research-article

Open access

Machine Learning Systems are Bloated and Vulnerable

Authors:

Huaifeng Zhang,

Mohannad Alhanahnah,

Fahmi Abdulqadir Ahmed,

Philipp Leitner,

Ahmed Ali-EldinAuthors Info & Claims

Proceedings of the ACM on Measurement and Analysis of Computing Systems, Volume 8, Issue 1

Article No.: 6, Pages 1 - 30

https://doi.org/10.1145/3639032

Published: 21 February 2024 Publication History

Abstract

Today's software is bloated with both code and features that are not used by most users. This bloat is prevalent across the entire software stack, from operating systems and applications to containers. Containers are lightweight virtualization technologies used to package code and dependencies, providing portable, reproducible and isolated environments. For their ease of use, data scientists often utilize machine learning containers to simplify their workflow. However, this convenience comes at a cost: containers are often bloated with unnecessary code and dependencies, resulting in very large sizes. In this paper, we analyze and quantify bloat in machine learning containers. We develop MMLB, a framework for analyzing bloat in software systems, focusing on machine learning containers. MMLB measures the amount of bloat at both the container and package levels, quantifying the sources of bloat. In addition, MMLB integrates with vulnerability analysis tools and performs package dependency analysis to evaluate the impact of bloat on container vulnerabilities. Through experimentation with 15 machine learning containers from TensorFlow, PyTorch, and Nvidia, we show that bloat accounts for up to 80% of machine learning container sizes, increasing container provisioning times by up to 370% and exacerbating vulnerabilities by up to 99%.

References

[1]

Mart'in Abadi, Paul Barham, Jianmin Chen, Zhifeng Chen, Andy Davis, Jeffrey Dean, Matthieu Devin, Sanjay Ghemawat, Geoffrey Irving, Michael Isard, et al. 2016. $$TensorFlow$$: a system for $$Large-Scale$$ machine learning. In 12th USENIX symposium on operating systems design and implementation (OSDI 16). 265--283.

[2]

Ioannis Agadakos, Di Jin, David Williams-King, Vasileios P Kemerlis, and Georgios Portokalidis. 2019. Nibbler: debloating binary shared libraries. In Proceedings of the 35th Annual Computer Security Applications Conference. 70--83.

Digital Library

[3]

Aatira Anum Ahmad, Abdul Rafae Noor, Hashim Sharif, Usama Hameed, Shoaib Asif, Mubashir Anwar, Ashish Gehani, Fareed Zaffar, and Junaid Haroon Siddi2018bloati. 2021. Trimmer: an automated system for configuration-based software debloating. IEEE Transactions on Software Engineering, Vol. 48, 9 (2021), 3485--3505.

[4]

Mohannad Alhanahnah, Rithik Jain, Vaibhav Rastogi, Somesh Jha, and Thomas Reps. 2022. Lightweight, Multi-Stage, Compiler-Assisted Application Specialization. In 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P). 251--269. https://doi.org/10.1109/EuroSP53844.2022.00024

[5]

Anchore. 2022. Grype. https://github.com/anchore/grype. [Online; accessed 2022--10--27].

[6]

Babak Amin Azad, Pierre Laperdrix, and Nick Nikiforakis. 2019. Less is more: quantifying the security benefits of debloating web applications. In 28th USENIX Security Symposium (USENIX Security 19). 1697--1714.

[7]

Erik Bern. 2022. Git of Theseus. https://github.com/erikbern/git-of-theseus. [Online; accessed 2022--10--27].

[8]

Suparna Bhattacharya, Kanchi Gopinath, and Mangala Gowri Nanda. 2013. Combining concern input with program analysis for bloat detection. ACM SIGPLAN Notices, Vol. 48, 10 (2013), 745--764.

Digital Library

[9]

Suparna Bhattacharya, Karthick Rajamani, K Gopinath, and Manish Gupta. 2011. The interplay of software bloat, hardware energy proportionality and system bottlenecks. In Proceedings of the 4th Workshop on Power-Aware Computing and Systems. 1--5.

