DOI: 10.1145/3372297.3417866
research-article

Slimium: Debloating the Chromium Browser with Feature Subsetting

Published: 02 November 2020

    Abstract

    Today, a web browser plays a crucial role in offering a broad spectrum of web experiences. The most popular browser, Chromium, has become an extremely complex application to meet ever-increasing user demands, exposing unavoidably large attack vectors due to its large code base. Code debloating attracts attention as a means of reducing such a potential attack surface by eliminating unused code. However, it is very challenging to perform sophisticated code removal without breaking needed functionalities because Chromium operates on a large number of closely connected and complex components, such as a renderer and JavaScript engine. In this paper, we present Slimium, a debloating framework for a browser (i.e., Chromium) that harnesses a hybrid approach for a fast and reliable binary instrumentation. The main idea behind Slimium is to determine a set of features as a debloating unit on top of a hybrid (i.e., static, dynamic, heuristic) analysis, and then leverage feature subsetting to code debloating. It aids in i) focusing on security-oriented features, ii) discarding unneeded code simply without complications, and iii) reasonably addressing a non-deterministic path problem raised from code complexity. To this end, we generate a feature-code map with a relation vector technique and prompt webpage profiling results. Our experimental results demonstrate the practicality and feasibility of Slimium for 40 popular websites, as on average it removes 94 CVEs (61.4%) by cutting down 23.85 MB code (53.1%) from defined features (21.7% of the whole) in Chromium.

      Published In

      CCS '20: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security
      October 2020
      2180 pages
      ISBN:9781450370899
      DOI:10.1145/3372297
      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. binary rewriting
      2. browser
      3. debloating
      4. program analysis

      Acceptance Rates

      Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
