{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,6]],"date-time":"2026-04-06T10:20:41Z","timestamp":1775470841252,"version":"3.50.1"},"reference-count":73,"publisher":"Association for Computing Machinery (ACM)","issue":"OOPSLA1","license":[{"start":{"date-parts":[[2024,4,29]],"date-time":"2024-04-29T00:00:00Z","timestamp":1714348800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"National Science Foundation","award":["CCF-1943300"],"award-info":[{"award-number":["CCF-1943300"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Proc. ACM Program. Lang."],"published-print":{"date-parts":[[2024,4,29]]},"abstract":"<jats:p>Object serialization and deserialization are widely used for storing and preserving objects in files, memory, or database as well as for transporting them across machines, enabling remote interaction among processes and many more. This mechanism relies on reflection, a dynamic language that introduces serious challenges for static analyses. Current state-of-the-art call graph construction algorithms do not fully support object serialization\/deserialization, i.e., they are unable to uncover the callback methods that are invoked when objects are serialized and deserialized. Since call graphs are a core data structure for multiple types of analysis (e.g., vulnerability detection), an appropriate analysis cannot be performed since the call graph does not capture hidden (vulnerable) paths that occur via callback methods. In this paper, we present Seneca, an approach for handling serialization with improved soundness in the context of call graph construction. Our approach relies on taint analysis and API modeling to construct sound call graphs. We evaluated our approach with respect to soundness, precision, performance, and usefulness in detecting untrusted object deserialization vulnerabilities. Our results show that Seneca can create sound call graphs with respect to serialization features. The resulting call graphs do not incur significant runtime overhead and were shown to be useful for performing identification of vulnerable paths caused by untrusted object deserialization.<\/jats:p>","DOI":"10.1145\/3649851","type":"journal-article","created":{"date-parts":[[2024,4,29]],"date-time":"2024-04-29T17:53:50Z","timestamp":1714413230000},"page":"1125-1153","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":8,"title":["Seneca: Taint-Based Call Graph Construction for Java Object Deserialization"],"prefix":"10.1145","volume":"8","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-8743-2516","authenticated-orcid":false,"given":"Joanna C. S.","family":"Santos","sequence":"first","affiliation":[{"name":"University of Notre Dame, Notre Dame, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3470-6856","authenticated-orcid":false,"given":"Mehdi","family":"Mirakhorli","sequence":"additional","affiliation":[{"name":"University of Hawaii, Manoa, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9758-3091","authenticated-orcid":false,"given":"Ali","family":"Shokri","sequence":"additional","affiliation":[{"name":"Virginia Tech, Blacksburg, USA"}]}],"member":"320","published-online":{"date-parts":[[2024,4,29]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"https:\/\/www.tensorflow. org [Online","year":"2023","unstructured":"2023. TensorFlow. https:\/\/www.tensorflow. org [Online; accessed 21. Oct. 2023 ]."},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE"},{"key":"e_1_2_1_3_1","volume-title":"European Conference on Object-Oriented Programming. Springer, 688-712","author":"Ali Karim","year":"2012","unstructured":"Karim Ali and Ond\u0159ej Lhot\u00e1k. 2012. Application-only call graph construction. In European Conference on Object-Oriented Programming. Springer, 688-712."},{"key":"e_1_2_1_4_1","first-page":"794","article-title":"Static analysis of Java enterprise applications: frameworks and caches, the elephants in the room","author":"Antoniadis Anastasios","year":"2020","unstructured":"Anastasios Antoniadis, Nikos Filippakis, Paddy Krishnan, Raghavendra Ramesh, Nicholas Allen, and Yannis Smaragdakis. 