WG 14 Document: N 1590

G3  New Work Item Proposal

March 2007

PROPOSAL FOR A NEW WORK ITEM

Date of presentation of proposal:
YYYY-MM-DD

Proposer: ISO/IEC JTC 1/SC 22/WG 14

Secretariat:
ANSI (United States)

ISO/IEC JTC 1 N XXXX
ISO/IEC JTC 1/SC 22 N XXX


A proposal for a new work item shall be submitted to the secretariat of the ISO/IEC joint technical committee concerned with a copy to the ISO Central Secretariat.

Presentation of the proposal - to be completed by the proposer.

Title Information Technology — Programming languages, their environments and system software interfaces — C Secure Coding Rules

Scope This Technical Specification will specify a set of secure coding rules for the C Programming Language. Each rule will contain:

  • a complete explanation of the security flaw being addressed

  • any cross reference to other coding standards

  • example of the flaw in code form


This International Standard will not specify:

  • any C Programming Language coding style

  • method for enforcing the rules

Purpose and justification

An important part of secure coding in any programming language is a set of well-documented and enforceable coding rules. The rules specified in this Technical Specification will apply only to the C Programming Language. These rules are intended to apply to analyzers, including static and/or dynamic tools, and C language compilers that diagnose insecure code beyond the requirements of the current ISO C language standard. All rules are meant to be enforceable by some type of a static analysis tool.

Programme of work

If the proposed new work item is approved, which of the following document(s) is (are) expected to be developed?
___ a single International Standard
___   more than one International Standard (expected number: ........  )
____ a multi-part International Standard consisting of ..........  parts
____ an amendment or amendments to the following International Standard(s) ....................................
_X__ a technical report , type II, Technical Specification

And which standard development track is recommended for the approved new work item?

_X_ a. Default Timeframe
____b. Accelerated Timeframe
____c. Extended Timeframe

Relevant documents to be considered

  • [ISO/IEC 9899:1999] Programming Languages – C.

  • [ISO/IEC 9899:1999] Cor 1:2001, Programming Languages – C – Technical Corrigendum 1.

  • [ISO/IEC 9899:1999] Cor 2:2004, Programming Languages – C – Technical Corrigendum 2.

  • [ISO/IEC 9899:1999] Cor 3:2007, Programming Languages – C – Technical Corrigendum 3.

  • [ISO/IEC 9899-C1X] Committee Draft of upcoming revision of Programming Languages – C.

  • [ISO/IEC TR 24731-1:2007] Extensions to the C Library, Part I: Bounds-checking interfaces.

  • [ISO/IEC TR 24731-2] ISO/IEC TR 24731-2 Extensions to the C Library, Part II: Dynamic Allocation Functions.

  • [ISO/IEC TR 24772:2010] Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use

  • [ISO/IEC/IEEE 9945:2009] Information technology – Portable Operating System Interface (POSIX®) Base Specifications, Issue 7.

Co-operation and liaison

Liaison with ISO/IEC JTC 1/SC 22/WG 23 (Programming Language Vulnerabilities)

Preparatory work offered with target date(s)

A preliminary working draft is circulated with this New Work Item Proposal

Signature:

Will the service of a maintenance agency or registration authority be required? ........No..............
- If yes, have you identified a potential candidate? ................
- If yes, indicate name .............................................................

Are there any known requirements for coding? ........No.............
-If yes, please specify on a separate page

Does the proposed standard concern known patented items? .......No............
- If yes, please provide full information in an annex

 

Are there any known accessibility requirements and/or dependencies (see: http://www.jtc1access.org)?........No............

-If yes, please specify on a separate page

 

Are there any known requirements for cultural and linguistic adaptability?.........No..................

-If yes, please specify on a separate page


Comments and recommendations of the JTC 1 or SC XXSecretariat - attach a separate page as an annex, if necessary

Comments with respect to the proposal in general, and recommendations thereon:
It is proposed to assign this new item to JTC 1/SC XX


Voting on the proposal - Each P-member of the ISO/IEC joint technical committee has an obligation to vote within the time limits laid down (normally three months after the date of circulation).

Date of circulation:
YYYY-MM-DD

Closing date for voting:
YYYY-MM-DD

Signature of Secretary:

 

NEW WORK ITEM PROPOSAL -
PROJECT ACCEPTANCE CRITERIA

 

 

Criterion

Validity                   

Explanation           

A. Business Requirement   

 

 

A.1 Market Requirement

Essential _X__
Desirable ___
Supportive ___

 An essential element of secure coding in the C programming language is a set of well-documented and enforceable coding rules.

B.  Related Work

 

 

B.1 Completion/Maintenance of current standards

Yes ___

No__X_  

 

B.2 Commitment to other organization

Yes ___

No__X_

 

B.3 Other Source of standards

Yes ___

No__X_

 

C.  Technical Status

 

 

C.1 Mature Technology

Yes ___

No_X__

The immaturity of the technology is the reasoning behind requesting a TS.

