BSI PD ISO/IEC TR 24772:2013

$215.11

Information technology. Programming languages. Guidance to avoiding vulnerabilities in programming languages through language selection and use

Published by: BSI
Publication date: 2013
Number of pages: 340


PDF Catalog

PDF Pages PDF Title
17 Foreword
18 Introduction
19 1. Scope
2. Normative references
3. Terms and definitions, symbols and conventions
3.1 Terms and definitions
3.1.1 Communication
20 3.1.2 Execution model
22 3.1.3 Properties
3.1.4 Safety
23 3.1.5 Vulnerabilities
3.2 Symbols and conventions
3.2.1 Symbols
3.2.2 Conventions
24 4. Basic concepts
4.1 Purpose of this Technical Report
4.2 Intended audience
25 4.3 How to use this document
26 5 Vulnerability issues
5.1 Predictable execution
27 5.2 Sources of unpredictability in language specification
5.2.1 Incomplete or evolving specification
28 5.2.2 Undefined behaviour
5.2.3 Unspecified behaviour
5.2.4 Implementation-defined behaviour
5.2.5 Difficult features
5.2.6 Inadequate language support
5.3 Sources of unpredictability in language usage
5.3.1 Porting and interoperation
29 5.3.2 Compiler selection and usage
6. Programming Language Vulnerabilities
6.1 General
6.2 Terminology
30 6.3 Type System [IHN]
6.3.1 Description of application vulnerability
6.3.2 Cross reference
6.3.3 Mechanism of failure
31 6.3.4 Applicable language characteristics
6.3.5 Avoiding the vulnerability or mitigating its effects
32 6.3.6 Implications for standardization
6.4 Bit Representations [STR]
6.4.1 Description of application vulnerability
6.4.2 Cross reference
33 6.4.3 Mechanism of failure
6.4.4 Applicable language characteristics
6.4.5 Avoiding the vulnerability or mitigating its effects
6.4.6 Implications for standardization
34 6.5 Floating-point Arithmetic [PLF]
6.5.1 Description of application vulnerability
6.5.2 Cross reference
6.5.3 Mechanism of failure
35 6.5.4 Applicable language characteristics
6.5.5 Avoiding the vulnerability or mitigating its effects
6.5.6 Implications for standardization
36 6.6 Enumerator Issues [CCB]
6.6.1 Description of application vulnerability
6.6.2 Cross reference
6.6.3 Mechanism of failure
37 6.6.4 Applicable language Characteristics
6.6.5 Avoiding the vulnerability or mitigating its effects
6.6.6 Implications for standardization
38 6.7 Numeric Conversion Errors [FLC]
6.7.1 Description of application vulnerability
6.7.2 Cross reference
6.7.3 Mechanism of failure
39 6.7.4 Applicable language characteristics
6.7.5 Avoiding the vulnerability or mitigating its effects
40 6.7.6 Implications for standardization
6.8 String Termination [CJM]
6.8.1 Description of application vulnerability
6.8.2 Cross reference
6.8.3 Mechanism of failure
41 6.8.4 Applicable language characteristics
6.8.5 Avoiding the vulnerability or mitigating its effects
6.8.6 Implications for standardization
6.9 Buffer Boundary Violation (Buffer Overflow) [HCB]
6.9.1 Description of application vulnerability
6.9.2 Cross reference
42 6.9.3 Mechanism of failure
6.9.4 Applicable language characteristics
43 6.9.5 Avoiding the vulnerability or mitigating its effects
6.9.6 Implications for standardization
6.10 Unchecked Array Indexing [XYZ]
6.10.1 Description of application vulnerability
44 6.10.2 Cross reference
6.10.3 Mechanism of failure
6.10.4 Applicable language characteristics
45 6.10.5 Avoiding the vulnerability or mitigating its effects
6.10.6 Implications for standardization
6.11 Unchecked Array Copying [XYW]
6.11.1 Description of application vulnerability
6.11.2 Cross reference
6.11.3 Mechanism of failure
46 6.11.4 Applicable language characteristics
6.11.5 Avoiding the vulnerability or mitigating its effects
6.11.6 Implications for standardization
6.12 Pointer Casting and Pointer Type Changes [HFC]
6.12.1 Description of application vulnerability
6.12.2 Cross reference
47 6.12.3 Mechanism of failure
6.12.4 Applicable language characteristics
6.12.5 Avoiding the vulnerability or mitigating its effects
6.12.6 Implications for standardization
6.13 Pointer Arithmetic [RVG]
6.13.1 Description of application vulnerability
48 6.13.2 Cross reference
6.13.3 Mechanism of failure
6.13.4 Applicable language characteristics
6.13.5 Avoiding the vulnerability or mitigating its effects
6.13.6 Implications for standardization
6.14 Null Pointer Dereference [XYH]
6.14.1 Description of application vulnerability
6.14.2 Cross reference
49 6.14.3 Mechanism of failure
6.14.4 Applicable language characteristics
6.14.5 Avoiding the vulnerability or mitigating its effects
6.14.6 Implications for standardization
6.15 Dangling Reference to Heap [XYK]
6.15.1 Description of application vulnerability
50 6.15.2 Cross reference
6.15.3 Mechanism of failure
6.15.4 Applicable language characteristics
51 6.15.5 Avoiding the vulnerability or mitigating its effects
6.15.6 Implications for standardization
52 6.16 Arithmetic Wrap-around Error [FIF]
6.16.1 Description of application vulnerability
6.16.2 Cross reference
6.16.3 Mechanism of failure
53 6.16.4 Applicable language characteristics
6.16.5 Avoiding the vulnerability or mitigating its effects
6.16.6 Implications for standardization
6.17 Using Shift Operations for Multiplication and Division [PIK]
6.17.1 Description of application vulnerability
6.17.2 Cross reference
6.17.3 Mechanism of failure
54 6.17.4 Applicable language characteristics
6.17.5 Avoiding the vulnerability or mitigating its effects
6.17.6 Implications for standardization
6.18 Sign Extension Error [XZI]
6.18.1 Description of application vulnerability
6.18.2 Cross reference
6.18.3 Mechanism of failure
55 6.18.4 Applicable language characteristics
6.18.5 Avoiding the vulnerability or mitigating its effects
6.18.6 Implications for standardization
6.19 Choice of Clear Names [NAI]
6.19.1 Description of application vulnerability
56 6.19.2 Cross reference
6.19.3 Mechanism of Failure
6.19.4 Applicable language characteristics
6.19.5 Avoiding the vulnerability or mitigating its effects
57 6.19.6 Implications for standardization
6.20 Dead Store [WXQ]
6.20.1 Description of application vulnerability
6.20.2 Cross reference
6.20.3 Mechanism of failure
58 6.20.4 Applicable language characteristics
6.20.5 Avoiding the vulnerability or mitigating its effects
6.20.6 Implications for standardization
6.21 Unused Variable [YZS]
6.21.1 Description of application vulnerability
6.21.2 Cross reference
59 6.21.3 Mechanism of failure
6.21.4 Applicable language characteristics
6.21.5 Avoiding the vulnerability or mitigating its effects
6.21.6 Implications for standardization
6.22 Identifier Name Reuse [YOW]
6.22.1 Description of application vulnerability
60 6.22.2 Cross reference
6.22.3 Mechanism of failure
61 6.22.4 Applicable language characteristics
6.22.5 Avoiding the vulnerability or mitigating its effects
6.22.6 Implications for standardization
6.23 Namespace Issues [BJL]
6.23.1 Description of Application Vulnerability
62 6.23.2 Cross references
6.23.3 Mechanism of Failure
