Combined Static Analysis and Machine Learning Prediction for Application Debloating

Upon closer analysis between BlankIt and Decker, we come to the conclusion that the key factor for higher gadget reduction in BlankIt over Decker is that BlankIt uses ML-based prediction, which is very precise.

BlankIt’s ML-based predictions are input-sensitive and can leverage calling context to forecast the next set of calls in a dynamic call chain. Such predictions can overcome the unanalyzable nature of static callgraphs and control flow graphs. Using ML in a debloating framework carries with it one key challenge, however, namely how to resolve mispredictions. BlankIt, for example, suffers from this problem of false alarms. When a library call leads to a misprediction, BlankIt attempts to resolve it in a parallel audit thread that reruns the call within Memcheck (Nethercote:2007:VFH:1250734.1250746, ). Though serviceable for library code, this technique would not be tenable for predicting function calls on a whole program basis in application code, which is what Decker deals with. Library calls are relatively infrequent compared to user-defined functions, so mispredictions are likely to occur with higher frequency when predicting and debloating for application code on a whole program basis. In other words, the use of ML-based prediction and debloating would lead to a situation with constant interruptions (due to mispredictions) and audit threads for distinguishing between attacks vs. mispredictions. Therefore, new techniques are needed that are lightweight and can validate predictions without such problems. In short, it remains an open problem how to effectively verify that mispredicted execution paths still conform to a valid control flow.

Although Decker provides a significant attack surface reduction, being based on static analysis of callgraph reachability comes with limitations. We draw on a simple code example to highlight how static analysis-based callgraph predictions can fail to protect the program, and how a technique with ML-based predictions provides a higher level of defense. Listing 1 shows pseudocode that contains a common programming paradigm, namely error handling for extremely rare corner cases. In this example, the function $service$ contains a while-loop for $do\_work$. On each iteration, the loop checks if error $e$ has occurred; if so, $handle\_err$ is called to process the state; then execution continues in $do\_work$ for the current iteration.

The intuition for this simple but realistic code is that the error handler does not always need to be mapped active, because it is unlikely to be called. Based on static reachability analysis triggered at the loop header, Decker (decker, ) fails to handle this case, though, because its static analysis is conservative. In Decker, this code is handled by first statically analyzing the loop and identifying all interprocedurally reachable functions within it ($do\_work$, $aux1$, $aux2$, $handle\_err$, and $attacker\_target\_func$). Then at runtime, Decker enables this entire set of functions at the loop preheader and disables these functions at the loop exits. A technique such as BlankIt (blankit, ) cannot be used here because it is only able to handle library code, as explained above. If, however, one can use a model to predict which functions will be called within this loop, it is reasonable to expect that $handle\_err$ will not be regularly predicted when the model is trained on representative profiling data for this case.

We list three ways in which an attacker may try to enter and exploit $attacker\_target\_func$, and describe how a predictive model with statically enlightened checks can defend against them:

1. (1)

   The target function may contain a gadget that the attacker needs to use in their gadget chain. Under the most common executions, however, a model will predict that $attacker\_target\_func$ will not be executed, so this function will be disabled. Jum** into this code would therefore lead to a fault and a failed attack, unlike in Decker.

2. (2)

   The attacker may attempt to redirect control flow to the entrance of $attacker\_target\_func$. Though this is a normal function entry point (unlike case 1), it will still lead to a fault and crash whenever the model has not predicted the error handler to be invoked. (Section 4.2 will elaborate on this point.)

3. (3)

   The attacker may attempt to redirect control flow to the entrance of $handle\_err$. As we will show, all entry points into subsections of the callgraph that depend on the model predictions must be gated by a fallback mechanism. This is to handle mispredictions under no-attack scenarios. However, the static analysis techniques we introduce later can catch such cases. In particular, only a valid static sequence of calls will be allowed to pass through this “gate.” In our example, the attack will only be allowed to jump to $handle\_err$ from $aux2$ (as $handle\_err$ can only follow $aux2$ in a valid call function sequence). Attempting to jump from $service$, $do\_work$, or $aux1$ will fail the runtime check at the entrance to $handle\_err$ and result in a crash. (Sections 4.2 and 4.3 will make these points clearer.)

With the above motivations, we present a new ML-based predictive method backed by performant audits that use static invariants. In summary, this work makes the following contributions:

1. (1)

   To the best of our knowledge, it is the first prediction-based approach for whole-application debloating that is performant and sound.

