SoK: A Tale of Reduction, Security, and Correctness - Evaluating Program Debloating Paradigms and Their Compositions

Muaz Ali; Muhammad Muzammil; Faraz Karim; Ayesha Naeem; Rukhshan Haroon; Muhammad Haris; Huzaifah Nadeem; Waseem Sabir; Fahad Shaon; Fareed Zaffar; Vinod Yegneswaran; Ashish Gehani; Sazzadur Rahaman

doi:10.1007/978-3-031-51482-1_12

SoK: A Tale of Reduction, Security, and Correctness - Evaluating Program Debloating Paradigms and Their Compositions

Muaz Ali, Muhammad Muzammil, Faraz Karim, Ayesha Naeem, Rukhshan Haroon, Muhammad Haris, Huzaifah Nadeem, Waseem Sabir, Fahad Shaon, Fareed Zaffar, Vinod Yegneswaran, Ashish Gehani, Sazzadur Rahaman

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Automated software debloating of program source or binary code has tremendous potential to improve both application performance and security. Unfortunately, measuring and comparing the effectiveness of various debloating methods is challenging due to the absence of a universal benchmarking platform that can accommodate diverse approaches. In this paper, we first present DEBLOATBENCHA (Debloating benchmark for applications), an extensible and sustainable benchmarking platform that enables comparison of different research techniques. Then, we perform a holistic comparison of the techniques to assess the current progress. In the current version, we integrated four software debloating research tools: Chisel, Occam, Razor, and Piece-wise. Each tool is representative of a different class of debloaters: program source, compiler intermediate representation, executable binary, and external library. Our evaluation revealed interesting insights (i.e., hidden and explicit tradeoffs) about existing techniques, which might inspire future research. For example, all the binaries produced by Occam and Piece-Wise were correct, while Chisel significantly outperformed others in binary size and Gadget class reductions. In a first-of-its-kind composition, we also combined multiple debloaters to debloat a single binary. Our performance evaluation showed that, in both ASLR-proof and Turing-complete gadget expressively cases, several compositions (e.g., Chisel-Occam, Chisel-Occam-Razor) significantly outperformed the best-performing single tool (i.e., Chisel).

Original language	English (US)
Title of host publication	Computer Security – ESORICS 2023 - 28th European Symposium on Research in Computer Security, The Hague, The Netherlands, September 25–29, 2023, Proceedings
Editors	Gene Tsudik, Mauro Conti, Kaitai Liang, Georgios Smaragdakis
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	229-249
Number of pages	21
ISBN (Print)	9783031514814
DOIs	https://doi.org/10.1007/978-3-031-51482-1_12
State	Published - 2024
Event	28th European Symposium on Research in Computer Security, ESORICS 2023 - The Hague, Netherlands Duration: Sep 25 2023 → Sep 29 2023

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	14347 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	28th European Symposium on Research in Computer Security, ESORICS 2023
Country/Territory	Netherlands
City	The Hague
Period	9/25/23 → 9/29/23

Keywords

Benchmark
Debloating Comparison
Program Debloating

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-031-51482-1_12

Cite this

Ali, M., Muzammil, M., Karim, F., Naeem, A., Haroon, R., Haris, M., Nadeem, H., Sabir, W., Shaon, F., Zaffar, F., Yegneswaran, V., Gehani, A., & Rahaman, S. (2024). SoK: A Tale of Reduction, Security, and Correctness - Evaluating Program Debloating Paradigms and Their Compositions. In G. Tsudik, M. Conti, K. Liang, & G. Smaragdakis (Eds.), Computer Security – ESORICS 2023 - 28th European Symposium on Research in Computer Security, The Hague, The Netherlands, September 25–29, 2023, Proceedings (pp. 229-249). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 14347 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-51482-1_12