2020. Static analysis of Java enterprise applications: frameworks and caches, the elephants in the room.. In PLDI. 794-807.","journal-title":"PLDI."},{"key":"e_1_2_1_5_1","doi-asserted-by":"crossref","first-page":"259","DOI":"10.1145\/2594291.2594299","volume-title":"Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation","author":"Arzt Steven","year":"2014","unstructured":"Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. 2014. FlowDroid: Precise Context, Flow, Field, Object-Sensitive and Lifecycle-Aware Taint Analysis for Android Apps. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation (Edinburgh, United Kingdom) (PLDI '14). ACM, New York, NY, USA, 259-269. https: \/\/doi.org\/10.1145\/2594291.2594299 10.1145\/2594291.2594299"},{"key":"e_1_2_1_6_1","volume-title":"Proceedings of the 11th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications. 324-341","author":"Bacon David F","year":"1996","unstructured":"David F Bacon and Peter F Sweeney. 1996. Fast static analysis of C++ virtual function calls. In Proceedings of the 11th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications. 324-341. https:\/\/doi.org\/10. 1145\/236337.236371 10.1145\/236337.236371"},{"key":"e_1_2_1_7_1","volume-title":"Eventually Sound Points-To Analysis with Specifications. In 33rd European Conference on Object-Oriented Programming (ECOOP 2019 ). Schloss DagstuhlLeibniz-Zentrum fuer Informatik. https:\/\/doi.org\/10","author":"Bastani Osbert","year":"2019","unstructured":"Osbert Bastani, Rahul Sharma, Lazaro Clapp, Saswat Anand, and Alex Aiken. 2019. Eventually Sound Points-To Analysis with Specifications. In 33rd European Conference on Object-Oriented Programming (ECOOP 2019 ). Schloss DagstuhlLeibniz-Zentrum fuer Informatik. https:\/\/doi.org\/10.4230\/LIPIcs.ECOOP. 2019.11 10.4230\/LIPIcs.ECOOP.2019.11"},{"key":"e_1_2_1_8_1","first-page":"241","volume-title":"Proceedings of the 33rd International Conference on Software Engineering (ICSE'11)","author":"Bodden Eric","year":"2011","unstructured":"Eric Bodden, Andreas Sewe, Jan Sinschek, Hela Oueslati, and Mira Mezini. 2011. Taming Reflection: Aiding Static Analysis in the Presence of Reflection and Custom Class Loaders. In Proceedings of the 33rd International Conference on Software Engineering (ICSE'11). ACM, New York, NY, USA, 241-250. https:\/\/doi.org\/10.1145\/1985793.1985827 10.1145\/1985793.1985827"},{"key":"e_1_2_1_9_1","first-page":"243","volume-title":"Proceedings of the 24th ACM SIGPLAN Conference on Object Oriented Programming Systems Languages and Applications (Orlando, Florida, USA) ( OOPSLA '09). Association for Computing Machinery","author":"Bravenboer Martin","year":"2009","unstructured":"Martin Bravenboer and Yannis Smaragdakis. 2009. Strictly Declarative Specification of Sophisticated Points-to Analyses. In Proceedings of the 24th ACM SIGPLAN Conference on Object Oriented Programming Systems Languages and Applications (Orlando, Florida, USA) ( OOPSLA '09). Association for Computing Machinery, New York, NY, USA, 243-262. https: \/\/doi.org\/10.1145\/1640089.1640108 10.1145\/1640089.1640108"},{"key":"e_1_2_1_10_1","volume-title":"ODDFUZZ: Discovering Java Deserialization Vulnerabilities via Structure-Aware Directed Greybox Fuzzing. arXiv preprint arXiv:2304.04233 ( 2023 ).","author":"Cao Sicong","year":"2023","unstructured":"Sicong Cao, Biao He, Xiaobing Sun, Yu Ouyang, Chao Zhang, Xiaoxue Wu, Ting Su, Lili Bo, Bin Li, Chuanlei Ma, et al. 2023. ODDFUZZ: Discovering Java Deserialization Vulnerabilities via Structure-Aware Directed Greybox Fuzzing. arXiv preprint arXiv:2304.04233 ( 2023 )."},{"key":"e_1_2_1_11_1","doi-asserted-by":"crossref","first-page":"7","DOI":"10.1145\/2771284.2771286","volume-title":"Proceedings of the 4th ACM SIGPLAN International Workshop on State Of the Art in Program Analysis","author":"Cifuentes Cristina","year":"2015","unstructured":"Cristina Cifuentes, Andrew Gross, and Nathan Keynes. 