ÿþ<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"> <head> <meta http-equiv=Content-Type content="text/html; charset=unicode"> <meta name=ProgId content=Word.Document> <meta name=Generator content="Microsoft Word 12"> <meta name=Originator content="Microsoft Word 12"> <link rel=File-List href="panalyst_files/filelist.xml"> <link rel=Edit-Time-Data href="panalyst_files/editdata.mso"> <!--[if !mso]> <style> v\:* {behavior:url(#default#VML);} o\:* {behavior:url(#default#VML);} w\:* {behavior:url(#default#VML);} .shape {behavior:url(#default#VML);} </style> <![endif]--><!--[if gte mso 9]><xml> <o:DocumentProperties> <o:Author>ruiwangwarm</o:Author> <o:LastAuthor>ruiwangwarm</o:LastAuthor> <o:Revision>4</o:Revision> <o:TotalTime>4</o:TotalTime> <o:Created>2008-05-13T14:58:00Z</o:Created> <o:LastSaved>2008-05-13T15:03:00Z</o:LastSaved> <o:Pages>8</o:Pages> <o:Words>11494</o:Words> <o:Characters>65520</o:Characters> <o:Lines>546</o:Lines> <o:Paragraphs>153</o:Paragraphs> <o:CharactersWithSpaces>76861</o:CharactersWithSpaces> <o:Version>12.00</o:Version> </o:DocumentProperties> </xml><![endif]--> <link rel=themeData href="panalyst_files/themedata.thmx"> <link rel=colorSchemeMapping href="panalyst_files/colorschememapping.xml"> <!--[if gte mso 9]><xml> <w:WordDocument> <w:TrackMoves>false</w:TrackMoves> <w:TrackFormatting/> <w:ValidateAgainstSchemas/> <w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid> <w:IgnoreMixedContent>false</w:IgnoreMixedContent> <w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText> <w:DoNotPromoteQF/> <w:LidThemeOther>EN-US</w:LidThemeOther> <w:LidThemeAsian>ZH-CN</w:LidThemeAsian> <w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript> <w:Compatibility> <w:BreakWrappedTables/> <w:SnapToGridInCell/> <w:WrapTextWithPunct/> <w:UseAsianBreakRules/> 
<w:DontGrowAutofit/> <w:SplitPgBreakAndParaMark/> <w:DontVertAlignCellWithSp/> <w:DontBreakConstrainedForcedTables/> <w:DontVertAlignInTxbx/> <w:Word11KerningPairs/> <w:CachedColBalance/> </w:Compatibility> <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel> <m:mathPr> <m:mathFont m:val="Cambria Math"/> <m:brkBin m:val="before"/> <m:brkBinSub m:val="&#45;-"/> <m:smallFrac m:val="off"/> <m:dispDef/> <m:lMargin m:val="0"/> <m:rMargin m:val="0"/> <m:defJc m:val="centerGroup"/> <m:wrapIndent m:val="1440"/> <m:intLim m:val="subSup"/> <m:naryLim m:val="undOvr"/> </m:mathPr></w:WordDocument> </xml><![endif]--><!--[if gte mso 9]><xml> <w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true" DefSemiHidden="true" DefQFormat="false" DefPriority="99" LatentStyleCount="267"> <w:LsdException Locked="false" Priority="0" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Normal"/> <w:LsdException Locked="false" Priority="9" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="heading 1"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 2"/> <w:LsdException Locked="false" Priority="9" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="heading 3"/> <w:LsdException Locked="false" Priority="9" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="heading 4"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 5"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 6"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 7"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 8"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 9"/> <w:LsdException Locked="false" Priority="39" Name="toc 1"/> <w:LsdException Locked="false" Priority="39" Name="toc 2"/> <w:LsdException Locked="false" Priority="39" Name="toc 3"/> <w:LsdException Locked="false" Priority="39" Name="toc 4"/> <w:LsdException 
Locked="false" Priority="39" Name="toc 5"/> <w:LsdException Locked="false" Priority="39" Name="toc 6"/> <w:LsdException Locked="false" Priority="39" Name="toc 7"/> <w:LsdException Locked="false" Priority="39" Name="toc 8"/> <w:LsdException Locked="false" Priority="39" Name="toc 9"/> <w:LsdException Locked="false" Priority="35" QFormat="true" Name="caption"/> <w:LsdException Locked="false" Priority="10" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Title"/> <w:LsdException Locked="false" Priority="1" Name="Default Paragraph Font"/> <w:LsdException Locked="false" Priority="11" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Subtitle"/> <w:LsdException Locked="false" Priority="22" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Strong"/> <w:LsdException Locked="false" Priority="20" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Emphasis"/> <w:LsdException Locked="false" Priority="59" SemiHidden="false" UnhideWhenUsed="false" Name="Table Grid"/> <w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text"/> <w:LsdException Locked="false" Priority="1" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2"/> 
<w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading Accent 1"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List Accent 1"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 1"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/> <w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/> <w:LsdException Locked="false" Priority="34" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/> <w:LsdException Locked="false" Priority="29" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Quote"/> <w:LsdException Locked="false" Priority="30" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" 
UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List Accent 1"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List Accent 1"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading Accent 2"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List Accent 2"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 2"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/> <w:LsdException Locked="false" 
Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List Accent 2"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List Accent 2"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading Accent 3"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List Accent 3"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 3"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List Accent 3"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/> 
<w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List Accent 3"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading Accent 4"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List Accent 4"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 4"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List Accent 4"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List Accent 4"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" 
Name="Light Shading Accent 5"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List Accent 5"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 5"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List Accent 5"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List Accent 5"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading Accent 6"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List Accent 6"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 6"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" 
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List Accent 6"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List Accent 6"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/> <w:LsdException Locked="false" Priority="19" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/> <w:LsdException Locked="false" Priority="21" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/> <w:LsdException Locked="false" Priority="31" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/> <w:LsdException Locked="false" Priority="32" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/> <w:LsdException Locked="false" Priority="33" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Book Title"/> <w:LsdException Locked="false" Priority="37" Name="Bibliography"/> <w:LsdException Locked="false" Priority="39" 
QFormat="true" Name="TOC Heading"/> </w:LatentStyles> </xml><![endif]--> <style> <!-- DIV[class="Part"] { text-align:left; margin-bottom:0px; margin-top:0px; margin-right:0px; text-indent:0px; direction:ltr } DIV[class="Sect"] { text-align:left; margin-bottom:0px; margin-top:0px; margin-right:0px; text-indent:0px; direction:ltr } table {display:table; float:none;} /* Font Definitions */ @font-face {font-family:"Cambria Math"; panose-1:2 4 5 3 5 4 6 3 2 4; mso-font-charset:0; mso-generic-font-family:roman; mso-font-pitch:variable; mso-font-signature:-1610611985 1107304683 0 0 159 0;} @font-face {font-family:"Arial Unicode MS"; panose-1:2 11 6 4 2 2 2 2 2 4; mso-font-charset:134; mso-generic-font-family:swiss; mso-font-pitch:variable; mso-font-signature:-134238209 -371195905 63 0 4129279 0;} @font-face {font-family:Tahoma; panose-1:2 11 6 4 3 5 4 4 2 4; mso-font-charset:0; mso-generic-font-family:swiss; mso-font-pitch:variable; mso-font-signature:-520082689 -1073717157 41 0 66047 0;} @font-face {font-family:"\@Arial Unicode MS"; panose-1:2 11 6 4 2 2 2 2 2 4; mso-font-charset:134; mso-generic-font-family:swiss; mso-font-pitch:variable; mso-font-signature:-134238209 -371195905 63 0 4129279 0;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {mso-style-unhide:no; mso-style-qformat:yes; mso-style-parent:""; margin:0in; margin-bottom:.0001pt; text-align:left; line-height:normal; mso-pagination:widow-orphan; font-size:12.0pt; font-family:"Times New Roman","serif"; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; color:black;} h3 {mso-style-priority:9; mso-style-unhide:no; mso-style-qformat:yes; mso-style-link:"Heading 3 Char"; margin-top:0in; margin-right:0in; margin-bottom:27.75pt; margin-left:0in; text-align:center; line-height:normal; mso-pagination:widow-orphan; mso-outline-level:3; font-size:13.5pt; font-family:"Times New Roman","serif"; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; 
color:black; font-weight:bold;} h4 {mso-style-priority:9; mso-style-unhide:no; mso-style-qformat:yes; mso-style-link:"Heading 4 Char"; margin-top:0in; margin-right:0in; margin-bottom:6.75pt; margin-left:0in; text-align:justify; line-height:normal; mso-pagination:widow-orphan; mso-outline-level:4; font-size:12.0pt; font-family:"Times New Roman","serif"; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; color:black; font-weight:bold;} a:link, span.MsoHyperlink {mso-style-noshow:yes; mso-style-priority:99; color:blue; text-decoration:underline; text-underline:single;} a:visited, span.MsoHyperlinkFollowed {mso-style-noshow:yes; mso-style-priority:99; color:purple; text-decoration:underline; text-underline:single;} p {mso-style-noshow:yes; mso-style-priority:99; margin-top:0in; margin-right:0in; margin-bottom:43.5pt; margin-left:0in; text-align:center; line-height:14.25pt; mso-pagination:widow-orphan; font-size:12.0pt; font-family:"Times New Roman","serif"; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; color:black;} p.MsoAcetate, li.MsoAcetate, div.MsoAcetate {mso-style-noshow:yes; mso-style-priority:99; mso-style-link:"Balloon Text Char"; margin:0in; margin-bottom:.0001pt; text-align:left; line-height:normal; mso-pagination:widow-orphan; font-size:8.0pt; font-family:"Tahoma","sans-serif"; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; color:black;} span.Heading3Char {mso-style-name:"Heading 3 Char"; mso-style-noshow:yes; mso-style-priority:9; mso-style-unhide:no; mso-style-locked:yes; mso-style-link:"Heading 3"; mso-ansi-font-size:12.0pt; mso-bidi-font-size:12.0pt; font-family:"Cambria","serif"; mso-ascii-font-family:Cambria; mso-ascii-theme-font:major-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:major-fareast; mso-hansi-font-family:Cambria; mso-hansi-theme-font:major-latin; mso-bidi-font-family:"Times New Roman"; 
mso-bidi-theme-font:major-bidi; color:#4F81BD; mso-themecolor:accent1; font-weight:bold;} span.Heading4Char {mso-style-name:"Heading 4 Char"; mso-style-noshow:yes; mso-style-priority:9; mso-style-unhide:no; mso-style-locked:yes; mso-style-link:"Heading 4"; mso-ansi-font-size:12.0pt; mso-bidi-font-size:12.0pt; font-family:"Cambria","serif"; mso-ascii-font-family:Cambria; mso-ascii-theme-font:major-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:major-fareast; mso-hansi-font-family:Cambria; mso-hansi-theme-font:major-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:major-bidi; color:#4F81BD; mso-themecolor:accent1; font-weight:bold; font-style:italic;} span.BalloonTextChar {mso-style-name:"Balloon Text Char"; mso-style-noshow:yes; mso-style-priority:99; mso-style-unhide:no; mso-style-locked:yes; mso-style-link:"Balloon Text"; mso-ansi-font-size:8.0pt; mso-bidi-font-size:8.0pt; font-family:"Tahoma","sans-serif"; mso-ascii-font-family:Tahoma; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Tahoma; mso-bidi-font-family:Tahoma; color:black;} .MsoChpDefault {mso-style-type:export-only; mso-default-props:yes; font-size:10.0pt; mso-ansi-font-size:10.0pt; mso-bidi-font-size:10.0pt;} @page Section1 {size:8.5in 11.0in; margin:1.0in 1.25in 1.0in 1.25in; mso-header-margin:.5in; mso-footer-margin:.5in; mso-paper-source:0;} div.Section1 {page:Section1;} /* List Definitions */ @list l0 {mso-list-id:1891917067; mso-list-template-ids:1378757658;} @list l0:level1 {mso-level-number-format:bullet; mso-level-text:·ð; mso-level-tab-stop:.5in; mso-level-number-position:left; text-indent:-.25in; mso-ansi-font-size:10.0pt; font-family:Symbol;} @list l0:level2 {mso-level-tab-stop:1.0in; mso-level-number-position:left; text-indent:-.25in;} @list l0:level3 {mso-level-tab-stop:1.5in; mso-level-number-position:left; text-indent:-.25in;} @list l0:level4 {mso-level-tab-stop:2.0in; 
mso-level-number-position:left; text-indent:-.25in;} @list l0:level5 {mso-level-tab-stop:2.5in; mso-level-number-position:left; text-indent:-.25in;} @list l0:level6 {mso-level-tab-stop:3.0in; mso-level-number-position:left; text-indent:-.25in;} @list l0:level7 {mso-level-tab-stop:3.5in; mso-level-number-position:left; text-indent:-.25in;} @list l0:level8 {mso-level-tab-stop:4.0in; mso-level-number-position:left; text-indent:-.25in;} @list l0:level9 {mso-level-tab-stop:4.5in; mso-level-number-position:left; text-indent:-.25in;} ol {margin-bottom:0in;} ul {margin-bottom:0in;} --> </style> <!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman","serif";} </style> <![endif]--> <meta name=dc.date content="2008-05-13T00:03:59-05:00"> <!--[if gte mso 9]><xml> <o:shapedefaults v:ext="edit" spidmax="3074"/> </xml><![endif]--><!--[if gte mso 9]><xml> <o:shapelayout v:ext="edit"> <o:idmap v:ext="edit" data="1"/> </o:shapelayout></xml><![endif]--> </head> <body bgcolor=white lang=EN-US link=blue vlink=purple style='tab-interval:.5in' alink=fushia> <div class=Section1> <div> <h3><span style='font-size:14.5pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman";font-weight:normal'>Panalyst: Privacy-Aware Remote Error Analysis on Commodity Software </span><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></h3> <p><i><span style='font-family:"Arial","sans-serif"'>Rui Wang</span></i><i><sub><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'> </span></sub></i><i><span style='font-family:"Arial","sans-serif"'>, XiaoFeng Wang</span></i><sub><span 
style='font-size:14.5pt;font-family:"Arial","sans-serif"'> </span></sub><i><span style='font-family:"Arial","sans-serif"'>and Zhuowei Li</span></i><i><sub><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>‡ <br> </span></sub></i><i><span style='font-family:"Arial","sans-serif"'>Indiana University at Bloomington, </span></i><i><sub><span style='font-size:8.0pt; font-family:"Arial","sans-serif"'>‡ </span></sub></i><i><span style='font-family: "Arial","sans-serif"'>Center for Software Excellence, Microsoft<br> <sub>{</sub>wang63,xw7<sub>}</sub>@indiana.edu, zhuowei.li@microsoft.com</span></i></p> <div> <p style='margin-bottom:6.75pt'><span style='font-family:"Arial","sans-serif"'>Abstract </span></p> <p style='margin-bottom:19.5pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Remote error analysis aims at timely detection and remedy of software vulnerabilities through analyzing runtime errors that occur on the client. This objective can only be achieved by offering users effective protection of their private information and minimizing the performance impact of the analysis on their systems without undermining the amount of information the server can access for understanding errors. To this end, we propose in the paper a new technique for privacy-aware remote analysis, called <i>Panalyst</i>. Panalyst includes a client component and a server component. Once a runtime exception happens to an application, Panalyst client sends the server an initial error report that includes only public information regarding the error, such as the length of the packet that triggers the exception. Using an input built from the report, Panalyst server performs a taint analysis and symbolic execution on the application, and adjusts the input by querying the client about the information upon which the execution of the application depends. 
