{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T23:16:05Z","timestamp":1763507765233,"version":"3.45.0"},"publisher-location":"New York, NY, USA","reference-count":72,"publisher":"ACM","license":[{"start":{"date-parts":[[2021,11,13]],"date-time":"2021-11-13T00:00:00Z","timestamp":1636761600000},"content-version":"vor","delay-in-days":1,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"DARPA","award":["HR00112020013 HR001120C0191"],"award-info":[{"award-number":["HR00112020013 HR001120C0191"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,11,12]]},"DOI":"10.1145\/3460120.3484736","type":"proceedings-article","created":{"date-parts":[[2021,11,13]],"date-time":"2021-11-13T12:05:34Z","timestamp":1636805134000},"page":"1755-1770","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":17,"title":["Supply-Chain Vulnerability Elimination via Active Learning and Regeneration"],"prefix":"10.1145","author":[{"given":"Nikos","family":"Vasilakis","sequence":"first","affiliation":[{"name":"Massachusetts Institute of Technology, Cambridge, MA, USA"}]},{"given":"Achilles","family":"Benetopoulos","sequence":"additional","affiliation":[{"name":"University of California, Santa Cruz, Santa Cruz, CA, USA"}]},{"given":"Shivam","family":"Handa","sequence":"additional","affiliation":[{"name":"Massachusetts Institute of Technology, Cambridge, MA, USA"}]},{"given":"Alizee","family":"Schoen","sequence":"additional","affiliation":[{"name":"Massachusetts Institute of Technology, Cambridge, MA, USA"}]},{"given":"Jiasi","family":"Shen","sequence":"additional","affiliation":[{"name":"Massachusetts Institute of Technology, Cambridge, MA, USA"}]},{"given":"Martin C.","family":"Rinard","sequence":"additional","affiliation":[{"name":"Massachusetts Institute of Technology, Cambridge, MA, USA"}]}],"member":"320","published-online":{"date-parts":[[2021,11,13]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420952"},{"key":"e_1_3_2_1_2_1","volume-title":"Mukund Raghothaman, Sanjit A Seshia, Rishabh Singh, Armando Solar-Lezama, Emina Torlak, and Abhishek Udupa.","author":"Alur Rajeev","year":"2013","unstructured":"Rajeev Alur, Rastislav Bodik, Garvit Juniwal, Milo MK Martin, Mukund Raghothaman, Sanjit A Seshia, Rishabh Singh, Armando Solar-Lezama, Emina Torlak, and Abhishek Udupa. 2013. Syntax-guided synthesis. In 2013 Formal Methods in Computer-Aided Design. IEEE, 1--8."},{"key":"e_1_3_2_1_3_1","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Azad Babak Amin","year":"2019","unstructured":"Babak Amin Azad, Pierre Laperdrix, and Nick Nikiforakis. 2019. Less is more: quantifying the security benefits of debloating web applications. In 28th USENIX Security Symposium (USENIX Security 19). 1697--1714."},{"key":"e_1_3_2_1_4_1","volume-title":"International Conference on Cryptology and Information Security in Latin America. Springer, 64--83","author":"Bernstein Daniel J","year":"2014","unstructured":"Daniel J Bernstein, Bernard Van Gastel, Wesley Janssen, Tanja Lange, Peter Schwabe, and Sjaak Smetsers. 2014. TweetNaCl: A crypto library in 100 tweets. In International Conference on Cryptology and Information Security in Latin America. Springer, 64--83. https:\/\/tweetnacl.cr.yp.to\/"},{"key":"e_1_3_2_1_5_1","unstructured":"Oscar Bolmsten. 2017. Malicious Package: crossenv and other 36 malicious packages. https:\/\/snyk.io\/vuln\/npm:crossenv:20170802 Accessed: 2019-03--19."},{"key":"e_1_3_2_1_6_1","unstructured":"Benjamin Byholm Rod Vagg and NAN contributors. 2018. Native Abstractions for Node. https:\/\/www.npmjs.com\/package\/nan Accessed: 2020-06--11."},{"key":"e_1_3_2_1_7_1","volume-title":"Evolution and Reengineering (SANER), 2015 IEEE 22nd International Conference on. IEEE, 516--519","author":"Cadariu Mircea","year":"2015","unstructured":"Mircea Cadariu, Eric Bouwers, Joost Visser, and Arie van Deursen. 2015. Tracking known security vulnerabilities in proprietary software systems. In Software Analysis, Evolution and Reengineering (SANER), 2015 IEEE 22nd International Conference on. IEEE, 516--519."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1007\/978--3--662--46669--8_21"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/3359591.3359732"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"crossref","unstructured":"David Bryant Copeland. 2019. The Frightening State of Security Around NPM Package Management. https:\/\/bit.ly\/3pID2h1 Accessed: 2020--12--10.","DOI":"10.1201\/9781351072755-14"},{"key":"e_1_3_2_1_11_1","volume-title":"Ryan Elder, Brendan Saltaformaggio, and Wenke Lee.","author":"Duan Ruian","year":"2021","unstructured":"Ruian Duan, Omar Alrawi, Ranjita Pai Kasturi, Ryan Elder, Brendan Saltaformaggio, and Wenke Lee. 2021. Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages. NDSS."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359813"},{"volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment , , Cristiano Giuffrida, S\u00e9bastien Bardin","author":"Fass Aurore","key":"e_1_3_2_1_13_1","unstructured":"Aurore Fass, Robert P. Krawczyk, Michael Backes, and Ben Stock. 