Programs are bloated. Our study shows that only 5% of libc is used on average across Ubuntu Desktop environment (>2200 programs); the heaviest user, vlc media player, only used 18%. This is striking because bloating presents a vulnerable attack surface for software exploitation and imposes undue burden on defenses (e.g., CFI defenses). In this paper: (1) We present a debloating framework built on a compiler toolchain that can successfully debloat software (shared/static libraries and executables). Our solution can successfully compile and load most libraries on Ubuntu Desktop 16.04. (2) We demonstrate an elimination of over 84% code from coreutils and 85% code from SPEC CPU 2006 benchmark programs without affecting functionality. We show that even complex COTS programs (e.g., FireFox, Curl) can be debloated {without a need to recompile}. (3) We demonstrate the security impact of our system by eliminating over 70% of reusable code gadgets from coreutils suite, and show that unused code that contain {real-world vulnerabilities} can be successfully eliminated without adverse effects on the program. (4) Our solution imposes a low load time overhead.
View on arXiv