"Less is More: Web Application Attack Surface Reduction Through Software Debloating"


Event Details
  • Date/Time:
    • Friday April 3, 2020 - Saturday April 4, 2020
      12:00 pm - 12:59 pm
  • Location: online
  • Fee(s): N/A
Contact
No contact information submitted.
Summaries

Summary Sentence: Part of the Cybersecurity Lecture Series

Full Summary: No summary paragraph submitted.


Abstract

As software becomes increasingly complex, its attack surface expands, enabling the exploitation of a wide range of vulnerabilities. Web applications are no exception, since modern HTML5 standards and the ever-increasing capabilities of JavaScript are used to build rich web applications that often replace traditional desktop applications. One possible way of handling this increased complexity is software debloating, i.e., the removal not only of dead code but also of code corresponding to features that a specific set of users does not require. Debloating has been successfully applied to operating systems, libraries, and compiled programs. In this talk, we focus on debloating web applications and its unique challenges. After reviewing the literature and the state-of-the-art debloating strategies for binaries, we go over the security benefits of debloating web applications. We focus on four popular PHP applications and evaluate two different debloating strategies (file-level debloating and function-level debloating), and we show that we can produce functional web applications that are 46% smaller than their original versions and exhibit half their original cyclomatic complexity. Moreover, our results show that the process of debloating removes code associated with tens of historical vulnerabilities and further shrinks a web application's attack surface by removing unnecessary external packages and abusable PHP gadgets.
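As an added illustration of the function-level strategy the abstract describes (this is not code from the talk, the paper, or any real application), the following Python sketch takes a constructed PHP file and a constructed usage profile, replaces the body of every function the profile never saw executing with a halting stub, and reports a crude cyclomatic complexity before and after. The PHP sample, the profile, and the regex-based function matching are all assumptions made for the example.

```python
import re

# Constructed PHP file standing in for part of a web application (not the talk's or any real app's code).
SAMPLE_PHP = """<?php
function login($user, $pass) {
    if (check_password($user, $pass)) { return true; }
    return false;
}
function check_password($user, $pass) {
    return hash('sha256', $pass) === lookup($user);
}
function import_settings($blob) {
    $cfg = unserialize($blob);
    foreach ($cfg as $k => $v) {
        if ($k === 'debug' && $v) { ini_set('display_errors', '1'); }
    }
}
"""
# Constructed usage profile: functions seen executing while users exercised the features they need.
USED_FUNCTIONS = {"login", "check_password"}
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")
DECISION_RE = re.compile(r"\b(if|elseif|for|foreach|while|case|catch)\b|&&|\|\|")

def _block_end(src, open_idx):
    # Index just past the '}' matching src[open_idx]; ignores braces inside strings (fine for the sample).
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return i + 1
    raise ValueError("unbalanced braces")

def debloat_functions(src, used):
    """Function-level debloating: keep used functions, replace every other body with a halting stub."""
    out, pos, removed = [], 0, []
    for m in FUNC_RE.finditer(src):
        if m.start() < pos: continue  # nested definition already consumed with its parent
        name, end = m.group(1), _block_end(src, m.end() - 1)
        if name in used:
            out.append(src[pos:end])
        else:  # the stub halts and names the function, so any attempt to reach removed code shows up in logs
            out.append(src[pos:m.end()] + f"\n    exit('debloated: {name}');\n}}")
            removed.append(name)
        pos = end
    out.append(src[pos:])
    return "".join(out), removed

def cyclomatic(src):  # crude metric: one per function plus one per decision point
    return len(FUNC_RE.findall(src)) + len(DECISION_RE.findall(src))
```

Running `debloat_functions(SAMPLE_PHP, USED_FUNCTIONS)` stubs out `import_settings`, which removes the `unserialize` call (a classic gadget-chain entry point) along with its branches, so `cyclomatic` drops from 7 to 4 on this sample.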


Speaker Bio

Babak Amid Azad is a Ph.D. candidate at Stony Brook University. He works under the supervision of Professor Nikiforakis, aiming to uncover the vulnerabilities and practices that make the web insecure, and more specifically to reduce the attack surface of web applications through software debloating. In his latest work (published at USENIX Security 2019) he showed that we can remove up to 60% of historical CVEs and reduce the size of a web application by 65% while maintaining the most popular functionality of the evaluated web applications. Orthogonal to his work on attack surface reduction, he studies malicious bots on the internet, devising ways to protect websites against them by differentiating their traffic from regular user traffic.

Additional Information

In Campus Calendar
Yes
Groups

General

Invited Audience
Faculty/Staff, Postdoc, Public, Graduate students, Undergraduate students
Categories
Seminar/Lecture/Colloquium
Keywords
No keywords were submitted.
Status
  • Created By: Michael Hagearty
  • Workflow Status: Published
  • Created On: Mar 30, 2020 - 9:43am
  • Last Updated: Mar 30, 2020 - 9:43am