{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,14]],"date-time":"2026-03-14T17:58:42Z","timestamp":1773511122265,"version":"3.50.1"},"reference-count":37,"publisher":"IEEE","license":[{"start":{"date-parts":[[2022,10,3]],"date-time":"2022-10-03T00:00:00Z","timestamp":1664755200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2022,10,3]],"date-time":"2022-10-03T00:00:00Z","timestamp":1664755200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/100000001","name":"NSF","doi-asserted-by":"publisher","award":["CNS-1815650"],"award-info":[{"award-number":["CNS-1815650"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"NSFC","doi-asserted-by":"publisher","award":["62132011"],"award-info":[{"award-number":["62132011"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022,10,3]]},"DOI":"10.1109\/cns56114.2022.9947248","type":"proceedings-article","created":{"date-parts":[[2022,11,18]],"date-time":"2022-11-18T20:49:54Z","timestamp":1668804594000},"page":"236-244","source":"Crossref","is-referenced-by-count":3,"title":["SysCap: Profiling and Crosschecking Syscall and Capability Configurations for Docker Images"],"prefix":"10.1109","author":[{"given":"Yunlong","family":"Xing","sequence":"first","affiliation":[{"name":"George Mason University,Fairfax,VA,USA"}]},{"given":"Jiahao","family":"Cao","sequence":"additional","affiliation":[{"name":"Tsinghua University,Beijing,China"}]},{"given":"Xinda","family":"Wang","sequence":"additional","affiliation":[{"name":"George Mason University,Fairfax,VA,USA"}]},{"given":"Sadegh","family":"Torabi","sequence":"additional","affiliation":[{"name":"George Mason University,Fairfax,VA,USA"}]},{"given":"Kun","family":"Sun","sequence":"additional","affiliation":[{"name":"George Mason University,Fairfax,VA,USA"}]},{"given":"Fei","family":"Yan","sequence":"additional","affiliation":[{"name":"Wuhan University,Wuhan,China"}]},{"given":"Qi","family":"Li","sequence":"additional","affiliation":[{"name":"Tsinghua University,Beijing,China"}]}],"member":"263","reference":[{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2016.2521368"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1002\/smr.1803"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-Companion.2019.00136"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2015.9"},{"key":"ref37","article-title":"Instance generator and problem representation to improve object oriented code coverage","author":"sakti","year":"2014","journal-title":"IEEE Transactions on Software Engineering"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1145\/3293882.3339002"},{"key":"ref35","article-title":"An empirical study of fault localization families and their combinations","author":"zou","year":"2019","journal-title":"IEEE Transactions on Software Engineering"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2017.62"},{"key":"ref10","year":"0","journal-title":"ET Docker"},{"key":"ref11","year":"0","journal-title":"Whole program llvm a wrapper script to build whole-program llvm bitcode files"},{"key":"ref12","article-title":"Pex: A permission check analysis framework for linux kernel","author":"zhang","year":"2019","journal-title":"28th USENIX Security Symposium ( USENIX Security 19)"},{"key":"ref13","year":"0","journal-title":"Dockerfile reference"},{"key":"ref14","year":"0","journal-title":"Transitive closure"},{"key":"ref15","year":"0","journal-title":"capability definition"},{"key":"ref16","year":"0","journal-title":"Docker Hyb"},{"key":"ref17","year":"0","journal-title":"FuzzingTools"},{"key":"ref18","year":"0","journal-title":"Common Vulnerabilities and Exposures"},{"key":"ref19","year":"0","journal-title":"Confine source code"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23368"},{"key":"ref4","year":"0","journal-title":"DefCap"},{"key":"ref27","article-title":"Control-flow bending: On the effectiveness of control-flow integrity","author":"carlini","year":"2015","journal-title":"24th USENIX Security Symposium USENIX Security 15"},{"key":"ref3","year":"0","journal-title":"SECCOMP"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2017.16"},{"key":"ref29","first-page":"49","article-title":"Under-constrained symbolic execution: Correctness checking for real code","author":"ramos","year":"2015","journal-title":"24th USENIX Security Symposium USENIX Security 15"},{"key":"ref5","year":"0","journal-title":"Seccomp profiles"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106271"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-60876-1_11"},{"key":"ref2","year":"0","journal-title":"Capability"},{"key":"ref9","article-title":"Confine: Automated system call policy generation for container attack surface reduction","author":"ghavamnia","year":"2020","journal-title":"23rd International Symposium on Research in Attacks Intrusions and Defenses (RAID 2020)"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484744"},{"key":"ref20","year":"0","journal-title":"The core implementation of confine source code"},{"key":"ref22","author":"zeng","year":"2014","journal-title":"Tailored application-specific system call tables"},{"key":"ref21","year":"0","journal-title":"Confine customizes the system call blacklist for ubuntu image"},{"key":"ref24","article-title":"Temporal system call specialization for attack surface reduction","author":"ghavamnia","year":"2020","journal-title":"29th USENIX Security Symposium (USENIX Security 20)"},{"key":"ref23","first-page":"257","article-title":"Improving host security with system call policies","author":"provos","year":"2003","journal-title":"USENIX Security Symposium"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1145\/2892208.2892235"},{"key":"ref25","first-page":"459","article-title":"sysfilter: Automated system call filtering for commodity software","author":"demarinis","year":"2020","journal-title":"23rd International Symposium on Research in Attacks Intrusions and Defenses (RAID 2020)"}],"event":{"name":"2022 IEEE Conference on Communications and Network Security (CNS)","location":"Austin, TX, USA","start":{"date-parts":[[2022,10,3]]},"end":{"date-parts":[[2022,10,5]]}},"container-title":["2022 IEEE Conference on Communications and Network Security (CNS)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/9947203\/9947223\/09947248.pdf?arnumber=9947248","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,12,12]],"date-time":"2022-12-12T19:57:02Z","timestamp":1670875022000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9947248\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,10,3]]},"references-count":37,"URL":"https:\/\/doi.org\/10.1109\/cns56114.2022.9947248","relation":{},"subject":[],"published":{"date-parts":[[2022,10,3]]}}}