iTeh Standards logo
EURUSD
Your shopping cart is empty.
ISO

ISO/IEC 24772-1:2024

(Main)

Programming languages — Avoiding vulnerabilities in programming languages — Part 1: Language-independent catalogue of vulnerabilities

Programming languages — Avoiding vulnerabilities in programming languages — Part 1: Language-independent catalogue of vulnerabilities

This document enumerates approaches and techniques to avoid software programming language vulnerabilities in the development of systems where assured behaviour is required for security, safety, mission-critical and business-critical software. In general, the description of the vulnerabilities and description of avoidance mechanisms are applicable to the software developed, reviewed, or maintained for any application. Vulnerabilities are described in a generic manner that is applicable to a broad range of programming languages.

Langages de programmation — Conduite pour éviter les vulnérabilités dans les langages de programmation — Partie 1: Catalogue de vulnérabilités indépendant du langage

General Information

Status
Published
Publication Date
28-Oct-2024
ICS
35.060 - Languages used in information technology
Technical Committee
ISO/IEC JTC 1/SC 22 - Programming languages, their environments and system software interfaces
Drafting Committee
ISO/IEC JTC 1/SC 22 - Programming languages, their environments and system software interfaces
Current Stage
6060 - International Standard published
Start Date
29-Oct-2024
Due Date
19-Nov-2024
Completion Date
29-Oct-2024
Ref Project

Relations

Revises
ISO/IEC TR 24772-1:2019 - Programming languages — Guidance to avoiding vulnerabilities in programming languages — Part 1: Language-independent guidance
Effective Date
06-Jun-2022
ISO/IEC 24772-1:2024 - Programming languages — Avoiding vulnerabilities in programming languages — Part 1: Language-independent catalogue of vulnerabilities Released:10/29/2024ISO/IEC 24772-1:2024 - Programming languages — Avoiding vulnerabilities in programming languages — Part 1: Language-independent catalogue of vulnerabilities Released:10/29/2024
PreviousNext
Standard
ISO/IEC 24772-1:2024 - Programming languages — Avoiding vulnerabilities in programming languages — Part 1: Language-independent catalogue of vulnerabilities Released:10/29/2024
English language
153 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)


International
Standard
ISO/IEC 24772-1
First edition
Programming languages — Avoiding
2024-10
vulnerabilities in programming
languages —
Part 1:
Language-independent catalogue of
vulnerabilities
Langages de programmation — Conduite pour éviter les
vulnérabilités dans les langages de programmation —
Partie 1: Catalogue de vulnérabilités indépendant du langage
Reference number
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2024 – All rights reserved
ii
Contents Page
Foreword . xv
Introduction . xvii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
3.1 Communication .1
3.2 Execution model .1
3.3 Properties .2
3.4 Safety and security .3
3.5 Vulnerabilities .3
3.6 Specific vulnerabilities .3
4 Using this document . 4
4.1 Purpose of this document .4
4.2 Applying this document .5
4.3 Structure of this document .6
5 General vulnerability issues and primary avoidance mechanisms . 7
5.1 General vulnerability issues .7
5.1.1 Predictable execution .7
5.1.2 Sources of unpredictability in language specification .8
5.1.3 Sources of unpredictability in language usage .9
5.2 Primary avoidance mechanisms .9
6 Programming language vulnerabilities.11
6.1 General .11
6.2 Type system [IHN]. 12
6.2.1 Description of application vulnerability . 12
6.2.2 Related coding guidelines . 12
6.2.3 Mechanism of failure . 12
6.2.4 Applicable language characteristics . 13
6.2.5 Avoiding the vulnerability or mitigating its effects . 13
6.2.6 Implications for language design and evolution .14
6.3 Bit representations [STR] .14
6.3.1 Description of application vulnerability .14
6.3.2 Related coding guidelines .14
6.3.3 Mechanism of failure . 15
6.3.4 Applicable language characteristics . 15
6.3.5 Avoiding the vulnerability or mitigating its effects . 15
6.3.6 Implications for language design and evolution .16
6.4 Floating-point arithmetic [PLF] .16
6.4.1 Description of application vulnerability .16
6.4.2 Related coding guidelines .16
6.4.3 Mechanism of failure .16
6.4.4 Applicable language characteristics .17
6.4.5 Avoiding the vulnerability or mitigating its effects .17
6.4.6 Implications for language design and evolution .18
6.5 Enumerator issues [CCB] .18
6.5.1 Description of application vulnerability .18
6.5.2 Related coding guidelines .19
6.5.3 Mechanism of failure .19
6.5.4 Applicable language Characteristics .19
6.5.5 Avoiding the vulnerability or mitigating its effects . 20
6.5.6 Implications for language design and evolution . 20
6.6 Conversion errors [FLC] . 20
6.6.1 Description of application vulnerability . 20

