In case you do not know the series of books “for Dummies”, its principle is to explore a subject from the ground up, with rich explanations and examples for non-experts. That’s in my view a valid alternative title for the recently published “Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use”. Rich (around 70 vulnerabilities explored) + detailed (130 pages!) + accessible (it contains the best discussion I’ve read of unspecified/implementation-defined/undefined behavior).
The ISO/IEC committee has produced here a language-neutral evaluation of the ways in which a language may “come in the way”, and how to avoid traps and pitfalls either upfront (in language design) or in the field (through coding standards and use of static analysis tools). This is a must-read for anyone whose task is to establish coding guidelines, recommend the usage of a static analysis tool, or choose a programming language for some project.
While Ada and SPARK naturally stand as the languages with fewer vulnerabilities, it also shows the many uses of static analysis tools, from coding standard checking (like GNATcheck) to static analysis (like CodePeer) and formal proof (like SPARK toolset). The recommendations also match well the restrictions for the Alfa subset of Ada that we are defining in project Hi-Lite. (See for example the discussion of aliasing in section 6.39 “Passing Parameters and Return Values”.)
5 Comments
As usual with ISO/IEC documents, you should pay for the final version and it is overpriced. Why would expect people to follow this document guidelines, if the document is not widely available?
Of course, one can use a draft of the document, available on the web. I just hope the latest draft is not too buggy.
For me, now that we have Internet, the whole ISO/IEC process is bound to fail its purpose. Such document should have been RFC or W3C standards (i.e. available freely for everybody).
Agreed! Hence the link on lmgtfy, which lets you find what google finds…
Here is the latest draft: http://grouper.ieee.org/groups/plv/DocLog/300-399/380-thru-399/22-WG23-N-0389/n0389.pdf
Amazing things here. I am very satisfied to look your article.
Thanks so much and I am looking ahead to touch you.
Will you kindly drop me a e-mail?
Also visit my blog post – taxi
Tһey attended concerns ᧐f people ѡho felt discriminated against somebody operate ѕuch
ɑs tһe discover һow tο present a complaint. Shօuld the
director not ᴡish tо make a disqualification undertaking, оr ԝon’t answer the
Insolvency Service’ѕ communication, thеn tһіѕ case for disqualification is forwarded
tо tһe courts. Fraud agaіnst credit cards
ɑnd looк systems haѕ gotten more sophisticated tһrough the years, as defenses havе ցotten modern-day.
My blog post :: NV Registered Agent in Lynwood California
One Trackback
raovat.thieungoc.gov.vn…
Language Vulnerabilities for Dummies…