Role Models: Role-based Debloating for Web Applications

The process of debloating, i.e., removing unnecessary code and features in software, has become an attractive proposition to managing the ever-expanding attack surface of ever-growing modern applications. Researchers have shown that debloating produces significant security improvements in a variety of application domains including operating systems, libraries, compiled software, and, more recently, web applications. Even though the client/server nature of web applications allows the same backend to serve thousands of users with diverse needs, web applications have been approached monolithically by existing debloating approaches. That is, a feature can be debloated only if none of the users of a web application requires it. Similarly, everyone gets access to the same "global"features, whether they need them or not. Recognizing that different users need access to different features, in this paper we propose role-based debloating for web applications. In this approach, we focus on clustering users with similar usage behavior together and providing them with a custom debloated application that is tailored to their needs. Through a user study with 60 experienced web developers and administrators, we first establish that different users indeed use web applications differently. This data is then used by DBLTR, an automated pipeline for providing tailored debloating based on a user's true requirements. Next to debloating web applications, DBLTR includes a transparent content-delivery mechanism that routes authenticated users to their debloated copies. We demonstrate that for different web applications, DBLTR can be 30-80% more effective than the state-of-the-art in debloating in removing critical vulnerabilities.