Michael D. Brown,Adam Meily,Brian Fairservice,Akshay Sood,Jonathan Dorn,Eric Kilmer,Ronald Eytchison

2024-06-13

Abstract:Software debloating tools seek to improve program security and performance by removing unnecessary code, called bloat. While many techniques have been proposed, several barriers to their adoption have emerged. Namely, debloating tools are highly specialized, making it difficult for adopters to find the right type of tool for their needs. This is further hindered by a lack of established metrics and comparative evaluations between tools. To close this information gap, we surveyed 10 years of debloating literature and several tools currently under commercial development to taxonomize knowledge about the debloating ecosystem. We then conducted a broad comparative evaluation of 10 debloating tools to determine their relative strengths and weaknesses. Our evaluation, conducted on a diverse set of 20 benchmark programs, measures tools across 12 performance, security, and correctness metrics. Our evaluation surfaces several concerning findings that contradict the prevailing narrative in the debloating literature. First, debloating tools lack the maturity required to be used on real-world software, evidenced by a slim 22% overall success rate for creating passable debloated versions of medium- and high-complexity benchmarks. Second, debloating tools struggle to produce sound and robust programs. Using our novel differential fuzzing tool, DIFFER, we discovered that only 13% of our debloating attempts produced a sound and robust debloated program. Finally, our results indicate that debloating tools typically do not improve the performance or security posture of debloated programs by a significant degree according to our evaluation metrics. We believe that our contributions in this paper will help potential adopters better understand the landscape of tools and will motivate future research and development of more capable debloating tools.

Software Engineering,Cryptography and Security,Programming Languages

Michael D. Brown,Santosh Pande

DOI: https://doi.org/10.1145/3338502.3359764

2019-07-04

Abstract:Software debloating is an emerging field of study aimed at improving the security and performance of software by removing excess library code and features that are not needed by the end user (called bloat). Software bloat is pervasive, and several debloating techniques have been proposed to address this problem. While these techniques are effective at reducing bloat, they are not practical for the average user, risk creating unsound programs and introducing vulnerabilities, and are not well suited for debloating complex software such as network protocol implementations. In this paper, we propose CARVE, a simple yet effective security-focused debloating technique that overcomes these limitations. CARVE employs static source code annotation to map software features source code, eliminating the need for advanced software analysis during debloating and reducing the overall level of technical sophistication required by the user. CARVE surpasses existing techniques by introducing debloating with replacement, a technique capable of preserving software interoperability and mitigating the risk of creating an unsound program or introducing a vulnerability. We evaluate CARVE in 12 debloating scenarios and demonstrate security and performance improvements that meet or exceed those of existing techniques.

Cryptography and Security,Software Engineering

Myeongsoo Kim,Santosh Pande,Alessandro Orso

2024-02-01

Abstract:Modern software often struggles with bloat, leading to increased memory consumption and security vulnerabilities from unused code. In response, various program debloating techniques have been developed, typically utilizing test cases that represent functionalities users want to retain. These methods range from aggressive approaches, which prioritize maximal code reduction but may overfit to test cases and potentially reintroduce past security issues, to conservative strategies that aim to preserve all influenced code, often at the expense of less effective bloat reduction and security improvement. In this research, we present RLDebloatDU, an innovative debloating technique that employs 1-DU chain minimality within abstract syntax trees. Our approach maintains essential program data dependencies, striking a balance between aggressive code reduction and the preservation of program semantics. We evaluated RLDebloatDU on ten Linux kernel programs, comparing its performance with two leading debloating techniques: Chisel, known for its aggressive debloating approach, and Razor, recognized for its conservative strategy. RLDebloatDU significantly lowers the incidence of Common Vulnerabilities and Exposures (CVEs) and improves soundness compared to both, highlighting its efficacy in reducing security issues without reintroducing resolved security issues.

