*********************************
There is now a CONTENT FREEZE for Mercury while we switch to a new platform. It began on Friday, March 10 at 6pm and will end on Wednesday, March 15 at noon. No new content can be created during this time, but all material in the system as of the beginning of the freeze will be migrated to the new platform, including users and groups. Functionally the new site is identical to the old one. webteam@gatech.edu
*********************************
Title: Reducing Software's Attack Surface with Code Debloating
Chenxiong Qian
Ph.D. Student in Computer Science
School of Computer Science
College of Computing
Georgia Institute of Technology
Date: December 3, 2020
Time: 10:00 AM to 12:00 PM (EST)
Location (remote via Bluejeans): https://bluejeans.com/482787466
Committee
Dr. Wenke Lee (Advisor, School of Computer Science, Georgia Institute of Technology)
Dr. William R. Harris (Co-Advisor, Galois, Inc)
Dr. Taesoo Kim (School of Computer Science, Georgia Institute of Technology)
Dr. Alessandro Orso (School of Computer Science, Georgia Institute of Technology)
Dr. Brendan Saltaformaggio ( School of Electrical and Computer Engineering, Georgia Institute of Technology)
Abstract
Current practice for developing and deploying software encourages the deployment of software to provide a large spectrum of features. Software with rich features usually exposes larger attack surface and makes it easier for an attacker to launch attacks. After observing that a large portion of software’s features are rarely required by users, an emerging solution, code debloating, has been proposed to reduce software’s attack surface by removing unneeded features’ code. However, there exist several challenges for building such systems: (1) non-developer users cannot describe clearly what features are unneeded; (2) there is no clear boundaries among the code of different features; (3) large and complex software takes inputs that keep changing, which results in non-deterministic executions. To address the challenges, I will first introduce a binary rewriting framework (Razor) that first runs software on given running examples and collects the executed code as references. Then, it uses heuristics to syntactically infer non-executed code that is related to the functionality indicated by the running examples, and directly rewrites the binary to generate a debloated version of the software. After that, I will present a framework (Slimium) that customizes the dominant web browser, Chromium, for visiting specific websites. Slimium removes unrequired features in Chromium based on a feature-code mapping created from manual analysis and static program analysis; and identifies non-deterministic code through dynamic profiling. The results show that Slimium generates slim versions of Chromium with 60% of the potential vulnerabilities removed, for visiting popular websites. In the end, I will briefly discuss my ongoing research that uses program reasoning and differential software testing to automatically partition software’s code for different features.
----------------------------------
Additional Meeting Details
Link: https://bluejeans.com/482787466
