The Used, the Bloated, and the Vulnerable: Reducing the Attack Surface of an Industrial Application

08/11/2021
by Serena Elisa Ponta, et al.

Software reuse may result in software bloat when significant portions of application dependencies are effectively unused. Several tools exist to remove unused (byte)code from an application or its dependencies, thus producing smaller artifacts and, potentially, reducing the overall attack surface. In this paper we evaluate the ability of three debloating tools to distinguish which dependency classes are necessary for an application to function correctly from those that could be safely removed. To do so, we conduct a case study on a real-world commercial Java application. Our study shows that the tools we used were able to correctly identify a considerable amount of redundant code, which could be removed without altering the results of the existing application tests. One of the redundant classes turned out to be (formerly) vulnerable, confirming that this technique has the potential to be applied for hardening purposes. However, by manually reviewing the results of our experiments, we observed that none of the tools can handle a widely used default mechanism for dynamic class loading.
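The abstract's practical warning is that a debloater which marks a class as unused because no bytecode references it can still be wrong when the class is loaded by name at runtime, and a passing test suite only proves that the tests did not hit that path. The following is an added example, not code from the paper or from any of the tools it evaluates, of the cross-check a practitioner would run before deleting anything: take the statically unreachable classes, then subtract those the JVM was actually observed loading while the tests ran (captured with the real JDK 9+ option `-Xlog:class+load`) and flag those whose fully qualified name appears in some string constant, which is the usual footprint of `Class.forName`-style loading. The abstract does not name the mechanism it found unhandled; `Class.forName` is assumed here only for illustration. The class-reference graph, the string constants and the log lines are constructed.

```python
"""Cross-check static debloating candidates against evidence of dynamic loading.

Added example, not code from the paper or from any of the debloating tools it
evaluates. The static reference graph, the string constants and the JVM
class-load log lines are constructed for illustration.
"""
import re
from collections import deque

# Constructed static reference graph: class -> classes it references directly
# (the kind of edge a bytecode-based debloater derives from the constant pool).
# A reflective Class.forName("org.lib.xml.Decoder") produces no such edge,
# which is exactly the blind spot this check is for.
STATIC_REFS = {
    "com.acme.app.Main": {"com.acme.app.Service", "org.lib.http.Client"},
    "com.acme.app.Service": {"org.lib.json.Parser"},
    "org.lib.http.Client": {"org.lib.http.Request", "org.lib.http.Response"},
    "org.lib.json.Parser": set(),
    "org.lib.http.Request": set(),
    "org.lib.http.Response": set(),
    "org.lib.xml.Decoder": set(),  # only reached through Class.forName at runtime
    "org.lib.xml.Schema": set(),   # named in a string constant, never loaded by tests
    "org.lib.xml.Util": set(),     # genuinely unused
}

# Constructed string constants per class (what a constant-pool scan would yield).
# Constants from every class are considered, not only statically live ones.
STRING_CONSTANTS = {
    "com.acme.app.Service": {"org.lib.xml.Decoder", "org.lib.xml.Schema", "UTF-8"},
}

# Constructed lines in the format of `java -Xlog:class+load`, as captured
# while running the application's test suite.
SAMPLE_CLASS_LOAD_LOG = """\
[0.031s][info][class,load] java.lang.Object source: shared objects file
[0.412s][info][class,load] com.acme.app.Main source: file:/app/app.jar
[0.413s][info][class,load] com.acme.app.Service source: file:/app/app.jar
[0.415s][info][class,load] org.lib.http.Client source: file:/app/lib/http-1.2.jar
[0.420s][info][class,load] org.lib.xml.Decoder source: file:/app/lib/xml-3.0.jar
[0.421s][info][class,load] org.lib.json.Parser source: file:/app/lib/json-2.8.jar
""".splitlines()

CLASS_LOAD_LINE = re.compile(
    r"^\[[^\]]*\]\[info\]\[class,load\]\s+(?P<cls>\S+)\s+source:\s+(?P<src>.+)$"
)


def statically_reachable(graph, roots):
    """Breadth-first closure over static references from the entry points."""
    seen = set()
    queue = deque(roots)
    while queue:
        cls = queue.popleft()
        if cls in seen:
            continue
        seen.add(cls)
        queue.extend(graph.get(cls, ()))
    return seen


def parse_class_load_log(lines):
    """Map each class name in -Xlog:class+load output to the source it came from."""
    loaded = {}
    for line in lines:
        m = CLASS_LOAD_LINE.match(line)
        if m:
            loaded[m.group("cls")] = m.group("src").strip()
    return loaded


def debloat_plan(graph, roots, string_constants, class_load_log):
    """Split the statically unreachable classes into three buckets.

    removable: no static path, never observed loading, not named in any string
    observed : no static path, but the JVM loaded it during the test run
    suspect  : no static path, not observed, but some class embeds its name as
               a string constant (a hint that a Class.forName-style load exists
               on a path the test suite simply did not exercise)
    """
    live = statically_reachable(graph, roots)
    candidates = set(graph) - live
    loaded = parse_class_load_log(class_load_log)
    named = {s for consts in string_constants.values() for s in consts}

    observed = {c for c in candidates if c in loaded}
    suspect = {c for c in candidates - observed if c in named}
    removable = candidates - observed - suspect
    return removable, observed, suspect


if __name__ == "__main__":
    removable, observed, suspect = debloat_plan(
        STATIC_REFS, ["com.acme.app.Main"], STRING_CONSTANTS, SAMPLE_CLASS_LOAD_LOG
    )
    print("safe to remove      :", sorted(removable))
    print("loaded dynamically  :", sorted(observed))
    print("suspect (not tested):", sorted(suspect))
```

With the constructed inputs, only `org.lib.xml.Util` ends up removable: `org.lib.xml.Decoder` has no static edge but was loaded during the test run, and `org.lib.xml.Schema` was never loaded but is named in a string constant, so the test suite may simply lack the path that loads it. The runtime bucket is only as complete as the test suite's coverage, which is why the string-constant heuristic is kept as a second, independent signal rather than relying on the class-load log alone.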


Related research

- A Comprehensive Study of Bloated Dependencies in the Maven Ecosystem (01/21/2020)
- Automatic Specialization of Third-Party Java Dependencies (02/16/2023)
- Vulnerable Open Source Dependencies: Counting Those That Matter (08/29/2018)
- A Comparative Study of Vulnerability Reporting by Software Composition Analysis Tools (08/27/2021)
- Towards Automated Application-Specific Software Stacks (07/03/2019)
- Can We Trust Tests To Automate Dependency Updates? A Case Study of Java Projects (09/24/2021)
