Avoiding Programming Language Vulnerabilities
By C Project Lead on Mar 28, 2006
This week I am in Berlin at a meeting of ISO/SC22/WG14, the C programming language committee. One of the hottest topics is dealing with programming security issues and integrity systems.
JTC 1/SC 22 has created a new project to deal with the subject of vulnerabilities in programming languages. The basic technical concept is that all programming languages contain features that are poorly specified, difficult to use correctly, or dependent upon particular implementations. In some cases, these features cause software to become vulnerable to malicious parties. The intent of the project is to create guidance on dealing with these problems. In some cases, the guidance will be generic across languages; in other cases the guidance will be specific to particular languages.
The project is being implemented in an unusual manner. SC22 has created an OWG ("Other Working Group") on Vulnerabilities. This group is convened by Jim Moore, and the co-convener is John Benito. Jim is the convener of WG9 (Ada) and John is the convener of WG14 (C), so between them they cover a wide range of programming language design. It is their intent to enlist experts from other working groups so that they can further broaden the range of expertise. They also have permission to enlist experts from non-ISO languages, like Java. Finally, of course, they need participants from national bodies.
The purpose of this blog is to encourage US participation. Because an OWG is not-quite-a-working-group, I believe that the arrangements to participate in it are somewhat informal.
For more information about participating or contacting Jim Moore, have a look at the ISO/IEC JTC 1/SC 22/OWG:Vulnerabilities website http://aitc.aitcnet.org/isai/
I'll be on vacation next week seeing some of Germany ... :-)