<![CDATA[PhD Proposal by Chenxiong Qian]]>

641792 event 1606938414 1606938414 <![CDATA[PhD Proposal by Chenxiong Qian]]> Title: Reducing Software's Attack Surface with Code Debloating

Chenxiong Qian
Ph.D. Student in Computer Science
School of Computer Science
College of Computing
Georgia Institute of Technology

Date: December 3, 2020
Time: 10:00 AM to 12:00 PM (EST)
Location (remote via Bluejeans): https://bluejeans.com/482787466

Committee

Dr. Wenke Lee (Advisor, School of Computer Science, Georgia Institute of Technology)

Dr. William R. Harris (Co-Advisor, Galois, Inc)
Dr. Taesoo Kim (School of Computer Science, Georgia Institute of Technology)
Dr. Alessandro Orso (School of Computer Science, Georgia Institute of Technology)

Dr. Brendan Saltaformaggio ( School of Electrical and Computer Engineering, Georgia Institute of Technology)

Abstract
Current practice for developing and deploying software encourages the deployment of software to provide a large spectrum of features. Software with rich features usually exposes larger attack surface and makes it easier for an attacker to launch attacks. After observing that a large portion of software’s features are rarely required by users, an emerging solution, code debloating, has been proposed to reduce software’s attack surface by removing unneeded features’ code. However, there exist several challenges for building such systems: (1) non-developer users cannot describe clearly what features are unneeded; (2) there is no clear boundaries among the code of different features; (3) large and complex software takes inputs that keep changing, which results in non-deterministic executions. To address the challenges, I will first introduce a binary rewriting framework (Razor) that first runs software on given running examples and collects the executed code as references. Then, it uses heuristics to syntactically infer non-executed code that is related to the functionality indicated by the running examples, and directly rewrites the binary to generate a debloated version of the software. After that, I will present a framework (Slimium) that customizes the dominant web browser, Chromium, for visiting specific websites. Slimium removes unrequired features in Chromium based on a feature-code mapping created from manual analysis and static program analysis; and identifies non-deterministic code through dynamic profiling. The results show that Slimium generates slim versions of Chromium with 60% of the potential vulnerabilities removed, for visiting popular websites. In the end, I will briefly discuss my ongoing research that uses program reasoning and differential software testing to automatically partition software’s code for different features.

----------------------------------

Additional Meeting Details

Link: https://bluejeans.com/482787466

]]> <![CDATA[Bluejeans]]> 221981 1788 102851