Digital Library

[10]

Michael D. Brown and Santosh Pande. 2019a. CARVE: Practical Security-Focused Software Debloating Using Simple Feature Set Mappings (FEAST'19). Association for Computing Machinery, New York, NY, USA, 1--7. https://doi.org/10.1145/3338502.3359764

Digital Library

[11]

Michael D Brown and Santosh Pande. 2019b. Carve: Practical security-focused software debloating using simple feature set mappings. In Proceedings of the 3rd ACM Workshop on Forming an Ecosystem Around Software Transformation. 1--7.

Digital Library

[12]

Michael D Brown and Santosh Pande. 2019c. Is less really more? towards better metrics for measuring security improvements realized through software debloating. In 12th USENIX Workshop on Cyber Security Experimentation and Test (CSET 19).

Digital Library

[13]

Bobby R Bruce, Tianyi Zhang, Jaspreet Arora, Guoqing Harry Xu, and Miryung Kim. 2020. Jshrink: In-depth investigation into debloating modern java applications. In Proceedings of the 28th ACM joint meeting on european software engineering conference and symposium on the foundations of software engineering. 135--146.

Digital Library

[14]

Cloud Architecture Center. 2023. MLOps: Continuous delivery and automation pipelines in machine learning. Google Cloud.

[15]

CentOS. 2023. Yum. https://wiki.centos.org/PackageManagement(2f)Yum.html. [Online; accessed 2023--10--2].

[16]

Jun Lin Chen, Daniyal Liaqat, Moshe Gabel, and Eyal de Lara. 2022. Starlight: Fast Container Provisioning on the Edge and over the $$WAN$$. In 19th USENIX Symposium on Networked Systems Design and Implementation (NSDI 22). 35--50.

[17]

Tianqi Chen, Mu Li, Yutian Li, Min Lin, Naiyan Wang, Minjie Wang, Tianjun Xiao, Bing Xu, Chiyuan Zhang, and Zheng Zhang. 2015. Mxnet: A flexible and efficient machine learning library for heterogeneous distributed systems. arXiv preprint arXiv:1512.01274 (2015).

[18]

Yurong Chen, Shaowen Sun, Tian Lan, and Guru Venkataramani. 2018. Toss: Tailoring online server systems through binary feature customization. In Proceedings of the 2018 Workshop on Forming an Ecosystem Around Software Transformation. 1--7.

Digital Library

[19]

Francc ois Chollet et al. 2018. Keras: The python deep learning library. Astrophysics source code library (2018), ascl--1806.

[20]

Jake Christensen, Ionut Mugurel Anghel, Rob Taglang, Mihai Chiroiu, and Radu Sion. 2020. $$DECAF$$: Automatic, adaptive de-bloating and hardening of $$COTS$$ firmware. In 29th USENIX Security Symposium (USENIX Security 20). 1713--1730.

[21]

Conda. 2023. Conda Documentation. https://docs.conda.io/en/latest/. [Online; accessed 2023--12--15].

[22]

Ward Cunningham. 1992. The WyCash portfolio management system. ACM SIGPLAN OOPS Messenger, Vol. 4, 2 (1992), 29--30.

Digital Library

[23]

Agrim Dewan, Poojith U Rao, Balwinder Sodhi, and Ritu Kapur. 2021. BloatLibD: Detecting Bloat Libraries in Java Applications. In ENASE. 126--137.

[24]

DockerSlim. 2022. DockerSlim. https://github.com/slimtoolkit/slim. [Online; accessed 2022--10--27].

[25]

FAIR. 2022. FAIRSEQ. https://github.com/facebookresearch/fairseq. [Online; accessed 2022--10--27].

[26]

Silvery Fu, Radhika Mittal, Lei Zhang, and Sylvia Ratnasamy. 2020. Fast and efficient container startup at the edge via dependency scheduling. In 3rd USENIX Workshop on Hot Topics in Edge Computing (HotEdge 20).