2015. Understanding Caller-Sensitive Method Vulnerabilities: A Class of Access Control Vulnerabilities in the Java Platform. In Proceedings of the 4th ACM SIGPLAN International Workshop on State Of the Art in Program Analysis (Portland, OR, USA) ( SOAP 2015). ACM, New York, NY, USA, 7-12. https:\/\/doi.org\/10.1145\/2771284.2771286 10.1145\/2771284.2771286"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/115372.115320"},{"key":"e_1_2_1_13_1","volume-title":"European Conference on Object-Oriented Programming. Springer, 77-101","author":"Dean Jefrey","year":"1995","unstructured":"Jefrey Dean, David Grove, and Craig Chambers. 1995. Optimization of object-oriented programs using static class hierarchy analysis. In European Conference on Object-Oriented Programming. Springer, 77-101. https:\/\/doi.org\/10.1007\/3-540-49538-X_5 10.1007\/3-540-49538-X_5"},{"key":"e_1_2_1_14_1","volume-title":"Evil Pickles: DoS Attacks Based on ObjectGraph Engineering. In 31st European Conference on Object-Oriented Programming (ECOOP 2017","volume":"74","author":"Dietrich Jens","year":"2017","unstructured":"Jens Dietrich, Kamil Jezek, Shawn Rasheed, Amjed Tahir, and Alex Potanin. 2017a. Evil Pickles: DoS Attacks Based on ObjectGraph Engineering. In 31st European Conference on Object-Oriented Programming (ECOOP 2017), Vol. 74. Schloss DagstuhlLeibniz-Zentrum fuer Informatik, Dagstuhl, Germany, 10 : 1-10 : 32. https:\/\/doi.org\/10.4230\/LIPIcs.ECOOP. 2017.10 10.4230\/LIPIcs.ECOOP.2017.10"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.5381\/jot"},{"key":"e_1_2_1_16_1","volume-title":"Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering. 195-204","author":"Dolby Julian","year":"2007","unstructured":"Julian Dolby, Mandana Vaziri, and Frank Tip. 2007. Finding bugs eficiently with a SAT solver. In Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering. 195-204."},{"key":"e_1_2_1_17_1","unstructured":"Michael Eichberg. 2020. JCG-SerializableClasses. https:\/\/bitbucket.org\/delors\/jcg\/src\/master\/jcg_testcases\/src\/main\/ resources\/Serialization.md. (Accessed on 06\/01\/ 2020 )."},{"key":"e_1_2_1_18_1","first-page":"1","volume-title":"Proceedings of the 3rd ACM SIGPLAN International Workshop on the State of the Art in Java Program Analysis","author":"Eichberg Michael","year":"2014","unstructured":"Michael Eichberg and Ben Hermann. 2014. A Software Product Line for Static Analyses: The OPAL Framework. In Proceedings of the 3rd ACM SIGPLAN International Workshop on the State of the Art in Java Program Analysis (Edinburgh, United Kingdom) (SOAP '14). Association for Computing Machinery, New York, NY, USA, 1-6. https:\/\/doi.org\/10.1145\/2614628. 2614630 10.1145\/2614628.2614630"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/2619091"},{"key":"e_1_2_1_20_1","volume-title":"2013 35th International Conference on Software Engineering (ICSE). 752-761","author":"Feldthaus A.","year":"2013","unstructured":"A. Feldthaus, M. Sch\u00e4fer, M. Sridharan, J. Dolby, and F. Tip. 2013. Eficient construction of approximate call graphs for JavaScript IDE services. In 2013 35th International Conference on Software Engineering (ICSE). 752-761. https: \/\/doi.org\/10.1109\/ICSE. 2013.6606621 10.1109\/ICSE.2013.6606621"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-26529-2_25"},{"key":"e_1_2_1_22_1","volume-title":"Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis. 209-220","author":"Fourtounis George","year":"2018","unstructured":"George Fourtounis, George Kastrinis, and Yannis Smaragdakis. 2018. Static analysis of Java dynamic proxies. In Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis. 209-220."},{"key":"e_1_2_1_23_1","unstructured":"Chris Frohof. 2018. frohof\/ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. https:\/\/github.com\/frohof\/ysoserial. (Accessed on 05\/26\/ 2018 )."