The client agrees to answer only when the reply does not give away too much user information. In this way, an input that reproduces the error can be gradually built on the server under the client's consent. Our experimental study of this technique demonstrates that it exposes a very small amount of user information, introduces negligible overheads to the client and enables the server to effectively analyze an error. </span></p> <p style='margin-bottom:11.25pt;text-align:justify'><span style='font-family: "Arial","sans-serif"'>1 Introduction </span></p> <p style='margin-bottom:3.75pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Remote analysis of program runtime errors enables timely discovery and patching of software bugs, and has therefore become an important means to improve software security and reliability. As an example, Microsoft is reported to fix 29 percent of all Windows XP bugs within Service Pack 1 through its Windows Error Reporting (WER) utility [20]. Remote error analysis is typically achieved by running an error reporting tool on a client system, which gathers data related to an application's runtime exception (such as a crash) and transmits them to a server for diagnosis of the underlying software flaws. This paradigm has been widely adopted by software manufacturers. For example, Microsoft relies on WER to collect data should a crash happen to an application. Similar tools developed by the third party are also extensively used. An example is BugToaster [27], a free crash analysis tool that queries a central database using the attributes extracted from a crash to seek a potential fix. These tools, once complemented by automatic analysis mechanisms [44, 34] on the server side, will also contribute to quick detection and remedy of critical security flaws that can be exploited to launch a large-scale cyber attack such as Worm epidemic [47, 30]. 
</span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; text-indent:9.75pt;line-height:12.0pt'><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>The primary concern of remote error analysis is its privacy impact. An error report may include private user information such as a user's name and the data she submitted to a website [9]. To reduce information leaks, error reporting systems usually only collect a small amount of information related to an error, for example, a snippet of the memory around a corrupted pointer. This treatment, however, does not sufficiently address the privacy concern, as the snippet may still carry confidential data. Moreover, it can also make an error report less informative for the purpose of rapid detection of the causal bugs, some of which could be security critical. To mitigate this problem, prior research proposes to instrument an application to log its runtime operations and submit the sanitized log once an exception happens [25, 36]. Such approaches affect the performance of an application even when it works normally, and require nontrivial changes to the application's code: for example, Scrash [25] needs to do source-code transformation, which makes it unsuitable for debugging commodity software. In addition, these approaches still cannot ensure that sufficient information is gathered for a quick identification of critical security flaws. Alternatively, one can analyze a vulnerable program directly on the client [29]. This involves intensive debugging operations such as replaying the input that causes a crash and analyzing an executable at the instruction level [29], which could be too intrusive to the user's normal operations to be acceptable for a practical deployment. Another problem is that such an analysis consumes a large amount of computing resources. For example, instruction-level tracing of program execution usually produces an execution trace of hundreds of megabytes [23]. 
This can hardly be afforded by the client with limited resources, such as Pocket PC or PDA. </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; text-indent:9.75pt;line-height:12.0pt'><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>We believe that a good remote analyzer should help the user effectively control the information to be used in an error diagnosis, and avoid expensive operations on the client side and modification of an application's source or binary code. On the other hand, it is also expected to offer sufficient information for automatic detection and remedy of critical security flaws. To this end, we propose Panalyst, a new technique for privacy-aware remote analysis of the crashes triggered by network inputs. Panalyst aims at automatically generating a new input on the server side to accurately reproduce a crash that happens on the client, using the information disclosed according to the user's privacy policies. This is achieved through collaboration between its client component and server component. When an application crashes, Panalyst client identifies the packet that triggers the exception and generates an initial error report containing nothing but the public attributes of the packet, such as its length. Taking the report as a "taint" source, Panalyst server performs an instruction-level taint analysis of the vulnerable application. During this process, the server may ask the client questions related to the content of the packet, for example, whether a tainted branching condition is true. The client answers the questions only if the amount of information leaked by its answer is permitted by the privacy policies. The client's answers are used by the server to build a new packet that causes the same exception to the application, and determine the property of the underlying bug, particularly whether it is security critical. 
</span></p> <p style='margin-bottom:3.75pt;text-align:justify;text-indent:9.75pt; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Panalyst client measures the information leaks associated with individual questions using <i>entropy</i>. Our privacy policies use this measure to define the maximal amount of information that can be revealed for individual fields of an application-level protocol. This treatment enables the user to effectively control her information during error reporting. Panalyst client does not perform any intensive debugging operations and therefore incurs only negligible overheads. It works on commodity applications without modifying their code. These properties make a practical deployment of our technique plausible. In the meantime, our approach can effectively analyze a vulnerable application and capture the bugs that are exploitable by malicious inputs. Panalyst can be used by software manufacturers to demonstrate their “due diligence” in preserving their customers’ privacy, and by a third party to facilitate collaborative diagnosis of vulnerable software. 
</span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:19.5pt;margin-left: 9.75pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>We sketch the contributions of this paper as follows: </span></p> <p class=MsoNormal style='margin-top:0in;margin-right:0in;margin-bottom:11.25pt; margin-left:56.25pt;text-align:justify;text-indent:-9.0pt;line-height:12.0pt; mso-list:l0 level1 lfo2;tab-stops:list .5in'><![if !supportLists]><span style='font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Symbol; mso-fareast-font-family:Symbol;mso-bidi-font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp; </span></span></span><![endif]><i><span style='font-size:10.0pt;font-family: "Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>Novel framework for remote error analysis. </span></i><span style='font-size:10.0pt;font-family: "Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>We propose a new framework for remote error analysis. The framework minimizes the impact of an analysis to the client’s performance and resources, lets the user maintain a full control of her information, and in the meantime provides her the convenience to contribute to the analysis the maximal amount of information she is willing to reveal. On the server side, our approach interleaves the construction of an accurate input for triggering an error, which is achieved through interactions with the client, and the analysis of the bug that causes the error. This feature allows our analyzer to make full use of the information provided by the client: even if such information is insufficient for reproducing the error, it helps discover part of input attributes, which can be fed into other debugging mechanisms such as fuzz testing [35] to identify the bug. 
</span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> <p class=MsoNormal style='margin-top:0in;margin-right:0in;margin-bottom:11.25pt; margin-left:56.25pt;text-align:justify;text-indent:-9.0pt;line-height:12.0pt; mso-list:l0 level1 lfo2;tab-stops:list .5in'><![if !supportLists]><span style='font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Symbol; mso-fareast-font-family:Symbol;mso-bidi-font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp; </span></span></span><![endif]><i><span style='font-size:10.0pt;font-family: "Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>Automatic control of information leaks. </span></i><span style='font-size:10.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>We present our design of new privacy policies to define the maximal amount of information that can be leaked for individual fields of an application-level protocol. We also developed a new technique to enforce such policies, which automatically evaluates the information leaks caused by responding to a question and then makes a decision on whether to submit the answer in accordance with the policies. </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> <p class=MsoNormal style='margin-top:0in;margin-right:0in;margin-bottom:19.5pt; margin-left:56.25pt;text-align:justify;text-indent:-9.0pt;line-height:12.0pt; mso-list:l0 level1 lfo2;tab-stops:list .5in'><![if !supportLists]><span style='font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Symbol; mso-fareast-font-family:Symbol;mso-bidi-font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp; </span></span></span><![endif]><i><span style='font-size:10.0pt;font-family: "Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>Implementation and evaluations. 
</span></i><span style='font-size:10.0pt;font-family:"Arial","sans-serif"; mso-fareast-font-family:"Times New Roman"'>We implemented a prototype system of Panalyst and evaluated it using real applications. Our experimental study shows that Panalyst can accurately restore the causal input of an error without leaking out too much user information. Moreover, our technique has been demonstrated to introduce nothing but negligible overheads to the client. </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; text-indent:9.75pt;line-height:12.0pt'><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>The rest of the paper is organized as follows. Section 2 formally models the problem of remote error analysis. Section 3 elaborates the design of Panalyst. Section 4 describes the implementation of our prototype system. Section 5 reports an empirical study of our technique using the prototype. Section 6 discusses the limitations of our current design. Section 7 presents the related prior research, and Section 8 concludes the paper and envisions the future research. </span></p> <p style='margin-bottom:11.25pt;text-align:justify'><span style='font-family: "Arial","sans-serif"'>2 Problem Description </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>We formally model the problem of remote error analysis as follows. 
Let $P : S \times I \rightarrow S$ be a program that maps an initial process state $s \in S$ and an input $i \in I$ to an end state. A state here describes the data in memory, disk and register that are related to the process of $P$. A subset of $S$, $E_b$, contains all possible states the process can end at after an input exploits a bug $b$. 
</span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; text-indent:9.75pt;line-height:12.0pt'><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>Once $P$ terminates at an error state, the client runs an error reporting program $G : I \rightarrow R$ to generate a report $r \in R$ for analyzing $P$ on the server. The report must be created under the constraints of the computing resources the client is able or willing to commit. Specifically, $C_t : \{G\} \times I \times R \rightarrow \mathbb{R}$ measures the delay experienced by the user during report generation, $C_s : \{G\} \times I \times R \rightarrow \mathbb{R}$ measures the storage overhead, and $C_w : \{G\} \times I \times R \rightarrow \mathbb{R}$ measures the bandwidth used for transmitting the report. To produce and submit a report $r \in R$, the computation time, storage consumption and bandwidth usage must be bounded by certain thresholds: formally, $(C_t(G, i, r) \le Th_t) \wedge (C_s(G, i, r) \le Th_s) \wedge (C_w(G, i, r) \le Th_w)$, where $Th_t$, $Th_s$ and $Th_w$ represent the thresholds for time, storage space and bandwidth respectively. In addition, $r$ is allowed to be submitted only when the amount of information it carries is acceptable to the user. This is enforced using a function $L : R \times I \rightarrow \mathbb{R}$ that quantifies the information leaked out by $r$, and a threshold $Th_l$. Formally, we require $L(r, i) \le Th_l$. 
</span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; text-indent:9.75pt;line-height:12.0pt'><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>The server runs an analyzer $D : R \rightarrow I$ to diagnose the vulnerable program $P$. $D$ constructs a new input using $r$ to exploit the same bug that causes the error on the client. Formally, given $P(i) \in E_b$ and $r = G(i)$, the analyzer identifies another input $i'$ from $r$ such that $P(i') \in E_b$. This is also subject to resource constraints. Specifically, let $C'_t : \{D\} \times R \times I \rightarrow \mathbb{R}$ be a function that measures the computation time for running $D$ and $C'_s : \{D\} \times R \times I \rightarrow \mathbb{R}$ that measures the storage overhead. We have: $(C'_t(D, r, i') \le Th'_t) \wedge (C'_s(D, r, i') \le Th'_s)$, where $Th'_t$ and $Th'_s$ are the server’s thresholds for time and space respectively. 
</span></p> <p style='margin-bottom:6.75pt;text-align:justify;text-indent:9.75pt; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>A solution to the above problem is expected to achieve three objectives: </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:0in;margin-left:20.25pt; margin-bottom:.0001pt;text-align:justify;text-indent:-9.0pt;mso-line-height-alt: 12.0pt'><sub><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>• </span></sub><i><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Low client overheads. </span></i><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>A practical solution should work effectively under very small $Th_t$, $Th_s$ and $Th_w$. Remote error analysis aims at timely detecting critical security flaws, which can only be achieved when most clients are willing to collaborate in most of the time. However, this will not happen unless the client-side operations are extremely lightweight, as clients may have limited resources and their workloads may vary with time. Actually, customers could be very sensitive to the overheads brought in by error reporting systems. For example, advice has been given to turn off WER on Windows Vista and Windows Mobile to improve their performance [12, 17, 13]. Therefore, it is imaginable that many may stop participating in error analysis in response to even a slight increase of overheads. As a result, the chance to catch dangerous bugs can be significantly reduced. 
</span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:0in;margin-left:20.25pt; margin-bottom:.0001pt;text-align:justify;text-indent:-9.0pt;mso-line-height-alt: 12.0pt'><sub><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>• </span></sub><i><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Control of information leaks. </span></i><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The user needs to have a full control of her information during an error analysis. Otherwise, she may choose not to participate. Indispensable to this objective is a well-constructed function $L$ that offers the user a reasonable measure of the information within an error report. In addition, privacy policies built upon $L$ and a well-designed policy enforcer will automate the information control, thereby offering the user a reliable and convenient way to protect her privacy. </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:6.75pt;margin-left: 20.25pt;text-align:justify;text-indent:-9.0pt;mso-line-height-alt:12.0pt'><sub><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>• </span></sub><i><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Usability of error report. 
</span></i><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Error reports submitted by the user should contain ample information to allow a new input <i>i</i>′ to be generated within a short period of time (small <i>Th</i>′<i><sub>t</sub></i>) and at a reasonable storage overhead (small <i>Th</i>′<i><sub>s</sub></i>). The reports produced by the existing systems include little information, for example, a snapshot of the memory around a corrupted pointer. As a result, an analyzer may need to exhaustively explore a vulnerable program's branches to identify the bug that causes the error. This process can be very time-consuming. To improve this situation, it is important to have a report that gives a detailed description of how an exploit happens. </span></p> <p style='margin-bottom:15.0pt;text-align:justify;text-indent:9.75pt; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>In Section 3, we present an approach that achieves these objectives. 
