HallMonitor: A Framework for Identifying Network Policy Violations in Software

2022 IEEE Conference on Communications and Network Security (CNS) (2022)

Abstract
Debloating helps to remove unused and potentially vulnerable code from software. While such techniques are becoming more mature and practical, they focus on the features that are unwanted by users, and not on a wealth of functionality that is disallowed by administrative policy. For instance, while an administrator may use a firewall to block certain types of traffic, hosts readily interact with such traffic when the firewall is bypassed (e.g., via an encrypted tunnel). In this paper, we present HALLMONITOR, a tool that helps trim software functionality based on violations of network policy. HALLMONITOR translates violations expressed in firewall and intrusion detection system rules (specifically, iptables and Snort) into parameters for detecting the implementation of such functions in source code spread amongst clients. We demonstrate the power of this approach first by removing echo functionality from ICMP, showing the ability to remove functions that enable higher-level attacks (e.g., network mapping). We then use network filtering rules to tag 14 out of 16 CVEs in Curl and Nginx (based on ground truth from patches) to show the efficacy of our approach. In doing so, we demonstrate that network policy can be used to guide the removal not simply of code that users may not want, but instead of features that they are not allowed to use.