Towards Automated Application-Specific Software Stacks

07/03/2019
by   Nicolai Davidsson, et al.
0

Software complexity has increased over the years. One common way to tackle this complexity during development is to encapsulate features into a shared library. This allows developers to reuse already implemented features instead of reimplementing them over and over again. However, not all features provided by a shared library are actually used by an application. As a result, an application using shared libraries loads unused code into memory, which an attacker can use to perform code-reuse and similar types of attacks. The same holds for applications written in a scripting language such as PHP or Ruby: The interpreter typically offers much more functionality than is actually required by the application and hence provides a larger overall attack surface. In this paper, we tackle this problem and propose a first step towards automated application-specific software stacks. We present a compiler extension capable of removing unneeded code from shared libraries and---with the help of domain knowledge---also capable of removing unused functionalities from an interpreter's code base during the compilation process. Our evaluation against a diverse set of real-world applications, among others Nginx, Lighttpd, and the PHP interpreter, removes on average 71.3 libc implementation. The evaluation on web applications show that a tailored PHP interpreter can mitigate entire vulnerability classes, as is the case for OpenConf. We demonstrate the applicability of our debloating approach by creating an application-specific software stack for a Wordpress web application: we tailor the libc library to the Nginx web server and PHP interpreter, whereas the PHP interpreter is tailored to the Wordpress web application. In this real-world scenario, the code of the libc is decreased by 65.1

READ FULL TEXT
research
11/04/2021

Automatic Diversity in the Software Supply Chain

Despite its obvious benefits, the increased adoption of package managers...
research
06/30/2020

Extending the OpenCHK Model with Advanced Checkpoint Features

One of the major challenges in using extreme scale systems efficiently i...
research
04/16/2020

Optimising the Fit of Stack Overflow Code Snippets into Existing Code

Software developers often reuse code from online sources such as Stack O...
research
07/07/2020

From API to NLI: A New Interface for Library Reuse

Developers frequently reuse APIs from existing libraries to implement ce...
research
07/05/2020

Steroids for DOPed Applications: A Compiler for Automated Data-Oriented Programming

The wide-spread adoption of system defenses such as the randomization of...
research
10/18/2021

On-the-fly Code Activation for Attack Surface Reduction

Modern code reuse attacks are taking full advantage of bloated software....
research
08/11/2021

The Used, the Bloated, and the Vulnerable: Reducing the Attack Surface of an Industrial Application

Software reuse may result in software bloat when significant portions of...

Please sign up or login with your details

Forgot password? Click here to reset