2018. JaSt: Fully Syntactic Detection of Malicious (Obfuscated) JavaScript. In Detection of Intrusions and Malware, and Vulnerability Assessment , , Cristiano Giuffrida, S\u00e9bastien Bardin, and Gregory Blanc (Eds.). Springer International Publishing, Cham, 303--325."},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/3009837.3009851"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/2737924.2737977"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/2568225.2568250"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/1926385.1926423"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/3368089.3409732"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-54455-6_3"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243838"},{"key":"e_1_3_2_1_21_1","unstructured":"hugeglass. 2018. GitHub Repository for flatmap-stream. https:\/\/git.io\/Jtcdi Accessed: 2020--12--18."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/1806799.1806833"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.29"},{"volume-title":"SecureJS Compiler: Portable Memory Isolation in JavaScript. In SAC 2021-The 36th ACM\/SIGAPP Symposium On Applied Computing .","author":"Ko Yoonseok","key":"e_1_3_2_1_24_1","unstructured":"Yoonseok Ko, Tamara Rezk, and Manuel Serrano. [n. d.]. SecureJS Compiler: Portable Memory Isolation in JavaScript. In SAC 2021-The 36th ACM\/SIGAPP Symposium On Applied Computing ."},{"key":"e_1_3_2_1_25_1","volume-title":"23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020)","author":"Koishybayev Igibek","year":"2020","unstructured":"Igibek Koishybayev and Alexandros Kapravelos. 2020. Mininode: Reducing the Attack Surface of Node.js Applications. In 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020) ."},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/3301417.3312501"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3144555.3144562"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"crossref","unstructured":"Tobias Lauinger Abdelberi Chaabane Sajjad Arshad William Robertson Christo Wilson and Engin Kirda. 2017. Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web. (2017).","DOI":"10.14722\/ndss.2017.23414"},{"key":"e_1_3_2_1_29_1","unstructured":"SS Jeremy Long. 2015. OWASP Dependency Check. (2015)."},{"key":"e_1_3_2_1_30_1","unstructured":"Michael Maass. 2016. A Theory and Tools for Applying Sandboxes Effectively. Ph.D. Dissertation. Carnegie Mellon University."},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-04897-0_10"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/1064978.1065018"},{"key":"e_1_3_2_1_33_1","volume-title":"Pyronia: Redesigning Least Privilege and Isolation for the Age of IoT. arXiv preprint arXiv:1903.01950","author":"Melara Marcela S","year":"2019","unstructured":"Marcela S Melara, David H Liu, and Michael J Freedman. 2019. Pyronia: Redesigning Least Privilege and Isolation for the Age of IoT. arXiv preprint arXiv:1903.01950 (2019)."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.36"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.24"},{"key":"e_1_3_2_1_36_1","volume-title":"Caja: Safe active content in sanitized JavaScript","author":"Miller Mark S","year":"2009","unstructured":"Mark S Miller, Mike Samuel, Ben Laurie, Ihab Awad, and Mike Stay. 2009. Caja: Safe active content in sanitized JavaScript, 2008. Google white paper (2009)."},{"key":"e_1_3_2_1_37_1","unstructured":"Paul Miller. 2016. How an irate developer briefly broke JavaScript. https:\/\/bit.ly\/36CkBDI Accessed: 2020--12--10."},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/3321705.3329841"},{"key":"e_1_3_2_1_39_1","volume-title":"Retrofitting Fine Grain Isolation in the Firefox Renderer. In 29th USENIX Security Symposium (USENIX Security 20)","author":"Narayan Shravan","year":"2020","unstructured":"Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Eric Rahm, Sorin Lerner, Hovav Shacham, and Deian Stefan. 2020. Retrofitting Fine Grain Isolation in the Firefox Renderer. In 29th USENIX Security Symposium (USENIX Security 20). 699--716."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382274"},{"key":"e_1_3_2_1_41_1","unstructured":"npm Inc. 2018. Details about the event-stream incident. https:\/\/blog.npmjs.org\/post\/180565383195\/details-about-the-event-stream-incident Accessed: 2018--12--18."},{"key":"e_1_3_2_1_42_1","unstructured":"npm Inc. 2019 a. Malicious Package: stream-combine. https:\/\/www.npmjs.com\/advisories\/774 Accessed: 2019-01--25."},{"key":"e_1_3_2_1_43_1","unstructured":"npm Inc. 2019 b. Malicious Package: stream-combine. https:\/\/www.npmjs.com\/advisories\/765 Accessed: 2019-01--25."},{"key":"e_1_3_2_1_44_1","unstructured":"npm Inc. 2020. Node Package Manager. https:\/\/www.npmjs.com\/search?q=string&ranking=popularity"},{"key":"e_1_3_2_1_45_1","unstructured":"Jarrod Overson. 2018. BadJS--Malicious JavaScript found in the wild: Event-Stream. https:\/\/badjs.org\/posts\/event-stream\/ Accessed: 2020--12--18."