assert-kth / jdbl Goto Github PK

JDBL automatically removes unnecessary bytecode from Java applications through dynamic analysis https://dl.acm.org/doi/abs/10.1145/3546948

Home Page: https://www.cesarsotovalero.net/blog/diversity-driven-software-debloat.html

License: MIT License

Java 89.17% Shell 0.07% HTML 6.35% JavaScript 2.54% CSS 1.87%

debloating bytecode-manipulation maven-plugin

jdbl's Introduction

JDBL

What is JDBL?

JDBL is a Java DeBLoat tool. With JDBL, developers can automatically specialize Java libraries at build-time through dynamic debloating. JDBL executes the library and removes the methods, classes, and dependencies that are not needed to provide the expected output. The result is a smaller bundled file (e.g., JAR or WAR), which is tailored to the specific needs of the client. Using JDBL is great because it saves space on disk, reduces the attack surface, and improves performance of the client application. JDBL can be used as a Maven plugin (see usage), with minimal or zero configuration effort.

How does JDBL work?

JDBL is executed before the package phase of the Maven build lifecycle. First, JDBL compiles and instruments the bytecodes of the application and its dependencies. Then, JDBL collects accurate coverage information by executing the application based on a given workload. All the API members (e.g., classes and methods) used during the execution are collected at runtime. For more details about the coverage technique employed by JDBL read this blog post. JDBL removes the rest of unused API members through bytecode transformations using the ASM library. Finally, the debloated application is validated through the Maven package phase and it is bundled as a JAR or WAR file.

NOTE: JDBL produces a smaller, debloated version of the Java application without modifying its source code. The modified version is automatically packaged as a JAR file as resulting from the Maven build lifecycle.

Why is JDBL different?

Existing debloating tools for Java (e.g., Proguard) are rather conservative when removing API members because they rely on static analysis. In contrast, JDBL takes advantage of dynamic analysis to shrink all the bytecode that is not used during a particular execution trace. This way, JDBL outperforms competitors by removing more unnecessary while keeping the desired functionality. JDBL is fully automatic; no configuration is required.

Usage

To use JDBL as a Maven plugin, first clone this repository and run mvn clean install. Then, add the plugin to the pom.xml of the Maven project to be debloated:

<plugin>
    <groupId>se.kth.castor</groupId>
    <artifactId>jdbl-maven-plugin</artifactId>
    <version>1.0.0</version>
    <executions>
        <execution>
            <goals>
                <goal>${strategy}</goal>
            </goals>
        </execution>
    </executions>
</plugin>

The property ${strategy} can take one of the two following values, depending on the debloating strategy adopted:

test-based-debloat Removes the API members that are not covered by the test suite of the Maven project.
entry-point-debloat Removes the API members that are used after compiling and executing the Maven project from a given entry-point.

Optional parameters

In the case of the entry-point strategy, the following additional configuration parameters can be provided:

Name	Type	Description
`<entryClass>`	`<String>`	Fully qualified name of the class used as the entry point of the application. Typical value is: `Main`.
`<entryMethod>`	`<String>`	Fully qualified name of the method in the `<entryClass>` used as the entry point of the application. Typical value is: `main`./
`<entryParameters>`	`Set<String>`	Parameters of the `<entryMethod>` used provided. Only string values separated by commas are permitted.
`<skipJDBL>`	`boolean`	Skip plugin execution completely. Default value is: `false`.

License

JDBL is distributed under the MIT License. See LICENSE for more information.

Funding

JDBL is partially funded by the Wallenberg Autonomous Systems and Software Program (WASP).

jdbl's People

Stargazers

Watchers

Forkers

chubbymaggie kaizhiyu sxh519 z-zhiqiang

jdbl's Issues

Create core module

Extract the main logic of JDbl to an external module, e.g., jdbl-core.

Add minimal set of projects for which JDBL doesn't work

It's hard to analyze the results of JDBL on a large set of projects because it takes too much time to run. Therefore, we need to create a minimal set of projects that are failing the tests on the debloated library, and for which the client doesn't compile. This way, we should be able to fix the problems one at the time, and improve JDBL incrementally.

