ISO/IEC TR 24772:2013 "Guidance to avoiding vulnerabilities in programming languages through language selection and use"

2013-10-28 00:00:00 +0000

ISO/IEC TR 24772:2013 “Guidance to avoiding vulnerabilities in programming languages through language selection and use” is one of the most useful application security resources I have seen so far, especially among ISO standards. This standard is an informative document that describes security features and pitfalls of a number of popular programming languages. In spite of a very broad scope, it’s not a high-level document — it systematically goes through features of most used languages and describes them from security point of view. Its most valuable part is probably large number of practical examples — code snippets, that are used to demonstrate both good and bad usage of language constructs.

The languages discussed are Ada, C/C++, Python, Ruby, SPARK (mission critical overlay for Ada) and PHP. The standard defines a taxonomy of programming language vulnerabilities, and application vulnerabilities (both cited below). Each language is analysed against this taxonomy. Most issues also reference existing taxonomies such as CWE (NIST) and other relevant documents (such as CERT C guidelines and MISRA C/C++ guidelines).

Programming language vulnerabilities:

A.2.1. Types A.2.1.1. Representation A. [IHN] Type System A. [STR] Bit Representations A.2.1.2. Floating-point A. [PLF] Floating-point Arithmetic A.2.1.3. Enumerated Types A. [CCB] Enumerator Issues A.2.1.4. Integers A. [FLC] Numeric Conversion Errors A.2.1.5. Characters and strings A. [CJM] String Termination A.2.1.6. Arrays A. [HCB] Buffer Boundary Violation (Buffer Overflow) A. [XYZ] Unchecked Array Indexing A. [XYW] Unchecked Array Copying A.2.1.7. Pointers A. [HFC] Pointer Casting and Pointer Type Changes A. [RVG] Pointer Arithmetic A. [XYH] Null Pointer Dereference A. [XYK] Dangling Reference to Heap A.2.2. Type-Conversions/Limits A.2.2.1. [FIF] Arithmetic Wrap-around Error A.2.2.1 [PIK] Using Shift Operations for Multiplication and Division A.2.2.2. [XZI] Sign Extension Error A.2.3. Declarations and Definitions A.2.3.1. [NAI] Choice of Clear Names A.2.3.2. [WXQ] Dead store A.2.3.3. [YZS] Unused Variable A.2.3.4. [YOW] Identifier Name Reuse A.2.3.5. [BJL] Namespace Issues A.2.3.6. [LAV] Initialization of Variables A.2.4. Operators/Expressions A.2.4.1. [JCW] Operator Precedence/Order of Evaluation A.2.4.2. [SAM] Side-effects and Order of Evaluation A.2.4.3. [KOA] Likely Incorrect Expression A.2.4.4. [XYQ] Dead and Deactivated Code A.2.5. Control Flow A.2.5.1. Conditional Statements A. [CLL] Switch Statements and Static Analysis A. [EOJ] Demarcation of Control Flow A.2.5.2. Loops A. [TEX] Loop Control Variables A. [XZH] Off-by-one Error A.2.5.3. Subroutines (Functions, Procedures, Subprograms) A. [EWD] Structured Programming A. [CSJ] Passing Parameters and Return Values A. [DCM] Dangling References to Stack Frames A. [OTR] Subprogram Signature Mismatch A. [GDL] Recursion A. [OYB] Ignored Error Status and Unhandled Exceptions A.2.5.4. Termination Strategy A. [REU] Termination Strategy A.2.6. Memory Models A.2.6.1. [AMV] Type-breaking Reinterpretation of Data A.2.6.2. [XYL] Memory Leak A.2.7. Templates/Generics A.2.7.1. [SYM] Templates and Generics A.2.7.2. [RIP] Inheritance A.2.8. Libraries A.2.8.1 [LRM] Extra Intrinsics A.2.8.2. [TRJ] Argument Passing to Library Functions A.2.8.3. [DJS] Inter-language Calling A.2.8.4. [NYY] Dynamically-linked Code and Self-modifying Code A.2.8.5. [NSQ] Library Signature A.2.8.6. [HJW] Unanticipated Exceptions from Library Routines A.2.9. Macros A.2.9.1. [NMP] Pre-processor Directives A.2.10. Compile/Run Time A.2.10.1 [MXB] Provision of Inherently Unsafe Operations A.2.10.2 [SKL] Suppression of Language-Defined Run-Time Checking A.2.11. Language Specification Issues A.2.11.1. [BRS] Obscure Language Features A.2.11.2. [BQF] Unspecified Behaviour A.2.11.3. [EWF] Undefined Behaviour A.2.11.4. [FAB] Implementation-defined Behaviour A.2.11.5. [MEM] Deprecated Language Features

Application vulnerability classification:

A.3.1. Design Issues A.3.1.1. [BVQ] Unspecified Functionality A.3.1.2. [KLK] Distinguished Values in Data Types A.3.2. Environment A.3.2.1. [XYN] Adherence to Least Privilege A.3.2.2. [XYO] Privilege Sandbox Issues A.3.2.3. [XYS] Executing or Loading Untrusted Code A.3.3. Resource Management A.3.3.1. Memory Management A. [XZX] Memory Locking A. [XZP] Resource Exhaustion A.3.3.2. Input A. [CBF] Unrestricted file upload A. [HTS] Resource names A. [RST] Injection A. [XYT] Cross-site Scripting A. [XZQ] Unquoted Search Path or Element A. [XZR] Improperly Verified Signature A. [XZL] Discrepancy Information Leak A.3.3.3. Output A. [XZK] Sensitive Information Uncleared Before Use A.3.3.4. Files A. [EWR] Path Traversal A.3.4. Concurrency A.3.4.1 [CGA] Concurrency – Activation A.3.4.2 [CGT] Concurrency – Directed termination A.3.4.3 [CGS] Concurrency – Premature Termination A.3.4.4 [CGX] Concurrent Data Access A.3.4.5 [CGY] Inadequately Secure Communication of Shared Resources A.3.4.6 [CGM] Protocal Lock Errors A.4.4. Flaws in Security Functions A.4.4.1. [XZS] Missing Required Cryptographic Step A.4.4.2. Authentication A. [XYM] Insufficiently Protected Credentials A. [XZN] Missing or Inconsistent Access Control A. [XZO] Authentication Logic Error A. [XYP] Hard-coded Password