The Strengths and Behavioral Quirks of Java Bytecode Decompilers

During compilation from Java source code to bytecode, some information is irreversibly lost. In other words, compilation and decompilation of Java code is not symmetric. Consequently, the decompilation process, which aims at producing source code from bytecode, must establish some strategies to reconstruct the information that has been lost. Modern Java decompilers tend to use distinct strategies to achieve proper decompilation. In this work, we hypothesize that the diverse ways in which bytecode can be decompiled has a direct impact on the quality of the source code produced by decompilers. We study the effectiveness of eight Java decompilers with respect to three quality indicators: syntactic correctness, syntactic distortion and semantic equivalence modulo inputs. This study relies on a benchmark set of 14 real-world open-source software projects to be decompiled (2041 classes in total). Our results show that no single modern decompiler is able to correctly handle the variety of bytecode structures coming from real-world programs. Even the highest ranking decompiler in this study produces syntactically correct output for 84% of classes of our dataset and semantically equivalent code output for 78% of classes.Comment: 11 pages, 6 figures, 9 listings, 3 table

Coverage-Based Debloating for Java Bytecode

Software bloat is code that is packaged in an application but is actually not necessary to run the application. The presence of software bloat is an issue for security, for performance, and for maintenance. In this paper, we introduce a novel technique for debloating Java bytecode, which we call coverage-based debloating. We leverage a combination of state-of-the-art Java bytecode coverage tools to precisely capture what parts of a project and its dependencies are used at runtime. Then, we automatically remove the parts that are not covered to generate a debloated version of the compiled project. We successfully generate debloated versions of 220 open-source Java libraries, which are syntactically correct and preserve their original behavior according to the workload. Our results indicate that 68.3% of the libraries' bytecode and 20.5% of their total dependencies can be removed through coverage-based debloating. Meanwhile, we present the first experiment that assesses the utility of debloated libraries with respect to client applications that reuse them. We show that 80.9% of the clients with at least one test that uses the library successfully compile and pass their test suite when the original library is replaced by its debloated version

A Comprehensive Study of Bloated Dependencies in the Maven Ecosystem

Build automation tools and package managers have a profound influence on software development. They facilitate the reuse of third-party libraries, support a clear separation between the application's code and its external dependencies, and automate several software development tasks. However, the wide adoption of these tools introduces new challenges related to dependency management. In this paper, we propose an original study of one such challenge: the emergence of bloated dependencies. Bloated dependencies are libraries that the build tool packages with the application's compiled code but that are actually not necessary to build and run the application. This phenomenon artificially grows the size of the built binary and increases maintenance effort. We propose a tool, called DepClean, to analyze the presence of bloated dependencies in Maven artifacts. We analyze 9,639 Java artifacts hosted on Maven Central, which include a total of 723,444 dependency relationships. Our key result is that 75.1% of the analyzed dependency relationships are bloated. In other words, it is feasible to reduce the number of dependencies of Maven artifacts up to 1/4 of its current count. We also perform a qualitative study with 30 notable open-source projects. Our results indicate that developers pay attention to their dependencies and are willing to remove bloated dependencies: 18/21 answered pull requests were accepted and merged by developers, removing 131 dependencies in total.Comment: Manuscript submitted to Empirical Software Engineering (EMSE

Analyzing 2.3 Million Maven Dependencies to Reveal an Essential Core in APIs

This paper addresses the following question: does a small, essential, core set of API members emerges from the actual usage of the API by client applications? To investigate this question, we study the 99 most popular libraries available in Maven Central and the 865,560 client programs that declare dependencies towards them, summing up to 2.3M dependencies. Our key findings are as follows: 43.5% of the dependencies declared by the clients are not used in the bytecode; all APIs contain a large part of rarely used types and a few frequently used types, and the ratio varies according to the nature of the API, its size and its design; we can systematically extract a reuse-core from APIs that is sufficient to provide for most clients, the median size of this subset is 17% of the API that can serve 83% of the clients. This study is novel both in its scale and its findings about unused dependencies and the reuse-core of APIs. Our results provide concrete insights to improve Maven's build process with a mechanism to detect unused dependencies. They also support the need to reduce the size of APIs to facilitate API learning and maintenance.Comment: 15 pages, 13 figures, 3 tables, 2 listing

