Baseline Edition – 3 TR 24772-1

ISO/IEC JTC 1/SC22/WG23N068477

Date: 10 January9 September 20176

ISO/IEC TR 24772-1

Edition 3

ISO/IEC JTC 1/SC 22/WG 23

Secretariat: ANSI

Information Technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages

Document type: International standard

Document subtype: if applicable

Document stage: (10) development stage

Document language: E

Introductory element — Main element — Part n: Part title

Warning

This document is not an ISO International Standard. It is distributed for review and comment. It is subject to change without notice and may not be referred to as an International Standard.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.

Copyright notice

This ISO document is a working draft or committee draft and is copyright-protected by ISO. While the reproduction of working drafts or committee drafts in any form for use by participants in the ISO standards development process is permitted without prior permission from ISO, neither this document nor any extract from it may be reproduced, stored or transmitted in any form for any other purpose without prior written permission from ISO.

Requests for permission to reproduce this document for the purpose of selling it should be addressed as shown below or to ISO’s member body in the country of the requester:

ISO copyright office

Case postale 56, CH-1211 Geneva 20

Tel. + 41 22 749 01 11

Fax + 41 22 749 09 47

E-mail

Web www.iso.org

Reproduction for sales purposes may be subject to royalty payments or a licensing agreement.

Violators may be prosecuted.