© ISO/IEC 2024 – All rights reserved
iii
6.6.2 Related coding guidelines . 20
6.6.3 Mechanism of failure .21
6.6.4 Applicable language characteristics .21
6.6.5 Avoiding the vulnerability or mitigating its effects .21
6.6.6 Implications for language design and evolution . 22
6.7 String termination [CJM] . 22
6.7.1 Description of application vulnerability . 22
6.7.2 Related coding guidelines . 22
6.7.3 Mechanism of failure . 22
6.7.4 Applicable language characteristics . 22
6.7.5 Avoiding the vulnerability or mitigating its effects . 23
6.7.6 Implications for language design and evolution . 23
6.8 Buffer boundary violation (buffer overflow) [HCB] . 23
6.8.1 Description of application vulnerability . 23
6.8.2 Related coding guidelines . 23
6.8.3 Mechanism of failure .24
6.8.4 Applicable language characteristics .24
6.8.5 Avoiding the vulnerability or mitigating its effects .24
6.8.6 Implications for language design and evolution . 25
6.9 Unchecked array indexing [XYZ] . 25
6.9.1 Description of application vulnerability . 25
6.9.2 Related coding guidelines . 25
6.9.3 Mechanism of failure . 25
6.9.4 Applicable language characteristics . 26
6.9.5 Avoiding the vulnerability or mitigating its effects . 26
6.9.6 Implications for language designers . 26
6.10 Unchecked array copying [XYW] .27
6.10.1 Description of application vulnerability .27
6.10.2 Related coding guidelines .27
6.10.3 Mechanism of failure .27
6.10.4 Applicable language characteristics .27
6.10.5 Avoiding the vulnerability or mitigating its effects . 28
6.10.6 Implications for language design and evolution . 28
6.11 Pointer type conversions [HFC] . 28
6.11.1 Description of application vulnerability . 28
6.11.2 Related coding guidelines . 28
6.11.3 Mechanism of failure . 29
6.11.4 Applicable language characteristics . 29
6.11.5 Avoiding the vulnerability or mitigating its effects . 29
6.11.6 Implications for language design and evolution . 29
6.12 Pointer arithmetic [RVG] . 29
6.12.1 Description of application vulnerability . 29
6.12.2 Related coding guidelines . 29
6.12.3 Mechanism of failure . 29
6.12.4 Applicable language characteristics . 30
6.12.5 Avoiding the vulnerability or mitigating its effects . 30
6.12.6 Implications for language design and evolution . 30
6.13 Null pointer dereference [XYH] . 30
6.13.1 Description of application vulnerability . 30
6.13.2 Related coding guidelines . 30
6.13.3 Mechanism of failure . 30
6.13.4 Applicable language characteristics . 30
6.13.5 Avoiding the vulnerability or mitigating its effects . 30
6.13.6 Implications for language design and evolution .31
6.14 Dangling reference to heap [XYK] . .31
6.14.1 Description of application vulnerability .31
6.14.2 Related coding guidelines .31
6.14.3 Mechanism of failure .31
6.14.4 Applicable language characteristics .32

