{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,6]],"date-time":"2026-04-06T10:20:41Z","timestamp":1775470841358,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":36,"publisher":"ACM","license":[{"start":{"date-parts":[[2020,12,21]],"date-time":"2020-12-21T00:00:00Z","timestamp":1608508800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2020,12,21]]},"DOI":"10.1145\/3324884.3418931","type":"proceedings-article","created":{"date-parts":[[2021,1,27]],"date-time":"2021-01-27T23:39:02Z","timestamp":1611790742000},"page":"1209-1213","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":16,"title":["A hybrid analysis to detect Java serialisation vulnerabilities"],"prefix":"10.1145","author":[{"given":"Shawn","family":"Rasheed","sequence":"first","affiliation":[{"name":"Massey University, Palmerston North, New Zealand"}]},{"given":"Jens","family":"Dietrich","sequence":"additional","affiliation":[{"name":"Victoria University of Wellington, Wellington, New Zealand"}]}],"member":"320","published-online":{"date-parts":[[2021,1,27]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Steven Arzt Siegfried Rasthofer and Eric Bodden. 2013. SuSi: A Tool for the Fully Automated Classification and Categorization of Android Sources and Sinks."},{"key":"e_1_3_2_1_2_1","volume-title":"Effective Java","author":"Bloch Joshua","unstructured":"Joshua Bloch. 2008. Effective Java (2nd Edition) (The Java Series) (2 ed.). Prentice Hall PTR, NJ, USA.","edition":"2"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134020"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/566171.566191"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/1640089.1640108"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/2771284.2771286"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/1273463.1273476"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/1988042.1988046"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1002\/spe.602"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/1062455.1062533"},{"key":"e_1_3_2_1_11_1","volume-title":"https:\/\/www.cvedetails.com\/cve\/CVE-2015-3253\/. [Online","author":"CVE","year":"2020","unstructured":"CVE Details 2015. CVE-2015-3253 (Vulnerability in Groovy). https:\/\/www.cvedetails.com\/cve\/CVE-2015-3253\/. [Online; accessed 25-May-2020]."},{"key":"e_1_3_2_1_12_1","volume-title":"http:\/\/www.cvedetails.com\/cve\/CVE-2015-4852 [Online","author":"Oracle WebLogic CVE","year":"2020","unstructured":"CVE Details 2015. CVE-2015-4852 (Vulnerability in Oracle WebLogic Server). http:\/\/www.cvedetails.com\/cve\/CVE-2015-4852 [Online; accessed 25-May-2020]."},{"key":"e_1_3_2_1_13_1","volume-title":"https:\/\/www.cvedetails.com\/cve\/CVE-2016-1000031. [Online","author":"CVE","year":"2020","unstructured":"CVE Details 2016. CVE-2016-1000031 (Vulnerability in Struts). https:\/\/www.cvedetails.com\/cve\/CVE-2016-1000031. [Online; accessed 25-May-2020]."},{"key":"e_1_3_2_1_14_1","volume-title":"https:\/\/www.cvedetails.com\/cve\/CVE-2016-4000\/. [Online","author":"CVE","year":"2020","unstructured":"CVE Details 2016. CVE-2016-4000 (Vulnerability in Jython). https:\/\/www.cvedetails.com\/cve\/CVE-2016-4000\/. [Online; accessed 25-May-2020]."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660363"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.4230\/LIPIcs.ECOOP.2017.10"},{"key":"e_1_3_2_1_17_1","volume-title":"http:\/\/frohoff.github.io\/appseccali-marshalling-pickles\/ [Online","author":"Frohoff Christopher","year":"2020","unstructured":"Christopher Frohoff and Gabriel Lawrence. 2015. Marshalling Pickles. http:\/\/frohoff.github.io\/appseccali-marshalling-pickles\/ [Online; accessed 25-May-2020]."},{"key":"e_1_3_2_1_18_1","volume-title":"ysoserial (A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.). https:\/\/github.com\/frohoff\/ysoserial [Online","author":"Frohoff Christopher","year":"2020","unstructured":"Christopher Frohoff and Gabriel Lawrence. 2015. ysoserial (A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.). https:\/\/github.com\/frohoff\/ysoserial [Online; accessed 25-August-2020]."},{"key":"e_1_3_2_1_19_1","volume-title":"Automated Discovery of Deserialization Gadget Chains. https:\/\/i.blackhat.com\/us-18\/Thu-August-9\/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains-wp.pdf [Online","author":"Haken Ian","year":"2020","unstructured":"Ian Haken. 2018. Automated Discovery of Deserialization Gadget Chains. https:\/\/i.blackhat.com\/us-18\/Thu-August-9\/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains-wp.pdf [Online; accessed 25-May-2020]."