Software reuse may result in software bloat when significant portions of application dependencies are effectively unused. Several tools exist to remove unused (byte)code from an application or its dependencies, thus producing smaller artifacts and, potentially, reducing the overall attack surface. In this paper we evaluate the ability of three debloating tools to distinguish which dependency classes are necessary for an application to function correctly from those that could be safely removed. To do so, we conduct a case study on a real-world commercial Java application. Our study shows that the tools we used were able to correctly identify a considerable amount of redundant code, which could be removed without altering the results of the existing application tests. One of the redundant classes turned out to be (formerly) vulnerable, confirming that this technique has the potential to be applied for hardening purposes. However, by manually reviewing the results of our experiments, we observed that none of the tools can handle a widely used default mechanism for dynamic class loading.
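As an added illustration (not from the paper, and not the code of any of the tools it evaluates), the following Java snippet shows why a debloating tool that keeps only classes referenced directly from application bytecode can misclassify a dependency class that is loaded dynamically. The abstract does not name the specific loading mechanism the tools failed on; `Class.forName` on a name read from a configuration file is used here as a representative case. The package `com.example`, the class names `PluginHost` and `com.example.plugins.CsvExporter`, and the property key `exporter.class` are all hypothetical.

```java
// Added example: a dependency class that static reference analysis cannot see,
// plus a small preflight check a practitioner can run against a debloated jar.
// Assumed names: com.example.PluginHost, com.example.plugins.CsvExporter,
// configuration key "exporter.class".
package com.example;

import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

public class PluginHost {

    // PluginHost.class contains no CONSTANT_Class entry for CsvExporter, only a
    // string constant. A tool that decides "used" by walking constant-pool class
    // references therefore sees CsvExporter as unreachable and may remove it,
    // even though this method needs it at run time.
    public static Runnable loadExporter(Properties cfg) throws ReflectiveOperationException {
        String cls = cfg.getProperty("exporter.class", "com.example.plugins.CsvExporter");
        Class<?> c = Class.forName(cls, true, PluginHost.class.getClassLoader());
        return (Runnable) c.getDeclaredConstructor().newInstance();
    }

    // Preflight check for a shrunk artifact: every class name that configuration
    // can inject must still resolve. Returns the names that do NOT resolve, so an
    // empty list means the debloated jar kept everything the configuration needs.
    // Initialization is disabled (initialize=false) so the check has no side effects.
    public static List<String> missingConfiguredClasses(Properties cfg, String[] keys, ClassLoader cl) {
        List<String> missing = new ArrayList<>();
        for (String key : keys) {
            String name = cfg.getProperty(key);
            if (name == null || name.isEmpty()) {
                continue; // key not set; nothing to verify for it
            }
            try {
                Class.forName(name, false, cl);
            } catch (ClassNotFoundException | LinkageError e) {
                missing.add(key + "=" + name);
            }
        }
        return missing;
    }

    public static void main(String[] args) throws Exception {
        Properties cfg = new Properties();
        try (InputStream in = PluginHost.class.getResourceAsStream("/app.properties")) {
            if (in != null) {
                cfg.load(in); // constructed example: file may simply be absent
            }
        }

        // Run the check before exercising any reflective path. A class dropped by
        // the debloater shows up here, rather than as a ClassNotFoundException
        // in production on a path the unit tests never covered.
        List<String> missing = missingConfiguredClasses(
                cfg, new String[] {"exporter.class"}, PluginHost.class.getClassLoader());
        if (!missing.isEmpty()) {
            System.err.println("Debloated artifact is missing configured classes: " + missing);
            System.exit(2);
        }

        loadExporter(cfg).run();
    }
}
```

The check only covers class names that reach the loader through configuration keys you know about; it does not find names assembled from other inputs, which is exactly why test results alone (as the abstract notes) are not sufficient evidence that a removed class was truly unused.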