
Does Ada need a 'secure coding standard' as well?


Nasser M. Abbasi
May 28, 2011, 2:53:25 PM
I saw that CMU now makes what is called CERT (secure coding standards)
for different languages. They have Java, C, C++ in there.

These are supposed to be rules that a programmer should adopt to
make the code written in that language more 'safe' and 'secure'.

Here is the one for C for example

https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard

I was wondering if Ada would benefit from having something like this:
such secure programming rules customized for Ada.

Or if it is even needed as much for Ada? Some of the rules
seem good to know about.

Maybe some of this material is already in the Ada Rationale in
different places. Not sure now.

--Nasser

Yannick Duchêne (Hibou57)
May 28, 2011, 3:06:27 PM
On Sat, 28 May 2011 20:53:25 +0200, Nasser M. Abbasi <n...@12000.org>
wrote:

> I saw that CMU makes now what is called CERT (secure coding standards)
> for different languages. They have Java, C, C++ in there.
>
> These are supposed to be rules that a programmer should adopt to
> make the code written by that language more 'safe' and 'secure'
>
> Here is the one for C for example
>
> https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard

You can guess these recommendations are all language specific. E.g. the
common recommendation to write

    if (condition) {
        do_something ();
    }

instead of

    if (condition)
        do_something ();

makes no sense for Ada, which already handles this: you always write

    if Condition then
       Do_Something;
    end if;

There is no other way to do it, so no rule is needed there.

Well, these matters of how to write are mostly already embedded in the
language rules (that is one of its targets: readability, and the
principle of least surprise).


Except for that, there already exist some Ada subsets, or profiles. One of
the most common is the one required with SPARK. Here again, no need to
set up some rules and ask the authors to follow these rules and nothing
else, as these are already checked by the SPARK checker.

But nothing is perfect; there may be some interesting rules to be applied
to Ada, just that there will be few, and they should all be mostly domain
specific, as the ones about the large principles are already there (I
believe).


--
“Syntactic sugar causes cancer of the semi-colons.” [Epigrams on
Programming — Alan J. — P. Yale University]
“Structured Programming supports the law of the excluded muddle.” [Idem]
“c++; /* this makes c bigger but returns the old value */” [Anonymous]

Ludovic Brenta
May 28, 2011, 3:32:37 PM

This is addressed by ISO/IEC JTC 1/SC 22/WG 23 Programming Language
Vulnerabilities[1].

There are language-specific annexes for Ada, SPARK and several other
languages. The annexes for Ada and SPARK are in the Ada User
Journal[2], Volume 32, No 3 and 4 respectively.

[1] http://www.aitcnet.org/isai/
[2] http://www.ada-europe.org/journal.html

--
Ludovic Brenta.

Nasser M. Abbasi
May 28, 2011, 3:38:56 PM
On 5/28/2011 12:06 PM, Yannick Duchêne (Hibou57) wrote:

>
> Except that, there already exist to some Ada subset, or profiles. One of
> the most common is the one which is required with SPARK. Here again, no
> need to setup some rules and ask the authors to follow these rules and
> nothing else, as these are already checked by the SPARK Checker.
>

That was my initial reaction when I saw those rules:
that a well designed secure language would not need such rules
(or many of them) for a programmer to remember, since
the compiler will check and reject code which is 'not secure',
as it will be something not allowed at the language level itself.

But when I said that in the Java newsgroup I got screamed at :)

Most of the rules seem to target handling strings, where,
as one would expect, most of the security problems can sneak in.

The funny thing is that Java 7 just added a switch on strings!

http://www.vineetmanohar.com/2011/03/new-java-7-feature-string-in-switch-support/

So maybe now more rules need to be added for the programmer
to remember when using this new feature added by the language,
so they can use it in a 'secure' way.

--Nasser

Yannick Duchêne (Hibou57)
May 28, 2011, 3:45:15 PM
On Sat, 28 May 2011 21:38:56 +0200, Nasser M. Abbasi <n...@12000.org>
wrote:

> The funny thing, is that Java 7 just added a switch on string !
>
> http://www.vineetmanohar.com/2011/03/new-java-7-feature-string-in-switch-support/

A good idea, but they still did not remove the requirement of an explicit
break at the end of each case, so that is still not a real switch; it's
still a goto.

    switch (color) {
        case "red":
            System.out.println("Color is Red");
            break;
        case "green":
            System.out.println("Color is Green");
            break;
        default:
            System.out.println("Color not found");
    }
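For comparison, here is the same selection written in Ada. This is an added example, not code from the thread; the type Color, the procedure names and the sample inputs are my own. Ada's case statement only works on discrete types, so the string is first converted with Color'Value, and the compiler then checks that every literal is covered and that no alternative can fall through into the next.

```ada
--  Added example: the Ada counterpart of the Java string switch above.
with Ada.Text_IO; use Ada.Text_IO;

procedure Color_Case is
   --  Hypothetical enumeration standing in for the Java string values.
   type Color is (Red, Green, Blue);

   procedure Describe (Input : String) is
      C : Color;
   begin
      --  Color'Value ignores leading/trailing blanks and letter case, and
      --  raises Constraint_Error for any text that is not a literal of
      --  Color; there is no way to reach the case statement with an
      --  unexpected value.
      C := Color'Value (Input);
      case C is
         when Red   => Put_Line ("Color is Red");
         when Green => Put_Line ("Color is Green");
         when Blue  => Put_Line ("Color is Blue");
         --  No "when others" is needed because every literal is listed.
         --  Remove one alternative and this no longer compiles. Each
         --  alternative ends by itself: there is no break to forget and
         --  no fallthrough.
      end case;
   exception
      when Constraint_Error =>
         Put_Line ("Color not found: " & Input);
   end Describe;
begin
   Describe ("red");     --  Color is Red
   Describe (" Green "); --  Color is Green
   Describe ("purple");  --  Color not found: purple
end Color_Case;
```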

Simon Wright
May 28, 2011, 5:37:55 PM

Mark_Ngbapai
May 29, 2011, 9:29:15 AM
On May 28, 11:37 pm, Simon Wright <si...@pushface.org> wrote:
> "Nasser M. Abbasi" <n...@12000.org> writes:
>
> > https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+S...
>
> I wouldn't have rated https://www.securecoding.cert.org/confluence/display/seccode/POS39-C....
> as a _guideline_ exactly!
>
> Or https://www.securecoding.cert.org/confluence/display/seccode/FIO09-C....
> come to that.

There are references to Ada in the NASA Software Safety Book; it is
worth reading and can be downloaded freely at:

http://www.hq.nasa.gov/office/codeq/doctree/871913.pdf

Simon Wright
May 29, 2011, 9:58:50 AM
Mark_Ngbapai <lightni...@gmail.com> writes:

> There are references to Ada in the NASA Software Safety Book, it is
> worth reading and can be downloaded freely at:
>
> http://www.hq.nasa.gov/office/codeq/doctree/871913.pdf

Excellent link, thanks! (it may be dated 2004, but it doesn't seem
dated).

Yannick Duchêne (Hibou57)
May 29, 2011, 10:04:29 AM
On Sat, 28 May 2011 20:53:25 +0200, Nasser M. Abbasi <n...@12000.org>
wrote:

> I was wondering if Ada would benefit of having something like this?
> such secure programming rules customized for Ada.

In the particular area of Object Oriented Design applied to High-Integrity
applications, there is one that AdaCore worked on:
www.open-do.org/wp-content/uploads/2011/04/HighIntegrityAda.pdf

(I have this in my archive directory, but did not read it so far)

I know Jean-Pierre Rosen also took part in a similar workshop, but I have
no reference to this.

Yannick Duchêne (Hibou57)
May 29, 2011, 10:05:15 AM
On Sun, 29 May 2011 16:04:29 +0200, Yannick Duchêne (Hibou57)
<yannick...@yahoo.fr> wrote:

> In the particular area of Object Oriented Design applied to
> High-Integrity applications, there is one AdaCore worked on:
> www.open-do.org/wp-content/uploads/2011/04/HighIntegrityAda.pdf
http://www.open-do.org/wp-content/uploads/2011/04/HighIntegrityAda.pdf

Maciej Sobczak
May 29, 2011, 11:23:52 AM
On 28 May, 20:53, "Nasser M. Abbasi" <n...@12000.org> wrote:

> Or if it is even needed as much for Ada?

Apparently it is, as several such documents were written for Ada.

Apart from those already mentioned, these two might be of interest:

"Ada95 Trustworthiness Study: Guidance on the Use of Ada95 in the
Development of High Integrity Systems"

ISO/IEC TR 15942: "Guide for the use of the Ada programming language
in high integrity systems"

--
Maciej Sobczak * http://www.msobczak.com * http://www.inspirel.com

Yannick Duchêne (Hibou57)
May 29, 2011, 11:53:40 AM
On Sun, 29 May 2011 17:23:52 +0200, Maciej Sobczak
<see.my....@gmail.com> wrote:

> Apart from those already mentioned, these two might be of interest:
> […]
Do you know of any reference to papers published after the workshop
Jean-Pierre Rosen talked about here some months ago? This was about OOD
in applications with hard requirements for safety. I posted one link to
such a document, but a pointer to this other material would still be
worthwhile.


Note for people not very versed in Ada reading this thread: these papers
do not suggest Ada is not safe; on the contrary, these are all
recommendations to be applied when a hard step above the typical safety
requirements one may find in everyday applications is required; none is
required outside of such heavy requirements.

Florian Weimer
May 29, 2011, 5:03:07 PM
* Maciej Sobczak:

> On 28 May, 20:53, "Nasser M. Abbasi" <n...@12000.org> wrote:
>
>> Or if it is even needed as much for Ada?
>
> Apparently it is, as several such documents were written for Ada.
>
> Apart from those already mentioned, these two might be of interest:
>
> "Ada95 Trustworthiness Study: Guidance on the Use of Ada95 in the
> Development of High Integrity Systems"

I don't think the CERT guide is targeted at high-integrity systems.
It's intended for an extremely broad range of things, from server
software to productivity applications for end users. This means that
certain features are taken for granted, such as the need to restart
applications from time to time (because of a non-compacting dynamic
memory manager) and the ability of software to scale with available
resources.

J-P. Rosen
May 30, 2011, 6:25:20 AM
On 29/05/2011 16:04, Yannick Duchêne (Hibou57) wrote:
> In the particular area of Object Oriented Design applied to
> High-Integrity applications, there is one AdaCore worked on:
> www.open-do.org/wp-content/uploads/2011/04/HighIntegrityAda.pdf
>
> I know Jean-Pierre Rosen also took part to a similar workshop, but I
> have no reference to this.
>
There will be a panel on this topic at the upcoming Ada-Europe
conference. One more reason to attend ;-)
---------------------------------------------------------
J-P. Rosen (ro...@adalog.fr)
Adalog a déménagé / Adalog has moved:
2 rue du Docteur Lombard, 92441 Issy-les-Moulineaux CEDEX
Tel: +33 1 45 29 21 52, Fax: +33 1 45 29 25 00

J-P. Rosen
May 30, 2011, 6:27:28 AM
On 29/05/2011 17:53, Yannick Duchêne (Hibou57) wrote:
> Do you know some reference to papers published after the workshop
> Jean-Pierre Rosen talked about here some months ago ? This was about OOD
> in applications with hard requirement for safety. I posted one link to
> such a document, but a pointer to this other material would still be worth.
>
I wrote one that I sent (a bit late, sorry) to Ada Letters. Should be in
the next issue.

Simon Clubley
May 31, 2011, 12:59:17 PM
On 2011-05-28, Ludovic Brenta <lud...@ludovic-brenta.org> wrote:
>
> There are language-specific annexes for Ada, SPARK and several other
> languages. The annexes for Ada and SPARK are in the Ada User
> Journal[2], Volume 32, No 3 and 4 respectively.
>
> [2] http://www.ada-europe.org/journal.html
>

The most recent volume on that website is Volume 32, No 1, dated March 2011.

Are you saying that these annexes are due for publication later this year,
or is the above volume number incorrect?

Thanks,

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world

AdaMagica
May 31, 2011, 1:51:15 PM
> > There are language-specific annexes for Ada, SPARK and several other
> > languages.  The annexes for Ada and SPARK are in the Ada User
> > Journal[2], Volume 32, No 3 and 4 respectively.

It's volume 31, but the text is not yet online, only the table of
contents.

> > [2]http://www.ada-europe.org/journal.html

Simon Clubley
May 31, 2011, 2:54:48 PM
On 2011-05-31, AdaMagica <christ-u...@t-online.de> wrote:
>> > There are language-specific annexes for Ada, SPARK and several other
>> > languages.  The annexes for Ada and SPARK are in the Ada User
>> > Journal[2], Volume 32, No 3 and 4 respectively.
>
> It's volume 31, but the text is not yet online, only the table of
> contents.
>

Thanks for clarifying.

Are the annexes available from any other online source?

A quick search using the first URL only found what was classed as
historical material for Ada 83.
