Information technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages through language selection and use

ISO/IEC TR 24772:2013 specifies software programming language vulnerabilities to be avoided in the development of systems where assured behaviour is required for security, safety, mission-critical and business-critical software. In general, this guidance is applicable to the software developed, reviewed, or maintained for any application. Vulnerabilities are described in a generic manner that is applicable to a broad range of programming languages.

Technologies de l'information — Langages de programmation — Conduite pour éviter les vulnérabilités dans les langages de programmation à travers la sélection et l'usage de la langue

General Information

Status
Withdrawn
Publication Date
03-Mar-2013
Withdrawal Date
03-Mar-2013
Current Stage
9599 - Withdrawal of International Standard
Completion Date
10-Dec-2019
Ref Project

Relations

Buy Standard

Technical report
ISO/IEC TR 24772:2013 - Information technology -- Programming languages -- Guidance to avoiding vulnerabilities in programming languages through language selection and use
English language
319 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

TECHNICAL ISO/IEC
REPORT TR
24772
Second edition
2013-03-01


Information technology — Programming
languages — Guidance to avoiding
vulnerabilities in programming languages
through language selection and use
Technologies de l'information — Langages de programmation —
Conduite pour éviter les vulnérabilités dans les langages de
programmation à travers la sélection et l'usage de la langue




Reference number
ISO/IEC TR 24772:2013(E)
©
ISO/IEC 2013

---------------------- Page: 1 ----------------------
ISO/IEC TR 24772:2013(E)

COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any
means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission.
Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2013 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC TR 24772:2013
Contents Page
Foreword . xv
Introduction . xvi
1. Scope. 1
2. Normative references . 1
3. Terms and definitions, symbols and conventions . 1
3.1 Terms and definitions . 1
3.2 Symbols and conventions . 5
4. Basic concepts . 6
4.1 Purpose of this Technical Report . 6
4.2 Intended audience . 6
4.3 How to use this document . 7
5 Vulnerability issues . 8
5.1 Predictable execution . 8
5.2 Sources of unpredictability in language specification . 9
5.2.1 Incomplete or evolving specification . 9
5.2.2 Undefined behaviour . 10
5.2.3 Unspecified behaviour . 10
5.2.4 Implementation-defined behaviour . 10
5.2.5 Difficult features . 10
5.2.6 Inadequate language support . 10
5.3 Sources of unpredictability in language usage . 10
5.3.1 Porting and interoperation . 10
5.3.2 Compiler selection and usage . 11
6. Programming Language Vulnerabilities . 11
6.1 General . 11
6.2 Terminology . 11
6.3 Type System [IHN] . 12
6.4 Bit Representations [STR] . 14
6.5 Floating-point Arithmetic [PLF] . 16
6.6 Enumerator Issues [CCB] . 18
6.7 Numeric Conversion Errors [FLC] . 20
6.8 String Termination [CJM] . 22
6.9 Buffer Boundary Violation (Buffer Overflow) [HCB] . 23
6.10 Unchecked Array Indexing [XYZ] . 25
6.11 Unchecked Array Copying [XYW] . 27
6.12 Pointer Casting and Pointer Type Changes [HFC] . 28
6.13 Pointer Arithmetic [RVG] . 29
© ISO/IEC 2013 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC TR 24772:2013
6.14 Null Pointer Dereference [XYH] . 30
6.15 Dangling Reference to Heap [XYK] . 31
6.16 Arithmetic Wrap-around Error [FIF] . 34
6.17 Using Shift Operations for Multiplication and Division [PIK] . 35
6.18 Sign Extension Error [XZI] . 36
6.19 Choice of Clear Names [NAI] . 37
6.20 Dead Store [WXQ] . 39
6.21 Unused Variable [YZS] . 40
6.22 Identifier Name Reuse [YOW] . 41
6.23 Namespace Issues [BJL] . 43
6.24 Initialization of Variables [LAV] . 45
6.25 Operator Precedence/Order of Evaluation [JCW] . 47
6.26 Side-effects and Order of Evaluation [SAM] . 49
6.27 Likely Incorrect Expression [KOA] . 50
6.28 Dead and Deactivated Code [XYQ]. 52
6.29 Switch Statements and Static Analysis [CLL] . 54
6.30 Demarcation of Control Flow [EOJ] . 56
6.31 Loop Control Variables [TEX] . 57
6.32 Off-by-one Error [XZH] . 58
6.33 Structured Programming [EWD] . 60
6.34 Passing Parameters and Return Values [CSJ] . 61
6.35 Dangling References to Stack Frames [DCM] . 63
6.36 Subprogram Signature Mismatch [OTR] . 65
6.37 Recursion [GDL] . 67
6.38 Ignored Error Status and Unhandled Exceptions [OYB] . 68
6.39 Termination Strategy [REU] . 70
6.40 Type-breaking Reinterpretation of Data [AMV] . 72
6.41 Memory Leak [XYL] . 74
6.42 Templates and Generics [SYM] . 76
6.43 Inheritance [RIP] . 78
6.44 Extra Intrinsics [LRM] . 79
6.45 Argument Passing to Library Functions [TRJ] . 80
6.46 Inter-language Calling [DJS] . 81
6.47 Dynamically-linked Code and Self-modifying Code [NYY] . 83
6.48 Library Signature [NSQ] . 84
6.49 Unanticipated Exceptions from Library Routines [HJW] . 86
6.50 Pre-processor Directives [NMP] . 87
6.51 Suppression of Language-defined Run-time Checking [MXB] . 89
6.52 Provision of Inherently Unsafe Operations [SKL] . 90
6.53 Obscure Language Features [BRS] . 91
6.54 Unspecified Behaviour [BQF] . 92
6.55 Undefined Behaviour [EWF] . 94
6.56 Implementation-defined Behaviour [FAB] . 95
6.57 Deprecated Language Features [MEM] . 97
iv © ISO/IEC 2013 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC TR 24772:2013
7. Application Vulnerabilities . 98
7.1 General . 98
7.2 Terminology . 99
7.3 Unspecified Functionality [BVQ] . 99
7.4 Distinguished Values in Data Types [KLK] . 100
7.5 Adherence to Least Privilege [XYN] . 101
7.6 Privilege Sandbox Issues [XYO] . 102
7.7 Executing or Loading Untrusted Code [XYS] . 103
7.8 Memory Locking [XZX] . 104
7.9 Resource Exhaustion [XZP] . 105
7.10 Unrestricted File Upload [CBF] . 107
7.11 Resource Names [HTS] . 108
7.12 Injection [RST] . 109
7.13 Cross-site Scripting [XYT] . 112
7.14 Unquoted Search Path or Element [XZQ] . 115
7.15 Improperly Verified Signature [XZR] . 115
7.16 Discrepancy Information Leak [XZL] . 116
7.17 Sensitive Information Uncleared Before Use [XZK] . 117
7.18 Path Traversal [EWR] . 118
7.19 Missing Required Cryptographic Step [XZS] . 120
7.20 Insufficiently Protected Credentials [XYM] . 121
7.21 Missing or Inconsistent Access Control [XZN] . 122
7.22 Authentication Logic Error [XZO] . 122
7.23 Hard-coded Password [XYP] . 124
8. New Vulnerabilities . 125
8.1 General . 125
8.2 Terminology . 125
8.3 Concurrency – Activation [CGA] . 125
8.4 Concurrency – Directed termination [CGT] . 127
8.5 Concurrent Data Access [CGX] . 129
8.6 Concurrency – Premature Termination [CGS] . 130
8.7 Protocol Lock Errors [CGM] . 132
8.8 Inadequately Secure Communication of Shared Resources [CGY] . 134
Annex A (informative) Vulnerability Taxonomy and List . 136
A.1 General . 136
A.2 Outline of Programming Language Vulnerabilities . 136
A.3 Outline of Application Vulnerabilities . 138
A.4 Vulnerability List . 138
Annex B (informative) Language Specific Vulnerability Template . 141
Annex C (informative) Vulnerability descriptions for the language Ada . 143
C.1 Identification of standards and associated documentation . 143
C.2 General terminology and concepts . 143
© ISO/IEC 2013 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/IEC TR 24772:2013
C.3 Type System [IHN] . 149
C.4 Bit Representation [STR] . 149
C.5 Floating-point Arithmetic [PLF] . 150
C.6 Enumerator Issues [CCB] . 150
C.7 Numeric Conversion Errors [FLC] . 151
C.8 String Termination [CJM] . 151
C.9 Buffer Boundary Violation (Buffer Overflow) [HCB] . 152
C.10 Unchecked Array Indexing [XYZ] . 152
C.11 Unchecked Array Copying [XYW] . 152
C.12 Pointer Casting and Pointer Type Changes [HFC] . 152
C.13 Pointer Arithmetic [RVG] . 153
C.14 Null Pointer Dereference [XYH] . 153
C.15 Dangling Reference to Heap [XYK] . 153
C.16 Arithmetic Wrap-around Error [FIF] . 153
C.17 Using Shift Operations for Multiplication and Division [PIK] . 154
C.18 Sign Extension Error [XZI] . 154
C.19 Choice of Clear Names [NAI] . 154
C.20 Dead store [WXQ] . 155
C.21 Unused Variable [YZS] . 155
C.22 Identifier Name Reuse [YOW] . 156
C.23 Namespace Issues [BJL] . 156
C.24 Initialization of Variables [LAV] . 156
C.25 Operator Precedence/Order of Evaluation [JCW] . 157
C.26 Side-effects and Order of Evaluation [SAM] . 157
C.27 Likely Incorrect Expression [KOA] . 158
C.28 Dead and Deactivated Code [XYQ] . 159
C.29 Switch Statements and Static Analysis [CLL] . 159
C.30 Demarcation of Control Flow [EOJ] . 160
C.31 Loop Control Variables [TEX] . 160
C.32 Off-by-one Error [XZH] . 160
C.33 Structured Programming [EWD] . 161
C.34 Passing Parameters and Return Values [CSJ] . 161
C.35 Dangling References to Stack Frames [DCM] . 162
C.36 Subprogram Signature Mismatch [OTR] . 162
C.37 Recursion [GDL] . 163
C.38 Ignored Error Status and Unhandled Exceptions [OYB] . 163
C.39 Termination Strategy [REU] . 164
C.40 Type-breaking Reinterpretation of Data [AMV] . 164
C.41 Memory Leak [XYL] . 165
C.42 Templates and Generics [SYM] . 165
C.43 Inheritance [RIP] . 166
C.44 Extra Intrinsics [LRM] . 166
C.45 Argument Passing to Library Functions [TRJ] . 166
C.46 Inter-language Calling [DJS] . 167
vi © ISO/IEC 2013 – All rights reserved