},{"key":"e_1_2_1_24_1","article-title":"A framework for call graph construction algorithms","volume":"23","author":"Grove David","year":"2001","unstructured":"David Grove and Craig Chambers. 2001. A framework for call graph construction algorithms. ACM Transactions on Programming Languages and Systems (TOPLAS) 23, 6 ( 2001 ), 685-746.","journal-title":"ACM Transactions on Programming Languages and Systems (TOPLAS)"},{"key":"e_1_2_1_25_1","first-page":"108","volume-title":"Proceedings of the 12th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications (OOPSLA'97)","author":"Grove David","year":"1997","unstructured":"David Grove, Greg DeFouw, Jefrey Dean, and Craig Chambers. 1997. Call graph construction in object-oriented languages. In Proceedings of the 12th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications (OOPSLA'97). ACM, New York, NY, USA, 108-124. https:\/\/doi.org\/10.1145\/263698.264352 10.1145\/263698.264352"},{"key":"e_1_2_1_26_1","unstructured":"Ian Haken. 2018. Automated Discovery of Deserialization Gadget Chains."},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","unstructured":"Nevin Heintze and Olivier Tardieu. 2001. Demand-driven pointer analysis. ACM SIGPLAN Notices 36 5 ( 2001 ) 24-34. https:\/\/doi.org\/10.1145\/381694.378802 10.1145\/381694.378802","DOI":"10.1145\/381694.378802"},{"key":"e_1_2_1_28_1","volume-title":"Proceedings of the 2001 ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering. 54-61","author":"Hind Michael","year":"2001","unstructured":"Michael Hind. 2001. Pointer analysis: Haven't we solved this problem yet?. In Proceedings of the 2001 ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering. 54-61. https:\/\/doi.org\/10.1145\/379605.379665 10.1145\/379605.379665"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/1086228"},{"key":"e_1_2_1_30_1","first-page":"263","volume-title":"2006 IEEE Symposium on Security and Privacy (S P'06)","author":"Jovanovic N.","unstructured":"N. Jovanovic, C. Kruegel, and E. Kirda. 2006. Pixy: a static analysis tool for detecting Web application vulnerabilities. In 2006 IEEE Symposium on Security and Privacy (S P'06). 6 pp.-263. https:\/\/doi.org\/10.1109\/SP. 2006.29 10.1109\/SP.2006.29"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","unstructured":"George Kastrinis and Yannis Smaragdakis. 2013. Hybrid context-sensitivity for points-to analysis. ACM SIGPLAN Notices 48 6 ( 2013 ) 423-434. https:\/\/doi.org\/10.1145\/2499370.2462191 10.1145\/2499370.2462191","DOI":"10.1145\/2499370.2462191"},{"key":"e_1_2_1_32_1","volume-title":"2019 IEEE\/ACM 41st International Conference on Software Engineering (ICSE). 619-630","author":"Khatchadourian R.","year":"2019","unstructured":"R. Khatchadourian, Y. Tang, M. Bagherzadeh, and S. Ahmed. 2019. Safe Automated Refactoring for Intelligent Parallelization of Java 8 Streams. In 2019 IEEE\/ACM 41st International Conference on Software Engineering (ICSE). 619-630. https: \/\/doi.org\/10.1109\/ICSE. 2019.00072 10.1109\/ICSE.2019.00072"},{"key":"e_1_2_1_33_1","volume-title":"Proceedings of the 23rd Pan-Hellenic Conference on Informatics. 67-72","author":"Koutroumpouchos Nikolaos","year":"2019","unstructured":"Nikolaos Koutroumpouchos, Georgios Lavdanis, Eleni Veroni, Christoforos Ntantogian, and Christos Xenakis. 2019. ObjectMap: detecting insecure object deserialization. In Proceedings of the 23rd Pan-Hellenic Conference on Informatics. 67-72."},{"key":"e_1_2_1_34_1","volume-title":"Qualitative and Quantitative Analysis of Callgraph Algorithms for Python. In 2021 International Conference on Code Quality (ICCQ). IEEE, 1-15","author":"Kummita Sriteja","year":"2021","unstructured":"Sriteja Kummita, Goran Piskachev, Johannes Sp\u00e4th, and Eric Bodden. 2021. Qualitative and Quantitative Analysis of Callgraph Algorithms for Python. In 2021 International Conference on Code Quality (ICCQ). IEEE, 1-15. https:\/\/doi.org\/ 10.1109\/ICCQ51190. 