Information Technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages
Document type: International standard
Document subtype: if applicable
Document stage: (10) development stage
Document language: E
Introductory element — Main element — Part n: Title of the part
Warning
This ISO document is a working draft or committee draft and is copyright-protected by ISO. While the reproduction of working drafts or committee drafts in any form for use by participants in the ISO standards development process is permitted without prior permission from ISO, neither this document nor any extract from it may be reproduced, stored or transmitted in any form for any other purpose without prior written permission from ISO.
Requests for permission to reproduce this document for the purpose of selling it should be addressed as shown below or to ISO’s member body in the country of the requester:
ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Reproduction for sales purposes may be subject to royalty payments or a licensing agreement.
Violators may be prosecuted.
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions, symbols and conventions
3.1 Terms and definitions
3.2 Symbols and conventions
4 Basic concepts
4.1 Purpose of this Technical Report
4.2 Intended audience
4.3 How to use this document
5 Vulnerability issues and general avoidance mechanisms
5.1 Predictable execution
5.2 Sources of unpredictability in language specification
5.2.1 Incomplete or evolving specification
5.2.2 Undefined behaviour
5.2.3 Unspecified behaviour
5.2.4 Implementation-defined behaviour
5.2.5 Difficult features
5.2.6 Inadequate language support
5.3 Sources of unpredictability in language usage
5.3.1 Porting and interoperation
5.3.2 Compiler selection and usage
5.4 Top avoidance mechanisms (guidance?)
6 Programming Language Vulnerabilities
6.1 General
6.2 Type System [IHN]
6.3 Bit Representations [STR]
6.4 Floating-point Arithmetic [PLF]
6.5 Enumerator Issues [CCB]
6.6 Conversion Errors [FLC]
6.7 String Termination [CJM]
6.8 Buffer Boundary Violation (Buffer Overflow) [HCB]
6.9 Unchecked Array Indexing [XYZ]
6.10 Unchecked Array Copying [XYW]
6.11 Pointer Type Conversions [HFC]
6.12 Pointer Arithmetic [RVG]
6.13 Null Pointer Dereference [XYH]
6.14 Dangling Reference to Heap [XYK]
6.15 Arithmetic Wrap-around Error [FIF]
6.16 Using Shift Operations for Multiplication and Division [PIK]
6.17 Choice of Clear Names [NAI]
6.18 Dead Store [WXQ]
6.19 Unused Variable [YZS]
6.20 Identifier Name Reuse [YOW]
6.21 Namespace Issues [BJL]
6.22 Initialization of Variables [LAV]
6.23 Operator Precedence and Associativity [JCW]
6.24 Side-effects and Order of Evaluation of Operands [SAM]
6.25 Likely Incorrect Expression [KOA]
6.26 Dead and Deactivated Code [XYQ]
6.27 Switch Statements and Static Analysis [CLL]
6.28 Demarcation of Control Flow [EOJ]
6.29 Loop Control Variables [TEX]
6.30 Off-by-one Error [XZH]
6.31 Structured Programming [EWD]
6.32 Passing Parameters and Return Values [CSJ]
6.33 Dangling References to Stack Frames [DCM]
6.34 Subprogram Signature Mismatch [OTR]
6.35 Recursion [GDL]
6.36 Ignored Error Status and Unhandled Exceptions [OYB]
6.37 Fault Tolerance and Failure Strategies [REU]
6.38 Type-breaking Reinterpretation of Data [AMV]
6.39 Deep vs. Shallow Copying [YAN]
6.40 Memory Leaks and Heap Fragmentation [XYL]
6.41 Templates and Generics [SYM]
6.42 Inheritance [RIP]
6.43 Violations of the Liskov Substitution Principle or the Contract Model [BLP]
6.44 Redispatching [PPH]
6.45 Polymorphic variables [BKK]
6.46 Extra Intrinsics [LRM]
6.47 Argument Passing to Library Functions [TRJ]
6.48 Inter-language Calling [DJS]
6.49 Dynamically-linked Code and Self-modifying Code [NYY]
6.50 Library Signature [NSQ]
6.51 Unanticipated Exceptions from Library Routines [HJW]
6.52 Pre-processor Directives [NMP]
6.53 Suppression of Language-defined Run-time Checking [MXB]
6.54 Provision of Inherently Unsafe Operations [SKL]
6.55 Obscure Language Features [BRS]
6.56 Unspecified Behaviour [BQF]
6.57 Undefined Behaviour [EWF]
6.58 Implementation-defined Behaviour [FAB]
6.59 Deprecated Language Features [MEM]
6.60 Concurrency – Activation [CGA]
6.61 Concurrency – Directed termination [CGT]
6.62 Concurrent Data Access [CGX]
6.63 Concurrency – Premature Termination [CGS]
6.64 Protocol Lock Errors [CGM]
6.65 Reliance on External Format String [SHL]
7 Application Vulnerabilities
7.1 General
7.2 Unrestricted File Upload [CBF]
7.3 Download of Code Without Integrity Check [DLB]
7.4 Inclusion of Functionality from Untrusted Control Sphere [DHU]
7.5 URL Redirection to Untrusted Site ('Open Redirect') [PYQ]
7.6 Use of unchecked data from an uncontrolled or tainted source [EFS]
7.7 Cross-site Scripting [XYT]
7.8 Adherence to Least Privilege [XYN]
7.9 Privilege Sandbox Issues [XYO]
7.10 Executing or Loading Untrusted Code [XYS]
7.11 Missing Required Cryptographic Step [XZS]
7.12 Insufficiently Protected Credentials [XYM]
7.13 Missing or Inconsistent Access Control [XZN]
7.14 Authentication Logic Error [XZO]
7.15 Hard-coded Password [XYP]
7.16 Sensitive Information Uncleared Before Use [XZK]
7.17 Improperly Verified Signature [XZR]
7.18 Use of a One-Way Hash without a Salt [MVX]
7.19 Inadequately Secure Communication of Shared Resources [CGY]
7.20 Memory Locking [XZX]
7.21 Resource Exhaustion [XZP]
7.22 Time Consumption Measurement [CCM]
7.23 Incorrect Authorization [BJE]
7.24 Improper Restriction of Excessive Authentication Attempts [WPL]
7.25 Unspecified Functionality [BVQ]
7.26 Distinguished Values in Data Types [KLK]
7.27 Resource Names [HTS]
7.28 Injection [RST]
7.29 Unquoted Search Path or Element [XZQ]
7.30 Discrepancy Information Leak [XZL]
7.31 Path Traversal [EWR]
7.32 Clock Issues [CCI]
7.33 Time Drift and Jitter [CDJ]
Annex A (informative) Vulnerability Taxonomy and List
A.1 General
A.2 Outline of Programming Language Vulnerabilities
A.3 Outline of Application Vulnerabilities
A.4 Vulnerability List
Annex B (informative) Language Specific Vulnerability Template
Bibliography
Index