Trimmer: An Automated System for Configuration-Based Software Debloating

IEEE Transactions on Software Engineering (2022)

Abstract
Software bloat has negative implications for security, reliability, and performance. To counter bloat, we propose Trimmer, a static analysis-based system for pruning unused functionality. Trimmer removes code that is unused with respect to user-provided command-line arguments and application-specific configuration files. Trimmer uses concrete memory tracking and a custom inter-procedural constant propagation analysis that facilitates dead code elimination. Our system supports both context-sensitive and context-insensitive constant propagation. We show that context-sensitive constant propagation is important for effective software pruning in most applications. We introduce sparse constant propagation that performs constant propagation only for configuration-hosting variables and show that it performs better (higher code size reductions) compared to constant propagation for all program variables. Overall, our results show that Trimmer reduces binary sizes for real-world programs with reasonable analysis times. Across 20 evaluated programs, we observe a mean binary size reduction of 22.7 percent and a maximum reduction of 62.7 percent. For 5 programs, we observe performance speedups ranging from 5 to 53 percent. Moreover, we show that winnowing software applications can reduce the program attack surface by removing code that contains exploitable vulnerabilities. We find that debloating using Trimmer removes CVEs in 4 applications.
Keywords
Compilers, partial evaluation, program analysis
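
As an added illustration (not code from the paper or from the Trimmer project), the Python sketch below shows the idea the abstract describes: constants are propagated only through variables that host configuration values, branches that become decidable are folded, and functions left unreachable are dropped. The toy IR and the names `PROGRAM`, `fold`, `calls` and `debloat` are assumptions made for this example, and only the entry function is specialized (no inter-procedural or context-sensitive analysis).

```python
# Toy IR (constructed): ("call", fn) | ("copy", dst, src) | ("if", var, const, then, else)
PROGRAM = {
    "main": [
        ("copy", "mode", "cfg_mode"),
        ("if", "mode", "server", [("call", "serve")], [("call", "fetch")]),
        ("if", "cfg_tls", "on", [("call", "tls_init")], []),
        ("if", "user_input", "debug", [("call", "dump_state")], []),
    ],
    "serve": [("call", "log")], "tls_init": [], "dump_state": [],
    "fetch": [("call", "parse_url"), ("call", "log")], "parse_url": [], "log": [],
}

def fold(block, env):                        # env: variable -> known config constant
    out = []
    for stmt in block:
        if stmt[0] == "if":
            _, var, const, then, els = stmt
            if var in env:                   # decidable: keep only the live arm
                out += fold(then if env[var] == const else els, env)
            else:                            # runtime condition: keep both arms
                e1, e2 = dict(env), dict(env)
                out.append(("if", var, const, fold(then, e1), fold(els, e2)))
                env.clear()                  # keep only facts true on both paths
                env.update({k: v for k, v in e1.items() if e2.get(k) == v})
            continue
        if stmt[0] == "copy":
            _, dst, src = stmt
            if src in env:
                env[dst] = env[src]          # dst now hosts a config value
            else:
                env.pop(dst, None)           # overwritten by a runtime value
        out.append(stmt)
    return out

def calls(block):                            # callees mentioned anywhere in a block
    for stmt in block:
        if stmt[0] == "call":
            yield stmt[1]
        elif stmt[0] == "if":
            yield from calls(stmt[3] + stmt[4])

def debloat(program, config, entry="main"):
    spec = {**program, entry: fold(program[entry], dict(config))}
    live, work = {entry}, [entry]
    while work:                              # reachability from the entry point
        for callee in set(calls(spec[work.pop()])) - live:
            live.add(callee)
            work.append(callee)
    return {fn: body for fn, body in spec.items() if fn in live}
```

With the constructed configuration `{"cfg_mode": "server", "cfg_tls": "off"}`, `fetch`, `parse_url` and `tls_init` are removed, while the branch on the runtime value `user_input` and its callee `dump_state` are kept.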