{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,8]],"date-time":"2026-01-08T09:11:25Z","timestamp":1767863485395,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":40,"publisher":"ACM","license":[{"start":{"date-parts":[[2020,7,23]],"date-time":"2020-07-23T00:00:00Z","timestamp":1595462400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2020,7,23]]},"DOI":"10.1145\/3427761.3428343","type":"proceedings-article","created":{"date-parts":[[2020,11,25]],"date-time":"2020-11-25T02:48:04Z","timestamp":1606272484000},"page":"18-25","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":4,"title":["Salsa: static analysis of serialization features"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-8743-2516","authenticated-orcid":false,"given":"Joanna C. S.","family":"Santos","sequence":"first","affiliation":[{"name":"Rochester Institute of Technology, USA"}]},{"given":"Reese A.","family":"Jones","sequence":"additional","affiliation":[{"name":"Rochester Institute of Technology, USA"}]},{"given":"Mehdi","family":"Mirakhorli","sequence":"additional","affiliation":[{"name":"Rochester Institute of Technology, USA"}]}],"member":"320","published-online":{"date-parts":[[2020,11,16]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Alfred V Aho Ravi Sethi and Jefrey D Ullman. 1986. Compilers principles techniques. Addison wesley 7 8 ( 1986 ) 9.  Alfred V Aho Ravi Sethi and Jefrey D Ullman. 1986. Compilers principles techniques. Addison wesley 7 8 ( 1986 ) 9."},{"key":"e_1_3_2_1_2_1","volume-title":"A Study of Call Graph Construction for JVMHosted Languages","author":"Ali Karim","year":"2019","unstructured":"Karim Ali , Xiaoni Lai , Zhaoyi Luo , Ondrej Lhot\u00e1k , Julian Dolby , and Frank Tip . 2019. A Study of Call Graph Construction for JVMHosted Languages . IEEE Transactions on Software Engineering ( 2019 ). htps:\/\/doi.org\/10.1109\/TSE. 2019.2956925 10.1109\/TSE Karim Ali, Xiaoni Lai, Zhaoyi Luo, Ondrej Lhot\u00e1k, Julian Dolby, and Frank Tip. 2019. A Study of Call Graph Construction for JVMHosted Languages. IEEE Transactions on Software Engineering ( 2019 ). htps:\/\/doi.org\/10.1109\/TSE. 2019.2956925"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/236337.236371"},{"key":"e_1_3_2_1_4_1","volume-title":"Eventually Sound Points-To Analysis with Specifications. In 33rd European Conference on Object-Oriented Programming (ECOOP 2019 ). Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik. htps:\/\/doi.org\/10","author":"Bastani Osbert","year":"2019","unstructured":"Osbert Bastani , Rahul Sharma , Lazaro Clapp , Saswat Anand , and Alex Aiken . 2019 . Eventually Sound Points-To Analysis with Specifications. In 33rd European Conference on Object-Oriented Programming (ECOOP 2019 ). Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik. htps:\/\/doi.org\/10 .4230\/LIPIcs.ECOOP. 2019.11 10.4230\/LIPIcs.ECOOP Osbert Bastani, Rahul Sharma, Lazaro Clapp, Saswat Anand, and Alex Aiken. 2019. Eventually Sound Points-To Analysis with Specifications. In 33rd European Conference on Object-Oriented Programming (ECOOP 2019 ). Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik. htps:\/\/doi.org\/10.4230\/LIPIcs.ECOOP. 2019.11"},{"key":"e_1_3_2_1_5_1","volume-title":"23rd International Conference on Software Analysis, Evolution, and Reengineering. 470-481","author":"Beller M.","year":"2016","unstructured":"M. Beller , R. Bholanath , S. McIntosh , and A. Zaidman . 2016. Analyzing the state of static analysis: A large-scale evaluation in open source software . In 23rd International Conference on Software Analysis, Evolution, and Reengineering. 470-481 . htps:\/\/doi.org\/10.1109\/SANER. 2016 .105 10.1109\/SANER M. Beller, R. Bholanath, S. McIntosh, and A. Zaidman. 2016. Analyzing the state of static analysis: A large-scale evaluation in open source software. In 23rd International Conference on Software Analysis, Evolution, and Reengineering. 470-481. htps:\/\/doi.org\/10.1109\/SANER. 