Better bug reporting with better privacy

Operating Systems Review (ACM)

Volumn 42, Issue 2, 2008, Pages 319-328

  Castro, Miguel ^a   Costa, Manuel ^a   Martin, Jean Philippe ^a  

^a MICROSOFT RESEARCH   (United Kingdom)

Author keywords

Bug reports; Constraint solving; Privacy; Symbolic execution

Indexed keywords

COMPUTER SOFTWARE; INFORMATION ANALYSIS; USER INTERFACES;

BUG REPORTS; CONSTRAINT SOLVING; SYMBOLIC EXECUTION;

DATA PRIVACY;

EID: 77957793391     PISSN: 01635980     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1353535.1346322     Document Type: Conference Paper

References (39)

1. GHttpd Log() Function Buffer Overflow Vulnerability (Bugtraq ID: 5960). http://www.securityfocus.com/bid/5960.
2. Null HTTPd Remote Heap Overflow Vulnerability (Bugtraq ID: 5774). http://www.securityfocus.com/bid/5774.
3. Portable network graphics (png) specification and extensions. http://www.libpng.org/pub/png/spec/.
4. AORAWAL, R., AND SRIKANT, R. Privacy-preserving data mining. In SIGMOD '00: Proceedings of the 2000 ACM SIGMOD international conference on Management of data (2000), pp. 439-450.
5. BHANSALI, S., CHEN, W.-K., DE JONG, S., EDWARDS, A., MURRAY, R., DRINIC, M., MIHOCKA, D., AND CHAU, J. Framework for instruction-level tracing and analysis of program executuions. In VEE (June 2006).
6. BROADWELL, P., HARREN, M., AND SASTRY, N. Scrash: a system, for generating secure crash information.
7. BRUMLEY, D., NEWSOME, J., SONG, D., WANG, H., AND JHA, S. Towards automatic generation of vulnerability signatures. In IEEE Symposium on Security and Privacy (May 2006).
8. CADAR, C., GANESH, V., PAWLOWSKI, P. M., DILL, D. L., AND ENGLER, D. R. EXE: Automatically Generating Inputs of Death. In 13th ACM Confeience on Computer and Communications Security (2006).
9. CASTRO, M., COSTA, M., AND HARRIS, T. Securing software by enforcing data-flow integrity. In OSDI (Nov. 2006).
10. CHEN, S., XU, J., SEZER, E. C., GAURIAR, P., AND IYER, R. K. Non-control-data attacks are realistic threats. In USENIX Security Symposium (July 2005).
11. CHIRAYATH, V., LONGPRE, L., AND KREINOVICH, V. Measuring privacy loss in statistical databases. In Workshop on Descriptional Complexity of Formal Systems (June 2006), pp. 16-25.
12. COSTA, M., CASTRO, M., ZHOU, L., ZHANG, L., AND PEINADO, M. Bouncer: Securing Software by Blocking Bad Input. In SOSP (Oct. 2007).
13. COSTA, M., CROWCROFT, J., CASTRO, M., ROWSTRON, A., ZHOU, L., ZHANG, L., AND BARHAM, P. Vigilante: End-to-End Containment of Internet Worms. In SOSP (Oct. 2005).
14. COWAN, C., PU, C., MAIER, D., HINTON, H., WADPOLE, J., BAKKE, P., BEATTIE, S., GRIER, A., WAOLE, P., AND ZHANG, Q. Stackguard: Automatic detection and prevention of buffer-overrun attacks. In USENIX Security Symposium (Jan. 1998).
15. CRANDALL, J. R., SU, Z., WU, S. F., AND CHONG, F. T. On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits. In ACM CCS (Nov. 2005).
16. DE MOURA, L., AND BJORNER, N. Z3: An Efficient SMT Solver. In. Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS) (Apr. 2008).
17. DUTERTRE, B., AND DE MOURA, L. The YICES SMT Solver. http://yices.csl.sri.com..
18. DUTERTRE, B., AND DE MOURA, L. A fast linear-arithemic solver for dpll(t). In CAV06 (Aug. 2006).
19. E.LNOZAHY, E. N., ALVISI, L., WANG, Y-M., AND JOHNSON, D. B. A survey of rollback-recovery protocols in message-passing systems. ACM Computing Surveys 34, 3 (Sept. 2002), 375-408.
20. GODEFROID, P., KLARLUND, N., AND SEN, K. DART: Directed Automated Random Testing. In PLDI (2005).
21. GODEFROID, P., LEVIN, M. Y., AND MOLNAR, D. Automated whitebox fuzz testing. Tech. Rep. MSR-TR-2007-58, Microsoft Research Technical Report, May 2007.
22. GOMES, C P., HOFFMANN, J., SABHARWAL, A., AND SELMAN, B. From sampling to model counting. In IJCAI (2007), pp. 2293-2299.
23. GOMES, C P., SABHARWAL, A., AND SELMAN, B. Model counting: A new strategy for obtaining good bounds. In AAAI (2006).
24. MARTIN, J.-P. Upper and lower bounds on the number of solutions. Tech. Rep. MSR-TR-2007-164, Dec. 2007.
25. MICROSOFTCORPORATION. Msnmessenger, http://messenger.msn.com.
26. MICROSOFT CORPORATION. Privacy statement for the microsoft error reporting service, Oct. 2005. http://oca.microsoft.com/en/dcp20. asp.
27. MICROSOFT CORPORATION. Description of the end user privacy policy in application error reporting when you are using office. Microsoft Knowledge Base Q283768, Jan. 2007. http://support.microsoft.com/kb/ 283768.
28. MICROSOFT CORPORATION. Dr. watson overview, Jan. 2007. http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ drwatson_overview.mspx?mfr=true.
29. MITRE CORPORATION. Multiple buffer overflows in libpng 1.2.5. CVE-2004-0597, June 2004. http://cve.mitre.org/cgibin/cvename.cgi?name= CAN-2004-0597.
30. MOORE, D., PAXSON, V., SAVAGE, S., SHANNON, C., STANIFORD, S., AND WEAVER, N. Inside the Slammer worm. IEEE Security and Privacy 1, 4 (July 2003).
31. QIN, F., TUCEK, J., SUNDARESAN, J., AND ZHOU, Y. Rx: Treating bugs as allergies - a safe method to survive software failures. In SOSP (Nov. 2005).
32. RUWASE, O., AND LAM, M. A practical dynamic buffer overflow detector. In NDSS (Feb. 2004).
33. SAMARATI, P., AND SWEENEY, L. Generalizing data to provide anonymity when disclosing information. In Proceedings of the 17th Symposium on Principles of Database Systems (1998), p. 188.
34. SANG, T., BEAME, P., AND KAUTZ, H. A. Heuristics for fast exact model counting. In. SAT (2005), pp. 226-240.
35. SEN, K., MARINOV, D., AND AGHA, G. CUTE: A Concolic Unit Testing Engine for C. In ESEC/FSE (2005).
36. SHANNON, C E. A mathematical theory of communication. SIGMOBILE Mob. Comput. Commun. Rev. 5, 1 (2001), 3-55.
37. SWEENEY, L. k-anonymity: a model for protecting privacy. Int. J. Uncertain. Fuzziness Know!. -Based Syst. 10, 5 (2002), 557-570.
38. TUCEK, J., LU, S., HUANO, C., XANTHOS, S., AND ZHOU, Y. Triage: diagnosing production run failures at the user's site. In SOSP (Nov. 2007).
39. ZELLER, A., AND HILDEBRANDT, R. Simplifying and isolating failure-inducing input. IEEE Trans. Software Eng. 28, 2 (2002), 183-200.