2. (2)

   It is the first debloating technique to leverage static analysis techniques that guarantee certain program properties are met whenever mispredictions due to ML occur.

3. (3)

   It includes an empirical evaluation that shows the technique improves attack surface reduction beyond the state of the art and with overheads that are in line with prior art.

The remaining sections are laid out as follows. Section 2 provides background. Section 3 gives an overview of the solution. Section 4 goes into technical details of the framework. Section 5 provides the results from our empirical evaluation. Section 6 provides a survey of the related work. Section 7 concludes.

Designing a debloating tool involves tradeoffs along different dimensions. A debloating technique can have several attributes including soundness, ability to offer full feature support, whether it requires user input or manual intervention, whether it depends on a runtime component, etc. Regardless of the technique used, the most important criteria for a tool in terms of real-world utility are soundness under a normal (no-attack) scenario and the ability to stop an attack with acceptable runtime overhead. The soundness criterion is operationally defined as the ability of the debloated program to be robust and not crash under no-attack inputs, and to produce the same results as its non-debloated counterpart under such inputs. By full feature support, we mean the debloated program is not “specialized” to a subset of features from the original program; it must provide support for all the desired (non-debloated) features. In this work, we maintain that soundness and full feature support are critical for a generally adoptable solution. Our goal is to show how a mix of static analysis techniques and machine learning can improve debloating reductions without sacrificing either of these qualities. In addition, we also show how the attack-stop** ability is superior to Decker and runtime overhead lower than BlankIt.

There are only three tools from Table 1 that are sound and that produce programs with full feature support: Piece-wise (piece-wise, ), BlankIt (blankit, ), and Decker (decker, ). Despite this commonality, these tools differ substantially. For example, Piece-wise and BlankIt debloat libraries; Decker debloats applications. BlankIt is the only tool of this group with a ML-based prediction mechanism; it is also the only one that works at the binary level. Piece-wise does not require any runtime support; BlankIt and Decker do.

Piece-wise and Decker both show that to guarantee soundness, the framework is forced to reckon with the limitations of static analysis. In fact, Trimmer (trimmer, ) and LMCAS (lmcas, ), despite being specialization techniques, face this same issue in order to guarantee soundness. Razor (razor, ) is also a specialization technique; it runs the program on representative inputs and then uses heuristics to include related control flow; unlike the above techniques, however, it is unsound.

There are two frameworks in Table 1 that rely on ML-based prediction: Chisel (chisel, ) and BlankIt. In Chisel, the model makes offline decisions on where to cut parts of the program, which may lead to unsound transformations; once the program is finalized, there is no support to handle missing functionality at runtime. In contrast, BlankIt’s runtime allows it to access debloated code even on misprediction; it depends on Memcheck (Nethercote:2007:VFH:1250734.1250746, ; DBLP:conf/usenix/SewardN05, ) to catch memory errors in this case. Though the interfaces and frequency of third-party library calls may enable this kind of mitigation approach in BlankIt, it is unlikely to be useful for whole program debloating which is the focus of this work. The authors’ results show that to reduce slowdowns on the critical path, a parallel audit thread is required, but even in two of their evaluated benchmarks, more than one helper thread is needed to handle the audit overhead and frequency of mispredictions.

Gadgets are a continuous sequence of instructions that perform some useful computation for an attacker. It could be a primitive action (such as addition) or a more complex one (such as pushing onto a stack and advancing an index). It may also have some side effect (whether wanted or unwanted) such as polluting a register that is unrelated to the desired computation. In any case, a gadget in isolation is rarely useful, so attackers combine them to form gadget chains. The gadget chain carries out some malicious action, such as spawning a shell or changing the permissions of a system page. Since such attacks are carried out by reusing the application code (in terms of gadget chains), they are called code reuse attacks.

Chaining gadgets requires some linking mechanism to go from one gadget to the next during an attack. For example, return-oriented programming (ROP) (rop, ) uses return instructions, jump-oriented programming (JOP) (jop, ; jop2, ) uses jump, and call-oriented programming (COP) (pcop, ) uses call. There are nuances to each of them. Jump-oriented programming commonly uses a dispatcher function, for example. There are also flavors within each of these types, such as JOP attacks that use two dispatcher functions (jop-rocket, ). In fact, ROP, JOP, and COP can even be intermixed in a gadget chain.