63 6.23.4 Applicable Language Characteristics
6.23.5 Avoiding the Vulnerability or Mitigating its Effects
6.23.6 Implications for Standardization
6.24 Initialization of Variables [LAV]
6.24.1 Description of application vulnerability
64 6.24.2 Cross reference
6.24.3 Mechanism of failure
6.24.4 Applicable language characteristics
6.24.5 Avoiding the vulnerability or mitigating its effects
65 6.24.6 Implications for standardization
6.25 Operator Precedence/Order of Evaluation [JCW]
6.25.1 Description of application vulnerability
6.25.2 Cross reference
66 6.25.3 Mechanism of failure
6.25.4 Applicable language characteristics
6.25.5 Avoiding the vulnerability or mitigating its effects
6.25.6 Implications for standardization
67 6.26 Side-effects and Order of Evaluation [SAM]
6.26.1 Description of application vulnerability
6.26.2 Cross reference
6.26.3 Mechanism of failure
68 6.26.4 Applicable language characteristics
6.26.5 Avoiding the vulnerability or mitigating its effects
6.26.6 Implications for standardization
6.27 Likely Incorrect Expression [KOA]
6.27.1 Description of application vulnerability
69 6.27.2 Cross reference
6.27.3 Mechanism of failure
6.27.4 Applicable language characteristics
6.27.5 Avoiding the vulnerability or mitigating its effects
70 6.27.6 Implications for standardization
6.28 Dead and Deactivated Code [XYQ]
6.28.1 Description of application vulnerability
6.28.2 Cross reference
71 6.28.3 Mechanism of failure
72 6.28.4 Applicable language characteristics
6.28.5 Avoiding the vulnerability or mitigating its effects
6.28.6 Implications for standardization
6.29 Switch Statements and Static Analysis [CLL]
6.29.1 Description of application vulnerability
6.29.2 Cross reference
73 6.29.3 Mechanism of failure
6.29.4 Applicable language characteristics
6.29.5 Avoiding the vulnerability or mitigating its effects
6.29.6 Implications for standardization
74 6.30 Demarcation of Control Flow [EOJ]
6.30.1 Description of application vulnerability
6.30.2 Cross reference
6.30.3 Mechanism of failure
6.30.4 Applicable language characteristics
6.30.5 Avoiding the vulnerability or mitigating its effects
75 6.30.6 Implications for standardization
6.31 Loop Control Variables [TEX]
6.31.1 Description of application vulnerability
6.31.2 Cross reference
6.31.3 Mechanism of failure
6.31.4 Applicable language characteristics
6.31.5 Avoiding the vulnerability or mitigating its effects
76 6.31.6 Implications for standardization
6.32 Off-by-one Error [XZH]
6.32.1 Description of application vulnerability
6.32.2 Cross reference
6.32.3 Mechanism of failure
77 6.32.4 Applicable language characteristics
6.32.5 Avoiding the vulnerability or mitigating its effects
6.32.6 Implications for standardization
78 6.33 Structured Programming [EWD]
6.33.1 Description of application vulnerability
6.33.2 Cross reference
6.33.3 Mechanism of failure
6.33.4 Applicable language characteristics
6.33.5 Avoiding the vulnerability or mitigating its effects
79 6.33.6 Implications for standardization
6.34 Passing Parameters and Return Values [CSJ]
6.34.1 Description of application vulnerability
6.34.2 Cross reference
6.34.3 Mechanism of failure
80 6.34.4 Applicable language characteristics
81 6.34.5 Avoiding the vulnerability or mitigating its effects
6.34.6 Implications for standardization
6.35 Dangling References to Stack Frames [DCM]
6.35.1 Description of application vulnerability
6.35.2 Cross reference
82 6.35.3 Mechanism of failure
83 6.35.4 Applicable language characteristics
6.35.5 Avoiding the vulnerability or mitigating its effects
6.35.6 Implications for standardization
6.36 Subprogram Signature Mismatch [OTR]
6.36.1 Description of application vulnerability
6.36.2 Cross reference
84 6.36.3 Mechanism of failure
6.36.4 Applicable language characteristics
6.36.5 Avoiding the vulnerability or mitigating its effects
6.36.6 Implications for standardization
85 6.37 Recursion [GDL]
6.37.1 Description of application vulnerability
6.37.2 Cross reference
6.37.3 Mechanism of failure
6.37.4 Applicable language characteristics
86 6.37.5 Avoiding the vulnerability or mitigating its effects
6.37.6 Implications for standardization
6.38 Ignored Error Status and Unhandled Exceptions [OYB]
6.38.1 Description of application vulnerability
6.38.2 Cross reference
6.38.3 Mechanism of failure
87 6.38.4 Applicable language characteristics
6.38.5 Avoiding the vulnerability or mitigating its effects
88 6.38.6 Implications for standardization
6.39 Termination Strategy [REU]
6.39.1 Description of application vulnerability
89 6.39.2 Cross reference
6.39.3 Mechanism of failure
6.39.4 Applicable language characteristics
90 6.39.5 Avoiding the vulnerability or mitigating its effects
6.39.6 Implications for standardization
6.40 Type-breaking Reinterpretation of Data [AMV]
6.40.1 Description of application vulnerability
6.40.2 Cross reference
91 6.40.3 Mechanism of failure
6.40.4 Applicable language characteristics
6.40.5 Avoiding the vulnerability or mitigating its effects
92 6.40.6 Implications for standardization
6.41 Memory Leak [XYL]
6.41.1 Description of application vulnerability
6.41.2 Cross reference
6.41.3 Mechanism of failure
93 6.41.4 Applicable language characteristics
6.41.5 Avoiding the vulnerability or mitigating its effects
6.41.6 Implications for standardization
94 6.42 Templates and Generics [SYM]
6.42.1 Description of application vulnerability
6.42.2 Cross reference
6.42.3 Mechanism of failure
95 6.42.4 Applicable language characteristics
6.42.5 Avoiding the vulnerability or mitigating its effects
6.42.6 Implications for standardization
96 6.43 Inheritance [RIP]
6.43.1 Description of application vulnerability
6.43.2 Cross reference
6.43.3 Mechanism of failure
6.43.4 Applicable language characteristics
97 6.43.5 Avoiding the vulnerability or mitigating its effects
6.43.6 Implications for standardization
6.44 Extra Intrinsics [LRM]
6.44.1 Description of application vulnerability
6.44.2 Cross reference
6.44.3 Mechanism of failure
98 6.44.4 Applicable language characteristics
6.44.5 Avoiding the vulnerability or mitigating its effects
6.44.6 Implications for standardization
6.45 Argument Passing to Library Functions [TRJ]
6.45.1 Description of application vulnerability
6.45.2 Cross reference
99 6.45.3 Mechanism of failure
6.45.4 Applicable language characteristics
6.45.5 Avoiding the vulnerability or mitigating its effects
6.45.6 Implications for standardization
6.46 Inter-language Calling [DJS]
6.46.1 Description of application vulnerability
100 6.46.2 Cross reference
6.46.3 Mechanism of failure
101 6.46.4 Applicable language characteristics
6.46.5 Avoiding the vulnerability or mitigating its effects
Software developers can avoid the vulnerability or mitigate its ill effects in the following ways:
- Use the inter-language methods and syntax specified by the applicable language standard(s). For example, Fortran and Ada specify how to call C functions.