</span></p> <p style='margin-bottom:11.25pt;text-align:justify'><span style='font-family: "Arial","sans-serif"'>3 Our Approach </span></p> <p style='margin-bottom:15.0pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>In this section, we first present an overview of Panalyst and then elaborate on the designs of its individual components. </span></p> </div> <div> <div> <h4><span style='font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"; font-weight:normal'>3.1 Overview </span><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></h4> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Panalyst has two components, client and server. Panalyst client logs the packets an application receives, notifies the server of its runtime error, and helps the server analyze the error by responding to its questions as long as the answers are permitted by the user's privacy policies. Panalyst server runs an instruction-level taint analysis on the application's executable using an empty input, and evaluates the execution symbolically [37] in the meantime. Whenever the server encounters a tainted value that affects the choice of execution paths or memory access, </span></p> </div> <p class=MsoNormal align=center style='text-align:center'><span style='mso-fareast-font-family:"Times New Roman";mso-no-proof:yes'><img width=464 height=279 id="_x0000_i1032" src="images/panalyst_img_0.jpg"></span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> <p style='margin-bottom:19.5pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Figure 1: The Design of Panalyst. 
</span></p> <div> <p style='margin-bottom:19.5pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>it queries the client using the symbolic expression of that value. From the client's answer, the server uses a constraint solver to compute the values of the input bytes that taint the expression. We illustrate the design of our approach in Figure 1. </span></p> <p class=MsoNormal align=center style='text-align:center'><span style='mso-fareast-font-family:"Times New Roman";mso-no-proof:yes'><img width=273 height=107 id="_x0000_i1031" src="images/panalyst_img_1.jpg"></span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> <p style='margin-bottom:27.75pt;line-height:12.0pt'><span style='font-size: 10.0pt;font-family:"Arial","sans-serif"'>Figure 2: An Illustrative Example. </span></p> <p align=right style='margin-bottom:0in;margin-bottom:.0001pt;text-align:right; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>An example. Here we explain how Panalyst works through an example, a program described in Figure 2. The example is a simplified version of Null-HTTPd [8]. It is written in C for illustration purposes: Panalyst actually is designed to work on binary executables. The program first checks whether a packet is an HTTP POST request. If so, it allocates a buffer with the size computed by adding 1024 to an integer derived from the Content-Length field and moves the content of the request to that buffer. A problem here is that a buffer overflow can happen if Content-Length is set to be negative, which makes the buffer smaller than expected. When this happens, the program may crash as a result of writing to an illegal address or being terminated by an error detection mechanism such as GLIBC error detection. 
Panalyst client logs the packets recently received by </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>the program. In response to a crash, the client identifies the packet being processed and notifies Panalyst server of the error. The server then starts analyzing the vulnerable program at instruction level using an empty HTTP request as a taint source. The request is also described by a set of symbols, which the server uses to compute a symbolic expression for the value of every tainted memory location or register. When the execution of the program reaches Line 1 in Figure 2, the values of the first four bytes on the request need to be revealed so as to determine the branch the execution should follow. For this purpose, the server sends the client a question: “<i>B</i></span><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>1</span><i><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>B</span></i><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>2</span><i><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>B</span></i><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>3</span><i><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>B</span></i><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>4 </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>= ‘POST’?”, where <i>B</i></span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>j </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>represents the <i>jt</i></span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>h </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>byte on the request. The client checks its privacy policies, which define the maximal number of bits of information allowed to be leaked for an individual HTTP field. 
In this case, the client is permitted to reveal the keyword POST that is deemed nonsensitive. The server then fills the empty request with these letters and moves on to the branch determined by the client's answer. The instruction on Line 2 calls malloc. The function accesses memory using a pointer built upon the content of Content-Length, which is tainted. To enable this memory access, the server sends the symbolic expression of the pointer to the client to query its concrete value. The client's reply allows the server to add more bytes to the request it is working on. Finally, the execution hits Line 3, a loop to move request content to the buffer allocated through malloc. The loop is identified by the server from its repeated instruction pattern. Then, a question is delivered to the client to query its exit condition: “where is the first byte <i>B</i></span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>j </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>= ‘\n’?”. This question concerns request content, a field on which the privacy policies forbid the client to leak out more than a certain amount of information. Suppose that threshold is 5 bytes. To answer the question, only one byte needs to be given away: the position of the byte “\n”. Therefore, the client answers the question, which enables the server to construct a new packet to reproduce the crash. </span></p> <p style='margin-bottom:6.75pt;text-align:justify;text-indent:9.75pt; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The performance of an analysis can be improved by sending the server an initial report with all the fields that are deemed nonsensitive according to the user's privacy policies. In the example, these fields include keywords such as “POST” and the Content-Length field. This treatment reduces the communication overheads during an analysis. 
</span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Threat model. We assume that the user trusts the information provided by the server but does not trust her data with the server. The rationale behind this assumption is based upon the following observations. The owners of the server are often software manufacturers, who have little incentive to steal their customers' information. What the user does not trust is the way in which those parties manage her data, as improper management of the data can result in leaks of her private information. Actually, the same issue is also of concern to those owners, as they could be reluctant to take the liability for protecting user information. Therefore, the client can view the server as a benign though unreliable partner, and take advantage of the information it discovers from the vulnerable program to identify sensitive data, which we elaborate on in Section 3.2. </span></p> <p style='margin-bottom:19.5pt;text-align:justify;text-indent:9.75pt; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Note that this assumption <i>is not </i>fundamental to Panalyst: more often than not, the client is capable of identifying sensitive data on its own. As an example, the aforementioned analysis on the program in Figure 2 does not rely on any trust in the server. Actually, the assumption only serves an approach for defining fine-grained privacy policies in our research (Section 3.2), and elimination of the assumption, though it may lead to coarser-grained policies under some circumstances, will not invalidate the whole approach. 
</span></p> </div> </div> <div> <div> <h4><span style='font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"; font-weight:normal'>3.2 Panalyst Client </span><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></h4> <p style='margin-bottom:6.75pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Panalyst client is designed to work on computing devices with various resource constraints. Therefore, it needs to be extremely lightweight. The client also includes a set of policies for protecting the user's privacy and a mechanism to enforce them. We elaborate on such a design as follows. </span></p> <p style='margin-bottom:6.75pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Packet logging and error reporting. Panalyst client intercepts the packets received by an application, extracts their application-level payloads and saves them to a log file. This can be achieved either through capturing packets at network layer using a sniffer such as Wireshark [1], or by interposing on the calls for receiving data from network. We chose the latter for prototyping the client: in our implementation, an application's socket calls are intercepted using ptrace [10] to dump the application-level data to a log. The size of the file is bounded, and therefore only the most recent packets are kept. </span></p> <p style='margin-bottom:6.75pt;text-align:justify;text-indent:9.75pt; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>When a serious runtime error happens, the process of a vulnerable program may crash, which triggers our error analysis mechanism. Runtime errors can also be detected by mechanisms such as GLIBC error detection, Windows built-in diagnostics [11] or other runtime error detection techniques [28, 21]. 
Once an error happens to an application, Panalyst client identifies the packets it is working on. This is achieved in our design by looking at all the packets within one TCP connection. Specifically, the client marks the beginning of a connection once observing an accept call from the application and the end of the connection when it detects close. After an exception happens, the client concatenates the application-level payloads of all the packets within the current connection to form a <i>message</i>, which it uses to talk to the server. For simplicity, our current design focuses on the error triggered by network input and assumes that all information related to the exploit is present in a single connection. Panalyst can be extended to handle the errors caused by other inputs such as data from a local file through logging and analyzing these inputs. It could also work on multiple connections with the support of the state-of-the-art replay techniques [43, 32] that are capable of replaying the whole application-layer session to the vulnerable application on the server side. When a runtime error occurs, Panalyst client notifies the server of the type of the error, for example, segmentation fault and illegal instruction. Moreover, the client can ship to the server part of the message responsible for the error, given that such information is deemed nonsensitive according to the user's privacy policies. </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; text-indent:9.75pt;line-height:12.0pt'><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>After reporting a runtime error to the server, Panalyst client starts listening to a port to wait for the questions from the server. Panalyst server may ask two types of questions, either related to a tainted branching condition or a tainted pointer a vulnerable program uses to access memory. 
In the first case, the client is supposed to answer “yes” or “no” to the question described by a symbolic inequality: <i>C</i>(<i>B</i></span><i><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>k</span></i><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>[1]</span><i><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>,...,B</span></i><i><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>k</span></i><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>[<i>m</i>]</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>) ≤ </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>0, where <i>B</i></span><i><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>k</span></i><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>[<i>j</i>]</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> (1 ≤ <i>j</i> ≤ <i>m</i>) is the symbol for the <i>k</i>[<i>j</i>]th byte on the causal message. In the second case, the client is queried about the concrete value of a symbolic pointer <i>S</i>(<i>B</i></span><i><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>k</span></i><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>[1]</span><i><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>,...,B</span></i><i><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>k</span></i><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>[<i>m</i>]</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>). 
These questions can be easily addressed by the client using the values of these bytes on the message. However, the answers can be delivered to the server only after they are checked against the user's privacy policies, which we describe below. </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Privacy policies. Privacy policies here are designed to specify the maximal amount of information that can be given away during an error analysis. Therefore, they must be built upon a proper measure of information. Here, we adopt <i>entropy </i>[48], a classic concept of information theory, as the measure. Entropy quantifies uncertainty as a number of bits. Specifically, suppose that an application field </span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>A </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>is equally likely to take one of </span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>m </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>different values. The entropy of </span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>A </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>is computed as log</span><sub><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>2 </span></sub><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>m </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>bits. 
If the client reveals that </span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>A </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>makes a path condition true, which reduces the possible values the field can have to a proportion </span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>ρ </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>of <i>m</i>, the exposed information is quantified as: log<sub>2</sub> <i>m</i> − log<sub>2</sub> <i>ρm</i> = −log<sub>2</sub> <i>ρ</i> bits. </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; text-indent:9.75pt;line-height:12.0pt'><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>The privacy policies used in Panalyst define the maximal number of bytes of the information within a protocol field that can be leaked out. The number here is called the <i>leakage threshold</i>. Formally, denote the leakage threshold for a field </span><span style='font-size:14.5pt; font-family:"Arial","sans-serif"'>A </span><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>by </span><span style='font-size:14.5pt; font-family:"Arial","sans-serif"'>τ</span><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>. 
Suppose the server can infer from the client's answers that </span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>A </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>can take a proportion </span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>ρ </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>of all possible values of that field. The privacy policy requires that the following hold: −log<sub>2</sub> <i>ρ</i> ≤ <i>τ</i>. For example, a policy can specify that no more than 2 bytes of the URL information within an HTTP request can be revealed to the server. This policy design can achieve a fine-grained control of information. As an example, let us consider HTTP requests: protocol keywords such as GET and POST are usually deemed nonsensitive, and therefore can be directly revealed to the server; on the other hand, the URL field and the cookie field can be sensitive, and need to be protected by low leakage thresholds. Panalyst client includes a protocol parser to partition a protocol message into fields. The parser does not need to be precise: if it cannot tell two fields apart, it just treats them as a single field. </span></p> <p style='margin-bottom:6.75pt;text-align:justify;text-indent:9.75pt; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>A problem here is that applications may use closed protocols such as ICQ and SMB whose specifications are not publicly available. 
For these protocols, the whole protocol message has to be treated as a single field, which unfortunately greatly reduces the granularity of control privacy policies can have. A solution to this problem is to partition information using the parameters of API (such as Linux kernel API, GLIBC or Windows API) functions that work on network input. For example, suppose that the GLIBC function fopen builds its parameters upon an input message; we can infer that the part of the message related to file access modes (such as “read” and “write”) can be less sensitive than that concerning the file name. This approach needs a model of API functions and trust in the information provided by the server. Another solution is to partition an input stream using a set of tokens and common delimiters such as “\n”. Such tokens can be specified by the user. For example, using the token “secret” and the delimiter “.”, we can divide the URL “www.secretservice.gov” into the following fields: “www”, “.”, “secretservice” and “gov”. Upon these fields, different leakage thresholds can be defined. These two approaches can work together and also be applied to specify finer-grained policies within a protocol field when the protocol is public. </span></p> <p style='margin-bottom:11.25pt;text-align:justify;text-indent:9.75pt; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>To facilitate specification of the privacy policies, Panalyst can provide the user with policy templates set by the expert. Such an expert can be any party who has the knowledge about fields and the amount of information that can be disclosed without endangering the content of a field. For example, people knowledgeable about the HTTP specifications are in the position to label the fields like “www” as nonsensitive and domain names such as “secretservice.gov” as sensitive. 