Dependencies with provided scope are bundled in the JAR after executing JDBL

For projects with dependencies with provided scope, those dependencies are copied to /target/classes by JDBL when resolving direct and transitive dependencies. Those dependencies are needed in the classpath of the project for running the test suite, but will not be shipped in the JAR file after using the jar-with-dependencies Maven plugin (see the plugin doc).

We need to exclude those dependencies from the bundle JAR by adding them to the classpath but put them out of the /target/classes directory.

Debloat of classes with only constants doesn't work

JDBL is removing classes that only contain public static final fields. For example, see 3192737. JDBL should NOT remove such classes.

This is because the compiler replaces the constant by the actual value in the bytecode, so the class is never loaded at runtime. There are several workarounds to resolve this issue. For example this one.

See this and this related questions.

JDBL must use JaCoCo API for offline instrumentation

At this moment, to run the test-based debloat with JDBL, the project needs to include JaCoCo as a plugin. JDBL should use the JaCoCo CLI for performing the offline instrumentation. This way, the JDBL users will only need to include the Maven plugin for running JDBL.

Write coverage results of the different tools to file for further comparison

Let's write the classes and methods covered by each coverage tool to a CSV file. This will allow us to compare how the diversity of coverage implementations helps to cover more used classes and methods. Also useful for representing this interesting result as a Venn Diagram.

When removing exceptions re-testing doesn't work

JDBL is removing necessary classes that extend from Exceptions. This causes failures when executing the debloated version.

JDBL does not detect the usage of synthetic methods in enums

Java coverage tools do not detect the usage of synthetic methods in enums. In particular, the JVM documentation specifies the existence of the two implicitly declared methods values and valueOf in enums. These methods are causing JDBL fail for many tests.

As discussed in this SO question:

It’s the duty of the compiler resp. bytecode generating tool to insert their implementation to the specific enum type. Note that despite being compiler-generated, these two methods should not get marked as synthetic.

Fix JDBL github pages

For some reason, I can't see the code of the GitHub Jekyll page https://castor-software.github.io/jdbl/ (currently in branch gh-pages).

compare covered and debloated bytecode

Measure at 'signature' level:

types
methods

Count signatures

total
covered (according to jacoco)
necessary (according to jdbl)
removed (according to jdbl)

When removing interfaces re-testing doesn't work

JDBL is removing necessary interfaces. This causes failures when executing the debloated version.

JDBL is bundling optional dependencies

The jdbl-maven-plugin uses the copy-dependencies Maven plugin to download all the dependencies of the project to be debloated into a local directory. This includes dependencies that are tagged as optional. However, the maven-assembly-plugin, commonly used to build a fat jar of applications, doesn't include optional dependencies in the bundle.

Thus, we need to filter out or exclude optional dependencies during the debloat phase. It seems that Maven doesn't support such a feature (see this SO question).

Covered method is removed

The method: 'SimpleIoBuffer.put()' is removed but the method is covered by jacoco <method name="put" desc="([B)V" line="39"><counter type="INSTRUCTION" missed="0" covered="6"/><counter type="LINE" missed="0" covered="2"/><counter type="COMPLEXITY" missed="0" covered="1"/><counter type="METHOD" missed="0" covered="1"/></method>

"com.googlecode.xmemcached:xmemcached": {
    "artifactId": "xmemcached",
    "groupId": "com.googlecode.xmemcached",
    "repo_name": "killme2008/xmemcached",
    "java_version": "1.5",
    "version": "2.4.7-SNAPSHOT",
    "clients": {
     "2.2.0": [
      {
       "repo_name": "pyloque/Gspark",
       "groupId": "zhangyue",
       "artifactId": "gspark",
       "version": "2.2.0"
      }
     ]
    },
    "releases": {
     "2.0.0": "4cb2376d614cf034a094610c8c37af8283d6cb2b",
     "1.4.2": "4cb2376d614cf034a094610c8c37af8283d6cb2b",
     "1.3.6": "dc8314c43fc7e4eb01b64cc2550f27da4af3c113",
     "1.3.8": "36b9de565f5cfb741bf5ea96d406e8ef20b6697f",
     "2.2.0": "4dca57581cd63219e3f3bab832328abffbb78fe2",
     "1.3.5": "91c47f3dde25a73a9f89b0e861a126d842fa3488",
     "1.3.3": "ad8dbeb3f93c13fdc7f8c91237412ef3b8461adf"
    }
  }