Software Engineering

Liu Jiakun,Huang Qiao,Xia Xin,Shihab Emad,Lo David,Li Shanping

DOI: https://doi.org/10.1007/s10664-020-09917-5

IF: 3.762

2021-01-01

Empirical Software Engineering

Abstract:To complete tasks faster, developers often have to sacrifice the quality of the software. Such compromised practice results in the increasing burden to developers in future development. The metaphor, technical debt, describes such practice. Prior research has illustrated the negative impact of technical debt, and many researchers investigated how developers deal with a certain type of technical debt. However, few studies focused on the removal of different types of technical debt in practice. To fill this gap, we use the introduction and removal of different types of self-admitted technical debt (i.e., SATD) in 7 deep learning frameworks as an example. This is because deep learning frameworks are some of the most important software systems today due to their prevalent use in life-impacting deep learning applications. Moreover, the field of the development of different deep learning frameworks is the same, which enables us to find common behaviors on the removal of different types of technical debt across projects. By mining the file history of these frameworks, we find that design debt is introduced the most along the development process. As for the removal of technical debt, we find that requirement debt is removed the most, and design debt is removed the fastest. Most of test debt, design debt, and requirement debt are removed by the developers who introduced them. Based on the introduction and removal of different types of technical debt, we discuss the evolution of the frequencies of different types of technical debt to depict the unresolved sub-optimal trade-offs or decisions that are confronted by developers along the development process. We also discuss the removal patterns of different types of technical debt, highlight future research directions, and provide recommendations for practitioners.

Hsuan-Chi Kuo,Jianyan Chen,Sibin Mohan,Tianyin Xu

DOI: https://doi.org/10.1145/3379469

2020-05-27

Proceedings of the ACM on Measurement and Analysis of Computing Systems

Abstract:This paper presents a study on the practicality of operating system (OS) kernel debloating---reducing kernel code that is not needed by the target applications---in real-world systems. Despite their significant benefits regarding security (attack surface reduction) and performance (fast boot times and reduced memory footprints), the state-of-the-art OS kernel debloating techniques are seldom adopted in practice, especially in production systems. We identify the limitations of existing kernel debloating techniques that hinder their practical adoption, including both accidental and essential limitations. To understand these limitations, we build an advanced debloating framework named \tool which enables us to conduct a number of experiments on different types of OS kernels (including Linux and the L4 microkernel) with a wide variety of applications (including HTTPD, Memcached, MySQL, NGINX, PHP and Redis). Our experimental results reveal the challenges and opportunities towards making kernel debloating techniques practical for real-world systems. The main goal of this paper is to share these insights and our experiences to shed light on addressing the limitations of kernel debloating in future research and development efforts.

English Else

César Soto-Valero,Thomas Durieux,Nicolas Harrand,Benoit Baudry

DOI: https://doi.org/10.48550/arXiv.2008.08401

2022-05-19

Abstract:Software bloat is code that is packaged in an application but is actually not necessary to run the application. The presence of software bloat is an issue for security, for performance, and for maintenance. In this paper, we introduce a novel technique for debloating, which we call coverage-based debloating. We implement the technique for one single language: Java bytecode. We leverage a combination of state-of-the-art Java bytecode coverage tools to precisely capture what parts of a project and its dependencies are used when running with a specific workload. Then, we automatically remove the parts that are not covered, in order to generate a debloated version of the project. We succeed to debloat 211 library versions from a dataset of 94 unique open-source Java libraries. The debloated versions are syntactically correct and preserve their original behavior according to the workload. Our results indicate that 68.3% of the libraries' bytecode and 20.3% of their total dependencies can be removed through coverage-based debloating. For the first time in the literature on software debloating, we assess the utility of debloated libraries with respect to client applications that reuse them. We select 988 client projects that either have a direct reference to the debloated library in their source code or which test suite covers at least one class of the libraries that we debloat. Our results show that 81.5% of the clients, with at least one test that uses the library, successfully compile and pass their test suite when the original library is replaced by its debloated version.

