{"id":"https://openalex.org/W4385080291","doi":"https://doi.org/10.1109/sp46215.2023.10179377","title":"ODDFuzz: Discovering Java Deserialization Vulnerabilities via Structure-Aware Directed Greybox Fuzzing","display_name":"ODDFuzz: Discovering Java Deserialization Vulnerabilities via Structure-Aware Directed Greybox Fuzzing","publication_year":2023,"publication_date":"2023-05-01","ids":{"openalex":"https://openalex.org/W4385080291","doi":"https://doi.org/10.1109/sp46215.2023.10179377"},"language":"en","primary_location":{"id":"doi:10.1109/sp46215.2023.10179377","is_oa":false,"landing_page_url":"https://doi.org/10.1109/sp46215.2023.10179377","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5007104924","display_name":"Sicong Cao","orcid":"https://orcid.org/0000-0003-3688-4437"},"institutions":[{"id":"https://openalex.org/I78978612","display_name":"Yangzhou University","ror":"https://ror.org/03tqb8s11","country_code":"CN","type":"education","lineage":["https://openalex.org/I78978612"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Sicong Cao","raw_affiliation_strings":["Yangzhou University"],"affiliations":[{"raw_affiliation_string":"Yangzhou University","institution_ids":["https://openalex.org/I78978612"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100671876","display_name":"Biao He","orcid":"https://orcid.org/0000-0002-1295-7964"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Biao He","raw_affiliation_strings":["Ant Group"],"affiliations":[{"raw_affiliation_string":"Ant Group","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101335793","display_name":"Xiaobing Sun","orcid":"https://orcid.org/0000-0002-6634-7969"},"institutions":[{"id":"https://openalex.org/I78978612","display_name":"Yangzhou University","ror":"https://ror.org/03tqb8s11","country_code":"CN","type":"education","lineage":["https://openalex.org/I78978612"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Xiaobing Sun","raw_affiliation_strings":["Yangzhou University"],"affiliations":[{"raw_affiliation_string":"Yangzhou University","institution_ids":["https://openalex.org/I78978612"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100629548","display_name":"Yu Ouyang","orcid":"https://orcid.org/0000-0002-2418-281X"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yu Ouyang","raw_affiliation_strings":["Ant Group"],"affiliations":[{"raw_affiliation_string":"Ant Group","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100460096","display_name":"Chao Zhang","orcid":"https://orcid.org/0000-0001-7894-8828"},"institutions":[{"id":"https://openalex.org/I99065089","display_name":"Tsinghua University","ror":"https://ror.org/03cve4549","country_code":"CN","type":"education","lineage":["https://openalex.org/I99065089"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Chao Zhang","raw_affiliation_strings":["Tsinghua University"],"affiliations":[{"raw_affiliation_string":"Tsinghua University","institution_ids":["https://openalex.org/I99065089"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5102926361","display_name":"Xiaoxue Wu","orcid":"https://orcid.org/0009-0009-5432-651X"},"institutions":[{"id":"https://openalex.org/I78978612","display_name":"Yangzhou University","ror":"https://ror.org/03tqb8s11","country_code":"CN","type":"education","lineage":["https://openalex.org/I78978612"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Xiaoxue Wu","raw_affiliation_strings":["Yangzhou University"],"affiliations":[{"raw_affiliation_string":"Yangzhou University","institution_ids":["https://openalex.org/I78978612"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5013955092","display_name":"Ting Su","orcid":"https://orcid.org/0000-0001-6292-1209"},"institutions":[{"id":"https://openalex.org/I66867065","display_name":"East China Normal University","ror":"https://ror.org/02n96ep67","country_code":"CN","type":"education","lineage":["https://openalex.org/I66867065"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Ting Su","raw_affiliation_strings":["East China Normal University"],"affiliations":[{"raw_affiliation_string":"East China Normal University","institution_ids":["https://openalex.org/I66867065"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5013537395","display_name":"Lili Bo","orcid":"https://orcid.org/0000-0002-7267-4923"},"institutions":[{"id":"https://openalex.org/I78978612","display_name":"Yangzhou University","ror":"https://ror.org/03tqb8s11","country_code":"CN","type":"education","lineage":["https://openalex.org/I78978612"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Lili Bo","raw_affiliation_strings":["Yangzhou University"],"affiliations":[{"raw_affiliation_string":"Yangzhou University","institution_ids":["https://openalex.org/I78978612"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100365126","display_name":"Bin