[27]

Google Cloud. 2023. MLOps: Continuous delivery and automation pipelines in machine learning. https://cloud.google.com/architecture/mlops-continuous-delivery-and-automation-pipelines-in-machine-learning?hl=en. [Online; accessed 2024--12--1].

[28]

Katharina Gschwind, Constantin Adam, Sastry Duri, Shripad Nadgowda, and Maja Vukovic. 2017. Optimizing service delivery with minimal runtimes. In International Conference on Service-Oriented Computing. Springer, 384--387.

[29]

Arpan Gujarati, Sameh Elnikety, Yuxiong He, Kathryn S McKinley, and Björn B Brandenburg. 2017. Swayam: distributed autoscaling to meet SLAs of machine learning inference services with resource efficiency. In Proceedings of the 18th ACM/IFIP/USENIX middleware conference. 109--120.

Digital Library

[30]

Klaus Haller. 2022. Managing AI in the Enterprise. Springer.

[31]

Kihong Heo, Woosuk Lee, Pardis Pashakhanloo, and Mayur Naik. 2018. Effective program debloating via reinforcement learning. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 380--394.

Digital Library

[32]

Intel. 2023. Intel oneAPI Math Kernel Library. https://www.intel.cn/content/www/cn/zh/developer/tools/oneapi/onemkl.html. [Online; accessed 2023--10--2].

[33]

Yangqing Jia, Evan Shelhamer, Jeff Donahue, Sergey Karayev, Jonathan Long, Ross Girshick, Sergio Guadarrama, and Trevor Darrell. 2014. Caffe: Convolutional architecture for fast feature embedding. In Proceedings of the 22nd ACM international conference on Multimedia. 675--678.

Digital Library

[34]

Yufei Jiang, Qinkun Bao, Shuai Wang, Xiao Liu, and Dinghao Wu. 2018. RedDroid: Android application redundancy customization based on static analysis. In 2018 IEEE 29th international symposium on software reliability engineering (ISSRE). IEEE, 189--199.

[35]

Hsuan-Chi Kuo, Jianyan Chen, Sibin Mohan, and Tianyin Xu. 2020. Set the configuration for the heart of the os: On the practicality of operating system kernel debloating. Proceedings of the ACM on Measurement and Analysis of Computing Systems, Vol. 4, 1 (2020), 1--27.

Digital Library

[36]

Yunseong Lee, Alberto Scolari, Byung-Gon Chun, Marco Domenico Santambrogio, Markus Weimer, and Matteo Interlandi. 2018. PRETZEL: Opening the Black Box of Machine Learning Prediction Serving Systems. In OSDI, Vol. 18. 611--626.

[37]

Nick Mitchell, Edith Schonberg, and Gary Sevitsky. 2009. Four trends leading to Java runtime bloat. IEEE software, Vol. 27, 1 (2009), 56--63.

[38]

NVIDIA. 2022. The NVIDIA CUDA Deep Neural Network library (cuDNN). https://docs.nvidia.com/deeplearning/cudnn/install-guide/index.html [Online; accessed 2022--10--27].

[39]

NVIDIA. 2022. NVIDIA Deep Learning Examples for Tensor Cores. https://github.com/NVIDIA/DeepLearningExamples. [Online; accessed 2022--10--27].

[40]

Nvidia. 2023. CUDA Toolkit. https://developer.nvidia.com/cuda-toolkit. [Online; accessed 2023--10--2].

[41]

NVIDIA. 2023. the CUDA Basic Linear Algebra Subroutine library (cuBLAS). https://docs.nvidia.com/cuda/cublas/index.html [Online; accessed 2023--10-03].

[42]

David OBrien, Sumon Biswas, Sayem Imtiaz, Rabe Abdalkareem, Emad Shihab, and Hridesh Rajan. 2022. 23 shades of self-admitted technical debt: an empirical study on machine learning software. In Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 734--746.

