ASE 2024
Sun 27 October - Fri 1 November 2024 Sacramento, California, United States
Wed 30 Oct 2024 14:15 - 14:30 at Magnoila - Library and dependancy Chair(s): Curtis Atkisson

To reduce the source of potential exploits, binary debloating or specialization tools are used to remove unnecessary code from binaries. This paper presents a new binary debloating and specialization tool, LeanBin, that harnesses lifting and recompilation, based on observed execution traces. The dynamically recorded execution traces capture the required subset of instructions and control flow of the application binary for a given set of inputs. This initial control flow is subsequently augmented using heuristic-free static analysis to avoid excessively restricting the input space. The further structuring of the control flow and translation of binary instructions into a subset of C enables a lightweight generation of the code that can be recompiled, obtaining LLVM IR and a new debloated binary. Unlike most debloating approaches, LeanBin enables both binary debloating of the application and shared libraries, while reusing the existing compiler infrastructure. Additionally, unlike existing binary lifters, it does not rely on potentially unsound heuristics used by static lifters, nor suffers from long execution times, a limitation of existing dynamic lifters. Instead, LeanBin combines both heuristic-free static and dynamic analysis. The run time of lifting and debloating SPEC CPU2006 INT benchmarks has a geomean of 1.78x, normalized to the native execution, and the debloated binary runs with a geomean overhead of 1.21x. The percentage of gadgets, compared to the original binary, has a geomean between 24.10% and 30.22%, depending on the debloating strategy; and the code size can be as low as 53.59%. For the SQLite use-case, LeanBin debloats a binary including its shared library and generates a debloated binary that runs up to 1.24x faster with 3.65% gadgets.

Wed 30 Oct

Displayed time zone: Pacific Time (US & Canada) change

13:30 - 15:00
13:30
15m
Talk
How to Pet a Two-Headed Snake? Solving Cross-Repository Compatibility Issues with Hera
Research Papers
Yifan Xie , Zhouyang Jia National University of Defense Technology, Shanshan Li National University of Defense Technology, Ying Wang Northeastern University, Jun Ma National University of Defense Technology, Xiaoling Li National University of Defense Technology, Haoran Liu National University of Defense Technology, Ying Fu National University of Defense Technology, Liao Xiangke National University of Defense Technology
13:45
15m
Talk
Towards Robust Detection of Open Source Software Supply Chain Poisoning Attacks in Industry Environments
Industry Showcase
Xinyi Zheng Huazhong University of Science and Technology, Chen Wei MYbank, Ant Group, Shenao Wang Huazhong University of Science and Technology, Yanjie Zhao Huazhong University of Science and Technology, Peiming Gao MYbank, Ant Group, Yuanchao Zhang Mybank, Ant Group, Kailong Wang Huazhong University of Science and Technology, Haoyu Wang Huazhong University of Science and Technology
14:00
15m
Talk
Detect Hidden Dependency to Untangle Commits
Research Papers
Mengdan Fan , Wei Zhang Peking University, Haiyan Zhao Peking University, Guangtai Liang Huawei Cloud Computing Technologies, Zhi Jin Peking University
14:15
15m
Talk
LeanBin: Harnessing Lifting and Recompilation to Debloat Binaries
Research Papers
Igor Wodiany University of Manchester, Antoniu Pop University of Manchester, Mikel Luján University of Manchester
DOI Pre-print
14:30
15m
Talk
Balancing the Quality and Cost of Updating Dependencies
Research Papers
Damien Jaime Université Paris Nanterre & LIP6, Pascal Poizat Université Paris Nanterre & LIP6, Joyce El Haddad Université Paris Dauphine - PSL , Thomas Degueule CNRS
14:45
10m
Talk
Depends-Kotlin: A Cross-Language Kotlin Dependency Extractor
Tool Demonstrations
Qiong Feng Nanjing University of Science and Technology, Xiaotian Ma Nanjing University of Science and Technology, Huan Ji Huawei Nanjing Research Center, Wei Song Nanjing University of Science and Technology, Peng Liang Wuhan University, China
DOI Pre-print Media Attached