- Understand the calling conventions of all languages used.
- For items comprising the inter-language interface:
  - Understand the data layout of all data types used.
  - Understand the return conventions of all languages used.
  - Avoid assuming that the language makes a distinction between upper case and lower case letters in identifiers.
  - Avoid using a special character as the first character in identifiers.
  - Avoid using long identifier names.
6.46.6 Implications for standardization
In future standardization activities, the following items should be considered:
- Standards committees should consider developing standard provisions for inter-language calling with languages most often used with their programming language.
6.47 Dynamically-linked Code and Self-modifying Code [NYY]
6.47.1 Description of application vulnerability
102 6.47.2 Cross reference
6.47.3 Mechanism of failure
6.47.4 Applicable language characteristics
6.47.5 Avoiding the vulnerability or mitigating its effects
6.47.6 Implications for standardization
6.48 Library Signature [NSQ]
6.48.1 Description of application vulnerability
103 6.48.2 Cross reference
6.48.3 Mechanism of failure
6.48.4 Applicable language characteristics
6.48.5 Avoiding the vulnerability or mitigating its effects
6.48.6 Implications for standardization
104 6.49 Unanticipated Exceptions from Library Routines [HJW]
6.49.1 Description of application vulnerability
6.49.2 Cross reference
6.49.3 Mechanism of failure
6.49.4 Applicable language characteristics
6.49.5 Avoiding the vulnerability or mitigating its effects
105 6.49.6 Implications for standardization
6.50 Pre-processor Directives [NMP]
6.50.1 Description of application vulnerability
6.50.2 Cross reference
6.50.3 Mechanism of failure
106 6.50.4 Applicable language characteristics
6.50.5 Avoiding the vulnerability or mitigating its effects
6.50.6 Implications for standardization
107 6.51 Suppression of Language-defined Run-time Checking [MXB]
6.51.1 Description of application vulnerability
6.51.2 Cross reference
6.51.3 Mechanism of Failure
6.51.4 Applicable language characteristics
6.51.5 Avoiding the vulnerability
6.51.6 Implications for standardization
108 6.52 Provision of Inherently Unsafe Operations [SKL]
6.52.1 Description of application vulnerability
6.52.2 Cross reference
6.52.3 Mechanism of Failure
6.52.4 Applicable language characteristics
6.52.5 Avoiding the vulnerability
109 6.53 Obscure Language Features [BRS]
6.53.1 Description of application vulnerability
6.53.2 Cross reference
6.53.3 Mechanism of failure
6.53.4 Applicable language characteristics
6.53.5 Avoiding the vulnerability or mitigating its effects
110 6.53.6 Implications for standardization
6.54 Unspecified Behaviour [BQF]
6.54.1 Description of application vulnerability
6.54.2 Cross reference
6.54.3 Mechanism of failure
111 6.54.4 Applicable language characteristics
6.54.5 Avoiding the vulnerability or mitigating its effects
112 6.54.6 Implications for standardization
6.55 Undefined Behaviour [EWF]
6.55.1 Description of application vulnerability
6.55.2 Cross reference
6.55.3 Mechanism of failure
6.55.4 Applicable language characteristics
6.55.5 Avoiding the vulnerability or mitigating its effects
113 6.55.6 Implications for standardization
6.56 Implementation-defined Behaviour [FAB]
6.56.1 Description of application vulnerability
6.56.2 Cross reference
6.56.3 Mechanism of failure
114 6.56.4 Applicable language characteristics
6.56.5 Avoiding the vulnerability or mitigating its effects
115 6.56.6 Implications for standardization
6.57 Deprecated Language Features [MEM]
6.57.1 Description of application vulnerability
6.57.2 Cross reference
6.57.3 Mechanism of failure
116 6.57.4 Applicable language characteristics
6.57.5 Avoiding the vulnerability or mitigating its effects
6.57.6 Implications for standardization
7. Application Vulnerabilities
7.1 General
117 7.2 Terminology
7.3 Unspecified Functionality [BVQ]
7.3.1 Description of application vulnerability
7.3.2 Cross reference
7.3.3 Mechanism of failure
7.3.4 Avoiding the vulnerability or mitigating its effects
118 7.4 Distinguished Values in Data Types [KLK]
7.4.1 Description of application vulnerability
7.4.2 Cross reference
7.4.3 Mechanism of failure
119 7.4.4 Avoiding the vulnerability or mitigating its effects
7.5 Adherence to Least Privilege [XYN]
7.5.1 Description of application vulnerability
7.5.2 Cross reference
7.5.3 Mechanism of failure
120 7.5.4 Avoiding the vulnerability or mitigating its effects
7.6 Privilege Sandbox Issues [XYO]
7.6.1 Description of application vulnerability
7.6.2 Cross reference
7.6.3 Mechanism of failure
121 7.6.4 Avoiding the vulnerability or mitigating its effects
7.7 Executing or Loading Untrusted Code [XYS]
7.7.1 Description of application vulnerability
7.7.2 Cross reference
7.7.3 Mechanism of failure
122 7.7.4 Avoiding the vulnerability or mitigating its effects
7.7.5 Implications for standardization
7.8 Memory Locking [XZX]
7.8.1 Description of application vulnerability
7.8.2 Cross reference
123 7.8.3 Mechanism of failure
7.8.4 Avoiding the vulnerability or mitigating its effects
7.8.5 Implications for standardization
7.9 Resource Exhaustion [XZP]
7.9.1 Description of application vulnerability
7.9.2 Cross reference
124 7.9.3 Mechanism of failure
7.9.4 Avoiding the vulnerability or mitigating its effects
125 7.10 Unrestricted File Upload [CBF]
7.10.2 Cross reference
7.10.3 Mechanism of failure
7.10.4 Avoiding the vulnerability or mitigating its effects
126 7.10.5 Implications for standardization
7.11 Resource Names [HTS]
7.11.1 Description of application vulnerability
7.11.2 Cross reference
127 7.11.3 Mechanism of Failure
7.11.4 Avoiding the vulnerability or mitigating its effects
7.11.5 Implications for standardization
7.12 Injection [RST]
7.12.1 Description of application vulnerability
128 7.12.2 Cross reference
129 7.12.3 Mechanism of failure
130 7.12.4 Avoiding the vulnerability or mitigating its effects
7.13 Cross-site Scripting [XYT]
7.13.1 Description of application vulnerability
7.13.2 Cross reference
131 7.13.3 Mechanism of failure
132 7.13.4 Avoiding the vulnerability or mitigating its effects
133 7.14 Unquoted Search Path or Element [XZQ]
7.14.1 Description of application vulnerability
7.14.2 Cross reference
7.14.3 Mechanism of failure
7.14.4 Avoiding the vulnerability or mitigating its effects
7.15 Improperly Verified Signature [XZR]
