debloating.com hosts ongoing research projects on debloating for web applications.
The main idea of software debloating is to reduce software's attack surface by removing pieces of code that are not required by users. Debloating can target various parts of the software stack. For instance, "Less is More" reduces the attack surface of web applications by removing the PHP code that is not required, and as a result, removing the potential vulnerabilities in those sections of the code. Orthogonally, "Saphire" makes it harder to mount exploits by disabling unnecessary system calls for web applications.
"Mininode" is a tool that reduces the attack surface of Node.js applications by removing unused modules and the unused functions within modules. Finally, "SQLBlock" restricts each PHP function's access to the database. It essentially reduces the attack surface of the vulnerable PHP functions in a web application to a set of query descriptors that describe the benign functionality of the PHP function.
This line of research is pursued by researchers from multiple universities. Below are the leaders and the contributors of these projects.