Automatic Specialization of Third-Party Java Dependencies
Modern software systems rely on a multitude of third-party dependencies. This
large-scale code reuse reduces development cost and time, but it also poses new
challenges for maintenance and security. Techniques such as tree shaking or
shading can remove dependencies that a project does not use at all, which partly
addresses these challenges. Yet the remaining dependencies are likely to be only
partially used, leaving room for further reduction of third-party code. In this
paper, we propose a novel technique to specialize the dependencies of Java
projects based on their actual usage. For each dependency, we systematically
identify the subset of its functionality that is necessary to build the project
and remove the rest. Each specialized dependency is repackaged. We then generate
specialized dependency trees in which the original dependencies are replaced by
their specialized versions, and we rebuild the project. We implement our
technique in a tool called DepTrim, which we evaluate on 30 notable open-source
Java projects. DepTrim specializes a total of 343 (86.6%) dependencies across
these projects and successfully rebuilds each project with a specialized
dependency tree. Moreover, through this specialization, DepTrim removes a total
of 60,962 (47.0%) classes from the dependencies, reducing the ratio of
dependency classes to project classes from 8.7x in the original projects to
4.4x after specialization. These results indicate the relevance of dependency
specialization for significantly reducing the share of third-party code in Java
projects.
Comment: 17 pages, 2 figures, 4 tables, 1 algorithm, 2 code listings, 3 equations
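The specialization step sketched above (find the subset of a dependency the project actually needs, drop the rest, repackage) reduces, in its simplest static form, to a reachability analysis over the class references in each class file's constant pool. The Python script below is an added example and not DepTrim's own code; the abstract does not say how DepTrim determines the necessary subset, so this is one plausible static approximation. It parses the constant pool of class files, computes the transitive closure of dependency classes referenced from the project's classes, and writes only those classes (plus non-class resources) into a new JAR. Every class file it analyses is constructed in memory as a minimal valid class file with an empty method table; the names lib/Json, lib/Parser, lib/Token, lib/Pretty, lib/Yaml and app/Main are invented for the illustration.

```python
"""Usage-based trimming of a Java dependency JAR (added example, not DepTrim's code).
All class files below are constructed in-memory test data, not compiled Java."""
import io
import struct
import zipfile

# Constant-pool tags and the payload size (bytes after the tag) of each fixed-size entry (JVMS 4.4).
UTF8, CLASS, LONG, DOUBLE = 1, 7, 5, 6
PAYLOAD = {3: 4, 4: 4, 5: 8, 6: 8, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
           15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def referenced_classes(class_bytes):
    """Return the internal names (e.g. 'java/lang/String') that a class file references."""
    buf = io.BytesIO(class_bytes)
    magic, _minor, _major, count = struct.unpack(">IHHH", buf.read(10))
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    utf8, class_refs = {}, []
    i = 1
    while i < count:
        tag = buf.read(1)[0]
        if tag == UTF8:
            (length,) = struct.unpack(">H", buf.read(2))
            # The JVM uses "modified UTF-8"; plain UTF-8 is adequate for class names.
            utf8[i] = buf.read(length).decode("utf-8", errors="replace")
        elif tag == CLASS:
            class_refs.append(struct.unpack(">H", buf.read(2))[0])
        elif tag in PAYLOAD:
            buf.read(PAYLOAD[tag])
            if tag in (LONG, DOUBLE):
                i += 1  # 8-byte constants occupy two pool slots
        else:
            raise ValueError(f"unknown constant tag {tag}")
        i += 1
    names = set()
    for idx in class_refs:
        name = utf8[idx]
        if name.startswith("["):  # array descriptor: '[[Lcom/x/Y;' or primitive '[I'
            name = name.lstrip("[")
            if not (name.startswith("L") and name.endswith(";")):
                continue
            name = name[1:-1]
        names.add(name)
    return names


def specialize(project_classes, dependency_entries):
    """Keep dependency classes reachable from the project, plus all non-class resources.
    project_classes: {internal name: class bytes}; dependency_entries: {jar path: bytes}."""
    dep = {p[:-6]: d for p, d in dependency_entries.items() if p.endswith(".class")}
    kept, worklist = set(), set()
    for data in project_classes.values():
        worklist |= referenced_classes(data) & dep.keys()
    while worklist:  # transitive closure of references inside the dependency
        name = worklist.pop()
        kept.add(name)
        worklist |= (referenced_classes(dep[name]) & dep.keys()) - kept
    out = {p: d for p, d in dependency_entries.items() if not p.endswith(".class")}
    out.update({n + ".class": dep[n] for n in kept})
    return out


def repackage(entries):
    """Write the kept entries into a new JAR (a zip file) and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(entries):
            zf.writestr(path, entries[path])
    return buf.getvalue()


def make_class(this_name, super_name, refs=()):
    """Construct a minimal valid class file (no fields or methods) whose pool references `refs`."""
    pool = []

    def add_utf8(s):
        pool.append(bytes([UTF8]) + struct.pack(">H", len(s)) + s.encode())
        return len(pool)

    def add_class(s):
        pool.append(bytes([CLASS]) + struct.pack(">H", add_utf8(s)))
        return len(pool)

    this_idx, super_idx = add_class(this_name), add_class(super_name)
    for r in refs:
        add_class(r)
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(pool) + 1)  # class version 52 = Java 8
    # access flags, this_class, super_class, then zero interfaces, fields, methods, attributes
    tail = struct.pack(">HHHHHHH", 0x0021, this_idx, super_idx, 0, 0, 0, 0)
    return header + b"".join(pool) + tail


def demo():
    """Constructed scenario: app/Main uses lib/Json only; lib/Pretty and lib/Yaml are dead code."""
    dependency = {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "lib/Json.class": make_class("lib/Json", "java/lang/Object", ["lib/Parser"]),
        "lib/Parser.class": make_class("lib/Parser", "java/lang/Object", ["[Llib/Token;"]),
        "lib/Token.class": make_class("lib/Token", "java/lang/Object"),
        "lib/Pretty.class": make_class("lib/Pretty", "java/lang/Object", ["lib/Json"]),
        "lib/Yaml.class": make_class("lib/Yaml", "java/lang/Object", ["lib/Parser"]),
    }
    project = {"app/Main": make_class("app/Main", "java/lang/Object",
                                      ["lib/Json", "java/lang/String", "[I"])}
    kept = specialize(project, dependency)
    jar = repackage(kept)
    return sorted(kept), zipfile.ZipFile(io.BytesIO(jar)).namelist()


if __name__ == "__main__":
    kept_entries, jar_names = demo()
    print("kept entries:", kept_entries)
    print("jar contains:", jar_names)
```

Static constant-pool reachability is a lower bound on what the project needs: classes loaded through Class.forName, ServiceLoader or JNI leave no CONSTANT_Class entry, so a specialized JAR has to be validated by rebuilding and testing the project, which is what the abstract reports DepTrim doing for all 30 projects. Resources under META-INF/ are copied unchanged because the analysis says nothing about them. The security payoff is that every removed class is one fewer piece of third-party code to audit and patch and one fewer candidate for a deserialization gadget chain; the trade-off is that the repackaged artifact no longer matches the upstream coordinates and hash, so software composition analysis tooling that identifies dependencies by those must be given the provenance of the specialized JAR.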
WebAssembly Diversification for Malware Evasion
WebAssembly has become a crucial part of the modern web, offering a faster
alternative to JavaScript in browsers. While boosting rich applications in
browser, this technology is also very efficient to develop cryptojacking
malware. This has triggered the development of several methods to detect
cryptojacking malware. However, these defenses have not considered the
possibility of attackers using evasion techniques. This paper explores how
automatic binary diversification can support the evasion of WebAssembly
cryptojacking detectors. We experiment with a dataset of 33 WebAssembly
cryptojacking binaries and evaluate our evasion technique against two malware
detectors: VirusTotal, a general-purpose detector, and MINOS, a
WebAssembly-specific detector. Our results demonstrate that our technique can
automatically generate variants of WebAssembly cryptojacking that evade the
detectors in 90% of cases for VirusTotal and 100% for MINOS. Our results
emphasize the importance of meta-antiviruses and diverse detection techniques,
and provide new insights into which WebAssembly code transformations are best
suited for malware evasion. We also show that the variants introduce limited
performance overhead, making binary diversification an effective technique for
evasion