7.15.1 Description of application vulnerability
134 7.15.2 Cross reference
7.15.3 Mechanism of failure
7.15.4 Avoiding the vulnerability or mitigating its effects
7.15.5 Implications for standardization
7.16 Discrepancy Information Leak [XZL]
7.16.1 Description of application vulnerability
7.16.2 Cross reference
7.16.3 Mechanism of failure
135 7.16.4 Avoiding the vulnerability or mitigating its effects
7.17 Sensitive Information Uncleared Before Use [XZK]
7.17.1 Description of application vulnerability
7.17.2 Cross reference
7.17.3 Mechanism of failure
136 7.17.4 Avoiding the vulnerability or mitigating its effects
7.18 Path Traversal [EWR]
7.18.1 Description of application vulnerability
7.18.2 Cross reference
7.18.3 Mechanism of failure
137 7.18.4 Avoiding the vulnerability or mitigating its effects
138 7.19 Missing Required Cryptographic Step [XZS]
7.19.1 Description of application vulnerability
7.19.2 Cross reference
7.19.3 Mechanism of failure
7.19.4 Avoiding the vulnerability or mitigating its effects
139 7.20 Insufficiently Protected Credentials [XYM]
7.20.1 Description of application vulnerability
7.20.2 Cross reference
7.20.3 Mechanism of failure
7.20.4 Avoiding the vulnerability or mitigating its effects
140 7.21 Missing or Inconsistent Access Control [XZN]
7.21.1 Description of application vulnerability
7.21.2 Cross reference
7.21.3 Mechanism of failure
7.21.4 Avoiding the vulnerability or mitigating its effects
7.22 Authentication Logic Error [XZO]
7.22.1 Description of application vulnerability
7.22.2 Cross reference
141 7.22.3 Mechanism of failure
142 7.22.4 Avoiding the vulnerability or mitigating its effects
7.23 Hard-coded Password [XYP]
7.23.1 Description of application vulnerability
7.23.2 Cross reference
7.23.3 Mechanism of failure
143 7.23.4 Avoiding the vulnerability or mitigating its effects
8. New Vulnerabilities
8.1 General
8.2 Terminology
8.3 Concurrency – Activation [CGA]
8.3.1 Description of application vulnerability
144 8.3.2 Cross References
8.3.3 Mechanism of Failure
8.3.4 Applicable language characteristics
145 8.3.5 Avoiding the vulnerability or mitigating its effects
8.3.6 Implications for standardization
8.4 Concurrency – Directed termination [CGT]
8.4.1 Description of application vulnerability
8.4.2 Cross references
146 8.4.3 Mechanism of failure
8.4.4 Applicable language characteristics
8.4.5 Avoiding the vulnerability or mitigating its effect
8.4.6 Implications for standardization
147 8.5 Concurrent Data Access [CGX]
8.5.1 Description of application vulnerability
8.5.2 Cross references
8.5.3 Mechanism of failure
8.5.4 Applicable language characteristics
8.5.5 Avoiding the vulnerability or mitigating its effect
148 8.5.6 Implications for standardization
8.6 Concurrency – Premature Termination [CGS]
8.6.1 Description of application vulnerability
8.6.2 Cross references
149 8.6.3 Mechanism of failure
8.6.4 Applicable language characteristics
8.6.5 Avoiding the vulnerability or mitigating its effect
150 8.6.6 Implications for standardization
8.7 Protocol Lock Errors [CGM]
8.7.1 Description of application vulnerability
8.7.2 Cross references
151 8.7.3 Mechanism of failure
8.7.4 Applicable language characteristics
152 8.7.5 Avoiding the vulnerability or mitigating its effect
8.7.6 Implications for standardization
8.8 Inadequately Secure Communication of Shared Resources [CGY]
8.8.1 Description of application vulnerability
8.8.2 Cross references
153 8.8.3 Mechanism of failure
8.8.4 Avoiding the vulnerability or mitigating its effect
154 Annex A (informative) Vulnerability Taxonomy and List
A.1 General
A.2 Outline of Programming Language Vulnerabilities
156 A.3 Outline of Application Vulnerabilities
A.4 Vulnerability List
159 Annex B (informative) Language Specific Vulnerability Template
161 Annex C (informative) Vulnerability descriptions for the language Ada
C.1 Identification of standards and associated documentation
C.2 General terminology and concepts
167 C.3 Type System [IHN]
C.3.1 Applicability to language
C.3.2 Guidance to language users
C.4 Bit Representation [STR]
C.4.1 Applicability to language
C.4.2 Guidance to language users
168 C.5 Floating-point Arithmetic [PLF]
C.5.1 Applicability to language
C.5.2 Guidance to language users
C.6 Enumerator Issues [CCB]
C.6.1 Applicability to language
169 C.6.2 Guidance to language users
C.7 Numeric Conversion Errors [FLC]
C.7.1 Applicability to language
C.7.2 Guidance to language users
C.8 String Termination [CJM]
170 C.9 Buffer Boundary Violation (Buffer Overflow) [HCB]
C.10 Unchecked Array Indexing [XYZ]
C.10.1 Applicability to language
C.10.2 Guidance to language users
C.11 Unchecked Array Copying [XYW]
C.12 Pointer Casting and Pointer Type Changes [HFC]
C.12.1 Applicability to language
171 C.12.2 Guidance to language users
C.13 Pointer Arithmetic [RVG]
C.14 Null Pointer Dereference [XYH]
C.15 Dangling Reference to Heap [XYK]
C.15.1 Applicability to language
C.15.2 Guidance to language users
C.16 Arithmetic Wrap-around Error [FIF]
172 C.17 Using Shift Operations for Multiplication and Division [PIK]
C.18 Sign Extension Error [XZI]
C.19 Choice of Clear Names [NAI]
C.19.1 Applicability to language
173 C.19.2 Guidance to language users
C.20 Dead store [WXQ]
C.20.1 Applicability to language
C.20.2 Guidance to Language Users
C.21 Unused Variable [YZS]
C.21.1 Applicability to language
C.21.2 Guidance to language users
174 C.22 Identifier Name Reuse [YOW]
C.22.1 Applicability to language
C.22.2 Guidance to language users
C.23 Namespace Issues [BJL]
C.24 Initialization of Variables [LAV]
C.24.1 Applicability to language
175 C.24.2 Guidance to language users
C.25 Operator Precedence/Order of Evaluation [JCW]
C.25.1 Applicability to language
C.25.2 Guidance to language users
C.26 Side-effects and Order of Evaluation [SAM]
C.26.1 Applicability to language
176 C.26.2 Guidance to language users
C.27 Likely Incorrect Expression [KOA]
C.27.1 Applicability to language
177 C.27.2 Guidance to language users
C.28 Dead and Deactivated Code [XYQ]
C.28.1 Applicability to language
C.28.2 Guidance to language users
C.29 Switch Statements and Static Analysis [CLL]
C.29.1 Applicability to language
178 C.29.2 Guidance to language users
C.30 Demarcation of Control Flow [EOJ]
C.31 Loop Control Variables [TEX]
C.32 Off-by-one Error [XZH]
C.32.1 Applicability to language
Confusion between the need for < and <= or > and >= in a test.
Confusion as to the index range of an algorithm.