2016.105"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/1985793.1985827"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/3193992.3194000"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/2771284.2771286"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/115372.115320"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-49538-X_5"},{"key":"e_1_3_2_1_11_1","volume-title":"Evil Pickles: DoS Attacks Based on Object-Graph Engineering. In 31st European Conference on Object-Oriented Programming (ECOOP 2017","volume":"74","author":"Dietrich Jens","year":"2017","unstructured":"Jens Dietrich , Kamil Jezek , Shawn Rasheed , Amjed Tahir , and Alex Potanin . 2017 . Evil Pickles: DoS Attacks Based on Object-Graph Engineering. In 31st European Conference on Object-Oriented Programming (ECOOP 2017 ), Vol. 74 . Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany, 10 : 1-10 : 32. htps:\/\/doi.org\/10.4230\/LIPIcs. ECOOP. 2017.10 10.4230\/LIPIcs Jens Dietrich, Kamil Jezek, Shawn Rasheed, Amjed Tahir, and Alex Potanin. 2017. Evil Pickles: DoS Attacks Based on Object-Graph Engineering. In 31st European Conference on Object-Oriented Programming (ECOOP 2017), Vol. 74. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany, 10 : 1-10 : 32. htps:\/\/doi.org\/10.4230\/LIPIcs. ECOOP. 2017.10"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/TCAD.2008.923410"},{"key":"e_1_3_2_1_13_1","unstructured":"Michael Eichberg. 2020. JCG-SerializableClasses. htps: \/\/bitbucket.org\/delors\/jcg\/src\/master\/jcg_testcases\/src\/main\/ resources\/Serialization.md. (Accessed on 06\/01\/ 2020 ).  Michael Eichberg. 2020. JCG-SerializableClasses. htps: \/\/bitbucket.org\/delors\/jcg\/src\/master\/jcg_testcases\/src\/main\/ resources\/Serialization.md. (Accessed on 06\/01\/ 2020 )."},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-26529-2_25"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/24039.24041"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/263698.264352"},{"key":"#cr-split#-e_1_3_2_1_17_1.1","doi-asserted-by":"crossref","unstructured":"Nevin Heintze and Olivier Tardieu. 2001. Demand-driven pointer analysis. ACM SIGPLAN Notices 36 5 ( 2001 ) 24-34. htps:\/\/doi.org\/ 10.1145\/381694.378802 10.1145\/381694.378802","DOI":"10.1145\/381694.378802"},{"key":"#cr-split#-e_1_3_2_1_17_1.2","doi-asserted-by":"crossref","unstructured":"Nevin Heintze and Olivier Tardieu. 2001. Demand-driven pointer analysis. ACM SIGPLAN Notices 36 5 ( 2001 ) 24-34. htps:\/\/doi.org\/ 10.1145\/381694.378802","DOI":"10.1145\/381694.378802"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/379605.379665"},{"key":"e_1_3_2_1_19_1","unstructured":"IBM. [n.d.]. T.J. Watson Libraries for Analysis (WALA). htp:\/\/wala. sourceforge.net\/wiki\/index.php\/Main_Page. (Accessed on 06\/05\/ 2020 ).  IBM. [n.d.]. T.J. Watson Libraries for Analysis (WALA). htp:\/\/wala. sourceforge.net\/wiki\/index.php\/Main_Page. (Accessed on 06\/05\/ 2020 )."},{"key":"#cr-split#-e_1_3_2_1_20_1.1","doi-asserted-by":"crossref","unstructured":"George Kastrinis and Yannis Smaragdakis. 2013. Hybrid contextsensitivity for points-to analysis. ACM SIGPLAN Notices 48 6 ( 2013 ) 423-434. htps:\/\/doi.org\/10.1145\/2499370.2462191 10.1145\/2499370.2462191","DOI":"10.1145\/2499370.2462191"},{"key":"#cr-split#-e_1_3_2_1_20_1.2","doi-asserted-by":"crossref","unstructured":"George Kastrinis and Yannis Smaragdakis. 2013. Hybrid contextsensitivity for points-to analysis. ACM SIGPLAN Notices 48 6 ( 2013 ) 423-434. htps:\/\/doi.org\/10.1145\/2499370.2462191","DOI":"10.1145\/2499370.2462191"},{"key":"e_1_3_2_1_21_1","first-page":"507","volume-title":"Proceedings of the 39th International Conference on Software Engineering (ICSE'17)","author":"Landman Davy","year":"2017","unstructured":"Davy Landman , Alexander Serebrenik , and Jurgen J. Vinju . 2017. Challenges for Static Analysis of Java Reflection: Literature Review and Empirical Study . In Proceedings of the 39th International Conference on Software Engineering (ICSE'17) . IEEE Press , 507 - 518 . htps: \/\/doi.org\/10.1109\/ICSE. 2017 .53 10.1109\/ICSE Davy Landman, Alexander Serebrenik, and Jurgen J. Vinju. 