[43]

Moses Openja, Forough Majidi, Foutse Khomh, Bhagya Chembakottu, and Heng Li. 2022. Studying the practices of deploying machine learning projects on docker. In Proceedings of the International Conference on Evaluation and Assessment in Software Engineering 2022. 190--200.

Digital Library

[44]

Misun Park, Ketan Bhardwaj, and Ada Gavrilovska. 2020. Toward lighter containers for the edge. In 3rd USENIX Workshop on Hot Topics in Edge Computing (HotEdge 20).

[45]

Pardis Pashakhanloo, Aravind Machiry, Hyonyoung Choi, Anthony Canino, Kihong Heo, Insup Lee, and Mayur Naik. 2022. Pacjam: Securing dependencies continuously via package-oriented debloating. In Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security. 903--916.

Digital Library

[46]

Adam Paszke, Sam Gross, Francisco Massa, Adam Lerer, James Bradbury, Gregory Chanan, Trevor Killeen, Zeming Lin, Natalia Gimelshein, Luca Antiga, et al. 2019. Pytorch: An imperative style, high-performance deep learning library. Advances in neural information processing systems, Vol. 32 (2019).

[47]

PIP. 2023. pip. https://pip.pypa.io/en/stable/. [Online; accessed 2023--12--15].

[48]

Serena Elisa Ponta, Wolfram Fischer, Henrik Plate, and Antonino Sabetta. 2021. The used, the bloated, and the vulnerable: Reducing the attack surface of an industrial application. In 2021 IEEE International Conference on Software Maintenance and Evolution (ICSME). IEEE, 555--558.

[49]

PyTorch. 2022. PyTorch Examples. https://github.com/pytorch/examples. [Online; accessed 2022--10--27].

[50]

Chenxiong Qian, Hong Hu, Mansour Alharthi, Pak Ho Chung, Taesoo Kim, and Wenke Lee. 2019. $$RAZOR$$: A framework for post-deployment software debloating. In 28th USENIX Security Symposium (USENIX Security 19). 1733--1750.

[51]

Anh Quach and Aravind Prakash. 2019. Bloat factors and binary specialization. In Proceedings of the 3rd ACM Workshop on Forming an Ecosystem Around Software Transformation. 31--38.

Digital Library

[52]

Pranav Rajpurkar, Jian Zhang, Konstantin Lopyrev, and Percy Liang. 2016. SQuAD: 100,000 quachestions for Machine Comprehension of Text. In Proceedings of the 2016 Conference on Empirical Methods in Natural Language Processing. Association for Computational Linguistics, Austin, Texas, 2383--2392. https://doi.org/10.18653/v1/D16--1264

[53]

Vaibhav Rastogi, Drew Davidson, Lorenzo De Carli, Somesh Jha, and Patrick McDaniel. 2017. Cimplifier: Automatically Debloating Containers. In Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering (Paderborn, Germany) (ESEC/FSE 2017). Association for Computing Machinery, New York, NY, USA, 476--486. https://doi.org/10.1145/3106237.3106271

Digital Library

[54]

Olga Russakovsky, Jia Deng, Hao Su, Jonathan Krause, Sanjeev Satheesh, Sean Ma, Zhiheng Huang, Andrej Karpathy, Aditya Khosla, Michael Bernstein, Alexander C. Berg, and Li Fei-Fei. 2015. ImageNet Large Scale Visual Recognition Challenge. International Journal of Computer Vision (IJCV), Vol. 115, 3 (2015), 211--252. https://doi.org/10.1007/s11263-015-0816-y

Digital Library

[55]

David Sculley, Gary Holt, Daniel Golovin, Eugene Davydov, Todd Phillips, Dietmar Ebner, Vinay Chaudhary, Michael Young, Jean-Francois Crespo, and Dan Dennison. 2015. Hidden technical debt in machine learning systems. Advances in neural information processing systems, Vol. 28 (2015).

[56]

Aquacha Security. 2022. Trivy. https://github.com/a2018bloatasecurity/trivy. [Online; accessed 2022--10--27].

[57]

Pramod Singh. 2021. Deploy Machine Learning Models to Production. Springer.

