Enhancing Privacy Protection in Fault Replication Systems

Error reporting systems are valuable mechanisms for enhancing software reliability. Unfortunately, though, conventional error reporting systems are prone to leaking sensitive user information, raising strong privacy concerns. In this work we introduce RE SPA (Recursive Shortest Path-based Anonymizer), a system for generating failure-reproducing, yet anonymized, error reports. RE SPA relies on symbolic execution, executed at client side, in order to identify alternative failure-inducing paths in the program's execution graph, and derive the logical conditions, called path conditions, that define the set of user inputs reproducing these executions. Anonymized failure-inducing inputs are then synthesized using any (random) solution satisfying the path conditions. The search for alternative failure-inducing executions is based on an innovative algorithm that exploits three key ideas: i) ReSPA relies on binary search to determine, in an efficient way, which portions of the original execution should be preserved in the alternative one; ii) in order to identify alternative execution paths with low information leakage, ReSPA explores the execution graph by leveraging on the Djikstra's shortest path algorithm with information leakage as the distance metric; iii) ReSPA ensures provable non-reversibility of the alternative inputs it produces via a recursive technique that anonymizes the alternative inputs found after running the algorithm. We show via an evaluation based on six large, widely used applications and real bugs that ReSPA reduces information leak-age up to 99.76%, and on average by 93.92%. This corresponds to an average increase in privacy by 40% with respect to state-of-the-art systems, with gains that extend up to almost 20x.