Large-scale Debloating of Binary Shared Libraries

Agadakos, Ioannis; DeMarinis, Nicholas; Jin, Di; Williams-King, Kent; Alfajardo, Jearson; Shteinfeld, Benjamin; Williams-King, David; Kemerlis, Vasileios P.; Portokalidis, Georgios

doi:10.1145/3414997

Cited by 23 publications

(44 citation statements)

References 75 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In contrast, our study focuses on the evolution and the emergence of bloat in Java projects, while spotting some of the current research gaps and tooling for effective dependency management. Other studies have focused on eliminating bloat in source code [33], binary shared libraries [1], highly configurable programs [15], or containers [24]. Other works have focused on improving the debloat process through various optimizations techniques [2,3,11,31,35].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

A Longitudinal Analysis of Bloated Java Dependencies

Soto-Valero¹,

Durieux²,

Baudry³

2021

Preprint

View full text Add to dashboard Cite

We study the evolution and impact of bloated dependencies in a single software ecosystem: Java/Maven. Bloated dependencies are third-party libraries that are packaged in the application binary but are not needed to run the application. We analyze the history of 435 Java projects. This historical data includes 48,469 distinct dependencies, which we study across a total of 31,515 versions of Maven dependency trees. Bloated dependencies steadily increase over time, and 89.2 % of the direct dependencies that are bloated remain bloated in all subsequent versions of the studied projects. This empirical evidence suggests that developers can safely remove a bloated dependency. We further report novel insights regarding the unnecessary maintenance efforts induced by bloat. We find that 22 % of dependency updates performed by developers are made on bloated dependencies, and that Dependabot suggests a similar ratio of updates on bloated dependencies.

show abstract

Section: Related Workmentioning

confidence: 99%

“…In this work, we consider a software project as a collection of Java source code files and configuration files organized to be build with Maven. 1 In this section, we present the key concepts for the analysis of a project 𝑝 in the context of the set of its software dependencies, denoted as D.…”

Section: Introductionmentioning

confidence: 99%

A Longitudinal Analysis of Bloated Java Dependencies

Soto-Valero¹,

Durieux²,

Baudry³

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Debloating We implemented a function-level debloating [2,14] tool for x86_64 and ARM64. Starting from the program entry point and from every function whose address is taken, this tool iterates over our control-flow graph and finds all reachable code.…”

Section: Egalito Toolsmentioning

confidence: 99%

“…We implemented inplace randomization [44], and a JIT-Shuffling continuous randomization technique (based on Shuffler [61] and TASR [8]). We also implemented debloating [2,14], where unneeded code is removed from the program to improve security. Finally, control-flow integrity (CFI) is another code-reuse defense, where the target of every indirect control flow is validated [1,31,48].…”

Section: Introductionmentioning

confidence: 99%

Egalito

Williams-King

Kobayashi

Williams-King

et al. 2020

Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Syste

Self Cite

View full text Add to dashboard Cite

For comprehensive analysis of all executable code, and fast turn-around time for transformations, it is essential to operate directly on binaries to enable profiling, security hardening, and architectural adaptation. Disassembling binaries is difficult, and prior work relies on a process virtual machine to translate references on the fly or inefficient binary code patching. Our Egalito recompiler leverages metadata present in current stripped x86_64 and ARM64 binaries to generate a complete disassembly, and allows arbitrary modifications that may affect program layout without any constraints from the original binary. We utilize our own layout-agnostic intermediate representation, which is low-level enough to make the regeneration of output code predictable, yet supports a dual high-level representation for sophisticated analysis. We demonstrate nine binary tools including a novel continuous code randomization technique where Egalito transforms itself, and software emulation of the control-flow integrity in upcoming hardware. We evaluated Egalito on a large set of Debian packages, completely analyzing 99.9% of a selection of 867 executables and libraries; a majority of 149 applicable Debian packages pass all tests under Egalito. On SPEC CPU 2006, thanks to our binary optimizations, Egalito actually observes a 1.7% performance speedup. CCS Concepts. • Software and its engineering → Software reverse engineering; • Security and privacy → † Work done while at Columbia University.

show abstract

“…Guided linking can sometimes replace dynamic relocations with static references; in other cases, caching can be combined with our system for an additional performance gain. [Agadakos et al 2019;Davidsson et al 2019;Mulliner and Neugschwandtner 2015;Ziegler et al 2019]. The primary goal is to improve security by reducing the attack surface, with code size reduction as a secondary goal.…”

Section: Optimizing Dynamically Linked Codementioning

confidence: 99%

Guided linking: dynamic linking without the costs

Bartell

Dietz

Adve

2020

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Dynamic linking is extremely common in modern software systems, thanks to the flexibility and space savings it offers. However, this flexibility comes at a cost: it's impossible to perform interprocedural optimizations that involve calls to a dynamic library. The basic problem is that the run-time behavior of the dynamic linker can't be predicted at compile time, so the compiler can make no assumptions about how such calls will behave.This paper introduces guided linking, a technique for optimizing dynamically linked software when some information about the dynamic linker's behavior is known in advance. The developer provides an arbitrary set of programs, libraries, and plugins to our tool, along with constraints that limit the possible dynamic linking behavior of the software. By taking advantage of the constraints, our tool enables any existing optimization to be applied across dynamic linking boundaries. For example, the NoOverride constraint can be applied to a function when the developer knows it will never be overridden with a different definition at run time; guided linking then enables the function to be inlined into its callers in other libraries. We also introduce a novel code size optimization that deduplicates identical functions even across different parts of the software set.By applying guided linking to the Python interpreter and its dynamically loaded modules, supplying the constraint that no other programs or modules will be used, we increase speed by an average of 9%. By applying guided linking to a dynamically linked distribution of Clang and LLVM, and using the constraint that no other software will use the LLVM libraries, we can increase speed by 5% and reduce file size by 13%. If we relax the constraint to allow other software to use the LLVM libraries, we can still increase speed by 5% and reduce file size by 5%. If we use guided linking to combine 11 different versions of the Boost library, using minimal constraints, we can reduce the total library size by 57%.

show abstract

Large-scale Debloating of Binary Shared Libraries

Cited by 23 publications

References 75 publications

A Longitudinal Analysis of Bloated Java Dependencies

A Longitudinal Analysis of Bloated Java Dependencies

Egalito

Guided linking: dynamic linking without the costs

Contact Info

Product

Resources

About