Bloatware as a security risk: Researchers' innovative ways to combat the scourge

Unnecessary code in software provides digital criminals more opportunities to compromise computing devices, according to researchers. Read about their solutions to bloatware.

Image: iStock

Wirth's Law—which states that software is getting slower more rapidly than hardware is getting faster—is not as well known as Moore's Law, and that is how the Office of Naval Research (ONR) would like to keep it. Unlike Moore's Law, Wirth's Law has an adverse impact on computing performance, thanks to software bloat.

Put simply, software bloat is the accumulation of unnecessary code in a program. The additional code causes the program to use excessive hardware resources such as memory, slowing down the program and other programs installed on the computer.

From this ONR press release: "Thanks to voracious consumer appetites for software features and faster product rollouts, modern coders use pre-made libraries to meet demand. The problem is these libraries contain both the new code and the repetitive code from previous software versions — creating layers of redundant, unused, and outdated functions that slow down computer running time."

Slower has been acceptable so far, as hardware advances have been able to mask the slowdown. But, now there are additional concerns.

SEE: It's time to ban bloatware, the persistent PC security pest (ZDNet)

Bloat creates security issues

"Software bloat isn't only a nuisance or inconvenience," said ONR Program Officer Dr. Sukarno Mertoguno, in the organization's press release. "It also presents a serious security risk, since the additional code could offer hackers more entry points into a software program."

The ONR is collaborating with security researchers Dr. Dinghao Wu at Pennsylvania State University and Dr. Harry Xu at the University of California, Irvine to address security issues caused by software bloat. "A bloated software system contains a larger code base that could lead to more vulnerabilities and greater entry platforms for hackers and cyber terrorists," mentions Wu in the ONR press release. "After gaining access to a system, a hacker can use the code—even unused, older code—for malicious purposes."

JRed identifies software bloat

To combat software bloat, Dr. Wu and fellow researchers Peng Liu and Yufei Jiang at Pennsylvania State University created JRed. The software tool quickly reads thousands of lines of code, and by applying algorithmically-determined rules to the code, software bloat is located and removed.

In the paper JRed: Program Customization and Bloatware Mitigation Based on Static Analysis (PDF), Wu, Liu, and Jiang write, "We evaluated the effectiveness of JRed on trimming security-related vulnerabilities in the Java Runtime JRE, and the results show that nearly half of the known security vulnerabilities can be trimmed away with the specialized JREs for each benchmark program."

Library Auto-Selection (LAS)

Dr. Xu and his research team at UC Irvine also looked at Java. "Much evidence shows that seemingly harmless performance problems can lead to severe scalability reductions and financial losses. Even mature software written by expert engineers has had performance issues that caused serious and highly publicized incidents," Xu mentions in a UC Irvine press release.

To combat software bloat, Xu and fellow researchers created a software optimization technique called Library Auto-Selection (LAS). "LAS combines both the developer's insights along with compiler and runtime system support to automatically remove inefficiencies in software," explains the press release. "It targets a broad class of performance issues in object-oriented programs resulting from generalized implementations of libraries."

In simple language, LAS creates what are called "shadow libraries" that find software bloat and then update the program, so only the necessary code is used. Xu is quoted as saying the LAS method has trimmed software bloat to a significant degree, while improving runtime speeds by more than 70%.

Improve runtime

Besides eliminating security issues, both JRed and LAS are doing their part to increase performance. "JRed might potentially create more opportunity for whole program optimizations," mentions Dr Wu in the JRed research paper. "Also, due to the reduction of code size, the program loading and starting time can be significantly reduced and from an end user point of view, JRed does improve the performance for certain Java applications. This might have a bigger impact in a smart-device environment."

Next step: Mobile and cloud

Both research teams are expanding their search for software bloat. They are currently looking at software used in mobile and large-scale cloud-computing applications. Interestingly, if JRed and LAS create enough interest—and they should since removing software bloat saves time and money and improves security—Wirth's Law will indeed stay relatively unknown.

Note: The research by both the Penn State and UC Irvine teams are part of ONR's Cyber Security and Complex Software Systems Program, which focuses on the design and construction of software systems that meet required assurances for security, safety, reliability, and performance.

Also see

About Michael Kassner

Information is my field...Writing is my passion...Coupling the two is my mission.

Editor's Picks

Free Newsletters, In your Inbox