2007-09-15 Blue Pilot Consulting, Inc. 1 A new type of Working Group used for a new SC22 Working Group OWG: Vulnerability John Benito JTC 1/SC 22 WG14.

Slides:

Advertisements

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

Advertisements

Planning Reports and Proposals

Elements of an Effective Safety and Health Program

Significance of ISO to the Food Industry

Copyright © 2008 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 10 Servlets and Java Server Pages.

Chapter 3 Introduction to Quantitative Research

Chapter 3 Introduction to Quantitative Research

For SIGAda Conference, 2005 November, Atlanta 1 A New Standards Project on Avoiding Programming Language Vulnerabilities Jim Moore Liaison Representative.

Doc.: IEEE /0006r0 Submission March 2005 Steve Shellhammer, Intel CorporationSlide 1 What is a CA document? Notice: This document has been prepared.

Doc.: IEEE /0953r1 Submission November 2009 Adrian Stephens, Intel CorporationSlide TGmb Editor Report - Nov 2009 Date: Authors:

For OWGV Meeting #1, 2006 June, Washington, DC, USA 1D Terms of Reference: ISO/IEC Project , Guidance to Avoiding Vulnerabilities in Programming.

1 Report of Progress of ISO/IEC 24772, Programming Language Vulnerabilities, in ISO/IEC JTC 1/SC 22 John Benito, Convener Jim Moore, Secretary ISO/IEC.

1 OWG: Vulnerability ISO working group on Guidance for Avoiding Vulnerabilities through language selection and use John Benito, Convener Jim Moore, Secretary.

For C Language WG, 2006 March, Berlin 1 A New Standards Project on Avoiding Programming Language Vulnerabilities Jim Moore Liaison Representative from.

1 OWG: Vulnerability ISO working group on Guidance for Avoiding Vulnerabilities through language selection and use. ISO/IEC JTC 1/SC 22/ OWGV N0139.

© 2006 Carnegie Mellon University CERT Secure Coding Standards Robert C. Seacord.

1 ISO/IEC JTC 1/SC 22/WG 23 ISO working group on Guidance for Avoiding Vulnerabilities through language selection and use John Benito, Convener Jim Moore,

For OWGV Meeting #1, 2006 June, Washington, DC, USA 1D Conveners Remarks, Meeting #1 of ISO/IEC JTC 1/SC 22/OWG:V Jim Moore Convener, ISO/IEC JTC.

Scaling up the global initiative on the implementation of the SNA and supporting statistics Meeting on Scaling up the coordination and resources for the.

The IEEE and International Standards Steve Mills July 2006 IEEE 802 Plenary.

© 2006 Open Grid Forum Joint Session on Information Modeling for Computing Resources OGF 20 - Manchester, 7 May 2007.

Slide 1 WGISS CEOS WGISS 22, Annapolis September 2006 WGISS – GEO Discussion.

ISO/IEC JTC 1 Special Working Group on Accessibility.

1Running title of presentation PR/mo/item ID Date Updates on work in Progress in ISO United Nations Road Safety Collaboration 9th meeting Geneva, 17 and.

Making the System Operational

WS-JDML: A Web Service Interface for Job Submission and Monitoring Stephen M C Gough William Lee London e-Science Centre Department of Computing, Imperial.

1 Implementing Internet Web Sites in Counseling and Career Development James P. Sampson, Jr. Florida State University Copyright 2003 by James P. Sampson,

Multiple Indicator Cluster Surveys Survey Design Workshop MICS Technical Assistance MICS Survey Design Workshop.

Software change management

1 Dr. Ashraf El-Farghly SECC. 2 Level 3 focus on the organization - Best practices are gathered across the organization. - Processes are tailored depending.

1 Title I Program Evaluation Title I Technical Assistance & Networking Session May 23, 2011.

Quality Assurance/Quality Control Plan Evaluation February 16, 2005.

1 Quality Indicators for Device Demonstrations April 21, 2009 Lisa Kosh Diana Carl.

1 The phone in the cloud Utilizing resources hosted anywhere Claes Nilsson.

Reliable Interoperation between Open Office & MS office by UOML Alex Wang Chair/OASIS UOML TC Chairman / Sursen Co.

Component-Based Software Engineering Main issues: assemble systems out of (reusable) components compatibility of components.

