{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,5]],"date-time":"2026-02-05T08:51:23Z","timestamp":1770281483777,"version":"3.49.0"},"reference-count":99,"publisher":"IEEE","license":[{"start":{"date-parts":[[2023,5,1]],"date-time":"2023-05-01T00:00:00Z","timestamp":1682899200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-009"},{"start":{"date-parts":[[2023,5,1]],"date-time":"2023-05-01T00:00:00Z","timestamp":1682899200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-001"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023,5]]},"DOI":"10.1109\/sp46215.2023.10179471","type":"proceedings-article","created":{"date-parts":[[2023,7,21]],"date-time":"2023-07-21T17:18:15Z","timestamp":1689959895000},"page":"1561-1577","source":"Crossref","is-referenced-by-count":10,"title":["Continuous Intrusion: Characterizing the Security of Continuous Integration Services"],"prefix":"10.1109","author":[{"given":"Yacong","family":"Gu","sequence":"first","affiliation":[{"name":"QI-ANXIN Technology Research Institute"}]},{"given":"Lingyun","family":"Ying","sequence":"additional","affiliation":[{"name":"QI-ANXIN Technology Research Institute"}]},{"given":"Huajun","family":"Chai","sequence":"additional","affiliation":[{"name":"QI-ANXIN Technology Research Institute"}]},{"given":"Chu","family":"Qiao","sequence":"additional","affiliation":[{"name":"University of Delaware"}]},{"given":"Haixin","family":"Duan","sequence":"additional","affiliation":[{"name":"Tsinghua University"}]},{"given":"Xing","family":"Gao","sequence":"additional","affiliation":[{"name":"University of Delaware"}]}],"member":"263","reference":[{"key":"ref1","article-title":"Enterprise CI\/CD: A Holistic View"},{"key":"ref2","article-title":"State of Continuous Delivery Report: The Evolution of Software Delivery Performance"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2022.3142338"},{"key":"ref4","article-title":"GHSL-2020-235: Arbitrary Command Injection in wayou\/turn-issues-to-posts-action"},{"key":"ref5","article-title":"Hackers Backdoor PHP Source Code After Breaching Internal Git Server"},{"key":"ref6","article-title":"Travis-CI"},{"key":"ref7","article-title":"Cloud Application Platform | Heroku"},{"key":"ref8","article-title":"Security Alert: Attack Campaign Involving Stolen OAuth User Tokens Issued to Two Third-Party Integrators"},{"key":"ref9","article-title":"Characterizing the Security of GitHub CI Workflows","author":"Koishybayev","year":"2022","journal-title":"USENIX Security"},{"key":"ref10","article-title":"About Self-hosted Runners - GitHub Doc"},{"key":"ref11","article-title":"Storing Build Artifacts - CircleCI"},{"key":"ref12","article-title":"Controller Isolation"},{"key":"ref13","article-title":"GitHub Actions Update: Helping Maintainers Combat Bad Actors"},{"key":"ref14","article-title":"About Protected Branches"},{"key":"ref15","article-title":"KernelHardening - Ubuntu Wiki"},{"key":"ref16","article-title":"GitHub Docs: Creating A Personal Access Token"},{"key":"ref17","article-title":"Personal Access Tokens - GitLab"},{"key":"ref18","article-title":"Security Hardening for GitHub Actions"},{"key":"ref19","article-title":"GitHub Actions Artifacts"},{"key":"ref20","article-title":"Job Artifacts API - GitLab"},{"key":"ref21","article-title":"GitLab CI\/CD Job Token"},{"key":"ref22","article-title":"Automatic Token Authentication"},{"key":"ref23","article-title":"Managing Deploy Keys"},{"key":"ref24","article-title":"Team Tools - The State of Developer Ecosystem in 2020 Infographic"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2018.2838131"},{"key":"ref26","article-title":"mitmproxy - an interactive HTTPS proxy"},{"key":"ref27","article-title":"Docker Inspect"},{"key":"ref28","article-title":"Branches API - GitHub"},{"key":"ref29","article-title":"Jobs API - GitLab"},{"key":"ref30","article-title":"The Bitbucket Cloud REST API"},{"key":"ref31","article-title":"PutObject - Amazon Simple Storage Service"},{"key":"ref32","article-title":"Trivy"},{"key":"ref33","article-title":"About GitHub-hosted Runners"},{"key":"ref34","article-title":"Sudo CircleCI Make Me a Sandwich"},{"key":"ref35","article-title":"Java Virtual Machine Tool Interface (JVM TI)"},{"key":"ref36","article-title":"JVM Tool Interface"},{"key":"ref37","article-title":"GitLab Token Overview"},{"key":"ref38","article-title":"Using S3 Object Lock - Amazon Simple Storage Service"},{"key":"ref39","article-title":"Uploading Artifacts on Travis CI"},{"key":"ref40","article-title":"Personal Access Tokens"},{"key":"ref41","article-title":"Authenticating with GitHub Apps"},{"key":"ref42","article-title":"Updates to Maximum Duration of Jobs"},{"key":"ref43","article-title":"The Data-Driven Case for CI: What 30 Million Workflows Reveal About Devops In Practice"},{"key":"ref44","article-title":"Static Application Security Testing (SAST) - GitLab"},{"key":"ref45","article-title":"Merge When Pipeline Succeeds - GitLab"},{"key":"ref46","article-title":"Suggest or Require Checks Before a Merge Bitbucket Cloud"},{"key":"ref47","article-title":"Java Network Launch Protocol - The Java Tutorials"},{"key":"ref48","article-title":"Using Temporary Credentials with AWS Resources"},{"key":"ref49","article-title":"Generating a Presigned URL to Upload an