The Used, the Bloated, and the Vulnerable: Reducing the Attack Surface of an Industrial Application

2021 IEEE International Conference on Software Maintenance and Evolution (ICSME) Pub Date : 2021-08-11 DOI:10.26226/morressier.613b5418842293c031b5b612

Serena Elisa Ponta, Wolf Fischer, H. Plate, A. Sabetta

{"title":"The Used, the Bloated, and the Vulnerable: Reducing the Attack Surface of an Industrial Application","authors":"Serena Elisa Ponta, Wolf Fischer, H. Plate, A. Sabetta","doi":"10.26226/morressier.613b5418842293c031b5b612","DOIUrl":null,"url":null,"abstract":"Software reuse may result in software bloat when significant portions of application dependencies are effectively unused. Several tools exist to remove unused (byte)code from an application or its dependencies, thus producing smaller artifacts and, potentially, reducing the overall attack surface. In this paper we evaluate the ability of three debloating tools to distinguish which dependency classes are necessary for an application to function correctly from those that could be safely removed. To do so, we conduct a case study on a real-world commercial Java application. Our study shows that the tools we used were able to correctly identify a considerable amount of redundant code, which could be removed without altering the results of the existing application tests. One of the redundant classes turned out to be (formerly) vulnerable, confirming that this technique has the potential to be applied for hardening purposes. However, by manually reviewing the results of our experiments, we observed that none of the tools can handle a widely used default mechanism for dynamic class loading.","PeriodicalId":205629,"journal":{"name":"2021 IEEE International Conference on Software Maintenance and Evolution (ICSME)","volume":"117 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-08-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 IEEE International Conference on Software Maintenance and Evolution (ICSME)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.26226/morressier.613b5418842293c031b5b612","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 7

Abstract

Software reuse may result in software bloat when significant portions of application dependencies are effectively unused. Several tools exist to remove unused (byte)code from an application or its dependencies, thus producing smaller artifacts and, potentially, reducing the overall attack surface. In this paper we evaluate the ability of three debloating tools to distinguish which dependency classes are necessary for an application to function correctly from those that could be safely removed. To do so, we conduct a case study on a real-world commercial Java application. Our study shows that the tools we used were able to correctly identify a considerable amount of redundant code, which could be removed without altering the results of the existing application tests. One of the redundant classes turned out to be (formerly) vulnerable, confirming that this technique has the potential to be applied for hardening purposes. However, by manually reviewing the results of our experiments, we observed that none of the tools can handle a widely used default mechanism for dynamic class loading.

查看原文本刊更多论文

使用的、膨胀的和脆弱的:减少工业应用的攻击面

当应用程序依赖的重要部分实际上未被使用时，软件重用可能会导致软件膨胀。有几种工具可以从应用程序或其依赖项中删除未使用的(字节)代码，从而产生更小的工件，并可能减少总体攻击面。在本文中，我们评估了三种解压工具的能力，以区分哪些依赖类是应用程序正常运行所必需的，哪些依赖类可以安全删除。为此，我们对一个真实的商业Java应用程序进行了案例研究。我们的研究表明，我们使用的工具能够正确识别相当数量的冗余代码，这些代码可以在不改变现有应用程序测试结果的情况下被删除。其中一个冗余类(以前)是易受攻击的，这证实了该技术具有应用于强化目的的潜力。然而，通过手工检查我们的实验结果，我们发现没有一个工具可以处理广泛使用的动态类加载的默认机制。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2021 IEEE International Conference on Software Maintenance and Evolution (ICSME)

自引率

0.00%

发文量