Software Engineering

Hugo Lefeuvre,Nathan Dautenhahn,David Chisnall,Pierre Olivier

2024-10-11

Abstract:Decomposing large systems into smaller components with limited privileges has long been recognized as an effective means to minimize the impact of exploits. Despite historical roots, demonstrated benefits, and a plethora of research efforts in academia and industry, the compartmentalization of software is still not a mainstream practice. This paper investigates why, and how this status quo can be improved. Noting that existing approaches are fraught with inconsistencies in terminology and analytical methods, we propose a unified model for the systematic analysis, comparison, and directing of compartmentalization approaches. We use this model to review 211 research efforts and analyze 61 mainstream compartmentalized systems, confronting them to understand the limitations of both research and production works. Among others, our findings reveal that mainstream efforts largely rely on manual methods, custom abstractions, and legacy mechanisms, poles apart from recent research. We conclude with recommendations: compartmentalization should be solved holistically; progress is needed towards simplifying the definition of compartmentalization policies; towards better challenging our threat models in the light of confused deputies and hardware limitations; as well as towards bridging the gaps we pinpoint between research and mainstream needs. This paper not only maps the historical and current landscape of compartmentalization, but also sets forth a framework to foster their evolution and adoption.

Cryptography and Security,Operating Systems

Yutian Tang,Hao Zhou,Xiapu Luo,Ting Chen,Haoyu Wang,Zhou Xu,Yan Cai

DOI: https://doi.org/10.1109/tse.2021.3120213

IF: 7.4

2022-01-01

IEEE Transactions on Software Engineering

Abstract:Existing programming practices for building Android apps mainly follow the "one-size-fits-all" strategy to include lots of functions and adapt to most types of devices. However, this strategy can result in software bloat and many serious issues, such as slow download speed, and large attack surfaces. Existing solutions cannot effectively debloat an app as they either lack flexibility or require human efforts. This work proposes a novel feature-oriented debloating approach and builds a prototype, named XDebloat, to automate this process in a flexible manner. First, We propose three feature location approaches to mine features in an app. XDebloat supports feature location approaches at a fine granularity. It also makes the feature location results editable. Second, XDebloat considers several Android-oriented issues (i.e., callbacks) to perform a more precise analysis. Third, XDebloat supports two major debloating strategies: pruning-based debloating and module-based debloating. We evaluate XDebloat with 200 open-source and 1,000 commercial apps. The results show that XDebloat can successfully remove components from apps or transform apps into on-demand modules within 10 minutes. For the pruning-based debloating strategy, on average, XDebloat can remove 32.1% code from an app. For the module-based debloating strategy, XDebloat can help developers build instant apps or app bundles automatically.

Eman Abu Ishgair,Marcela S. Melara,Santiago Torres-Arias

2024-05-29

Abstract:The software supply chain comprises a highly complex set of operations, processes, tools, institutions and human factors involved in creating a piece of software. A number of high-profile attacks that exploit a weakness in this complex ecosystem have spurred research in identifying classes of supply chain attacks. Yet, practitioners often lack the necessary information to understand their security posture and implement suitable defenses against these attacks. We argue that the next stage of software supply chain security research and development will benefit greatly from a defense-oriented approach that focuses on holistic bottom-up solutions. To this end, this paper introduces the AStRA model, a framework for representing fundamental software supply chain elements and their causal relationships. Using this model, we identify software supply chain security objectives that are needed to mitigate common attacks and systematize knowledge on recent and well-established security techniques for their ability to meet these objectives. We validate our model against prior attacks and taxonomies. Finally, we identify emergent research gaps and propose opportunities to develop novel software development tools and systems that are secure-by-design.

Cryptography and Security

Akoh Atadoga,Uchenna Joseph Umoga,Oluwaseun Augustine Lottu,Enoch Oluwademilade Sodiya