© ISO/IEC 2024 – All rights reserved
iv
6.14.5 Avoiding the vulnerability or mitigating its effects .32
6.14.6 Implications for language design and evolution .32
6.15 Arithmetic wrap-around error [FIF] . 33
6.15.1 Description of application vulnerability . 33
6.15.2 Related coding guidelines . 33
6.15.3 Mechanism of failure . 33
6.15.4 Applicable language characteristics . 34
6.15.5 Avoiding the vulnerability or mitigating its effects . 34
6.15.6 Implications for language design and evolution . 34
6.16 Using shift operations for multiplication and division [PIK] . 34
6.16.1 Description of application vulnerability . 34
6.16.2 Related coding guidelines . 34
6.16.3 Mechanism of failure . 34
6.16.4 Applicable language characteristics . 34
6.16.5 Avoiding the vulnerability or mitigating its effects . 35
6.16.6 Implications for language design and evolution . 35
6.17 Choice of clear names [NAI] . 35
6.17.1 Description of application vulnerability . 35
6.17.2 Related coding guidelines . 36
6.17.3 Mechanism of Failure . 36
6.17.4 Applicable language characteristics . 36
6.17.5 Avoiding the vulnerability or mitigating its effects . 36
6.17.6 Implications for language design and evolution .37
6.18 Dead store [WXQ] .37
6.18.1 Description of application vulnerability .37
6.18.2 Related coding guidelines .37
6.18.3 Mechanism of failure .37
6.18.4 Applicable language characteristics .37
6.18.5 Avoiding the vulnerability or mitigating its effects . 38
6.18.6 Implications for language design and evolution . 38
6.19 Unused variable [YZS] . 38
6.19.1 Description of application vulnerability . 38
6.19.2 Related coding guidelines . 38
6.19.3 Mechanism of failure . 38
6.19.4 Applicable language characteristics . 38
6.19.5 Avoiding the vulnerability or mitigating its effects . 38
6.19.6 Implications for language design and evolution . 39
6.20 Identifier name reuse [YOW] . 39
6.20.1 Description of application vulnerability . 39
6.20.2 Related coding guidelines . 39
6.20.3 Mechanism of failure . 39
6.20.4 Applicable language characteristics . 40
6.20.5 Avoiding the vulnerability or mitigating its effects . 40
6.20.6 Implications for language design and evolution . 40
6.21 Namespace issues [BJL] .41
6.21.1 Description of application vulnerability .41
6.21.2 Related coding guidelines .41
6.21.3 Mechanism of Failure .41
6.21.4 Applicable language characteristics .41
6.21.5 Avoiding the Vulnerability or Mitigating its Effects .42
6.21.6 Implications for language design and evolution .42
6.22 Missing initialization of variables [LAV] .42
6.22.1 Description of application vulnerability .42
6.22.2 Related coding guidelines .42
6.22.3 Mechanism of failure .43
6.22.4 Applicable language characteristics .43
6.22.5 Avoiding the vulnerability or mitigating its effects .43
6.22.6 Implications for language design and evolution . 44
6.23 Operator precedence and associativity [JCW] . 44

© ISO/IEC 2024 – All rights reserved
v
6.23.1 Description of application vulnerability . 44
6.23.2 Related coding guidelines . 44
6.23.3 Mechanism of failure .45
6.23.4 Applicable language characteristics .45
6.23.5 Avoiding the vulnerability or mitigating its effects .45
6.23.6 Implications for language design and evolution .45
6.24 Side-effects and order of evaluation of operands [SAM] .45
6.24.1 Description of application vulnerability .45
6.24.2 Related coding guidelines . 46
6.24.3 Mechanism of failure . 46
6.24.4 Applicable language characteristics .47
6.24.5 Avoiding the vulnerability or mitigating its effects .47
6.24.6 Implications for language design and evolution .47
6.25 Likely incorrect expression [KOA] .47
6.25.1 Description of application vulnerability .47
6.25.2 Related coding guidelines .47
6.25.3 Mechanism of failure . 48
6.25.4 Applicable language characteristics . 48
6.25.5 Avoiding the vulnerability or mitigating its effects . 48
6.25.6 Implications for language design and evolution . 48
6.26 Dead and deactivated code [XYQ] . 49
6.26.1 Description of application vulnerability . 49
6.26.2 Related coding guidelines . 49
6.26.3 Mechanism of failure . 49
6.26.4 Applicable language characteristics . 50
6.26.5 Avoiding the vulnerability or mitigating its effects . 50
6.26.6 Implications for language design and evolution . 50
6.27 Switch statements and lack of static analysis [CLL].51
6.27.1 Description of application vulnerability .51
6.27.2 Related coding guidelines .51
6.27.3 Mechanism of failure .51
6.27.4 Applicable language characteristics .51
6.27.5 Avoiding the vulnerability or mitigating its effects .51
6.27.6 Implications for language design and evolution .52
6.28 Non-demarcation of control flow [EOJ] .52
6.28.1 Description of application vulnerability .52
6.28.2 Related coding guidelines .52
6.28.3 Mechanism of failure .52
6.28.4 Applicable language characteristics .52
6.28.5 Avoiding the vulnerability or mitigating its effects .52
6.28.6 Implications for language design and evolution . 53
6.29 Loop control variable abuse [TEX] . 53
6.29.1 Description of application vulnerability . 53
6.29.2 Related coding guidelines . 53
6.29.3 Mechanism of failure . 54
6.29.4 Applicable language characteristics . 54
6.29.5 Avoiding the vulnerability or mitigating its effects . 54
6.29.6 Implications for language design and evolution . 54
6.30 Off-by-one error [XZH] . 54
6.30.1 Description of application vulnerability . 54
6.30.2 Related coding guidelines . 55
6.30.3 Mechanism of failure . 55
6.30.4 Applicable language characteristics . 55
6.30.5 Avoiding the vulnerability or mitigating its effects . 55
6.30.6 Implications for language design and evolution . 55
6.31 Unstructured programming [EWD] . 56
6.31.1 Description of application vulnerability . 56
6.31.2 Related coding guidelines . 56
6.31.3 Mechanism of failure . 56