179 Failing to allow for storage of a sentinel value.
C.32.2 Guidance to language users
C.33 Structured Programming [EWD]
C.33.1 Applicability to language
C.33.2 Guidance to language users
C.34 Passing Parameters and Return Values [CSJ]
C.34.1 Applicability to language
C.34.2 Guidance to language users
180 C.35 Dangling References to Stack Frames [DCM]
C.35.1 Applicability to language
C.35.2 Guidance to language users
C.36 Subprogram Signature Mismatch [OTR]
C.36.1 Applicability to language
181 C.36.2 Guidance to language users
C.37 Recursion [GDL]
C.37.1 Applicability to language
C.37.2 Guidance to language users
C.38 Ignored Error Status and Unhandled Exceptions [OYB]
C.38.1 Applicability to language
182 C.38.2 Guidance to language users
C.39 Termination Strategy [REU]
C.39.1 Applicability to language
C.39.2 Guidance to language users
C.40 Type-breaking Reinterpretation of Data [AMV]
C.40.1 Applicability to language
183 C.40.2 Guidance to language users
C.41 Memory Leak [XYL]
C.41.1 Applicability to language
C.41.2 Guidance to language users
C.42 Templates and Generics [SYM]
184 C.43 Inheritance [RIP]
C.43.1 Applicability to language
C.43.2 Guidance to language users
C.44 Extra Intrinsics [LRM]
C.45 Argument Passing to Library Functions [TRJ]
C.45.1 Applicability to language
C.45.2 Guidance to language users
185 C.46 Inter-language Calling [DJS]
C.46.1 Applicability to Language
C.46.2 Guidance to Language Users
C.47 Dynamically-linked Code and Self-modifying Code [NYY]
C.48 Library Signature [NSQ]
C.48.1 Applicability to language
C.48.2 Guidance to language users
C.49 Unanticipated Exceptions from Library Routines [HJW]
C.49.1 Applicability to language
186 C.49.2 Guidance to language users
C.50 Pre-Processor Directives [NMP]
C.51 Suppression of Language-defined Run-time Checking [MXB]
C.51.1 Applicability to Language
C.51.2 Guidance to Language Users
C.52 Provision of Inherently Unsafe Operations [SKL]
C.52.1 Applicability to Language
187 C.53 Obscure Language Features [BRS]
C.53.1 Applicability to language
C.53.2 Guidance to language users
C.54 Unspecified Behaviour [BQF]
C.54.1 Applicability to language
188 C.54.2 Guidance to language users
C.55 Undefined Behaviour [EWF]
C.55.1 Applicability to language
C.55.2 Guidance to language users
189 C.56 Implementation-Defined Behaviour [FAB]
C.56.1 Applicability to language
C.56.2 Guidance to language users
190 C.57 Deprecated Language Features [MEM]
C.57.1 Applicability to language
C.57.2 Guidance to language users
C.58 Implications for standardization
192 Annex D (informative) Vulnerability descriptions for the language C
D.1 Identification of standards and associated documents
D.2 General terminology and concepts
195 D.3 Type System [IHN]
D.3.1 Applicability to language
D.3.2 Guidance to language users
196 D.4 Bit Representations [STR]
D.4.1 Applicability to language
D.4.2 Guidance to language users
197 D.5 Floating-point Arithmetic [PLF]
D.5.1 Applicability to language
D.5.2 Guidance to language users
198 D.6 Enumerator Issues [CCB]
D.6.1 Applicability to language
D.6.2 Guidance to language users
199 D.7 Numeric Conversion Errors [FLC]
D.7.1 Applicability to language
200 D.7.2 Guidance to language users
201 D.8 String Termination [CJM]
D.8.1 Applicability to language
D.8.2 Guidance to language users
D.9 Buffer Boundary Violation (Buffer Overflow) [HCB]
D.9.1 Applicability to language
202 D.9.2 Guidance to language users
203 D.10 Unchecked Array Indexing [XYZ]
D.10.1 Applicability to language
D.10.2 Guidance to language users
D.11 Unchecked Array Copying [XYW]
D.11.1 Applicability to language
D.11.2 Guidance to language users
204 D.12 Pointer Casting and Pointer Type Changes [HFC]
D.12.1 Applicability to language
D.12.2 Guidance to language users
D.13 Pointer Arithmetic [RVG]
D.13.1 Applicability to language
205 D.13.2 Guidance to language users
D.14 Null Pointer Dereference [XYH]
D.14.1 Applicability to language
D.14.2 Guidance to language users
D.15 Dangling Reference to Heap [XYK]
D.15.1 Applicability to language
207 D.15.2 Guidance to language users
D.16 Arithmetic Wrap-around Error [FIF]
D.16.1 Applicability to language
D.16.2 Guidance to language users
208 D.17 Using Shift Operations for Multiplication and Division [PIK]
D.17.1 Applicability to language
D.17.2 Guidance to language users
D.18 Sign Extension Error [XZI]
D.19 Choice of Clear Names [NAI]
D.19.1 Applicability to language
D.19.2 Guidance to language users
209 D.20 Dead Store [WXQ]
D.20.1 Applicability to Language
D.20.2 Guidance to Language Users
D.21 Unused Variable [YZS]
D.21.1 Applicability to language
D.21.2 Guidance to language users
D.22 Identifier Name Reuse [YOW]
D.22.1 Applicability to language
210 D.22.2 Guidance to language users
D.23 Namespace Issues [BJL]
D.24 Initialization of Variables [LAV]
D.24.1 Applicability to language
D.24.2 Guidance to language users
211 D.25 Operator Precedence/Order of Evaluation [JCW]
D.25.1 Applicability to language
D.25.2 Guidance to language users
D.26 Side-effects and Order of Evaluation [SAM]
D.26.1 Applicability to language
212 D.26.2 Guidance to language users
D.27 Likely Incorrect Expression [KOA]
D.27.1 Applicability to language
213 D.27.2 Guidance to language users
D.28 Dead and Deactivated Code [XYQ]
D.28.1 Applicability to language
214 D.28.2 Guidance to language users
D.29 Switch Statements and Static Analysis [CLL]
D.29.1 Applicability to language
D.29.2 Guidance to language users
215 D.30 Demarcation of Control Flow [EOJ]
D.30.1 Applicability to language
216 D.30.2 Guidance to language users
D.31 Loop Control Variables [TEX]
D.31.1 Applicability to language
217 D.31.2 Guidance to language users
D.32 Off-by-one Error [XZH]
D.32.1 Applicability to language
D.32.2 Guidance to language users
D.33 Structured Programming [EWD]
D.33.1 Applicability to language
218 D.33.2 Guidance to language users
D.34 Passing Parameters and Return Values [CSJ]
D.34.1 Applicability to language
D.34.2 Guidance to language users
219 D.35 Dangling References to Stack Frames [DCM]
D.35.1 Applicability to language
D.35.2 Guidance to language users
D.36 Subprogram Signature Mismatch [OTR]
D.36.1 Applicability to language
220 D.36.2 Guidance to language users
D.37 Recursion [GDL]
D.37.1 Applicability to language
D.37.2 Guidance to language users
