Configuration-Driven Software Debloating

Koo, Hyungjoon; Ghavamnia, Seyedhamed; Polychronakis, Michalis

doi:10.1145/3301417.3312501

Cited by 46 publications

(22 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Slimium [50] debloats Chromium features based on a static-, dynamic-, and heuristic-based analysis. Koo et al take a configuration-driven approach to remove feature-specific code [29], achieving 77% debloat on nginx. Trimmer [57] is another technique that takes as input a user configuration and uses it to drive the debloating process.…”

Section: Related Workmentioning

confidence: 99%

On-the-fly Code Activation for Attack Surface Reduction

Porter¹,

Khan²,

Pande³

2021

Preprint

View full text Add to dashboard Cite

Modern code reuse attacks are taking full advantage of bloated software. Attackers piece together short sequences of instructions in otherwise benign code to carry out malicious actions. Eliminating these reusable code snippets, known as gadgets, has become one of the prime concerns of attack surface reduction. The aim is to break these chains of gadgets, thereby making such code reuse attacks impossible or substantially less common. Previous work on attack surface reduction has typically tried to eliminate such attacks by subsetting the application, e.g. via user-specified inputs, configurations, or features, or by focusing on third-party libraries to achieve high gadget reductions with minimal interference to the application.In this work we present a general, whole-program attack surface reduction technique called OCA that significantly reduces gadgets and has minor performance degradation. OCA requires no user inputs and leaves all features intact. OCA identifies specific program points and through analysis determines key function sets to enable/disable at runtime. The runtime system, thus, controls the set of enabled functions during execution, thereby significantly reducing the set of active gadgets an attacker can use, and by extension, cutting down the set of active gadget chains dramatically. On SPEC CPU 2017, our framework achieves 73.2% total gadget reduction with only 4% average slowdown. On 10 GNU coreutils applications, it achieves 87.2% reduction. On the nginx server it achieves 80.3% reduction with 2% slowdown. We also provide a gadget chain-breaking study across all applications, and show that our framework breaks the shell-spawning chain in all cases.

show abstract

Section: Related Workmentioning

confidence: 99%

On-the-fly Code Activation for Attack Surface Reduction

Porter¹,

Khan²,

Pande³

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…In contrast, our study focuses on the evolution and the emergence of bloat in Java projects, while spotting some of the current research gaps and tooling for effective dependency management. Other studies have focused on eliminating bloat in source code [33], binary shared libraries [1], highly configurable programs [15], or containers [24]. Other works have focused on improving the debloat process through various optimizations techniques [2,3,11,31,35].…”

Section: Related Workmentioning

confidence: 99%

A Longitudinal Analysis of Bloated Java Dependencies

Soto-Valero¹,

Durieux²,

Baudry³

2021

Preprint

View full text Add to dashboard Cite

We study the evolution and impact of bloated dependencies in a single software ecosystem: Java/Maven. Bloated dependencies are third-party libraries that are packaged in the application binary but are not needed to run the application. We analyze the history of 435 Java projects. This historical data includes 48,469 distinct dependencies, which we study across a total of 31,515 versions of Maven dependency trees. Bloated dependencies steadily increase over time, and 89.2 % of the direct dependencies that are bloated remain bloated in all subsequent versions of the studied projects. This empirical evidence suggests that developers can safely remove a bloated dependency. We further report novel insights regarding the unnecessary maintenance efforts induced by bloat. We find that 22 % of dependency updates performed by developers are made on bloated dependencies, and that Dependabot suggests a similar ratio of updates on bloated dependencies.

show abstract

“…In the same vein, TRIMMER [81] specializes program code, and debloats applications, by leveraging user-defined configurations, while Shredder [61] further introduces constant propagation analyses to specialize system API functions. Last, Koo et al [48] propose the concept of configuration-based software debloating: i.e., the removal of featurespecific code, which is exclusively used only when certain configuration directives are specified/enabled. These approaches are orthogonal to Nibbler, looking at software thinning from a different perspective, while most of them (with the exception of Shredder) require access to source code.…”

Section: Related Work 71 Code Reductionmentioning

confidence: 99%

Large-scale Debloating of Binary Shared Libraries

et al. 2020

View full text Add to dashboard Cite

Developers nowadays have access to an arsenal of toolkits and libraries for rapid application prototyping. However, when an application loads a library, the entirety of that library’s code is mapped into the process address space, even if only a single function is actually needed. The unused portion is bloat that can negatively impact software defenses by unnecessarily inflating their overhead or increasing the attack surface. In this article, we investigate whether debloating is possible and practical at the binary level. To this end, we present Nibbler : a system that identifies and erases unused functions within dynamic shared libraries. Nibbler works in tandem with defenses such as continuous code re-randomization and control-flow integrity, enhancing them without incurring additional run-time overhead. We developed and tested a prototype of Nibbler on x86-64 Linux; Nibbler reduces the size of shared libraries and the number of available functions, for real-world binaries and the SPEC CINT2006 suite, by up to 56% and 82%, respectively. We also demonstrate that Nibbler benefits defenses by showing that: (i) it improves the deployability of a continuous re-randomization system for binaries, namely, Shuffler, by increasing its efficiency by 20%, and (ii) it improves certain fast but coarse and context-insensitive control-flow integrity schemes by reducing the number of gadgets reachable through indirect branch instructions by 75% and 49%, on average. Last, we apply Nibbler on ≈30K C/C++ binaries and ≈5K unique dynamic shared libraries (i.e., almost the complete set of the Debian sid distribution), as well as on nine official Docker images (with millions of downloads in Docker Hub), reporting entrancing findings regarding code bloat at large.

show abstract

Configuration-Driven Software Debloating

Cited by 46 publications

References 13 publications

On-the-fly Code Activation for Attack Surface Reduction

On-the-fly Code Activation for Attack Surface Reduction

A Longitudinal Analysis of Bloated Java Dependencies

Large-scale Debloating of Binary Shared Libraries

Contact Info

Product

Resources

About