Contents Page

Foreword vii

Introduction viii

1. Scope 1

2. Normative references 1

3. Terms and definitions, symbols and conventions 1

3.1 Terms and definitions 1

3.2 Symbols and conventions 5

4. Basic concepts 6

4.1 Purpose of this Technical Report 6

4.2 Intended audience 6

4.3 How to use this document 7

5 Vulnerability issues and general avoidance mechanisms 8

5.1 Predictable execution 8

5.2 Sources of unpredictability in language specification 9

5.2.1 Incomplete or evolving specification 9

5.2.2 Undefined behaviour 10

5.2.3 Unspecified behaviour 10

5.2.4 Implementation-defined behaviour 10

5.2.5 Difficult features 10

5.2.6 Inadequate language support 10

5.3 Sources of unpredictability in language usage 10

5.3.1 Porting and interoperation 10

5.3.2 Compiler selection and usage 11

5.4 Top avoidance mechanisms (guidance?) 11

6. Programming Language Vulnerabilities 12

6.1 General 12

6.2 Type System [IHN] 13

6.3 Bit Representations [STR] 15

6.4 Floating-point Arithmetic [PLF] 17

6.5 Enumerator Issues [CCB] 20

6.6 Conversion Errors [FLC] 22

6.7 String Termination [CJM] 24

6.8 Buffer Boundary Violation (Buffer Overflow) [HCB] 25

6.9 Unchecked Array Indexing [XYZ] 27

6.10 Unchecked Array Copying [XYW] 29

6.11 Pointer Type Conversions [HFC] 30

6.12 Pointer Arithmetic [RVG] 31

6.13 Null Pointer Dereference [XYH] 32

6.14 Dangling Reference to Heap [XYK] 33

6.15 Arithmetic Wrap-around Error [FIF] 35

6.16 Using Shift Operations for Multiplication and Division [PIK] 37

6.17 Choice of Clear Names [NAI] 38

6.18 Dead Store [WXQ] 40

6.19 Unused Variable [YZS] 41

6.20 Identifier Name Reuse [YOW] 42

6.21 Namespace Issues [BJL] 44

6.22 Initialization of Variables [LAV] 46

6.23 Operator Precedence and Associativity [JCW] 48

6.24 Side-effects and Order of Evaluation of Operands [SAM] 49

6.25 Likely Incorrect Expression [KOA] 51

6.26 Dead and Deactivated Code [XYQ] 53

6.27 Switch Statements and Static Analysis [CLL] 55

6.28 Demarcation of Control Flow [EOJ] 57

6.29 Loop Control Variables [TEX] 58

6.30 Off-by-one Error [XZH] 59

6.31 Structured Programming [EWD] 61

6.32 Passing Parameters and Return Values [CSJ] 62

6.33 Dangling References to Stack Frames [DCM] 64

6.34 Subprogram Signature Mismatch [OTR] 66

6.35 Recursion [GDL] 68

6.36 Ignored Error Status and Unhandled Exceptions [OYB] 69

6.37 Fault Tolerance and Failure Strategies [REU] 71

6.38 Type-breaking Reinterpretation of Data [AMV] 74

6.39 Deep vs. Shallow Copying [YAN] 75

6.40 Memory Leaks and Heap Fragmentation [XYL] 77

6.41 Templates and Generics [SYM] 79

6.42 Inheritance [RIP] 81

6.43 Violations of the Liskov Principle or the Contract Model [BLP] 82

6.44 Redispatching [PPH] 84

6.45 Polymorphic variables [BKK] 85

6.46 Extra Intrinsics [LRM] 87

6.47 Argument Passing to Library Functions [TRJ] 89

6.48 Inter-language Calling [DJS] 90

6.49 Dynamically-linked Code and Self-modifying Code [NYY] 92

6.50 Library Signature [NSQ] 93

6.51 Unanticipated Exceptions from Library Routines [HJW] 94

6.52 Pre-processor Directives [NMP] 95

6.53 Suppression of Language-defined Run-time Checking [MXB] 97

6.54 Provision of Inherently Unsafe Operations [SKL] 98

6.55 Obscure Language Features [BRS] 99

6.56 Unspecified Behaviour [BQF] 101

6.57 Undefined Behaviour [EWF] 102

6.58 Implementation-defined Behaviour [FAB] 104

6.59 Deprecated Language Features [MEM] 106

6.60 Concurrency – Activation [CGA] 107

6.61 Concurrency – Directed termination [CGT] 109

6.62 Concurrent Data Access [CGX] 110

6.63 Concurrency – Premature Termination [CGS] 112

6.64 Protocol Lock Errors [CGM] 114

6.65 Reliance on External Format String [SHL] 116

7. Application Vulnerabilities 118

7.1 General 118

7.2 Taxonomy 118

7.3 Unrestricted File Upload [CBF] 118

7.3 Download of Code Without Integrity Check [DLB] 119

7.4 Inclusion of Functionality from Untrusted Control Sphere [DHU] 120

7.5 URL Redirection to Untrusted Site ('Open Redirect') [PYQ] 121

7.6 Use of unchecked data from an uncontrolled or tainted source [EFS] 122

7.7 Cross-site Scripting [XYT] 123

7.8 Adherence to Least Privilege [XYN] 126