© ISO/IEC 2024 – All rights reserved
vi
6.31.4 Applicable language characteristics . 56
6.31.5 Avoiding the vulnerability or mitigating its effects . 56
6.31.6 Implications for language design and evolution .57
6.32 Passing parameters and return values [CSJ] .57
6.32.1 Description of application vulnerability .57
6.32.2 Related coding guidelines .57
6.32.3 Mechanism of failure .57
6.32.4 Applicable language characteristics . 58
6.32.5 Avoiding the vulnerability or mitigating its effects . 58
6.32.6 Implications for language design and evolution .59
6.33 Dangling references to stack frames [DCM].59
6.33.1 Description of application vulnerability .59
6.33.2 Related coding guidelines .59
6.33.3 Mechanism of failure .59
6.33.4 Applicable language characteristics . 60
6.33.5 Avoiding the vulnerability or mitigating its effects . 60
6.33.6 Implications for language design and evolution . 60
6.34 Subprogram signature mismatch [OTR] .61
6.34.1 Description of application vulnerability .
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

Loading comments...

This May Also Interest You

ISO
ISO/IEC TS 13211-3:2025(Main)
Programming languages — Prolog — Part 3: Definite clause grammar rules as an extension of ISO/IEC 13211-1

This document promotes the applicability and portability of Prolog grammar rules in data processing systems that support standard Prolog as defined in ISO/IEC 13211–1:1995/Cor 1:2007/Cor 2:2012/Cor 3:2017 and ISO/IEC 13211–2:2000. This document specifies: a) The representation, syntax, and constraints of Prolog grammar rules b) A logical expansion of grammar rules into Prolog clauses c) A set of built-in predicates for parsing with grammar rules

  • Technical specification
    18 pages
    English language
    sale 15% off
ISO
ISO/IEC TS 6010:2025(Main)
Programming languages — C — A provenance-aware memory object model for C

This document specifies the form and establishes the interpretation of programs written in the C programming language. It is not a complete specification of that language but builds upon ISO/IEC 9899:2018 by constraining and clarifying the Memory Object Model.

  • Technical specification
    23 pages
    English language
    sale 15% off
ISO
ISO/IEC TS 18661-5:2025(Main)
Programming languages, their environments, and system software interfaces — Floating-point extensions for C — Part 5: Supplementary attributes

This document specifies extensions to programming language C to include pragmas corresponding to attributes specified and recommended in ISO/IEC 60559 but not supported in ISO/IEC 9899:2024 (also referred to as C23).

  • Technical specification
    20 pages
    English language
    sale 15% off
ISO
ISO/IEC TS 18661-4:2025(Main)
Programming languages, their environments, and system software interfaces — Floating-point extensions for C — Part 4: Supplementary functions

This document specifies extensions to programming language C to include functions corresponding to operations specified and recommended in ISO/IEC 60559, but not supported in ISO/IEC 9899:2024 (also referred to as C23).

