{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,6]],"date-time":"2026-04-06T10:20:30Z","timestamp":1775470830864,"version":"3.50.1"},"publisher-location":"Cham","reference-count":34,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783031708954","type":"print"},{"value":"9783031708961","type":"electronic"}],"license":[{"start":{"date-parts":[[2024,1,1]],"date-time":"2024-01-01T00:00:00Z","timestamp":1704067200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2024,1,1]],"date-time":"2024-01-01T00:00:00Z","timestamp":1704067200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2024]]},"DOI":"10.1007\/978-3-031-70896-1_9","type":"book-chapter","created":{"date-parts":[[2024,9,5]],"date-time":"2024-09-05T12:03:57Z","timestamp":1725537837000},"page":"174-193","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["SerdeSniffer: Enhancing Java Deserialization Vulnerability Detection with\u00a0Function Summaries"],"prefix":"10.1007","author":[{"given":"Xinrong","family":"Liu","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"He","family":"Wang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Meng","family":"Xu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yuqing","family":"Zhang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2024,9,6]]},"reference":[{"key":"9_CR1","unstructured":"alibaba\/fastjson. https:\/\/github.com\/alibaba\/fastjson"},{"key":"9_CR2","unstructured":"Collections - home. https:\/\/commons.apache.org\/proper\/commons-collections\/"},{"key":"9_CR3","unstructured":"CVE-2017-20189. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-20189"},{"key":"9_CR4","unstructured":"CVE-2024-22871. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-22871"},{"key":"9_CR5","unstructured":"Gadget chains in zaproxy. https:\/\/bugcrowd.com\/submissions\/33b61ea8-30cd-40b2-81c8-30b5dff979d0"},{"key":"9_CR6","unstructured":"GCMiner\/GCMiner: Artifact for ICSE 2023. https:\/\/github.com\/GCMiner\/GCMiner"},{"key":"9_CR7","unstructured":"Issues $$\\cdot $$ GCMiner\/GCMiner. https:\/\/github.com\/GCMiner\/GCMiner"},{"key":"9_CR8","unstructured":"neo4j\/neo4j: Graphs for everyone. https:\/\/github.com\/neo4j\/neo4j"},{"key":"9_CR9","unstructured":"ODDFuzz\/ODDFuzz. https:\/\/github.com\/ODDFuzz\/ODDFuzz"},{"key":"9_CR10","unstructured":"SerdeSniffer\/SerdeSniffer. https:\/\/github.com\/SerdeSniffer\/SerdeSniffer"},{"key":"9_CR11","unstructured":"Snyk vulnerability database | snyk. https:\/\/security.snyk.io\/"},{"key":"9_CR12","unstructured":"unshorn\/serhybridpub. https:\/\/bitbucket.org\/unshorn\/serhybridpub\/src\/master\/"},{"key":"9_CR13","unstructured":"Weblogic server|oracle. https:\/\/www.oracle.com\/java\/weblogic\/"},{"key":"9_CR14","unstructured":"wh1t3p1g\/tabby: Code analysis tool. https:\/\/github.com\/wh1t3p1g\/tabby"},{"issue":"2","key":"9_CR15","doi-asserted-by":"publisher","first-page":"498","DOI":"10.1128\/JCM.39.2.498-505.2001","volume":"39","author":"A Allard","year":"2001","unstructured":"Allard, A., Albinsson, B., Wadell, G.: Rapid typing of human adenoviruses by a general PCR combined with restriction endonuclease analysis. J. Clin. Microbiol. 39(2), 498\u2013505 (2001)","journal-title":"J. Clin. Microbiol."},{"key":"9_CR16","doi-asserted-by":"publisher","unstructured":"Antoniadis, T., et\u00a0al.: Porting doop to souffl\u00e9: a tale of inter-engine portability for datalog-based analyses. In: Proceedings of the 6th ACM SIGPLAN Int. Workshop on SOAP, pp. 25\u201330. ACM (2017). https:\/\/doi.org\/10.1145\/3088515.3088522","DOI":"10.1145\/3088515.3088522"},{"key":"9_CR17","doi-asserted-by":"crossref","unstructured":"Bravenboer, M., et\u00a0al.: Strictly declarative specification of sophisticated points-to analyses. In: OOPSLA09, pp. 243\u2013262. ACM (2009)","DOI":"10.1145\/1639949.1640108"},{"key":"9_CR18","doi-asserted-by":"crossref","unstructured":"Cao, S., et\u00a0al.: Improving java deserialization gadget chain mining via overriding-guided object generation. In: 2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE), pp. 397\u2013409. IEEE (2023)","DOI":"10.1109\/ICSE48619.2023.00044"},{"key":"9_CR19","doi-asserted-by":"crossref","unstructured":"Cao, S., et\u00a0al.: ODDFuzz: Discovering java deserialization vulnerabilities via structure-aware directed greybox fuzzing. In: 2023 IEEE Symposium on Security and Privacy (SP), pp. 2726\u20132743. IEEE (2023)","DOI":"10.1109\/SP46215.2023.10179377"},{"key":"9_CR20","doi-asserted-by":"crossref","unstructured":"Chen, B., et\u00a0al.: Efficient detection of java deserialization gadget chains via bottom-up gadget search and dataflow-aided payload construction. In: 2024 IEEE Symposium on Security and Privacy (SP), pp. 150\u2013150. IEEE Computer Society (2024)","DOI":"10.1109\/SP54263.2024.00150"},{"key":"9_CR21","doi-asserted-by":"crossref","unstructured":"Chen, X., et\u00a0al.: Tabby: automated gadget chain detection for java deserialization vulnerabilities. In: 2023 53rd Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 179\u2013192. IEEE (2023)","DOI":"10.1109\/DSN58367.2023.00028"},{"key":"9_CR22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"77","DOI":"10.1007\/3-540-49538-X_5","volume-title":"ECOOP\u201995 \u2014 Object-Oriented Programming, 9th European Conference, \u00c5arhus, Denmark, August 7\u201311, 1995","author":"J Dean","year":"1995","unstructured":"Dean, J., Grove, D., Chambers, C.: Optimization of object-oriented programs using static class hierarchy analysis. In: Tokoro, M., Pareschi, R. (eds.) ECOOP 1995. LNCS, vol. 952, pp. 77\u2013101. Springer, Heidelberg (1995). https:\/\/doi.org\/10.1007\/3-540-49538-X_5"},{"key":"9_CR23","unstructured":"Frohoff, C.: ysoserial (2015). https:\/\/github.com\/frohoff\/ysoserial"},{"key":"9_CR24","doi-asserted-by":"crossref","unstructured":"Grech, N., Smaragdakis, Y.: P\/Taint: unified points-to and taint analysis. Proc. ACM Program. Lang. 1(OOPSLA), 1\u201328 (2017)","DOI":"10.1145\/3133926"},{"key":"9_CR25","unstructured":"Haken, I.: Gadget inspector. https:\/\/github.com\/JackOfMostTrades\/gadgetinspector"},{"key":"9_CR26","doi-asserted-by":"crossref","unstructured":"Hasti, R., et\u00a0al.: Using static single assignment form to improve flow-insensitive pointer analysis. In: Proceedings of the ACM SIGPLAN 1998 Conference on Programming Language Design and Implementation. PLDI \u201998, New York, NY, USA, pp. 97\u2013105. Association for Computing Machinery (1998)","DOI":"10.1145\/277650.277668"},{"key":"9_CR27","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"422","DOI":"10.1007\/978-3-319-41540-6_23","volume-title":"Computer Aided Verification","author":"H Jordan","year":"2016","unstructured":"Jordan, H., Scholz, B., Suboti\u0107, P.: Souffl\u00e9: on synthesis of program analyzers. In: Chaudhuri, S., Farzan, A. (eds.) CAV 2016, Part II. LNCS, vol. 9780, pp. 422\u2013430. Springer, Cham (2016). https:\/\/doi.org\/10.1007\/978-3-319-41540-6_23"},{"key":"9_CR28","unstructured":"Lam, P., et\u00a0al.: The soot framework for java program analysis: a retrospective. In: Cetus Users and Compiler Infastructure Workshop (CETUS 2011), vol.\u00a015 (2011)"},{"key":"9_CR29","doi-asserted-by":"publisher","unstructured":"Milojkovic, N., et\u00a0al.: Polymorphism in the spotlight: studying its prevalence in java and smalltalk. In: 2015 IEEE 23rd International Conference on Program Comprehension, pp. 186\u2013195 (2015). https:\/\/doi.org\/10.1109\/ICPC.2015.29","DOI":"10.1109\/ICPC.2015.29"},{"key":"9_CR30","unstructured":"Needham, M., Hodler, A.E.: Graph algorithms: practical examples in Apache Spark and Neo4j. O\u2019Reilly Media (2019)"},{"key":"9_CR31","doi-asserted-by":"crossref","unstructured":"Pacheco, C., Ernst, M.D.: Randoop: feedback-directed random testing for java. In: Companion to the 22nd ACM SIGPLAN conference on object-oriented programming systems and applications Companion, pp. 815\u2013816 (2007)","DOI":"10.1145\/1297846.1297902"},{"key":"9_CR32","doi-asserted-by":"publisher","unstructured":"Padhye, R., et\u00a0al.: JQF: coverage-guided property-based testing in java. In: Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 398\u2013401. ACM (2019). https:\/\/doi.org\/10.1145\/3293882.3339002","DOI":"10.1145\/3293882.3339002"},{"key":"9_CR33","doi-asserted-by":"crossref","unstructured":"Rasheed, S., et\u00a0al.: A hybrid analysis to detect java serialisation vulnerabilities. In: Proceedings of the 35th IEEE\/ACM International Conference on Automated Software Engineering. ASE \u201920, pp. 1209\u20131213. Association for Computing Machinery (2021)","DOI":"10.1145\/3324884.3418931"},{"key":"9_CR34","doi-asserted-by":"crossref","unstructured":"Scholz, B., Jordan, H., Suboti\u0107, P., Westmann, T.: On fast large-scale program analysis in datalog. In: Proceedings of the 25th International Conference on Compiler Construction, pp. 196\u2013206 (2016)","DOI":"10.1145\/2892208.2892226"}],"container-title":["Lecture Notes in Computer Science","Computer Security \u2013 ESORICS 2024"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-70896-1_9","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,11,27]],"date-time":"2024-11-27T20:22:48Z","timestamp":1732738968000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-70896-1_9"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024]]},"ISBN":["9783031708954","9783031708961"],"references-count":34,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-70896-1_9","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024]]},"assertion":[{"value":"6 September 2024","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ESORICS","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"European Symposium on Research in Computer Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Bydgoszcz","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Poland","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2024","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"16 September 2024","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"20 September 2024","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"29","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"esorics2024","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/esorics2024.org","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}