Programming languages — Guidance to avoiding vulnerabilities in programming languages — Part 2: Ada

This document specifies software programming language vulnerabilities to be avoided in the development of systems where assured behaviour is required for security, safety, mission-critical and business-critical software. In general, this document is applicable to the software developed, reviewed or maintained for any application. Vulnerabilities described in this document present the way that the vulnerability described in ISO/IEC TR 24772-1 are manifested in Ada.

Langages de programmation — Conduite pour éviter les vulnérabilités dans les langages de programmation — Partie 2: Ada

General Information

Status
Published
Publication Date
01-Apr-2020
Current Stage
6060 - International Standard published
Start Date
02-Apr-2020
Due Date
20-Sep-2019
Completion Date
02-Apr-2020
Ref Project

Relations

Buy Standard

Technical report
ISO/IEC TR 24772-2:2020 - Programming languages -- Guidance to avoiding vulnerabilities in programming languages
English language
45 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

TECHNICAL ISO/IEC TR
REPORT 24772-2
First edition
2020-04
Programming languages — Guidance
to avoiding vulnerabilities in
programming languages —
Part 2:
Ada
Langages de programmation — Conduite pour éviter les
vulnérabilités dans les langages de programmation —
Partie 2: Ada
Reference number
ISO/IEC TR 24772-2:2020(E)
©
ISO/IEC 2020

---------------------- Page: 1 ----------------------
ISO/IEC TR 24772-2:2020(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2020 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC TR 24772-2:2020(E)

Contents Page
Foreword .vii
Introduction .viii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Language concepts . 6
4.1 Enumeration type . 6
4.2 Exception. 6
4.3 Hiding . 6
4.4 Implementation defined . 6
4.5 Type conversions . 6
4.6 Operational and Representation Attributes . 7
4.7 User defined types . 7
4.8 Pragma compiler directives . 7
4.8.1 Pragma Atomic .7
4.8.2 Pragma Atomic_Components .7
4.8.3 Pragma Convention .7
4.8.4 Pragma Detect_Blocking .7
4.8.5 Pragma Discard_Names .7
4.8.6 Pragma Export .8
4.8.7 Pragma Import .8
4.8.8 Pragma Normalize_Scalars .8
4.8.9 Pragma Pack .8
4.8.10 Pragma Restrictions .8
4.8.11 Pragma Suppress .8
4.8.12 Pragma Unchecked_Union .8
4.8.13 Pragma Volatile .8
4.8.14 Pragma Volatile_Components .8
4.9 Separate compilation . 8
4.10 Storage pool . 8
4.11 Unsafe programming . 9
5 General guidance for Ada . 9
5.1 Ada language design . 9
5.2 Top avoidance mechanisms .10
6 Specific guidance for Ada .11
6.1 General .11
6.2 Type system [IHN] .11
6.2.1 Applicability to language .11
6.2.2 Guidance to language users .11
6.3 Bit representation [STR] .11
6.3.1 Applicability to language .11
6.3.2 Guidance to language users .11
6.4 Floating-point arithmetic [PLF] .12
6.4.1 Applicability to language .12
6.4.2 Guidance to language users .12
6.5 Enumerator issues [CCB] .12
6.5.1 Applicability to language .12
6.5.2 Guidance to language users .13
6.6 Conversion errors [FLC] .13
6.6.1 Applicability to language .13
6.6.2 Guidance to language users .13
6.7 String termination [CJM] .14
© ISO/IEC 2020 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC TR 24772-2:2020(E)