Typically, protocol keywords, delimiters and some API parameters can be treated as public information, while the fields such as those including the tokens and other API parameters are deemed sensitive. A default leakage threshold for a sensitive field can be just a few bytes: for example, we can allow one or two bytes to be disclosed from a domain-name field, because they are too general to be used to pinpoint the domain name; as another example, up to four bytes can be exposed from a field that may involve credit-card numbers, because people usually tolerate such information leaks in real life. Note that we may not be able to assign a zero threshold to a sensitive field because this can easily cause an analysis to fail: to proceed with an analysis, the server often needs to know whether the field contains some special byte such as a delimiter, which gives away a small amount of information regarding its content. These policy templates can be adjusted by a user to define her customized policies. </span></p> <p style='margin-bottom:15.0pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Policy enforcement. To enforce privacy policies, we need to quantify the information leaked by the client's answers. This is straightforward in some cases but less so in others. For example, we know that answering “yes” to the question “<i>B</i></span><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>1</span><i><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>B</span></i><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>2</span><i><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>B</span></i><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>3</span><i><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>B</span></i><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>4 </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>= ‘POST’?” 
in Figure 2 gives away four bytes; however, information leaks can be more difficult to gauge when it comes to questions like “<i>B</i></span><span style='font-size: 14.5pt;font-family:"Arial","sans-serif"'>j × </span><i><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>B</span></i><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>k &lt; </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>256?”, where <i>B</i></span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>j </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>and <i>B</i></span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>k </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>indicate the <i>j</i>th and the <i>k</i>th bytes on a message respectively. Without loss of generality, let us consider a set of bytes (<i>B</i></span><i><span style='font-size:7.0pt; font-family:"Arial","sans-serif"'>k</span></i><span style='font-size:7.0pt; font-family:"Arial","sans-serif"'>[1]</span><i><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>,...,B</span></i><i><span style='font-size: 7.0pt;font-family:"Arial","sans-serif"'>k</span></i><span style='font-size: 7.0pt;font-family:"Arial","sans-serif"'>[<i>m</i>]</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>) of a protocol message, whose concrete values on the message make a condition <i>C</i>(<i>B</i></span><i><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>k</span></i><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>[1]</span><i><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>,...,B</span></i><i><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>k</span></i><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>[<i>m</i>]</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>) ≤ </span><span 
style='font-size:10.0pt;font-family:"Arial","sans-serif"'>0 true. To quantify the information an answer to the question gives away, we need to know <i>ρ</i>, the proportion of all possible values these bytes can take that make the condition true. Finding <i>ρ</i> is nontrivial because the set of the values these bytes can have can be very large, which makes it impractical to check them one by one against the inequality. Our solution to the problem is based upon the classic statistical technique for estimating a proportion in a population. Specifically, we randomly pick a set of values for these bytes to verify a branching condition and repeat the trial <i>n</i> times. From these <i>n</i> trials, we can estimate the proportion <i>ρ</i> as <i>x</i>/<i>n</i> where <i>x</i> is the number of trials in which the condition is true. The accuracy of this estimate is described by the probability that a range of values contains the true value of <i>ρ</i>. The range here is called the <i>confidence interval </i>and the probability is called the <i>confidence level</i>. Given a confidence interval and a confidence level, standard statistical techniques can be used to determine the sample size <i>n</i> [2]. For example, suppose the estimate of <i>ρ</i> is 0.3 with a confidence interval ±0.5 and a confidence level 0.95, which intuitively means 0.25 &lt; <i>ρ</i> &lt; 0.35 with a probability 0.95; in this case, the number of trials we need to play is 323. 
This approach offers an approximation of information leaks: in the prior example, we know that with 0.95 confidence, information being leaked will be no more than −log<sub>2</sub> 0.25 = 4 bits. Using such an estimate and a predetermined leakage threshold, a policy enforcer can decide whether to let the client answer a question. </span></p> </div> </div> <div> <div> <h4><span style='font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"; font-weight:normal'>3.3 Panalyst Server </span><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></h4> <p style='margin-bottom:6.75pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Panalyst server starts working on a vulnerable application upon receiving an initial error report from the client. The report includes the type of the error, and other nonsensitive information such as the corrupted pointer, the lengths of individual packets' application-level payloads and the content of public fields. Based upon it, the server conducts an instruction-level analysis of the application's executable, which we elaborate on as follows. </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Taint analysis and symbolic execution. Panalyst server performs a dynamic taint analysis on the vulnerable program, using a network input built upon the initial report as a taint source. The input involves a set of packets, whose application-layer payloads form a message characterized by the same length as the client's message and the information disclosed by the report. The server monitors the execution of the program instruction by instruction to track tainted data according to a set of taint-propagation rules. 
These rules are similar to those used in other taint-analysis techniques such as RIFLE [51], TaintCheck [44] and LIFT [45], examples of which are presented in Table 1. Along with the dynamic analysis, the server also performs a symbolic execution [37] that statically evaluates the execution of the program through interpreting its instructions, using symbols instead of real values as input. Each symbol used by Panalyst represents one byte on the input message. Analyzing the program in this way, we can not only keep close track of tainted data flows, but also formulate a symbolic expression for every tainted value in memory and registers. </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: 9.75pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>Whenever the execution encounters a conditional branching with its condition tainted by input symbols, the server sends the condition as a question to the client to seek an answer. With the answer from the client, the server can find <i>hypothetic values </i>for these symbols using a constraint solver. For example, a “no” to the question <i>B</i></span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>i = </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>“\n” may result in a letter “a” being assigned to the <i>i</i>th byte on the input. To keep the runtime data consistent with the hypothetic value of symbol <i>B</i></span><i><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>i</span></i><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>, the server updates all the tainted values related to <i>B</i></span><span style='font-size:14.5pt; font-family:"Arial","sans-serif"'>i </span><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>by evaluating their symbolic expressions with the hypothetic value. 
It is important to note that \(B_i\) may appear in multiple branching conditions (\(C_1 \le 0, \ldots, C_k \le 0\)). Without loss of generality, suppose all of them are true. To find a value for \(B_i\), the constraint solver must solve the constraint \((C_1 \le 0) \wedge \cdots \wedge (C_k \le 0)\). 
The server also needs to "refresh" the tainted values concerning \(B_i\) each time a new hypothetic value of the symbol comes up. </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; text-indent:9.75pt;line-height:12.0pt'><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>The server also queries the client when the program attempts to access memory through a pointer tainted by input symbols (\(B_{k[1]}, \ldots, B_{k[m]}\)). 
In this case, the server needs to give the symbolic expression of the pointer \(S(B_{k[1]}, \ldots, B_{k[m]})\) to the client to get its value \(v\), and solve the constraint \(S(B_{k[1]}, \ldots, B_{k[m]}) = v\) to find these symbols' hypothetic values. Query of a tainted pointer is necessary for ensuring the program's correct execution, particularly when a write happens through such a pointer. It is also an important step for reliably reproducing a runtime error, as the server may need to know the value of a pointer, or at least its range, to determine whether an illegal memory access is about to occur. However, this treatment may disclose too much user information, in particular when the pointer involves only one symbol: a "yes" to such a question often exposes the real value of that symbol. 
Such a problem usually happens in a string-related GLIBC function, where letters on a string are used as offsets to look up a table. Our solution is to accommodate symbolic pointers in our analysis if such a pointer carries only one symbol and is used to read from a memory location. This approach can be explicated through an example. Consider the instruction "MOV EAX, [ESI+CL]", where CL is tainted by an input byte \(B_j\). Instead of directly asking the client for the value of ESI+CL, which reveals the real value of \(B_j\), the server gathers the bytes from the memory locations pointed to by (ESI+0, ESI+1, ..., ESI+255) to form a list. The list is used to prepare a question should EAX get involved in a branching condition such as "CMP EAX, 1". In this case, the server generates a query including [ESI+CL], which is the symbolic expression of EAX, the value of ESI, the list and the condition. In response to the query, the client uses the real value of \(B_j\) and the list to verify the condition and answer either "yes" or "no", which enables the server to identify the right branch. </span></p> </div> <p style='margin-bottom:6.75pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Table 1: </span><span style='font-size:9.0pt;font-family:"Arial","sans-serif"'>Examples of the Taint Rules. 
</span></p> <div align=center> <table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=0 style='width:0in;border-collapse:collapse;mso-yfti-tbllook:1184;mso-padding-alt: 2.25pt 2.25pt 2.25pt 2.25pt'> <tr style='mso-yfti-irow:0;mso-yfti-firstrow:yes;height:10.5pt'> <td width=113 valign=top style='width:84.75pt;border:solid black 1.0pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:10.5pt'> <p class=MsoNormal style='margin-bottom:20.25pt;line-height:10.5pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Instruction Category </span><b><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></b></p> </td> <td width=285 valign=top style='width:213.75pt;border:solid black 1.0pt; border-left:none;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:10.5pt'> <p class=MsoNormal style='margin-bottom:20.25pt;line-height:10.5pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Taint Propagation </span><b><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></b></p> </td> <td width=178 valign=top style='width:133.5pt;border:solid black 1.0pt; border-left:none;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:10.5pt'> <p class=MsoNormal style='margin-bottom:20.25pt;line-height:10.5pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Examples </span><b><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></b></p> </td> </tr> <tr style='mso-yfti-irow:1;height:28.5pt'> <td width=113 valign=top style='width:84.75pt;border:solid black 1.0pt; border-top:none;mso-border-top-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:28.5pt'> <p 
class=MsoNormal style='margin-bottom:20.25pt'><span style='font-size:8.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>data movement </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=285 valign=top style='width:213.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:28.5pt'> <p class=MsoNormal style='margin-bottom:20.25pt'><span style='font-size:8.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>(1) taint is propagated to the destination if the source is tainted, (2) the destination operand is not tainted if the source operand is not tainted. </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=178 valign=top style='width:133.5pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:28.5pt'> <p class=MsoNormal style='margin-bottom:20.25pt'><span style='font-size:8.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>mov eax,ebx; push eax; call 0x4080022; lea ebx, ptr [ecx+10] </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> </tr> <tr style='mso-yfti-irow:2;height:19.5pt'> <td width=113 valign=top style='width:84.75pt;border:solid black 1.0pt; border-top:none;mso-border-top-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:19.5pt'> <p class=MsoNormal style='margin-bottom:20.25pt'><span style='font-size:8.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New 
Roman"'>arithmetic </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=285 valign=top style='width:213.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:19.5pt'> <p class=MsoNormal style='margin-bottom:20.25pt'><span style='font-size:8.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>(1) taint is propagated to the destination if the source is tainted, (2) the EFLAGS is also regarded as a destination operand. </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=178 style='width:133.5pt;border-top:none;border-left:none; border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;mso-border-top-alt: solid black .75pt;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:19.5pt'> <p class=MsoNormal style='margin-bottom:20.25pt'><span style='font-size:8.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>and eax, ebx; inc ecx; shr eax,0x8 </span><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></p> </td> </tr> <tr style='mso-yfti-irow:3;height:19.5pt'> <td width=113 valign=top style='width:84.75pt;border:solid black 1.0pt; border-top:none;mso-border-top-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:19.5pt'> <p class=MsoNormal style='margin-bottom:20.25pt'><span style='font-size:8.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>address calculation </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=285 valign=top style='width:213.75pt;border-top:none;border-left: none;border-bottom:solid 
black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:19.5pt'> <p class=MsoNormal style='margin-bottom:20.25pt'><span style='font-size:8.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>an address is tainted if any element in the address calculation is tainted </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=178 valign=top style='width:133.5pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:19.5pt'> <p class=MsoNormal style='margin-bottom:20.25pt'><span style='font-size:8.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>mov ebx, dword ptr [ecx+2*ebx+0x08] </span><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></p> </td> </tr> <tr style='mso-yfti-irow:4;height:19.5pt'> <td width=113 valign=top style='width:84.75pt;border:solid black 1.0pt; border-top:none;mso-border-top-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:19.5pt'> <p class=MsoNormal style='margin-bottom:20.25pt'><span style='font-size:8.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>conditional jump </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=285 valign=top style='width:213.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:19.5pt'> <p class=MsoNormal 
style='margin-bottom:20.25pt'><span style='font-size:8.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>regard EFLAGS as a source operand </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=178 style='width:133.5pt;border-top:none;border-left:none; border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;mso-border-top-alt: solid black .75pt;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:19.5pt'> <p class=MsoNormal style='margin-bottom:20.25pt'><span style='font-size:8.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>jz 0x0746323; jnle 0x878342; jg 0x405687 </span><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></p> </td> </tr> <tr style='mso-yfti-irow:5;mso-yfti-lastrow:yes;height:9.75pt'> <td width=113 style='width:84.75pt;border:solid black 1.0pt;border-top:none; mso-border-top-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:9.75pt'> <p class=MsoNormal style='margin-bottom:20.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>compare </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=285 valign=top style='width:213.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:9.75pt'> <p class=MsoNormal style='margin-bottom:20.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>regard EFLAGS as a destination operand </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> 
</td> <td width=178 style='width:133.5pt;border-top:none;border-left:none; border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;mso-border-top-alt: solid black .75pt;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:9.75pt'> <p class=MsoNormal style='margin-bottom:20.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>cmp eax,ebx; test eax,eax </span><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></p> </td> </tr> </table> </div> <div> <p style='margin-bottom:11.25pt;text-align:justify;text-indent:9.75pt; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The analysis stops when the execution reaches a state where a runtime error is about to happen. Examples of such a state include a jump to an address outside the process image or an illegal instruction, and memory access through an illegal pointer. When this happens, Panalyst server announces that an input reproducing the error has been identified, and can be used for further analysis of the underlying bug and generation of signatures [52, 50, 39] or patches [49]. Our analysis also contributes to a preliminary classification of bugs: if the illegal address that causes the error is found to be tainted, that is, derived from the network input, we have a reason to believe that the underlying bug can be exploited remotely and therefore is security critical. </span></p> <p style='margin-bottom:3.75pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Reducing communication overhead. A major concern for Panalyst seems to be communication overhead: the server may need to query the client whenever a tainted branching condition or a tainted pointer is encountered. 
However, in our research, we found that the bandwidth consumed in an analysis usually is quite small, less than a hundred KB during the whole analysis. This is because the number of tainted conditions and pointers can be relatively small in many programs, and both the server's questions and the client's answers are usually short. Need for communication can be further reduced if an initial error report supplies the server with a sufficient amount of public information regarding the error. However, the performance of the server and the client will still be affected when the program intensively operates on tainted data, which in many cases is related to loops. </span></p> <p style='margin-bottom:3.75pt;text-align:justify;text-indent:9.75pt; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>A typical loop that appears in many network-facing applications is similar to the one in the example (Line 6 of Figure 2). The loop compares individual bytes in a protocol field with a delimiter such as '\n' or ' ' to identify the end of the field. If we simply view the loop as a sequence of conditional branching, then the server has to query the client for every byte within that field, which can be time consuming. To mitigate this problem, we designed a technique in our research to first identify such a loop and then let the client proactively scan its message to find the location of the first string that terminates the loop. We describe the technique below. </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; text-indent:9.75pt;line-height:12.0pt'><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>The server monitors a tainted conditional branching that the execution has repeatedly bumped into. When the number of such encounters exceeds a threshold, we believe that a loop has been identified. 
The step value of that loop can be approximated by the difference between the indices of the symbols that appear in two consecutive evaluations of the condition. For example, consider the loop in Figure 2. If the first time the execution compares \(B_j\) with '\n' and the second time it tries \(B_{j+1}\), we estimate the step as one. The server then sends a question to the client, including the loop condition \(C(B_{k[1]}, \ldots, B_{k[m]})\) and step estimates \(\lambda_{k[1]}, \ldots, \lambda_{k[m]}\). 
