CARVE: Practical Security-Focused Software Debloating Using Simple Feature Set Mappings

Software debloating is an emerging field of study aimed at improving the security and performance of software by removing excess library code and features that are not needed by the end user (called bloat). Software bloat is pervasive, and several debloating techniques have been proposed to address this problem. While these techniques are effective at removing bloat, they are not practical for the average end user, risk creating unsound programs and introducing new vulnerabilities, and are not well suited for debloating complex software such as network protocol implementations. In this paper, we propose CARVE, a simple yet effective security-focused debloating technique that addresses these shortcomings. CARVE employs static source code annotation to map software features to source code, eliminating the need for advanced software analysis during debloating and reducing the overall level of technical sophistication required by the end user. CARVE also introduces the concept of debloating with replacement, which is capable of removing software features while preserving software interoperability and mitigating the risk of creating an unsound program or introducing a vulnerability. We evaluate CARVE in 12 debloating scenarios and present our results demonstrating security and performance improvements that meet or exceed those of existing techniques.

[1]  Chenxiong Qian,et al.  RAZOR: A Framework for Post-deployment Software Debloating , 2019, USENIX Security Symposium.

[2]  Per Larsen,et al.  Microgadgets: Size Does Matter in Turing-Complete Return-Oriented Programming , 2012, WOOT.

[3]  Peng Liu,et al.  Feature-Based Software Customization: Preliminary Analysis, Formalization, and Methods , 2016, 2016 IEEE 17th International Symposium on High Assurance Systems Engineering (HASE).

[4]  Lok-Kwong Yan,et al.  Debloating Software through Piece-Wise Compilation and Loading , 2018, USENIX Security Symposium.

[5]  Zhenkai Liang,et al.  Jump-oriented programming: a new class of code-reuse attack , 2011, ASIACCS '11.

[6]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[7]  Salman Niksefat,et al.  Pure-Call Oriented Programming (PCOP): chaining the gadgets using call instructions , 2017, Journal of Computer Virology and Hacking Techniques.

[8]  Hashim Sharif,et al.  Trimmer: Application Specialization for Code Debloating , 2018, 2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[9]  Manish Gupta,et al.  The interplay of software bloat, hardware energy proportionality and system bottlenecks , 2011, HotPower '11.

[10]  Michalis Polychronakis,et al.  Configuration-Driven Software Debloating , 2019, EuroSec@EuroSys.

[11]  Mayur Naik,et al.  Effective Program Debloating via Reinforcement Learning , 2018, CCS.

[12]  Matthew Arnold,et al.  Software bloat analysis: finding, removing, and preventing performance problems in modern large-scale object-oriented applications , 2010, FoSER '10.

[13]  Peng Liu,et al.  JRed: Program Customization and Bloatware Mitigation Based on Static Analysis , 2016, 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC).

[14]  Aravind Prakash,et al.  A Multi-OS Cross-Layer Study of Bloating in User Programs, Kernel and Managed Execution Environments , 2017, FEAST@CCS.

[15]  Guru Venkataramani,et al.  TOSS: Tailoring Online Server Systems through Binary Feature Customization , 2018 .

[16]  Santosh Pande,et al.  Is Less Really More? Towards Better Metrics for Measuring Security Improvements Realized Through Software Debloating , 2019, CSET @ USENIX Security Symposium.