6.8 Buffer boundary violation (buffer overflow) [HCB] .14
6.9 Unchecked array indexing [XYZ] .14
6.9.1 Applicability to language .14
6.9.2 Guidance to language users .14
6.10 Unchecked array copying [XYW] .14
6.11 Pointer type conversions [HFC] .14
6.11.1 Applicability to language .14
6.11.2 Guidance to language users .15
6.12 Pointer arithmetic [RVG] .15
6.13 Null pointer dereference [XYH] .15
6.13.1 Applicability to the language .15
6.13.2 Guidance to language users .15
6.14 Dangling reference to heap [XYK] .15
6.14.1 Applicability to language .15
6.14.2 Guidance to language users .16
6.15 Arithmetic wrap-around error [FIF] .16
6.16 Using shift operations for multiplication and division [PIK] .16
6.17 Choice of clear names [NAI].16
6.17.1 Applicability to language .16
6.17.2 Guidance to language users .17
6.18 Dead store [WXQ] .17
6.18.1 Applicability to language .17
6.18.2 Guidance to language users .17
6.19 Unused variable [YZS] .17
6.19.1 Applicability to language .17
6.19.2 Guidance to language users .17
6.20 Identifier name reuse [YOW] .18
6.20.1 Applicability to language .18
6.20.2 Guidance to language users .18
6.21 Namespace issues [BJL].18
6.22 Initialization of variables [LAV] .18
6.22.1 Applicability to language .18
6.22.2 Guidance to language users .19
6.23 Operator precedence/order of evaluation [JCW].19
6.23.1 Applicability to language .19
6.23.2 Guidance to language users .19
6.24 Side-effects and order of evaluation [SAM] .20
6.24.1 Applicability to language .20
6.24.2 Guidance to language users .20
6.25 Likely incorrect expression [KOA] .20
6.25.1 Applicability to language .20
6.25.2 Guidance to language users .21
6.26 Dead and deactivated code [XYQ] .21
6.26.1 Applicability to language .21
6.26.2 Guidance to language users .21
6.27 Switch statements and static analysis [CLL] .21
6.27.1 Applicability to language .21
6.27.2 Guidance to language users .22
6.28 Demarcation of control flow [EOJ] .22
6.29 Loop control variables [TEX] .22
6.30 Off-by-one error [XZH] .22
6.30.1 Applicability to language .22
6.30.2 Guidance to language users .23
6.31 Unstructured programming [EWD] .23
6.31.1 Applicability to language .23
6.31.2 Guidance to language users .23
6.32 Passing parameters and return values [CSJ] .23
6.32.1 Applicability to language .23
iv © ISO/IEC 2020 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC TR 24772-2:2020(E)

6.32.2 Guidance to language users .23
6.33 Dangling references to stack frames [DCM] .23
6.33.1 Applicability to language .23
6.33.2 Guidance to language users .24
6.34 Subprogram signature mismatch [OTR] .24
6.34.1 Applicability to language .24
6.34.2 Guidance to language users .24
6.35 Recursion [GDL] .25
6.35.1 Applicability to language .25
6.35.2 Guidance to language users .25
6.36 Ignored error status and unhandled exceptions [OYB] .25
6.36.1 Applicability to language .25
6.36.2 Guidance to language users .25
6.37 Type-breaking reinterpretation of data [AMV] .25
6.37.1 Applicability to language .25
6.37.2 Guidance to language users .26
6.38 Deep vs. shallow copying [YAN] .26
6.38.1 Applicability to language .26
6.38.2 Guidance to language users .26
6.39 Memory leak and heap fragmentation [XYL] .26
6.39.1 Applicability to language .26
6.39.2 Guidance to language users .27
6.40 Templates and generics [SYM] .27
6.41 Inheritance [RIP] .27
6.41.1 Applicability to language .27
6.41.2 Guidance to language users .27
6.42 Violations of the Liskov substitution principle or the contract model [BLP] .28
6.42.1 Applicability to language .28
6.42.2 Guidance to language users .28
6.43 Redispatching [PPH] .28
6.43.1 Applicability to language .28
6.43.2 Guidance to language users .28
6.44 Polymorphic variables [BKK] .29
6.44.1 Applicability to language .29
6.44.2 Guidance to language users .29
6.45 Extra intrinsics [LRM] .29
6.46 Argument passing to library functions [TRJ .29
6.46.1 Applicability to language .29
6.46.2 Guidance to language users .30
6.47 Inter-language calling [DJS] .30
6.47.1 Applicability to language .30
6.47.2 Guidance to language users .30
6.48 Dynamically-linked code and self-modifying code [NYY] .30
6.49 Library signature [NSQ] .30
6.49.1 Applicability to language .30
6.49.2 Guidance to language users .31
6.50 Unanticipated exceptions from library routines [HJW] .31
6.50.1 Applicability to language .31
6.50.2 Guidance to language users .31
6.51 Pre-processor directives [NMP] .31
6.52 Suppression of language-defined run-time checking [MXB].31
6.52.1 Applicability to Language .
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.