WG 23
Programming Language Vulnerabilities
Maintained by
Jim Moore,
James.W.Moore@ieee.org
If you don't see two frames, click here.

Formerly called the "OWGV"

Disclaimer

ISO/IEC Project 22.24772:
Programming Language Vulnerabilities

All programming languages have constructs that are undefined, imperfectly defined, implementation-dependent, or difficult to use correctly. As a result, software programs can execute differently than intended by the writer. In some cases, these vulnerabilities can be exploited by an attacker to compromise the safety, security, and privacy of a system.

The OWGV project is preparing comparative guidance spanning multiple programming languages, so that application developers will be better able to avoid the programming errors that lead to vulnerabilities in these languages and their attendant consequences. This guidance can also be used by developers to select source code evaluation tools that can discover and eliminate coding errors that lead to vulnerabilities.

The project is preparing an ISO/IEC Technical Report containing guidance to users of programming languages on how to avoid the vulnerabilities that exist in the programming language selected for a particular project. The document is tentatively scheduled for publication in 2010.

Currently, the group enjoys the participation of representatives from many of the important programming languages and hopes to attract more. The group plans to obtain information about vulnerabilities and their treatment from initiatives such as MISRA (C and C++), the Common Vulnerabilities and Exposures database and the CERT Secure Coding Initiative.

[ Project Organization ] [ Project Status ]

The work of WG23 is supplemented by an archived mailer and by a wiki.

You can use Google to search this web site:

Entire WebWG 23 Web Site

Project Organization

ISO/IEC JTC1/SC22 has the scope of "programming languages and their environments". WG 23 (Vulnerabilities) is a working group reporting to SC 22. It has been assigned responsibility for project 22.24772 to write an ISO/IEC Technical Report, "Programming Language Vulnerabilities." More information regarding the project can be found in our FAQ.

Leadership:

SC 22 Officers:

Rex Jaeschke (Chair)
Sally Seitz, ANSI (Secretariat)

WG 23 Officers:

John Benito (Convener)
Jim Moore (Secretariat)
(Email addresses are shown as images to prevent automatic harvesting.)

Identified Participants:

Many individuals have attended meetings or participated via email. The following persons are officers of WG 23 or identified points of contact for participating organizations:

Individual Participant Point of contact for a National Body (see below) Liaison with a Working Group of ISO / IEC JTC1 / SC22 Liaison with another Organization

John Benito (convener) .

Ben Brosgol Java Community: JSR 282: RTSJ and JSR 302: Safety Critical Java Technology

Paul Caseley UK MOD

Rod Chapman SPARK

Douglas Crockford ECMA TC39 (ECMAScript)

Franco Gasperoni France

Cesar Gonzalez-Perez ISO/IEC JTC1 / SC7 / WG19

Roman Grahle Germany

Chris Hills MISRA C

Kiyoshi Ishihata Japan

Rex Jaeschke

Derek Jones UK

Stephen Michell Canada

Ed de Moel MDC (MUMPS)

Jim Moore (secretary)

Dan Nagle WG5 (Fortran) J3 (Fortran)

Erhard Ploedereder WG9 (Ada) Ada-Europe

Tom Plum US, INCITS PL22 WG14 (C)
WG21 (C++)* ECMA TC49 / TG2 (C#)

Clive Pygott MISRA C++

Robert Seacord CERT

Bill Spees US FDA

Nick Stoughton . SC22 (POSIX) Austin Group

Barry Tauber WG4 (Cobol) J4 (Cobol)

Tullio Vardanega Italy

* Additional liaison representatives from WG21 include: Matt Austern, Steve Clamage, Richard Corden, Gabriel Dos Reis, Nick Maclaren, Thorsten Ottosen, P. J. Plauger, PremAnand Rao, Mike Spertus, Bjarne Stroustrup, and Detlef Vollman.

Those interested in representing their national body or participating in a national "shadow group" should contact the standards body of the nation in which they reside or work. In the case of the following nations, a point of contact has been identified. (All email addresses have been altered to discourage automatic harvesting of them):

Canada SCC Steve Michell stephen dot michell at maurya dot on dot ca

France AFNOR Franco Gasperoni gasperon at act-europe dot fr

Germany DIN Roman Grahle roman dot grahle at din dot de

Italy UNI Tullio Vardanega tullio dot vardanega at math dot unipd dot it

Japan JSA Kiyoshi Ishihata ishihata at cs dot meiji dot ac dot jp

Netherlands NEN Willem Wakker willemw at ace dot nl

UK BSI IST-5 Derek Jones derek at knosof dot co dot uk

USA INCITS PL22 Tom Plum tplum at plumhall dot com

Status of Formal Standards Process

Completed

[Listed in reverse chronological order]

24 Sep 2008 SC22 plenary: Resolution 08-03 established WG 23 to carry on the work of OWGV. It named John Benito as convener. Resolution 08-06 renamed the document as "Programming Language Vulnerabilities".

28 Sep 2007 SC22 plenary: Resolution 07-09 renewed the OWGV for another year of work. It named John Benito as convener and The MITRE Corporation (Jim Moore) as Secretariat. Resolution 07-10 registered PDTR 24772. [N0110]

21 Sep 2006 SC22 renewed the OWGV for another year of work [N0045]. It named John Benito as convener and The MITRE Corporation (Jim Moore) as Secretariat.