Lastly, it should be noted that using gadget reductions as a debloating measurement comes with limitations. Works such as (islessreallymore, ) show the inherent weaknesses of reduction metrics and present a tool for analyzing gadget classes and quality. By considering what various gadgets do or compute, the kind and extent of their side effects, how critical they are, how rare they are, etc., one can form a more complete picture of the effectiveness of a debloating technique. In short, measuring only gadget quantity oversimplifies all of this. Furthermore, as mentioned, gadgets must be strung together into a useful chain. Reducing the absolute gadget count in a program may not matter if a critical chain still exists and can be exploited.

These limitations are an open problem within the debloating for security community. Automatically constructing gadget chains is challenging, though some tools exist (ropgadget, ; ropper, ). In (decker, ), the authors show that relatively high gadget reductions are capable of breaking a well-known shell-spawning chain on common benchmarks. This promising result suggests that high gadget-reduction counts can thwart certain known chains.

We limit our scope of work solely to the problem of how to improve results using known gadget metrics. We focus on the problem of eliminating more code surface. Therefore, we use similar metrics from prior art, including gadget classification, count, and quality, but we acknowledge and treat the metrics problem itself as important future work.

We adopt a threat model similar to previous debloating works (chisel, ; razor, ; decker, ; blankit, ; lmcas, ). The underlying hardware, software stack, and toolchain are trusted. The threat is an attacker carrying out a code reuse attack on the application itself. We do not make any assumptions about the initial vulnerability or exploit for triggering the code reuse attack. We are focused only on reducing the attack surface of the program such that any exploit will have substantially less code and gadgets available for reuse. We assume the runtime is protected as in similar works that use existing methods, e.g. hardware segmentation (blankit, ; decker, ; cpi, ; getting-point, )). Similar to works like (decker, ), the goal is attack surface reduction and is not about guaranteeing the integrity of indirect control flow (as this is already covered in numerous CFI (cfi, ) works).

Listing 2 and Figure 2 illustrate the prediction mechanism at a high level. In the listing, pseudocode for function $D$ is shown; and in the figure, assume that execution has flowed from function $A$ to $B$ to $D$, at which point a prediction mechanism is triggered. Notice that $D$ has a call to predict just above the while loop. This predict call is instrumented by PDSG’s LLVM release pass. During the application’s execution, predict invokes PDSG’s runtime system, which queries the model for a set of forthcoming functions. In this example, the runtime predicts $F$, $J$, and $M$. The runtime marks these functions as RX before returning from predict and entering the loop. The right side of Figure 2 makes it explicit that these functions occupy some pages in system memory (not necessarily continuous or in order), and it is only these upcoming pages of the memory that will be enabled RX by this particular prediction. In this manner, PDSG’s runtime system is superior to that of Decker. In Decker, the entire, statically reachable set of functions within the while loop would be enabled ($\{E,K,F,I,L,J,M\}$), whereas in PDSG, only predicted functions would be enabled ($\{F,J,M\}$ in this example), which can significantly improve the precision and attack surface.

The prediction techniques and runtime checks described above raise several new challenges that must be solved for application code:

• •

  Prediction: It is unknown what kind of model is effective for this problem, what the features should be, and where the release pass should instrument the predict calls.

• •

  Rectification: On misprediction, the program will attempt to call a function that is not yet mapped executable. PDSG must identify these “rectification points” in the program and map the necessary functions to avoid crashes. It is unclear which functions should be mapped at these points; how functions in the .text section should be laid out to accommodate this; and where the release pass should instrument these rectification points.

• •

  Path checking: Finally, and most importantly, one must to distinguish between mispredictions and actual attacks. This raises several questions, including: Which properties of the program can and should be checked? How does one construct such a static model of invariants with reasonable compile time and that is also fast for runtime-checking?

We consider a naive prediction scheme, followed by a more robust approach, and then discuss the model itself.

The previous section describes how the model and its supporting instrumentation are designed to activate functions at runtime of predicted sub-callgraphs (PSCGs) rather than entire sub-callgraphs (SCGs) in order to further reduce the program’s attack surface. Rectification is about how to handle mispredictions so that the program does not crash. That is, when the program attempts to execute code outside of the activated PSCG, the rectification component must activate the necessary code in the SCG.

Rectifying mispredictions at runtime has two characteristics:

1. (1)

   It guarantees soundness of the application when using imperfect predictions to guide which code to map executable.

2. (2)

   It adds security beyond that of on-the-fly, binary-level debloating techniques like BlankIt (blankit, ) that effectively have to check for rectification at all function calls.

