RAZOR: a framework for post-deployment software debloating
Abstract
Commodity software typically includes a large number of functionalities for a broad user population. However, each individual user usually only needs a small subset of all supported functionalities. The bloated code not only hinders optimal execution, but also leads to a larger attack surface. Recent works have explored program debloating as an emerging solution to this problem. Unfortunately, these works require program source code, limiting their real-world deployability.
In this paper, we propose a practical debloating framework, RAZOR, that performs code reduction for deployed binaries. Based on users' specifications, our tool customizes the binary to generate a functional program with minimal code size. Instead of only supporting given test cases, RAZOR takes several control-flow heuristics to infer complementary code that is necessary to support user-expected functionalities. We evaluated RAZOR on commonly used benchmarks and real-world applications, including the web browser Firefox and the closed-source PDF reader FoxitReader. The result shows that RAZOR is able to reduce over 70% of the code from the bloated binary. It produces functional programs and does not introduce any security issues. RAZOR is thus a practical framework for debloating real-world programs.
Sponsors
- Google Inc.
- IBMR: IBM Research
- Microsoft: Microsoft
- Intel: Intel
- Facebook: Facebook
Publisher
USENIX Association
United States
Publication History
Published: 14 August 2019