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"crossref","unstructured":"Giancarlo Pellegrino and Davide Balzarotti. 2014. Toward Black-Box Detection of Logic Flaws in Web Applications.","DOI":"10.14722\/ndss.2014.23021"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/2980983.2908093"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v32i1.11530"},{"volume-title":"Moving target defense","author":"Rinard Martin","key":"e_1_3_2_1_49_1","unstructured":"Martin Rinard. 2011. Manipulating program functionality to eliminate security vulnerabilities. In Moving target defense. Springer, 109--115."},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/3276954.3276959"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-55415-5_23"},{"key":"e_1_3_2_1_52_1","unstructured":"Thomas Hunter II (Intrinsic Security). 2018. Compromised npm Package: event-stream. https:\/\/medium.com\/intrinsic\/compromised-npm-package-event-stream-d47d08605502 Accessed: 2019-03--19."},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/945445.945448"},{"key":"e_1_3_2_1_54_1","unstructured":"Burr Settles. 2009. Active Learning Literature Survey. Computer Sciences Technical Report 1648. University of Wisconsin--Madison."},{"key":"e_1_3_2_1_55_1","volume-title":"Automatic Synthesis of Parallel Unix Commands and Pipelines with KumQuat. CoRR","author":"Shen Jiasi","year":"2021","unstructured":"Jiasi Shen, Martin Rinard, and Nikos Vasilakis. 2021. Automatic Synthesis of Parallel Unix Commands and Pipelines with KumQuat. CoRR , Vol. abs\/2012.15443 (2021). arxiv: 2012.15443 https:\/\/arxiv.org\/abs\/2012.15443"},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/3314221.3314591"},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/3430952"},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/3290386"},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.14778\/2977797.2977807"},{"key":"e_1_3_2_1_60_1","unstructured":"Snyk. 2016. Find fix and monitor for known vulnerabilities in Node.js and Ruby packages. https:\/\/snyk.io\/"},{"key":"e_1_3_2_1_61_1","volume-title":"mbox","author":"Ayrton Sparling","year":"2018","unstructured":"Ayrton Sparling et almbox. 2018. Event-Stream, GitHub Issue 116: I don't know what to say. https:\/\/github.com\/dominictarr\/event-stream\/issues\/116 Accessed: 2018--12--18."},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23071"},{"key":"e_1_3_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1145\/3338504.3357339"},{"key":"e_1_3_2_1_64_1","unstructured":"Trent Earl John Wilkinson and the Verdaccio contributors. 2018. Verdaccio--npm Proxy Private Registry. https:\/\/verdaccio.org\/ Accessed: 2020--11--10."},{"key":"e_1_3_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23131"},{"key":"e_1_3_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484535"},{"volume-title":"Using dynamic analysis to infer Python programs and convert them into database programs. Master's thesis","author":"Jerry Wu.","key":"e_1_3_2_1_67_1","unstructured":"Jerry Wu. 2018. Using dynamic analysis to infer Python programs and convert them into database programs. Master's thesis. Massachusetts Institute of Technology."},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1145\/3187009.3177735"},{"key":"e_1_3_2_1_69_1","unstructured":"Serdar Yegulalp. 2016. How one yanked JavaScript package wreaked havoc. https:\/\/bit.ly\/3ofwkz2 Accessed: 2020--12--10."},{"key":"e_1_3_2_1_70_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315261"},{"key":"e_1_3_2_1_71_1","volume-title":"Zakas and ESLint contributors","author":"Nicholas","year":"2013","unstructured":"Nicholas C. Zakas and ESLint contributors. 2013. ESLint--Pluggable JavaScript linter. https:\/\/eslint.org\/ Accessed: 2018-07--12."},{"key":"e_1_3_2_1_72_1","volume-title":"Proceedings of the 28th USENIX Conference on Security Symposium (SEC'19)","author":"Zimmermann Markus","year":"2019","unstructured":"Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Smallworld with High Risks: A Study of Security Threats in the Npm Ecosystem. In Proceedings of the 28th USENIX Conference on Security Symposium (SEC'19). USENIX Association, USA, 995--1010."}],"event":{"name":"CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Virtual Event Republic of Korea","acronym":"CCS '21"},"container-title":["Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3484736","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3460120.3484736","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3460120.3484736","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T20:48:49Z","timestamp":1763498929000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3484736"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,11,12]]},"references-count":72,"alternative-id":["10.1145\/3460120.3484736","10.1145\/3460120"],"URL":"https:\/\/doi.org\/10.1145\/3460120.3484736","relation":{},"subject":[],"published":{"date-parts":[[2021,11,12]]},"assertion":[{"value":"2021-11-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}