[trustable-software] From security to safety, or the other way around?

Robert Seacord Robert.Seacord at nccgroup.trust
Sun Sep 25 15:50:24 UTC 2016


Thanks, Andrew, I'm flattered. 8^)  Unfortunately, we've never had a chance to follow up on our lunch time chat in Chiswick about combining the CERT and MISRA standards.  Hopefully, you'll be attending the next C Standards Meeting here in Pittsburgh in a few weeks and we'll have a chance to follow up.

I don't know if you have had a chance to read the referenced paper.  It is available from Engineering & Technology Reference as part of their subscription service, so they need the content to be exclusive.  It does take Addendum 2 into account, although I have not yet seen the imminent Addendum 3, but would be happy to review it for you.

The paper begins to detail some of the issues with MISRA, not just from a security perspective but from a safety perspective as well.  The paper was limited to 6 pages, however, so it is not comprehensive in this regard.  I do think that the CERT C Coding Standard is a higher quality standard, primarily because it was developed at the behest of and with the extensive input of the ISO/IEC C Standards Committee.  It is also closely coordinated with ISO/IEC TS 17961:2013 -- C secure coding rules (http://www.iso.org/iso/catalogue_detail.htm?csnumber=61134), which is an ISO/IEC Technical Specification.

I think the primary (non-technical) problem with MISRA is that it is a proprietary document, and that it is developed by a rather closed process.  An international standards body such as the ISO/IEC C Standards Committee is likely the best place to perform this work as it will be developed following a formal but open process that doesn't allow one individual or organization undue influence over the resulting product.

Towards this end, we are currently considering the next steps for ISO/IEC TS 17961:2013.  One possibility is that we will propose to convert this Technical Specification into an International Standard, now that the community has had several years of experience with it.  As part of this work, it would be interesting to look at this document from a safety perspective as well, and also to add support for additional C11 features.  This might require reforming the study group, which could consider MISRA rules as well as rules originating from other sources.

Again, I hope you will be at the upcoming C Standards meeting in Pittsburgh, when we will discuss this further with the committee.

Thanks,
rCs


-----Original Message-----
From: trustable-software [mailto:trustable-software-bounces at lists.veristac.io] On Behalf Of Andrew Banks
Sent: Sunday, September 25, 2016 4:26 AM
To: 'Discussion about trustable software engineering' <trustable-software at lists.veristac.io>
Subject: Re: [trustable-software] From security to safety, or the other way around?

>> I've been reading a very interesting paper titled 'Safety and Security Coding Standards for C' 
>> written by Robert C. Seacord for the IET (Institute of Engineering and Technology)

I'm pleased to see the IET addressing the issue, and a good choice of author!

>> Any MISRA folks have ideas on how it would extend towards (for example connected) secure systems?

As you suggest, the whole topic of Safety v Security has become a Big Thing, and I've spoken at a number of conferences (in the UK, Germany and Japan) on this and the approach that MISRA is taking - which is to address the concept of High Integrity Software, rather than focus on arbitrary semantic differences (at software level) between Safety and Security.   While MISRA C "Guidelines for the use of C in Critical Systems" was originally created as an automotive safety guideline, it has been widely adopted by other industries, and (as per its title) it is applicable for use in any critical system.

Robert Seacord and I agree with each other on many aspects of the subject, although there are one or two areas where we have our differences.

The recently published Addendum 2 (coverage of MISRA C against ISO 17961 C Secure) and the imminent Addendum 3 (coverage of MISRA C against CERT-C) clearly show that we disagree with Robert's assessment that MISRA C is not *already* a security standard.  Likewise, current and planned work includes further extension into areas relevant to the hosted environment.

Furthermore, (while we suspect his intent is the opposite) we welcome Robert's observation that CERT-C is not considered a subset, as both DO-178x and ISO 26262 require a subset of C :-)

Standards, such as MISRA C and CERT-C, need to continue to evolve to remain relevant, and our plans for MISRA C hope to ensure that it meets the needs of all High Integrity and Critical Systems... I am more than happy to enter into discussions where it is felt that MISRA C needs to improve further.



Kind regards
Andrew Banks MIET FBCS CITP
Chairman, MISRA C Working Group
http://www.misra.org.uk


_______________________________________________
trustable-software mailing list
trustable-software at lists.veristac.io
https://lists.veristac.io/cgi-bin/mailman/listinfo/trustable-software