DOI: https://doi.org/10.30574/wjaets.2024.11.1.0051

2024-02-28

World Journal of Advanced Engineering Technology and Sciences

Abstract:The quest for sustainability has extended its reach into the realm of software engineering, prompting an exploration of tools, techniques, and emerging trends to mitigate the environmental impact of software development and operation. This review provides a critical review of current practices and future directions in sustainable software engineering. In recent years, the software industry has recognized the need to address the environmental footprint of software systems, considering factors such as energy consumption, resource utilization, and carbon emissions. Consequently, a plethora of tools and techniques have emerged to support sustainable software development processes. These range from energy-efficient programming languages and frameworks to eco-friendly software architectures and design patterns. Moreover, methodologies such as Green Software Engineering (GSE) and Sustainable Software Development (SSD) have gained traction, emphasizing the integration of sustainability considerations throughout the software development lifecycle. By adopting practices like green requirements engineering, energy-aware testing, and eco-design principles, organizations can optimize their software systems for reduced environmental impact without compromising functionality or performance. Furthermore, trends in sustainable software engineering extend beyond traditional development practices. The rise of cloud computing, edge computing, and Internet of Things (IoT) technologies presents both challenges and opportunities for sustainability. Techniques such as serverless computing and containerization offer potential benefits in terms of resource efficiency and scalability, while also introducing new considerations regarding data center energy consumption and electronic waste management. Looking ahead, the future of sustainable software engineering is marked by innovation and collaboration. Emerging technologies such as artificial intelligence (AI) and blockchain hold promise for optimizing resource allocation, enhancing energy efficiency, and fostering transparency in sustainability efforts. Additionally, interdisciplinary collaboration between software engineers, environmental scientists, and policymakers will be essential in shaping a more sustainable digital ecosystem. The journey towards sustainable software engineering involves a multifaceted approach encompassing tools, techniques, and ongoing adaptation to evolving trends. By critically evaluating current practices and embracing future directions, the software industry can contribute to a more environmentally responsible and resilient future.

Chris Porter,Sharjeel Khan,Kangqi Ni,Santosh Pande

2024-03-30

Abstract:Software debloating can effectively thwart certain code reuse attacks by reducing attack surfaces to break gadget chains. Approaches based on static analysis enable a reduced set of functions reachable at a callsite for execution by leveraging static properties of the callgraph. This achieves low runtime overhead, but the function set is conservatively computed, negatively affecting reduction. In contrast, approaches based on machine learning (ML) have much better precision and can sharply reduce function sets, leading to significant improvement in attack surface. Nevertheless, mispredictions occur in ML-based approaches. These cause overheads, and worse, there is no clear way to distinguish between mispredictions and actual attacks.

Cryptography and Security

Mehdi Mirakhorli,Derek Garcia,Schuyler Dillon,Kevin Laporte,Matthew Morrison,Henry Lu,Viktoria Koscinski,Christopher Enoch

2024-02-17

Abstract:Modern software applications heavily rely on diverse third-party components, libraries, and frameworks sourced from various vendors and open source repositories, presenting a complex challenge for securing the software supply chain. To address this complexity, the adoption of a Software Bill of Materials (SBOM) has emerged as a promising solution, offering a centralized repository that inventories all third-party components and dependencies used in an application. Recent supply chain breaches, exemplified by the SolarWinds attack, underscore the urgent need to enhance software security and mitigate vulnerability risks, with SBOMs playing a pivotal role in this endeavor by revealing potential vulnerabilities, outdated components, and unsupported elements. This research paper conducts an extensive empirical analysis to assess the current landscape of open-source and proprietary tools related to SBOM. We investigate emerging use cases in software supply chain security and identify gaps in SBOM technologies. Our analysis encompasses 84 tools, providing a snapshot of the current market and highlighting areas for improvement.

Software Engineering

Noel Warford,Tara Matthews,Kaitlyn Yang,Omer Akgul,Sunny Consolvo,Patrick Gage Kelley,Nathan Malkin,Michelle L. Mazurek,Manya Sleeper,Kurt Thomas

DOI: https://doi.org/10.48550/arXiv.2112.07047

2021-12-13

Computers and Society

Abstract:At-risk users are people who experience elevated digital security, privacy, and safety threats because of what they do, who they are, where they are, or who they are with. In this systematization work, we present a framework for reasoning about at-risk users based on a wide-ranging meta-analysis of 85 papers. Across the varied populations that we examined (e.g., children, activists, women in developing regions), we identified 10 unifying contextual risk factors--such as oppression or stigmatization and access to a sensitive resource--which augment or amplify digital-safety threats and their resulting harms. We also identified technical and non-technical practices that at-risk users adopt to attempt to protect themselves from digital-safety threats. We use this framework to discuss barriers that limit at-risk users' ability or willingness to take protective actions. We believe that the security, privacy, and human-computer interaction research and practitioner communities can use our framework to identify and shape research investments to benefit at-risk users, and to guide technology design to better support at-risk users.

