Janis Lesinskis' Blog


Debloating
Today is just another day on the internet. I periodically look at the logs for the static sites I run just to see what people are sending, and something like this is fairly typical:

112.114.104.22 - - [28/Sep/2019:12:15:37 +0000] "POST /FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=FileUpload&Type=File&CurrentFolder=%2F HTTP/1.1" 500 1219 "http://www.lesinskis.com/FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=FileUpload&Type=File&CurrentFolder=%2F" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)" "112.114.104.22" response-time=0.033
112.114.104.22 - - [28/Sep/2019:12:15:41 +0000] "POST /admin_aspcms/_system/AspCms_SiteSetting.asp HTTP/1.1" 500 1219 "http://www.lesinskis.com/admin_aspcms/_system/AspCms_SiteSetting.asp" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)" "112.114.104.22" response-time=0.004
112.114.104.22 - - [28/Sep/2019:12:15:42 +0000] "POST /plus/90sec.php HTTP/1.1" 500 1219 "http://www.lesinskis.com/plus/90sec.php" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)" "112.114.104.22" response-time=0.016
112.114.104.22 - - [28/Sep/2019:12:15:46 +0000] "POST /utility/convert/index.php?a=config&source=d7.2_x2.0 HTTP/1.1" 500 1219 "http://www.lesinskis.com/utility/convert/index.php?a=config&source=d7.2_x2.0" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)" "112.114.104.22" response-time=0.022
112.114.104.22 - - [28/Sep/2019:12:15:50 +0000] "POST /utility/convert/data/config.inc.php HTTP/1.1" 500 1219 "http://www.lesinskis.com/utility/convert/data/config.inc.php" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)" "112.114.104.22" response-time=0.002
112.114.104.22 - - [28/Sep/2019:12:15:51 +0000] "POST /uploads/dede/sys_verifies.php?action=down HTTP/1.1" 500 1219 "http://www.lesinskis.com/uploads/dede/sys_verifies.php?action=down" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)" "112.114.104.22" response-time=0.003
112.114.104.22 - - [28/Sep/2019:12:15:51 +0000] "POST /index.php/api/Uploadify/preview HTTP/1.1" 500 1219 "http://www.lesinskis.com/index.php/api/Uploadify/preview" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)" "112.114.104.22" response-time=0.003
112.114.104.22 - - [28/Sep/2019:12:15:52 +0000] "POST /fdgq.php HTTP/1.1" 500 1219 "http://www.lesinskis.com/fdgq.php" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)" "112.114.104.22" response-time=0.003
112.114.104.22 - - [28/Sep/2019:12:15:56 +0000] "POST /rvkdz.php HTTP/1.1" 500 1219 "http://www.lesinskis.com/rvkdz.php" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)" "112.114.104.22" response-time=0.003
112.114.104.22 - - [28/Sep/2019:12:15:57 +0000] "POST /ysyqq.php HTTP/1.1" 500 1219 "http://www.lesinskis.com/ysyqq.php" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)" "112.114.104.22" response-time=0.002
112.114.104.22 - - [28/Sep/2019:12:16:01 +0000] "POST /lzlqs.php HTTP/1.1" 500 1219 "http://www.lesinskis.com/lzlqs.php" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)" "112.114.104.22" response-time=0.005

This is just another example of the frequent, run-of-the-mill attempts to scan automatically for vulnerabilities.
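To make the point concrete, here is an added example (not from the original post) that parses lines in this log format and counts, per source address, the requests aimed at tech stacks the site does not run. The combined-log regex is an assumption about the format above, and the sample lines and the 192.0.2.x / 198.51.100.x addresses are constructed.

```python
"""Spot probes for tech stacks a static site does not run (added example)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined log format (assumed from the lines above); the trailing quoted
# fields and response-time are not needed, so they are left unmatched.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Stacks this site does not deploy, keyed by path extension. Every hit
# here is a request for software that is not installed at all.
UNUSED_STACKS = {".php": "PHP", ".asp": "ASP", ".aspx": "ASP.NET", ".jsp": "Java/JSP"}

# Constructed sample lines (paths are the ones from the log excerpt above).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Sep/2019:12:15:37 +0000] "POST /FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=FileUpload HTTP/1.1" 500 1219 "-" "Mozilla/5.0" "192.0.2.10" response-time=0.033',
    '192.0.2.10 - - [28/Sep/2019:12:15:42 +0000] "POST /plus/90sec.php HTTP/1.1" 500 1219 "-" "Mozilla/5.0" "192.0.2.10" response-time=0.016',
    '192.0.2.10 - - [28/Sep/2019:12:15:51 +0000] "POST /index.php/api/Uploadify/preview HTTP/1.1" 500 1219 "-" "Mozilla/5.0" "192.0.2.10" response-time=0.003',
    '198.51.100.7 - - [28/Sep/2019:12:20:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "198.51.100.7" response-time=0.001',
]

def parse_line(line):
    """Return the parsed fields plus the bare request path, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path  # drop the query string
    return rec

def target_stack(path):
    """Name the unused stack a path is aimed at, or None for ordinary requests."""
    lower = path.lower()
    for ext, name in UNUSED_STACKS.items():
        # Also catch path-info style URLs such as /index.php/api/Uploadify/preview
        if lower.endswith(ext) or (ext + "/") in lower:
            return name
    return None

def probes_by_source(lines):
    """Count requests per (source IP, stack) that target stacks we do not deploy."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        stack = target_stack(rec["path"])
        if stack is not None:
            counts[(rec["ip"], stack)] += 1
    return counts

if __name__ == "__main__":
    for (ip, stack), n in probes_by_source(SAMPLE_LOG).most_common():
        print(f"{ip} sent {n} request(s) for {stack}, which is not installed here")
```

Because the site serves no PHP or ASP at all, every line this reports is noise from a scanner rather than something that needs patching, which is exactly the attack surface argument made below.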

Why debloating matters

For a while now people have talked about the increasing bloat of the web. A good talk about this is "The Website Obesity Crisis": page loads and page sizes really have got out of hand in recent times.

One thing that's less talked about is the complete blow-out in the number of dependencies in modern web deployments. Of course there are the more egregious cases, like left-pad, which caused a huge number of issues when it was pulled from npm.

But there are a lot more issues lurking below the surface that nobody talks about. Specifically, installed code that you do not actually use widens the attack surface while providing you no extra features.

Debloating as a security measure

There's a particularly interesting paper that analyses how much the number of vulnerabilities was reduced by debloating PHP applications: https://www.securitee.org/files/debloating_usec2019.pdf

The access log example from before shows in practice why this works from an infosec point of view. All those requests are crafted to exploit vulnerabilities in PHP and ASP apps; since I don't run PHP on my site, I don't have it enabled, so there is nothing for those requests to hit. Reducing the attack surface is always a good idea if you can. Disabling tech stacks you don't use is a good start; the more sophisticated approach of disabling the parts of a tech stack you aren't using takes this one step further.

One of the issues you can run into is packages, distributions and containers that have too many things installed in them. What is convenient at the prototyping or development stage can be bad for security at the deployment stage. As such, people have also looked at approaches for debloating containers: https://pages.cs.wisc.edu/~vrastogi/static/papers/rddjm17.pdf

Published: Sat 23 November 2019
By Janis Lesinskis
In Software-engineering
Tags: security infosec web debloating attack-surface
