Next: Implementation Up: Core File Filtering Systems Previous: Core File Filtering Systems


Scrash goals

Our system, Scrash, is an easy-to-use filtering system that presents several tradeoffs between privacy guarantees and developer utility of crash data. Its goal is to eliminate sensitive memory locations and their copies from a core file. In addition, Scrash provides developer control over certain classes of derivative data that may be removed from the core file. For example, Scrash considers the length of a sensitive buffer to be sensitive as well, which ensures that the length of a sensitive password buffer computed via strlen will also be regarded as sensitive. The developer may choose to override this rule, however, if she feels that disclosing the length of the buffer may be beneficial for problem debugging and does not pose a significant privacy risk.

Scrash does not address privacy leaks that arise from indirect (implicit) information flows or other covert channels. For example, the program counter and the call stack can leak information about the state of sensitive variables even when the variables themselves have been filtered. Consider the following example:


   char c = password[0];
   if (c >= 'a' && c <= 'z') {
     // stmt a
   } else {
     // stmt b
   }

If the program's execution state indicates that statement b was executed, then an adversary can infer that the password does not start with a lowercase letter even if the password variable is marked as sensitive. Eliminating control flow privacy leaks and other covert channels while retaining enough information for debugging is difficult, so Scrash ignores such vulnerabilities. A system that did guard against control flow privacy leaks would have to withhold the processor registers and even the entire call stack from the developer: all of them reveal the outcome of prior control flow decisions and could be used to discover information about the state of sensitive variables that had been used in conditionals.
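The following program is an added example, not code from the Scrash paper or its implementation. It models a core file as a small struct (a hypothetical stand-in for a real process image) and applies a Scrash-style filter that erases the sensitive buffer, its copy and, unless the developer overrides the rule, the derived length. It then shows the leak the text describes: the branch that was executing at the crash still reveals whether password[0] is a lowercase letter. The struct, the function names and the sample passwords are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF 16

/* Hypothetical stand-in for a core file: only the fields the argument needs.
 * Scrash works on real process images; this struct merely models one. */
struct core_image {
    char password[BUF];   /* buffer the developer has marked sensitive */
    char copy[BUF];       /* a copy the program made of it */
    size_t password_len;  /* derivative data: strlen(password) */
    int branch;           /* control-flow state at the crash: 1 = stmt a, 2 = stmt b */
};

/* Runs the program from the text up to the point of the crash. */
static void run_to_crash(struct core_image *img, const char *pw) {
    memset(img, 0, sizeof *img);
    snprintf(img->password, BUF, "%s", pw);
    memcpy(img->copy, img->password, BUF);       /* copy of sensitive data */
    img->password_len = strlen(img->password);   /* derived from sensitive data */
    char c = img->password[0];
    if (c >= 'a' && c <= 'z')
        img->branch = 1;   /* stmt a */
    else
        img->branch = 2;   /* stmt b */
}

/* Scrash-style filter: erase the sensitive buffer, every copy of it and, unless
 * the developer overrides the rule, its length. Registers, program counter and
 * call stack (modelled here by 'branch') are deliberately left untouched. */
static void scrub(struct core_image *img, bool keep_length) {
    memset(img->password, 0, BUF);
    memset(img->copy, 0, BUF);
    if (!keep_length)
        img->password_len = 0;
}

static bool all_zero(const char *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0) return false;
    return true;
}

/* Does any byte of the password survive in the filtered image? */
bool filtered_core_holds_password(const char *pw) {
    struct core_image img;
    run_to_crash(&img, pw);
    scrub(&img, false);
    return !(all_zero(img.password, BUF) && all_zero(img.copy, BUF));
}

/* What the length field shows after filtering, with or without the override. */
size_t filtered_core_length(const char *pw, bool keep_length) {
    struct core_image img;
    run_to_crash(&img, pw);
    scrub(&img, keep_length);
    return img.password_len;
}

/* The control-flow leak: from the branch that was executing at the crash, an
 * adversary recovers whether password[0] is a lowercase letter even though the
 * bytes themselves are gone. */
bool filtered_core_reveals_lowercase(const char *pw) {
    struct core_image img;
    run_to_crash(&img, pw);
    scrub(&img, false);
    return img.branch == 1;
}

int main(void) {
    /* constructed sample inputs */
    const char *samples[] = { "hunter2", "Hunter2", "7letters" };
    for (size_t i = 0; i < 3; i++) {
        printf("%-9s bytes survive: %d  length: %zu (with override: %zu)  first char lowercase: %d\n",
               samples[i],
               filtered_core_holds_password(samples[i]),
               filtered_core_length(samples[i], false),
               filtered_core_length(samples[i], true),
               filtered_core_reveals_lowercase(samples[i]));
    }
    return 0;
}
```

Note that the filter removes the password bytes, the copy and the length field, yet filtered_core_reveals_lowercase still answers correctly for every input: the inference comes from the branch field alone, which is exactly the kind of control-flow state a real core file carries in the program counter and return addresses.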


Naveen Sastry 2003-05-12