{"id":"https://openalex.org/W2955471678","doi":"https://doi.org/10.1145/3332371","title":"Static Identification of Injection Attacks in Java","display_name":"Static Identification of Injection Attacks in Java","publication_year":2019,"publication_date":"2019-07-02","ids":{"openalex":"https://openalex.org/W2955471678","doi":"https://doi.org/10.1145/3332371","mag":"2955471678"},"language":"en","primary_location":{"id":"doi:10.1145/3332371","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3332371","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3332371","source":{"id":"https://openalex.org/S41449414","display_name":"ACM Transactions on Programming Languages and Systems","issn_l":"0164-0925","issn":["0164-0925","1558-4593"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Programming Languages and Systems","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"bronze","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3332371","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5051480560","display_name":"Fausto Spoto","orcid":"https://orcid.org/0000-0003-2973-0384"},"institutions":[{"id":"https://openalex.org/I119439378","display_name":"University of Verona","ror":"https://ror.org/039bp8j42","country_code":"IT","type":"education","lineage":["https://openalex.org/I119439378"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Fausto Spoto","raw_affiliation_strings":["Universit\u00e0 di Verona, Italy and JuliaSoft Srl, Verona, Italy"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Universit\u00e0 di Verona, Italy and JuliaSoft Srl, Verona, Italy","institution_ids":["https://openalex.org/I119439378"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5050163017","display_name":"Elisa Burato","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Elisa Burato","raw_affiliation_strings":["JuliaSoft Srl, Verona, Italy"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"JuliaSoft Srl, Verona, Italy","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5032068969","display_name":"Michael D. Ernst","orcid":"https://orcid.org/0000-0001-9379-277X"},"institutions":[{"id":"https://openalex.org/I201448701","display_name":"University of Washington","ror":"https://ror.org/00cvxb145","country_code":"US","type":"education","lineage":["https://openalex.org/I201448701"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Michael D. Ernst","raw_affiliation_strings":["University of Washington, Seattle, WA, USA"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"University of Washington, Seattle, WA, USA","institution_ids":["https://openalex.org/I201448701"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5070919681","display_name":"Pietro Ferrara","orcid":"https://orcid.org/0000-0002-4678-933X"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Pietro Ferrara","raw_affiliation_strings":["JuliaSoft Srl, Verona, Italy"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"JuliaSoft Srl, Verona, Italy","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5021973624","display_name":"Alberto Lovato","orcid":null},"institutions":[{"id":"https://openalex.org/I119439378","display_name":"University of Verona","ror":"https://ror.org/039bp8j42","country_code":"IT","type":"education","lineage":["https://openalex.org/I119439378"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Alberto Lovato","raw_affiliation_strings":["Universit\u00e0 di Verona, Verona, Italy"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Universit\u00e0 di Verona, Verona, Italy","institution_ids":["https://openalex.org/I119439378"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5071769968","display_name":"Damiano Macedonio","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Damiano Macedonio","raw_affiliation_strings":["JuliaSoft Srl, Verona, Italy"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"JuliaSoft Srl, Verona, Italy","institution_ids":[]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5070426648","display_name":"Ciprian Spiridon","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Ciprian Spiridon","raw_affiliation_strings":["JuliaSoft Srl, Verona, Italy"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"JuliaSoft Srl, Verona, Italy","institution_ids":[]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":7,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":2.0245,"has_fulltext":true,"cited_by_count":36,"citation_normalized_percentile":{"value":0.90028715,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":99},"biblio":{"volume":"41","issue":"3","first_page":"1","last_page":"58"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9983999729156494,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.9167829751968384},{"id":"https://openalex.org/keywords/sql-injection","display_name":"SQL injection","score":0.7356653809547424},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.4962959885597229},{"id":"https://openalex.org/keywords/heap","display_name":"Heap (data structure)","score":0.4783170521259308},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.47434723377227783},{"id":"https://openalex.org/keywords/scripting-language","display_name":"Scripting