Debloating Software through Piece-Wise Compilation and Loading
share
Programs are bloated. Our study shows that only 5 across Ubuntu Desktop environment (>2200 programs); the heaviest user, vlc media player, only used 18 vulnerable attack surface for software exploitation and imposes undue burden on defenses (e.g., CFI defenses). In this paper: (1) We present a debloating framework built on a compiler toolchain that can successfully debloat software (shared/static libraries and executables). Our solution can successfully compile and load most libraries on Ubuntu Desktop 16.04. (2) We demonstrate an elimination of over 84 coreutils and 85 functionality. We show that even complex COTS programs (e.g., FireFox, Curl) can be debloated without a need to recompile. (3) We demonstrate the security impact of our system by eliminating over 70 coreutils suite, and show that unused code that contain real-world vulnerabilities can be successfully eliminated without adverse effects on the program. (4) Our solution imposes a low load time overhead.
READ FULL TEXT