Language Vulnerabilities for Dummies

In case you do not know the “for Dummies” series of books, its principle is to explore a subject from the ground up, with rich explanations and examples for non-experts. That is, in my view, a valid alternative title for the recently published “Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use”. It is rich (around 70 vulnerabilities explored), detailed (130 pages!) and accessible (it contains the best discussion I have read of unspecified, implementation-defined and undefined behavior).

The ISO/IEC committee has produced here a language-neutral evaluation of the ways in which a language may “get in the way”, and of how to avoid traps and pitfalls either upfront (in language design) or in the field (through coding standards and the use of static analysis tools). This is a must-read for anyone whose task is to establish coding guidelines, recommend the use of a static analysis tool, or choose a programming language for a project.

While Ada and SPARK naturally stand out as the languages with fewer vulnerabilities, the document also shows the many uses of static analysis tools, from coding standard checking (like GNATcheck) to static analysis (like CodePeer) and formal proof (like the SPARK toolset). The recommendations also match well with the restrictions of the Alfa subset of Ada that we are defining in project Hi-Lite. (See for example the discussion of aliasing in section 6.39 “Passing Parameters and Return Values”.)

This entry was posted in Certification, Papers and Slides.

3 Comments

  1. David
    Posted June 29, 2011 at 14:08 | Permalink

    As usual with ISO/IEC documents, you should pay for the final version, and it is overpriced. Why would you expect people to follow this document's guidelines if the document is not widely available?

    Of course, one can use a draft of the document, available on the web. I just hope the latest draft is not too buggy.

    For me, now that we have the Internet, the whole ISO/IEC process is bound to fail its purpose. Such a document should have been an RFC or W3C standard (i.e. available freely for everybody).

  2. Yannick Moy
    Posted June 29, 2011 at 14:12 | Permalink

    Agreed! Hence the link on lmgtfy, which lets you find what Google finds…

  3. Yannick Moy
    Posted February 6, 2012 at 09:56 | Permalink