Chengbin Pang,Ruotong Yu,Yaohui Chen,Eric Koskinen,Georgios Portokalidis,Bing Mao,Jun Xu

DOI: https://doi.org/10.1109/sp40001.2021.00012

2021-05-01

Abstract:Disassembly of binary code is hard, but necessary for improving the security of binary software. Over the past few decades, research in binary disassembly has produced many tools and frameworks, which have been made available to researchers and security professionals. These tools employ a variety of strategies that grant them different characteristics. The lack of systematization, however, impedes new research in the area and makes selecting the right tool hard, as we do not understand the strengths and weaknesses of existing tools. In this paper, we systematize binary disassembly through the study of nine popular, open-source tools. We couple the manual examination of their code bases with the most comprehensive experimental evaluation (thus far) using 3,788 binaries. Our study yields a comprehensive description and organization of strategies for disassembly, classifying them as either algorithm or else heuristic. Meanwhile, we measure and report the impact of individual algorithms on the results of each tool. We find that while principled algorithms are used by all tools, they still heavily rely on heuristics to increase code coverage. Depending on the heuristics used, different coverage-vs-correctness trade-offs come in play, leading to tools with different strengths and weaknesses. We envision that these findings will help users pick the right tool and assist researchers in improving binary disassembly.

Omar Alrawi,Miuyin Yong Wong,Athanasios Avgetidis,Kevin Valakuzhy,Boladji Vinny Adjibi,Konstantinos Karakatsanis,Mustaque Ahamad,Doug Blough,Fabian Monrose,Manos Antonakakis

2024-03-25

Abstract:Malware sandboxes provide many benefits for security applications, but they are complex. These complexities can overwhelm new users in different research areas and make it difficult to select, configure, and use sandboxes. Even worse, incorrectly using sandboxes can have a negative impact on security applications. In this paper, we address this knowledge gap by systematizing 84 representative papers for using x86/64 malware sandboxes in the academic literature. We propose a novel framework to simplify sandbox components and organize the literature to derive practical guidelines for using sandboxes. We evaluate the proposed guidelines systematically using three common security applications and demonstrate that the choice of different sandboxes can significantly impact the results. Specifically, our results show that the proposed guidelines improve the sandbox observable activities by at least 1.6x and up to 11.3x. Furthermore, we observe a roughly 25% improvement in accuracy, precision, and recall when using the guidelines to help with a malware family classification task. We conclude by affirming that there is no "silver bullet" sandbox deployment that generalizes, and we recommend that users apply our framework to define a scope for their analysis, a threat model, and derive context about how the sandbox artifacts will influence their intended use case. Finally, it is important that users document their experiment, limitations, and potential solutions for reproducibility

Computer Science

Huaifeng Zhang,Mohannad Alhanahnah,Ahmed Ali-Eldin

DOI: https://doi.org/10.48550/arXiv.2305.04641

2023-05-08

Abstract:While there has been exponential improvements in hardware performance over the years, software performance has lagged behind. The performance-gap is caused by software inefficiencies, many of which are caused by software bloat. Software bloat occurs due to the ever increasing, mostly unused, features and dependencies in a software. Bloat exists in all layers of software, from the operating system, to the application, resulting in computing resource wastage. The problem is exacerbated in both cloud and edge setting as the number of applications running increase. To remove software bloat, multiple debloating tools have been proposed in the literature. However, these tools do not provide safety guarantees on the debloated software, with some files needed during run-time removed. In this paper, We introduce BLAFS, a BLoat-Aware-file system for containers. BLAFS guarantees debloating safety for both cloud and edge systems. BLAFS is implemented on top of the Overlay file-system, allowing for file-system layer sharing across the containers. We compare BLAFS to two state-of-the-art debloating tools (Cimplifier and Dockerslim), and two state-of-the-art lazy-loading container snap-shotters for edge systems (Starlight and eStargz). Our evaluation of real-world containers shows BLAFS reduces container sizes by up to 97% of the original size, while maintaining the safety of the containers when other debloating tools fail. We also evaluate BLAFS's performance in edge settings. It can reduce the container provisioning time by up to 90% providing comparable bandwidth reductions to lazy-loading snap-shotters, while removing 97% of the vulnerabilities, and up to 97% less space on the edge.