Software Diversity for Third-Party Dependencies

Thanks to the emergence of package managers and online software repositories, modern software development heavily relies on the reuse of third-party libraries. This practice has significant benefits in terms of productivity and reliability. Yet, the reuse of software libraries leads large groups of applications to share a significant amount of code, including potential defects such as bugs or vulnerabilities. The lack of diversity in these group of applications make them more prone to large-scale failures, and more predictable for attackers attempting to exploit their shared vulnerabilities.To mitigate these risks opened by library reuse, this dissertation proposes to introduce diversity in software applications.We create variants of software applications through transformations targeting the libraries they depend on. These variants provide functionalities equivalent to their original, while not sharing the exact same behavior. In this dissertation, we cover three aspects of software diversity.First, we study the existing behavioral diversity of alternative libraries implementing similar functionalities.We perform two case studies on two families of reusable software artifacts: JSON libraries and Bytecode decompilers. We provide empirical evidence that both groups of artifacts exhibit significant natural input/output behavioral diversity. Second, we study software transformations targeting libraries themselves. We propose six source-to-source transformations targeting software libraries, as well as a general architecture to implement library substitution. We implement this architecture in a JSON library substitution framework, leveraging the diversity of behavior we observe in JSON libraries. We assess the impact of these transformations on open-source libraries and software applications through two experiments. Finally, we study the properties of software applications and libraries that make them prone to transformation without changing their functionalities. We analyze the variants produced during our software diversification experiments and discuss our findings. In particular, we observe that the existence of alternative implementations at different granularity, instructions, methods, classes, and libraries, provides an important source of potential diversity that can be leveraged.Tack vare uppkomsten av pakethanterare och mjukvaruförråd på nätet ärmodern programvaruutveckling i hög grad beroende av återanvändning avbibliotek från tredje part. Denna praxis har betydande fördelar när det gällerproduktivitet och tillförlitlighet. Återanvändning av programvarubibliotek iett stort antal program leder dock till att dessa program delar en betydandemängd kod, inklusive potentiella fel som buggar och sårbarheter. Omprogramvarudefekter delas i stor utsträckning uppstår en risk för storskaligafel. Dessutom ökar risken för att samma sårbarhet kan användas mot fleraprogram med samma tredje-partsbibliotek. För att minska riskerna medåteranvändning av bibliotek föreslås i denna avhandling att man skaparvarianter av programvaror genom omvandlingar som är inriktade på debibliotek programvarorna är beroende av.I denna avhandling täcker vi tre aspekter av mjukvarumångfald. Förststuderar vi den befintliga beteendemässiga mångfalden hos alternativabibliotek som implementerar likvärdig funktionalitet. Vi genomför tvåfallstudier av två familjer av återanvändbar mjukvara: JSON-bibliotek ochBytecode-dekompilatorer. Vi ger empiriska bevis för att båda grupperna avmjukvara uppvisar en betydande beteendemässig mångfald när det gällerinput/output.Den andra aspekten som vi studerar är programvaruomvandlingarinriktade på själva biblioteken. Vi föreslår sex omvandlingar från källkodtill källkod inriktade på mjukvarubibliotek, samt en generell arkitektur föratt genomföra ersättningar av hela bibliotek. Vi tillämpar denna arkitekturi ett ramverk för att ersätta JSON-bibliotek och utnyttjar den mångfaldav beteenden som vi observerar i dessa. Vi bedömer effekterna av dessaomvandlingar på bibliotek och program med öppen källkod genom tvåexperiment.Slutligen studerar vi de egenskaper hos programvara och bibliotek somgör att de lämpar sig för omvandling utan att deras funktionalitet ändras.Vi analyserar de varianter som produceras under våra mjukvarudiversifieringsexperiment och diskuterar våra resultat. Vi konstaterar särskilt att förekomsten av alternativa implementeringar i olika skala, instruktioner, metoder,klasser och bibliotek, utgör en viktig källa till potentiell mångfald som kanutnyttjas.QCR 20220413</p