2017. Challenges for Static Analysis of Java Reflection: Literature Review and Empirical Study. In Proceedings of the 39th International Conference on Software Engineering (ICSE'17). IEEE Press, 507-518. htps: \/\/doi.org\/10.1109\/ICSE. 2017.53"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1007\/11688839_5"},{"key":"e_1_3_2_1_23_1","volume-title":"Static analysis of android apps: A systematic literature review. Information and Software Technology 88 ( 2017 ), 67-95. htps:\/\/doi.org\/10. 1016\/j.infsof","author":"Li Li","year":"2017","unstructured":"Li Li , Tegawend\u00e9 F. Bissyand\u00e9 , Mike Papadakis , Siegfried Rasthofer , Alexandre Bartel , Damien Octeau , Jacques Klein , and Le Traon . 2017. Static analysis of android apps: A systematic literature review. Information and Software Technology 88 ( 2017 ), 67-95. htps:\/\/doi.org\/10. 1016\/j.infsof . 2017 . 04.001 Li Li, Tegawend\u00e9 F. Bissyand\u00e9, Mike Papadakis, Siegfried Rasthofer, Alexandre Bartel, Damien Octeau, Jacques Klein, and Le Traon. 2017. Static analysis of android apps: A systematic literature review. Information and Software Technology 88 ( 2017 ), 67-95. htps:\/\/doi.org\/10. 1016\/j.infsof. 2017. 04.001"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-44202-9_2"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/3295739"},{"key":"e_1_3_2_1_26_1","first-page":"139","volume-title":"Proceedings of the Third Asian Conference on Programming Languages and Systems","author":"Livshits Benjamin","unstructured":"Benjamin Livshits , John Whaley , and Monica S. Lam . 2005. Reflection Analysis for Java . In Proceedings of the Third Asian Conference on Programming Languages and Systems ( Tsukuba, Japan) (APLAS'05). Springer-Verlag, Berlin, Heidelberg , 139 - 160 . htps:\/\/doi.org\/10.1007\/ 11575467_11 Benjamin Livshits, John Whaley, and Monica S. Lam. 2005. Reflection Analysis for Java. In Proceedings of the Third Asian Conference on Programming Languages and Systems (Tsukuba, Japan) (APLAS'05). Springer-Verlag, Berlin, Heidelberg, 139-160. htps:\/\/doi.org\/10.1007\/ 11575467_11"},{"key":"e_1_3_2_1_27_1","unstructured":"Oracle. [n.d.]. Java Object Serialization Specification (version 6.0 ). htps:\/\/docs.oracle.com\/javase\/8\/docs\/platform\/serialization\/spec\/ serialTOC.html. (Accessed on 05\/24\/ 2020 ).  Oracle. [n.d.]. Java Object Serialization Specification (version 6.0 ). htps:\/\/docs.oracle.com\/javase\/8\/docs\/platform\/serialization\/spec\/ serialTOC.html. (Accessed on 05\/24\/ 2020 )."},{"key":"e_1_3_2_1_28_1","volume-title":"9th USENIX Workshop on Ofensive Technologies (WOOT 15)","author":"Peles Or","year":"2015","unstructured":"Or Peles and Roee Hay . 2015 . One Class to Rule Them All: 0-Day Deserialization Vulnerabilities in Android . In 9th USENIX Workshop on Ofensive Technologies (WOOT 15) . USENIX Association, Washington, D.C. Or Peles and Roee Hay. 2015. One Class to Rule Them All: 0-Day Deserialization Vulnerabilities in Android. In 9th USENIX Workshop on Ofensive Technologies (WOOT 15). USENIX Association, Washington, D.C."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3293882.3330555"},{"key":"e_1_3_2_1_30_1","first-page":"107","volume-title":"Systematic Evaluation of the Unsoundness of Call Graph Construction Algorithms for Java. In Companion Proceedings for the ISSTA\/ECOOP 2018 Workshops (ISSTA'18)","author":"Reif Michael","year":"2018","unstructured":"Michael Reif , Florian K\u00fcbler , Michael Eichberg , and Mira Mezini . 2018 . Systematic Evaluation of the Unsoundness of Call Graph Construction Algorithms for Java. In Companion Proceedings for the ISSTA\/ECOOP 2018 Workshops (ISSTA'18) . ACM, 107 - 112 . htps:\/\/doi.org\/10.1145\/ 3236454.3236503 Michael Reif, Florian K\u00fcbler, Michael Eichberg, and Mira Mezini. 2018. Systematic Evaluation of the Unsoundness of Call Graph Construction Algorithms for Java. In Companion Proceedings for the ISSTA\/ECOOP 2018 Workshops (ISSTA'18). ACM, 107-112. htps:\/\/doi.org\/10.1145\/ 3236454.3236503"},{"key":"#cr-split#-e_1_3_2_1_31_1.1","doi-asserted-by":"crossref","unstructured":"Atanas Rountev Ana Milanova and Barbara G Ryder. 2001. Points-to analysis for Java using annotated constraints. ACM SIGPLAN Notices 36 11 ( 2001 ) 43-55. htps:\/\/doi.org\/10.1145\/504311.504286 10.1145\/504311.504286","DOI":"10.1145\/504311.504286"},{"key":"#cr-split#-e_1_3_2_1_31_1.2","doi-asserted-by":"crossref","unstructured":"Atanas Rountev Ana Milanova and Barbara G Ryder. 