Abstract

As the complexity of software projects increases, more and more developers package external dependency libraries into their projects to simplify development. Unfortunately, these introduced dependencies are likely to bring many potential security risks with them; this phenomenon is called software bloat. One way to handle this increased threat is software debloating, i.e., the removal of dead code and of code corresponding to vulnerabilities introduced by external dependency libraries. In this paper, we propose JSLIM, an effective vulnerability-aware software debloating system. First, JSLIM processes public vulnerability information with natural language processing techniques, obtains the mapping between each vulnerability and the NPM package it affects, and determines which function in the package causes that vulnerability. Then, using the generated function call graph, it determines whether the program calls the vulnerable method in the dependent library. JSLIM removes the code that is not called by the program and uses a sandbox to isolate the code that is vulnerable but cannot be removed. We conduct experiments on popular open-source JavaScript applications. The experimental results show that our method removes most of the code related to the application's known vulnerabilities and effectively prevents attackers from exploiting known vulnerabilities in NPM packages to attack applications.

Keywords: JavaScript; Debloating; Vulnerability; Security; Static analysis
