Title: Reducing Software's Attack Surface with Code Debloating

Chenxiong Qian
Ph.D. Student in Computer Science
School of Computer Science
College of Computing
Georgia Institute of Technology

Date: April 22, 2021
Time: 12:00 PM to 2:00 PM (EST)
Location (remote via Bluejeans): https://bluejeans.com/116525426

Committee

Dr. Wenke Lee (Advisor, School of Computer Science, Georgia Institute of Technology)

Dr. William R. Harris (Co-Advisor, Galois, Inc)
Dr. Taesoo Kim (School of Computer Science, Georgia Institute of Technology)
Dr. Alessandro Orso (School of Computer Science, Georgia Institute of Technology)

Dr. Brendan Saltaformaggio ( School of Electrical and Computer Engineering, Georgia Institute of Technology)


Abstract
Current practice for developing and deploying software encourages the deployment of software to provide a large spectrum of features. Software with rich features usually exposes larger attack surface and makes it easier for an attacker to launch attacks. After observing that a large portion of software’s features are rarely required by users, an emerging solution, code debloating, has been proposed to reduce software’s attack surface by removing unneeded features’ code. However, there exist several challenges for building such systems: (1) non-developer users cannot describe clearly what features are unneeded; (2) there is no clear boundaries among the code of different features; (3) large and complex software takes inputs that keep changing, which results in non-deterministic executions. 

In this dissertation, I present three projects that address the above challenges incrementally. First, I will introduce a binary rewriting framework (Razor) that first runs software on given running examples and collects the executed code as references. Then, it uses heuristics to syntactically infer non-executed code that is related to the functionality indicated by the running examples, and directly rewrites the binary to generate a debloated version of the software. Second, I will present a framework (Slimium) that customizes the dominant web browser, Chromium, for visiting specific websites. Slimium removes unrequired features in Chromium based on a feature-code mapping created from manual analysis and static program analysis; and identifies non-deterministic code through dynamic profiling. The results show that Slimium generates slim versions of Chromium with 60% of the potential vulnerabilities removed, for visiting popular websites. In the end, I will present a static analysis framework that automatically partitions a large-scale and complex software's source code into different groups implementing different features. The framework provides static analysis for effectively summarizing each function's code, type analysis, data dependency analysis, etc., and it uses graph algorithms to group the code and data objects relying on the static analysis results. The evaluation shows that the framework is able to build the feature-code mapping for Chromium automatically and the mapping is more accurate and complete than the one created manually in Slimium, which improves the code reduction performance.

----------------------------------

Additional Meeting Details

Link: https://bluejeans.com/116525426

Dial one of the following numbers:

+1.408.419.1715

(United States(San Jose))

+1.408.915.6290

(United States(San Jose))

Meeting ID: 116 525 426
Moderator Passcode (if required): 2461