Coverage-Based Debloating for Java Bytecode

@article{SotoValero2022CoverageBasedDF,
  title={Coverage-Based Debloating for Java Bytecode},
  author={C{\'e}sar Soto-Valero and Thomas Durieux and Nicolas Harrand and Beno{\^i}t Baudry},
  journal={ACM Computing Surveys (CSUR)},
  year={2022}
}
Software bloat is code that is packaged in an application but is actually not necessary to run the application. The presence of software bloat is an issue for security, for performance, and for maintenance. In this paper, we introduce a novel technique for debloating, which we call coverage-based debloating. We implement the technique for one single language: Java bytecode. We leverage a combination of state-of-the-art Java bytecode coverage tools to precisely capture what parts of a project… 

References


JShrink: in-depth investigation into debloating modern Java applications

TLDR
JShrink develops an end-to-end bytecode debloating framework that augments traditional static reachability analysis with dynamic profiling and type dependency analysis and renovates existing bytecode transformations to account for new language features in modern Java.

Configuration-Driven Software Debloating

TLDR
This work explores an alternative configuration-driven software debloating approach that removes feature-specific code that is exclusively needed only when certain configuration directives are specified, which are often disabled by default.

Large-scale Debloating of Binary Shared Libraries

TLDR
Nibbler is a system that identifies and erases unused functions within dynamic shared libraries and improves the deployability of a continuous re-randomization system for binaries by increasing its efficiency by 20%, and it improves certain fast but coarse and context-insensitive control-flow integrity schemes by reducing the number of gadgets reachable through indirect branch instructions.

JRed: Program Customization and Bloatware Mitigation Based on Static Analysis

TLDR
A new static-analysis-enabled approach to trimming unused code from both Java applications and Java Runtime Environment (JRE) automatically is proposed, built on top of the Soot framework and evaluated based on a set of criteria: code size, code complexity, memory footprint, execution and garbage collection time, and security.

Trimmer: Application Specialization for Code Debloating

TLDR
This work developed Trimmer, an application specialization tool that leverages user-provided configuration data to specialize an application to its deployment context and demonstrates Trimmer can effectively reduce code bloat.

Negative Effects of Bytecode Instrumentation on Java Source Code Coverage

TLDR
The amount of differences in the results of these two Java code coverage approaches is investigated, the possible reasons are enumerated, and the implications on various applications are discussed.

Less is More: Quantifying the Security Benefits of Debloating Web Applications

TLDR
The results show that the process of debloating removes code associated with tens of historical vulnerabilities and further shrinks a web application’s attack surface by removing unnecessary external packages and abusable PHP gadgets.

Binary Debloating for Security via Demand Driven Loading

TLDR
This work creates a defense mechanism by debloating libraries to reduce the dynamic functions linked so that the possibilities of constructing malicious programs diminish significantly, and presents a decision-tree based predictor, which acts as an oracle, and an optimized runtime system, which works directly with library binaries like GNU libc and libstdc++.

Practical extraction techniques for Java

TLDR
This paper explores extraction techniques such as the removal of unreachable methods and redundant fields, inlining of method calls, and transformation of the class hierarchy for reducing application size, and presents a uniform approach for supplying this input that relies on MEL, a modular specification language.
...