Software Engineering

Tarik Houichime,Younes El Amrani

DOI: https://doi.org/10.1007/s10515-024-00446-9

IF: 1.677

2024-06-08

Automated Software Engineering

Abstract:Software design optimization (SDO) demands advanced abstract reasoning to define optimal design components' structure and interactions. Modeling tools such as UML and MERISE, and to a degree, programming languages, are chiefly developed for lucid human–machine design dialogue. For effective automation of SDO, an abstract layer attuned to the machine's computational prowess is crucial, allowing it to harness its swift calculation and inference in determining the best design. This paper contributes an innovative and universal framework for search-based software design refactoring with an emphasis on optimization. The framework accommodates 44% of Fowler's cataloged refactorings. Owing to its adaptable and succinct structure, it integrates effortlessly with diverse optimization heuristics, eliminating the requirement for further adaptation. Distinctively, our framework offers an artifact representation that obviates the necessity for a separate solution representation, this unified dual-purpose representation not only streamlines the optimization process but also facilitates the computation of essential object-oriented metrics. This ensures a robust assessment of the optimized model through the construction of pertinent fitness functions. Moreover, the artifact representation supports parallel optimization processes and demonstrates commendable scalability with design expansion.

computer science, software engineering

Girish Mururu,Chris Porter,Prithayan Barua,Santosh Pande

DOI: https://doi.org/10.48550/arXiv.1902.06570

2019-02-18

Abstract:Modern software systems heavily use C/C++ based libraries. Because of the weak memory model of C/C++, libraries may suffer from vulnerabilities which can expose the applications to potential attacks. For example, a very large number of return oriented programming gadgets exist in glibc that allow stitching together semantically valid but malicious Turing-complete programs. In spite of significant advances in attack detection and mitigation, full defense is unrealistic against an ever-growing set of possibilities for generating such malicious programs. In this work, we create a defense mechanism by debloating libraries to reduce the dynamic functions linked so that the possibilities of constructing malicious programs diminishes significantly. The key idea is to locate each library call site within an application, and in each case to load only the set of library functions that will be used at that call site. This approach of demand-driven loading relies on an input-aware oracle that predicts a near-exact set of library functions needed at a given call site during the execution. The predicted functions are loaded just in time, and the complete call chain (of function bodies) inside the library is purged after returning from the library call back into the application. We present a decision-tree based predictor, which acts as an oracle, and an optimized runtime system, which works directly with library binaries like GNU libc and libstdc++. We show that on average, the proposed scheme cuts the exposed code surface of libraries by 97.2%, reduces ROP gadgets present in linked libraries by 97.9%, achieves a prediction accuracy in most cases of at least 97%, and adds a small runtime overhead of 18% on all libraries (16% for glibc, 2% for others) across all benchmarks of SPEC 2006, suggesting this scheme is practical.

Cryptography and Security

Katherine R. Dearstyne,Alberto D. Rodriguez,Jane Cleland-Huang

2024-08-20

Abstract:Software engineering practices such as constructing requirements and establishing traceability help ensure systems are safe, reliable, and maintainable. However, they can be resource-intensive and are frequently underutilized. To alleviate the burden of these essential processes, we developed the Requirements Organization and Optimization Tool (ROOT). ROOT centralizes project information and offers project visualizations and AI-based tools designed to streamline engineering processes. With ROOT's assistance, engineers benefit from improved oversight and early error detection, leading to the successful development of software systems. Link to screen cast: <a class="link-external link-https" href="https://youtu.be/3rtMYRnsu24" rel="external noopener nofollow">this https URL</a>

Software Engineering

Cadence Patrick,Kimberly Ruth,Zakir Durumeric

2024-04-18

Abstract:Open-source software (OSS) supply chain security has become a topic of concern for organizations. Patching an OSS vulnerability can require updating other dependent software products in addition to the original package. However, the landscape of OSS dependencies is not well explored: we do not know what packages are most critical to patch, hindering efforts to improve OSS security where it is most needed. There is thus a need to understand OSS usage in major software and device makers' products. Our work takes a first step toward closing this knowledge gap. We investigate published OSS dependency information for 108 major software and device makers, cataloging how available and how detailed this information is and identifying the OSS packages that appear the most frequently in our data.

Software Engineering,Cryptography and Security