The client starts from the \(k[i]\)th byte (\(1 \le i \le m\)) to scan its message every \(\lambda_{k[j]}\) bytes, until it finds a set of bytes (\(B_{k'[1]}, \ldots, B_{k'[m]}\)) that makes the condition false. The positions of these bytes are shipped to the server. As a result, the analysis can evaluate the loop condition using such information, without talking to the client iteration by iteration. 
</span></p> <p style='margin-bottom:6.75pt;text-align:justify;text-indent:9.75pt; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The above technique only works on a simple loop characterized by a constant step value. Since such a loop frequently appears in network-facing applications, our approach contributes to a significant reduction of communication when analyzing these applications. Development of a more general approach for dealing with the loops with varying step size is left as our future research. Another problem of our technique is that the condition it identifies may not be a real loop condition. However, this does not bring us much trouble in general, as the penalty of such a false positive can be small, including nothing but the requirement for the client to scan its message and disclosure of a few bytes that seem to meet the exit condition. If the client refuses to do so, the analysis can still continue through directly querying the client about branching conditions. </span></p> <p style='margin-bottom:19.5pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Improving constraint-solving performance. Solving a constraint can be time consuming, particularly when the constraint is nonlinear, involving operations such as bitwise AND, OR and XOR. To maintain a valid runtime state for the program under analysis, Panalyst server needs to run a constraint solver to update hypothetic symbol values whenever a new branching condition or memory access is encountered. This will impact the server's performance. In our research, we adopted a very simple strategy to mitigate this impact: we check whether current hypothetic values satisfy a new constraint before solving the constraint. This turns out to be very effective: in many cases, we found that symbol values good for an old constraint also work for a new constraint, which allows us to skip the constraint-solving step. 
</span></p> <p style='margin-bottom:11.25pt;text-align:justify'><span style='font-family: "Arial","sans-serif"'>4 Implementation </span></p> <p style='margin-bottom:6.75pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>We implemented a prototype of Panalyst under Linux, including its server component and client component. The details of our implementation are described in this section. </span></p> <p style='margin-bottom:6.75pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Message logging. We adopted ptrace to dump the packet payloads an application receives. Specifically, ptrace intercepts the system call socketcall() and parses its parameters to identify the location of an input buffer. The content of the buffer is dumped to a log file. We also label the beginning of a connection when an accept() is observed and the end of the connection when there is a close(). The data between these two calls are used to build a message once a runtime exception happens to the application. </span></p> <p style='margin-bottom:6.75pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Estimate of information leaks. To evaluate the information leaks caused by answering a question, our implementation first generates a constraint that is a conjunction of all the constraints the client receives that are directly or transitively related to the question, and then samples values of the constraint using the random values of the symbols it contains. We set the number of samples to 400, which achieves a confidence interval of \(\pm 0.05\) and a confidence level of 0.95. 
A problem here is that the granularity of the control here could be coarse, as 400 samples can only represent loss of one byte of information. When this happens, our current implementation takes a conservative treatment to assume that all the bytes in a constraint are revealed. A finer-grained approach can be restoring the values of the symbols byte by byte to repeatedly check information leaks, until all the bytes are disclosed. An evaluation of such an approach is left as our future work. </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Error analyzer. We implemented an error analyzer as a Pin tool that works under Pin's Just-In-Time (JIT) mode [40]. The analyzer performs both taint analysis and symbolic execution on a vulnerable application, and builds a new input to reproduce the runtime error that occurred on the client. The analyzer starts from a message that contains nothing but zeros and has the same length as the client's input, and designates a symbol to every byte on that message. During the analysis, the analyzer first checks whether a taint will be propagated by an instruction and only symbolically evaluates those whose operands involve tainted bytes. Since many instructions related to taint propagation use the information of EFLAGS, the analyzer also takes this register as a source operand for these instructions. Once an instruction's source operand is tainted, symbolic expressions are computed for the destination operand(s). For example, consider the instruction add eax, ebx, where ebx is tainted. 
Our analyzer first computes a symbolic expression \(B_{ebx} + v_{eax}\), where \(B_{ebx}\) is an expression for ebx and \(v_{eax}\) is the value of eax, and then generates another expression for EFLAGS because the result of the operation affects the flags OF, SF, ZF, AF, CF and PF. </span></p> <p style='margin-bottom:6.75pt;text-align:justify;text-indent:9.75pt; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Whenever a conditional jump is encountered, the server queries the client about EFLAGS. To avoid asking the client to give away too much information, such a query only concerns the specific flag that affects that branching, instead of the whole status of EFLAGS. For example, consider the following branching: cmp eax,ebx and then jz 0x33fd740. In this case, the server's question is only limited to the status of ZF, which the branching condition depends on, though the comparison instruction also changes other flags such as SF and CF. </span></p> <p style='margin-bottom:6.75pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Constraint solver. 
Our implementation uses Yices [33] to solve constraints so as to find the hypothetic values for individual symbols. These values are important to keeping the application in a state that is consistent with its input. Yices is a powerful constraint solver which can handle many nonlinear constraints. However, there are situations when a constraint is so complicated that its solution cannot be obtained within a reasonable time. When this happens, we adopted a strategy that gradually inquires the client about the values of individual symbols to simplify the constraint, until it becomes solvable by the constraint solver. </span></p> <p style='margin-bottom:19.5pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Data compression. We implemented two measures to reduce the communication between the client and the server. The first one is for processing the questions that include the same constraints except input symbols. Our implementation indexes each question the server sends to the client. Whenever the server is about to ask a question that differs from a previous one only in symbols, it only transmits the index of the old question and these symbols. This strategy is found to be extremely effective when the sizes of the questions become large: in our experiment, a question with 8KB was compressed to 52 bytes. The strategy also complements our technique for processing loops: for a complicated loop with varying steps which the technique cannot handle, the server needs to query the client iteratively; however, the sizes of these queries can be very small as they are all about the same constraint with different symbols. The second measure is to use a lightweight real-time compression algorithm to reduce packet sizes. The algorithm we adopted is minilzo [6], which reduced the bandwidth consumption in our experiments to less than 100 KB for an analysis, at a negligible computational overhead. 
</span></p> <p style='margin-bottom:11.25pt;text-align:justify'><span style='font-family: "Arial","sans-serif"'>5 Evaluation </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>In this section, we describe our experimental study of Panalyst. The objective of this study is to understand the effectiveness of our technique in remote error analysis and protection of the user's privacy, and the overheads it introduces. To this end, we evaluated our prototype using 6 real applications and report the outcomes of these experiments here. </span></p> <p style='margin-bottom:15.0pt;text-align:justify;text-indent:9.75pt; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Our experiments were carried out on two Linux workstations, one as the server and the other as the client. Both of them were installed with Redhat Enterprise 4. The server has a 2.40GHz Core 2 Duo processor and 3GB memory. The client has a Pentium 4 1.3GHz processor and 256MB memory. </span></p> </div> <div> <div> <h4><span style='font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"; font-weight:normal'>5.1 Effectiveness </span><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></h4> <p style='margin-bottom:6.75pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>We ran Panalyst to analyze the errors that occurred in 6 real applications, including Newspost [7], Open-VMPS [19], Null-HTTPd (Nullhttpd) [8], Sumus [15], Light HTTPd [5] and ATP-HTTPd [3]. The experimental results are presented in Table 2. These applications contain bugs that are subject to stack-based overflow, format string error and heap-based overflow. The errors were triggered by a single or multiple input packets on the client and analyzed on the server. 
As a result, new packets were gradually built from an initial error report and interactions with the client to reproduce an error. This was achieved without leaking too much user information. We elaborate our experiments below. </span></p> <p style='margin-bottom:6.75pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Newspost. Newspost is a Usenet binary autoposter for Unix and Linux. Its version 2.1.1 and earlier has a bug subject to stack-based overflow: specifically, a buffer in the socket getline() function can be overrun by a long string without a newline character. In our experiment, the application was crashed by a packet of 2KB. After this happened, the client sent the server an initial error report that described the length of the packet and the type of the error. The report was converted into an input to an analysis performed on the application, which included an all-zero string of 2KB. During the analysis, the server identified a loop that iteratively searched for '0xa', the newline symbol, as a termination condition for moving bytes into a buffer, and questioned the client about the position at which the byte first appeared. The byte actually did not exist in the client's packet. As a result, the input string overflowed the buffer and was spilled on an illegal address to cause a segmentation fault. Therefore, the server's input was shown to be able to reproduce the error. This analysis was also found to disclose very little user information: nothing more than the fact that none of the input bytes were '0xa' was revealed. This was quantified as 0.9 byte. </span></p> <p style='margin-bottom:6.75pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>OpenVMPS. OpenVMPS is an open-source implementation of Cisco Virtual Membership Policy Server, which dynamically assigns ports to virtual networks according to Ethernet addresses. 
The application has a format string bug which allows the input to supply a string with format specifiers as a parameter for vfprintf(). This could make vfprintf() write to a memory location. In the experiment, Panalyst server queried the client to get '00 000c 02' as illustrated in Figure 4. These four bytes were part of a branching condition, and seem to be a keyword of the protocol. We also found that the string '00 b9' was used as a loop counter. These two bytes were identified by the constraint solver. The string '62637' turned out to be the content that the format specifier '%19$hn' wrote to a memory location through vfprintf(). They were recovered from the client because they were used as part of a pointer to access memory. Our implementation successfully built a new input on the server that reproduced the error, as illustrated in Figure 4. This analysis recovered 39 bytes from the client, all of which were either related to branching conditions or memory access. An additional 18.4 bytes of information were estimated by the client to be leaked, as a result of the client's answers which reduced the ranges of the values some symbols could take. </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Null-HTTPd. Null-HTTPd is a small web server working on Linux and Windows. Its version 0.5 contains a heap-overflow bug, which can be triggered when the HTTP request is a POST with a negative Content Length field and a long request content. In our experiment, the client parsed the request using Wireshark and delivered nonsensitive information such as the keyword POST to the server. The server found that the application added 1024 to the value derived from the Content Length and used the sum as pointer in the function calloc. This resulted in a query for the value of that field, which the client released. 
At this point, the server acquired all the information necessary for reproducing the error and generated a new input illustrated in Figure 5. The information leaks caused by the analysis include the keyword, the value of Content Length, HTTP delimiters and the knowledge that some bytes are not special symbols such as delimiters. This was quan</span></p> </div> <p style='margin-bottom:6.75pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Table 2: </span><span style='font-size:9.0pt;font-family:"Arial","sans-serif"'>Effectiveness of Panalyst. </span></p> <div align=center> <table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=0 style='width:0in;border-collapse:collapse;mso-yfti-tbllook:1184;mso-padding-alt: 2.25pt 2.25pt 2.25pt 2.25pt'> <tr style='mso-yfti-irow:0;mso-yfti-firstrow:yes;height:16.5pt'> <td width=94 valign=top style='width:70.5pt;border:solid black 1.0pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:16.5pt'> <p class=MsoNormal style='margin-bottom:12.75pt'><span style='font-size:7.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>Applications </span><b><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></b></p> </td> <td width=84 valign=top style='width:63.0pt;border:solid black 1.0pt; border-left:none;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:16.5pt'> <p class=MsoNormal style='margin-bottom:12.75pt'><span style='font-size:7.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>Vul. 
Type </span><b><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></b></p> </td> <td width=132 valign=top style='width:99.0pt;border:solid black 1.0pt; border-left:none;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:16.5pt'> <p class=MsoNormal style='margin-bottom:12.75pt'><span style='font-size:7.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>New Input Generated? </span><b><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></b></p> </td> <td width=113 valign=top style='width:84.75pt;border:solid black 1.0pt; border-left:none;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:16.5pt'> <p class=MsoNormal style='margin-bottom:12.75pt'><span style='font-size:7.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>Size of client s message (bytes) </span><b><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></b></p> </td> <td width=93 valign=top style='width:69.75pt;border:solid black 1.0pt; border-left:none;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:16.5pt'> <p class=MsoNormal style='margin-bottom:12.75pt'><span style='font-size:7.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>Info leaks (bytes) </span><b><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></b></p> </td> <td width=93 valign=top style='width:69.75pt;border:solid black 1.0pt; border-left:none;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:16.5pt'> <p class=MsoNormal style='margin-bottom:12.75pt'><span style='font-size:7.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>Rate of info leaks </span><b><span 
style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></b></p> </td> </tr> <tr style='mso-yfti-irow:1;height:8.25pt'> <td width=94 valign=top style='width:70.5pt;border:solid black 1.0pt; border-top:none;mso-border-top-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Newspost </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=84 valign=top style='width:63.0pt;border-top:none;border-left:none; border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;mso-border-top-alt: solid black .75pt;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Stack Overûow </span><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></p> </td> <td width=132 valign=top style='width:99.0pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Yes </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=113 valign=top style='width:84.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; 
mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>2056 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=93 valign=top style='width:69.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>0.9 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=93 valign=top style='width:69.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>0.04% </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> </tr> <tr style='mso-yfti-irow:2;height:8.25pt'> <td width=94 valign=top style='width:70.5pt;border:solid black 1.0pt; border-top:none;mso-border-top-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>OpenVMPS </span><span 
style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=84 valign=top style='width:63.0pt;border-top:none;border-left:none; border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;mso-border-top-alt: solid black .75pt;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Format String </span><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></p> </td> <td width=132 valign=top style='width:99.0pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Yes </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=113 valign=top style='width:84.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>199 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=93 valign=top style='width:69.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black 
.75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>57.4 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=93 valign=top style='width:69.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>28.8% </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> </tr> <tr style='mso-yfti-irow:3;height:8.25pt'> <td width=94 valign=top style='width:70.5pt;border:solid black 1.0pt; border-top:none;mso-border-top-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Null-HTTPd </span><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></p> </td> <td width=84 valign=top style='width:63.0pt;border-top:none;border-left:none; border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;mso-border-top-alt: solid black .75pt;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Heap 
Overûow </span><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></p> </td> <td width=132 valign=top style='width:99.0pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Yes </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=113 valign=top style='width:84.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>416 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=93 valign=top style='width:69.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>29.7 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=93 valign=top style='width:69.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid 
black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>7.14% </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> </tr> <tr style='mso-yfti-irow:4;height:8.25pt'> <td width=94 valign=top style='width:70.5pt;border:solid black 1.0pt; border-top:none;mso-border-top-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Sumus </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=84 valign=top style='width:63.0pt;border-top:none;border-left:none; border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;mso-border-top-alt: solid black .75pt;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Stack Overûow </span><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></p> </td> <td width=132 valign=top style='width:99.0pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New 
Roman"'>Yes </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=113 valign=top style='width:84.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>500 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=93 valign=top style='width:69.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>7.7 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=93 valign=top style='width:69.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>1.54% </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> </tr> <tr style='mso-yfti-irow:5;height:8.25pt'> <td width=94 valign=top style='width:70.5pt;border:solid black 1.0pt; border-top:none;mso-border-top-alt:solid black 
.75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Light HTTPd </span><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></p> </td> <td width=84 valign=top style='width:63.0pt;border-top:none;border-left:none; border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;mso-border-top-alt: solid black .75pt;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Stack Overûow </span><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></p> </td> <td width=132 valign=top style='width:99.0pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Yes </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=113 valign=top style='width:84.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times 
New Roman"'>211 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=93 valign=top style='width:69.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>17.9 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=93 valign=top style='width:69.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>8.48% </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> </tr> <tr style='mso-yfti-irow:6;mso-yfti-lastrow:yes;height:8.25pt'> <td width=94 valign=top style='width:70.5pt;border:solid black 1.0pt; border-top:none;mso-border-top-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>ATP-HTTPd </span><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></p> </td> <td width=84 valign=top style='width:63.0pt;border-top:none;border-left:none; border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;mso-border-top-alt: solid black 
.75pt;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Stack Overûow </span><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></p> </td> <td width=132 valign=top style='width:99.0pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Yes </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=113 valign=top style='width:84.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>819 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=93 valign=top style='width:69.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span 
style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>16.7 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=93 valign=top style='width:69.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:12.75pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>2.04% </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> </tr> </table> </div> <p class=MsoNormal align=center style='text-align:center'><span style='mso-fareast-font-family:"Times New Roman";mso-no-proof:yes'><img width=624 height=52 id="_x0000_i1030" src="images/panalyst_img_2.jpg"></span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> <p style='margin-bottom:30.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Figure 3: Input Generation for Newspost. Left: the client's packet; Right: the new packet generated on the server. </span></p> <div> <p style='margin-bottom:6.75pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>tified as 29.7 bytes, about 7% of the HTTP message the client received. </span></p> <p style='margin-bottom:6.75pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Sumus. Sumus is a server for playing Spanish 'mus' game on the Internet. It is known that Sumus 0.2.2 and the earlier versions have a vulnerable buffer that can be overflowed remotely [14]. 