2001. Points-to analysis for Java using annotated constraints. ACM SIGPLAN Notices 36 11 ( 2001 ) 43-55. htps:\/\/doi.org\/10.1145\/504311.504286","DOI":"10.1145\/504311.504286"},{"key":"e_1_3_2_1_32_1","unstructured":"Christian Schneider and Alvaro Mu\u00f1oz. 2016. Java Deserialization Attacks. htps:\/\/owasp.org\/www-pdf-archive\/GOD16-Deserialization. pdf. (Accessed on 11\/15\/ 2019 ).  Christian Schneider and Alvaro Mu\u00f1oz. 2016. Java Deserialization Attacks. htps:\/\/owasp.org\/www-pdf-archive\/GOD16-Deserialization. pdf. (Accessed on 11\/15\/ 2019 )."},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2006.93"},{"key":"e_1_3_2_1_34_1","volume-title":"More Sound Static Handling of Java Reflection","author":"Smaragdakis Yannis","unstructured":"Yannis Smaragdakis , George Balatsouras , George Kastrinis , and Martin Bravenboer . 2015. More Sound Static Handling of Java Reflection . In Programming Languages and Systems, Xinyu Feng and Sungwoo Park (Eds.). Springer International Publishing , Cham , 485-503. htps:\/\/doi.org\/10.1007\/978-3-319-26529-2_26 10.1007\/978-3-319-26529-2_26 Yannis Smaragdakis, George Balatsouras, George Kastrinis, and Martin Bravenboer. 2015. More Sound Static Handling of Java Reflection. In Programming Languages and Systems, Xinyu Feng and Sungwoo Park (Eds.). Springer International Publishing, Cham, 485-503. htps:\/\/doi.org\/10.1007\/978-3-319-26529-2_26"},{"key":"e_1_3_2_1_35_1","volume-title":"32nd European Conference on Object-Oriented Programming (ECOOP 2018 ). Schloss DagstuhlLeibniz-Zentrum fuer Informatik. htps:\/\/doi.org\/10","author":"Smaragdakis Yannis","year":"2018","unstructured":"Yannis Smaragdakis and George Kastrinis . 2018 . Defensive Points-To Analysis: Efective Soundness via Laziness . In 32nd European Conference on Object-Oriented Programming (ECOOP 2018 ). Schloss DagstuhlLeibniz-Zentrum fuer Informatik. htps:\/\/doi.org\/10 .4230\/LIPIcs. ECOOP. 2018.23 10.4230\/LIPIcs Yannis Smaragdakis and George Kastrinis. 2018. Defensive Points-To Analysis: Efective Soundness via Laziness. In 32nd European Conference on Object-Oriented Programming (ECOOP 2018 ). Schloss DagstuhlLeibniz-Zentrum fuer Informatik. htps:\/\/doi.org\/10.4230\/LIPIcs. ECOOP. 2018.23"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/2048066.2048145"},{"key":"e_1_3_2_1_37_1","volume-title":"Aliasing in Object-Oriented Programming. Types, Analysis and Verification","author":"Sridharan Manu","unstructured":"Manu Sridharan , Satish Chandra , Julian Dolby , Stephen J Fink , and Eran Yahav . 2013. Alias analysis for object-oriented programs . In Aliasing in Object-Oriented Programming. Types, Analysis and Verification . Springer , 196-232. htps:\/\/doi.org\/10.1007\/978-3-642-36946-9_8 10.1007\/978-3-642-36946-9_8 Manu Sridharan, Satish Chandra, Julian Dolby, Stephen J Fink, and Eran Yahav. 2013. Alias analysis for object-oriented programs. In Aliasing in Object-Oriented Programming. Types, Analysis and Verification. Springer, 196-232. htps:\/\/doi.org\/10.1007\/978-3-642-36946-9_8"}],"event":{"name":"SPLASH '20: Conference on Systems, Programming, Languages, and Applications, Software for Humanity","location":"Virtual USA","acronym":"SPLASH '20","sponsor":["SIGPLAN ACM Special Interest Group on Programming Languages"]},"container-title":["Proceedings of the 22nd ACM SIGPLAN International Workshop on Formal Techniques for Java-Like Programs"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3427761.3428343","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3427761.3428343","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T21:24:40Z","timestamp":1750195480000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3427761.3428343"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,7,23]]},"references-count":40,"alternative-id":["10.1145\/3427761.3428343","10.1145\/3427761"],"URL":"https:\/\/doi.org\/10.1145\/3427761.3428343","relation":{},"subject":[],"published":{"date-parts":[[2020,7,23]]},"assertion":[{"value":"2020-11-16","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}