Copyright (c) 2006 Japan Network Information Center Comments from JP on “End site allocation policy for IPv6” (prop-033-v001 ) Izumi Okutani Japan Network.

FSC Chain-of-Custody & Controlled Wood Update for Audits November 2007.

Debris Avoidance and the CCSDS Navigation Working Group Presentation to NSPO in Taiwan November 2013 Mike Kearney CCSDS Chair & General Secretary NASA.

Addition 1’s to 20.

Test B, 100 Subtraction Facts

RTI Implementer Webinar Series: Establishing a Screening Process

Chapter 12: Project Management and Strategic Planning Copyright © 2013 Pearson Education, Inc. publishing as Prentice Hall Chapter

Presented to: NDIA PMSC By: Keith Kratzert Date: January 29, 2009 Federal Aviation Administration Improving Program Performance at FAA.

14-1 © Prentice Hall, 2004 Chapter 14: OOSAD Implementation and Operation (Adapted) Object-Oriented Systems Analysis and Design Joey F. George, Dinesh.

© 2007 BST. All rights reserved. Confidential Information. SLU – 1 PDS_139 (0503) L2 Applying Problem- Solving Tools.

1 Personal Development and Performance Review Professional Development.

Chapter 14 Fraud Risk Assessment.

SIGAda2001© 2001, The MITRE Corporation. Permission is granted to reproduce without modification.James W. Moore - 1 ISO/IEC Standardization James W. Moore.

International Standards for Software & Systems Documentation Ralph E. Robinson R 2 Innovations.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

12/2/05CS591-F2005, UCCS Frank Gearhart 1 Why doesn’t “gets()” get it? Or more formally: An investigation into the use of the buffer overflow vulnerability.

QinetiQ Proprietary AN ISO standard for high integrity software.

Leaders in Asset Management ISO Asset Management Systems 1 Prepared by Jim Dieter, MIAM CPPM CF NPMA Executive Vice President Director of Strategic.

© 2007 Carnegie Mellon University Secure Coding Initiative Jason A. Rafail Monday, May 14 th, 2007.

Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.

1 Software Testing and Quality Assurance Lecture 33 – Software Quality Assurance.

Page 1 ISO/IEC JTC 1/SC 7/WG 7 N Summary of the Alignment of System and Software Life Cycle Process Standards The material in this briefing.

ISO/IEC JTC1 SC 32 WG1 eBusiness July 2007 JTC1 SC32 N1620.

SC 37 “Biometrics” and correlations with JTC1 Special Working Group on Accessibility Ing. Mario Savastano IBB (CNR) and DIEL (Federico II University of.

Slide 1 IEEE 802 Response to FDIS comments on IEEE 802.1AS 18 March 2014 Authors: NameCompanyPhone .

ISO/IEC JTC1 SC 32 WG1 eBusiness. WG 1 scope Standardization in the field of generic information technology standards for open electronic data interchange.

Hussein Alhashimi. “If you can’t measure it, you can’t manage it” Tom DeMarco,

SC32/WG2 N Status report on ISO/IEC CD MMF Ontology Registration He Keqing and OKABE, Masao Project editor MMF Ontology Registration ISO/IEC JTC1.

ISO Asset Management Systems

C++ and Programming Language Vulnerabilities

Secure Coding Initiative

Presentation transcript:

Blue Pilot Consulting, Inc. 1 A new type of Working Group used for a new SC22 Working Group OWG: Vulnerability John Benito JTC 1/SC 22 WG14 Convener INCITS CT 22 Vice Chairman JTC 1/SC 22 OWG:V Convener ISO/IEC JTC 1/SC 22/OWGV N 0101

Blue Pilot Consulting, Inc. 2 The Problem Any programming language has constructs that are imperfectly defined, implementation dependent or difficult to use correctly. As a result, software programs sometimes execute differently than intended by the writer. In some cases, these vulnerabilities can be exploited by hostile parties. – Can compromise safety, security and privacy. – Can be used to make additional attacks.

Blue Pilot Consulting, Inc. 3 Complicating Factors The choice of programming language for a project is not solely a technical decision and is not made solely by software engineers. Some vulnerabilities cannot be mitigated by better use of the language but require mitigation by other methods, e.g. review, static analysis.