7.9 Privilege Sandbox Issues [XYO] 127

7.10 Executing or Loading Untrusted Code [XYS] 128

7.11 Missing Required Cryptographic Step [XZS] 129

7.12 Insufficiently Protected Credentials [XYM] 130

7.13 Missing or Inconsistent Access Control [XZN] 131

7.14 Authentication Logic Error [XZO] 131

7.15 Hard-coded Password [XYP] 133

7.16 Sensitive Information Uncleared Before Use [XZK] 134

7.17 Improperly Verified Signature [XZR] 135

7.18 Use of a One-Way Hash without a Salt [MVX] 135

7.19 Inadequately Secure Communication of Shared Resources [CGY] 136

7.20 Memory Locking [XZX] 138

7.22.1 Description of application vulnerability 140

7.23 Incorrect Authorization [BJE] 141

7.24 Improper Restriction of Excessive Authentication Attempts [WPL] 142

7.25 Unspecified Functionality [BVQ] 142

7.26 Distinguished Values in Data Types [KLK] 143

7.27 Resource Names [HTS] 145

7.28 Injection [RST] 146

7.29 Unquoted Search Path or Element [XZQ] 149

7.30 Discrepancy Information Leak [XZL] 150

7.31 Path Traversal [EWR] 151

7.32 Clock Issues [CCI] 153

Annex A (informative) Vulnerability Taxonomy and List 157

A.1 General 157

A.2 Outline of Programming Language Vulnerabilities 157

A.3 Outline of Application Vulnerabilities 159

A.4 Vulnerability List 160

Annex B (informative) Language Specific Vulnerability Template 163

Bibliography 166

Index 169

Foreword vii

Introduction viii

1. Scope 1

2. Normative references 1

3. Terms and definitions, symbols and conventions 1

3.1 Terms and definitions 1

3.2 Symbols and conventions 5

4. Basic concepts 6

4.1 Purpose of this Technical Report 6

4.2 Intended audience 6

4.3 How to use this document 7

5 Vulnerability issues and general avoidance mechanisms 8

5.1 Predictable execution 8

5.2 Sources of unpredictability in language specification 9

5.2.1 Incomplete or evolving specification 9

5.2.2 Undefined behaviour 10

5.2.3 Unspecified behaviour 10

5.2.4 Implementation-defined behaviour 10

5.2.5 Difficult features 10

5.2.6 Inadequate language support 10

5.3 Sources of unpredictability in language usage 10

5.3.1 Porting and interoperation 10

5.3.2 Compiler selection and usage 11

5.4 Top avoidance mechanisms (guidance?) 11

6. Programming Language Vulnerabilities 13

6.1 General 13

6.2 Type System [IHN] 14

6.3 Bit Representations [STR] 16

6.4 Floating-point Arithmetic [PLF] 18

6.5 Enumerator Issues [CCB] 21

6.6 Conversion Errors [FLC] 23

6.7 String Termination [CJM] 25

6.8 Buffer Boundary Violation (Buffer Overflow) [HCB] 26

6.9 Unchecked Array Indexing [XYZ] 28

6.10 Unchecked Array Copying [XYW] 30

6.11 Pointer Type Conversions [HFC] 31

6.12 Pointer Arithmetic [RVG] 32

6.13 Null Pointer Dereference [XYH] 33

6.14 Dangling Reference to Heap [XYK] 34

6.15 Arithmetic Wrap-around Error [FIF] 36

6.16 Using Shift Operations for Multiplication and Division [PIK] 38

6.17 Choice of Clear Names [NAI] 39

6.18 Dead Store [WXQ] 41

6.19 Unused Variable [YZS] 42

6.20 Identifier Name Reuse [YOW] 43

6.21 Namespace Issues [BJL] 45

6.22 Initialization of Variables [LAV] 47

6.23 Operator Precedence and Associativity [JCW] 49

6.24 Side-effects and Order of Evaluation of Operands [SAM] 50

6.25 Likely Incorrect Expression [KOA] 52

6.26 Dead and Deactivated Code [XYQ] 54

6.27 Switch Statements and Static Analysis [CLL] 56

6.28 Demarcation of Control Flow [EOJ] 57

6.29 Loop Control Variables [TEX] 59

6.30 Off-by-one Error [XZH] 60

6.31 Structured Programming [EWD] 61

6.32 Passing Parameters and Return Values [CSJ] 63

6.33 Dangling References to Stack Frames [DCM] 65

6.34 Subprogram Signature Mismatch [OTR] 67

6.35 Recursion [GDL] 69

6.36 Ignored Error Status and Unhandled Exceptions [OYB] 70

6.37 Fault Tolerance and Failure Strategies [REU] 72

6.38 Type-breaking Reinterpretation of Data [AMV] 75

6.39 Deep vs. Shallow Copying [YAN] 77

6.40 Memory Leaks and Heap Fragmentation [XYL] 79

6.41 Templates and Generics [SYM] 80

6.42 Inheritance [RIP] 82

6.43 Violations of the Liskov Principle or the Contract Model [BLP] 84

6.44 Redispatching [PPH] 86

6.45 Polymorphic variables [BKK] 88

6.46 Extra Intrinsics [LRM] 90