Regarding (1), rectification guarantees soundness by ensuring that before a function executes, it is guaranteed to have an active map**. When that function is part of the PSCG (i.e. the predicted set), this is trivially true (no rectification is needed). When that function is not part of the PSCG, it implies that execution is flowing across a boundary between the PSCG and the SCG; and because all PSCGs are known, static targets of the trained model, PDSG can statically guarantee that all such edges will be instrumented with rectification instrumentation. Thus, the PDSG runtime will catch and map those functions as active before continuing execution. Regarding (2), rectification yields additional security beyond schemes like BlankIt because PDSG instruments only at select points in the callgraph, which we call “rectification points” (RPs). In schemes such as BlankIt, all function calls are allowed to proceed, though mispredictions trigger a mitigation strategy. In PDSG, however, only function calls at RPs are allowed to proceed (and mispredictions will trigger a path-checking strategy, detailed in the next subsection). We show an example first to help illustrate these properties and aid understanding of our rectification algorithm.

Figure 3 shows an example callgraph of five functions, $F0-F4$. For the purposes of this example, we assume that this callgraph forms an SCG and that the root of the SCG is $F0$. Assume also that our training leads to two PSCGs that get called within the SCG: $A=\{F0,F1,F2\}$ and $B=\{F0,F2,F3\}$. We will show that in this example, we need 3 RPs: $RP_{A0}=F2\rightarrow F3$, $RP_{B0}=F0\rightarrow F1$, and $RP_{B1}=F3\rightarrow F4$.

The high-level reasoning for these RPs is as follows. The PSCGs will only ever activate set $A$ or set $B$ (never both, and never anything outside of those sets). Therefore, whenever the predicted set is $A$, a misprediction means that $F3$ and $F4$ must be mapped at an RP, namely $RP_{A0}$ (because otherwise a crash could occur). Similarly, whenever the predicted set is $B$, a misprediction means that $F1$ and $F4$ must be mapped at an RP; in this case, they are not connected, so two RPs are required, namely $RP_{B0}$ and $RP_{B1}$.

The exact implementation mechanisms and semantics for RPs can vary. For example, at $RP_{B0}$, the framework can mark both $F1$ and $F4$ as active (and disable $RP_{B1}$). Alternatively, it could service only $F1$ and leave $RP_{B1}$ enabled (which will service $F4$, should it be needed). Both are reasonable schemes depending on the expected runtime overheads and prediction accuracy. This can be refined through further empirical studies, but for the purposes of this work, we use the former approach.

To return to our prior point that this rectification can provide security beyond that of on-the-fly, binary-level debloating techniques like BlankIt, notice that all possible prediction sets are known statically. (Likewise, all misprediction sets are known statically.) Therefore, if we take the example of prediction set $A$, we know at build time that a misprediction includes only functions $F3$ and $F4$, and that $F4$ is dominated by $F3$ in the callgraph. In other words, there is no way for execution to go from $F0$, $F1$, or $F2$ directly to $F4$, and thus there is no RP to handle code activation along such a path. This “gate-like” behavior is not present in techniques like BlankIt which map any function on demand and depend on a mitigation strategy to catch any misprediction.

The pseudocode for instrumenting at RPs is presented in Algorithm 1. The algorithm iterates over the PSCGs and for each one conducts a depth-first search over its functions. If it finds a callsite to a callee that is not part of the PSCG, it inserts an RP at the callsite (add_rp in Algorithm 1). add_rp simply instruments a call to the PDSG runtime, which will actually map the statically known, remaining functions of the SCG during execution.

PDSG’s path-checking component handles dynamic, ML-based mispredictions based on program properties derived from static program analysis. Path checking is a key motivation for this work, because other prediction mechanisms for debloating (e.g. (chisel, ; blankit, )) do not give any formal guarantees for checking mispredictions. It offers a security improvement beyond that already provided by the attack surface reduction from the prediction component, and above the gating benefit from the rectification component. The insight is that static analysis can “package” a multitude of useful program properties for the runtime to check whenever there is a misprediction. PDSG records a dynamic call trace so that on misprediction, it can compare that trace against static properties of the program. This allows PDSG to handle mispredictions with less overhead and clearer guarantees than a heavy-weight mitigation strategy like in (blankit, ).

