Traditional software development favors a one-size-fits-all mentality which results in software with incremental complexity and packed with often unused features creating powerful resources for attacks as well as obstacles for defenses: critical gadgets for code-reuse attacks, add complexity for analysis, vulnerabilities for crafting and escalating exploits, etc.

However, studies have shown that most end users tend to use only a fraction of code available in memory, across all layers of software execution stacks: application, library, interpreter, OS, and hardware. Complex software often contains features intended by the developers for all deployment contexts but are often unused in practice and expose security risks in average use case. In fact, clients must bear the burden of carrying all the features in the code with no viable method to adapt, disable or remove them. This extraneous code called bloated code may contain its own bugs and vulnerabilities broadening the overall attack surface. For example, unused code introduces critical gadgets for code-reuse attacks such as Stack Pivoting allowing an attacker to trigger the execution of the gadgets in a Return-Oriented Programming (ROP) payload.

This dissertation addresses the pressing need for a comprehensive system to efficiently reduce attack surface by tackling both the cause (i.e. one-size-fits-all property of software) and effect (i.e. security-critical gadgets) of the problem. First, for the former, we present a system to perform software specialization at both source code and binary levels by removing unused code from a code module, leaving only necessary code in the memory for a particular deployment context. For the latter, we introduce a stack pointer-centric integrity model and an enforcement system designed to remove the availability of gadgets to perform stack pivoting and limit the diverse set of gadgets for code reuse attacks. Our results show that our approach can remove as much as 86% code at source code level and as much as 20.81% code from binary while effectively mitigating and limiting security-sensitive gadgets with low performance overhead of 5.1%.