ABSTRACT
The process of debloating, i.e., removing unnecessary code and features in software, has become an attractive proposition for managing the ever-expanding attack surface of ever-growing modern applications. Researchers have shown that debloating produces significant security improvements in a variety of application domains including operating systems, libraries, compiled software, and, more recently, web applications. Even though the client/server nature of web applications allows the same backend to serve thousands of users with diverse needs, web applications have been approached monolithically by existing debloating approaches. That is, a feature can be debloated only if none of the users of a web application requires it. Similarly, everyone gets access to the same "global" features, whether they need them or not. Recognizing that different users need access to different features, in this paper we propose role-based debloating for web applications. In this approach, we focus on clustering users with similar usage behavior together and providing them with a custom debloated application that is tailored to their needs. Through a user study with 60 experienced web developers and administrators, we first establish that different users indeed use web applications differently. This data is then used by DBLTR, an automated pipeline for providing tailored debloating based on a user's true requirements. In addition to debloating web applications, DBLTR includes a transparent content-delivery mechanism that routes authenticated users to their debloated copies. We demonstrate that for different web applications, DBLTR can be 30-80% more effective than the state-of-the-art in debloating in removing critical vulnerabilities.
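The three steps the abstract describes (cluster users by observed usage, build one debloated copy per role, route each authenticated user to their copy), as an added Python sketch that is not DBLTR's code, contrasted with the monolithic keep set to show why per-role copies can drop more files. The usage traces, the Jaccard-threshold clustering, the file inventory and the `/srv/app-role-N` path layout are all assumptions, since the abstract does not specify them.

```python
# Constructed usage traces (not real DBLTR data): files each user exercised
# while using a hypothetical PHP web application.
USAGE = {
    "alice": {"post.php", "media.php", "comment.php"},
    "bob": {"post.php", "media.php"},
    "carol": {"post.php", "comment.php", "media.php"},
    "dave": {"users.php", "settings.php", "plugins.php"},
    "erin": {"users.php", "settings.php"},
    "frank": {"shop.php", "cart.php"},
}
# Full file inventory; files no user ever touched are bloat for everyone.
ALL_FILES = set().union(*USAGE.values()) | {
    "export.php", "theme-editor.php", "xmlrpc.php"}

def jaccard(a, b):
    """Similarity of two feature sets in [0, 1]."""
    return len(a & b) / len(a | b) if a | b else 1.0

def cluster_roles(usage, threshold=0.4):
    """Greedy stand-in for the paper's clustering (the abstract does not
    name its method): a user joins the first role whose feature set is at
    least `threshold` Jaccard-similar to their own, else starts a new role."""
    roles = []  # each role: {"members": set of users, "features": set of files}
    for user in sorted(usage):
        for role in roles:
            if jaccard(usage[user], role["features"]) >= threshold:
                role["members"].add(user)
                role["features"] |= usage[user]
                break
        else:
            roles.append({"members": {user}, "features": set(usage[user])})
    return roles

def monolithic_keep(usage):
    """Global debloating: a file survives if *any* user needs it."""
    return set().union(*usage.values())

def removed_files(all_files, keep):
    """Files a debloated copy can drop because nobody it serves used them."""
    return all_files - keep

def route(user, roles, root="/srv/app-role-"):
    """Map an authenticated user to the document root of their role's copy
    (path layout is an assumption); users with no role get None."""
    for idx, role in enumerate(roles):
        if user in role["members"]:
            return f"{root}{idx}"
    return None
```

With these traces the monolithic copy can drop only the 3 files nobody used, while each role's copy drops 8 or 9 of the 11, which is the gap the abstract's role-based approach exploits.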
Role Models: Role-based Debloating for Web Applications