PROPOSAL FOR A NEW WORK ITEM

Date of presentation of proposal:
2004-01-07

Proposer:
US National Body

Secretariat:
ANSI

ISO/IEC JTC 1/SC 22  N 3704

A proposal for a new work item shall be submitted to the secretariat of the ISO/IEC joint technical committee concerned with a copy to the ISO Central Secretariat.

Presentation of the proposal - to be completed by the proposer Guidelines for proposing and justifying a new work item are given in ISO Guide 26.

Title

Specification for secure C Library functions.

Scope

To introduce a redefinition of current C library functions -- including new library functions, macros, and types -- to the C programming Language to make them secure and safe in today's programming environment. These functions will attempt to eliminate buffer overflow, will have advanced error reporting, will in some cases contain parameter validation, and will have other features that are needed in today's programming environment to help guarantee more secure and safe programs.

Purpose and justification

The programming language C as specified by the International Standard ISO/IEC 9899:1999 provides little in the way of secure library functions. Security has quickly become one of the most important issues in programming, and the C programming language must stay abreast of this requirement. The only way to accomplish this is to add secure functionality to the C Programming language library.

This NP proposes to establish a new project to produce a Technical Report (type 2) in which existing Standard C Library functions and macros are redefined (renamed) to take into account buffer overrun, more robust error reporting, parameter validation, and any other feature that is required to make the functions and macros secure. In some cases there will no doubt need to be new functions, macros and types defined. Some other issues (like callback, thread safety, reentry safety) will be studied; it is not yet clear whether this functionality is suitable for specification in the proposed Technical Report, or if the topics will be dealt with in a future Technical Report (under another NP).

The main focus of this project will be to redefine the C library functions that have been identified as unsafe or non-secure in today's programming environment. Any and all prior art will be taken into account while developing the specifications for the redefinition of a secure and safe C Library.

The project also includes the production of the text for a Rationale document (either separate or as part of the project document).

Programme of work

If the proposed new work item is approved, which of the following document(s) is (are) expected to be developed?
____ a single International Standard more than one International Standard (expected number: ........ )
____ a multi-part International Standard consisting of .......... parts
____ an amendment or amendments to the following International Standard(s) ....................................
_X__ a technical report , type 2

Relevant documents to be considered

  • ISO/IEC 9899:1999 - Programming Language C
  • ISO/IEC JTC 1/SC22 WG14 N1007 - Security and Standard C Libraries
  • ISO/IEC JTC 1/SC22 WG14 N1031 - Specification for secure C Libray functions
  • ISO/IEC 11404:1996 - Language-independent datatypes.
  • Cooperation and liaison

    All ISO/IEC JTC 1/SC22 Working groups that have an interest in supporting many natural languages, especially ISO/IEC JTC 1/SC22 WG21 (C++).

    Preparatory work offered with target date(s)

    A PDTR document will be ready for registration 24 months after the approval of the project by JTC 1.

    Signature:


    for
    ANSI
    P-Member of JTC 1/SC 22

    Will the service of a maintenance agency or registration authority be required? .......NO.............
    - If yes, have you identified a potential candidate? ................
    - If yes, indicate name .............................................................

    Are there any known requirements for coding? ..........NO.........
    -If yes, please specify on a separate page

    Are there any known requirements for cultural and linguistic adaptability? .....NO....
    - If yes, please specify on a separate page

    Does the proposed standard concern known patented items? .......NO..........
    - If yes, please provide full information in an annex

    Comments and recommendations of the JTC 1 Secretariat - attach a separate page as an annex, if necessary

    Comments with respect to the proposal in general, and recommendations thereon:
    It is proposed to assign this new item to JTC 1/SC22 WG14
    The proposed project editor is Randy Meyers ([email protected]) of the United States, the proposed backup project editor is P. J. Plauger ([email protected]) of the United States. Both are members in good standing of NCITS J11.

    Voting on the proposal - Each P-member of the ISO/IEC joint technical committee has an obligation to vote within the time limits laid down (normally three months after the date of circulation).

    Date of circulation:
    2004-01-09

    Closing date for voting:
    2004-04-09

    Signature of JTC 1/SC 22  Secretary:
    Matt Deane


    NEW WORK ITEM PROPOSAL - PROJECT ACCEPTANCE CRITERIA

       

    Criterion

    Validity

    Explanation

    A Business Requirement

       

    A.1 Market Requirement

    Essential ___
    Desirable ___
    Supportive ___

     

    A.2 Regulatory Context

    Essential ___
    Desirable ___
    Supportive ___
    Not Relevant ___

     

    B. Related Work

       

    B.1 Completion/Maintence of current standards

    Yes ___
    No___

     

    B.2 Commitment to other organization

    Yes ___
    No___

     

    B.3 Other Source of standards

    Yes ___
    No___

     

    C. Technical Status

       

    C.1 Mature Technology

    Yes ___
    No___

     

    C.2 Prospective Technology

    Yes ___
    No___

     

    C.3 Models/Tools

    Yes ___
    No___

     

    D. Conformity Assessment and Interoperability

       

    D.1 Conformity Assessment

    Yes ___
    No___

     

    D.2 Interoperability

    Yes ___
    No___

     

    E. Other Justification

       


    Notes to Proforma

    A. Business Relevance. That which identifies market place relevance in terms of what problem is being solved and or need being addressed.

    A.1. Market Requirement. When submitting a NP, the proposer shall identify the nature of the Market Requirement, assessing the extent to which it is essential, desirable or merely supportive of some other project.

    A.2 Technical Regulation. If a Regulatory requirement is deemed to exist - e.g. for an area of public concern e.g. Information Security, Data protection, potentially leading to regulatory/public interest action based on the use of this voluntary international standard - the proposer shall identify this here.

    B. Related Work. Aspects of the relationship of this NP to other areas of standardization work shall be identified in this section.

    B.1 Competition/Maintenance. If this NP is concerned with completing or maintaining existing standards, those concerned shall be identified here.

    B.2 External Commitment. Groups, bodies, or fora external to JTC1 to which a commitment has been made by JTC for cooperation and or collaboration on this NP shall be identified here.

    B.3 External Std/Specification. If other activities creating standards or specifications in this topic area are known to exist or be planned, and which might be available to JTC1 as PAS, they shall be identified here.

    C. Technical Status. The proposer shall indicate here an assessment of the extent to which the proposed standard is supported by current technology.

    C.1 Mature Technology. Indicate here the extent to which the technology is reasonably stable and ripe for standardization.

    C.2 Prospective Technology. If the NP is anticipatory in nature based on expected or forecasted need, this shall be indicated here.

    C.3 Models/Tools. If the NP relates to the creation of supportive reference models or tools, this shall be indicated here.

    D. Any other aspects of background information justifying this NP shall be indicated here.

    D. Conformity Assessment and Interoperability

    D.1 Indicate here if Conformity Assessment is relevant to your project. If so, indicate how it is addressed in your project plan.

    D.2 Indicate here if Interoperability is relevant to your project. If so, indicate how it is addressed in your project plan.