Virtual Faculty Lecture with Rakesh Bobba
About this Event
In Pursuit of Lean OS Kernels: Reducing Attack Surface Through Debloating
Presented by Dr. Rakesh Bobba, Associate Professor of Electrical Engineering and Computer Science
Modern operating systems, such as Linux, include a vast range of features to support many different devices and use cases. However, most systems only rely on a small fraction of this functionality. The unused portions of the operating system increase the system’s “attack surface,” creating more opportunities for security vulnerabilities.
This lecture examines recent advancements in kernel debloating, a method for trimming unnecessary parts of the operating system kernel to reduce code size and improve security.
The presentation introduces TRACIE, a tool that observes real system behavior and customizes the kernel based on how the system is actually used. By more accurately linking system activity to the kernel features required to support it, TRACIE removes approximately 21.67% of unneeded code — an 8% improvement over prior techniques — and eliminates one known security vulnerability.
The lecture then highlights DICE, a new approach that does not rely on system activity traces. Instead, it analyzes the kernel’s configuration structure and iteratively removes unnecessary components. DICE achieves a 35.59% reduction in code size and eliminates ten additional known vulnerabilities.
Finally, the talk presents an empirical analysis of the Linux configuration system itself. Findings show that structural constraints—such as overly broad configuration options and rigid dependency rules—limit how effectively the kernel can be reduced through configuration-based methods. These results point toward opportunities for future improvements in kernel design and configuration mechanisms.
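To make the two debloating strategies and the "rigid dependency rules" observation concrete, here is an added toy model; it is example code written for this page, not code from the talk, TRACIE, or DICE. It assumes a small Kconfig-like option graph with `depends on` and `select` edges (the symbol names and the "observed features" trace are constructed for illustration, not taken from a real kernel tree), and shows a trace-driven closure in the spirit of TRACIE beside an iterative prune in the spirit of DICE, then reports how much of the kept configuration was forced in by constraints rather than by observed use.

```python
"""Toy model of configuration-driven kernel debloating (constructed example).

Two strategies over the same constraint graph:
  * required_closure(): start from the options that observed activity needs
    and pull in everything `depends on` / `select` demands (trace-driven).
  * iterative_prune(): start from the full configuration and repeatedly drop
    options that nothing still enabled needs, until a fixed point (no trace
    of system activity beyond the required set is used).
Both respect the same constraints, so they converge on the same configuration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set, Tuple


@dataclass(frozen=True)
class Option:
    name: str
    depends_on: FrozenSet[str] = frozenset()  # all must be enabled for this option to be valid
    selects: FrozenSet[str] = frozenset()     # enabling this option forces these on as well


def opt(name: str, depends_on: Iterable[str] = (), selects: Iterable[str] = ()) -> Option:
    return Option(name, frozenset(depends_on), frozenset(selects))


# Constructed option graph: names merely resemble Kconfig symbols, this is not a real tree.
OPTIONS: Dict[str, Option] = {o.name: o for o in [
    opt("CORE"),
    opt("NET", depends_on=["CORE"]),
    opt("INET", depends_on=["NET"]),
    opt("IPV6", depends_on=["INET"]),
    opt("WIRELESS", depends_on=["NET"], selects=["CRYPTO"]),
    opt("BLUETOOTH", depends_on=["NET"], selects=["CRYPTO"]),
    opt("CRYPTO", depends_on=["CORE"]),
    opt("USB", depends_on=["CORE"]),
    opt("USB_STORAGE", depends_on=["USB"], selects=["SCSI"]),
    opt("SCSI", depends_on=["CORE"]),
    opt("SOUND", depends_on=["CORE"]),
    opt("FS_EXT4", depends_on=["CORE"], selects=["CRC32"]),
    opt("CRC32", depends_on=["CORE"]),
]}

# Constructed "trace": the features an observed workload actually exercised.
OBSERVED_FEATURES: FrozenSet[str] = frozenset({"FS_EXT4", "USB_STORAGE", "IPV6"})


def is_valid(options: Dict[str, Option], enabled: Set[str]) -> bool:
    """A configuration is valid when every enabled option's constraints are satisfied."""
    return all(options[n].depends_on <= enabled and options[n].selects <= enabled
               for n in enabled)


def required_closure(options: Dict[str, Option], required: Iterable[str]) -> Set[str]:
    """Trace-driven: keep the required options plus everything they transitively pull in."""
    enabled: Set[str] = set()
    work = list(required)
    while work:
        name = work.pop()
        if name in enabled:
            continue
        enabled.add(name)
        work.extend(options[name].depends_on | options[name].selects)
    return enabled


def iterative_prune(options: Dict[str, Option], required: Iterable[str]) -> Tuple[Set[str], int]:
    """Start from the full configuration; each pass drops options nothing enabled still needs.

    Returns (enabled options, number of passes). An option that is only kept alive by
    another removable option (CRYPTO via WIRELESS/BLUETOOTH here) becomes removable
    only in a later pass, which is why the process must iterate to a fixed point.
    """
    enabled: Set[str] = set(options)
    passes = 0
    while True:
        passes += 1
        needed = set(required)
        for name in enabled:
            needed |= options[name].depends_on | options[name].selects
        removable = enabled - needed
        if not removable:
            return enabled, passes
        enabled -= removable


def debloat_report(options: Dict[str, Option], observed: FrozenSet[str]) -> dict:
    """Compare both strategies and quantify what dependency rules forced into the result."""
    kept = required_closure(options, observed)
    pruned, passes = iterative_prune(options, observed)
    assert kept == pruned and is_valid(options, kept)
    removed = set(options) - kept
    return {
        "kept": sorted(kept),
        "removed": sorted(removed),
        "forced": sorted(kept - observed),   # kept only because constraints demand it
        "passes": passes,
        "reduction_pct": round(100 * len(removed) / len(options), 2),
    }


if __name__ == "__main__":
    for key, value in debloat_report(OPTIONS, OBSERVED_FEATURES).items():
        print(f"{key}: {value}")
```

Running it removes four of the thirteen constructed options; of the nine that remain, six were never touched by the observed workload and survive only because `depends on` chains and `select` edges demand them, which is the configuration-level ceiling on reduction that the lecture's empirical analysis points to.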