4 research outputs found

    Automatic Specialization of Third-Party Java Dependencies

    Full text link
    Modern software systems rely on a multitude of third-party dependencies. This large-scale code reuse reduces development costs and time, and it poses new challenges with respect to maintenance and security. Techniques such as tree shaking or shading can remove dependencies that are completely unused by a project, which partly addresses these challenges. Yet, the remaining dependencies are likely to be used only partially, leaving room for further reduction of third-party code. In this paper, we propose a novel technique to specialize dependencies of Java projects, based on their actual usage. For each dependency, we systematically identify the subset of its functionalities that is necessary to build the project, and remove the rest. Each specialized dependency is repackaged. Then, we generate specialized dependency trees where the original dependencies are replaced by the specialized versions and we rebuild the project. We implement our technique in a tool called DepTrim, which we evaluate with 30 notable open-source Java projects. DepTrim specializes a total of 343 (86.6%) dependencies across these projects, and successfully rebuilds each project with a specialized dependency tree. Moreover, through this specialization, DepTrim removes a total of 60,962 (47.0%) classes from the dependencies, reducing the ratio of dependency classes to project classes from 8.7x in the original projects to 4.4x after specialization. These results indicate the relevance of dependency specialization to significantly reduce the share of third-party code in Java projects.
    Comment: 17 pages, 2 figures, 4 tables, 1 algorithm, 2 code listings, 3 equations

    WebAssembly Diversification for Malware Evasion

    Full text link
    WebAssembly has become a crucial part of the modern web, offering a faster alternative to JavaScript in browsers. While it powers rich applications in the browser, this technology is also very efficient for developing cryptojacking malware. This has triggered the development of several methods to detect cryptojacking malware. However, these defenses have not considered the possibility of attackers using evasion techniques. This paper explores how automatic binary diversification can support the evasion of WebAssembly cryptojacking detectors. We experiment with a dataset of 33 WebAssembly cryptojacking binaries and evaluate our evasion technique against two malware detectors: VirusTotal, a general-purpose detector, and MINOS, a WebAssembly-specific detector. Our results demonstrate that our technique can automatically generate variants of WebAssembly cryptojacking that evade the detectors in 90% of cases for VirusTotal and 100% for MINOS. Our results emphasize the importance of meta-antiviruses and diverse detection techniques, and provide new insights into which WebAssembly code transformations are best suited for malware evasion. We also show that the variants introduce limited performance overhead, making binary diversification an effective technique for evasion.

    Automatic Specialization of Third-Party Java Dependencies

    No full text
    Modern software systems rely on a multitude of third-party dependencies. This large-scale code reuse reduces development costs and time, and it poses new challenges with respect to maintenance and security. Techniques such as tree shaking or shading can remove dependencies that are completely unused by a project, which partly address these challenges. Yet, the remaining dependencies are likely to be used only partially, leaving room for further reduction of third-party code. In this paper, we propose a novel technique to specialize dependencies of Java projects, based on their actual usage. For each dependency, we systematically identify the subset of its functionalities that is necessary to build the project, and remove the rest. Each specialized dependency is repackaged. Then, we generate specialized dependency trees where the original dependencies are replaced by the specialized versions and we rebuild the project. We implement our technique in a tool called DepTrim, which we evaluate with 30 notable open-source Java projects. DepTrim specializes a total of 343 (86.6%) dependencies across these projects, and successfully rebuilds each project with a specialized dependency tree. Moreover, through this specialization, DepTrim removes a total of 60,962 (47.0%) classes from the dependencies, reducing the ratio of dependency classes to project classes from 8.7× in the original projects to 4.4× after specialization. These results indicate the relevance of dependency specialization to significantly reduce the share of third-party code in Java projects.
    QC 20230511
