Role Models: Role-based Debloating for Web Applications

Research article (Public Access). DOI: 10.1145/3577923.3583647

Published: 24 April 2023

Abstract

The process of debloating, i.e., removing unnecessary code and features in software, has become an attractive proposition for managing the ever-expanding attack surface of ever-growing modern applications. Researchers have shown that debloating produces significant security improvements in a variety of application domains including operating systems, libraries, compiled software, and, more recently, web applications. Even though the client/server nature of web applications allows the same backend to serve thousands of users with diverse needs, web applications have been approached monolithically by existing debloating approaches. That is, a feature can be debloated only if none of the users of a web application requires it. Similarly, everyone gets access to the same "global" features, whether they need them or not. Recognizing that different users need access to different features, in this paper we propose role-based debloating for web applications. In this approach, we focus on clustering users with similar usage behavior together and providing them with a custom debloated application that is tailored to their needs. Through a user study with 60 experienced web developers and administrators, we first establish that different users indeed use web applications differently. This data is then used by DBLTR, an automated pipeline for providing tailored debloating based on a user's true requirements. Next to debloating web applications, DBLTR includes a transparent content-delivery mechanism that routes authenticated users to their debloated copies. We demonstrate that for different web applications, DBLTR can be 30-80% more effective than the state-of-the-art in debloating in removing critical vulnerabilities.
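The pipeline the abstract sketches (record what each user exercises, cluster users with similar behaviour into roles, build one debloated copy per role, route each authenticated user to their copy) is small enough to show end to end. The block below is an added illustration, not DBLTR's code or data: the usage traces are constructed, debloating is done at file granularity, roles come from average-linkage agglomerative clustering on Jaccard distance with a fixed cut-off rather than the paper's k-means/elbow step, and the `/srv/app-<role>` document-root layout is an assumption. It also shows why the approach beats monolithic debloating on the same traces: a file kept because *some* user needs it (here `admin/filemanager.php`) is still removed from every copy served to users who never touch it.

```python
"""Toy role-based debloating pipeline: cluster users by observed usage,
derive one file allowlist per role, and route each authenticated user to
the debloated copy built for their role. Added example; the traces are
constructed, the clustering method and path layout are assumptions."""
from itertools import combinations

# Constructed usage traces: which server-side files each user exercised.
TRACES = {
    "alice": {"index.php", "post/edit.php", "post/publish.php", "media/upload.php"},
    "bob":   {"index.php", "post/edit.php", "post/publish.php"},
    "carol": {"index.php", "post/edit.php", "media/upload.php"},
    "dave":  {"index.php", "admin/plugins.php", "admin/users.php", "admin/filemanager.php"},
    "erin":  {"index.php", "admin/plugins.php", "admin/users.php"},
    "frank": {"index.php", "comment/post.php"},
    "grace": {"index.php", "comment/post.php", "profile/edit.php"},
}
# The full (bloated) application also ships files nobody in the study touched.
ALL_FILES = set().union(*TRACES.values()) | {"xmlrpc.php", "install.php"}


def jaccard_distance(a, b):
    """1 - |A∩B|/|A∪B|; 0 for two identical (or two empty) feature sets."""
    union = a | b
    return 1.0 - len(a & b) / len(union) if union else 0.0


def cluster_roles(traces, max_distance=0.6):
    """Average-linkage agglomerative clustering on Jaccard distance.
    Clusters keep merging while the closest pair is within max_distance, so
    the number of roles falls out of the data instead of being fixed up
    front (a simplification of the paper's k-means/elbow step)."""
    clusters = [[u] for u in sorted(traces)]

    def avg_dist(c1, c2):
        pairs = [(x, y) for x in c1 for y in c2]
        return sum(jaccard_distance(traces[x], traces[y]) for x, y in pairs) / len(pairs)

    while len(clusters) > 1:
        i, j = min(combinations(range(len(clusters)), 2),
                   key=lambda p: avg_dist(clusters[p[0]], clusters[p[1]]))
        if avg_dist(clusters[i], clusters[j]) > max_distance:
            break
        merged = sorted(clusters[i] + clusters[j])
        clusters = [c for k, c in enumerate(clusters) if k not in (i, j)] + [merged]
    return [frozenset(c) for c in sorted(clusters)]


def role_allowlists(traces, clusters):
    """Per-role allowlist = union of everything any member of the role used."""
    return {f"role-{n}": frozenset().union(*(traces[u] for u in members))
            for n, members in enumerate(clusters)}


def removed_files(all_files, allowlist):
    """Files deleted from this role's copy of the application."""
    return all_files - allowlist


def build_membership(clusters):
    """user -> role id, the lookup the routing layer needs at request time."""
    return {u: f"role-{n}" for n, members in enumerate(clusters) for u in members}


def resolve_root(user, membership, roots_by_role):
    """Routing step: an authenticated user is served from the document root
    of their role's debloated copy. A user with no role gets nothing (fail
    closed) rather than falling back to the full, undebloated application."""
    role = membership.get(user)
    if role is None:
        raise PermissionError(f"no role for authenticated user {user!r}")
    return roots_by_role[role]


if __name__ == "__main__":
    roles = cluster_roles(TRACES)
    allow = role_allowlists(TRACES, roles)
    monolithic = frozenset().union(*TRACES.values())
    print(f"monolithic debloating removes {len(ALL_FILES - monolithic)} of {len(ALL_FILES)} files")
    for name, files in allow.items():
        print(f"{name}: keeps {sorted(files)}, removes {len(removed_files(ALL_FILES, files))}")
    roots = {name: f"/srv/app-{name}" for name in allow}  # assumed document-root layout
    print("alice ->", resolve_root("alice", build_membership(roles), roots))
```

On these traces monolithic debloating can only drop the two files nobody used, while each role's copy drops seven or eight of the eleven. The fail-closed branch in `resolve_root` matters in practice: a routing layer that silently falls back to the full application for an unmapped user hands that user exactly the attack surface the exercise was meant to remove.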



Published In

CODASPY '23: Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy
April 2023, 304 pages
ISBN: 9798400700675
DOI: 10.1145/3577923

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

  1. attack surface reduction
  2. software debloating
  3. web applications

Conference

CODASPY '23. Overall acceptance rate: 149 of 789 submissions, 19%.
