Automatic vulnerability fixing with debloating

Submitted by Salah SADOU on
Team
Date of the beginning of the PhD (if already known)
01/10/2023
Place
Rennes
Laboratory
IRISA - UMR 6074
Description of the subject

When vulnerabilities are identified, applying their fixes may take time. However, for many real-world clients, it is not acceptable to simply keep using the vulnerable code, with its attack surface. We propose to analyze the usage of vulnerable code to help developers reduce such usage, a process that we refer to as debloating. The principle of debloating is to remove portions of code with the goal of narrowing the attack surface and limiting the effects of a vulnerability [1-4]. Debloating can take different forms and granularities: from removing a specific function in a single file to removing a high-level functionality spanning different concerns and files. Debloating can have a direct effect here by removing the vulnerable code. Another targeted scenario is when the vulnerability is not yet precisely understood or mitigated, for example when vulnerabilities are not yet fixed in a given API. In this case, debloating the API would provide a sub-API that still meets the customers' other functional needs, but with less code and a reduced attack surface.


Debloating can complicate the task of an attacker and reduce the damage incurred by vulnerable code for two reasons: i) debloating produces a new code variant, and attackers have to design specific strategies, ideally for each debloated variant of the code; ii) an attack on the vulnerable code is possible if and only if other parts of the code and entry points can be leveraged: once these are debloated, some attacks are simply not applicable.

Bibliography

[1] X. Tërnava, M. Acher, and B. Combemale. Specialization of run-time configuration space at compile-time: An exploratory study (under review). The Art, Science, and Engineering of Programming, 2022.
[2] Babak Amin Azad, Pierre Laperdrix, and Nick Nikiforakis. Less is more: quantifying the security benefits of debloating web applications. In 28th USENIX Security Symposium (USENIX Security 19), pages 1697–1714, 2019.
[3] João Ferreira Filho Bosco, Mathieu Acher, and Olivier Barais. Software Unbundling: Challenges and Perspectives. In S. Chiba, M. Südholt, P. Eugster, L. Ziarek, and G.T. Leavens, editors, Transactions on Modularity and Composition I. Springer, May 2016.
[4] Michael D Brown and Santosh Pande. Is less really more? Towards better metrics for measuring security improvements realized through software debloating. In 12th USENIX Workshop on Cyber Security Experimentation and Test (CSET 19), 2019.

Researchers

Lastname, Firstname
SADOU Salah
Type of supervision
Director
Laboratory
IRISA
Team

Lastname, Firstname
KHELLADI Djamel Eddine
Type of supervision
Supervisor (optional)
Laboratory
IRISA
Team
Contact(s)
Name
KHELLADI Djamel Eddine
Email
djamel-eddine.khelladi@irisa.fr
Keywords
Debloating, vulnerability fixing