D.38 Ignored Error Status and Unhandled Exceptions [OYB]
D.38.1 Applicability to language
D.38.2 Guidance to language users
221 D.39 Termination Strategy [REU]
D.39.1 Applicability to language
D.39.2 Guidance to language users
D.40 Type-breaking Reinterpretation of Data [AMV]
D.40.1 Applicability to language
222 D.40.2 Guidance to language users
D.41 Memory Leak [XYL]
D.41.1 Applicability to language
D.41.2 Guidance to language users
D.42 Templates and Generics [SYM]
D.43 Inheritance [RIP]
D.44 Extra Intrinsics [LRM]
223 D.45 Argument Passing to Library Functions [TRJ]
D.45.1 Applicability to language
D.45.2 Guidance to language users
D.46 Inter-language Calling [DJS]
D.47 Dynamically-linked Code and Self-modifying Code [NYY]
D.47.1 Applicability to language
224 D.47.2 Guidance to language users
D.48 Library Signature [NSQ]
D.48.1 Applicability to language
D.48.2 Guidance to language users
D.49 Unanticipated Exceptions from Library Routines [HJW]
D.49.1 Applicability to language
225 D.49.2 Guidance to language users
D.50 Pre-processor Directives [NMP]
D.50.1 Applicability to language
D.50.2 Guidance to language users
226 D.51 Suppression of Language-defined Run-time Checking [MXB]
D.52 Provision of Inherently Unsafe Operations [SKL]
D.52.1 Applicability to language
D.52.2 Guidance to language users
D.53 Obscure Language Features [BRS]
D.53.1 Applicability to language
D.53.2 Guidance to language users
227 D.54 Unspecified Behaviour [BQF]
D.54.1 Applicability to language
D.54.2 Guidance to language users
D.55 Undefined Behaviour [EWF]
D.55.1 Applicability to language
228 D.55.2 Guidance to language users
D.56 Implementation-defined Behaviour [FAB]
D.56.1 Applicability to language
D.56.2 Guidance to language users
D.57 Deprecated Language Features [MEM]
D.57.1 Applicability to language
229 D.57.2 Guidance to language users
D.58 Implications for standardization
232 Annex E (informative) Vulnerability descriptions for the language Python
E.1 Identification of standards and associated documents
233 E.2 General Terminology and Concepts
E.2.1 General Terminology
236 E.2.2 Key Concepts
237 E.3 Type System [IHN]
E.3.1 Applicability to language
239 E.3.2 Guidance to language users
E.4 Bit Representations [STR]
E.4.1 Applicability to language
240 E.4.2 Guidance to language users
E.5 Floating-point Arithmetic [PLF]
E.5.1 Applicability to language
E.5.2 Guidance to language users
E.6 Enumerator Issues [CCB]
E.6.1 Applicability to language
241 E.6.2 Guidance to language users
E.7 Numeric Conversion Errors [FLC]
E.7.1 Applicability to language
E.7.2 Guidance to language users
242 E.8 String Termination [CJM]
E.9 Buffer Boundary Violation [HCB]
E.10 Unchecked Array Indexing [XYZ]
E.11 Unchecked Array Copying [XYW]
E.12 Pointer Casting and Pointer Type Changes [HFC]
E.13 Pointer Arithmetic [RVG]
E.14 Null Pointer Dereference [XYH]
E.15 Dangling Reference to Heap [XYK]
243 E.16 Arithmetic Wrap-around Error [FIF]
E.16.1 Applicability to language
E.16.2 Guidance to language users
E.17 Using Shift Operations for Multiplication and Division [PIK]
E.17.1 Applicability to language
E.18 Sign Extension Error [XZI]
E.19 Choice of Clear Names [NAI]
E.19.1 Applicability to language
245 E.19.2 Guidance to language users
E.20 Dead Store [WXQ]
E.20.1 Applicability to language
246 E.20.2 Guidance to language users
E.21 Unused Variable [YZS]
E.22 Identifier Name Reuse [YOW]
E.22.1 Applicability to language
248 E.22.2 Guidance to language users
E.23 Namespace Issues [BJL]
E.23.1 Applicability to language
250 E.23.2 Guidance to language users
251 E.24 Initialization of Variables [LAV]
E.24.1 Applicability of language
E.24.2 Guidance to language users
E.25 Operator Precedence/Order of Evaluation [JCW]
E.25.1 Applicability to language
252 E.25.2 Guidance to language users
E.26 Side-effects and Order of Evaluation [SAM]
E.26.1 Applicability to language
253 E.26.2 Guidance to language users
E.27 Likely Incorrect Expression [KOA]
E.27.1 Applicability to language
254 E.27.2 Guidance to language users
E.28 Dead and Deactivated Code [XYQ]
E.28.1 Applicability to language
255 E.28.2 Guidance to language users
E.29 Switch Statements and Static Analysis [CLL]
E.29.1 Applicability to language
E.29.2 Guidance to language users
E.30 Demarcation of Control Flow [EOJ]
E.30.1 Applicability to language
256 E.30.2 Guidance to language users
E.31 Loop Control Variables [TEX]
E.31.1 Applicability to language
257 E.31.2 Guidance to language users
E.32 Off-by-one Error [XZH]
E.32.1 Applicability to language
E.32.2 Guidance to language users
E.33 Structured Programming [EWD]
E.33.1 Applicability to language
258 E.33.2 Guidance to language users
E.34 Passing Parameters and Return Values [CSJ]
E.34.1 Applicability to language
259 E.34.2 Guidance to language users
260 E.35 Dangling References to Stack Frames [DCM]
E.36 Subprogram Signature Mismatch [OTR]
E.36.1 Applicability to language
E.36.2 Guidance to language users
E.37 Recursion [GDL]
E.37.1 Applicability to language
E.37.2 Guidance to language users
E.38 Ignored Error Status and Unhandled Exceptions [OYB]
E.38.1 Applicability to language
261 E.38.2 Guidance to language users
E.39 Termination Strategy [REU]
E.39.1 Applicability to language
E.39.2 Guidance to language users
E.40 Type-breaking Reinterpretation of Data [AMV]
E.41 Memory Leak [XYL]
E.41.1 Applicability to language
262 E.41.2 Guidance to language users
E.42 Templates and Generics [SYM]
E.43 Inheritance [RIP]
E.43.1 Applicability to language
E.43.2 Guidance to language users
E.44 Extra Intrinsics [LRM]
E.44.1 Applicability to language
263 E.44.2 Guidance to language users
E.45 Argument Passing to Library Functions [TRJ]
E.45.1 Applicability to language
E.45.2 Guidance to language users
E.46 Inter-language Calling [DJS]
E.46.1 Applicability to language
264 E.46.2 Guidance to language users
E.47 Dynamically-linked Code and Self-modifying Code [NYY]
E.47.1 Applicability to language
E.47.2 Guidance to language users
E.48 Library Signature [NSQ]
E.48.1 Applicability to language
265 E.48.2 Guidance to language users
E.49 Unanticipated Exceptions from Library Routines [HJW]
E.49.1 Applicability to language
E.49.2 Guidance to language users
E.50 Pre-processor Directives [NMP]
E.51 Suppression of Language-defined Run-time Checking [MXB]
E.52 Provision of Inherently Unsafe Operations [SKL]