Object - Amazon Simple Storage Service"},{"key":"ref50","article-title":"[JENKINS-50518] Use Presigned URLs for Upload"},{"key":"ref51","article-title":"Generate a Pre-Signed URL for an Amazon S3 PUT Operation with a Specific Payload"},{"key":"ref52","article-title":"Projects API - GitLab"},{"key":"ref53","article-title":"List Public Repositories - The Bitbucket Cloud REST API"},{"key":"ref54","article-title":"Repository Files API - GitLab"},{"key":"ref55","article-title":"Get File or Directory Contents - The Bitbucket Cloud REST API"},{"key":"ref56","article-title":"GH Archive"},{"key":"ref57","article-title":"GitHub Data, Ready for You to Explore with BigQuery"},{"key":"ref58","article-title":"Github Actions - Runner Authentication and Authorization"},{"key":"ref59","article-title":"Protected Branches"},{"key":"ref60","article-title":"Introducing Fine-grained Personal Access Tokens for GitHub"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1109\/SANER48275.2020.9054818"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2017.8115619"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833686"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2017.2685629"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1109\/ISSRE.2018.00024"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1145\/3324884.3416616"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510211"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106270"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833803"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23418"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1145\/2491055.2491070"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1109\/ESEM.2019.8870152"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1109\/ICSA-C.2019.00026"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00033"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00028"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1145\/3368089.3409709"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-019-09785-8"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.17487\/rfc6819"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978385"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660323"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1145\/3545948.3545955"},{"key":"ref82","article-title":"Attacking and Fixing PKCS# 11 Security Tokens","author":"Bortolozzo","year":"2010","journal-title":"ACM CCS"},{"key":"ref83","article-title":"Eavesdropping One-Time Tokens Over Magnetic Secure Transmission in Samsung Pay","author":"Choi","year":"2016","journal-title":"WOOT"},{"key":"ref84","article-title":"Picking Up My Tab: Understanding and Mitigating Synchronized Token Lifting and Spending in Mobile Payment","author":"Bai","year":"2017","journal-title":"USENIX Security"},{"key":"ref85","doi-asserted-by":"crossref","DOI":"10.1145\/3196398.3196401","article-title":"On the Impact of Security Vulnerabilities in the npm Package Dependency Network","author":"Decan","year":"2018","journal-title":"MSR"},{"key":"ref86","volume-title":"Dependencies We Trust: How Vulnerable Are Dependencies in Software Modules?","author":"Hejderup","year":"2015"},{"key":"ref87","article-title":"Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers","author":"Staicu","year":"2018","journal-title":"USENIX Security"},{"key":"ref88","article-title":"A Sense of Time for JavaScript and Node.js: First-Class Timeouts as a Cure for Event Handler Poisoning","author":"Davis","year":"2018","journal-title":"USENIX Security"},{"key":"ref89","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23071"},{"key":"ref90","doi-asserted-by":"publisher","DOI":"10.1145\/3411764.3445085"},{"key":"ref91","volume-title":"A Survey Study of Password Setting and Reuse","author":"Li","year":"2020"},{"key":"ref92","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23350"},{"key":"ref93","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23058"},{"key":"ref94","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.16"},{"key":"ref95","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-14577-3_15"},{"key":"ref96","article-title":"The Long \u2019Taile\u2019 of Typosquatting Domain Names","author":"Szurdi","year":"2014","journal-title":"USENIX Security"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.1145\/3510457.3513044"},{"key":"ref98","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.23055"},{"key":"ref99","article-title":"Small World with High Risks: A Study of Security Threats in the npm Ecosystem","author":"Zimmermann","year":"2019","journal-title":"USENIX Security"}],"event":{"name":"2023 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2023,5,21]]},"end":{"date-parts":[[2023,5,25]]}},"container-title":["2023 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/10179215\/10179280\/10179471.pdf?arnumber=10179471","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,7,20]],"date-time":"2024-07-20T05:16:48Z","timestamp":1721452608000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10179471\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,5]]},"references-count":99,"URL":"https:\/\/doi.org\/10.1109\/sp46215.2023.10179471","relation":{},"subject":[],"published":{"date-parts":[[2023,5]]}}}