Scrash: A Tool for Generating Secure Crash Information
Abstract:
A growing number of contemporary applications and operating systems include provisions for sending debugging information back to the developer after a crash. While this practice is of great help to the developer, it can pose a privacy vulnerability to the end user of the software. Crash reports may contain sensitive user data such as passwords and credit card numbers, which are exposed to misuse or interception when the report is sent over the network and later stored in the developer’s crash data repository. This paper presents Scrash, a tool that safeguards user information by removing sensitive data from crash reports. Scrash operates by modifying the source code of C programs to ensure that data labeled “sensitive” does not appear in a crash report. In evaluation tests, Scrash added only a small amount of run-time overhead and required minimal involvement on the part of the developer.
Citations
| 402 | Uniprocessor garbage collection techniques – Wilson - 1992 |
| 161 | Dynamic storage allocation: A survey and critical review – Wilson, Johnstone, et al. - 1995 |
| 136 | Detecting Format String Vulnerabilities with Type Qualifiers – Shankar, Talwar, et al. - 2001 |
| 113 | Memory management with explicit regions – Gay, Aiken - 1998 |
| 82 | Language support for regions – Gay, Aiken - 2001 |
| 48 | Vmalloc: A general and efficient memory allocator – Vo - 1996 |
| 14 | Language-Based Information Flow Security – Sabelfeld, Myers - 2003 |
| 8 | Building a better backtrace: Techniques for postmortem program analysis – Liblit, Aiken - 2002 |
| 3 | Project Info for Bug-Buddy. http://www.advogato.org/proj/bug-buddy – Berkman - 2002 |
| 2 | Cil: An infrastructure for c program analysis and transformation – Necula, McPeak, et al. - 2002 |
| 1 | CQual: A tool for adding type qualifiers to C. http://www.cs.berkeley.edu/~jfoster/cqual – Foster, et al. |
| 1 | Watson’s a Big-Mouth. http://www.griffin-digital.com/dr__watson.htm – Dr - 2002 |

