DocumentCode :
2297341
Title :
MultiPathPrivacy: Enhanced Privacy in Fault Replication
Author :
Louro, Pedro ; Garcia, João ; Romano, Paolo
Author_Institution :
INESC-ID Lisboa / IST, Lisbon, Portugal
fYear :
2012
fDate :
8-11 May 2012
Firstpage :
203
Lastpage :
211
Abstract :
Most computer applications are published with bugs, whose reproducibility is strictly dependent on the availability of detailed information about the real usage of the application. Unfortunately, this data collection process raises severe privacy issues, as error reports are very likely to include personal information. This represents a strong disincentive for users to submit error reports, hampering the software maintenance process. In this work we address the issue of how to design data obfuscation mechanisms aimed at anonymizing the error reports generated by faulty applications without compromising bug reproducibility. The solution presented in this paper, MultiPathPrivacy, is based on an idea which is, to the best of our knowledge, still unexplored in the literature: maximizing the achievable degree of obfuscation by exploiting the presence of multiple execution paths leading to the manifestation of the same bug. MultiPathPrivacy relies on an off-line reachability analysis phase, based on symbolic execution techniques, aimed not only at identifying the set of alternative execution paths leading to the execution of the code block where the bug manifested, but also at determining the symbolic constraints on the user inputs that are necessary to generate such execution paths. By exploiting the presence of disjoint sets of alternative user inputs/execution paths leading to the manifestation of the same bug, MultiPathPrivacy achieves striking improvements in anonymization quality when compared to state-of-the-art solutions. Via an experimental study, based both on a real, privacy-sensitive application and on publicly available software repositories, we show that MultiPathPrivacy can achieve up to an 87% reduction of the amount of user input information leaked by the error report, evaluated in terms of bits of information revealed and percentage of residual non-anonymized input.
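The mechanism the abstract sketches, as an added worked illustration that is not the authors' implementation: a constructed toy program in which three disjoint user-input sets all reach one faulty block, hand-written path constraints standing in for the output of the off-line symbolic-execution phase, and a comparison of how many bits of user input an error report leaks when the replacement input is drawn from the original path's input set (the single-path baseline) versus from the union of all bug-reaching sets (the MultiPathPrivacy idea). The toy program, the input domain, the constraints and the fixed-witness replacement policy are all assumptions made for this example.

```python
"""Toy illustration of the MultiPathPrivacy idea described in the abstract.

Constructed for this page; not the authors' tool. The toy program, the input
domain and the hand-written path constraints (standing in for the output of
the off-line symbolic-execution phase) are all assumptions.
"""
import math
from itertools import product

# Constructed user-input domain, small enough to enumerate exhaustively.
AGES = range(0, 120)
ZIPS = range(0, 1000)
DOMAIN = list(product(AGES, ZIPS))


def faulty_block():
    """Shared code block where the bug manifests (index out of range)."""
    table = [0] * 10
    return table[10]


def toy_app(age, zip_code):
    """Constructed program with three distinct execution paths into faulty_block()."""
    if age < 18:
        if zip_code % 2 == 0:
            return faulty_block()      # path A
        return "minor"
    if age >= 65:
        return faulty_block()          # path B
    if zip_code >= 900:
        return faulty_block()          # path C
    return "adult"


# Assumed output of the off-line reachability analysis: one symbolic
# constraint on the user input per path that reaches faulty_block().
# By construction the three input sets are pairwise disjoint.
PATH_CONSTRAINTS = {
    "A": lambda age, z: age < 18 and z % 2 == 0,
    "B": lambda age, z: age >= 65,
    "C": lambda age, z: 18 <= age < 65 and z >= 900,
}
BUG_INPUTS = {name: [x for x in DOMAIN if pred(*x)]
              for name, pred in PATH_CONSTRAINTS.items()}
ALL_BUG_INPUTS = [x for inputs in BUG_INPUTS.values() for x in inputs]

# Replacement witnesses are fixed per path / per bug and never depend on the
# real input; a witness chosen as a function of the real input would itself leak.
PATH_WITNESS = {name: min(inputs) for name, inputs in BUG_INPUTS.items()}
BUG_WITNESS = min(ALL_BUG_INPUTS)


def path_of(age, zip_code):
    """Name of the bug-reaching path taken by this input, or None."""
    for name, pred in PATH_CONSTRAINTS.items():
        if pred(age, zip_code):
            return name
    return None


def reproduces_bug(age, zip_code):
    """Concrete check that an input actually triggers the fault."""
    try:
        toy_app(age, zip_code)
    except IndexError:
        return True
    return False


def single_path_report(age, zip_code):
    """Baseline: replace the input by the fixed witness of the path actually taken.
    The report still pins the real input down to that one path's input set."""
    path = path_of(age, zip_code)
    if path is None:
        raise ValueError("input does not reach the faulty block")
    return {"path": path, "input": PATH_WITNESS[path]}


def multipath_report(age, zip_code):
    """MultiPathPrivacy-style: the witness comes from the union of all
    bug-reaching input sets, so the report only reveals that the real input
    lies somewhere in that union, not which path it took."""
    if path_of(age, zip_code) is None:
        raise ValueError("input does not reach the faulty block")
    return {"path": None, "input": BUG_WITNESS}


def bits_leaked(report_fn, age, zip_code):
    """Bits revealed about the real input by its report, assuming the adversary
    knows the domain and the reporting policy:
    log2(|domain| / |inputs that would have produced the very same report|)."""
    report = report_fn(age, zip_code)
    consistent = sum(1 for x in ALL_BUG_INPUTS if report_fn(*x) == report)
    return math.log2(len(DOMAIN) / consistent)


def leak_reduction(age, zip_code):
    """Fractional reduction in leaked bits of multipath over single-path reporting."""
    baseline = bits_leaked(single_path_report, age, zip_code)
    return 1.0 - bits_leaked(multipath_report, age, zip_code) / baseline


if __name__ == "__main__":
    real_input = (16, 124)   # constructed: a minor with an even zip -> path A
    for fn in (single_path_report, multipath_report):
        rep = fn(*real_input)
        print(fn.__name__, rep, "reproduces:", reproduces_bug(*rep["input"]),
              "bits leaked: %.2f" % bits_leaked(fn, *real_input))
    print("reduction: %.0f%%" % (100 * leak_reduction(*real_input)))
```

For the constructed input (16, 124) both reports reproduce the fault, but the single-path report leaks about 3.7 bits (the input is known to be in path A's 9000-element set) while the union-based report leaks about 0.8 bits (it is only known to be among the 68700 inputs that crash), a 78% reduction in this toy. The gain depends on how large the alternative input sets are relative to the original path's, so it varies from bug to bug; the replacement must also be chosen independently of the real input, otherwise the choice itself becomes a side channel.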
Keywords :
data privacy; program debugging; software fault tolerance; software maintenance; MultiPathPrivacy; alternative user inputs-execution paths; anonymization quality; bug reproducibility; code block; computer applications; data obfuscation mechanisms; error reports; fault replication; offline reachability analysis phase; personal information; privacy enhancement; privacy-sensitive application; residual non-anonymized input; software maintenance process; symbolic constraints; symbolic execution techniques; user input information; Computer bugs; Java; Maintenance engineering; Privacy; Servers; Software maintenance; error reports; fault replication; privacy; software maintenance; symbolic execution;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Dependable Computing Conference (EDCC), 2012 Ninth European
Conference_Location :
Sibiu
Print_ISBN :
978-1-4673-0938-7
Type :
conf
DOI :
10.1109/EDCC.2012.31
Filename :
6214775
Link To Document :