language","score":0.4670155644416809},{"id":"https://openalex.org/keywords/java","display_name":"Java","score":0.4551408886909485},{"id":"https://openalex.org/keywords/static-analysis","display_name":"Static analysis","score":0.43785661458969116},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.42181718349456787},{"id":"https://openalex.org/keywords/data-flow-analysis","display_name":"Data-flow analysis","score":0.41169053316116333},{"id":"https://openalex.org/keywords/database","display_name":"Database","score":0.3479180335998535},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.27185970544815063},{"id":"https://openalex.org/keywords/data-flow-diagram","display_name":"Data flow diagram","score":0.26277977228164673},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.1957208812236786},{"id":"https://openalex.org/keywords/query-by-example","display_name":"Query by Example","score":0.13111954927444458},{"id":"https://openalex.org/keywords/web-search-query","display_name":"Web search query","score":0.11046302318572998}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.9167829751968384},{"id":"https://openalex.org/C150451098","wikidata":"https://www.wikidata.org/wiki/Q506059","display_name":"SQL injection","level":5,"score":0.7356653809547424},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.4962959885597229},{"id":"https://openalex.org/C134757568","wikidata":"https://www.wikidata.org/wiki/Q274089","display_name":"Heap (data structure)","level":2,"score":0.4783170521259308},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.47434723377227783},{"id":"https://openalex.org/C61423126","wikidata":"https://www.wikidata.org/wiki/Q187432","display_name":"Scripting language","level":2,"score":0.4670155644416809},{"id":"https://openalex.org/C548217200","wikidata":"https://www.wikidata.org/wiki/Q251","display_name":"Java","level":2,"score":0.4551408886909485},{"id":"https://openalex.org/C97686452","wikidata":"https://www.wikidata.org/wiki/Q7604153","display_name":"Static analysis","level":2,"score":0.43785661458969116},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.42181718349456787},{"id":"https://openalex.org/C88468194","wikidata":"https://www.wikidata.org/wiki/Q1172416","display_name":"Data-flow analysis","level":3,"score":0.41169053316116333},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.3479180335998535},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.27185970544815063},{"id":"https://openalex.org/C489000","wikidata":"https://www.wikidata.org/wiki/Q747385","display_name":"Data flow diagram","level":2,"score":0.26277977228164673},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.1957208812236786},{"id":"https://openalex.org/C194222762","wikidata":"https://www.wikidata.org/wiki/Q114486","display_name":"Query by Example","level":4,"score":0.13111954927444458},{"id":"https://openalex.org/C164120249","wikidata":"https://www.wikidata.org/wiki/Q995982","display_name":"Web search query","level":3,"score":0.11046302318572998},{"id":"https://openalex.org/C97854310","wikidata":"https://www.wikidata.org/wiki/Q19541","display_name":"Search engine","level":2,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3332371","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3332371","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3332371","source":{"id":"https://openalex.org/S41449414","display_name":"ACM Transactions on Programming Languages and Systems","issn_l":"0164-0925","issn":["0164-0925","1558-4593"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Programming Languages and Systems","raw_type":"journal-article"},{"id":"pmh:oai:iris.unive.it:10278/3730032","is_oa":false,"landing_page_url":"https://dl.acm.org/citation.cfm?doid=3343145.3332371","pdf_url":null,"source":{"id":"https://openalex.org/S4306402336","display_name":"ARCA (Universit\u00e0 Ca' Foscari Venezia)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I149461666","host_organization_name":"Ca' Foscari University of Venice","host_organization_lineage":["https://openalex.org/I149461666"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"info:eu-repo/semantics/article"}],"best_oa_location":{"id":"doi:10.1145/3332371","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3332371","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3332371","source":{"id":"https://openalex.org/S41449414","display_name":"ACM Transactions on Programming Languages and Systems","issn_l":"0164-0925","issn":["0164-0925","1558-4593"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Programming Languages and Systems","raw_type":"journal-article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","score":0.699999988079071,"display_name":"Peace, Justice and strong institutions"}],"awards":[{"id":"https://openalex.org/G7102211986","display_name":null,"funder_award_id":"FA8750-12-C-0174","funder_id":"https://openalex.org/F4320332467","funder_display_name":"U.S. Air Force"}],"funders":[{"id":"https://openalex.org/F4320332467","display_name":"U.S. Air