2021.9392986 10.1109\/ICCQ51190.2021.9392986"},{"key":"e_1_2_1_35_1","first-page":"507","volume-title":"Proceedings of the 39th International Conference on Software Engineering","author":"Landman Davy","year":"2017","unstructured":"Davy Landman, Alexander Serebrenik, and Jurgen J. Vinju. 2017. Challenges for Static Analysis of Java Reflection: Literature Review and Empirical Study. In Proceedings of the 39th International Conference on Software Engineering (Buenos Aires, Argentina) (ICSE'17). IEEE, New York, NY, USA, 507-518. https:\/\/doi.org\/10.1109\/ICSE. 2017.53 10.1109\/ICSE.2017.53"},{"key":"e_1_2_1_36_1","volume-title":"International Conference on Compiler Construction. Springer, 47-64","author":"Lhot\u00e1k Ond\u0159ej","year":"2006","unstructured":"Ond\u0159ej Lhot\u00e1k and Laurie Hendren. 2006. Context-sensitive points-to analysis: is it worth it?. In International Conference on Compiler Construction. Springer, 47-64. https:\/\/doi.org\/10.1007\/11688839_5 10.1007\/11688839_5"},{"key":"e_1_2_1_37_1","first-page":"27","volume-title":"Proceedings of the 28th European Conference on ECOOP 2014-Object-Oriented Programming-Volume 8586","author":"Li Yue","year":"2014","unstructured":"Yue Li, Tian Tan, Yulei Sui, and Jingling Xue. 2014. Self-Inferencing Reflection Resolution for Java. In Proceedings of the 28th European Conference on ECOOP 2014-Object-Oriented Programming-Volume 8586. Springer-Verlag, Berlin, Heidelberg, 27-53. https:\/\/doi.org\/10.1007\/978-3-662-44202-9_2 10.1007\/978-3-662-44202-9_2"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/3295739"},{"key":"e_1_2_1_39_1","volume-title":"Proceedings of 2011 International Conference on Computer Science and Network Technology","volume":"3","author":"Ping Liu","year":"2011","unstructured":"Liu Ping, Su Jin, and Yang Xinfeng. 2011. Research on software security vulnerability detection technology. In Proceedings of 2011 International Conference on Computer Science and Network Technology, Vol. 3. 1873-1876. https:\/\/doi.org\/10.1109\/ ICCSNT. 2011.6182335 10.1109\/ICCSNT.2011.6182335"},{"key":"e_1_2_1_40_1","unstructured":"Alvaro Mu\u00f1oz and Christian Schneider. 2018. Serial killer: Silently pwning your Java endpoints. http:\/\/www.slideshare.net\/ cschneider4711\/owasp-benelux-day-2016-serial-killer-silently-pwning-your-java-endpoints. (Accessed on 11\/15\/ 2019 )."},{"key":"e_1_2_1_41_1","article-title":"An empirical study of static call graph extractors","volume":"7","author":"Murphy Gail C","year":"1998","unstructured":"Gail C Murphy, David Notkin, William G Griswold, and Erica S Lan. 1998. An empirical study of static call graph extractors. ACM Transactions on Software Engineering and Methodology (TOSEM) 7, 2 ( 1998 ), 158-191.","journal-title":"ACM Transactions on Software Engineering and Methodology (TOSEM)"},{"key":"e_1_2_1_42_1","volume-title":"https:\/\/samate.nist.gov\/SARD\/test-suites\/111 [Online","author":"NSA Center for Assured Software. 2017. Juliet Java 1.3.","year":"2022","unstructured":"NSA Center for Assured Software. 2017. Juliet Java 1.3. https:\/\/samate.nist.gov\/SARD\/test-suites\/111 [Online; accessed 1. May. 2022 ]."},{"key":"e_1_2_1_43_1","unstructured":"Oracle. 2010. Java Object Serialization Specification-version 6.0. https:\/\/docs.oracle.com\/javase\/8\/docs\/platform\/ serialization\/spec\/serialTOC.html. (Accessed on 04\/07\/ 2020 )."},{"key":"e_1_2_1_44_1","volume-title":"9th USENIX Workshop on Ofensive Technologies (WOOT 15)","author":"Peles Or","year":"2015","unstructured":"Or Peles and Roee Hay. 2015. One Class to Rule Them All: 0-Day Deserialization Vulnerabilities in Android. In 9th USENIX Workshop on Ofensive Technologies (WOOT 15). USENIX Association, Washington, D.C., 12."},{"key":"e_1_2_1_45_1","volume-title":"Proceedings of the 35th IEEE\/ACM International Conference on Automated Software Engineering. 1209-1213","author":"Rasheed Shawn","year":"2020","unstructured":"Shawn Rasheed and Jens Dietrich. 2020. A hybrid analysis to detect Java serialisation vulnerabilities. In Proceedings of the 35th IEEE\/ACM International Conference on Automated Software Engineering. 