SoK: A Tale of Reduction, Security, and Correctness - Evaluating Program Debloating Paradigms and Their Compositions. / Ali, Muaz; Muzammil, Muhammad; Karim, Faraz et al.
Computer Security – ESORICS 2023 - 28th European Symposium on Research in Computer Security, The Hague, The Netherlands, September 25–29, 2023, Proceedings. ed. / Gene Tsudik; Mauro Conti; Kaitai Liang; Georgios Smaragdakis. Springer Science and Business Media Deutschland GmbH, 2024. p. 229-249 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 14347 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Ali, M, Muzammil, M, Karim, F, Naeem, A, Haroon, R, Haris, M, Nadeem, H, Sabir, W, Shaon, F, Zaffar, F, Yegneswaran, V, Gehani, A & Rahaman, S 2024, SoK: A Tale of Reduction, Security, and Correctness - Evaluating Program Debloating Paradigms and Their Compositions. in G Tsudik, M Conti, K Liang & G Smaragdakis (eds), Computer Security – ESORICS 2023 - 28th European Symposium on Research in Computer Security, The Hague, The Netherlands, September 25–29, 2023, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 14347 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 229-249, 28th European Symposium on Research in Computer Security, ESORICS 2023, The Hague, Netherlands, 9/25/23. https://doi.org/10.1007/978-3-031-51482-1_12

Ali M, Muzammil M, Karim F, Naeem A, Haroon R, Haris M et al. SoK: A Tale of Reduction, Security, and Correctness - Evaluating Program Debloating Paradigms and Their Compositions. In Tsudik G, Conti M, Liang K, Smaragdakis G, editors, Computer Security – ESORICS 2023 - 28th European Symposium on Research in Computer Security, The Hague, The Netherlands, September 25–29, 2023, Proceedings. Springer Science and Business Media Deutschland GmbH. 2024. p. 229-249. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-51482-1_12

Ali, Muaz ; Muzammil, Muhammad ; Karim, Faraz et al. / SoK : A Tale of Reduction, Security, and Correctness - Evaluating Program Debloating Paradigms and Their Compositions. Computer Security – ESORICS 2023 - 28th European Symposium on Research in Computer Security, The Hague, The Netherlands, September 25–29, 2023, Proceedings. editor / Gene Tsudik ; Mauro Conti ; Kaitai Liang ; Georgios Smaragdakis. Springer Science and Business Media Deutschland GmbH, 2024. pp. 229-249 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{6f33a455787147309e7a1d1b9c12fc69,

title = "SoK: A Tale of Reduction, Security, and Correctness - Evaluating Program Debloating Paradigms and Their Compositions",

abstract = "Automated software debloating of program source or binary code has tremendous potential to improve both application performance and security. Unfortunately, measuring and comparing the effectiveness of various debloating methods is challenging due to the absence of a universal benchmarking platform that can accommodate diverse approaches. In this paper, we first present DEBLOATBENCHA (Debloating benchmark for applications), an extensible and sustainable benchmarking platform that enables comparison of different research techniques. Then, we perform a holistic comparison of the techniques to assess the current progress. In the current version, we integrated four software debloating research tools: Chisel, Occam, Razor, and Piece-wise. Each tool is representative of a different class of debloaters: program source, compiler intermediate representation, executable binary, and external library. Our evaluation revealed interesting insights (i.e., hidden and explicit tradeoffs) about existing techniques, which might inspire future research. For example, all the binaries produced by Occam and Piece-Wise were correct, while Chisel significantly outperformed others in binary size and Gadget class reductions. In a first-of-its-kind composition, we also combined multiple debloaters to debloat a single binary. Our performance evaluation showed that, in both ASLR-proof and Turing-complete gadget expressively cases, several compositions (e.g., Chisel-Occam, Chisel-Occam-Razor) significantly outperformed the best-performing single tool (i.e., Chisel).",

keywords = "Benchmark, Debloating Comparison, Program Debloating",

author = "Muaz Ali and Muhammad Muzammil and Faraz Karim and Ayesha Naeem and Rukhshan Haroon and Muhammad Haris and Huzaifah Nadeem and Waseem Sabir and Fahad Shaon and Fareed Zaffar and Vinod Yegneswaran and Ashish Gehani and Sazzadur Rahaman",

note = "Publisher Copyright: {\textcopyright} 2024, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 28th European Symposium on Research in Computer Security, ESORICS 2023 ; Conference date: 25-09-2023 Through 29-09-2023",

year = "2024",

doi = "10.1007/978-3-031-51482-1_12",

language = "English (US)",

isbn = "9783031514814",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "229--249",