Software Diversity for Third-Party Dependencies

Thanks to the emergence of package managers and online software repositories, modern software development heavily relies on the reuse of third-party libraries. This practice has significant benefits in terms of productivity and reliability. Yet, the reuse of software libraries leads large groups of applications to share a significant amount of code, including potential defects such as bugs or vulnerabilities. The lack of diversity in these group of applications make them more prone to large-scale failures, and more predictable for attackers attempting to exploit their shared vulnerabilities.To mitigate these risks opened by library reuse, this dissertation proposes to introduce diversity in software applications.We create variants of software applications through transformations targeting the libraries they depend on. These variants provide functionalities equivalent to their original, while not sharing the exact same behavior. In this dissertation, we cover three aspects of software diversity.First, we study the existing behavioral diversity of alternative libraries implementing similar functionalities.We perform two case studies on two families of reusable software artifacts: JSON libraries and Bytecode decompilers. We provide empirical evidence that both groups of artifacts exhibit significant natural input/output behavioral diversity. Second, we study software transformations targeting libraries themselves. We propose six source-to-source transformations targeting software libraries, as well as a general architecture to implement library substitution. We implement this architecture in a JSON library substitution framework, leveraging the diversity of behavior we observe in JSON libraries. We assess the impact of these transformations on open-source libraries and software applications through two experiments. Finally, we study the properties of software applications and libraries that make them prone to transformation without changing their functionalities. We analyze the variants produced during our software diversification experiments and discuss our findings. In particular, we observe that the existence of alternative implementations at different granularity, instructions, methods, classes, and libraries, provides an important source of potential diversity that can be leveraged.Tack vare uppkomsten av pakethanterare och mjukvaruförråd på nätet ärmodern programvaruutveckling i hög grad beroende av återanvändning avbibliotek från tredje part. Denna praxis har betydande fördelar när det gällerproduktivitet och tillförlitlighet. Återanvändning av programvarubibliotek iett stort antal program leder dock till att dessa program delar en betydandemängd kod, inklusive potentiella fel som buggar och sårbarheter. Omprogramvarudefekter delas i stor utsträckning uppstår en risk för storskaligafel. Dessutom ökar risken för att samma sårbarhet kan användas mot fleraprogram med samma tredje-partsbibliotek. För att minska riskerna medåteranvändning av bibliotek föreslås i denna avhandling att man skaparvarianter av programvaror genom omvandlingar som är inriktade på debibliotek programvarorna är beroende av.I denna avhandling täcker vi tre aspekter av mjukvarumångfald. Förststuderar vi den befintliga beteendemässiga mångfalden hos alternativabibliotek som implementerar likvärdig funktionalitet. Vi genomför tvåfallstudier av två familjer av återanvändbar mjukvara: JSON-bibliotek ochBytecode-dekompilatorer. Vi ger empiriska bevis för att båda grupperna avmjukvara uppvisar en betydande beteendemässig mångfald när det gällerinput/output.Den andra aspekten som vi studerar är programvaruomvandlingarinriktade på själva biblioteken. Vi föreslår sex omvandlingar från källkodtill källkod inriktade på mjukvarubibliotek, samt en generell arkitektur föratt genomföra ersättningar av hela bibliotek. Vi tillämpar denna arkitekturi ett ramverk för att ersätta JSON-bibliotek och utnyttjar den mångfaldav beteenden som vi observerar i dessa. Vi bedömer effekterna av dessaomvandlingar på bibliotek och program med öppen källkod genom tvåexperiment.Slutligen studerar vi de egenskaper hos programvara och bibliotek somgör att de lämpar sig för omvandling utan att deras funktionalitet ändras.Vi analyserar de varianter som produceras under våra mjukvarudiversifieringsexperiment och diskuterar våra resultat. Vi konstaterar särskilt att förekomsten av alternativa implementeringar i olika skala, instruktioner, metoder,klasser och bibliotek, utgör en viktig källa till potentiell mångfald som kanutnyttjas.QCR 20220413</p

Privacy in Mobile Apps. Measuring Privacy Risks in Mobile Apps

Privacy risks are increasingly linked to how people use their smartphones and tablets. This study investigates privacy issues in 21 mobile apps for Android. The experiment was done in Oslo, Norway, in November and December 2015. All the apps in this study accessed personally identifiable information. A central finding is that many mobile apps not owned by big American tech companies (e_g. Google, Facebook) - such as sports apps and dating apps - transmitted potentially sensitive user data to a complex myriad of third-party services. In our study the 21 mobile apps communicated with approximately 600 different primary and third-party domains. Many of these third-party domains are trackers that pose potential privacy risks because we have little knowledge about how they collect, store and link user data. Third-party trackers in our study sent data to servers in Europe and the USA. Oppdragsgiver: Norwegian Consumer Counci