{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,16]],"date-time":"2026-07-16T21:40:54Z","timestamp":1784238054578,"version":"3.55.0"},"reference-count":50,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"2","license":[{"start":{"date-parts":[[2023,3,1]],"date-time":"2023-03-01T00:00:00Z","timestamp":1677628800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2023,3,1]],"date-time":"2023-03-01T00:00:00Z","timestamp":1677628800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2023,3,1]],"date-time":"2023-03-01T00:00:00Z","timestamp":1677628800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"name":"National Key R&amp;D Program of China","award":["2021YFB2012402"],"award-info":[{"award-number":["2021YFB2012402"]}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["61872111"],"award-info":[{"award-number":["61872111"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Serv. Comput."],"published-print":{"date-parts":[[2023,3,1]]},"DOI":"10.1109\/tsc.2022.3173791","type":"journal-article","created":{"date-parts":[[2022,5,10]],"date-time":"2022-05-10T19:32:57Z","timestamp":1652211177000},"page":"1431-1443","source":"Crossref","is-referenced-by-count":21,"title":["Shrinking the Kernel Attack Surface Through Static and Dynamic Syscall Limitation"],"prefix":"10.1109","volume":"16","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-1981-5878","authenticated-orcid":false,"given":"Dongyang","family":"Zhan","sequence":"first","affiliation":[{"name":"School of Cyberspace Science, Harbin Institute of Technology, Harbin, Heilongjiang, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Zhaofeng","family":"Yu","sequence":"additional","affiliation":[{"name":"School of Cyberspace Science, Harbin Institute of Technology, Harbin, Heilongjiang, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Xiangzhan","family":"Yu","sequence":"additional","affiliation":[{"name":"School of Cyberspace Science, Harbin Institute of Technology, Harbin, Heilongjiang, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8167-7106","authenticated-orcid":false,"given":"Hongli","family":"Zhang","sequence":"additional","affiliation":[{"name":"School of Cyberspace Science, Harbin Institute of Technology, Harbin, Heilongjiang, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9647-0271","authenticated-orcid":false,"given":"Lin","family":"Ye","sequence":"additional","affiliation":[{"name":"School of Cyberspace Science, Harbin Institute of Technology, Harbin, Heilongjiang, China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2911732"},{"key":"ref5","first-page":"459","article-title":"Sysfilter: Automated system call filtering for commodity software","volume-title":"Proc. 23rd Int. Symp. Res. Attacks Intrusions Defenses","author":"DeMarinis"},{"key":"ref6","first-page":"443","article-title":"Confine: Automated system call policy generation for container attack surface reduction","volume-title":"Proc. 23rd Int. Symp. Res. Attacks Intrusions Defenses","author":"Ghavamnia"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1145\/2592798.2592812"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-60876-1_11"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2017.16"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1147\/JRD.2016.2574138"},{"key":"ref13","article-title":"Tailored application-specific system call tables","author":"Zeng","year":"2014"},{"key":"ref16","first-page":"1769","article-title":"Detecting missing-check bugs via semantic-and context-aware criticalness and constraints inferences","volume-title":"Proc. 28th USENIX Secur. Symp.","author":"Lu"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1145\/2594291.2594295"},{"key":"ref18","first-page":"941","article-title":"Enforcing forward-edge control-flow integrity in GCC & LLVM","volume-title":"Proc. 23rd USENIX Secur. Symp.","author":"Tice"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274739"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00017"},{"key":"ref21","article-title":"Program analysis and specialization for the c programming language","author":"Andersen","year":"1994"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1145\/2931037.2931047"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23287"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2018.00035"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-SEIS.2019.00012"},{"key":"ref27","first-page":"1205","article-title":"PeX: A permission check analysis framework for linux kernel","volume-title":"Proc. 28th USENIX Secur. Symp.","author":"Zhang"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/2541883.2541895"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1109\/Confluence47617.2020.9058115"},{"key":"ref33","article-title":"Analysis of docker security","author":"Bui","year":"2015"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1002\/cpe.4436"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2945930"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1109\/MCC.2016.100"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354227"},{"key":"ref38","first-page":"81","article-title":"BASTION: A security enforcement network stack for container networks","volume-title":"Proc. USENIX Annu. Tech. Conf.","author":"Nam"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2017.49"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2018.2879605"},{"key":"ref41","first-page":"689","article-title":"SCONE: Secure linux containers with intel SGX","volume-title":"Proc. 12th USENIX Symp. Operating Syst. Des. Implementation","author":"Arnautov"},{"key":"ref42","first-page":"1749","article-title":"Temporal system call specialization for attack surface reduction","volume-title":"Proc. 29th USENIX Secur. Symp.","author":"Ghavamnia"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1145\/3058060.3058085"},{"key":"ref44","article-title":"Over 30% of official images in docker hub contain high priority security vulnerabilities","author":"Gummaraju","year":"2015"},{"key":"ref45","article-title":"Static vulnerability analysis of docker images","author":"Henriksson","year":"2017"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1145\/3029806.3029832"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274720"},{"key":"ref48","article-title":"Security analysis of docker containers in a production environment","author":"Kabbe","year":"2017"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1109\/i-Society.2016.7854163"},{"key":"ref50","article-title":"A security evaluation methodology for container images","author":"Abbott","year":"2017"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1016\/j.comcom.2018.03.011"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCSW.2017.66"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.24251\/HICSS.2019.863"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1109\/CNS.2015.7346917"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1109\/PDP50117.2020.00069"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1002\/eng2.12080"},{"key":"ref57","first-page":"869","article-title":"Debloating software through piece-wise compilation and loading","volume-title":"Proc. 27th USENIX Secur. Symp.","author":"Quach"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359823"},{"key":"ref59","first-page":"1733","article-title":"RAZOR: A framework for post-deployment software debloating","volume-title":"Proc. 28th USENIX Secur. Symp.","author":"Qian"},{"key":"ref60","article-title":"Libfilter: Debloating dynamically-linked libraries through binary recompilation","author":"Shteinfeld"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274703"}],"container-title":["IEEE Transactions on Services Computing"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/4629386\/10097430\/09772368.pdf?arnumber=9772368","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,1,22]],"date-time":"2024-01-22T22:49:06Z","timestamp":1705963746000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9772368\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,3,1]]},"references-count":50,"journal-issue":{"issue":"2"},"URL":"https:\/\/doi.org\/10.1109\/tsc.2022.3173791","relation":{},"ISSN":["1939-1374","2372-0204"],"issn-type":[{"value":"1939-1374","type":"electronic"},{"value":"2372-0204","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,3,1]]}}}