13 Mar 2006 Prepared disposition of the comments received on New Work Item Proposal [N0007]

6 Oct 2005 Plan for "Moving Forward" [N0004]

5 Oct 2005
SC22 Secretariat announced balloting results, assigned project number and directed OWG:Vulnerability to begin work [N0002]:

Please note that this project has been assigned the ISO/IEC designation "24772". The OWG: Vulnerabilities is instructed to begin work on this project and prepare a disposition of comments for those National Body comments received on the SC 22 ballot.

2 Oct 2005 SC22 created OWG:Vulnerabilities to perform project [N0003]. Jim Moore was named as convener.

Jun-Sep 2005 New Work Item Proposal, "Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use," was balloted by SC22 and JTC1 to authorize project. [N0001]

History

The work of the study group leading to creation of the OWGV and, ultimately, WG 23, is summarized on the History page.

Disclaimer Most of the items contained in this web site and its associated files and directories are preliminary working material of ISO/IEC JTC 1/SC 22, subject to review and correction.

The web site is maintained for the convenience of the participants in SC 22/WG 23 by:

James W. Moore, The MITRE Corporation, 7515 Colshire Drive, McLean, VA 22102, +1.703.983.7396, moorej@mitre.org, James.W.Moore@ieee.org.

ISO/IEC JTC 1/SC 22/WG 23 Programming Language Vulnerabilities	Maintained by Jim Moore, James.W.Moore@ieee.org	If you don't see two frames, click here.
Formerly called the "OWGV"

Individual Participant	Point of contact for a National Body (see below)	Liaison with a Working Group of ISO / IEC JTC1 / SC22	Liaison with another Organization
John Benito (convener)		.
Ben Brosgol			Java Community: JSR 282: RTSJ and JSR 302: Safety Critical Java Technology
Paul Caseley			UK MOD
Rod Chapman			SPARK
Douglas Crockford			ECMA TC39 (ECMAScript)
Franco Gasperoni	France
Cesar Gonzalez-Perez			ISO/IEC JTC1 / SC7 / WG19
Roman Grahle	Germany
Chris Hills			MISRA C
Kiyoshi Ishihata	Japan
Rex Jaeschke
Derek Jones	UK
Stephen Michell	Canada
Ed de Moel			MDC (MUMPS)
Jim Moore (secretary)
Dan Nagle		WG5 (Fortran)	J3 (Fortran)
Erhard Ploedereder		WG9 (Ada)	Ada-Europe
Tom Plum	US, INCITS PL22	WG14 (C) WG21 (C++)*	ECMA TC49 / TG2 (C#)
Clive Pygott			MISRA C++
Robert Seacord			CERT
Bill Spees			US FDA
Nick Stoughton	.	SC22 (POSIX)	Austin Group
Barry Tauber		WG4 (Cobol)	J4 (Cobol)
Tullio Vardanega	Italy
* Additional liaison representatives from WG21 include: Matt Austern, Steve Clamage, Richard Corden, Gabriel Dos Reis, Nick Maclaren, Thorsten Ottosen, P. J. Plauger, PremAnand Rao, Mike Spertus, Bjarne Stroustrup, and Detlef Vollman.

Canada	SCC	Steve Michell	stephen dot michell at maurya dot on dot ca
France	AFNOR	Franco Gasperoni	gasperon at act-europe dot fr
Germany	DIN	Roman Grahle	roman dot grahle at din dot de
Italy	UNI	Tullio Vardanega	tullio dot vardanega at math dot unipd dot it
Japan	JSA	Kiyoshi Ishihata	ishihata at cs dot meiji dot ac dot jp
Netherlands	NEN	Willem Wakker	willemw at ace dot nl
UK	BSI IST-5	Derek Jones	derek at knosof dot co dot uk
USA	INCITS PL22	Tom Plum	tplum at plumhall dot com


24 Sep 2008	SC22 plenary: Resolution 08-03 established WG 23 to carry on the work of OWGV. It named John Benito as convener. Resolution 08-06 renamed the document as "Programming Language Vulnerabilities".
28 Sep 2007	SC22 plenary: Resolution 07-09 renewed the OWGV for another year of work. It named John Benito as convener and The MITRE Corporation (Jim Moore) as Secretariat. Resolution 07-10 registered PDTR 24772. [N0110]
21 Sep 2006	SC22 renewed the OWGV for another year of work [N0045]. It named John Benito as convener and The MITRE Corporation (Jim Moore) as Secretariat.
13 Mar 2006	Prepared disposition of the comments received on New Work Item Proposal [N0007]
6 Oct 2005	Plan for "Moving Forward" [N0004]
5 Oct 2005	SC22 Secretariat announced balloting results, assigned project number and directed OWG:Vulnerability to begin work [N0002]: Please note that this project has been assigned the ISO/IEC designation "24772". The OWG: Vulnerabilities is instructed to begin work on this project and prepare a disposition of comments for those National Body comments received on the SC 22 ballot.
2 Oct 2005	SC22 created OWG:Vulnerabilities to perform project [N0003]. Jim Moore was named as convener.
Jun-Sep 2005	New Work Item Proposal, "Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use," was balloted by SC22 and JTC1 to authorize project. [N0001]

ISO/IEC JTC 1/SC 22/WG 23 Programming Language Vulnerabilities Maintained by Jim Moore, James.W.Moore@ieee.org If you don't see two frames, click here. Formerly called the "OWGV"