Abstract
As the complexity of software projects increases, more and more developers choose to package various external dependency libraries into software projects to simplify software development. Unfortunately, these introduced dependent libraries are likely to introduce many potential security risks. This phenomenon is called software bloat. One way to handle this increased threat is through software debloating, i.e., the removal of dead code and code corresponding to vulnerabilities introduced from external dependency libraries. In our paper, we proposed JSLIM, an effective vulnerability-aware software debloating system. First, JSLIM processes the public vulnerability information through natural language processing technology, obtains the mapping relationship between the vulnerability and the NPM package, and determines which function in the package causes a specific vulnerability. Then, according to the generated function call graph, determine whether the program calls the method that generates the vulnerability in the dependent library. JSLIM removes the code that isn’t called by the program and uses the sandbox to isolate the code that has vulnerabilities but cannot be removed. We conduct experiments on popular open-source JavaScript applications. The experimental results show that our method removes most of the code related to the known vulnerabilities of the application and effectively prevents attackers from exploiting known vulnerabilities in the NPM package to launch attacks on applications.
This work is supported by the National Natural Science Foundation of China under Grant No. U20B2050 and the Science and Technology Funds from National State Grid Ltd. (The Research on Key Technologies of Distributed Parallel Database Storage and Processing based on Big Data).
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Official babel documentation (2015). https://www.npmjs.com/package/detective
Agten, P., Joosen, W., Piessens, F., Nikiforakis, N.: Esprima. In: ECMAScript Parsing Infrastructure for Multipurpose Analysis (2012)
Agten, P., Joosen, W., Piessens, F., Nikiforakis, N.: Seven months’ worth of mistakes: a longitudinal study of typosquatting abuse. In: Network and Distributed System Security Symposium, 08–11 February 2015, San Diego, USA (2015)
Azad, B.A., Laperdrix, P., Nikiforakis, N.: Less is more: quantifying the security benefits of debloating web applications. In: 28th USENIX Security Symposium USENIX Security 19, pp. 1697–1714 (2019)
Brown, M.D., Pande, S.: Carve: practical security-focused software debloating using simple feature set mappings. In: Proceedings of the 3rd ACM Workshop on Forming an Ecosystem Around Software Transformation, pp. 1–7 (2019)
Bruce, B.R., Zhang, T., Arora, J., Xu, G.H., Kim, M.: Jshrink: in-depth investigation into debloating modern java applications. In: Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 135–146 (2020)
Davis, J., Kildow, G., Lee, D.: The case of the poisoned event handler: weaknesses in the node.js event-driven architecture. In: Proceedings of the 10th European Workshop on Systems Security, p. 8 (2017)
Feldthaus, A., Schäfer, M., Sridharan, M., Dolby, J., Tip, F.: Efficient construction of approximate call graphs for javascript IDE services. In: 2013 35th International Conference on Software Engineering (ICSE), pp. 752–761. IEEE (2013)
Koo, H., Ghavamnia, S., Polychronakis, M.: Configuration-driven software debloating. In: Proceedings of the 12th European Workshop on Systems Security, pp. 1–6 (2019)
Landsborough, J., Harding, S., Fugate, S.: Removing the kitchen sink from software. In: Proceedings of the Companion Publication of the 2015 Annual Conference on Genetic and Evolutionary Computation, pp. 833–838 (2015)
Macias, K., Mathur, M., Bruce, B.R., Zhang, T., Kim, M.: Webjshrink: a web service for debloating java bytecode. In: Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 1665–1669 (2020)
node-elm. https://github.com/bailicangdu/node-elm
Sharif, H., Abubakar, M., Gehani, A., Zaffar, F.: Trimmer: application specialization for code debloating. In: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pp. 329–339 (2018)
Shin, Y., Williams, L.: An empirical model to predict security vulnerabilities using code complexity metrics. In: Proceedings of the Second ACM-IEEE International Symposium on Empirical Software Engineering and Measurement, pp. 315–317 (2008)
Sun, C., Li, Y., Zhang, Q., Gu, T., Su, Z.: Perses: syntax-guided program reduction. In: Proceedings of the 40th International Conference on Software Engineering, pp. 361–371 (2018)
Szurdi, J., Kocso, B., Cseh, G., Spring, J., Felegyhazi, M., Kanich, C.: The long “taile” of typosquatting domain names. In: 23rd USENIX Security Symposium USENIX Security 14, pp. 191–206 (2014)
Vázquez, H.C., Bergel, A., Vidal, S., Pace, J.D., Marcos, C.: Slimming javascript applications: an approach for removing unused functions from javascript libraries. Inf. Softw. Technol. 107, 18–29 (2019)
Xu, G., Arnold, M., Mitchell, N., Rountev, A., Sevitsky, G.: Go with the flow: profiling copies to find runtime bloat. In: Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 419–430 (2009)
Xu, G., Mitchell, N., Arnold, M., Rountev, A., Sevitsky, G.: Software bloat analysis: finding, removing, and preventing performance problems in modern large-scale object-oriented applications. In: Proceedings of the FSE/SDP Workshop on Future of Software Engineering Research, pp. 421–426 (2010)
Zimmermann, M., Staicu, C.A., Tenny, C., Pradel, M.: Small world with high risks: a study of security threats in the NPM ecosystem. In: 28th USENIX Security Symposium USENIX Security 19, pp. 995–1010 (2019)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Ye, R., Liu, L., Hu, S., Zhu, F., Yang, J., Wang, F. (2022). JSLIM: Reducing the Known Vulnerabilities of JavaScript Application by Debloating. In: Meng, W., Katsikas, S.K. (eds) Emerging Information Security and Applications. EISA 2021. Communications in Computer and Information Science, vol 1403. Springer, Cham. https://doi.org/10.1007/978-3-030-93956-4_8
Download citation
DOI: https://doi.org/10.1007/978-3-030-93956-4_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-93955-7
Online ISBN: 978-3-030-93956-4
eBook Packages: Computer ScienceComputer Science (R0)