Debloating Software through Piece-Wise Compilation and Loading Anh Quach Aravind Prakash Binghamton University Binghamton University
[email protected] [email protected] Lok Yan Air Force Research Laboratory
[email protected] Abstract This extraneous code may contain its own bugs and vulnerabilities and therefore broadens the overall attack Programs are bloated. Our study shows that only 5% of surface. Additionally, these features add unnecessary libc is used on average across the Ubuntu Desktop envi- burden on modern defenses (e.g., CFI) that do not dis- ronment (2016 programs); the heaviest user, vlc media tinguish between used and unused features in software. player, only needed 18%. Accumulation of unnecessary code in a binary – either In this paper: (1) We present a debloating framework by design (e.g., shared libraries) or due to software devel- built on a compiler toolchain that can successfully de- opment inefficiencies – amounts to code bloating. As a bloat programs (shared/static libraries and executables). typical example, shared libraries are designed to contain Our solution can successfully compile and load most li- the union of all functionality required by its users. braries on Ubuntu Desktop 16.04. (2) We demonstrate Static dead-code-elimination – a static analysis tech- the elimination of over 79% of code from coreutils nique used to identify unused code paths and remove and 86% of code from SPEC CPU 2006 benchmark pro- them from the final binary – employed during compila- grams without affecting functionality. We show that even tion is an effective means to reduce bloat. In fact, under complex programs such as Firefox and curl can be higher levels of optimization, modern compilers (clang, debloated without a need to recompile.