Loading…
Registration is NOW Open
Marriott Wardman Park
2660 Woodley Rd NW
Washington DC, District of Columbia 20008 USA
Phone: 1-202-328-2000 

Book Now 
*discount rates expire August 19, 2019
Thursday, September 12 • 3:30pm - 4:15pm
Quantifying the Security Benefits of Debloating Web Applications

Sign up or log in to save this to your schedule and see who's attending!

Feedback form is now closed.
As software becomes increasingly complex, its attack surface expands enabling the exploitation of a wide range of vulnerabilities. Web applications are no exception since modern HTML5 standards and the ever-increasing capabilities of JavaScript are utilized to build rich web applications, often subsuming the need for traditional desktop applications

One possible way of handling this increased complexity is through the process of software debloating, i.e., the removal not only of dead code but also of code corresponding to features that a specific set of users do not require. Even though debloating has been successfully applied on operating systems, libraries, and compiled programs, its applicability on web applications has not yet been investigated.

In this project, we present the first analysis of the security benefits of debloating web applications. We focus on four popular PHP applications and we dynamically exercise them to obtain information about the server-side code that executes as a result of client-side requests. We evaluate two different debloating strategies (file-level debloating and function-level debloating) and we show that we can produce functional web applications that are 46% smaller than their original versions and exhibit half their original cyclomatic complexity. Moreover, our results show that the process of debloating removes code associated with tens of historical vulnerabilities and further shrinks a web application’s attack surface by removing unnecessary external packages and abusable PHP gadgets.

Speakers
avatar for Babak Amin Azad

Babak Amin Azad

PhD Candidate, Stony Brook University
Babak is a PhD candidate at state university of New York at Stony Brook. In a normal day, he studies vulnerabilities and practices that make the web an unsafe place. These days, his main focus is on web attack surface reduction and also bot detection. Prior to starting his PhD, he... Read More →


Thursday September 12, 2019 3:30pm - 4:15pm
Lincoln 4