1209-1213."},{"key":"e_1_2_1_46_1","volume-title":"mreif\/jcg-Docker Image | Docker Hub. https:\/\/hub.docker.com\/r\/mreif\/jcg [Online","author":"Reif Michael","year":"2023","unstructured":"Michael Reif. 2023. mreif\/jcg-Docker Image | Docker Hub. https:\/\/hub.docker.com\/r\/mreif\/jcg [Online; accessed 20. Oct. 2023 ]."},{"key":"e_1_2_1_47_1","first-page":"251","volume-title":"Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis (Beijing, China) ( ISSTA 2019). ACM","author":"Reif Michael","year":"2019","unstructured":"Michael Reif, Florian K\u00fcbler, Michael Eichberg, Dominik Helm, and Mira Mezini. 2019. Judge: Identifying, Understanding, and Evaluating Sources of Unsoundness in Call Graphs. In Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis (Beijing, China) ( ISSTA 2019). ACM, New York, NY, USA, 251-261. https:\/\/doi.org\/10. 1145\/3293882.3330555 10.1145\/3293882.3330555"},{"key":"e_1_2_1_48_1","first-page":"107","volume-title":"Systematic Evaluation of the Unsoundness of Call Graph Construction Algorithms for Java. In Companion Proceedings for the ISSTA\/ECOOP 2018 Workshops (ISSTA'18)","author":"Reif Michael","year":"2018","unstructured":"Michael Reif, Florian K\u00fcbler, Michael Eichberg, and Mira Mezini. 2018. Systematic Evaluation of the Unsoundness of Call Graph Construction Algorithms for Java. In Companion Proceedings for the ISSTA\/ECOOP 2018 Workshops (ISSTA'18). ACM, New York, NY, USA, 107-112. https:\/\/doi.org\/10.1145\/3236454.3236503 10.1145\/3236454.3236503"},{"key":"e_1_2_1_49_1","article-title":"Classes of recursively enumerable sets and their decision problems","volume":"74","author":"Rice Henry Gordon","year":"1953","unstructured":"Henry Gordon Rice. 1953. Classes of recursively enumerable sets and their decision problems. Trans. Amer. Math. Soc. 74, 2 ( 1953 ), 358-366.","journal-title":"Trans. Amer. Math. Soc."},{"key":"e_1_2_1_50_1","volume-title":"Proceedings of the 15th ACM SIGPLAN-SIGACT symposium on Principles of programming languages. 12-27","author":"Rosen Barry K","year":"1988","unstructured":"Barry K Rosen, Mark N Wegman, and F Kenneth Zadeck. 1988. Global value numbers and redundant computations. In Proceedings of the 15th ACM SIGPLAN-SIGACT symposium on Principles of programming languages. 12-27."},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","unstructured":"Atanas Rountev Ana Milanova and Barbara G Ryder. 2001. Points-to analysis for Java using annotated constraints. ACM SIGPLAN Notices 36 11 ( 2001 ) 43-55. https:\/\/doi.org\/10.1145\/504311.504286 10.1145\/504311.504286","DOI":"10.1145\/504311.504286"},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-008-9102-8"},{"key":"e_1_2_1_53_1","volume-title":"Proceedings of the 10th ACM SIGPLAN International Workshop on the State of the Art in Program Analysis.","author":"Santos Joanna C. S.","year":"2021","unstructured":"Joanna C. S. Santos, Reese A. Jones, Chinomso Ashiogwu, and Mehdi Mirakhorli. 2021. Serialization-Aware Call Graph Construction. In Proceedings of the 10th ACM SIGPLAN International Workshop on the State of the Art in Program Analysis."},{"key":"e_1_2_1_54_1","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1145\/3427761.3428343","volume-title":"Proceedings of the 22th ACM SIGPLAN International Workshop on Formal Techniques for Java-Like Programs (FTfJP '20)","author":"Santos Joanna C. S.","year":"2020","unstructured":"Joanna C. S. Santos, Reese A. Jones, and Mehdi Mirakhorli. 2020. Salsa: Static Analysis of Serialization Features. In Proceedings of the 22th ACM SIGPLAN International Workshop on Formal Techniques for Java-Like Programs (FTfJP '20) ( Virtual) (FTfJP 2020). ACM, New York, NY, USA, 18-25. https:\/\/doi.org\/10.1145\/3427761.3428343 10.1145\/3427761.3428343"},{"key":"e_1_2_1_55_1","article-title":"An in-depth study of java deserialization remote-code execution exploits and vulnerabilities","volume":"32","author":"Sayar Imen","year":"2023","unstructured":"Imen Sayar, Alexandre Bartel, Eric Bodden, and Yves Le Traon. 