Software reuse may result in software bloat when significant portions of application dependencies are effectively unused. Several tools exist to remove unused (byte)code from an application or its dependencies, thus producing smaller artifacts and, potentially, reducing the overall attack surface. In this paper we evaluate the ability of three debloating tools to distinguish which dependency classes are necessary for an application to function correctly from those that could be safely removed. To do so, we conduct a case study on a real-world commercial Java application. Our study shows that the tools we used were able to correctly identify a considerable amount of redundant code, which could be removed without altering the results of the existing application tests. One of the redundant classes turned out to be (formerly) vulnerable, confirming that this technique has the potential to be applied for hardening purposes. However, by manually reviewing the results of our experiments, we observed that none of the tools can handle a widely used default mechanism for dynamic class loading.
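As an added illustration (not from the paper or any of the tools it evaluates), the following Python model reproduces the core step such a debloater performs, marking classes reachable from the entry point over statically visible references and dropping the rest, and then shows why a class that the application loads only by name at runtime ends up on the removal list. All class names, edges and the use of Class.forName as the dynamic mechanism are constructed assumptions.

```python
"""Toy model of dependency debloating (constructed example): reachability
over static references, then a class loaded by name that gets dropped."""
from collections import deque

# Constructed static reference graph: class -> classes it references directly
# in bytecode (field and method types, 'new', invoke targets).
STATIC_REFS = {
    "app.Main": {"app.Service", "lib.json.Parser"},
    "app.Service": {"lib.json.Parser"},
    "lib.json.Parser": {"lib.json.Lexer"},
    "lib.json.Lexer": set(),
    "lib.net.OldHttpClient": {"lib.net.Socket"},  # genuinely unused
    "lib.net.Socket": set(),
    "lib.xml.SaxDriver": {"lib.json.Lexer"},       # loaded only by name
}

# Constructed runtime table: app.Main resolves this name with Class.forName
# (assumed as the dynamic mechanism); a static graph has no edge for it.
DYNAMIC_LOADS = {"app.Main": {"lib.xml.SaxDriver"}}

def reachable(graph, roots):
    """Transitive closure of the edge map from the root set."""
    seen, work = set(), deque(roots)
    while work:
        cls = work.popleft()
        if cls in seen:
            continue
        seen.add(cls)
        work.extend(graph.get(cls, ()))
    return seen

def debloat(graph, entry, dynamic=None):
    """Return (kept, removed). With dynamic=None this is what a purely
    static debloater sees; otherwise dynamic targets become extra edges."""
    merged = {c: set(refs) for c, refs in graph.items()}
    for src, targets in (dynamic or {}).items():
        merged.setdefault(src, set()).update(targets)
    kept = reachable(merged, [entry])
    return kept, set(graph) - kept

def simulate_run(kept, dynamic):
    """Resolve each runtime load against the debloated jar; return the
    first class that is missing, or None if startup would succeed."""
    for targets in dynamic.values():
        for t in sorted(targets):
            if t not in kept:
                return t  # would surface as ClassNotFoundException
    return None
```

Running `debloat` without the dynamic table removes `lib.xml.SaxDriver` together with the truly dead `lib.net.*` classes, and `simulate_run` reports it as the class that would fail to load; feeding the dynamic-load names in as extra roots keeps it while still removing the dead ones.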