In our experiment, Panalyst server gradually constructed a new input through interactions with the client until the application was found to jump to a tainted address. At this point, the input was shown to be able to reproduce the client's error. The information leaked during the analysis is presented in Figure 6, including a string 'GET' which affected a path condition, and 4 '0x90', which were the address the application attempted to access. These 7 bytes were counted as leaked information, along with the fact that other bytes were not a delimiter. </span></p> <p style='margin-bottom:6.75pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Light-HTTPd. Light-HTTPd is a free HTTP server. Its version 0.1 has a vulnerable buffer on the stack. Our experiment captured an exception that happened when the application returned from the function vsprintf() and constructed the new input. The input shared 14 bytes with the client's input which were essential to determining branching conditions and accessing memory. For example, the keyword 'GET' appeared on a conditional jump and the letter 'H' was used as a condition in the GLIBC function strstr. The remaining 3.9 bytes were caused by the intensive string operations, such as strtok, which frequently used individual bytes for table lookup and comparison operations. Though these operations did not give away the real values of these bytes, they reduced the range of the bytes, which were quantified into another 3.9 bytes. </span></p> <p style='margin-bottom:15.0pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>ATP-HTTPd. ATP-HTTPd 0.4 and 0.4b involve a remotely exploitable buffer in the socket gets() function. A new input that triggered this bug was built in our experiment, which is presented in Figure 8. 
For example, the string "EDCB" was an address the application attempted to jump to; this operation actually caused a segmentation fault. Information leaks during this analysis were similar to those of Light-HTTPd, and were quantified as 16.7 bytes. </span></p> </div> </div> <div> <div> <h4><span style='font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"; font-weight:normal'>5.2 Performance </span><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></h4> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>We also evaluated the performance of Panalyst. The client was deliberately run on a computer with 1 GHz CPU and 256MB memory to understand the performance impact of our technique on a low-end system. The server was on a high-end system, with a 2.40GHz Core 2 Duo CPU and 3GB memory. In our experiments, we measured the delay caused by an analysis, memory use and bandwidth consumption on both the client and the server. The results are presented in Table 3. </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; text-indent:9.75pt;line-height:12.0pt'><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>The client's delay describes the accumulated time that the client spent to receive packets from the server, compute answers, evaluate information leaks and deliver the responses. In our experiments, we observed that this whole process incurred a latency below 3.2 seconds. Moreover, the memory use on the client side was kept below 5 MB. Given the hardware platform over which this performance was achieved, we have a reason to believe that such overhead could be afforded by even a device with limited computing resources, such as Pocket PC and PDA. Our analysis introduced a maximum of 99,659 bytes of communication overhead. 
We believe this is still reasonable for the client, because the size of a typical web page exceeds 100 KB and many mobile devices nowadays have the capability of web browsing. </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; text-indent:9.75pt;line-height:12.0pt'><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>The delay on the server side was measured between the reception of an initial error report and the generation of a new input. An additional 15 seconds for launching our Pin-based analyzer should also be counted. Given this, the server's performance was very good: the maximal latency was found to be under 1 minute. However, </span></p> </div> <p class=MsoNormal align=center style='text-align:center'><span style='mso-fareast-font-family:"Times New Roman";mso-no-proof:yes'><img width=624 height=120 id="_x0000_i1029" src="images/panalyst_img_3.jpg"></span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> <p style='margin-bottom:27.75pt'><span style='font-size:10.0pt;font-family: "Arial","sans-serif"'>Figure 4: Input Generation for OpenVMPS. Left: the client's packet; Right: the new packet generated on the server. </span></p> <p class=MsoNormal align=center style='text-align:center'><span style='mso-fareast-font-family:"Times New Roman";mso-no-proof:yes'><img width=624 height=145 id="_x0000_i1028" src="images/panalyst_img_4.jpg"></span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> <p style='margin-bottom:30.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Figure 5: Input Generation for Null-HTTPd. Left: the client's packet; Right: the new packet generated on the server. </span></p> <div> <p style='margin-bottom:21.75pt;text-align:justify;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>this was achieved on a very high-end system. 
Actually, we observed that the latency was doubled when moving the server to a computer with 2.36 GHz CPU and 1 GB memory. More importantly, the server consumed about 100 MB memory during the analysis. This can be easily afforded by a high-end system such as the one used in our experiment, but could be a significant burden to a low-end system such as a mobile device. As an example, most PDAs have less than 100 MB memory. Therefore, we believe that Panalyst server should be kept on a dedicated high-performance system. </span></p> <p style='margin-bottom:11.25pt;text-align:justify'><span style='font-family: "Arial","sans-serif"'>6 Discussion </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Our research makes the first step towards a fully automated and privacy-aware remote error analysis. However, the current design of Panalyst is still preliminary, leaving much to be desired. For example, the approach does not work well in the presence of probabilistic errors, and our privacy policies can also be better designed. We elaborate on limitations and possible solutions in the rest of this section, and discuss the future research for improving our technique in Section 7. </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; text-indent:9.75pt;line-height:12.0pt'><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>The current design of Panalyst is for analyzing the error triggered by network input alone. However, runtime errors can be caused by other inputs such as those from a local file or another process. Some of these errors can also be handled by Panalyst. 
For example, we can record all the data read by a vulnerable program and organize them into multiple messages, each of which corresponds to a particular input to the program; an error analysis can happen on these messages in a similar fashion as described in Section 3. A weakness of our technique is that it can be less effective in dealing with a probabilistic error such as the one caused by multithread interactions. However, it can still help the server build sanitized inputs that drive the vulnerable program down the same execution paths as those followed on the client. </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; text-indent:9.75pt;line-height:12.0pt'><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>Panalyst may require the client to leak out some information that turns out to be unnecessary for reproducing an error, in particular, the values of some tainted pointer unrelated to the error. A general solution is describing memory addresses as symbolic expressions and taking them into consideration during symbolic execution. This approach, however, can be very expensive, especially when an execution involves a large amount of indirect addressing through the tainted pointers. To maintain a moderate overhead during an analysis, our current design only offers limited support for symbolic pointers: we introduce such a pointer only when it includes a single symbol and is used for reading from memory. </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; text-indent:9.75pt;line-height:12.0pt'><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>The way we treat loops is still preliminary: it only works on loops with constant step sizes and may falsely classify a branching condition as a loop condition. 
As a result, we may miss some real loops, which increases the communication overhead of an analysis, or require the client to unnecessarily disclose extra informa</span></p> </div> <p class=MsoNormal align=center style='text-align:center'><span style='mso-fareast-font-family:"Times New Roman";mso-no-proof:yes'><img width=624 height=173 id="_x0000_i1027" src="images/panalyst_img_5.jpg"></span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> <p style='margin-bottom:27.75pt'><span style='font-size:10.0pt;font-family: "Arial","sans-serif"'>Figure 6: Input Generation for Sumus. Left: the client's packet; Right: the new packet generated on the server. </span></p> <p class=MsoNormal align=center style='text-align:center'><span style='mso-fareast-font-family:"Times New Roman";mso-no-proof:yes'><img width=624 height=125 id="_x0000_i1026" src="images/panalyst_img_6.jpg"></span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> <p style='margin-bottom:30.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Figure 7: Input Generation for Light HTTPd. Left: the client's packet; Right: the new packet generated on the server. </span></p> <div> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>tion. However, the client can always refuse to give more information and set a threshold for the maximal number of the questions it will answer. Even if this causes the analysis to fail, the server can still acquire some information related to the error and use it to facilitate other error analysis techniques such as fuzz testing. We plan to study more general techniques for analyzing loops in our future research. 
</span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; text-indent:9.75pt;line-height:12.0pt'><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>Entropy-based policies may not be sufficient for regulating information leaks. For example, complete disclosure of one byte in a field may have different privacy implications from leakage of the same amount of information distributed among several bytes in the field. In addition, specification of such policies does not seem to be intuitive, which may affect their usability. More effective privacy policies can be built upon other definitions of privacy such as <i>k</i>-Anonymity [46], <i>l</i>-Diversity [41] and <i>t</i>-Closeness [38]. These policies will be developed and evaluated in our future work. </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; text-indent:9.75pt;line-height:12.0pt'><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>Panalyst client can only approximate the amount of information disclosed by its answers using statistical means. It also assumes a uniform distribution over the values a symbol can take. Design of a better alternative for quantifying and controlling information is left as our future research. </span></p> <p style='margin-bottom:19.5pt;text-align:justify;text-indent:9.75pt; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Another limitation of our approach is that it cannot handle encoded or encrypted input. This problem can be mitigated by interposing on the API functions (such as those in the OpenSSL library) for decoding or decryption to get their plaintext outputs. Our error analysis will be conducted over the plaintext. 
</span></p> <p style='margin-bottom:11.25pt;text-align:justify'><span style='font-family: "Arial","sans-serif"'>7 Related Work </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Error reporting techniques have been widely used for helping the user diagnose application runtime errors. Windows error reporting [20], a technique built upon Microsoft's Dr. Watson service [18], generates an error report through summarizing a program state, including contents of registers and stack. It may also ask the user for extra information such as input documents to investigate an error. Such an error report is used to search an expert system for the solution provided by human experts. If the search fails, the client's error will be recorded for a future analysis. Crash Reporter [16] of Mac OS X and third-party tools such as BugToaster [27] and Bug Buddy [22] work in a similar way. As an example, Bug Buddy for GNOME can generate a stack trace using gdb and let the user post it to the GNOME bugzilla [4]. </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; text-indent:9.75pt;line-height:12.0pt'><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>Privacy protection in existing error reporting techniques mostly relies on the privacy policies of those who collect reports. This requires the user to trust the collector, and also forces her to either send the whole report </span></p> </div> <p class=MsoNormal align=center style='text-align:center'><span style='mso-fareast-font-family:"Times New Roman";mso-no-proof:yes'><img width=624 height=133 id="_x0000_i1025" src="images/panalyst_img_7.jpg"></span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> <p style='margin-bottom:30.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Figure 8: Input Generation for ATP HTTPd. 
