Explanation on TR24772 by Tatsuaki Takebe

M. Takebe is a contributor to ISO/IEC TR 24772:2010, Information technology -- Programming languages -- Guidance to avoiding vulnerabilities in programming languages through language selection and use.

http://grouper.ieee.org/groups/plv/

WEBCAST: https://www.youtube.com/watch?v=GuY0DJxyiiU

OWASP Montréal

January 23, 2014

Transcript

  1. Explanation on TR24772
     Tatsuaki Takebe
     ISO/IEC JTC 1/SC 27/WG 3, WG 4
     ISO/IEC JTC 1/SC 22
     IEC TC 65/WG 10
     Yokogawa Electric Corp.
     ISO/IEC TR 24772 1
  2. What is ISO/IEC TR 24772
     • Technical Report
     • Programming language specific vulnerabilities
     • Guidance to avoid or mitigate vulnerabilities
     • Sources are
       o Safety (MISRA, MISRA C++ etc.)
       o CERT C guidelines
       o Ada Quality and Style Guide
       o JSF AV C++ Guidelines
       o CWE
  3. Structure of TR24772
     • 0 Intro, 1 Scope, 2 Ref, 3 Term
     • 4. Concepts
     • 5. Vulnerability issues
     • 6. Programming language vulnerabilities
     • 7. Application vulnerabilities
     • 8. New vulnerabilities
     • A. Vulnerability taxonomy and list
     • B. Language specific template
     • C. Ada
     • D. C
     • E. Python
     • F. Ruby
     • G. SPARK
     • H. PHP
     • I. Fortran
  4. Who made TR24772
     • ISO/IEC JTC 1 SC 22/WG 23 + other WGs
     • SC 22 Structure
       o WG4 - COBOL
       o WG5 - Fortran
       o WG9 - Ada
       o WG14 - C
       o WG17 - Prolog
       o WG19 - Formal Specification Languages
       o WG21 - C++
       o WG23 - Programming Language Vulnerabilities
  5. The former SC 22 WGs
     • WG1 - PLIP (Programming Languages for Industrial Processes)
     • WG2 - Pascal*
     • WG3 - APL*
     • WG6 - Algol
     • WG7 - PL/I*
     • WG8 - Basic*
     • WG10 - Guidelines
     • WG11 - Binding Techniques
     • WG12 - Conformity
     • WG13 - Modula-2*
     • WG15 - POSIX*
     • WG16 - ISLisp
     • WG18 - FIMS (Form Interface Management System)*
     • WG20 - Internationalization*
     • WG22 - PCTE*
     • JSG - Java Study Group
     • I18NRG - Internationalization Rapporteur Group
     • PAG - POSIX Advisory Group
  6. Concepts
     • Purpose
       o Specifies software programming language vulnerabilities to be avoided
       o Body -> Language independent vulnerabilities
     • Intended audience
       o Those who are concerned with assuring the predictable execution of the software
       o Developers, QA, maintainers of SW systems
     • How to use this document
       o Programmers: to learn the vulnerabilities of an unfamiliar language
       o Tool vendors: to identify the vulnerability labels to implement in their tools
       o Reference for writing coding guidelines at an organization
  7. Vulnerability issues
     1. Predictable execution
     2. Sources of unpredictability in language specification
     3. Sources of unpredictability in language usage
  8. Programming language vulnerabilities 0
     • Statically
     • Data representation
       o Data type, Bit representation, Floating point, Numeric conversion, String termination, Buffer boundary, Null Pointer etc.
     • Machine dependent
     • Independent from Usage
  9. Programming language vulnerabilities 1
     1. General
     2. Terminology
     3. Type System [IHN]
     4. Bit Representations [STR]
     5. Floating-point Arithmetic [PLF]
     6. Enumerator Issues [CCB]
     7. Numeric Conversion Errors [FLC]
     8. String Termination [CJM]
     9. Buffer Boundary Violation (Buffer Overflow) [HCB]
     10. Unchecked Array Indexing [XYZ]
     11. Unchecked Array Copying [XYW]
     12. Pointer Casting and Pointer Type Changes [HFC]
     13. Pointer Arithmetic [RVG]
     14. Null Pointer Dereference [XYH]
     15. Dangling Reference to Heap [XYK]
  10. Programming language vulnerabilities 2
     16. Arithmetic Wrap-around Error [FIF]
     17. Using Shift Operations for Multiplication and Division [PIK]
     18. Sign Extension Error [XZI]
     19. Choice of Clear Names [NAI]
     20. Dead Store [WXQ]
     21. Unused Variable [YZS]
     22. Identifier Name Reuse [YOW]
     23. Namespace Issues [BJL]
     24. Initialization of Variables [LAV]
     25. Operator Precedence/Order of Evaluation [JCW]
     26. Side-effects and Order of Evaluation [SAM]
     27. Likely Incorrect Expression [KOA]
     28. Dead and Deactivated Code [XYQ]
     29. Switch Statements and Static Analysis [CLL]
     30. Demarcation of Control Flow [EOJ]
     31. Loop Control Variables [TEX]
     32. Off-by-one Error [XZH]
     33. Structured Programming [EWD]
     34. Passing Parameters and Return Values [CSJ]
     35. Dangling References to Stack Frames [DCM]
     36. Subprogram Signature Mismatch [OTR]
  11. Programming language vulnerabilities 3
     37. Recursion [GDL]
     38. Ignored Error Status and Unhandled Exceptions [OYB]
     39. Termination Strategy [REU]
     40. Type-breaking Reinterpretation of Data [AMV]
     41. Memory Leak [XYL]
     42. Templates and Generics [SYM]
     43. Inheritance [RIP]
     44. Extra Intrinsics [LRM]
     45. Argument Passing to Library Functions [TRJ]
     46. Inter-language Calling [DJS]
     47. Dynamically-linked Code and Self-modifying Code [NYY]
     48. Library Signature [NSQ]
     49. Unanticipated Exceptions from Library Routines [HJW]
     50. Pre-processor Directives [NMP]
     51. Suppression of Language-defined Run-time Checking [MXB]
     52. Provision of Inherently Unsafe Operations [SKL]
     53. Obscure Language Features [BRS]
     54. Unspecified Behaviour [BQF]
     55. Undefined Behaviour [EWF]
     56. Implementation-defined Behaviour [FAB]
     57. Deprecated Language Features [MEM]
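Several entries in the language vulnerability list above (slides 9 to 11) describe the same small class of C mistakes: Arithmetic Wrap-around [FIF], Numeric Conversion Errors [FLC], Sign Extension [XZI], String Termination [CJM], Buffer Boundary Violation [HCB] and Off-by-one [XZH]. The following is an added example, not code from the slides or from TR 24772 itself; the function names and the constructed inputs are my own. Each function shows the check that turns the silent failure into a detected one:

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* [FIF] Arithmetic wrap-around: a + b on size_t silently wraps past SIZE_MAX,
 * so a length computed this way can come out tiny. Check before adding. */
bool checked_add_size(size_t a, size_t b, size_t *out)
{
    if (a > SIZE_MAX - b) {
        return false;                 /* the sum would wrap */
    }
    *out = a + b;
    return true;
}

/* [FLC] Numeric conversion: copying a signed length into size_t turns -1 into
 * a huge value. Reject negatives explicitly instead of letting the cast run. */
bool size_from_long(long v, size_t *out)
{
    if (v < 0) {
        return false;
    }
    *out = (size_t)v;
    return true;
}

/* [XZI] Sign extension: where char is signed, a byte >= 0x80 read into an int
 * becomes negative (0xC8 -> -56). Going through unsigned char always yields
 * 0..255, whichever signedness the platform gives plain char. */
int byte_value_unsafe(char c) { return (int)c; }
int byte_value_safe(char c)   { return (int)(unsigned char)c; }

/* [CJM]/[HCB] String termination and buffer boundary: strncpy() does not
 * guarantee a terminator. This copy always terminates dst and reports whether
 * the source had to be truncated, so the caller can refuse instead of continue. */
bool bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n;
    if (dst == NULL || dst_size == 0 || src == NULL) {
        return false;
    }
    n = strlen(src);
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return false;                 /* truncated, but still terminated */
    }
    memcpy(dst, src, n + 1);          /* includes the terminator */
    return true;
}

/* [XZH] Off-by-one: looping with i <= len over len elements reads one past
 * the end. A valid index into len elements satisfies strictly i < len. */
bool index_in_bounds(size_t index, size_t len)
{
    return index < len;
}

int main(void)
{
    size_t sum;
    char buf[8];
    /* Constructed inputs for a stand-alone run. */
    printf("checked_add_size(SIZE_MAX, 1): %s\n",
           checked_add_size(SIZE_MAX, 1, &sum) ? "ok" : "would wrap");
    printf("byte_value_safe(0xC8): %d\n", byte_value_safe((char)0xC8));
    printf("bounded_copy(\"hello, world\") truncated: %s -> \"%s\"\n",
           bounded_copy(buf, sizeof buf, "hello, world") ? "no" : "yes", buf);
    printf("index 8 in 8 elements: %s\n", index_in_bounds(8, 8) ? "yes" : "no");
    return 0;
}
```

The value of byte_value_unsafe is deliberately left platform-dependent: it is the behaviour the [XZI] entry warns about, and a test that accepts both -56 and 200 is the honest way to pin it down.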
  12. Application vulnerabilities 1
     1. General
     2. Terminology
     3. Unspecified Functionality [BVQ]
     4. Distinguished Values in Data Types [KLK]
     5. Adherence to Least Privilege [XYN]
     6. Privilege Sandbox Issues [XYO]
     7. Executing or Loading Untrusted Code [XYS]
     8. Memory Locking [XZX]
     9. Resource Exhaustion [XZP]
     10. Unrestricted File Upload [CBF]
     11. Resource Names [HTS]
     12. Injection [RST]
     13. Cross-site Scripting [XYT]
     14. Unquoted Search Path or Element [XZQ]
     15. Improperly Verified Signature [XZR]
  13. Application vulnerabilities 2
     16. Discrepancy Information Leak [XZL]
     17. Sensitive Information Uncleared Before Use [XZK]
     18. Path Traversal [EWR]
     19. Missing Required Cryptographic Step [XZS]
     20. Insufficiently Protected Credentials [XYM]
     21. Missing or Inconsistent Access Control [XZN]
     22. Authentication Logic Error [XZO]
     23. Hard-coded Password [XYP]
     24. Download of Code Without Integrity Check [DLB]
     25. Incorrect Authorization [BJE]
     26. Inclusion of Functionality from Untrusted Control Sphere [DHU]
     27. Improper Restriction of Excessive Authentication Attempts [WPL]
     28. URL Redirection to Untrusted Site ('Open Redirect') [PYQ]
     29. Use of a One-Way Hash without a Salt [MVX]
  14. New vulnerabilities 0
     1. Recently captured vulnerabilities
     2. Should go into either Cl 6 or Cl 7
  15. New vulnerabilities 1
     1. General
     2. Terminology
     3. Concurrency – Activation [CGA]
     4. Concurrency – Directed termination [CGT]
     5. Concurrent Data Access [CGX]
     6. Concurrency – Premature Termination [CGS]
     7. Protocol Lock Errors [CGM]
     8. Inadequately Secure Communication of Shared Resources [CGY]
     9. Use of unchecked data from an uncontrolled or tainted source [EFS]
     10. Uncontrolled Format String [SHL]
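Two of the application-level entries, Path Traversal [EWR] on slide 13 and Use of unchecked data from an uncontrolled or tainted source [EFS] on slide 15, share one remedy: validate the untrusted value completely before it reaches the file system or an arithmetic context. The following is an added example in C, not code from the slides or from TR 24772; the function names, the root directory and the sample inputs are constructed for illustration:

```c
#include <assert.h>
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* [EWR] Path traversal: accept only a relative path made of plain segments.
 * Rejects an absolute path, empty segments ("a//b", trailing "/"), "." and ".."
 * segments, and backslashes, so a Windows-style separator cannot slip past. */
bool is_confined_relative_path(const char *p)
{
    const char *seg;
    if (p == NULL || *p == '\0' || *p == '/') {
        return false;
    }
    seg = p;
    for (;;) {
        const char *end = strchr(seg, '/');
        size_t len = end ? (size_t)(end - seg) : strlen(seg);
        if (len == 0) return false;                               /* "//" or trailing "/" */
        if (len == 1 && seg[0] == '.') return false;              /* "." segment */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return false; /* ".." segment */
        if (memchr(seg, '\\', len) != NULL) return false;
        if (end == NULL) return true;
        seg = end + 1;
    }
}

/* Join a fixed root and an already-validated relative path. Fails when the
 * path is not confined or when the result would not fit the buffer. */
bool join_under_root(const char *root, const char *rel, char *out, size_t out_size)
{
    int n;
    if (!is_confined_relative_path(rel)) {
        return false;
    }
    n = snprintf(out, out_size, "%s/%s", root, rel);
    return n >= 0 && (size_t)n < out_size;
}

/* [EFS] Tainted data: parse an integer from a request field completely.
 * atoi() reports nothing about junk or overflow; strtol() with an end pointer
 * and errno does, and the range check keeps the value meaningful as a port. */
bool parse_port(const char *s, unsigned *out)
{
    char *end;
    long v;
    if (s == NULL || !isdigit((unsigned char)*s)) {
        return false;                  /* empty, sign, or leading whitespace */
    }
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0') {
        return false;                  /* overflow or trailing junk */
    }
    if (v < 1 || v > 65535) {
        return false;
    }
    *out = (unsigned)v;
    return true;
}

int main(void)
{
    char path[64];
    unsigned port;
    /* Constructed inputs for a stand-alone run; "/srv/data" is a made-up root. */
    printf("uploads/report.txt -> %s\n",
           join_under_root("/srv/data", "uploads/report.txt", path, sizeof path) ? path : "rejected");
    printf("../etc/passwd -> %s\n",
           join_under_root("/srv/data", "../etc/passwd", path, sizeof path) ? path : "rejected");
    printf("port \"8080\" -> %s\n", parse_port("8080", &port) ? "accepted" : "rejected");
    printf("port \"80x\" -> %s\n", parse_port("80x", &port) ? "accepted" : "rejected");
    return 0;
}
```

The check is lexical only: it keeps the name inside the root as written, but a symbolic link already present under the root can still point elsewhere, so a real service also resolves the final path (realpath() or open with O_NOFOLLOW style flags) before trusting it.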
  16. Recent updates
     • Analyzed the TR 24772
     • Covered CWE top 25
     • OWASP top 10 is tightly linked with CWE top 25
     • OWASP is being incorporated
     • ISO/IEC JTC 1 SC 22/WG 23 would appreciate a mutual cooperative relationship or liaison, if possible
  17. OWASP <-> CWE
     OWASP A1 – Injection
       CWE-89 – SQL command (Top 25 #1)
       CWE-78 – OS command (Top 25 #2)
     OWASP A2 – Broken authentication (incl. session tampering, fixation, reuse, etc.)
       CWE-306 – Missing Authentication for Critical Function (Top 25 #5)
       CWE-307 – Improper Restriction of Excessive Authentication Attempts (Top 25 #21)
       CWE-798 – Use of Hard-coded Credentials (Top 25 #7)
     OWASP A3 / CWE-79 – XSS (Top 25 #4)
     OWASP A4 – Insecure direct object references
       CWE-22 – Unrestricted Use of a Pathname (Path Traversal) (Top 25 #13)
       CWE-434 – Unrestricted Upload of Dangerous Type File (Top 25 #9)
       CWE-829 – Untrusted Function Use (Sandboxing Violation) (Top 25 #16)
       CWE-862 & CWE-863 – Missing / improper Authorization (Top 25 #6 & #15)
     OWASP A5 – Security misconfiguration
       CWE-250 – Least Privilege Principle Violation (#11)
       CWE-732 – Incorrect Permission Assignment for Critical Resource (#17)
  18. OWASP <-> CWE
     OWASP A6 – Sensitive data exposure
       CWE-310 & CWE-326 – Bad encryption
       CWE-312 & CWE-319 – Cleartext storage / transmission
     OWASP A7 – Missing function-level access control
       CWE-285, CWE-862, CWE-863 – Missing / improper Authorization (#6 & #15)
     OWASP A8 / CWE-352 – CSRF (Top 25 #12)
     OWASP A9 – Using components with known vulnerabilities
     OWASP A10 / CWE-601 – Unvalidated redirects and forwards (#22)
     Others – non-OWASP
       CWE-120 – Classic Buffer Overflow (#3)
       CWE-131 – Incorrect Calculation of Buffer Size (#20)
       CWE-134 – Uncontrolled Format String (#23)
       CWE-190 – Integer Overflow or Wraparound (#24)
       CWE-494 – Code Download Without Integrity Check (#14)
       CWE-676 – Use of Potentially Dangerous Function (#18)
       CWE-807 – Use of Untrusted Inputs in a Security Decision (#10)
  19. Basic Concepts
     • Security is not achieved without careful analysis, inspection and effort
  20. SW Engineering
     [Diagram of the software engineering life cycle; stage labels: Concepts, User Requirements, System, Subsystem, Module/Parts Specifications, Implementation, Module/Parts, Subsystem, System Test/Verify/Validate, Config, Operation, Retirement]
  21. Security Engineering
     [Same life-cycle diagram as slide 20 with a security track alongside it; additional labels: Threats, Policy, Model, Specification, Design, Implementation]
  22. As presented on: http://cwe.mitre.org/community/swa/attacks.html
     Methodology described in the new ISO/IEC Technical Report 20004, "Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045"
  23. Vulnerabilities in CC 2.3
     • Find the vulnerabilities and provide countermeasures until the residual risk is acceptable. (From CC Part 1 V2.3)
  24. Possible Cooperation
     • Cooperation or Liaison between ISO/IEC JTC 1 SC 22/WG 23 and OWASP
     • Some suggestions or contributions from OWASP to the TR 24772 annexes, e.g. PHP, Python etc.