  • Technical specification
    13 pages
    English language
    sale 15% off
ISO
ISO/IEC TS 24718:2025(Main)
Information technology — Programming languages — Guidance for the use of the Ada Ravenscar Profile in high integrity systems

This document provides guidance on the use of the Ravenscar profile for concurrent Ada software intended for verification up to, and including, the very highest levels of integrity. To this end, this document provides a complete description of the motivations behind the Ravenscar profile, to show how conformant programs can be analysed, and to give examples of usage. This document is aimed at a broad audience, including application programmers, implementers of run-time systems, those responsible for defining company or project guidelines, and academics. Familiarity with the Ada language is assumed.

  • Technical specification
    52 pages
    English language
    sale 15% off
ISO
ISO/IEC TS 9922:2024(Main)
Programming Languages — Technical specification for C++ extensions for concurrency 2

This document builds upon ISO/IEC 14882 by describing requirements for implementations of an interface that computer programs written in the C++ programming language could use to invoke algorithms with concurrent execution. The algorithms described by this document are realizable across a broad class of computer architectures. This document is written as a set of differences from the base standard. Some of the functionality described by this document might be considered for standardization in a future version of C++, but it is not currently part of ISO/IEC 14882:2020. Some of the functionality in this document might never be standardized, and other functionality might be standardized in a substantially different form. The goal of this document is to build widespread existing practice for concurrency in the ISO/IEC 14882:2020 algorithms library. It gives advice on extensions to those vendors who wish to provide them.

  • Technical specification
    19 pages
    English language
    sale 15% off
ISO
ISO/IEC 9899:2024(Main)
Information technology — Programming languages — C

This document specifies the form and establishes the interpretation of programs written in the C programming language. It is designed to promote the portability of C programs among a variety of data-processing systems. It is intended for use by implementers and programmers. It specifies: — the representation of C programs; — the syntax and constraints of the C language; — the semantic rules for interpreting C programs; — the representation of input data to be processed by C programs; — the representation of output data produced by C programs; — the restrictions and limits imposed by a conforming implementation of C. This document does not specify: — the mechanism by which C programs are transformed for use by a data-processing system; — the mechanism by which C programs are invoked for use by a data-processing system; — the mechanism by which input data are transformed for use by a C program; — the mechanism by which output data are transformed after being produced by a C program; — the size or complexity of a program and its data that will exceed the capacity of any specific data-processing system or the capacity of a particular processor; — all minimal requirements of a data-processing system that is capable of supporting a conforming implementation. Annex J gives an overview of portability issues that a C program can encounter.

  • Standard
    758 pages
    English language
    sale 15% off
ISO
ISO/IEC 14882:2024(Main)
Programming languages — C++

This document specifies requirements for implementations of the C++ programming language. The first such requirement is that they implement the language, so this document also defines C++. Other requirements and relaxations of the first requirement appear at various places within this document. C++ is a general purpose programming language based on the C programming language as described in ISO/IEC 9899:2018 Programming languages — C (hereinafter referred to as the C standard). C++ provides many facilities beyond those provided by C, including additional data types, classes, templates, exceptions, namespaces, operator overloading, function name overloading, references, free store management operators, and additional library facilities.

  • Standard
    2104 pages
    English language
    sale 15% off
ISO
ISO/IEC TS 19568:2024(Main)
Programming Languages — C++ Extensions for Library Fundamentals

This document describes extensions to the C++ Standard Library (2). These extensions are classes and functions that are likely to be used widely within a program and/or on the interface boundaries between libraries written by different organizations. It is intended that some of the library components be considered for standardization in a future version of C++. At present, they are not part of any C++ standard. The goal of this document is to build more widespread existing practice for an expanded C++ standard library. It gives advice on extensions to those vendors who wish to provide them.

  • Technical specification
    54 pages
    English language
    sale 15% off
ISO
ISO/IEC 1539-1:2023(Main)
Programming languages — Fortran — Part 1: Base language
  • Standard
    674 pages
    English language
    sale 15% off