. The form of documentation produced by an implementor of products conforming to this document. The sharing of objects and resources other than files among run units.

  • Standard
    1229 pages
    English language
    sale 15% off
ISO
ISO/IEC TS 23619:2021(Main)
Information technology — C++ extensions for reflection

This document describes extensions to the C++ Programming Language (Clause 2) that enable operations on source code. These extensions include new syntactic forms and modifications to existing language semantics, as well as changes and additions to the existing library facilities. Instructions to modify or add paragraphs are written as explicit instructions. Modifications made directly to existing text from ISO/IEC 14882:2020 use underlining to represent added text and strikethrough to represent deleted text.

  • Technical specification
    46 pages
    English language
    sale 15% off
  • Draft
    46 pages
    English language
    sale 15% off
ISO
ISO/IEC 1539-1:2018/Cor 1:2021(Corrigendum)
Information technology — Programming languages — Fortran — Part 1: Base language — Technical Corrigendum 1
  • Standard
    6 pages
    English language
    sale 15% off
ISO
ISO/IEC 14882:2020(Main)
Programming languages — C++

This document specifies requirements for implementations of the C++ programming language. The first such requirement is that they implement the language, so this document also defines C++. Other requirements and relaxations of the first requirement appear at various places within this document. C++ is a general purpose programming language based on the C programming language as described in ISO/IEC 9899:2018 Programming languages — C (hereinafter referred to as the C standard). C++ provides many facilities beyond those provided by C, including additional data types, classes, templates, exceptions, namespaces, operator overloading, function name overloading, references, free store management operators, and additional library facilities.

  • Standard
    1853 pages
    English language
    sale 15% off
ISO
ISO/IEC TR 24772-3:2020(Main)
Programming languages — Guidance to avoiding vulnerabilities in programming languages — Part 3: C

This document specifies software programming language vulnerabilities to be avoided in the development of systems where assured behaviour is required for security, safety, mission-critical and business-critical software. In general, this guidance is applicable to the software developed, reviewed, or maintained for any application. This document describes the way that the vulnerabilities listed in ISO/IEC TR 24772-1 are manifested or avoided in the C language.

  • Technical report
    42 pages
    English language
    sale 15% off
  • Technical report
    42 pages
    English language
    sale 15% off
ISO
ISO/IEC TR 24772-2:2020(Main)
Programming languages — Guidance to avoiding vulnerabilities in programming languages — Part 2: Ada

This document specifies software programming language vulnerabilities to be avoided in the development of systems where assured behaviour is required for security, safety, mission-critical and business-critical software. In general, this document is applicable to the software developed, reviewed or maintained for any application. Vulnerabilities described in this document present the way that the vulnerability described in ISO/IEC TR 24772-1 are manifested in Ada.

  • Technical report
    45 pages
    English language
    sale 15% off
ISO
ISO/IEC TR 24772-1:2019(Main)
Programming languages — Guidance to avoiding vulnerabilities in programming languages — Part 1: Language-independent guidance

This document specifies software programming language vulnerabilities to be avoided in the development of systems where assured behaviour is required for security, safety, mission-critical and business-critical software. Language-specific descriptions of these vulnerabilities are provided in other parts of the ISO/IEC 24772 series. It is applicable to the software developed, reviewed, or maintained for any application. This document does not address software engineering and management issues such as how to design and implement programs, use configuration management tools, use managerial processes, and perform process improvement. Furthermore, the specification of properties and applications to be assured are not treated. Vulnerabilities are described in a generic manner that is applicable to a broad range of programming languages.

  • Technical report
    166 pages
    English language
    sale 15% off
ISO
ISO/IEC 23270:2018(Main)
Information technology — Programming languages — C#

This specification describes the form and establishes the interpretation of programs written in the C# programming language. It describes: — The representation of C# programs; — The syntax and constraints of the C# language; — The semantic rules for interpreting C# programs; — The restrictions and limits imposed by a conforming implementation of C#. This specification does not describe — The mechanism by which C# programs are transformed for use by a data-processing system; — The mechanism by which C# applications are invoked for use by a data-processing system; — The mechanism by which input data are transformed for use by a C# application; — The mechanism by which output data are transformed after being produced by a C# application; — The size or complexity of a program and its data that will exceed the capacity of any specific data-processing system or the capacity of a particular processor; — All minimal requirements of a data-processing system that is capable of supporting a conforming implementation.

  • Standard
    511 pages
    English language
    sale 15% off