2023. An in-depth study of java deserialization remote-code execution exploits and vulnerabilities. ACM Transactions on Software Engineering and Methodology 32, 1 ( 2023 ), 1-45.","journal-title":"ACM Transactions on Software Engineering and Methodology"},{"key":"e_1_2_1_56_1","unstructured":"Christian Schneider and Alvaro Mu\u00f1oz. 2016. Java Deserialization Attacks. https:\/\/owasp.org\/www-pdf-archive\/GOD16-Deserialization.pdf. (Accessed on 11\/15\/ 2019 )."},{"key":"e_1_2_1_57_1","volume-title":"2010 IEEE symposium on Security and privacy. IEEE, 317-331","author":"Schwartz Edward J","year":"2010","unstructured":"Edward J Schwartz, Thanassis Avgerinos, and David Brumley. 2010. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In 2010 IEEE symposium on Security and privacy. IEEE, 317-331."},{"key":"e_1_2_1_58_1","volume-title":"Proceedings of the 31st Annual ACM Symposium on Applied Computing. 801-807","author":"Shahriar Hossain","year":"2016","unstructured":"Hossain Shahriar and Hisham Haddad. 2016. Object injection vulnerability discovery based on latent semantic indexing. In Proceedings of the 31st Annual ACM Symposium on Applied Computing. 801-807."},{"key":"e_1_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE"},{"key":"e_1_2_1_60_1","volume-title":"Network and Distributed Systems Security (NDSS) Symposium","author":"Shcherbakov Mikhail","year":"2021","unstructured":"Mikhail Shcherbakov and Musard Balliu. 2021. Serialdetector: Principled and practical exploration of object injection vulnerabilities for the web. In Network and Distributed Systems Security (NDSS) Symposium 202121-24 February 2021."},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-26529-2_26"},{"key":"e_1_2_1_62_1","volume-title":"32nd European Conference on Object-Oriented Programming (ECOOP 2018 ). Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik. https:\/\/doi.org\/10","author":"Smaragdakis Yannis","year":"2018","unstructured":"Yannis Smaragdakis and George Kastrinis. 2018. Defensive Points-To Analysis: Efective Soundness via Laziness. In 32nd European Conference on Object-Oriented Programming (ECOOP 2018 ). Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik. https:\/\/doi.org\/10.4230\/LIPIcs.ECOOP. 2018.23 10.4230\/LIPIcs.ECOOP.2018.23"},{"key":"e_1_2_1_63_1","first-page":"1053","volume-title":"Proceedings of the 2011 ACM International Conference on Object Oriented Programming Systems Languages and Applications (Portland, Oregon, USA) ( OOPSLA '11). ACM","author":"Sridharan Manu","year":"2011","unstructured":"Manu Sridharan, Shay Artzi, Marco Pistoia, Salvatore Guarnieri, Omer Tripp, and Ryan Berg. 2011. F4F: Taint Analysis of Framework-Based Web Applications. In Proceedings of the 2011 ACM International Conference on Object Oriented Programming Systems Languages and Applications (Portland, Oregon, USA) ( OOPSLA '11). ACM, New York, NY, USA, 1053-1068. https:\/\/doi.org\/10.1145\/2048066.2048145 10.1145\/2048066.2048145"},{"key":"e_1_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-36946-9_8"},{"key":"e_1_2_1_65_1","volume-title":"Asian Symposium on Programming Languages and Systems. Springer, 69-88","author":"Sui Li","year":"2018","unstructured":"Li Sui, Jens Dietrich, Michael Emery, Shawn Rasheed, and Amjed Tahir. 2018. On the soundness of call graph construction in the presence of dynamic language features-a benchmark and tool evaluation. In Asian Symposium on Programming Languages and Systems. Springer, 69-88."},{"key":"e_1_2_1_66_1","doi-asserted-by":"publisher","unstructured":"Li Sui Jens Dietrich Amjed Tahir and George Fourtounis. 2020. On the Recall of Static Call Graph Construction in Practice. https:\/\/doi.org\/10.1145\/3377811.3380441 10.1145\/3377811.3380441","DOI":"10.1145\/3377811.3380441"},{"key":"e_1_2_1_67_1","volume-title":"2020 IEEE Workshop on Validation, Analysis and Evolution of Software Tests (VST). 