To attend this virtual event, click here.

Abstract  

As software becomes increasingly complex, its attack surface expands enabling the exploitation of a wide range of vulnerabilities. Web applications are no exception since modern HTML5 standards and the ever-increasing capabilities of JavaScript are utilized to build rich web applications, often subsuming the need for traditional desktop applications. One possible way of handling this increased complexity is through the process of software debloating, i.e., the removal not only of dead code but also of code corresponding to features that a specific set of users do not require. Debloating has been successfully applied to operating systems, libraries, and compiled programs. In this talk, we focus on debloating web applications and it's unique challenges. After reviewing the literature and the state-of-the-art debloating strategies for binaries, we go over the security benefits of debloating web applications. We focus on four popular PHP applications and evaluate two different debloating strategies (file-level debloating and function-level debloating) and we show that we can produce functional web applications that are 46% smaller than their original versions and exhibit half their original cyclomatic complexity. Moreover, our results show that the process of debloating removes code associated with tens of historical vulnerabilities and further shrinks a web application’s attack surface by removing unnecessary external packages and abusable PHP gadgets.

Speaker Bio

Babak Amid Azad is a Ph.D. candidate at Stony Brook University. He works under the supervision of Professor Nikiforakis, aiming to uncover vulnerabilities and practices, that make the web insecure. More specifically, by reducing the attack surface of web applications through software debloating. In his latest work (published at USENIX security 2019) he showed that we can remove up to 60% of historical CVEs and reduce the size of a web application by 65% while maintaining the most popular functionality of the evaluated web applications. Orthogonal to his work on attack surface reduction, he studies malicious bots on the internet devising ways to protect websites against them by differentiating their traffic from regular user traffic.