[C-safe-secure-studygroup] Study Group Meeting Minutes - 20170322

Laurence Urhegyi laurence.urhegyi at codethink.co.uk
Wed Mar 29 11:00:04 UTC 2017 

Agenda from last week's meeting attached and included as text below.



# Agenda



## Topic
Review of actions from previous meeting.

## Key Points
* Robert has met recently with representatives from MISRA and had 
further positive discussions, but not yet any substantial commitments 
regarding their stance on collaboration and combining the work of MISRA 
and the TS 17961.
* We’ll continue to progress as we are, for now.
* This meeting has changed to 1pm in the US now, but due to UK time 
changes soon, will be back to a 12pm start time. This can be reviewed 
periodically.
* Should we hold a meeting during the WG14 / C Standards meeting in 
Markham, w/c Monday 03 April.
* It probably won’t be feasible to hold a meeting there, so let’s cancel 
the next meeting in 4 weeks.
*Action:* Laurence to send out a mail informing everyone that the next 
study group meeting is cancelled.
*Action:* Robert to send out a mail asking if members are still 
interested in the study group, to try and encourage participation in the 
group.



## Topic
Rule 1.1
No consensus last time.

## Key Points
* Rules without a consensus should be added to ‘the end of the queue’ 
rather than being discussed immediately again during the next meeting. 
For this reason we’ll re-visit this rule at a later date.



## Topic
Rule 1.2
Discussion of this rule may be dependent on the proposal of how language 
extensions should be handled, from Gavin.

## Key Points
Not discussed today: awaiting discussion on the mailing list after 
Gavin’s post.



## Topic
Rule 1.3

## Key Points
Not discussed today: no submission to the wiki yet.



## Topic
Rule 2.1

## Key Points
Not discussed today: Jill was not present.



## Topic
Rule 2.4 (no consensus last time).

## Key Points
Placed at the back of the queue.



## Topic
Rule 2.6

## Key Points
Not discussed today: Adele was not present.



## Topic
Rule 2.7

## Key Points
* Aaron provided an update the mailing list on ‘unused code’ in general. 
For a security profile, it does not seem to make much sense to add in 
rules around the use of unused code. They don’t have any impact on the 
security of the program. For a safety profile, ‘unused code’ can be used 
against you in court if a safety critical system contains dead or unused 
code. This is also a question of style
* Clive: unused code is not just a style issue: it’s in the mindset of 
writing the code, so the question is ‘what is a system doing with code 
if it is not using it?’ - everything should be traced back to the 
requirements of the system.
* Aaron: this is not true because of the use of libraries in use. Code 
that runs on top of a real time Operating System, which includes a lot 
of code there which will not be used.
* Clive: when creating a safety critical system, you should not be 
writing general purpose libraries - you are creating a system to meet 
very specific requirements. This is where a deviation comes into play.
* Aaron: the distinction seems to be between general code written by the 
developers of a safety critical system, and general code which is 
‘inherited’ by the team developing the system. Should these be treated 
differently in terms of deviation?
* Clive: Yes. It’s related to code that comes from within a controlled 
environment or code from outside of a controlled environment. You need 
to justify why you’d be using code from outside of your own controlled 
environment and not creating it yourself.
* Aaron: that makes sense. It is useful to include these rules in the 
safety critical profile in that case.
* Robert: I am wondering if we need an exception here for comments.
* Aaron: A good example of something which makes things clearer and is 
very helpful but has no impact whatsoever on the code.
* Robert: analyser tools to be used in the safety critical market will 
need to be able to diagnose unused code. We should capture the points of 
the above discussion as a ‘rationale’ against each rule.
*Vote:* No specific vote taken on this rule, as we reached a conclusion 
on the general point made above, ie: to include rules that focus on dead 
code.



## Topic
Rule 4.1

## Key Points
* Kostya did a write up which he included on the wiki, but is not 
participating in the group any more so it was decided that we should 
discuss this rule now.
* Clive: I can see the logic in this rule, it seems to be more of a 
style rule: it seems to have an issue in that it does not capture 
something which is a genuine mistake. If two characters are used: is the 
second digit intended or is it part of the hex, as it will be compiled 
as part of the hex?
* Robert: this is what Kostya suggests in his write up as well. From a 
security perspective, this should not be considered, since it takes 
correct code and makes it non- conforming.
* Clive: I do not see that as significant as the rules around ‘unused 
code’. From a security perspective this is not a vulnerability.
* Robert: Should this be safety only or is it not needed at all? 
Kostya’s suggestion on the wiki seems sensible, where it says it should 
only be 2 characters if it’s a hex, which seems to be a reasonable 
extension of this.
* See here for that write-up: 
https://gitlab.com/trustable/C_Safety_and_Security_Rules_Study_Group/wikis/misrarules4
* Robert: it’s a stylistic choice because it is recommending the use of 
a constrained style to indicate intent beyond the semantics of the language.
* Clive: agreed that this is a style rule, it seems strong to say this 
should be required.
* Robert: with only 3 people on the call it’s probably not fair to hold 
a vote, so we should re-visit this as we don’t have a quorum. But it 
seems as though this rule could be one which does not make the cut.

## Topic
Rule 5.6

## Key Points
* Aaron: this rule prohibits re-using the name of a typedef across all 
translation units (including other typedefs). Can’t see any place for 
this rule in a security profile, but certainly seems appropriate for a 
safety profile. However, the rule should be re-written, because it is 
actually very restrictive: it does not take account of scope at all. For 
example, if you have a translation unit which has a typedef that is 
local to a function and then in a different translation unit you have a 
static function with the same name that is a violation of this rule, yet 
it has no chance at all of having any impact on this code, and is also 
highly unlikely to even cause confusion to a user.
* Clive: this seems to be a category of a ‘meta-rule’, as it comes up a 
number of times. Ie. not re-using names. I’d say the rule as it is 
written should be fine: I don’t think we need to include anything about 
specific scope here.
* Aaron: that means that the amount of data to be tracked is huge. Which 
is fine, it is certainly not impossible to do, but for projects with a 
large code base it will be very expensive. Every identifier will have to 
be tracked, across the entire program.
* Clive: there are other rules which will specify that a tracking 
mechanism such as the above should be kept for the project.
* Roberto: although I can’t hear the conversation so well I believe this 
rule should in the safety profile.
* Robert: there is a consensus that this rule belongs in the safety 
profile.



## Any Other Business
* SafSec Action Research Day 31st October at the BCS entitled:
7 years on SafeSec Software is a common expression - do the Cloud and 
IoT make a difference?

## Key Points
Not discussed today: Adele was not present.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: CSafetyandSecurityStudyGroupMeeting-AgendaMinutes-v1.0-20170322.pdf
Type: application/pdf
Size: 94994 bytes
Desc: not available
URL: <https://lists.trustable.io/pipermail/c-safe-secure-studygroup/attachments/20170329/bd16f811/attachment-0001.pdf>

More information about the C-safe-secure-studygroup mailing list