RAZOR: A Framework for Post-deployment Software Debloating

Authors: 

Chenxiong Qian, Hong Hu, Mansour Alharthi, Pak Ho Chung, Taesoo Kim, and Wenke Lee, Georgia Institute of Technology

Abstract: 

Commodity software typically includes functionalities for a broad user population. However, each individual user usually only needs a subset of the supported functionalities. The bloated code not only hinders optimal execution, but also leads to a larger attack surface. Recent work explores program debloating as an emerging solution to this problem. Unfortunately, existing works require program source code, limiting their deployability.

In this paper, we propose a practical debloating framework, RAZOR, that performs code reduction for deployed binaries. Based on users’ specification, our tool customizes the binary to generate a functional program with the minimal code size. Instead of only supporting given test cases, RAZOR takes several control-flow heuristics to infer complementary code that are necessary to support user-expected functionalities. We have evaluated RAZOR on commonly used benchmarks and real-world applications, including the web browser FireFox and the close-sourced PDF reader FoxitReader. The result shows that RAZOR is able to reduce over 70% of the code from the bloated binary. It produces functional programs and does not introduce new security issues. RAZOR is thus a practical framework for debloating real-world programs.

BibTeX
@inproceedings {236296,
title = {{RAZOR}: A Framework for Post-deployment Software Debloating},
booktitle = {28th {USENIX} Security Symposium ({USENIX} Security 19)},
year = {2019},
address = {Santa Clara, CA},
url = {https://www.usenix.org/conference/usenixsecurity19/presentation/qian},
publisher = {{USENIX} Association},
}