E.52.1 Applicability to language
266 E.52.2 Guidance to language users
E.53 Obscure Language Features [BRS]
E.53.1 Applicability of language
268 E.53.2 Guidance to language users
E.54 Unspecified Behaviour [BQF]
E.54.1 Applicability of language
269 E.54.2 Guidance to language users
E.55 Undefined Behaviour [EWF]
E.55.1 Applicability to language
E.55.2 Guidance to language users
270 E.56 Implementation-defined Behaviour [FAB]
E.56.1 Applicability to language
E.56.2 Guidance to language users
271 E.57 Deprecated Language Features [MEM]
E.57.1 Applicability to language
E.57.2 Guidance to language users
272 Annex F (informative) Vulnerability descriptions for the language Ruby
F.1 Identification of standards and associated documents
F.2 General Terminology and Concepts
273 F.3 Type System [IHN]
F.3.1 Applicability to language
274 F.3.2 Guidance to language users
F.4 Bit Representations [STR]
F.4.1 Applicability to language
F.4.2 Guidance to language users
275 F.5 Floating-point Arithmetic [PLF]
F.5.1 Applicability to language
F.5.2 Guidance to language users
F.6 Enumerator Issues [CCB]
F.6.1 Applicability to language
276 F.6.2 Guidance to language users
F.7 Numeric Conversion Errors [FLC]
F.7.1 Applicability to language
F.7.2 Guidance to language users
F.8 String Termination [CJM]
F.9 Buffer Boundary Violation (Buffer Overflow) [HCB]
F.10 Unchecked Array Indexing [XYZ]
F.11 Unchecked Array Copying [XYW]
F.12 Pointer Casting and Pointer Type Changes [HFC]
277 F.13 Pointer Arithmetic [RVG]
F.14 Null Pointer Dereference [XYH]
F.15 Dangling Reference to Heap [XYK]
F.16 Arithmetic Wrap-around Error [FIF]
F.17 Using Shift Operations for Multiplication and Division [PIK]
F.18 Sign Extension Error [XZI]
F.19 Choice of Clear Names [NAI]
F.19.1 Applicability to language
F.19.2 Guidance to language users
278 F.20 Dead Store [WXQ]
F.20.1 Applicability to language
F.20.2 Guidance to language users
F.21 Unused Variable [YZS]
F.21.1 Applicability to language
F.21.2 Guidance to language users
F.22 Identifier Name Reuse [YOW]
F.22.1 Applicability to language
F.22.2 Guidance to language users
279 F.23 Namespace Issues [BJL]
F.23.1 Applicability to language
F.23.2 Guidance to language users
F.24 Initialization of Variables [LAV]
F.25 Operator Precedence/Order of Evaluation [JCW]
F.25.1 Applicability to language
280 F.25.2 Guidance to language users
F.26 Side-effects and Order of Evaluation [SAM]
F.26.1 Applicability to language
281 F.26.2 Guidance to language users
F.27 Likely Incorrect Expression [KOA]
F.27.1 Applicability to language
F.27.2 Guidance to language users
F.28 Dead and Deactivated Code [XYQ]
F.28.1 Applicability to language
282 F.28.2 Guidance to language users
F.29 Switch Statements and Static Analysis [CLL]
F.29.1 Applicability to language
F.29.2 Guidance to language users
F.30 Demarcation of Control Flow [EOJ]
F.31 Loop Control Variables [TEX]
F.31.1 Applicability to language
F.31.2 Guidance to language users
F.32 Off-by-one Error [XZH]
F.32.1 Applicability to language
283 F.32.2 Guidance to language users
F.33 Structured Programming [EWD]
F.33.1 Applicability to language
F.33.2 Guidance to language users
F.34 Passing Parameters and Return Values [CSJ]
F.34.1 Applicability to language
284 F.34.2 Guidance to language users
F.35 Dangling References to Stack Frames [DCM]
F.36 Subprogram Signature Mismatch [OTR]
F.36.1 Applicability to language
F.36.2 Guidance to language users
285 F.37 Recursion [GDL]
F.37.1 Applicability to language
F.37.2 Guidance to language users
F.38 Ignored Error Status and Unhandled Exceptions [OYB]
F.38.1 Applicability to language
F.38.2 Guidance to language users
F.39 Termination Strategy [REU]
F.39.1 Applicability to language
F.39.2 Guidance to language users
F.40 Type-breaking Reinterpretation of Data [AMV]
F.41 Memory Leak [XYL]
286 F.42 Templates and Generics [SYM]
F.43 Inheritance [RIP]
F.43.1 Applicability to language
F.43.2 Guidance to language users
F.44 Extra Intrinsics [LRM]
F.45 Argument Passing to Library Functions [TRJ]
F.45.1 Applicability to language
F.45.2 Guidance to language users
F.46 Inter-language Calling [DJS]
F.46.1 Applicability to language
287 F.46.2 Guidance to language users
F.47 Dynamically-linked Code and Self-modifying Code [NYY]
F.47.1 Applicability to language
F.47.2 Guidance to language users
F.48 Library Signature [NSQ]
F.48.1 Applicability to language
F.48.2 Guidance to language users
F.49 Unanticipated Exceptions from Library Routines [HJW]
F.49.1 Applicability to language
F.49.2 Guidance to language users
F.50 Pre-processor Directives [NMP]
288 F.51 Suppression of Language-defined Run-time Checking [MXB]
F.52 Provision of Inherently Unsafe Operations [SKL]
F.53 Obscure Language Features [BRS]
F.54 Unspecified Behaviour [BQF]
F.54.1 Applicability of language
F.54.2 Guidance to language users
F.55 Undefined Behaviour [EWF]
F.55.1 Applicability to language
289 F.55.2 Guidance to language users
F.56 Implementation-defined Behaviour [FAB]
F.56.1 Applicability to language
F.56.2 Guidance to language users
F.57 Deprecated Language Features [MEM]
290 Annex G (informative) Vulnerability descriptions for the language SPARK
G.1 Identification of standards and associated documentation
G.2 General terminology and concepts
291 G.3 Type System [IHN]
292 G.4 Bit Representation [STR]
G.5 Floating-point Arithmetic [PLF]
G.6 Enumerator Issues [CCB]
G.7 Numeric Conversion Errors [FLC]
G.8 String Termination [CJM]
G.9 Buffer Boundary Violation (Buffer Overflow) [HCB]
G.10 Unchecked Array Indexing [XYZ]
G.11 Unchecked Array Copying [XYW]
293 G.12 Pointer Casting and Pointer Type Changes [HFC]
G.13 Pointer Arithmetic [RVG]
G.14 Null Pointer Dereference [XYH]
G.15 Dangling Reference to Heap [XYK]
G.16 Arithmetic Wrap-around Error [FIF]
G.17 Using Shift Operations for Multiplication and Division [PIK]
G.18 Sign Extension Error [XZI]
G.19 Choice of Clear Names [NAI]
G.20 Dead store [WXQ]
294 G.21 Unused Variable [YZS]
G.22 Identifier Name Reuse [YOW]
G.23 Namespace Issues [BJL]
G.24 Initialization of Variables [LAV]
G.25 Operator Precedence/Order of Evaluation [JCW]
G.26 Side-effects and Order of Evaluation [SAM]
G.27 Likely Incorrect Expression [KOA]
G.28 Dead and Deactivated Code [XYQ]
295 G.29 Switch Statements and Static Analysis [CLL]
G.30 Demarcation of Control Flow [EOJ]