The shape of this solution is as follows: At build time, PDSG encodes static program properties in Datalog, which serves as a deductive database. Then at runtime, PDSG runs the program with tracing enabled and on misprediction, queries the database to check that the trace satisfies the properties.

There are three major challenges to be tackled, which we cover in turn:

1. (1)

   What static properties are useful, and how do we define them?

2. (2)

   How do we capture those properties in a practical compiler setting?

3. (3)

   How do we perform the checking online with minimal interference?

Now that we have described the framework’s technical components in detail, we want to step back to clarify again how they fit together. From the user’s standpoint, they build an application with PDSG and profile it using representative inputs. This creates a log that gets automatically fed into a learner for training a model. The user then recompiles their application with PDSG, which embeds the model into the program. This final binary contains the necessary instrumentation and linking so that when it runs, PDSG will dynamically reduce its attack surface.

To achieve this attack surface reduction, several of PDSG’s features work in concert. As the program executes, the function calls are tracked. Then at key points in the callgraph, the prediction mechanism is invoked, and PDSG enables the upcoming region of code that it expects to execute (i.e. the predicted sub-callgraph, PSCG). As mentioned, the output of the predictor is a single-value integer ID, which represents the set of functions in the PSCG. By design, this set is always a subset of the SCG. In other words, at runtime PDSG is periodically enabling upcoming functions that it expects will execute, and these functions are always within the statically known and reachable portion from the current point in the callgraph.

When execution flows outside of the current PSCG, this is a misprediction, and it must be handled. PDSG checks that its call sequence history conforms to the database of ensue relations. That is, if a pair of calls is an invalid ensue relation, then PDSG has detected an attack (or bug) and can act accordingly (alert, exit, etc.). If, on the other hand, the call sequence history is verified against the ensue relations, then the program continues as normal.

The gadget reductions are shown in Table 2. This is for all gadget types (ROP, JOP, COP, and special-purpose) reported by the GSA tool (notsofast, ). Because of PDSG’s dynamic behavior, the gadget reductions fluctuate over the duration of the program, depending on the active PSCGs and SCGs. Thus, the minimum and maximum columns represent the worst- and best-case reductions during each application’s execution. The lowest reduction across all benchmarks at any point is for mcf with 24% reduction; and the highest reduction is nearly 100% (after rounding) for both perlbench and xalancbmk. On average, however, the minimum and maximum reductions tend to fall between 60 and 90%, with the average being 82.5%.

Compared with other state-of-the-art techniques, PDSG’s gadget reductions appear to be an advancement. Of the other sound debloating techniques, Piece-wise debloats 72.9% of total gadgets from libraries; BlankIt debloats 97.8% ROP gadgets from libraries; LMCAS debloats 55.9% ROP gadgets from applications; and Decker debloats 73.2% total gadgets from applications. Thus, PDSG is nearly a 10% improvement over the nearest, closely related prior work, Decker, and more than 25% improvement over the other sound, whole application-debloating technique, LMCAS.

On closer inspection, PDSG appears to be acting (as intended) to restrict the functions within the SCGs to a narrow predicted subset. For example, on average for SPEC CPU 2017, functions and interprocedurally outermost loop headers statically reach $\sim$45 and $\sim$35 other functions, respectively. Though these averages collapse the differences among the benchmarks, it is useful to compare these with the average cardinality of the PSCGs reported by PDSG, which is $\sim$6 functions; similarly the complement sets of the PSCGs hold $\sim$35 functions on average. In other words, PDSG’s trained model is much more restrictive than enabling the otherwise large, statically reachable function sets such as in Decker; and the benefit to attack surface reduction is limited by the mispredictions and unseen inputs not available during training.

The performance overhead is shown in Figure 4. The average overhead is 8.9%. The other debloating techniques with runtime components, Decker and BlankIt, report 5.2% and 18% overhead on SPEC, respectively. (Note that BlankIt protects libraries, however, and that it reports for SPEC 2006, not 2017). PDSG’s improved defense over Decker appears to come at a cost of 3.7% overhead. Compared with BlankIt, PDSG of course has less gadget reduction but does not incur the the heavier slowdowns.

