Software debloating for the web stack

debloating.com hosts the ongoing research projects on debloating for web applications.


What is software debloating?

The main idea of software debloating is to reduce a program's attack surface by removing code that its users do not need. Debloating can target various layers of the software stack. For instance, "Less is More" reduces the attack surface of web applications by removing PHP code that is not required, and with it the potential vulnerabilities in those sections of the code. Orthogonally, "Saphire" makes exploits harder to mount by disabling the system calls that a web application does not need.

"Mininode" reduces the attack surface of Node.js applications by removing unused modules, and unused functions within the modules that remain. Finally, "SQLBlock" restricts each PHP function's access to the database: it reduces the attack surface of a vulnerable PHP function to a set of query descriptors that capture the function's benign database behavior, so that queries falling outside that set are not allowed.
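The query-descriptor idea behind SQLBlock, as an added example that is not part of this page or of SQLBlock's own code. A descriptor is assumed here to be the pair (statement kinds, tables touched), learned per calling function from benign traffic and enforced at query time; the function names `describe`, `learn_profile` and `check_query`, the training queries and the regex tokenizer are all constructed for this illustration, and SQLBlock's real descriptor format and parser are not shown on this page.

```python
import re

# Keywords after which the next identifier names a table. Constructed
# simplification; a real implementation would use a proper SQL parser.
_TABLE_KEYWORDS = {"FROM", "INTO", "UPDATE", "JOIN"}


def describe(query):
    """Reduce a SQL string to its descriptor: (statement kinds, tables touched).

    Statements are split on ';' so that a stacked injection such as
    '...; DROP TABLE users' changes the descriptor instead of hiding behind
    the benign SELECT that precedes it.
    """
    statements = [s for s in query.split(";") if s.strip()]
    if not statements:
        raise ValueError("empty query")
    kinds, tables = set(), set()
    for stmt in statements:
        tokens = re.findall(r"[A-Za-z_][A-Za-z0-9_]*", stmt)
        if not tokens:
            continue
        kinds.add(tokens[0].upper())
        tables.update(cur.lower() for prev, cur in zip(tokens, tokens[1:])
                      if prev.upper() in _TABLE_KEYWORDS)
    return (frozenset(kinds), frozenset(tables))


def learn_profile(observed):
    """Build the per-function allow-list from (calling_function, query) pairs
    recorded while exercising the application's benign functionality."""
    profile = {}
    for func, query in observed:
        profile.setdefault(func, set()).add(describe(query))
    return profile


def check_query(profile, func, query):
    """True if func is allowed to issue this query under its learned profile.
    A function with no profile is allowed nothing."""
    return describe(query) in profile.get(func, set())


# Constructed benign traffic captured during a training run.
TRAINING = [
    ("get_user", "SELECT id, name FROM users WHERE id = 7"),
    ("get_user", "SELECT id, name FROM users WHERE name = 'bob'"),
    ("add_comment", "INSERT INTO comments (post_id, body) VALUES (3, 'hi')"),
]
PROFILE = learn_profile(TRAINING)

if __name__ == "__main__":
    # A benign call matches its descriptor; a UNION-based injection touches an
    # extra table and a stacked query adds a statement kind, so both are rejected.
    print(check_query(PROFILE, "get_user", "SELECT id, name FROM users WHERE id = 9"))
    print(check_query(PROFILE, "get_user",
                      "SELECT id, name FROM users WHERE id = 1 UNION SELECT user, password FROM admins"))
    print(check_query(PROFILE, "get_user",
                      "SELECT id, name FROM users WHERE id = 1; DROP TABLE users"))
```

The tokenizer does not understand string literals, so a `;` or a `FROM` inside a quoted value would perturb the descriptor; that is acceptable for a demonstration but a deployed descriptor must come from a real SQL parser, and a practical descriptor also records the columns and clauses involved, not only the tables.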

"DBLTR" introduces role-based debloating. It identifies clusters of users with similar behavior, assigns each cluster to a dynamically defined access-control role, and debloats per role, removing more code, and more vulnerabilities, than prior all-in-one debloating schemes.

"Minimalist" generates a call graph for a given PHP web application, performs a reachability analysis from the features users require, and removes the functions that are unreachable from them. Compared to prior work, Minimalist debloats web applications without relying on heavy runtime instrumentation. Furthermore, the call graph generated by Minimalist can be reused (in combination with web server logs) to debloat different installations of the same web application. Due to the inherent complexity and highly dynamic nature of the PHP language, Minimalist cannot guarantee that its call-graph analysis is sound, so a function that is reached only through a call the analysis fails to model may be removed. Minimalist instead follows a best-effort approach that models the majority of PHP features used by popular web applications such as WordPress and phpMyAdmin.
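Log-driven reachability debloating, as an added example that is not code from Minimalist or DBLTR. It combines the two ideas described above: entry points come from web server log lines, unreachable functions in a call graph are dropped, and building one profile per role removes more than a single all-in-one profile. The call graph, the access-log lines and the visitor/admin role split are all constructed for this illustration, and a real call graph would be extracted from the PHP source rather than written by hand.

```python
import re
from collections import deque

# Constructed call graph standing in for one extracted from a PHP application.
# Keys are request-handling scripts or functions; values are what they may call.
CALL_GRAPH = {
    "index.php": ["render_page", "load_post"],
    "login.php": ["check_password", "render_page"],
    "admin.php": ["check_password", "update_settings", "render_page"],
    "render_page": ["escape_html"],
    "load_post": ["db_query"],
    "update_settings": ["db_query", "clear_cache"],
    "check_password": ["hash_password"],
    "export_xml": ["db_query", "xml_encode"],  # requested by nobody in the logs
    "clear_cache": [], "escape_html": [], "db_query": [],
    "hash_password": [], "xml_encode": [],
}

# Constructed common-log-format lines, already grouped by the role the
# requesting user was assigned to; the request path selects the entry script.
ROLE_LOGS = {
    "visitor": [
        '10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /index.php?p=3 HTTP/1.1" 200 5120',
        '10.0.0.5 - - [01/Mar/2024:10:00:07 +0000] "POST /login.php HTTP/1.1" 302 0',
    ],
    "admin": [
        '10.0.0.9 - - [01/Mar/2024:10:01:40 +0000] "POST /login.php HTTP/1.1" 302 0',
        '10.0.0.9 - - [01/Mar/2024:10:01:44 +0000] "POST /admin.php?action=settings HTTP/1.1" 200 880',
        '10.0.0.9 - - [01/Mar/2024:10:01:50 +0000] "GET /index.php HTTP/1.1" 200 5120',
    ],
}

_REQUEST = re.compile(r'"[A-Z]+ /([^ ?"]+)')  # method, then path up to '?', space or quote


def entry_points(log_lines, graph):
    """Scripts requested in the log that exist as nodes of the call graph."""
    found = set()
    for line in log_lines:
        m = _REQUEST.search(line)
        if m and m.group(1) in graph:
            found.add(m.group(1))
    return found


def reachable(graph, entries):
    """Breadth-first closure over the call graph from the entry scripts."""
    seen, queue = set(), deque(entries)
    while queue:
        func = queue.popleft()
        if func in seen:
            continue
        seen.add(func)
        queue.extend(graph.get(func, ()))
    return seen


def removed_all_in_one(graph, role_logs):
    """One profile from every role's log: only code nobody reaches is removed."""
    entries = set()
    for lines in role_logs.values():
        entries |= entry_points(lines, graph)
    return set(graph) - reachable(graph, entries)


def removed_per_role(graph, role_logs):
    """One profile per role: each role's build loses everything that role never reaches."""
    return {role: set(graph) - reachable(graph, entry_points(lines, graph))
            for role, lines in role_logs.items()}


if __name__ == "__main__":
    print("all-in-one removes:", sorted(removed_all_in_one(CALL_GRAPH, ROLE_LOGS)))
    for role, gone in removed_per_role(CALL_GRAPH, ROLE_LOGS).items():
        print(f"{role} build removes:", sorted(gone))
```

The visitor build drops the admin-only settings code that the all-in-one profile has to keep, which is the gain role-based debloating is after. The soundness caveat from the text shows up directly in this model: an edge missing from `CALL_GRAPH` (for example a call made through a variable function name) makes the callee look unreachable, and removing it breaks the feature that used it.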

"AnimateDead" is a concolic PHP analysis engine that uses readily available web server logs as application entry points, performs concolic reachability analysis, and extracts the code coverage of the target web application in an abstract environment, which allows the results to generalize over all user inputs and database states. We demonstrate that debloating via concolic execution improves the security of web applications by shrinking the size of their code by an average of 47% and reducing critical API calls by 55%, while removing 35-65% of the vulnerabilities behind historic CVEs. We show that, via concolic execution, we can debloat web applications with security improvements comparable to those of dynamic debloating schemes, without their runtime overhead or their need for a training phase. Moreover, AnimateDead-debloated web applications reduce the likelihood of breakage by allowing users to perform every action reachable from the analyzed entry points.


Debloating projects


Our Team

This line of research is pursued by researchers from multiple universities. Below are the leaders and contributors of these projects, grouped by institution.

Stony Brook University
  Babak Amin Azad (PhD, Stony Brook University)
  Pierre Laperdrix (Full time researcher, CNRS / Univ. Lille / Inria)
  Nick Nikiforakis (Associate Professor, Stony Brook University)

Boston University
  Alexander Bulekov (PhD Candidate, Boston University)
  Rasoul Jahanshahi (PhD Candidate, Boston University)
  Manuel Egele (Assistant Professor, Boston University)

North Carolina State University
  Igibek Koishybayev (PhD Candidate, North Carolina State University)
  Alexandros Kapravelos (Assistant Professor, North Carolina State University)

Arizona State University
  Adam Doupé (Associate Professor, Arizona State University)

Funded by

Office of Naval Research, grant number N00014-17-1-2541
Office of Naval Research, grant number N00014-21-1-2159