24-27","author":"Thaller H.","year":"2020","unstructured":"H. Thaller, L. Linsbauer, A. Egyed, and S. Fischer. 2020. Towards Fault Localization via Probabilistic Software Modeling. In 2020 IEEE Workshop on Validation, Analysis and Evolution of Software Tests (VST). 24-27. https:\/\/doi.org\/10.1109\/ VST50071. 2020.9051635 10.1109\/VST50071.2020.9051635"},{"key":"e_1_2_1_68_1","volume-title":"Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering. 1004-1008","author":"Thom\u00e9 Julian","year":"2017","unstructured":"Julian Thom\u00e9, Lwin Khin Shar, Domenico Bianculli, and Lionel C Briand. 2017. Joanaudit: A tool for auditing common injection vulnerabilities. In Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering. 1004-1008."},{"key":"e_1_2_1_69_1","volume-title":"Proceedings of the 15th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications. 281-293","author":"Tip Frank","year":"2000","unstructured":"Frank Tip and Jens Palsberg. 2000. Scalable propagation-based call graph construction algorithms. In Proceedings of the 15th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications. 281-293."},{"key":"e_1_2_1_70_1","volume-title":"Proceedings of the 1999 Conference of the Centre for Advanced Studies on Collaborative Research (Mississauga","author":"Vall\u00e9e-Rai Raja","year":"1999","unstructured":"Raja Vall\u00e9e-Rai, Phong Co, Etienne Gagnon, Laurie Hendren, Patrick Lam, and Vijay Sundaresan. 1999. Soot-a Java Bytecode Optimization Framework. In Proceedings of the 1999 Conference of the Centre for Advanced Studies on Collaborative Research (Mississauga, Ontario, Canada) (CASCON '99). IBM Press, 13."},{"key":"e_1_2_1_71_1","doi-asserted-by":"crossref","first-page":"236","DOI":"10.1007\/3-540-55984-1_22","volume-title":"Compiler Construction: 4th International Conference, CC'92 Paderborn, FRG","author":"Vitek Jan","year":"1992","unstructured":"Jan Vitek, R Nigel Horspool, and James S Uhl. 1992. Compile-time analysis of object-oriented programs. In Compiler Construction: 4th International Conference, CC'92 Paderborn, FRG, October 5-7, 1992 Proceedings 4. Springer, 236-250."},{"key":"e_1_2_1_72_1","volume-title":"wala\/WALA: T.J. Watson Libraries for Analysis, with frontends for Java, Android, and JavaScript, and many common static program analyses. https:\/\/github.com\/wala\/WALA [Online","author":"WALA.","year":"2024","unstructured":"WALA. 2024. wala\/WALA: T.J. Watson Libraries for Analysis, with frontends for Java, Android, and JavaScript, and many common static program analyses. https:\/\/github.com\/wala\/WALA [Online; accessed 8. Mar. 2024 ]."},{"key":"e_1_2_1_73_1","first-page":"24","volume-title":"Proceedings of the 1st International Workshop on Bots in Software Engineering (Montreal","author":"Wyrich Marvin","year":"2019","unstructured":"Marvin Wyrich and Justus Bogner. 2019. Towards an Autonomous Bot for Automatic Source Code Refactoring. In Proceedings of the 1st International Workshop on Bots in Software Engineering (Montreal, Quebec, Canada) ( BotSE '19). IEEE Press, 24-28. https:\/\/doi.org\/10.1109\/BotSE. 2019.00015 10.1109\/BotSE.2019.00015"}],"container-title":["Proceedings of the ACM on Programming Languages"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3649851","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3649851","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T22:54:07Z","timestamp":1750287247000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3649851"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,4,29]]},"references-count":73,"journal-issue":{"issue":"OOPSLA1","published-print":{"date-parts":[[2024,4,29]]}},"alternative-id":["10.1145\/3649851"],"URL":"https:\/\/doi.org\/10.1145\/3649851","relation":{},"ISSN":["2475-1421"],"issn-type":[{"value":"2475-1421","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,4,29]]},"assertion":[{"value":"2024-04-29","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}