Recent advances in generative AI and Large Language Models (LLMs), such as ChatGPT, are ushering in a
new era of generative AI that operates on written human language. While LLMs can handle a vast array of tasks, software
engineers readily make use of ChatGPT's ability to write and review software code, provide actionable suggestions,
or resolve bugs. To improve on the current state-of-the-art of debloating solutions, we propose leveraging LLMs to
remove code, that is, to generate a redacted subset of the original code. We hypothesize that the ability of LLMs
to generalize agnostically across multiple use-cases (type of bloat, type of software, stage of the life cycle) can further
advance debloating techniques at a quicker and more versatile pace.
More specifically, we argue that LLMs can be leveraged in multiple ways for debloating. First, they can be used
to guide the process by going from a high-level requirement (e.g., "drop the PDF reader support") to identifying the
concrete code implementing the feature. Second, they can actually remove code. Third, they can validate the process
through comprehensive testing and fuzzing to ensure that core functionalities are preserved while confirming that the
attack surface has been effectively reduced.
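As an added illustration of the three stages above (not code from the paper), the following Python sketch runs stages 2 and 3 over a constructed toy program: the stage-1 mapping from the requirement "drop the PDF reader support" to concrete functions, which the paper would have the LLM produce, is hard-coded as `PDF_FEATURE` so the example runs offline. The validation check also shows why deleting definitions alone is not enough: dropping only `render_pdf` leaves a dangling call that the check flags.

```python
import ast
import builtins
# Constructed sample program (hypothetical, written for this example): a
# tiny viewer whose PDF support is the feature to drop.
SOURCE = '''
def open_text(path):
    return open(path).read()
def render_pdf(data):
    return "pdf:" + str(len(data))
def open_pdf(path):
    return render_pdf(open(path, "rb").read())
def show(path):
    if path.endswith(".pdf"):
        return open_pdf(path)
    return open_text(path)
'''
# Stage 1 output, i.e. what the LLM would be asked to identify from the
# requirement "drop the PDF reader support"; hard-coded so this runs offline.
PDF_FEATURE = {"render_pdf", "open_pdf"}
def _only_calls(stmt, names):
    """True if stmt is `return f(...)` or a bare `f(...)` with f in names."""
    expr = stmt.value if isinstance(stmt, (ast.Return, ast.Expr)) else None
    return (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Name)
            and expr.func.id in names)
class DropFeature(ast.NodeTransformer):
    # Stage 2: delete the feature's definitions and any branch that only
    # dispatches into them, producing a redacted subset of the original.
    def __init__(self, names):
        self.names = names
    def visit_FunctionDef(self, node):
        return None if node.name in self.names else self.generic_visit(node)
    def visit_If(self, node):
        self.generic_visit(node)
        if node.body and all(_only_calls(s, self.names) for s in node.body):
            return node.orelse or None   # keep the else-branch, if any
        return node

def debloat(source, names):
    return ast.unparse(DropFeature(names).visit(ast.parse(source)))

def dangling_calls(source):
    # Stage 3 check: calls to names that no longer exist, i.e. a removal
    # that broke a code path the remaining program still reaches.
    tree = ast.parse(source)
    defined = set(dir(builtins)) | {n.name for n in ast.walk(tree)
                                    if isinstance(n, ast.FunctionDef)}
    called = {n.func.id for n in ast.walk(tree)
              if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)}
    return called - defined
```

In practice this check would sit next to the test suite and fuzzing the paper describes; it only catches statically visible breakage, not behavioural regressions.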