[58]

César Soto-Valero, Thomas Durieux, and Benoit Baudry. 2021a. A longitudinal analysis of bloated java dependencies. In Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 1021--1031.

Digital Library

[59]

César Soto-Valero, Thomas Durieux, Nicolas Harrand, and Benoit Baudry. 2022. Coverage-Based Debloating for Java Bytecode. ACM Computing Surveys (CSUR) (2022).

[60]

César Soto-Valero, Nicolas Harrand, Martin Monperrus, and Benoit Baudry. 2021b. A comprehensive study of bloated dependencies in the maven ecosystem. Empirical Software Engineering, Vol. 26, 3 (2021), 45.

Digital Library

[61]

Yiming Tang, Raffi Khatchadourian, Mehdi Bagherzadeh, Rhia Singh, Ajani Stewart, and Anita Raja. 2021a. An empirical study of refactorings and technical debt in Machine Learning systems. In 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE). IEEE, 238--250.

Digital Library

[62]

Yutian Tang, Hao Zhou, Xiapu Luo, Ting Chen, Haoyu Wang, Zhou Xu, and Yan Cai. 2021b. Xdebloat: Towards automated feature-oriented app debloating. IEEE Transactions on Software Engineering, Vol. 48, 11 (2021), 4501--4520.

[63]

TensorFlow. 2022a. TensorFlow Model Garden. https://github.com/tensorflow/models. [Online; accessed 2022--10--27].

[64]

TensorFlow. 2022b. TensorFlow Serving. https://github.com/tensorflow/serving. [Online; accessed 2022--10--27].

[65]

Jörg Thalheim, Pramod Bhatotia, Pedro Fonseca, and Baris Kasikci. 2018. Cntr: Lightweight $$OS$$ containers. In 2018 $$USENIX$$ Annual Technical Conference ($$USENIX$$$$ATC$$ 18). 199--212.

[66]

TorchServe. 2022. TorchServe. https://github.com/pytorch/serve. [Online; accessed 2022--10--27].

[67]

Ubuntu. 2023. Package Managerment. https://ubuntu.com/server/docs/package-management. [Online; accessed 2023--12--15].

[68]

Richard Uhlig, David Nagle, Trevor Mudge, Stuart Sechrest, and Joel Emer. 1995. Instruction fetching: Coping with code bloat. ACM SIGARCH Computer Architecture News, Vol. 23, 2 (1995), 345--356.

Digital Library

[69]

Niklaus Wirth. 1995. A plea for lean software. Computer, Vol. 28, 2 (1995), 64--68.

Digital Library

[70]

Qi Xin, Qirun Zhang, and Alessandro Orso. 2022. Studying and understanding the tradeoffs between generality and reduction in software debloating. In Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering. 1--13.

Digital Library

[71]

Renjun Ye, Liang Liu, Simin Hu, Fangzhou Zhu, Jingxiu Yang, and Feng Wang. 2021. JSLIM: Reducing the known vulnerabilities of Javascript application by debloating. In International Symposium on Emerging Information Security and Applications. Springer, 128--143.

[72]

Nusrat Zahan, Elizabeth Lin, Mahzabin Tamanna, William Enck, and Laurie Williams. 2023. Software Bills of Materials Are Required. Are We There Yet? IEEE Security & Privacy, Vol. 21, 2 (2023), 82--88.

Digital Library

[73]

Matei Zaharia, Andrew Chen, Aaron Davidson, Ali Ghodsi, Sue Ann Hong, Andy Konwinski, Siddharth Murching, Tomas Nykodym, Paul Ogilvie, Mani Parkhe, et al. 2018. Accelerating the machine learning lifecycle with MLflow. IEEE Data Eng. Bull., Vol. 41, 4 (2018), 39--45.

[74]

Nannan Zhao, Vasily Tarasov, Hadeel Albahar, Ali Anwar, Lukas Rupprecht, Dimitrios Skourtis, Arnab K Paul, Keren Chen, and Ali R Butt. 2020. Large-scale analysis of docker images and performance implications for container storage systems. IEEE Transactions on Parallel and Distributed Systems, Vol. 32, 4 (2020), 918--930.

