A Multi-OS Cross-Layer Study of Bloating in User Programs, Kernel and Managed Execution Environments

We present a study of bloating across the software stack. We study user-level programs, OS kernels and Java virtual machine. We employ: (1) static measurements to detect limits to debloating, and (2) dynamic measurements to detect how much of the code available to a program is utilized under typical payloads. We incorporate an ultra-light weight tracing procedure in a whole-system emulator to measure the bloat in kernel. We measure the amount of kernel code that executes during the boot process and during the execution of popular system calls. Our findings show that bloating is pervasive and severe. A significant fraction of code across the software stack is never executed and provides scope for debloating.

[1]  Matthew Arnold,et al.  Software bloat analysis: finding, removing, and preventing performance problems in modern large-scale object-oriented applications , 2010, FoSER '10.

[2]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[3]  Ben Niu,et al.  Per-Input Control-Flow Integrity , 2015, CCS.

[4]  William R. Harris,et al.  Efficient Protection of Path-Sensitive Control Security , 2017, USENIX Security Symposium.

[5]  Peng Liu,et al.  JRed: Program Customization and Bloatware Mitigation Based on Static Analysis , 2016, 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC).

[6]  Heng Yin,et al.  Defeating ROP Through Denial of Stack Pivot , 2015, ACSAC 2015.

[7]  Hovav Shacham,et al.  Return-oriented programming without returns , 2010, CCS '10.

[8]  Chris DiBona,et al.  Open Sources: Voices from the Open Source Revolution , 1999 .

[9]  Matthew Cole,et al.  Supplementing Modern Software Defenses with Stack-Pointer Sanity , 2017, ACSAC.

[10]  Peng Liu,et al.  A Preliminary Analysis and Case Study of Feature-Based Software Customization (Extended Abstract) , 2015, 2015 IEEE International Conference on Software Quality, Reliability and Security - Companion.

[11]  Michael J. Carey,et al.  A bloat-aware design for big data applications , 2013, ISMM '13.

[12]  Ahmad-Reza Sadeghi,et al.  Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications , 2015, 2015 IEEE Symposium on Security and Privacy.

[13]  Donald E. Porter,et al.  A study of modern Linux API usage and compatibility: what to support when you're supporting , 2016, EuroSys.

[14]  Heng Yin,et al.  Make it work, make it right, make it fast: building a platform-neutral whole-system dynamic binary analysis platform , 2014, ISSTA 2014.

[15]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[16]  Zhenkai Liang,et al.  Jump-oriented programming: a new class of code-reuse attack , 2011, ASIACCS '11.