ISO/IEC JTC1 SC 22/WG 23 – SC27/WG 3

Introducing SC 22/WG23

Stephen Michell, SC 22/WG 23 (A/)Convener

Tatsuaki Takebe, SC 22/WG 23 expert, SC 27/WG 3, WG 4 expert

Agenda
• SC 22 Structure
• WG 23 projects
• IS 17960 Code Signing
• TR 24772 Guidance to avoiding programming language vulnerabilities
  o Structure
  o Concepts
  o How to use
  o Example Vulnerability
• SC 22/WG 23 – SC 27/WG 3,4 Co-operation

SC 22
• SC 22 Structure
  o WG4 - COBOL
  o WG5 - Fortran
  o WG9 - Ada
  o WG14 - C
  o WG17 - Prolog
  o WG21 - C++
  o WG23 - Programming Language Vulnerabilities

WG23 Projects
• ISO/IEC TR 24772
  o Guidance to avoiding vulnerabilities in programming languages through language selection and use
  o Edition 1 published 2010: language independent part
  o Edition 2 published 2012: added language-specific annexes and revisions
  o Edition 3 document stage: (10) development stage
• ISO/IEC IS 17960
  o Code Signing for Source Code
  o Document Stage: finished DIS

What is ISO/IEC 17960
• Information Technology—Programming languages, their environments and system software interfaces—Code Signing for Source Code
• Specifies the process for signing source code in large systems where code comes from diverse sources
• Ensures the integrity and authenticity of the source code
• Ensures a means for rolling back the source code to previously signed versions
• Baseline for secure configuration management
• Baseline for the secure supply chain

IS 17960 Code Signing
• A complete model/interface of services was put in, but had to be removed because we could not get a standardized interface that would cover tool creators.
• Help is wanted in strengthening and improving it for V2.

What is ISO/IEC TR 24772
• Technical Report
• Programming language specific vulnerabilities
• Guidance to avoid or mitigate vulnerabilities
• Main Sources
  o Safety Guidelines (MISRA, MISRA C++)
  o CERT C guidelines
  o Ada Quality and Style Guide
  o JSF AV C++ Guidelines
  o CWE / OWASP
  o Expertise of technical experts

Structure of TR24772
• 0 Intro, 1 Scope, 2 Ref, 3 Term
• 4. Concepts
• 5. Vulnerability issues
• 6. Programming language vulnerabilities
• 7. Application vulnerabilities
• 8. New vulnerabilities
• A. Vulnerability taxonomy and list
• B. Language specific template
• C. Language-specific Annexes
  o C - Ada
  o D - C (language)
  o E - Python
  o F - Ruby
  o G - SPARK
  o H - PHP
  o I - Fortran (coming)

Concepts
• Purpose
  o Specifies software programming language vulnerabilities to be avoided
  o Body -> Language independent view of vulnerabilities
• Intended audience
  o Those who are concerned with assuring the predictable execution of the software
  o Coding guideline writers, Developers, QA, maintainers of SW systems
• Explicitly addresses CWE/SANS top 25 and OWASP Top ten vulnerabilities.

How to use this document
• Programmers
  o to learn vulnerabilities of unfamiliar languages
  o (and their own language)
• Tool vendors - to identify vulnerabilities in the tools
• Reference to write coding guidelines in organizations

Vulnerability issues
1. Predictable execution
2. Sources of unpredictability in language specification
3. Sources of unpredictability in language usage

Example Vulnerability
• Enumerator Issues (section 6.6/D.6/C.6)
  o file://localhost/Users/stephenmichell/STANDARDS/WG23/Documents/N0436.pdf
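As an added illustration (not the slides' own material and not text from TR 24772), the following C code shows the Enumerator Issues [CCB] hazards the slide refers to in 6.6 and Annex D.6 beside the checks that close them; the `log_level` enumeration, its explicit values and the name table are constructed for this example.

```c
/* Added illustration (not from the WG 23 slides or the TR 24772 text) of the
 * Enumerator Issues [CCB] class, TR 24772 6.6 / Annex D.6: in C an enum is just an
 * int, so nothing stops an unlisted value being converted to the type or used as an index. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed enumeration with explicit, non-contiguous values. The gap at 2 means a
 * plain "between smallest and largest" range check would accept a non-enumerator. */
enum log_level { LVL_DEBUG = 1, LVL_INFO = 3, LVL_ERROR = 4 };

static const enum log_level VALID_LEVELS[] = { LVL_DEBUG, LVL_INFO, LVL_ERROR };
#define N_LEVELS (sizeof VALID_LEVELS / sizeof VALID_LEVELS[0])
static const char *const LEVEL_NAMES[N_LEVELS] = { "debug", "info", "error" };

/* Hazard 1: the int -> enum conversion compiles and runs with no check at all. */
static enum log_level level_from_int_unchecked(int v) { return (enum log_level)v; }

/* Mitigation: accept only values that actually appear in the enumerator list. */
static bool level_from_int_checked(int v, enum log_level *out) {
    for (size_t i = 0; i < N_LEVELS; i++)
        if ((int)VALID_LEVELS[i] == v) { *out = VALID_LEVELS[i]; return true; }
    return false;
}

/* Hazard 2: indexing LEVEL_NAMES directly with the enumerator value (LEVEL_NAMES[lvl])
 * overruns the table once values are non-contiguous: LVL_ERROR is 4 but the table has 3
 * entries. This check exposes that; in real code make it a _Static_assert so the build fails. */
static bool table_size_ok(void) { return (size_t)LVL_ERROR < N_LEVELS; }

/* Mitigation: map every enumerator explicitly and treat anything unlisted as an error,
 * so a value that slipped through the unchecked conversion never becomes an index. */
static const char *level_name(enum log_level lvl) {
    switch (lvl) {
    case LVL_DEBUG: return LEVEL_NAMES[0];
    case LVL_INFO:  return LEVEL_NAMES[1];
    case LVL_ERROR: return LEVEL_NAMES[2];
    default:        return "unknown";
    }
}

int main(void) {
    enum log_level lvl;
    printf("3 -> %s\n", level_from_int_checked(3, &lvl) ? level_name(lvl) : "rejected");
    printf("2 -> %s\n", level_from_int_checked(2, &lvl) ? level_name(lvl) : "rejected");
    printf("unchecked 2 -> %s\n", level_name(level_from_int_unchecked(2)));
    printf("table safe for raw indexing: %s\n", table_size_ok() ? "yes" : "no");
    return 0;
}
```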

Possible Cooperation
• SC 27 can help improve TR 24772 by providing expertise on vulnerability
• TR 24772 can help Code Assurance for ISO/IEC 15408, Proj 20004 etc.
• 14. Project 20004-2: Secure software development and evaluation under ISO/IEC 15408 and ISO/IEC 18405 Part 2: CWE and CAPEC based software penetration testing
  o 14.1 Project Editor's Report
  o 14.2 US NB endorsement on appointment of co-editorship
  o 14.3 Text for 2nd WD
  o 14.4 NB comments
  o 14.5 Further work

Possible Cooperation
• SC 27 can help improve 17960 by providing expertise on crypto usage
• 17960 can help ALC of code, libraries, objects, etc.

Thank you very much for your attention

DETAILS

Programming language vulnerabilities 0
• Statically
• Data representation
  o Data type, Bit representation, Floating point, Numeric conversion, String termination, Buffer boundary, Null Pointer etc.
• Machine dependent
• Independent from Usage

Programming language vulnerabilities 1
1. General
2. Terminology
3. Type System [IHN]
4. Bit Representations [STR]
5. Floating-point Arithmetic [PLF]
6. Enumerator Issues [CCB]
7. Numeric Conversion Errors [FLC]
8. String Termination [CJM]
9. Buffer Boundary Violation (Buffer Overflow) [HCB]
10. Unchecked Array Indexing [XYZ]
11. Unchecked Array Copying [XYW]
12. Pointer Casting and Pointer Type Changes [HFC]
13. Pointer Arithmetic [RVG]
14. Null Pointer Dereference [XYH]
15. Dangling Reference to Heap [XYK]

Programming language vulnerabilities 2
16. Arithmetic Wrap-around Error [FIF]
17. Using Shift Operations for Multiplication and Division [PIK]
18. Sign Extension Error [XZI]
19. Choice of Clear Names [NAI]
20. Dead Store [WXQ]
21. Unused Variable [YZS]
22. Identifier Name Reuse [YOW]
23. Namespace Issues [BJL]
24. Initialization of Variables [LAV]
25. Operator Precedence/Order of Evaluation [JCW]
26. Side-effects and Order of Evaluation [SAM]
27. Likely Incorrect Expression [KOA]
28. Dead and Deactivated Code [XYQ]
29. Switch Statements and Static Analysis [CLL]
30. Demarcation of Control Flow [EOJ]
31. Loop Control Variables [TEX]
32. Off-by-one Error [XZH]
33. Structured Programming [EWD]
34. Passing Parameters and Return Values [CSJ]
35. Dangling References to Stack Frames [DCM]
36. Subprogram Signature Mismatch [OTR]

Programming language vulnerabilities 3
37. Recursion [GDL]
38. Ignored Error Status and Unhandled Exceptions [OYB]
39. Termination Strategy [REU]
40. Type-breaking Reinterpretation of Data [AMV]
41. Memory Leak [XYL]
42. Templates and Generics [SYM]
43. Inheritance [RIP]
44. Extra Intrinsics [LRM]
45. Argument Passing to Library Functions [TRJ]
46. Inter-language Calling [DJS]
47. Dynamically-linked Code and Self-modifying Code [NYY]
48. Library Signature [NSQ]
49. Unanticipated Exceptions from Library Routines [HJW]
50. Pre-processor Directives [NMP]
51. Suppression of Language-defined Run-time Checking [MXB]
52. Provision of Inherently Unsafe Operations [SKL]
53. Obscure Language Features [BRS]
54. Unspecified Behaviour [BQF]
55. Undefined Behaviour [EWF]
56. Implementation-defined Behaviour [FAB]
57. Deprecated Language Features [MEM]

Application vulnerabilities 0
• Dynamically
• Vulnerabilities created by usage

Application vulnerabilities 1
1. General
2. Terminology
3. Unspecified Functionality [BVQ]
4. Distinguished Values in Data Types [KLK]
5. Adherence to Least Privilege [XYN]
6. Privilege Sandbox Issues [XYO]
7. Executing or Loading Untrusted Code [XYS]
8. Memory Locking [XZX]
9. Resource Exhaustion [XZP]
10. Unrestricted File Upload [CBF]
11. Resource Names [HTS]
12. Injection [RST]
13. Cross-site Scripting [XYT]
14. Unquoted Search Path or Element [XZQ]
15. Improperly Verified Signature [XZR]

Application vulnerabilities 2
16. Discrepancy Information Leak [XZL]
17. Sensitive Information Uncleared Before Use [XZK]
18. Path Traversal [EWR]
19. Missing Required Cryptographic Step [XZS]
20. Insufficiently Protected Credentials [XYM]
21. Missing or Inconsistent Access Control [XZN]
22. Authentication Logic Error [XZO]
23. Hard-coded Password [XYP]
24. Download of Code Without Integrity Check [DLB]
25. Incorrect Authorization [BJE]
26. Inclusion of Functionality from Untrusted Control Sphere [DHU]
27. Improper Restriction of Excessive Authentication Attempts [WPL]
28. URL Redirection to Untrusted Site ('Open Redirect') [PYQ]
29. Use of a One-Way Hash without a Salt [MVX]

New vulnerabilities 0
1. Recently captured vulnerabilities
2. Should go into either Cl 6 or Cl 7

New vulnerabilities 1
1. General
2. Terminology
3. Concurrency - Activation [CGA]
4. Concurrency - Directed termination [CGT]
5. Concurrent Data Access [CGX]
6. Concurrency - Premature Termination [CGS]
7. Protocol Lock Errors [CGM]
8. Inadequately Secure Communication of Shared Resources [CGY]
9. Use of unchecked data from an uncontrolled or tainted source [EFS]
10. Uncontrolled Format String [SHL]

Recent updates
• Analyzed the TR 24772
• Covered CWE top 25
• OWASP top 10 is tightly linked with CWE top 25
• OWASP is being incorporated
• ISO/IEC JTC 1 SC 22/WG 23 would appreciate a mutual cooperative relationship or liaison, if possible

OWASP <-> CWE
• OWASP A1 – Injection
  o CWE-89 – SQL command (Top 25 #1)
  o CWE-78 – OS command (Top 25 #2)
• OWASP A2 – Broken authentication (incl. session tampering, fixation, reuse, etc.)
  o CWE-306 – Missing Authentication for Critical Function (Top 25 #5)
  o CWE-307 – Improper Restriction of Excessive Authentication Attempts (Top 25 #21)
  o CWE-798 – Use of Hard-coded Credentials (Top 25 #7)
• OWASP A3 / CWE-79 – XSS (Top 25 #4)
• OWASP A4 – Insecure direct object references
  o CWE-22 – Unrestricted Use of a Pathname (Path Traversal) (Top 25 #13)
  o CWE-434 – Unrestricted Upload of Dangerous Type File (Top 25 #9)
  o CWE-829 – Untrusted Function Use (Sandboxing Violation) (Top 25 #16)
  o CWE-862 & CWE-863 – Missing / improper Authorization (Top 25 #6 & #15)
• OWASP A5 – Security misconfiguration
  o CWE-250 – Least Privilege Principle Violation (#11)
  o CWE-732 – Incorrect Permission Assignment for Critical Resource (#17)

OWASP <-> CWE
• OWASP A6 – Sensitive data exposure
  o CWE-310 & CWE-326 – Bad encryption
  o CWE-312 & CWE-319 – Cleartext storage / transmission
• OWASP A7 – Missing function-level access control
  o CWE-285, CWE-862, CWE-863 – Missing / improper Authorization (#6 & #15)
• OWASP A8 / CWE-352 – CSRF (Top 25 #12)
• OWASP A9 – Using components with known vulnerabilities
• OWASP A10 / CWE-601 – Unvalidated redirects and forwards (#22)
• Others – non-OWASP
  o CWE-120 – Classic Buffer Overflow (#3)
  o CWE-131 – Incorrect Calculation of Buffer Size (#20)
  o CWE-134 – Uncontrolled Format String (#23)
  o CWE-190 – Integer Overflow or Wraparound (#24)
  o CWE-494 – Code Download Without Integrity Check (#14)
  o CWE-676 – Use of Potentially Dangerous Function (#18)
  o CWE-807 – Use of Untrusted Inputs in a Security Decision (#10)