Digital Library

[75]

Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Small World with High Risks: A Study of Security Threats in the npm Ecosystem. In USENIX security symposium, Vol. 17. io

Cited By

Zhang HAlhanahnah MAhmed FFatih DLeitner PAli-Eldin A(2024)Machine Learning Systems are Bloated and VulnerableACM SIGMETRICS Performance Evaluation Review10.1145/3673660.365506452:1(37-38)Online publication date: 13-Jun-2024
https://doi.org/10.1145/3673660.3655064
Zhang HAlhanahnah MAhmed FFatih DLeitner PAli-Eldin AGaretto MMarin ACiucu FFanti GRighter R(2024)Machine Learning Systems are Bloated and VulnerableAbstracts of the 2024 ACM SIGMETRICS/IFIP PERFORMANCE Joint International Conference on Measurement and Modeling of Computer Systems10.1145/3652963.3655064(37-38)Online publication date: 10-Jun-2024
https://doi.org/10.1145/3652963.3655064

Index Terms

Machine Learning Systems are Bloated and Vulnerable
1. Software and its engineering
  1. Software notations and tools
    1. Software libraries and repositories

Recommendations

Machine Learning Systems are Bloated and Vulnerable
SIGMETRICS '24

Today's software is bloated with both code and features that are not used by most users. This bloat is prevalent across the entire software stack, from operating systems and applications to containers. Containers are lightweight virtualization ...
Machine Learning Systems are Bloated and Vulnerable
SIGMETRICS/PERFORMANCE '24: Abstracts of the 2024 ACM SIGMETRICS/IFIP PERFORMANCE Joint International Conference on Measurement and Modeling of Computer Systems

Today's software is bloated with both code and features that are not used by most users. This bloat is prevalent across the entire software stack, from operating systems and applications to containers. Containers are lightweight virtualization ...
4 Systems Perspectives into Human-Centered Machine Learning
MobiCom '19: The 25th Annual International Conference on Mobile Computing and Networking

Machine learning (ML) has had a tremendous impact in across the world over the last decade. As we think about ML solving complex tasks, sometimes at super-human levels, it is easy to forget that there is no machine learning without humans in the loop. ...

Comments

Information & Contributors

Information

Published In

cover image Proceedings of the ACM on Measurement and Analysis of Computing Systems

Proceedings of the ACM on Measurement and Analysis of Computing Systems Volume 8, Issue 1

POMACS

March 2024

494 pages

EISSN:2476-1249

DOI:10.1145/3649331

Editors:
Augustin Chaintreau
Columbia University
,
Leana Golubchik
University of Southern California, United States
,
Zhi-Li Zhang
University of Minnesota, United States

Issue’s Table of Contents

Copyright © 2024 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 February 2024

Published in POMACS Volume 8, Issue 1

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
390
Total Downloads

Downloads (Last 12 months)390
Downloads (Last 6 weeks)90

Reflects downloads up to 11 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

Zhang HAlhanahnah MAhmed FFatih DLeitner PAli-Eldin A(2024)Machine Learning Systems are Bloated and VulnerableACM SIGMETRICS Performance Evaluation Review10.1145/3673660.365506452:1(37-38)Online publication date: 13-Jun-2024
https://doi.org/10.1145/3673660.3655064
Zhang HAlhanahnah MAhmed FFatih DLeitner PAli-Eldin AGaretto MMarin ACiucu FFanti GRighter R(2024)Machine Learning Systems are Bloated and VulnerableAbstracts of the 2024 ACM SIGMETRICS/IFIP PERFORMANCE Joint International Conference on Measurement and Modeling of Computer Systems10.1145/3652963.3655064(37-38)Online publication date: 10-Jun-2024
https://doi.org/10.1145/3652963.3655064

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Media

Figures

Other

Tables

View Issue’s Table of Contents