editor = "Gene Tsudik and Mauro Conti and Kaitai Liang and Georgios Smaragdakis",

booktitle = "Computer Security – ESORICS 2023 - 28th European Symposium on Research in Computer Security, The Hague, The Netherlands, September 25–29, 2023, Proceedings",

address = "Germany",

}

TY - GEN

T1 - SoK

T2 - 28th European Symposium on Research in Computer Security, ESORICS 2023

AU - Ali, Muaz

AU - Muzammil, Muhammad

AU - Karim, Faraz

AU - Naeem, Ayesha

AU - Haroon, Rukhshan

AU - Haris, Muhammad

AU - Nadeem, Huzaifah

AU - Sabir, Waseem

AU - Shaon, Fahad

AU - Zaffar, Fareed

AU - Yegneswaran, Vinod

AU - Gehani, Ashish

AU - Rahaman, Sazzadur

PY - 2024

Y1 - 2024

N2 - Automated software debloating of program source or binary code has tremendous potential to improve both application performance and security. Unfortunately, measuring and comparing the effectiveness of various debloating methods is challenging due to the absence of a universal benchmarking platform that can accommodate diverse approaches. In this paper, we first present DEBLOATBENCHA (Debloating benchmark for applications), an extensible and sustainable benchmarking platform that enables comparison of different research techniques. Then, we perform a holistic comparison of the techniques to assess the current progress. In the current version, we integrated four software debloating research tools: Chisel, Occam, Razor, and Piece-wise. Each tool is representative of a different class of debloaters: program source, compiler intermediate representation, executable binary, and external library. Our evaluation revealed interesting insights (i.e., hidden and explicit tradeoffs) about existing techniques, which might inspire future research. For example, all the binaries produced by Occam and Piece-Wise were correct, while Chisel significantly outperformed others in binary size and Gadget class reductions. In a first-of-its-kind composition, we also combined multiple debloaters to debloat a single binary. Our performance evaluation showed that, in both ASLR-proof and Turing-complete gadget expressively cases, several compositions (e.g., Chisel-Occam, Chisel-Occam-Razor) significantly outperformed the best-performing single tool (i.e., Chisel).

AB - Automated software debloating of program source or binary code has tremendous potential to improve both application performance and security. Unfortunately, measuring and comparing the effectiveness of various debloating methods is challenging due to the absence of a universal benchmarking platform that can accommodate diverse approaches. In this paper, we first present DEBLOATBENCHA (Debloating benchmark for applications), an extensible and sustainable benchmarking platform that enables comparison of different research techniques. Then, we perform a holistic comparison of the techniques to assess the current progress. In the current version, we integrated four software debloating research tools: Chisel, Occam, Razor, and Piece-wise. Each tool is representative of a different class of debloaters: program source, compiler intermediate representation, executable binary, and external library. Our evaluation revealed interesting insights (i.e., hidden and explicit tradeoffs) about existing techniques, which might inspire future research. For example, all the binaries produced by Occam and Piece-Wise were correct, while Chisel significantly outperformed others in binary size and Gadget class reductions. In a first-of-its-kind composition, we also combined multiple debloaters to debloat a single binary. Our performance evaluation showed that, in both ASLR-proof and Turing-complete gadget expressively cases, several compositions (e.g., Chisel-Occam, Chisel-Occam-Razor) significantly outperformed the best-performing single tool (i.e., Chisel).

KW - Benchmark

KW - Debloating Comparison

KW - Program Debloating

UR - http://www.scopus.com/inward/record.url?scp=85182604593&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85182604593&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-51482-1_12

DO - 10.1007/978-3-031-51482-1_12

M3 - Conference contribution

AN - SCOPUS:85182604593

SN - 9783031514814

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 229

EP - 249

BT - Computer Security – ESORICS 2023 - 28th European Symposium on Research in Computer Security, The Hague, The Netherlands, September 25–29, 2023, Proceedings

A2 - Tsudik, Gene

A2 - Conti, Mauro

A2 - Liang, Kaitai

A2 - Smaragdakis, Georgios

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 25 September 2023 through 29 September 2023

ER -