{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,6]],"date-time":"2026-04-06T10:20:42Z","timestamp":1775470842635,"version":"3.50.1"},"reference-count":70,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2023,1,31]],"date-time":"2023-01-31T00:00:00Z","timestamp":1675123200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Luxembourg National Research Fund (FNR) ONNIVA","award":["12696663"],"award-info":[{"award-number":["12696663"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2023,1,31]]},"abstract":"<jats:p>\n            Nowadays, an increasing number of applications use deserialization. This technique, based on rebuilding object instances from serialized byte streams, can be dangerous since it can open the application to attacks such as\n            <jats:bold>remote code execution (RCE)<\/jats:bold>\n            if the data to deserialize originates from an untrusted source. Deserialization vulnerabilities are so critical that they are in OWASP\u2019s list of top 10 security risks for web applications. This is mainly caused by faults in the development process of applications and by flaws in their dependencies, i.e., flaws in the libraries used by these applications. No previous work has studied deserialization attacks in-depth: How are they performed? How are weaknesses introduced and patched? And for how long are vulnerabilities present in the codebase? To yield a deeper understanding of this important kind of vulnerability, we perform two main analyses: one on attack gadgets, i.e., exploitable pieces of code, present in Java libraries, and one on vulnerabilities present in Java applications. 
For the first analysis, we conduct an exploratory large-scale study by running 256515 experiments in which we vary the versions of libraries for each of the 19 publicly available exploits. Such attacks rely on a combination of\n            <jats:italic>gadgets<\/jats:italic>\n            present in one or multiple Java libraries. A gadget is a method that uses objects or fields that can be attacker-controlled. Our goal is to precisely identify library versions containing gadgets and to understand how gadgets have been introduced and how they have been patched. We observe that the modification of one innocent-looking detail in a class \u2013 such as making it\n            <jats:monospace>public<\/jats:monospace>\n            \u2013 can already introduce a gadget. Furthermore, we noticed that among the studied libraries, 37.5% are not patched, leaving gadgets available for future attacks.\n          <\/jats:p>\n          <jats:p>For the second analysis, we manually analyze 104 deserialization-vulnerability CVEs to understand how vulnerabilities are introduced and patched in real-life Java applications. Results indicate that the vulnerabilities are not always completely patched or that a workaround solution is proposed. 
With a workaround solution, applications are still vulnerable since the code itself is unchanged.<\/jats:p>","DOI":"10.1145\/3554732","type":"journal-article","created":{"date-parts":[[2022,8,5]],"date-time":"2022-08-05T11:57:17Z","timestamp":1659700637000},"page":"1-45","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":23,"title":["An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities"],"prefix":"10.1145","volume":"32","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-5068-5878","authenticated-orcid":false,"given":"Imen","family":"Sayar","sequence":"first","affiliation":[{"name":"University of Toulouse, Blagnac Cedex, France"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1383-0372","authenticated-orcid":false,"given":"Alexandre","family":"Bartel","sequence":"additional","affiliation":[{"name":"Ume\u00e5 University, MIT-Huset, Ume\u00e5, Sweden"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3470-3647","authenticated-orcid":false,"given":"Eric","family":"Bodden","sequence":"additional","affiliation":[{"name":"Paderborn University, Paderborn, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1045-4861","authenticated-orcid":false,"given":"Yves","family":"Le Traon","sequence":"additional","affiliation":[{"name":"University of Luxembourg, Kirchberg Campus, Luxembourg"}]}],"member":"320","published-online":{"date-parts":[[2023,2,13]]},"reference":[{"issue":"1","key":"e_1_3_6_2_2","first-page":"3:1\u20133:33","article-title":"The tip of the iceberg: On the merits of finding security bugs","volume":"24","author":"Alexopoulos Nikolaos","year":"2020","unstructured":"Nikolaos Alexopoulos, Sheikh Mahbub Habib, Steffen Schulz, and Max M\u00fchlh\u00e4user. 2020. The tip of the iceberg: On the merits of finding security bugs. ACM Trans. Priv. Secur. 24, 1 (2020), 3:1\u20133:33.","journal-title":"ACM Trans. Priv. 
Secur."},{"key":"e_1_3_6_3_2","doi-asserted-by":"crossref","first-page":"387","DOI":"10.1109\/SP.2008.22","volume-title":"2008 IEEE Symposium on Security and Privacy (S&P)","author":"Balzarotti Davide","year":"2008","unstructured":"Davide Balzarotti, Marco Cova, Viktoria Felmetsger, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna. 2008. Saner: Composing static and dynamic analysis to validate sanitization in web applications. In 2008 IEEE Symposium on Security and Privacy (S&P). IEEE Computer Society, 387\u2013401."},{"key":"e_1_3_6_4_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2019.2894356"},{"key":"e_1_3_6_5_2","unstructured":"Daniel Blazquez. 2020. Insecure Deserialization: Attack examples Mitigation and Prevention. Retrieved 2022 from https:\/\/hdivsecurity.com\/bornsecure\/insecure-deserialization-attack-examples-mitigation\/."},{"key":"e_1_3_6_6_2","unstructured":"Nicky Bloor. [n. d.]. DeserLab. Retrieved 2022 from https:\/\/github.com\/NickstaDB\/DeserLab."},{"key":"e_1_3_6_7_2","unstructured":"Nicky Bloor. [n. d.]. SerializationDumper. Retrieved 2022 from https:\/\/github.com\/NickstaDB\/SerializationDumper#%23serializationdumper."},{"key":"e_1_3_6_8_2","volume-title":"2021 IEEE International Conference on Software Quality, Reliability and Security Companion (QRS)","author":"Bonnaventure William","year":"2021","unstructured":"William Bonnaventure, Ahmed Khanfir, Alexandre Bartel, Mike Papadakis, and Yves Le Traon. 2021. CONFUZZION: A Java virtual machine Fuzzer for type confusion vulnerabilities. In 2021 IEEE International Conference on Software Quality, Reliability and Security Companion (QRS). IEEE."},{"key":"e_1_3_6_9_2","unstructured":"Hooman Broujerdi. 2018. JDK approach to address deserialization vulnerability. 
Retrieved 2022 from https:\/\/www.redhat.com\/en\/blog\/jdk-approach-address-deserialization."},{"key":"e_1_3_6_10_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00127"},{"key":"e_1_3_6_11_2","doi-asserted-by":"publisher","DOI":"10.1145\/3093337.3037725"},{"key":"e_1_3_6_12_2","unstructured":"IBM Company. [n. d.]. IBM download. Retrieved 2022 from https:\/\/www.ibm.com\/support\/pages\/java-sdk-downloads."},{"key":"e_1_3_6_13_2","unstructured":"The MITRE Corporation. 2020. Retrieved 2022 from https:\/\/cve.mitre.org\/cgi-bin\/cvekey.cgi?keyword=deserialization."},{"key":"e_1_3_6_14_2","unstructured":"The MITRE Corporation. 2020. Terminology - A glossary of terms used by the CVE Program. Retrieved 2022 from https:\/\/cve.mitre.org\/about\/terminology.html#vulnerability."},{"key":"e_1_3_6_15_2","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"445","DOI":"10.1007\/978-3-030-00470-5_21","volume-title":"Research in Attacks, Intrusions, and Defenses - 21st International Symposium, RAID","author":"Cristalli Stefano","year":"2018","unstructured":"Stefano Cristalli, Edoardo Vignati, Danilo Bruschi, and Andrea Lanzi. 2018. Trusted execution path for protecting Java applications against deserialization of untrusted data. In Research in Attacks, Intrusions, and Defenses - 21st International Symposium, RAID(Lecture Notes in Computer Science, Vol. 11050). Springer, 445\u2013464."},{"key":"e_1_3_6_16_2","unstructured":"Michael C. Daconta. [n. d.]. When Runtime.exec() won\u2019t. Retrieved 2022 from https:\/\/www.infoworld.com\/article\/2071275\/when-runtime-exec---won-t.html."},{"key":"e_1_3_6_17_2","volume-title":"Vulnerability Summary for CVE-2020-5413","author":"Database NIST National Vulnerability","unstructured":"NIST National Vulnerability Database. [n. d.]. Vulnerability Summary for CVE-2020-5413. 
Retrieved 2022 from https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-5413."},{"key":"e_1_3_6_18_2","volume-title":"Vulnerability Summary for CVE-2021-22569","author":"Database NIST National Vulnerability","unstructured":"NIST National Vulnerability Database. [n. d.]. Vulnerability Summary for CVE-2021-22569. Retrieved 2022 from https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-22569."},{"key":"e_1_3_6_19_2","doi-asserted-by":"crossref","first-page":"190","DOI":"10.1109\/SECPRI.1996.502681","volume-title":"1996 IEEE Symposium on Security and Privacy","author":"Dean Drew","year":"1996","unstructured":"Drew Dean, Edward W. Felten, and Dan S. Wallach. 1996. Java security: From HotJava to Netscape and beyond. In 1996 IEEE Symposium on Security and Privacy. IEEE Computer Society, 190\u2013200."},{"key":"e_1_3_6_20_2","series-title":"31st European Conference on Object-Oriented Programming (ECOOP 2017)","first-page":"10:1\u201310:32","volume":"74","author":"Dietrich Jens","year":"2017","unstructured":"Jens Dietrich, Kamil Jezek, Shawn Rasheed, Amjed Tahir, and Alex Potanin. 2017. Evil pickles: DoS attacks based on object-graph engineering. In 31st European Conference on Object-Oriented Programming (ECOOP 2017)(Leibniz International Proceedings in Informatics (LIPIcs), Vol. 74). 10:1\u201310:32."},{"key":"e_1_3_6_21_2","unstructured":"Software Engineering Institute. [n. d.]. Prevent deserialization of untrusted data. Retrieved 2022 from https:\/\/wiki.sei.cmu.edu\/confluence\/display\/java\/SER12-J.+Prevent+deserialization+of+untrusted+data."},{"key":"e_1_3_6_22_2","unstructured":"Sondre Fingann. [n. d.]. Java Deserialization Vulnerabilities Exploitation Techniques and Mitigations. Retrieved 2022 from https:\/\/www.duo.uio.no\/bitstream\/handle\/10852\/79730\/1\/Master-Thesis---Java-Deserialization-Vulnerabilities---Sondre-Fingann.pdf."},{"key":"e_1_3_6_23_2","unstructured":"Chris Frohoff and Matthias Kaiser. [n. d.]. ysoserial. 
Retrieved 2022 from https:\/\/github.com\/frohoff\/ysoserial."},{"key":"e_1_3_6_24_2","unstructured":"GitBook. 2022. Introducing Snyk. Retrieved 2022 from https:\/\/docs.snyk.io\/introducing-snyk."},{"key":"e_1_3_6_25_2","volume-title":"Protocol Buffers","unstructured":"Google. [n. d.]. Protocol Buffers. Retrieved 2022 from https:\/\/developers.google.com\/protocol-buffers."},{"key":"e_1_3_6_26_2","unstructured":"The Guardian. 2016. San Francisco Municipal Transport Agency attacked by hackers who locked up computers and data with 100 Bitcoin demand. Retrieved 2022 from https:\/\/www.theguardian.com\/technology\/2016\/nov\/28\/passengers-free-ride-san-francisco-muni-ransomeware."},{"key":"e_1_3_6_27_2","unstructured":"Ian Haken. [n. d.]. Gadget Inspector. Retrieved 2022 from https:\/\/github.com\/JackOfMostTrades\/gadgetinspector."},{"key":"e_1_3_6_28_2","first-page":"5:1\u20135:6","volume-title":"Proceedings of the 9th European Workshop on System Security, EUROSEC","author":"Haller Istv\u00e1n","year":"2016","unstructured":"Istv\u00e1n Haller, Erik van der Kouwe, Cristiano Giuffrida, and Herbert Bos. 2016. METAlloc: Efficient and comprehensive metadata management for software security hardening. In Proceedings of the 9th European Workshop on System Security, EUROSEC, Michalis Polychronakis and Cristiano Giuffrida (Eds.). ACM, 5:1\u20135:6."},{"key":"e_1_3_6_29_2","unstructured":"Red Hat. 2014. Java deserialization flaws: Part 2 XML deserialization. Retrieved 2022 from https:\/\/www.redhat.com\/en\/blog\/java-deserialization-flaws-part-2-xml-deserialization."},{"key":"e_1_3_6_30_2","doi-asserted-by":"crossref","first-page":"1027","DOI":"10.1109\/SP.2017.16","volume-title":"2017 IEEE Symposium on Security and Privacy (SP)","author":"Holzinger Philipp","year":"2017","unstructured":"Philipp Holzinger, Ben Hermann, Johannes Lerch, Eric Bodden, and Mira Mezini. 2017. Hardening Java\u2019s access control by abolishing implicit privilege elevation. 
In 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 1027\u20131040."},{"key":"e_1_3_6_31_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978361"},{"key":"e_1_3_6_32_2","unstructured":"Java. [n. d.]. S\u2019informer sur la technologie Java. Retrieved 2022 from https:\/\/www.java.com\/fr\/about\/."},{"key":"e_1_3_6_33_2","unstructured":"Go Java. [n. d.]. Retrieved 2022 from https:\/\/go.java\/."},{"key":"e_1_3_6_34_2","first-page":"67","volume-title":"Proceedings of the 23rd Pan-Hellenic Conference on Informatics, PCI","author":"Koutroumpouchos Nikolaos","year":"2019","unstructured":"Nikolaos Koutroumpouchos, Georgios Lavdanis, Eleni Veroni, Christoforos Ntantogian, and Christos Xenakis. 2019. ObjectMap: Detecting insecure object deserialization. In Proceedings of the 23rd Pan-Hellenic Conference on Informatics, PCI. ACM, 67\u201372."},{"key":"e_1_3_6_35_2","first-page":"147","volume-title":"11th USENIX Symposium on Operating Systems Design and Implementation, (OSDI\u201914","author":"Kuznetsov Volodymyr","year":"2014","unstructured":"Volodymyr Kuznetsov, Laszlo Szekeres, Mathias Payer, George Candea, R. Sekar, and Dawn Song. 2014. Code-pointer integrity. In 11th USENIX Symposium on Operating Systems Design and Implementation, (OSDI\u201914), Jason Flinn and Hank Levy (Eds.). USENIX Association, 147\u2013163."},{"key":"e_1_3_6_36_2","unstructured":"Anton Lawrence. [n. d.]. Best Practices for Java Security. Retrieved 2022 from https:\/\/bitbucket.org\/blog\/best-practices-for-java-security."},{"key":"e_1_3_6_37_2","unstructured":"Gabriel Lawrence and Chris Frohoff. 2015. OWASP AppSecCali 2015 - Marshalling Pickles. 
Retrieved 2022 from https:\/\/www.slideshare.net\/frohoff1\/appseccali-2015-marshalling-pickles."},{"key":"e_1_3_6_38_2","doi-asserted-by":"publisher","DOI":"10.1017\/CBO9780511809071"},{"key":"e_1_3_6_39_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-019-09689-7"},{"key":"e_1_3_6_40_2","unstructured":"Microsoft Threat Intelligence Center (MSTIC) Microsoft 365 Defender Threat Intelligence Team and Microsoft 365 Security. 2021. HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved 2022 from https:\/\/www.microsoft.com\/security\/blog\/2021\/03\/02\/hafnium-targeting-exchange-servers\/."},{"key":"e_1_3_6_41_2","unstructured":"Alvaro Mu\u00f1oz and Oleksandr Mirosh. 2017. Friday the 13th JSON Attacks. Retrieved 2022 from https:\/\/www.blackhat.com\/docs\/us-17\/thursday\/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf."},{"key":"e_1_3_6_42_2","unstructured":"Alfred Ng. 2018. How the Equifax hack happened and what still needs to be done - A year after the revelation of the massive breach there\u2019s unfinished business. Retrieved 2022 from https:\/\/www.cnet.com\/news\/privacy\/equifaxs-hack-one-year-later-a-look-back-at-how-it-happened-and-whats-changed\/."},{"key":"e_1_3_6_43_2","unstructured":"U.S. Department of Homeland Security (DHS) Cybersecurity Infrastructure Security Agency (CISA) and The MITRE Corporation. [n. d.]. Glossary. Retrieved 2022 from https:\/\/www.cve.org\/ResourcesSupport\/Glossary#."},{"key":"e_1_3_6_44_2","unstructured":"U.S. Department of Homeland Security (DHS) Cybersecurity Infrastructure Security Agency (CISA) and The MITRE Corporation. [n. d.]. Terminology. Retrieved 2022 from https:\/\/cve.mitre.org\/about\/terminology.html#cve_id."},{"key":"e_1_3_6_45_2","unstructured":"OpenJ9. [n. d.]. OpenJ9 download. Retrieved 2022 from https:\/\/adoptopenjdk.net\/releases.html?variant=openjdk8&jvmVariant=openj9."},{"key":"e_1_3_6_46_2","unstructured":"OpenJDK. [n. d.]. JEP 290: Filter Incoming Serialization Data. 
Retrieved 2022 from https:\/\/openjdk.java.net\/jeps\/290."},{"key":"e_1_3_6_47_2","unstructured":"Oracle. [n. d.]. Oracle SE downloads. Retrieved 2022 from https:\/\/www.oracle.com\/java\/technologies\/javase-downloads.html."},{"key":"e_1_3_6_48_2","unstructured":"Oracle. [n. d.]. Secure Coding Guidelines for Java SE. Retrieved 2022 from https:\/\/www.oracle.com\/java\/technologies\/javase\/seccodeguide.html."},{"key":"e_1_3_6_49_2","unstructured":"Oracle. 2018. Core Libraries - Serialization Filtering. Retrieved 2022 from https:\/\/docs.oracle.com\/en\/java\/javase\/11\/core\/serialization-filtering1.html#GUID-8296D8E8-2B93-4B9A-856E-0A65AF9B8C66."},{"key":"e_1_3_6_50_2","unstructured":"Oracle. 2021. Long Term Persistence. Retrieved 2022 from https:\/\/docs.oracle.com\/javase\/tutorial\/javabeans\/advanced\/longpersistence.html."},{"key":"e_1_3_6_51_2","unstructured":"OWASP. [n. d.]. A8:2017-Insecure Deserialization. Retrieved 2022 from https:\/\/owasp.org\/www-project-top-ten\/2017\/A8_2017-Insecure_Deserialization."},{"key":"e_1_3_6_52_2","unstructured":"OWASP. 2021. Buffer Overflow. Retrieved 2022 from https:\/\/owasp.org\/www-community\/vulnerabilities\/Buffer_Overflow."},{"key":"e_1_3_6_53_2","unstructured":"OWASP. 2021. OWASP top 10:2021. Retrieved 2022 from https:\/\/owasp.org\/Top10\/."},{"key":"e_1_3_6_54_2","volume-title":"9th USENIX Workshop on Offensive Technologies (WOOT\u201915)","author":"Peles Or","year":"2015","unstructured":"Or Peles and Roee Hay. 2015. One class to rule them all: 0-day deserialization vulnerabilities in Android. In 9th USENIX Workshop on Offensive Technologies (WOOT\u201915)."},{"key":"e_1_3_6_55_2","unstructured":"Laksh Raghavan. Jan 2016. Lessons Learned from the Java Deserialization Bug. 
Retrieved 2022 from https:\/\/medium.com\/paypal-engineering\/lessons-learned-from-the-java-deserialization-bug-cb859e9c8d24."},{"key":"e_1_3_6_56_2","doi-asserted-by":"publisher","DOI":"10.1145\/3324884.3418931"},{"issue":"4","key":"e_1_3_6_57_2","first-page":"291","article-title":"Pickling state in the Java system","volume":"9","author":"Riggs Roger","year":"1996","unstructured":"Roger Riggs, Jim Waldo, Ann Wollrath, and Krishna Bharat. 1996. Pickling state in the Java system. Computing Systems 9, 4 (1996), 291\u2013312.","journal-title":"Computing Systems"},{"key":"e_1_3_6_58_2","unstructured":"Christian Schneider. [n. d.]. Java Deserialization Security FAQ. Retrieved 2022 from https:\/\/christian-schneider.net\/JavaDeserializationSecurityFAQ.html."},{"key":"e_1_3_6_59_2","doi-asserted-by":"publisher","DOI":"10.13140\/RG.2.2.34012.49283"},{"key":"e_1_3_6_60_2","unstructured":"Hdiv Security. [n. d.]. Insecure Deserialization: OWASP Top 10 - A8. Retrieved 2022 from https:\/\/hdivsecurity.com\/owasp-insecure-deserialization."},{"key":"e_1_3_6_61_2","first-page":"552","volume-title":"Proceedings of the 2007 ACM Conference on Computer and Communications Security (CCS\u201907)","author":"Shacham Hovav","year":"2007","unstructured":"Hovav Shacham. 2007. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proceedings of the 2007 ACM Conference on Computer and Communications Security, (CCS\u201907), Alexandria, Virginia, USA, October 28-31, 2007. ACM, 552\u2013561."},{"key":"e_1_3_6_62_2","doi-asserted-by":"publisher","DOI":"10.1145\/2851613.2851865"},{"key":"e_1_3_6_63_2","volume-title":"Network and Distributed System Security Symposium (NDSS\u201921)","author":"Shcherbakov Mikhail","year":"2021","unstructured":"Mikhail Shcherbakov and Musard Balliu. 21-24 February 2021. SerialDetector: Principled and practical exploration of object injection vulnerabilities for the web. 
In Network and Distributed System Security Symposium (NDSS\u201921)."},{"key":"e_1_3_6_64_2","unstructured":"Snyk. 2022. Snyk CLI. Retrieved 2022 from https:\/\/github.com\/snyk\/snyk."},{"key":"e_1_3_6_65_2","volume-title":"Kryo","author":"Software Esoteric","unstructured":"Esoteric Software. [n. d.]. Kryo. Retrieved 2022 from https:\/\/github.com\/EsotericSoftware\/kryo."},{"key":"e_1_3_6_66_2","unstructured":"Michael Stepankin. 2015. [manager.paypal.com] Remote Code Execution Vulnerability. Retrieved 2022 from https:\/\/artsploit.blogspot.com\/2016\/01\/paypal-rce.html."},{"key":"e_1_3_6_67_2","unstructured":"OWASP. 2017. OWASP Top Ten. Retrieved 2022 from https:\/\/owasp.org\/www-project-top-ten\/."},{"key":"e_1_3_6_68_2","doi-asserted-by":"crossref","unstructured":"Miles Tracy, Wayne Jansen, Karen Scarfone, and Jason Butterfield. 2007. Guidelines on Electronic Mail Security. Retrieved 2022 from https:\/\/nvlpubs.nist.gov\/nistpubs\/Legacy\/SP\/nistspecialpublication800-45ver2.pdf.","DOI":"10.6028\/NIST.SP.800-45ver2"},{"key":"e_1_3_6_69_2","first-page":"2","volume-title":"Proceedings of the 14th International Conference on Mining Software Repositories, MSR","author":"V\u00e1squez Mario Linares","year":"2017","unstructured":"Mario Linares V\u00e1squez, Gabriele Bavota, and Camilo Escobar-Velasquez. 2017. An empirical study on Android-related vulnerabilities. In Proceedings of the 14th International Conference on Mining Software Repositories, MSR, Jes\u00fas M. Gonz\u00e1lez-Barahona, Abram Hindle, and Lin Tan (Eds.). IEEE Computer Society, 2\u201313."},{"key":"e_1_3_6_70_2","unstructured":"Waratek. [n. d.]. The Deserialization Problem. Retrieved 2022 from https:\/\/www.waratek.com\/wp-content\/uploads\/2019\/06\/WP-Deserialization-20190610.pdf."},{"key":"e_1_3_6_71_2","volume-title":"22nd Annual Network and Distributed System Security Symposium, NDSS","author":"Younan Yves","year":"2015","unstructured":"Yves Younan. 2015. 
FreeSentry: Protecting against use-after-free vulnerabilities due to dangling pointers. In 22nd Annual Network and Distributed System Security Symposium, NDSS. The Internet Society."}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3554732","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3554732","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:49:29Z","timestamp":1750182569000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3554732"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,1,31]]},"references-count":70,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2023,1,31]]}},"alternative-id":["10.1145\/3554732"],"URL":"https:\/\/doi.org\/10.1145\/3554732","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"value":"1049-331X","type":"print"},{"value":"1557-7392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,1,31]]},"assertion":[{"value":"2021-12-07","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-07-12","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-02-13","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}
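The abstract above describes the mechanism behind Java deserialization RCE: an ObjectInputStream rebuilds whatever object graph the byte stream names, so a sender who controls the stream also controls which Serializable classes (and which gadget methods in them) run. The reference list cites JEP 290, the JDK's answer to this on the consuming side. The program below is an added example written for this page, not code from the paper or from any project it cites. It contrasts an unfiltered readObject() call with one guarded by a JEP 290 allowlist filter. SerialFilterDemo, SafeDto and the filter pattern are hypothetical names chosen for the illustration; java.util.HashMap stands in for any class the endpoint never asked for and is not a gadget chain.

```java
import java.io.*;

// Added example for this page (not from the paper or its cited projects).
// SerialFilterDemo and SafeDto are hypothetical names. Requires JDK 9+ for
// java.io.ObjectInputFilter; run stand-alone with: java SerialFilterDemo.java
public class SerialFilterDemo {

    // The only type this endpoint legitimately expects to receive.
    static final class SafeDto implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        SafeDto(String user) { this.user = user; }
    }

    // Serializes any object; stands in for bytes arriving from an untrusted peer.
    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: with no filter, the sender's class descriptors decide which
    // Serializable classes on the classpath are instantiated, and their readObject()/
    // readResolve() hooks run before the caller ever sees (or casts) the result.
    // Every gadget reachable from the classpath is therefore in play.
    static Object deserializeUnfiltered(byte[] untrusted)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return ois.readObject();
        }
    }

    // JEP 290 allowlist: only the named classes may be resolved, "!*" rejects every
    // other class, and the limits bound graph depth, reference count, array length and
    // stream size. Nested classes are matched by their binary name (Outer$Inner); in a
    // packaged build the pattern needs the fully qualified name.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "SerialFilterDemo$SafeDto;java.lang.String;"
            + "maxdepth=4;maxrefs=64;maxarray=1024;maxbytes=65536;!*");

    // Hardened pattern: the filter is installed before readObject(), so a rejected class
    // never reaches resolveClass() and no constructor or readObject() hook of it runs.
    static SafeDto deserializeFiltered(byte[] untrusted)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return (SafeDto) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = toBytes(new SafeDto("alice"));
        // Constructed stand-in for an attacker-chosen class the endpoint did not ask for.
        byte[] unexpected = toBytes(new java.util.HashMap<String, String>());

        // Unfiltered: the stream, not the application, picked the class.
        System.out.println("unfiltered: " + deserializeUnfiltered(unexpected).getClass().getName());

        // Filtered: the expected type still round-trips ...
        System.out.println("filtered ok: " + deserializeFiltered(expected).user);
        // ... and anything outside the allowlist is rejected before instantiation.
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide with the jdk.serialFilter system property or ObjectInputFilter.Config.setSerialFilter, which catches deserialization sites the application did not know it had (RMI, JMX, library code). Note the caveat the abstract raises about workarounds: a filter restricts which classes a stream may resolve at one consumer, but the gadget classes remain on the classpath unchanged, so any other unfiltered entry point is still exposed until the library itself is patched.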