G.31 Loop Control Variables [TEX]
G.32 Off-by-one Error [XZH]
G.33 Structured Programming [EWD]
G.34 Passing Parameters and Return Values [CSJ]
296 G.35 Dangling References to Stack Frames [DCM]
G.36 Subprogram Signature Mismatch [OTR]
G.37 Recursion [GDL]
G.38 Ignored Error Status and Unhandled Exceptions [OYB]
G.39 Termination Strategy [REU]
297 G.40 Type-breaking Reinterpretation of Data [AMV]
G.41 Memory Leak [XYL]
G.42 Templates and Generics [SYM]
G.43 Inheritance [RIP]
G.44 Extra Intrinsics [LRM]
G.45 Argument Passing to Library Functions [TRJ]
G.46 Inter-language Calling [DJS]
298 G.47 Dynamically-linked Code and Self-modifying Code [NYY]
G.48 Library Signature [NSQ]
G.49 Unanticipated Exceptions from Library Routines [HJW]
G.50 Pre-Processor Directives [NMP]
G.51 Suppression of Language-defined Run-time Checking [MXB]
G.52 Provision of Inherently Unsafe Operations [SKL]
G.53 Obscure Language Features [BRS]
299 G.54 Unspecified Behaviour [BQF]
G.55 Undefined Behaviour [EWF]
G.56 Implementation-Defined Behaviour [FAB]
G.57 Deprecated Language Features [MEM]
G.58 Implications for standardization
300 Annex H (informative) Vulnerability descriptions for the language PHP
H.1 Identification of standards and associated documentation
301 H.2 General Terminology and Concepts
H.2.1 General Terminology
H.2.2 Key Concepts
302 H.3 Type System [IHN]
H.3.1 Applicability to Language
303 H.3.2 Guidance to Language Users
H.4 Bit Representations [STR]
H.4.1 Applicability to Language
304 H.4.2 Guidance to Language Users
H.5 Floating-point Arithmetic [PLF]
H.5.1 Applicability to Language
H.5.2 Guidance to Language Users
H.6 Enumerator Issues [CCB]
H.6.1 Applicability to Language
305 H.6.2 Guidance to Language Users
H.7 Numeric Conversion Errors [FLC]
H.7.1 Applicability to Language
306 H.7.2 Guidance to Language Users
H.8 String Termination [CJM]
H.8.1 Applicability to Language
307 H.8.2 Guidance to Language Users
H.9 Buffer Boundary Violation (Buffer Overflow) [HCB]
H.10 Unchecked Array Indexing [XYZ]
H.11 Unchecked Array Copying [XYW]
H.12 Pointer Casting and Pointer Type Changes [HFC]
H.13 Pointer Arithmetic [RVG]
308 H.14 Null Pointer Dereference [XYH]
H.15 Dangling Reference to Heap [XYK]
H.16 Arithmetic Wrap-around Error [FIF]
H.16.1 Applicability to Language
H.16.2 Guidance to Language Users
309 H.17 Using Shift Operations for Multiplication and Division [PIK]
H.17.1 Applicability to Language
310 H.17.2 Guidance to Language Users
H.18 Sign Extension Error [XZI]
H.19 Choice of Clear Names [NAI]
H.19.1 Applicability to Language
311 H.19.2 Guidance to Language Users
H.20 Dead Store [WXQ]
H.20.1 Applicability to Language
312 H.20.2 Guidance to Language Users
H.21 Unused Variable [YZS]
H.22 Identifier Name Reuse [YOW]
H.22.1 Applicability to Language
313 H.22.2 Guidance to Language Users
H.23 Namespace Issues [BJL]
H.23.1 Applicability to Language
314 H.23.2 Guidance to Language Users
H.24 Initialization of Variables [LAV]
H.24.1 Applicability of language
H.24.2 Guidance to Language Users
H.25 Operator Precedence/Order of Evaluation [JCW]
H.25.1 Applicability to Language
315 H.25.2 Guidance to Language Users
H.26 Side-effects and Order of Evaluation [SAM]
H.26.1 Applicability to Language
316 H.26.2 Guidance to Language Users
H.27 Likely Incorrect Expression [KOA]
H.27.1 Applicability to Language
317 H.27.2 Guidance to Language Users
H.28 Dead and Deactivated Code [XYQ]
H.28.1 Applicability to Language
H.28.2 Guidance to Language Users
318 H.29 Switch Statements and Static Analysis [CLL]
H.29.1 Applicability to Language
H.29.2 Guidance to Language Users
H.30 Demarcation of Control Flow [EOJ]
H.30.1 Applicability to Language
319 H.30.2 Guidance to Language Users
H.31 Loop Control Variables [TEX]
H.31.1 Applicability to Language
H.31.2 Guidance to Language Users
H.32 Off-by-one Error [XZH]
H.32.1 Applicability to Language
320 H.32.2 Guidance to Language Users
H.33 Structured Programming [EWD]
H.33.1 Applicability to Language
H.33.2 Guidance to Language Users
321 H.34 Passing Parameters and Return Values [CSJ]
H.34.1 Applicability to Language
H.34.2 Guidance to Language Users
H.35 Dangling References to Stack Frames [DCM]
H.36 Subprogram Signature Mismatch [OTR]
H.36.1 Applicability to Language
322 H.36.2 Guidance to Language Users
H.37 Recursion [GDL]
H.37.1 Applicability to Language
H.37.2 Guidance to Language Users
H.38 Ignored Error Status and Unhandled Exceptions [OYB]
H.38.1 Applicability to Language
323 H.38.2 Guidance to Language Users
H.39 Termination Strategy [REU]
H.39.1 Applicability to Language
324 H.39.2 Guidance to Language Users
H.40 Type-breaking Reinterpretation of Data [AMV]
H.41 Memory Leak [XYL]
H.41.1 Applicability to Language
H.41.2 Guidance to Language Users
H.42 Templates and Generics [SYM]
325 H.43 Inheritance [RIP]
H.43.1 Applicability to Language
H.43.2 Guidance to Language Users
H.44 Extra Intrinsics [LRM]
H.45 Argument Passing to Library Functions [TRJ]
H.45.1 Applicability to Language
H.45.2 Guidance to language users
H.46 Inter-language Calling [DJS]
H.46.1 Applicability to Language
H.46.2 Guidance to Language Users
326 H.47 Dynamically-linked Code and Self-modifying Code [NYY]
H.47.1 Applicability to Language
H.47.2 Guidance to Language Users
H.48 Library Signature [NSQ]
H.48.1 Applicability to Language
H.48.2 Guidance to Language Users
H.49 Unanticipated Exceptions from Library Routines [HJW]
H.49.1 Applicability to Language
H.49.2 Guidance to Language Users
327 H.50 Pre-processor Directives [NMP]
H.51 Suppression of Run-time Checking [MXB]
H.51.1 Applicability to Language
H.51.2 Guidance to Language Users
H.52 Provision of Inherently Unsafe Operations [SKL]
H.52.1 Applicability of language
H.52.2 Guidance to Language Users
H.53 Obscure Language Features [BRS]
H.53.1 Applicability of language
328 H.53.2 Guidance to Language Users
H.54 Unspecified Behaviour [BQF]
H.54.1 Applicability of language
329 H.54.2 Guidance to Language Users
H.55 Undefined Behaviour [EWF]
H.55.1 Applicability to Language
H.55.2 Guidance to Language Users
330 H.56 Implementation-defined Behaviour [FAB]
H.56.1 Applicability to Language
H.56.2 Guidance to Language Users
H.57 Deprecated Language Features [MEM]
H.57.1 Applicability to Language
H.57.2 Guidance to Language Users
331 Bibliography
334 Index
335 Blank Page