Blue Pilot Consulting, Inc. 4 An example While buffer overflow examples can be rather complex, it is possible to have very simple, yet still exploitable, stack based buffer overflows: An Example in the C programming language: #define BUFSIZE 256 int main(int argc, char **argv) { char buf[BUFSIZE]; strcpy(buf, argv[1]); }

Blue Pilot Consulting, Inc. 5 Example Buffer overflows generally lead to the application halting or crashing. Other attacks leading to lack of availability are possible, that can include putting the program into an infinite loop. Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy.

Blue Pilot Consulting, Inc. 6 OWG: Vulnerability Status Response to NP Ballot comments is completed, see SC 22 N4027 Project is organized and on schedule to produce a document in 2009 Current draft is ready for its first SC 22 ballot The project has two officers – Convener/Project Editor, John Benito – Secretary, Jim Moore

Blue Pilot Consulting, Inc. 7 OWG: Vulnerability Status Five meetings have been held, hosted by US Italy Canada UK Meetings planned through 2008, hosted by Netherlands US Germany reflector, Wiki and Web site are used during and between meetings More information

Blue Pilot Consulting, Inc. 8 OWG: Vulnerability Status The body of Technical Report describes vulnerabilities in a generic manner, including: Brief description of application vulnerability Cross-reference to enumerations, e.g. CWE Categorizations by selected characteristics Description of failure mechanism, i.e. how coding problem relates to application vulnerability Points at which the causal chain could be broken Assumed variations among languages Ways to avoid the vulnerability or mitigate its effects Annexes will provide language-specific treatments of each vulnerability.

Blue Pilot Consulting, Inc. 9 Meeting Schedule for OWG:V Meeting # /3 INCITS/Plum Hall, Kona, Hawaii, USA Meeting # /14 INCITS/SEI, Pittsburgh, PA, USA Meeting # /11 NEN/ACE, Amsterdam, NL Meeting # INCITS/Blue Pilot, Washington DC, USA Meeting # – Stuttgart, Germany

Blue Pilot Consulting, Inc. 10 OWG: Vulnerability Participants Canada Germany Italy Japan France United Kingdom USA – CT 22 SC 22/WG 9 SC 22/WG14 MDC (Mumps) SC 22/WG 5, INCITS J3 (Fortran) SC 22/WG 4, INCITS J4 (Cobol) ECMA (C#, C++CLI) RT/SC Java MISRA C/C++ CERT

Blue Pilot Consulting, Inc. 11 OWG:Vulnerability Progress A document suitable for registration has been completed. A template for vulnerability descriptions has been completed. An initial set of vulnerabilities has been proposed for treatment.

Blue Pilot Consulting, Inc. 12 OWG:Vulnerability Product A type III Technical Report A document containing information of a different kind from that which is normally published as an International Standard Project is to work on a set of common mode failures that occur across a variety of languages Not all vulnerabilities are common to all languages, that is, some manifest in just a language The product will not contain normative statements, but information and suggestions

Blue Pilot Consulting, Inc. 13 OWG:Vulnerability Product No single programming language or family of programming languages is to be singled out As many programming languages as possible should be involved Need not be just the languages defined by ISO Standards

Blue Pilot Consulting, Inc. 14 Approach to Identifying Vulnerabilities Empirical approach: Observe the vulnerabilities that occur in the wild and describe them, e.g. buffer overrun, execution of unvalidated remote content Analytical approach: Identify potential vulnerabilities through analysis of programming languages This just might help in identifying tomorrows vulnerabilities.

Blue Pilot Consulting, Inc. 15 Audience Safety: Products where it is critical to prevent behavior which might lead to human injury, and it is justified to spend additional development money Security: Products where it is critical to secure data or access, and it is justified to spend additional development money Predictability: Products where high confidence in the result of the computation is desired Assurance: Products to be developed for dependability or other important characteristics

Blue Pilot Consulting, Inc. 16 Measure of Success Provide guidance to users of programming languages that: Assists them in improving the predictability of the execution of their software even in the presence of an attacker Informs their selection of an appropriate programming language for their job Provide feedback to programming language standardization groups, resulting in the improvement of programming language standards.

Blue Pilot Consulting, Inc. 17 OWG: Vulnerability Summary We are making progress! meetings scheduled out over a year Participation is good and is made up of a wide variety of technical expertise. Have a document that is ready for the first SC 22 ballot (registration). On track to publish in 2009.