Li","orcid":"https://orcid.org/0000-0001-8500-9917"},"institutions":[{"id":"https://openalex.org/I78978612","display_name":"Yangzhou University","ror":"https://ror.org/03tqb8s11","country_code":"CN","type":"education","lineage":["https://openalex.org/I78978612"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Bin Li","raw_affiliation_strings":["Yangzhou University"],"affiliations":[{"raw_affiliation_string":"Yangzhou University","institution_ids":["https://openalex.org/I78978612"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5066077433","display_name":"Chuanlei Ma","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Chuanlei Ma","raw_affiliation_strings":["Ant Group"],"affiliations":[{"raw_affiliation_string":"Ant Group","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5108050456","display_name":"Jiajia Li","orcid":"https://orcid.org/0009-0005-7848-0897"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Jiajia Li","raw_affiliation_strings":["Ant Group"],"affiliations":[{"raw_affiliation_string":"Ant Group","institution_ids":[]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5100660693","display_name":"Wei Tao","orcid":"https://orcid.org/0000-0002-1719-656X"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Tao Wei","raw_affiliation_strings":["Ant Group"],"affiliations":[{"raw_affiliation_string":"Ant Group","institution_ids":[]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":12,"corresponding_author_ids":["https://openalex.org/A5007104924"],"corresponding_institution_ids":["https://openalex.org/I78978612"],"apc_list":null,"apc_paid":null,"fwci":5.7097,"has_fulltext":false,"cited_by_count":29,"citation_normalized_percentile":{"value":0.971114,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"2726","last_page":"2743"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.9988999962806702,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9988999962806702,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/fuzz-testing","display_name":"Fuzz testing","score":0.9374306201934814},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8581664562225342},{"id":"https://openalex.org/keywords/gadget","display_name":"Gadget","score":0.857930600643158},{"id":"https://openalex.org/keywords/java","display_name":"Java","score":0.7712716460227966},{"id":"https://openalex.org/keywords/oracle","display_name":"Oracle","score":0.5843732953071594},{"id":"https://openalex.org/keywords/false-positive-paradox","display_name":"False positive paradox","score":0.5479981899261475},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.48201170563697815},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.4167723059654236},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.4157137870788574},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.28995978832244873},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.1973663568496704},{"id":"https://openalex.org/keywords/algorithm","display_name":"Algorithm","score":0.13102784752845764}],"concepts":[{"id":"https://openalex.org/C111065885","wikidata":"https://www.wikidata.org/wiki/Q1189053","display_name":"Fuzz testing","level":3,"score":0.9374306201934814},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8581664562225342},{"id":"https://openalex.org/C119770614","wikidata":"https://www.wikidata.org/wiki/Q5516347","display_name":"Gadget","level":2,"score":0.857930600643158},{"id":"https://openalex.org/C548217200","wikidata":"https://www.wikidata.org/wiki/Q251","display_name":"Java","level":2,"score":0.7712716460227966},{"id":"https://openalex.org/C55166926","wikidata":"https://www.wikidata.org/wiki/Q2892946","display_name":"Oracle","level":2,"score":0.5843732953071594},{"id":"https://openalex.org/C64869954","wikidata":"https://www.wikidata.org/wiki/Q1859747","display_name":"False positive paradox","level":2,"score":0.5479981899261475},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.48201170563697815},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.4167723059654236},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4157137870788574},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.28995978832244873},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.1973663568496704},{"id":"https://openalex.org/C11413529","wikidata":"https://www.wikidata.org/wiki/Q8366","display_name":"Algorithm","level":1,"score":0.13102784752845764}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/sp46215.2023.10179377","is_oa":false,"landing_page_url":"https://doi.org/10.1109/sp46215.2023.10179377","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","score":0.5199999809265137,"id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320324852","display_name":"Nanjing University","ror":"https://ror.org/01rxvg760"},{"id":"https://openalex.org/F4320326182","display_name":"Six Talent Peaks Project in Jiangsu Province","ror":null}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":48,"referenced_works":["https://openalex.org/W1499141839","https://openalex.org/W1966831167","https://openalex.org/W2035260626","https://openalex.org/W2086631206","https://openalex.org/W2135032959","https://openalex.org/W2151152024","https://openalex.org/W2166743230","https://openalex.org/W2171240827","https://openalex.org/W2294434616","https://openalex.org/W2377819450","https://openalex.org/W2474947696","https://openalex.org/W2534728012","https://openalex.org/W2535617737","https://openalex.org/W2765755114","https://openalex.org/W2766540688","https://openalex.org/W2794670092","https://openalex.org/W2876719183","https://openalex.org/W2890772103","https://openalex.org/W2891235722","https://openalex.org/W2906628499","https://openalex.org/W2955354980","https://openalex.org/W2959352824","https://openalex.org/W2962200727","https://openalex.org/W2962823786","https://openalex.org/W2964097210","https://openalex.org/W2964241064","https://openalex.org/W2979357014","https://openalex.org/W2992281720","https://openalex.org/W3046946156","https://openalex.org/W3049735680","https://openalex.org/W3136748915","https://openalex.org/W3137781054","https://openalex.org/W3173320755","https://openalex.org/W3197715376","https://openalex.org/W4213412050","https://openalex.org/W4221033043","https://openalex.org/W4283835231","https://openalex.org/W4288057792","https://openalex.org/W4289939589","https://openalex.org/W4297902814","https://openalex.org/W4308643027","https://openalex.org/W4384304635","https://openalex.org/W4385695486","https://openalex.org/W6629812241","https://openalex.org/W6766950264","https://openalex.org/W6776771148","https://openalex.org/W6788674771","https://openalex.org/W6969334641"],"related_works":["https://openalex.org/W2511770387","https://openalex.org/W3120811337","https://openalex.org/W2766647240","https://openalex.org/W4385301282","https://openalex.org/W2990186179","https://openalex.org/W4252293060","https://openalex.org/W3203597304","https://openalex.org/W4248424560","https://openalex.org/W2464784130","https://openalex.org/W2735770104"],"abstract_inverted_index":{"Java":[0,51,144],"deserialization":[1,52,69,145],"vulnerability":[2],"is":[3],"a":[4,43,106,120,125,134],"severe":[5],"threat":[6],"in":[7],"practice.":[8],"Researchers":[9],"have":[10,34],"proposed":[11],"static":[12,58],"analysis":[13,60],"solutions":[14,21,33],"to":[15,22,28,48,61,76,91,99,111,128],"locate":[16,77],"candidate":[17,63],"vulnerabilities":[18],"and":[19,37,80,95,118,124,138,186,188],"fuzzing":[20,89],"generate":[23,96],"proof-of-concept":[24],"(PoC)":[25],"serialized":[26],"objects":[27],"trigger":[29],"them.":[30,169],"However,":[31],"existing":[32],"limited":[35],"effectiveness":[36],"efficiency.In":[38],"this":[39,72],"paper,":[40],"we":[41,172],"propose":[42],"novel":[44,121],"hybrid":[45,122],"solution":[46],"ODDFuzz":[47,55,74,85,104,137,151,174],"efficiently":[49],"discover":[50,153],"vulnerabilities.":[53,70],"First,":[54],"performs":[56,86],"lightweight":[57],"taint":[59],"identify":[62,166],"gadget":[64,159,194],"chains":[65,195],"that":[66],"may":[67],"cause":[68],"In":[71,170],"step,":[73],"tries":[75],"all":[78],"candidates":[79,94],"avoid":[81],"false":[82,101],"negatives.":[83],"Then,":[84],"directed":[87,131],"greybox":[88],"(DGF)":[90],"explore":[92],"those":[93],"PoC":[97],"testcases":[98],"mitigate":[100],"positives.":[102],"Specifically,":[103],"applies":[105],"structure-aware":[107],"seed":[108],"generation":[109],"method":[110],"guarantee":[112],"the":[113,116,130,142],"validity":[114],"of":[115,136,156,168],"testcases,":[117],"adopts":[119],"feedback":[123],"step-forward":[126],"strategy":[127],"guide":[129],"fuzzing.We":[132],"implemented":[133],"prototype":[135],"evaluated":[139,173],"it":[140],"on":[141,175],"popular":[143],"repository":[146],"ysoserial.":[147],"Results":[148],"show":[149],"that,":[150],"could":[152],"16":[154],"out":[155],"34":[157],"known":[158],"chains,":[160],"while":[161],"two":[162],"state-of-the-art":[163],"baselines":[164],"only":[165],"three":[167],"addition,":[171],"real-world":[176],"applications":[177],"including":[178],"Oracle":[179],"WebLogic":[180],"Server,":[181],"Apache":[182],"Dubbo,":[183],"Sonatype":[184],"Nexus,":[185],"protostuff,":[187],"found":[189],"six":[190],"previously":[191],"unreported":[192],"exploitable":[193],"with":[196],"five":[197],"CVEs":[198],"assigned.":[199]},"counts_by_year":[{"year":2026,"cited_by_count":2},{"year":2025,"cited_by_count":11},{"year":2024,"cited_by_count":15},{"year":2023,"cited_by_count":1}],"updated_date":"2026-04-06T07:47:59.780226","created_date":"2025-10-10T00:00:00"}