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/69622.357182"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978361"},{"key":"e_1_3_2_1_22_1","unstructured":"Karthick Jayaraman David Harvison Vijay Ganesh and Adam Kiezun. 2009. jFuzz: A Concolic Whitebox Fuzzer for Java. In NASA Formal Methods."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/2931098"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3138820"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2644805"},{"key":"e_1_3_2_1_26_1","volume-title":"Manuel Egele, Edward J. Schwartz, and Maverick Woo.","author":"Man\u00e8s Valentin J. M.","year":"2018","unstructured":"Valentin J. M. Man\u00e8s, HyungSeok Han, Choongwoo Han, Sang Kil Cha, Manuel Egele, Edward J. Schwartz, and Maverick Woo. 2018. Fuzzing: Art, Science, and Engineering. CoRR abs\/1812.00140 (2018). arXiv:1812.00140 http:\/\/arxiv.org\/abs\/1812.00140"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/96267.96279"},{"key":"e_1_3_2_1_28_1","unstructured":"A. Mu\u00f1oz and C. Schneider. 2016. The Perils of Java Deserialization. https:\/\/community.hpe.com\/t5\/Security-Research\/The-perils-of-Java-deserialization\/ba-p\/6838995#.WECzUsJ96cY [Online; accessed 25-May-2020]."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/1297846.1297902"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3293882.3330576"},{"key":"e_1_3_2_1_31_1","volume-title":"2015 30th IEEE\/ACM International Conference on Automated Software Engineering (ASE). 201--211","author":"Shamshiri S.","unstructured":"S. Shamshiri, R. Just, J. M. Rojas, G. Fraser, P. McMinn, and A. Arcuri. 2015. Do Automatically Generated Unit Tests Find Real Faults? An Empirical Study of Effectiveness and Challenges (T). In 2015 30th IEEE\/ACM International Conference on Automated Software Engineering (ASE). 201--211."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/1103845.1094817"},{"key":"e_1_3_2_1_33_1","volume-title":"Expression Language Injection. https:\/\/www.mindedsecurity.com\/fileshare\/ExpressionLanguageInjection.pdf. https:\/\/www.mindedsecurity.com\/fileshare\/ExpressionLanguageInjection.pdf [Online","author":"Stefano Di Paola Arshan Dabirsiaghi","year":"2020","unstructured":"Arshan Dabirsiaghi Stefano Di Paola. 2016. Expression Language Injection. https:\/\/www.mindedsecurity.com\/fileshare\/ExpressionLanguageInjection.pdf. https:\/\/www.mindedsecurity.com\/fileshare\/ExpressionLanguageInjection.pdf [Online; accessed 25-May-2020]."},{"key":"e_1_3_2_1_34_1","volume-title":"On the Soundness of Call Graph Construction in the Presence of Dynamic Language Features - A Benchmark and Tool Evaluation","author":"Sui Li","unstructured":"Li Sui, Jens Dietrich, Michael Emery, Shawn Rasheed, and Amjed Tahir. 2018. On the Soundness of Call Graph Construction in the Presence of Dynamic Language Features - A Benchmark and Tool Evaluation. In Programming Languages and Systems, Sukyoung Ryu (Ed.). Springer International Publishing, Cham."},{"key":"e_1_3_2_1_35_1","volume-title":"On the Recall of Static Call Graph Construction in Practice. In 2020 IEEE\/ACM 42nd International Conference on Software Engineering (ICSE).","author":"Sui Li","year":"2020","unstructured":"Li Sui, Jens Dietrich, Amjed Tahir, and George Fourtounis. 2020. On the Recall of Static Call Graph Construction in Practice. In 2020 IEEE\/ACM 42nd International Conference on Software Engineering (ICSE)."},{"key":"e_1_3_2_1_36_1","unstructured":"Michal Zalewski. 2017. American Fuzzy Lop (AFL). http:\/\/lcamtuf.coredump.cx\/afl\/technical_details.txt. http:\/\/lcamtuf.coredump.cx\/afl\/technical_details.txt [Online; accessed 25-May-2020]."}],"event":{"name":"ASE '20: 35th IEEE\/ACM International Conference on Automated Software Engineering","location":"Virtual Event Australia","acronym":"ASE '20","sponsor":["SIGAI ACM Special Interest Group on Artificial Intelligence","SIGSOFT ACM Special Interest Group on Software Engineering","IEEE CS"]},"container-title":["Proceedings of the 35th IEEE\/ACM International Conference on Automated Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3324884.3418931","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3324884.3418931","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T20:47:23Z","timestamp":1750193243000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3324884.3418931"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,12,21]]},"references-count":36,"alternative-id":["10.1145\/3324884.3418931","10.1145\/3324884"],"URL":"https:\/\/doi.org\/10.1145\/3324884.3418931","relation":{},"subject":[],"published":{"date-parts":[[2020,12,21]]},"assertion":[{"value":"2021-01-27","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}