C.2 Prospective Technology

Yes ___

No_X_

 

C.3 Models/Tools

Yes ___

No_X_

 

D.  Conformity Assessment and Interoperability

 

 

D.1 Conformity Assessment

Yes ___

No_X_

 

D.2 Interoperability

Yes ___

No__X_

 

E. Adaptability to Culture, Language, Human Functioning and Context of Use

 

 

E.1 Cultural and Linguistic Adaptability

Yes ___

No__X_

 We believe the technology being developed for the secure coding rules will support cultural and linguistic adaptability.

E.2 Adaptability to Human Functioning and Context of Use

Yes ___

No__X_

 

F.  Other Justification

 

 


Notes to Proforma

A.  Business Relevance.  That which identifies market place relevance in terms of what problem is being solved and or need being addressed.

A.1 Market Requirement.  When submitting a NP, the proposer shall identify the nature of the Market Requirement, assessing the extent to which it is essential, desirable or merely supportive of some other project.

A.2 Technical Regulation.  If a Regulatory requirement is deemed to exist -  e.g. for an area of public concern  e.g. Information Security, Data protection, potentially leading to regulatory/public interest action based on the use of this voluntary international standard - the proposer shall identify this here.

B.  Related Work.  Aspects of the relationship of this NP to other areas of standardisation work shall be identified in this section.

B.1 Competition/Maintenance.  If this NP is concerned with completing or maintaining existing standards, those concerned shall be identified here.

B.2 External Commitment.  Groups, bodies, or for a external to JTC 1 to which a commitment has been made by JTC for Co-operation and or collaboration on this NP shall be identified here.

B.3 External Std/Specification.  If other activities creating standards or specifications in this topic area are known to exist or be planned, and which might be available to JTC 1 as PAS, they shall be identified here.

C.  Technical Status.  The proposer shall indicate here an assessment of the extent to which the proposed standard is supported by current technology.

C.1 Mature Technology.  Indicate here the extent to which the technology is reasonably stable and ripe for standardisation.

C.2 Prospective Technology.  If the NP is anticipatory in nature based on expected or forecasted need, this shall be indicated here.

C.3 Models/Tools.  If the NP relates to the creation of supportive reference models or tools, this shall be indicated here.

D.  Conformity Assessment and Interoperability   Any other aspects of background information justifying this NP shall be indicated here.

D.1 Indicate here if Conformity Assessment is relevant to your project.  If so, indicate how it is addressed in your project plan.

D.2 Indicate here if Interoperability is relevant to your project.  If so, indicate how it is addressed in your project plan

E. Adaptability to Culture, Language, Human Functioning and Context of Use
NOTE: The following criteria do not mandate any feature for adaptability to culture, language, human functioning or context of use. The following criteria require that if any features are provided for adapting to culture, language, human functioning or context of use by the new Work Item proposal, then the proposer is required to identify these features.

E.1 Cultural and Linguistic Adaptability. Indicate here if cultural and natural language adaptability is applicable to your project. If so, indicate how it is addressed in your project plan.

ISO/IEC TR 19764 (Guidelines, methodology, and reference criteria for cultural and linguistic adaptability in information technology products) now defines it in a simplified way:

- "ability for a product, while keeping its portability and interoperability properties, to:
- be internationalized, that is, be adapted to the special characteristics of natural languages and the commonly accepted rules for their se, or of cultures in a given geographical region;
- take into account the usual needs of any category of users, with the exception of specific needs related to physical constraints


Examples of characteristics of natural languages are: national characters and associated elements (such as hyphens, dashes, and punctuation marks), writing systems, correct transformation of characters, dates and measures, sorting and searching rules, coding of national entities (such as country and currency codes), presentation of telephone numbers and keyboard layouts. Related terms are localization, jurisdiction and multilingualism.

E.2 Adaptability to Human Functioning and Context of Use. Indicate here whether the proposed standard takes into account diverse human functioning and diverse contexts of use. If so, indicate how it is addressed in your project plan.
NOTE:
1. Human functioning is defined by the World Health Organization at http://www3.who.int/icf/beginners/bg.pdf as: << In ICF (International Classification of Functioning, Disability and Health), the term functioning refers to all body functions, activities and participation. >>
2. Content of use is defined in ISO 9241-11:1998 (Ergonomic requirements for office work with visual display terminals (VDTs) Part 11: Guidance on usability) as: << Users, tasks, equipment (hardware, software and materials), and the physical and societal environments in which a product is used.>>
3. Guidance for Standard Developers to address the needs of older persons and persons with disabilities).

F. Other Justification   Any other aspects of background information justifying this NP shall be indicated here.