---------------------- Page: 6 ----------------------
ISO/IEC TR 24772:2013
C.47 Dynamically-linked Code and Self-modifying Code [NYY] . 167
C.48 Library Signature [NSQ] . 167
C.49 Unanticipated Exceptions from Library Routines [HJW] . 167
C.50 Pre-Processor Directives [NMP] . 168
C.51 Suppression of Language-defined Run-time Checking [MXB] . 168
C.52 Provision of Inherently Unsafe Operations [SKL] . 168
C.53 Obscure Language Features [BRS] . 169
C.54 Unspecified Behaviour [BQF] . 169
C.55 Undefined Behaviour [EWF] . 170
C.56 Implementation-Defined Behaviour [FAB] . 171
C.57 Deprecated Language Features [MEM] . 172
C.58 Implications for standardization . 172
Annex D (informative) Vulnerability descriptions for the language C . 174
D.1 Identification of standards and associated documents . 174
D.2 General terminology and concepts . 174
D.3 Type System [IHN] . 177
D.4 Bit Representations [STR] . 178
D.5 Floating-point Arithmetic [PLF] . 179
D.6 Enumerator Issues [CCB] . 180
D.7 Numeric Conversion Errors [FLC] . 181
D.8 String Termination [CJM] . 183
D.9 Buffer Boundary Violation (Buffer Overflow) [HCB] . 183
D.10 Unchecked Array Indexing [XYZ] . 185
D.11 Unchecked Array Copying [XYW] . 185
D.12 Pointer Casting and Pointer Type Changes [HFC] . 186
D.13 Pointer Arithmetic [RVG] . 186
D.14 Null Pointer Dereference [XYH] . 187
D.15 Dangling Reference to Heap [XYK] .
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.