Left: the client's packet; Right: the new packet generated on the server. </span></p> <p style='margin-bottom:6.75pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Table 3: </span><span style='font-size:9.0pt;font-family:"Arial","sans-serif"'>Performance of Panalyst. </span></p> <div align=center> <table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=0 style='width:0in;border-collapse:collapse;mso-yfti-tbllook:1184;mso-padding-alt: 2.25pt 2.25pt 2.25pt 2.25pt'> <tr style='mso-yfti-irow:0;mso-yfti-firstrow:yes;height:16.5pt'> <td width=94 valign=top style='width:70.5pt;border:solid black 1.0pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:16.5pt'> <p class=MsoNormal style='margin-bottom:21.0pt'><span style='font-size:7.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>Programs </span><b><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></b></p> </td> <td width=74 valign=top style='width:55.5pt;border:solid black 1.0pt; border-left:none;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:16.5pt'> <p class=MsoNormal style='margin-bottom:21.0pt'><span style='font-size:7.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>client delay (s) </span><b><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></b></p> </td> <td width=89 valign=top style='width:66.75pt;border:solid black 1.0pt; border-left:none;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:16.5pt'> <p class=MsoNormal style='margin-bottom:21.0pt'><span style='font-size:7.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>client memory use (MB) </span><b><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></b></p> </td> <td width=79 valign=top 
style='width:59.25pt;border:solid black 1.0pt; border-left:none;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:16.5pt'> <p class=MsoNormal style='margin-bottom:21.0pt'><span style='font-size:7.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>server delay (s) </span><b><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></b></p> </td> <td width=89 style='width:66.75pt;border:solid black 1.0pt;border-left:none; mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:16.5pt'> <p class=MsoNormal style='margin-bottom:21.0pt'><span style='font-size:7.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>server memory use (MB) </span><b><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></b></p> </td> <td width=113 valign=top style='width:84.75pt;border:solid black 1.0pt; border-left:none;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:16.5pt'> <p class=MsoNormal style='margin-bottom:21.0pt'><span style='font-size:7.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>total size of questions (bytes) </span><b><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></b></p> </td> <td width=108 valign=top style='width:81.0pt;border:solid black 1.0pt; border-left:none;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:16.5pt'> <p class=MsoNormal style='margin-bottom:21.0pt'><span style='font-size:7.0pt; font-family:"Arial","sans-serif";mso-fareast-font-family:"Times New Roman"'>total size of answers (bytes) </span><b><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></b></p> </td> </tr> <tr style='mso-yfti-irow:1;height:8.25pt'> <td width=94 
valign=top style='width:70.5pt;border:solid black 1.0pt; border-top:none;mso-border-top-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Newspost </span><b><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></b></p> </td> <td width=74 valign=top style='width:55.5pt;border-top:none;border-left:none; border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;mso-border-top-alt: solid black .75pt;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>0.022 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=89 valign=top style='width:66.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>4.7 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=79 valign=top style='width:59.25pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal 
style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>12.14 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=89 valign=top style='width:66.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>99.3 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=113 valign=top style='width:84.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>527 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=108 valign=top style='width:81.0pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>184 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> </tr> <tr 
style='mso-yfti-irow:2;height:8.25pt'> <td width=94 valign=top style='width:70.5pt;border:solid black 1.0pt; border-top:none;mso-border-top-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>OpenVMPS </span><b><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></b></p> </td> <td width=74 valign=top style='width:55.5pt;border-top:none;border-left:none; border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;mso-border-top-alt: solid black .75pt;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>1.638 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=89 valign=top style='width:66.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>3.9 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=79 valign=top style='width:59.25pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p 
class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>17 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=89 valign=top style='width:66.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>122.3 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=113 valign=top style='width:84.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>45,610 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=108 valign=top style='width:81.0pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>6,088 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> 
</tr> <tr style='mso-yfti-irow:3;height:8.25pt'> <td width=94 valign=top style='width:70.5pt;border:solid black 1.0pt; border-top:none;mso-border-top-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Null-HTTPd </span><b><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></b></p> </td> <td width=74 valign=top style='width:55.5pt;border-top:none;border-left:none; border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;mso-border-top-alt: solid black .75pt;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>1.517 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=89 valign=top style='width:66.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>5.0 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=79 valign=top style='width:59.25pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p 
class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>13.09 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=89 valign=top style='width:66.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>118.1 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=113 valign=top style='width:84.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>99,659 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=108 valign=top style='width:81.0pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>3,416 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> 
</tr> <tr style='mso-yfti-irow:4;height:8.25pt'> <td width=94 valign=top style='width:70.5pt;border:solid black 1.0pt; border-top:none;mso-border-top-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Sumus </span><b><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></b></p> </td> <td width=74 valign=top style='width:55.5pt;border-top:none;border-left:none; border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;mso-border-top-alt: solid black .75pt;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>0.123 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=89 valign=top style='width:66.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>4.8 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=79 valign=top style='width:59.25pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p 
class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>1.10 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=89 valign=top style='width:66.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>85.4 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=113 valign=top style='width:84.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>5,968 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=108 valign=top style='width:81.0pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>2,760 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> 
</tr> <tr style='mso-yfti-irow:5;height:8.25pt'> <td width=94 valign=top style='width:70.5pt;border:solid black 1.0pt; border-top:none;mso-border-top-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>Light HTTPd </span><b><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></b></p> </td> <td width=74 valign=top style='width:55.5pt;border-top:none;border-left:none; border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;mso-border-top-alt: solid black .75pt;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>0.88 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=89 valign=top style='width:66.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>4.8 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=79 valign=top style='width:59.25pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p 
class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>6.59 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=89 valign=top style='width:66.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>110.1 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=113 valign=top style='width:84.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>14,005 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=108 valign=top style='width:81.0pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>2,808 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> 
</tr> <tr style='mso-yfti-irow:6;mso-yfti-lastrow:yes;height:8.25pt'> <td width=94 valign=top style='width:70.5pt;border:solid black 1.0pt; border-top:none;mso-border-top-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>ATP-HTTPd </span><b><span style='mso-fareast-font-family: "Times New Roman"'><o:p></o:p></span></b></p> </td> <td width=74 valign=top style='width:55.5pt;border-top:none;border-left:none; border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;mso-border-top-alt: solid black .75pt;mso-border-left-alt:solid black .75pt;mso-border-alt:solid black .75pt; padding:2.25pt 2.25pt 2.25pt 2.25pt;height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>3.197 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=89 valign=top style='width:66.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>5.0 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=79 valign=top style='width:59.25pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; 
height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>37.11 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=89 valign=top style='width:66.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>145.4 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=113 valign=top style='width:84.75pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>50,615 </span><span style='mso-fareast-font-family:"Times New Roman"'><o:p></o:p></span></p> </td> <td width=108 valign=top style='width:81.0pt;border-top:none;border-left: none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt; mso-border-top-alt:solid black .75pt;mso-border-left-alt:solid black .75pt; mso-border-alt:solid black .75pt;padding:2.25pt 2.25pt 2.25pt 2.25pt; height:8.25pt'> <p class=MsoNormal style='margin-bottom:21.0pt;line-height:8.25pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family: "Times New Roman"'>15,960 </span><span style='mso-fareast-font-family:"Times New 
Roman"'><o:p></o:p></span></p> </td> </tr> </table> </div> <div> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>or submit nothing at all. In contrast, Panalyst reduces the user's reliance on the collectors to protect her privacy and also allows her to submit part of the information she is comfortable with. Even if such information is insufficient for reproducing an error, it can make it easier for other techniques to identify the underlying bug. Moreover, Panalyst server can automatically analyze the error caused by an unknown bug, whereas existing techniques depend on humans to analyze new bugs. </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; text-indent:9.75pt;line-height:12.0pt'><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>Proposals have been made to improve privacy protection during error reporting. Scrash [25] instruments an application's source code to record information related to a crash and generate a "clean" report that does not contain sensitive information. However, it needs source code and therefore does not work on commodity applications without the manufacturer's support. In addition, the technique introduces performance overheads even when the application works properly, and like other error reporting techniques, uses a remote expert system and therefore does not perform automatic analysis of new errors. Brickell et al. propose a privacy-preserving diagnostic scheme, which works on binary executables [24, 36]. The technique aims at searching a knowledge base framed as a decision tree in a privacy-preserving manner. It also needs to profile an application's execution. Panalyst differs from these approaches in that it does not interfere with an application's normal run except logging inputs, which is very lightweight, and is devised for automatically analyzing an unknown bug. 
</span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; text-indent:9.75pt;line-height:12.0pt'><span style='font-size:10.0pt; font-family:"Arial","sans-serif"'>Techniques for automatic analysis of software vulnerabilities have been intensively studied. Examples include the approach for generating vulnerability-based signatures [26], Vigilante [30], DACODA [31] and EXE [53]. </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>These approaches assume that an input triggering an error is already given and therefore privacy is no longer a concern. Panalyst addresses the important issue of how to get such an input without infringing too much on the user's privacy. This is achieved when Panalyst server is analyzing the vulnerable program. Our technique combines dynamic taint analysis with symbolic execution, which bears some similarity to a recent proposal for exploring multiple execution paths [42]. However, that technique is primarily designed for identifying hidden actions of malware, while Panalyst is for analyzing runtime errors. Therefore, we need to consider the issues that are not addressed by the prior approach. A prominent example is the techniques we propose to tackle a tainted pointer, which is essential to reliably reproducing an error. </span></p> <p style='margin-bottom:19.5pt;text-align:justify;text-indent:9.75pt; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Similar to Panalyst, a technique has been proposed recently to symbolically analyze a vulnerable executable and generate an error report through solving constraints [29]. The technique also applies entropy to quantify information loss caused by the error reporting. 
Panalyst differs from that approach fundamentally in that our technique generates a new input remotely while the prior approach directly works on the causal input on the client. Performing an intensive analysis on the client is exactly the thing we want to avoid, because this increases the client's burden and thus discourages the user from participating. Although an evaluation of the technique reports a moderate overhead [29], it does not include computation-intensive operations such as instruction-level tracing, which can, in some cases, introduce hundreds of seconds of delay and hundreds of megabytes of execution traces [23]. This can be barely acceptable to the user having such resources, and hardly affordable to those using weak devices such as PocketPC and PDA. Actually, reproducing an error without direct access to the causal input is much more difficult than analyzing the input locally, because it requires a careful coordination between the client and the server to ensure a gradual release of the input information without endangering the user's privacy or failing the analysis. In addition, Panalyst can enforce privacy policies on individual protocol fields and therefore achieves a finer-grained control of information than the prior approach. </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:11.25pt;margin-left: .25in;text-align:justify;text-indent:-17.25pt'><span style='font-family:"Arial","sans-serif"'>8 Conclusion and Future Work </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Remote error analysis is essential to timely discovery of security-critical vulnerabilities in applications and generation of fixes. 
Such an analysis works most effectively when it protects users' privacy, incurs the least performance overheads on the client and provides the server with sufficient information for an effective study of the underlying bugs. To this end, we propose Panalyst, a new technique for privacy-aware remote error analysis. Whenever a runtime error occurs, the Panalyst client sends the server an initial error report that includes nothing but the public information about the error. Using an input built from the report, Panalyst server analyzes the propagation of tainted data in the vulnerable application and symbolically evaluates its execution. During the analysis, the server queries the client whenever it does not have sufficient information to determine the execution path. The client responds to a question only when the answer does not leak out too much user information. The answer from the client allows the server to adjust the content of the input through symbolic execution and constraint solving. As a result, a new input will be built which includes the necessary information for reproducing the error on the client. Our experimental study of this technique demonstrates that it exposes a very small amount of user information, introduces negligible overheads to the client and enables the server to effectively analyze an error. </span></p> <p style='margin-bottom:19.5pt;text-align:justify;text-indent:9.75pt; line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The current design of Panalyst is for analyzing the error triggered by network inputs alone. Future research will extend our approach to handle other types of errors. In addition, we also plan to improve the techniques for estimating information leaks and reduce the number of queries the client needs to answer. 
</span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:11.25pt;margin-left: .25in;text-align:justify;text-indent:-17.25pt'><span style='font-family:"Arial","sans-serif"'>9 Acknowledgements </span></p> <p align=left style='margin-bottom:11.25pt;text-align:left;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>We thank our shepherd Anil Somayaji and the anonymous reviewers for their comments on the paper. This work was supported in part by the National Science Foundation Cyber Trust program under Grant No. CNS-0716292. </span></p> <p align=left style='margin-bottom:6.75pt;text-align:left'><span style='font-family:"Arial","sans-serif"'>References </span></p> <p align=left style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt; margin-left:3.75pt;text-align:left;line-height:9.75pt'><span style='font-size: 8.0pt;font-family:"Arial","sans-serif"'>[1] Wireshark. http://www.wireshark.org/. </span></p> <p align=left style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt; margin-left:.25in;text-align:left;text-indent:-13.5pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[2] <i>NIST/SEMATECH e-Handbook of Statistical Methods</i>. http://www.itl.nist.gov/div898/handbook/, 2008. </span></p> <p align=left style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt; margin-left:.25in;text-align:left;text-indent:-13.5pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[3] Athttpd</span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'> </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>Remote GET Request Buffer Overrun Vulnerability. http://www.securityfocus.com/bid/8709/discuss/, as of 2008. 
</span></p> <p align=left style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt; margin-left:.25in;text-align:left;text-indent:-13.5pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[4] GNOME bug tracking system</span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>. </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>http://bugzilla.gnome. org/, as of 2008. </span></p> <p align=left style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt; margin-left:.25in;text-align:left;text-indent:-13.5pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[5] LIGHT http server and content management system</span><span style='font-size:14.5pt;font-family: "Arial","sans-serif"'>. </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>http:// lhttpd.sourceforge.net/, as of 2008. </span></p> <p align=left style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt; margin-left:.25in;text-align:left;text-indent:-13.5pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[6] miniLZO, a lightweight subset of the LZO library</span><span style='font-size:14.5pt; font-family:"Arial","sans-serif"'>. </span><span style='font-size:8.0pt; font-family:"Arial","sans-serif"'>http:// www.oberhumer.com/opensource/lzo/#minilzo, as of 2008. </span></p> <p align=left style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt; margin-left:.25in;text-align:left;text-indent:-13.5pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[7] Newspost</span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>, </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>a usenet binary autoposter for unix. http:// newspost.unixcab.org/, as of 2008. 
</span></p> <p align=left style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt; margin-left:.25in;text-align:left;text-indent:-13.5pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[8] NullLogic, the Null HTTPD server. http://nullwebmail. sourceforge.net/httpd/, as of 2008. </span></p> <p align=left style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt; margin-left:.25in;text-align:left;text-indent:-13.5pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[9] Privacy</span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'> </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>Statement for the Microsoft Error Reporting Service. http://oca.microsoft.com/en/dcp20.asp, as of 2008. </span></p> <p align=left style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt; margin-left:.25in;text-align:left;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[10] Process Tracing Using Ptrace</span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>. </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>http://linuxgazette. net/issue81/sandeep.html, as of 2008. </span></p> <p align=left style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt; margin-left:.25in;text-align:left;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[11] Reducing</span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'> </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>Support Costs with Windows Vista. http: //technet.microsoft.com/en-us/windowsvista/ aa905076.aspx, as of 2008. </span></p> <p align=left style='margin-bottom:0in;margin-bottom:.0001pt;text-align:left; line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[12] Speed up Windows Mobile 5 pocket device . 
</span></p> <p align=left style='margin-top:0in;margin-right:12.75pt;margin-bottom:3.75pt; margin-left:.25in;text-align:left;line-height:9.75pt'><span style='font-size: 8.0pt;font-family:"Arial","sans-serif"'>http://www.mobiletopsoft.com/board/388/speed-up-windows-mobile-5-pocket-device.html, as of 2008. </span></p> <p align=left style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt; margin-left:.25in;text-align:left;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[13] Speed Up Windows Vista</span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>. </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>http://www.extremetech.com/article2/0,1697,2110598,00.asp, as of 2008. </span></p> <p align=left style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt; margin-left:.25in;text-align:left;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[14] Sumus Game Server</span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'> </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>Remote Buffer Overflow Vulnerability. http://www.securityfocus.com/bid/13162, as of 2008. </span></p> <p align=left style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt; margin-left:.25in;text-align:left;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[15] SUMUS, the mus server</span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>. </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>http://sumus.sourceforge.net/, as of 2008. 
