Quantifying the Security Benefits of Debloating Web Applications

Presented at Global AppSec - DC 2019, Sept. 12, 2019, 3:30 p.m. (45 minutes).

As software becomes increasingly complex, its attack surface expands enabling the exploitation of a wide range of vulnerabilities. Web applications are no exception since modern HTML5 standards and the ever-increasing capabilities of JavaScript are utilized to build rich web applications, often subsuming the need for traditional desktop applications One possible way of handling this increased complexity is through the process of software debloating, i.e., the removal not only of dead code but also of code corresponding to features that a specific set of users do not require. Even though debloating has been successfully applied on operating systems, libraries, and compiled programs, its applicability on web applications has not yet been investigated. In this project, we present the first analysis of the security benefits of debloating web applications. We focus on four popular PHP applications and we dynamically exercise them to obtain information about the server-side code that executes as a result of client-side requests. We evaluate two different debloating strategies (file-level debloating and function-level debloating) and we show that we can produce functional web applications that are 46% smaller than their original versions and exhibit half their original cyclomatic complexity. Moreover, our results show that the process of debloating removes code associated with tens of historical vulnerabilities and further shrinks a web application’s attack surface by removing unnecessary external packages and abusable PHP gadgets.

Presenters:

  • Babak Amin Azad - Stony Brook University
    Babak is a PhD candidate at state university of New York at Stony Brook. In a normal day, he studies vulnerabilities and practices that make the web an unsafe place. These days, his main focus is on web attack surface reduction and also bot detection. Prior to starting his PhD, he worked in an incident response team in the banking industry.

Links:

Similar Presentations: