debloating.com hosts the ongoing research projects on debloating for web applications.
The main idea of software debloating is to reduce software's attack surface by removing pieces of code that are not required by users. Debloating can target various parts of the software stack. For instance, "Less is More" reduces the attack surface of web applications by removing the PHP code that is not required, and as a result, removing the potential vulnerabilities in those sections of the code. Orthogonally, "Saphire" makes it harder to mount exploits by disabling unnecessary system calls for web applications.
"Mininode" is a tool that helps reduce the attack surface of Node.js applications by removing unused modules, and unused functions within the modules that remain. Finally, "SQLBlock" restricts each PHP function's access to the database. It essentially reduces the attack surface of the vulnerable PHP functions in a web application to a set of query descriptors that capture the benign database behavior of each PHP function.
"DBLTR" introduces the idea of role-based debloating. This system identifies clusters of users with similar behavior, assigns them to a dynamically defined access-control role, and removes more code and more vulnerabilities than prior all-in-one debloating schemes.
"Minimalist" generates a call graph for a given PHP web application, performs a reachability analysis for the features users require, and removes unreachable functions from the analyzed web application. Compared to prior work, Minimalist debloats web applications without relying on heavy runtime instrumentation. Furthermore, the call graph generated by Minimalist can be reused (in combination with web server logs) to debloat different installations of the same web application. Due to the inherent complexity and highly dynamic nature of the PHP language, Minimalist cannot guarantee the soundness of its call-graph analysis. However, Minimalist follows a best-effort approach to model the majority of PHP features used by popular web applications, such as WordPress, phpMyAdmin, and others.
"AnimateDead" is a concolic PHP analysis engine that uses the readily available web server logs as application entry points. It performs concolic reachability analysis and extracts the code coverage of target web applications in an abstract environment, which allows our results to generalize to all user inputs and database states. We demonstrate that debloating via concolic execution improves the security of web applications by shrinking the size of their code by an average of 47% and reducing critical API calls by 55%, while removing 35-65% of vulnerabilities for historic CVEs. We show that, via concolic execution, we can debloat web applications with security improvements comparable to those of dynamic debloating schemes, without suffering from the runtime overhead and the need for a training phase. Moreover, AnimateDead-debloated web applications reduce the likelihood of breakage by allowing users to perform all actions reachable from the analyzed entry points.
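The core idea shared by Minimalist and AnimateDead, entry points taken from web server logs and a reachability analysis that decides which functions survive, can be shown on a toy scale. The following is an added example and is not code from debloating.com or from any of the projects above: it builds a crude call graph from a constructed PHP application by regex and brace counting (nowhere near the projects' real PHP modeling), takes requested files from constructed Apache access-log lines as roots, walks the graph, and reports which declared functions are unreachable and therefore debloating candidates. It also flags dynamic call constructs (`call_user_func`, variable functions, `eval`), which is exactly where a static call graph, as the page notes for Minimalist, cannot be sound. File names, function names and log lines are all made up for the example.

```python
import re
from collections import deque

# Constructed toy PHP application (file -> source).  Not code from any real
# project; it exists only to exercise the reachability algorithm below.
APP = {
    "index.php": "<?php\ninclude 'lib.php';\nrender_home();\n",
    "login.php": "<?php\ninclude 'lib.php';\nhandle_login($_POST);\n",
    "admin.php": "<?php\ninclude 'lib.php';\nexport_users();\n",
    "lib.php": """<?php
function render_home() { echo sanitize("home"); }
function handle_login($post) {
    check_password($post);
    log_event("login");
}
function check_password($post) { return hash_equals("x", (string)$post); }
function log_event($msg) { file_put_contents("/tmp/log", $msg, FILE_APPEND); }
function export_users() { return run_query("SELECT * FROM users"); }
function run_query($sql) { return mysqli_query(null, $sql); }
function dispatch($name) { return call_user_func($name); }
function sanitize($s) { return htmlspecialchars($s); }
""",
}

# Constructed Apache combined-format log lines: only index.php and login.php
# were ever requested; admin.php never appears, so its code path is dead.
ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /login.php?next=/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:14:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/8.0"
"""

DEF_RE = re.compile(r"\bfunction\s+([A-Za-z_]\w*)\s*\(")
# A plain call: identifier followed by '(' and not preceded by '$' (variable
# function), '->' (method) or another identifier character.
CALL_RE = re.compile(r"(?<![\w$>])([A-Za-z_]\w*)\s*\(")
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s+['\"]([^'\"]+)['\"]")
# Constructs a static call graph cannot resolve; these make the result unsound.
DYNAMIC_RE = re.compile(r"\$\w+\s*\(|call_user_func|eval\s*\(")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE)\s+([^\s?]+)')


def build_call_graph(app):
    """Return (edges, declared, warnings).  Nodes are 'file::top' for a file's
    top-level code or a function name; edges map caller -> set of callees."""
    declared = set()
    for src in app.values():
        declared.update(DEF_RE.findall(src))
    edges, warnings = {}, []
    for fname, src in app.items():
        top = f"{fname}::top"
        current = top
        edges.setdefault(top, set())
        depth = 0  # brace depth; nested function definitions are not modeled
        for lineno, line in enumerate(src.splitlines(), 1):
            m = DEF_RE.search(line)
            if m and depth == 0:
                current = m.group(1)
                edges.setdefault(current, set())
            if DYNAMIC_RE.search(line):
                warnings.append(f"{fname}:{lineno}: dynamic call in {current}; graph may be incomplete")
            for inc in INCLUDE_RE.findall(line):
                edges[current].add(f"{inc}::top")  # including a file runs its top-level code
            for callee in CALL_RE.findall(DEF_RE.sub("", line)):
                if callee in declared:  # builtins such as hash_equals are not debloating targets here
                    edges[current].add(callee)
            depth += line.count("{") - line.count("}")
            if depth == 0:
                current = top
    return edges, declared, warnings


def entry_points(log_text):
    """Requested PHP files from access-log lines, as 'file::top' root nodes."""
    roots = set()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            path = m.group(1).lstrip("/") or "index.php"
            roots.add(f"{path}::top")
    return roots


def reachable(edges, roots):
    """Breadth-first closure of the call graph from the given root nodes."""
    seen, queue = set(roots), deque(roots)
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def debloat(app, log_text):
    """Return (functions to keep, functions to remove, soundness warnings)."""
    edges, declared, warnings = build_call_graph(app)
    roots = entry_points(log_text) & set(edges)  # ignore requests for files we do not have
    live = reachable(edges, roots)
    keep = {f for f in declared if f in live}
    return keep, declared - keep, warnings


if __name__ == "__main__":
    keep, remove, warnings = debloat(APP, ACCESS_LOG)
    print("keep:  ", sorted(keep))
    print("remove:", sorted(remove))
    for w in warnings:
        print("warning:", w)
```

Because admin.php never shows up in the log, `export_users` and `run_query` (the only path to the database) are unreachable and get removed, which is the kind of vulnerability-bearing code the page describes debloating away; the warning on `dispatch` marks the spot where this graph is best-effort rather than sound.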
Quick links: [Publication] [Source code]
This line of research is pursued by researchers from multiple universities. Below are the leaders and the contributors of these projects.