</span></p> <p align=left style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt; margin-left:.25in;text-align:left;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[16] Technical</span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'> </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>Note TN2123, CrashReporter. http://developer.apple.com/technotes/tn2004/tn2123.html, as of 2008. </span></p> <p align=left style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt; margin-left:.25in;text-align:left;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[17] Tip:</span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'> </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>Disable Error reporting in Windows Mobile 5 to get better performance: msg#00043. http://osdir.com/ml/handhelds.ipaq.ipaqworld/2006-05/msg00043.html, as of 2008. </span></p> <p align=left style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt; margin-left:.25in;text-align:left;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[18] U.S. Department of Energy Computer Incident Advisory Capability. Office XP Error Reporting May Send Sensitive Documents to Microsoft. http://www.ciac.org/ciac/bulletins/m-005.shtml, as of 2008. </span></p> <p align=left style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt; margin-left:.25in;text-align:left;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[19] VMPS, VLAN Management Policy Server</span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>. </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>http://vmps.sourceforge.net/, as of 2008. 
</span></p> <p align=left style='margin-top:0in;margin-right:0in;margin-bottom:0in; margin-left:.25in;margin-bottom:.0001pt;text-align:left;text-indent:-17.25pt; line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[20] Windows Error Reporting</span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'>. </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>http://msdn2.microsoft. com/en-us/library/bb513641%28VS.85%29.aspx, as of 2008. </span></p> <p align=left style='margin-top:0in;margin-right:0in;margin-bottom:0in; margin-left:.25in;margin-bottom:.0001pt;text-align:left;text-indent:-17.25pt; line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[21] A</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>BADI</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, M., B</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>UDIU</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, M., E</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>RLINGSSON</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, U., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>L</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>IGATTI</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, J. Control-ûow integrity. In <i>ACM Conference on Computer and Communications Security </i>(2005), pp. 340 353.</span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: 18.75pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[22] B</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ERKMAN</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, J. 
Project Info for Bug-Buddy. http://www. advogato.org/proj/bug-buddy/, as of 2008. </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:0in;margin-left:18.75pt; margin-bottom:.0001pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[23] B</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>HANSALI</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, S., C</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>HEN</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, W.-K., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>DE </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>J</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ONG</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, S., E</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>DWARDS</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, A., M</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>URRAY</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, R., D</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>RINI </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>´ M., M</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>IHO </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>ÇD., C</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>HAU</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>,</span> <span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>C</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>CKA</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, </span><span 
style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>J. Framework for instruction-level tracing and analysis of program executions. In <i>VEE  06: Proceedings of the 2nd international conference on Virtual execution environments </i>(2006), pp. 154 163. </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: 18.75pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[24] B</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>RICKELL</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, J., P</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ORTER</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, D. E., S</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>HMATIKOV</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, V., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>W</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ITCHEL</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, E. Privacy-preserving remote diagnostics. In <i>CCS  07: Proceedings of the 14th ACM conference on Computer and communications security </i>(2007), pp. 498 507. 
</span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: 18.75pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[25] B</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ROADWELL</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, P., H</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ARREN</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, M., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>S</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ASTRY</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, N. Scrash: A system for generating secure crash information. In <i>Proceedings of the 12th USENIX Security Symposium </i>(Aug. 2003), USENIX, pp. 273 284. </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: 18.75pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[26] B</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>RUMLEY</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, D., N</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>EWSOME</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, J., S</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ONG</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, D. 
X., W</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ANG</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, H., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>J</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>HA</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, S. Towards automatic generation of vulnerability-based signatures. In <i>S&amp;P </i>(2006), pp. 2 16. </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: 18.75pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[27] B</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>UG</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>T</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>OASTER</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>. Do Something about computer Crashes. http: //www.bugtoaster.com, 2002. </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: 18.75pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[28] C</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ASTRO</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, M., C</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>OSTA</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, M., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>H</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ARRIS</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, T. 
Securing software by enforcing data-flow integrity. In <i>OSDI </i>(2006), pp. 147–160. </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: 18.75pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[29] C</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ASTRO</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, M., C</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>OSTA</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, M., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>M</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ARTIN</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, J.-P. Better bug reporting with better privacy. In <i>Proceedings of Thirteenth International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 08) </i>(2008). </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:0in;margin-left:18.75pt; margin-bottom:.0001pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[30] C</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>OSTA</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, M., C</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ROWCROFT</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, J., C</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ASTRO</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, M., R</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>OWSTRON</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, A. 
</span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: .25in;text-align:justify;line-height:9.75pt'><span style='font-size:8.0pt; font-family:"Arial","sans-serif"'>I. T., Z</span><span style='font-size:6.5pt; font-family:"Arial","sans-serif"'>HOU</span><span style='font-size:8.0pt; font-family:"Arial","sans-serif"'>, L., Z</span><span style='font-size:6.5pt; font-family:"Arial","sans-serif"'>HANG</span><span style='font-size:8.0pt; font-family:"Arial","sans-serif"'>, L., </span><span style='font-size:6.5pt; font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt; font-family:"Arial","sans-serif"'>B</span><span style='font-size:6.5pt; font-family:"Arial","sans-serif"'>ARHAM</span><span style='font-size:8.0pt; font-family:"Arial","sans-serif"'>, P. T. Vigilante: end-to-end containment of internet worms. In <i>Proceedings of SOSP </i>(2005), pp. 133 147. </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: 18.75pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[31] C</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>RANDALL</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, J. R., S</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>U</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, Z., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>W</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>U</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, S. F. On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits. In <i>CCS  05: Proceedings of the 12th ACM conference on Computer and communications security </i>(New York, NY, USA, 2005), ACM Press, pp. 235 248. 
</span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: 18.75pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[32] C</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>UI</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, W., P</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AXSON</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, V., W</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>EAVER</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, N., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>K</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ATZ</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, R. H. Protocol-independent adaptive replay of application dialog. In <i>NDSS </i>(2006). </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: 18.75pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[33] D</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>UTERTRE</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, B., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>M</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>OURA</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, L. The YICES SMT Solver. http://yices.csl.sri.com/, as of 2008. 
</span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:0in;margin-left:18.75pt; margin-bottom:.0001pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[34] E</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>GELE</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, M., K</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>RUEGEL</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, C., K</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>IRDA</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, E., Y</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>IN</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, H., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>S</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ONG</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: .25in;text-align:justify;line-height:9.75pt'><span style='font-size:8.0pt; font-family:"Arial","sans-serif"'>D. Dynamic spyware analysis. In <i>Proceedings of the 2007 USENIX Annual Technical Conference (Usenix 07) </i>(June 2007). </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: 18.75pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[35] G</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ODEFROID</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, P., L</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>EVIN</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, M. 
Y., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>M</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>OLNAR</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, D. Automated whitebox fuzz testing. In <i>NDSS </i>(2008). </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:0in;margin-left:18.75pt; margin-bottom:.0001pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[36] H</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>A</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, J., R</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>OSSBACH</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, C. J., D</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AVIS</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, J. V., R</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>OY</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, I., R</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AMADAN</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: .25in;text-align:justify;line-height:9.75pt'><span style='font-size:8.0pt; font-family:"Arial","sans-serif"'>H. E., P</span><span style='font-size:6.5pt; font-family:"Arial","sans-serif"'>ORTER</span><span style='font-size:8.0pt; font-family:"Arial","sans-serif"'>, D. E., C</span><span style='font-size:6.5pt; font-family:"Arial","sans-serif"'>HEN</span><span style='font-size:8.0pt; font-family:"Arial","sans-serif"'>, D. 
L., </span><span style='font-size:6.5pt; font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt; font-family:"Arial","sans-serif"'>W</span><span style='font-size:6.5pt; font-family:"Arial","sans-serif"'>ITCHEL</span><span style='font-size:8.0pt; font-family:"Arial","sans-serif"'>, E. Improved error reporting for software that uses black-box components. In <i>PLDI  07: Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation </i>(2007), pp. 101 111. </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: 18.75pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[37] K</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ING</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, J. C. Symbolic execution and program testing. <i>Commun. ACM 19</i>, 7 (1976), 385 394. </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:0in;margin-left:18.75pt; margin-bottom:.0001pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[38] L</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>I</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, N., L</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>I</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, T., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>V</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ENKATASUBRAMANIAN</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, S. t-closeness: Privacy beyond k-anonymity and l-diversity. In <i>ICDE </i>(2007), IEEE, pp. 106 115. 
</span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:0in;margin-left:18.75pt; margin-bottom:.0001pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[39]</span><span style='font-size:14.5pt;font-family:"Arial","sans-serif"'> </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>L</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>IANG</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, Z., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>S</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>EKAR</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, R. Fast and automated generation of attack signatures: a basis for building self-protecting servers. In <i>CCS  05: Proceedings of the 12th ACM conference on Computer and communications security </i>(New York, NY, USA, 2005), ACM Press, pp. 213 222. 
</span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:0in;margin-left:18.75pt; margin-bottom:.0001pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[40] L</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>UK</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, C.-K., C</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>OHN</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, R., M</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>UTH</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, R., P</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ATIL</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, H., K</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>LAUSER</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, A., L</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>OWNEY</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, G., W</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ALLACE</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, S., R</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>EDDI</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, V. J., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>H</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AZELWOOD</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: .25in;text-align:justify;line-height:9.75pt'><span style='font-size:8.0pt; font-family:"Arial","sans-serif"'>K. 
Pin: building customized program analysis tools with dynamic instrumentation. In <i>PLDI  05: Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation </i>(2005), pp. 190 200. </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:6.75pt;margin-left: 18.75pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[41] M</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ACHANAVAJJHALA</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, A., K</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>IFER</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, D., G</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>EHRKE</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, J., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>V</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ENKITASUBRAMANIAM</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, M. L-diversity: Privacy beyond k-anonymity. <i>TKDD 1</i>, 1 (2007). 
</span></p> <p align=left style='margin-top:0in;margin-right:49.5pt;margin-bottom:3.75pt; margin-left:0in;text-align:left;mso-line-height-alt:6.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[42] M</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>OSER</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, A., K</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>RÜGEL</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, C., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>K</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>IRDA</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, E. Exploring multiple execution paths for malware analysis. In <i>IEEE Symposium on Security and Privacy </i>(2007), pp. 231–245. 
</span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:0in;margin-left:18.75pt; margin-bottom:.0001pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[43] N</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>EWSOME</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, J., B</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>RUMLEY</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, D., F</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>RANKLIN</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, J., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>S</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ONG</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: .25in;text-align:justify;line-height:9.75pt'><span style='font-size:8.0pt; font-family:"Arial","sans-serif"'>D. X. Replayer: automatic protocol replay by binary analysis. In <i>ACM Conference on Computer and Communications Security </i>(2006), pp. 311 321. 
</span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: 18.75pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[44] N</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>EWSOME</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, J., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>S</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ONG</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, D. X. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In <i>NDSS </i>(2005). </span></p> <p style='margin-bottom:0in;margin-bottom:.0001pt;text-align:justify; line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[45] Q</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>IN</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, F., W</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ANG</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, C., L</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>I</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, Z., K</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>IM</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, H.-S., Z</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>HOU</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, Y., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>W</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>U</span><span 
style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, Y. Lift: A low-overhead practical information flow tracking system for detecting security attacks. In <i>MICRO </i>(2006), pp. 135–148. </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: 18.75pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[46] S</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AMARATI</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, P., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>S</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>WEENEY</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, L. Protecting privacy when disclosing information: k-anonymity and its enforcement through generalization and suppression, 1998. Technical Report SRICSL-98-04. </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: 18.75pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[47] S</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>HANNON</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, C., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>M</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>OORE</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, D. The spread of the witty worm. <i>IEEE Security &amp; Privacy 2</i>, 4 (July/August 2004), 46–50. 
</span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: 18.75pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[48] S</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>HANNON</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, C. E. A mathematical theory of communication. <i>Bell system technical journal 27 </i>(1948). </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: 18.75pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[49] S</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>IDIROGLOU</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, S., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>K</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>EROMYTIS</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, A. D. Countering network worms through automatic patch generation. <i>IEEE Security and Privacy 3</i>, 6 (2005), 41 49. 
</span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: 18.75pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[50] S</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>INGH</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, S., E</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>STAN</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, C., V</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ARGHESE</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, G., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>S</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AVAGE</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, S. Automated worm fingerprinting. In <i>Proceedings of OSDI </i>(2004), pp. 45–60. </span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: 18.75pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[51] V</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ACHHARAJANI</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, N., B</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>RIDGES</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, M. 
J., C</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>HANG</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, J., R</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ANGAN</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, R., O</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>TTONI</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, G., B</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>LOME</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, J. A., R</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>EIS</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, G. A., V</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ACHHARAJANI</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, M., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>A</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>UGUST</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, D. I. RIFLE: An architectural framework for user-centric information-flow security. In <i>MICRO </i>(2004), IEEE Computer Society, pp. 243–254. 
</span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:3.75pt;margin-left: 18.75pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[52] W</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ANG</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, X., L</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>I</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, Z., X</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>U</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, J., R</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>EITER</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, M. K., K</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>IL</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, C., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>C</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>HOI</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, J. Y. Packet vaccine: black-box exploit detection and signature generation. In <i>ACM Conference on Computer and Communications Security </i>(2006), pp. 37 46. 
</span></p> <p style='margin-top:0in;margin-right:0in;margin-bottom:0in;margin-left:18.75pt; margin-bottom:.0001pt;text-align:justify;text-indent:-17.25pt;line-height:9.75pt'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>[53] Y</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ANG</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, J., S</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AR</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, C., T</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>WOHEY</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, P., C</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>ADAR</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, C., </span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>AND </span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>E</span><span style='font-size:6.5pt;font-family:"Arial","sans-serif"'>NGLER</span><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>, D. Automatically generating malicious disks using symbolic execution. In <i>SP  06: Proceedings of the 2006 IEEE Symposium on Security and Privacy </i>(2006), pp. 243 257. </span></p> </div> </div> </div> </div> </div> </body> </html>