The overheads can be broken down into four groups: page-map** instrumentation, prediction and rectification, tracing support, and ensue querying. The cost of activating and deactivating pages (both outside and inside of loops) is similar to comparable works such as Decker. In other words, PDSG’s additional slowdown over these techniques is from the other three components. We isolate and measure their contributions. Tracing adds $\sim$0.5%, and there is $\sim$2% overhead from the ensue queries. The remaining $\sim$1% overhead is due to the prediction and rectification. We also test with larger ensue buffers (in the critical path and without blocking), and see ensue querying add up to $\sim$4% overhead for 16-element ensue buffers (vs. a simpler two-element history). We notice seven of the SPEC benchmarks have decision trees with max depths over 10 levels: perlbench, gcc, parest, omnetpp, xalancbmk, x264, and blender. We find this corresponds loosely with worst-case slowdowns from Figure 4, which merits further investigation (i.e. more closely measuring and then checking how limiting their tree depths affects the overall security and performance).

Another focus of our performance overhead study is the contribution from indirect function calls. Of all the predictions issued by PDSG, $\sim$32% of these are due to indirect calls. More importantly, because they require instrumentation inside of loops, they are heavy contributors to the slowdown. PDSG “caches” active code pages inside of loops (i.e. keeps them active until loop exit) to mitigate this overhead. Thus, the prediction cost to performance should only be paid once per indirect call inside of a loop, but the instrumentation instructions will still be expensive. We disable tracing, ensue querying, and indirect call instrumentation in an additional experiment and see only $\sim$3% overhead from PDSG over baseline SPEC CPU 2017. This is partly expected but also remarkable. It demonstrates the heavy penalty for instrumenting inside of loops and strongly suggests that the PDSG profile data could be leveraged to avoid instrumenting in particularly hot loop sections.

We capture the percent of callgraph edges with rectification instrumentation, and we record at runtime how frequently these edges are traversed. The former metric gives a sense of how many RPs are actually needed to ensure sound behavior at runtime. “Lower is better” does not necessarily hold here. A high count of RPs could be due to a benchmark’s particular callgraph structure and how it is exercised by its training inputs (which ultimately determines the predicted sets and thus the RPs); nevertheless, a low count of RPs implies that there are fewer “gates” through which an attack must pass if it is attempting to load functions outside of the predicted set.

The second metric is a useful way to report the prediction accuracy. When execution reaches an RP (i.e. when it traverses a callgraph edge with rectification instrumentation), it is because execution is flowing outside of the predicted set of functions – a misprediction. In the current implementation, the rectification behavior is to map all remaining functions in that SCG. Therefore, whenever execution reaches an RP, the misprediction is handled once (and only once) for that SCG. The misprediction rate is thus the percentage of all rectification events over all prediction events.

Regarding the former metric, the average percentage of edges that are instrumented with RPs for SPEC is $\sim$6.3%. All but two benchmarks have 10% or less of their edges instrumented with RPs. lbm has 13.3%, and x264 has 44.8%. Regarding the second metric, Table 3 reports the frequency of the prediction events vs. the rectification events. The rightmost column reports this as a percentage. On average, PDSG must rectify 3.8% of all predictions that happen for SPEC CPU 2017. The worst case is leela, which has only 4 predictions, 1 of which triggers rectification.

The PDSG compiler pass outputs a Datalog program which includes all $head$, $tail$, $next$, $leaf$, and $belong$ facts, along with the derived relations for $last$ and $ensue$, and, crucially, a single query as its final line: $ensue(A,B)?$. We execute this Datalog program offline. Datalog reads all of the facts, derives $last$ and $ensue$, and returns the result of the final query, which is a list of all ensue relations.

The results are shown in Table 4. The column headers mean the following: Time is the length of time for Datalog to produce all ensue relations for the application, rounded to the nearest minute; Size is the filesize (reported by du -sm) of the output from Datalog of all ensue relations; #Facts is the number of facts in the Datalog program (input); #Ensue is the number of ensue relations Datalog reports (output).

In half of the benchmarks, Datalog completes in less than 1 minute. The most striking case is gcc, which takes nearly 8 hours to complete. Though all of this processing is offline, this result shows that calculating ensue relations for highly complex callgraphs can be compute-intensive. Furthermore, the Size result (output filesize) matters for runtime, because it must be loaded into memory as a fast data structure and queried during execution. In all cases but gcc, the data size is reasonable. The benchmark with the most Datalog facts after gcc is perlbench. Though gcc has $\sim$5x more facts than perlbench, its output (in terms of filesize, which is correlated with the number of ensue relations), is $\sim$30x, and it takes $\sim$30x longer to run, as well. In other words, the relative complexity of gcc is exceptionally high compared with the other benchmarks, as seen in its ensue count, and this increases its computational costs for Datalog.