6.47 Argument Passing to Library Functions [TRJ] 91

6.48 Inter-language Calling [DJS] 92

6.49 Dynamically-linked Code and Self-modifying Code [NYY] 94

6.50 Library Signature [NSQ] 95

6.51 Unanticipated Exceptions from Library Routines [HJW] 96

6.52 Pre-processor Directives [NMP] 97

6.53 Suppression of Language-defined Run-time Checking [MXB] 99

6.54 Provision of Inherently Unsafe Operations [SKL] 100

6.55 Obscure Language Features [BRS] 101

6.56 Unspecified Behaviour [BQF] 103

6.57 Undefined Behaviour [EWF] 104

6.58 Implementation-defined Behaviour [FAB] 106

6.59 Deprecated Language Features [MEM] 108

6.60 Concurrency – Activation [CGA] 109

6.61 Concurrency – Directed termination [CGT] 111

6.62 Concurrent Data Access [CGX] 112

6.63 Concurrency – Premature Termination [CGS] 114

6.64 Protocol Lock Errors [CGM] 116

6.65 Reliance on External Format String [SHL] 118

7. Application Vulnerabilities 120

7.1 General 120

7.2 Unrestricted File Upload [CBF] 120

7.3 Download of Code Without Integrity Check [DLB] 121

7.4 Inclusion of Functionality from Untrusted Control Sphere [DHU] 122

7.5 URL Redirection to Untrusted Site ('Open Redirect') [PYQ] 123

7.6 Use of unchecked data from an uncontrolled or tainted source [EFS] 124

7.7 Cross-site Scripting [XYT] 125

7.8 Adherence to Least Privilege [XYN] 127

7.9 Privilege Sandbox Issues [XYO] 128

7.10 Executing or Loading Untrusted Code [XYS] 129

7.11 Missing Required Cryptographic Step [XZS] 130

7.12 Insufficiently Protected Credentials [XYM] 131

7.13 Missing or Inconsistent Access Control [XZN] 132

7.14 Authentication Logic Error [XZO] 132

7.15 Hard-coded Password [XYP] 134

7.16 Sensitive Information Uncleared Before Use [XZK] 135

7.17 Improperly Verified Signature [XZR] 136

7.18 Use of a One-Way Hash without a Salt [MVX] 137

7.19 Inadequately Secure Communication of Shared Resources [CGY] 137

7.20 Memory Locking [XZX] 139

7.21 Resource Exhaustion [XZP] 140

7.22 Time Consumption Measurement [CCM] 141

7.23 Incorrect Authorization [BJE] 142

7.24 Improper Restriction of Excessive Authentication Attempts [WPL] 143

7.25 Unspecified Functionality [BVQ] 143

7.26 Distinguished Values in Data Types [KLK] 144

7.27 Resource Names [HTS] 146

7.28 Injection [RST] 147

7.29 Unquoted Search Path or Element [XZQ] 150

7.30 Discrepancy Information Leak [XZL] 151

7.31 Path Traversal [EWR] 152

7.32 Clock Issues [CCI] 154

7.33 Time Drift and Jitter [CDJ] 156

Annex A (informative) Vulnerability Taxonomy and List 158

A.1 General 158

A.2 Outline of Programming Language Vulnerabilities 158

A.3 Outline of Application Vulnerabilities 160

A.4 Vulnerability List 161

Annex B (informative) Language Specific Vulnerability Template 165

Bibliography 168

Index 171

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

In exceptional circumstances, when the joint technical committee has collected data of a different kind from that which is normally published as an International Standard (“state of the art”, for example), it may decide to publish a Technical Report. A Technical Report is entirely informative in nature and shall be subject to review every five years in the same manner as an International Standard.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

The committee responsible for this document is Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 22, Programming languages, their environments and system software interfaces.

This edition cancels and replaces ISO/IEC TR 24772:2012. The main changes between this document and the previous version are:

·  Language-specific annexes (Annexes C through H) have been removed from the document and are being republished as language-specific parts, TR 24772-2 Programming Language Vulnerabilities – Specific guidance for Ada, TR 24772-3 Programming Language Vulnerabilities – Specific guidance for C, etc.

·  Vulnerabilities that were documented in clause 8 of version 2 are now documented as part of clauses 6 and 7.

·  New vulnerabilities are added.

·  Guidance material for each vulnerability given in subclause 6.X.5 is reworded to be more explicit and directive.