MiniLib: A flow analysis–based approach for attack surface reduction through software debloating
Authors/Creators
Description
Software applications typically use libraries to implement commonly needed tasks. Each library encompasses an extensive collection of functionalities that cover a specific task area, such as interfacing with a database. However, while applications typically use only a small subset of these functionalities, the unused ones are also bundled into the final distribution, because libraries are loaded and linked as indivisible objects. The presence of unused functionalities in the executable program increases its attack surface, since attackers may invoke code in these functionalities or exploit their vulnerabilities, using techniques such as stack smashing or buffer overflow. In this paper, we present MiniLib, an approach that removes from the final executable any unused functionalities present in the libraries, reducing the attack surface and thus enhancing security. The efficiency of MiniLib is validated by applying it to applications drawn from the O-RAN 6G framework. Current findings indicate that the application of MiniLib may reduce the dependency-rooted application vulnerability exposure from 10.9% to 52.5%.
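The core idea behind this kind of debloating is a reachability question over the library's call graph: starting from the functions the application actually calls, which library functions can ever execute, and which can therefore be dropped? The following is an added illustration of that general idea, not MiniLib's own code or data. The call graph of a hypothetical database client library and the application's call set are constructed here; the `address_taken` parameter is an assumption that models the usual caveat that functions referenced through pointers must be kept conservatively, since a flow analysis cannot always resolve indirect calls.

```python
from collections import deque

# Constructed call graph of a hypothetical database client library
# (function name -> functions it calls directly). Not MiniLib's data.
LIB_CALL_GRAPH = {
    "db_connect": ["net_open", "auth_handshake"],
    "auth_handshake": ["hash_password"],
    "hash_password": [],
    "net_open": [],
    "db_query": ["parse_sql", "net_send", "net_recv"],
    "parse_sql": ["tokenize"],
    "tokenize": [],
    "net_send": [],
    "net_recv": [],
    "db_export_csv": ["csv_escape", "net_recv"],
    "csv_escape": [],
    "db_legacy_compat": ["legacy_decode"],
    "legacy_decode": [],
    "db_close": ["net_close"],
    "net_close": [],
}

# Constructed: the library entry points the application calls directly.
APP_CALLS = {"db_connect", "db_query", "db_close"}


def reachable_functions(call_graph, roots, address_taken=frozenset()):
    """Return the set of library functions reachable from the roots.

    Roots are the functions the application calls directly. Functions whose
    address is taken (assumed input) are treated as extra roots, because they
    may be invoked indirectly and a static analysis cannot prove otherwise.
    Roots that do not exist in the graph are ignored.
    """
    seen = set()
    work = deque(f for f in list(roots) + list(address_taken) if f in call_graph)
    while work:  # breadth-first traversal of the call graph
        fn = work.popleft()
        if fn in seen:
            continue
        seen.add(fn)
        for callee in call_graph.get(fn, []):
            if callee not in seen:
                work.append(callee)
    return seen


def debloat(call_graph, app_calls, address_taken=frozenset()):
    """Split the library into functions to keep and functions to remove."""
    keep = reachable_functions(call_graph, app_calls, address_taken)
    drop = set(call_graph) - keep
    return keep, drop


def reduction_ratio(call_graph, drop):
    """Fraction of library functions removed from the final executable."""
    return len(drop) / len(call_graph) if call_graph else 0.0


if __name__ == "__main__":
    keep, drop = debloat(LIB_CALL_GRAPH, APP_CALLS)
    print("kept:   ", sorted(keep))
    print("dropped:", sorted(drop))
    print(f"removed {reduction_ratio(LIB_CALL_GRAPH, drop):.1%} of library functions")
    # Conservative run: keep anything whose address may be taken.
    _, drop2 = debloat(LIB_CALL_GRAPH, APP_CALLS, address_taken={"db_legacy_compat"})
    print("dropped (conservative):", sorted(drop2))
```

On the constructed graph, the unreferenced CSV export and legacy-compatibility paths (four functions) are removed, shrinking the library by roughly 27%; marking `db_legacy_compat` as address-taken keeps that path and its callee, which is the trade-off between precision of the flow analysis and soundness that any real debloater has to make.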
Files
CSR paper MiniLib.pdf (286.7 kB)
md5:2c7a4d59c0c6f4aa9f2fa648661da557