Force","ror":"https://ror.org/006gmme17"}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W2955471678.pdf","grobid_xml":"https://content.openalex.org/works/W2955471678.grobid-xml"},"referenced_works_count":57,"referenced_works":["https://openalex.org/W179639259","https://openalex.org/W200081508","https://openalex.org/W1493079268","https://openalex.org/W1519566437","https://openalex.org/W1536265389","https://openalex.org/W1548432452","https://openalex.org/W1573821685","https://openalex.org/W1574640530","https://openalex.org/W1585369582","https://openalex.org/W1614825945","https://openalex.org/W1668251704","https://openalex.org/W1893485003","https://openalex.org/W1978492394","https://openalex.org/W1987856704","https://openalex.org/W1991231882","https://openalex.org/W1995268059","https://openalex.org/W2000194923","https://openalex.org/W2008158744","https://openalex.org/W2017639917","https://openalex.org/W2030224590","https://openalex.org/W2038315427","https://openalex.org/W2043100293","https://openalex.org/W2054936630","https://openalex.org/W2055351465","https://openalex.org/W2060995180","https://openalex.org/W2065555413","https://openalex.org/W2067726273","https://openalex.org/W2067872353","https://openalex.org/W2076840859","https://openalex.org/W2080573945","https://openalex.org/W2093080079","https://openalex.org/W2103660000","https://openalex.org/W2122049982","https://openalex.org/W2125357166","https://openalex.org/W2145708265","https://openalex.org/W2150174204","https://openalex.org/W2158267769","https://openalex.org/W2166743230","https://openalex.org/W2168197596","https://openalex.org/W2241404614","https://openalex.org/W2263666543","https://openalex.org/W2281841402","https://openalex.org/W2339647006","https://openalex.org/W2406562224","https://openalex.org/W2514492901","https://openalex.org/W2514783878","https://openalex.org/W2543953340","https://openalex.org/W2572065157","https://openalex.org/W2572469843","https://openalex.org/W2605138103","https://openalex.org/W2616370766","https://openalex.org/W2617348763","https://openalex.org/W2904624750","https://openalex.org/W2907724967","https://openalex.org/W2997271062","https://openalex.org/W4240951837","https://openalex.org/W6714231457"],"related_works":["https://openalex.org/W2295858576","https://openalex.org/W1988033384","https://openalex.org/W3035018584","https://openalex.org/W2761428514","https://openalex.org/W63144840","https://openalex.org/W2906386992","https://openalex.org/W2022689150","https://openalex.org/W2985048382","https://openalex.org/W4360585599","https://openalex.org/W2545238856"],"abstract_inverted_index":{"The":[0,210,242,366],"most":[1],"dangerous":[2,74,142],"security-related":[3],"software":[4],"errors,":[5],"according":[6],"to":[7,26,49,84,103,228,384],"the":[8,88,107,119,129,182,208,235,247,261,273,279,299,305,308,315,328,335,339,343,375],"OWASP":[9,340],"Top":[10],"Ten":[11],"2017":[12,309],"list,":[13],"affect":[14],"web":[15,41,51,133,145],"applications.":[16,296],"They":[17],"are":[18,147],"potential":[19],"injection":[20,36,46,55,66,81,269,379],"attacks":[21,117],"that":[22,128,252,372,380],"exploit":[23,118],"user-provided":[24,96],"data":[25,97,125,191,205,256,311,317],"execute":[27],"undesired":[28],"operations:":[29],"database":[30],"access":[31,83],"and":[32,61,94,217,221,237,240,266,277,338,364,390,393,398],"updates":[33],"(":[34,43,53,64,79,91,110],"SQL":[35],");":[37,47,56,67,82,93],"generation":[38],"of":[39,58,69,124,131,152,184,189,225,283,293,307,314,346,368],"malicious":[40],"pages":[42,52],"cross-site":[44],"scripting":[45],"redirection":[48],"user-specified":[50],"redirect":[54],"execution":[57],"OS":[59],"commands":[60],"arbitrary":[62,85],"scripts":[63],"command":[65,300],"loading":[68],"user-specified,":[70],"possibly":[71],"heavy":[72],"or":[73],"classes":[75],"at":[76,304],"run":[77],"time":[78],"reflection":[80],"files":[86],"on":[87,181,214,330,395],"file":[89],"system":[90],"path-traversal":[92],"storing":[95],"into":[98,136,249],"heap":[99,236],"regions":[100],"normally":[101],"assumed":[102],"be":[104,198],"shielded":[105],"from":[106,126],"outside":[108],"world":[109],"trust":[111],"boundary":[112],"violation":[113],").":[114],"All":[115],"these":[116,369],"same":[120],"weakness:":[121],"unconstrained":[122],"propagation":[123],"sources":[127],"user":[130],"a":[132,150,156,172,291],"application":[134],"controls":[135],"sinks":[137],"whose":[138],"activation":[139],"might":[140],"trigger":[141],"operations.":[143],"Although":[144],"applications":[146],"written":[148],"in":[149,159,192,207,234,272,278,290],"variety":[151],"languages,":[153],"Java":[154,193,265],"remains":[155],"frequent":[157],"choice,":[158],"particular":[160],"for":[161,264,342,349,378],"banking":[162,275],"applications,":[163],"where":[164],"security":[165,270,333],"has":[166],"tangible":[167],"relevance.":[168],"This":[169],"article":[170,325],"defines":[171],"unified,":[173],"sound":[174,382],"protection":[175],"mechanism":[176],"against":[177,355],"such":[178,387],"attacks,":[179],"based":[180,213],"identification":[183],"all":[185,254],"possible":[186,255],"explicit":[187],"flows":[188,196],"tainted":[190],"code.":[194],"Such":[195],"can":[197],"arbitrarily":[199],"complex,":[200],"passing":[201],"through":[202],"dynamically":[203,232],"allocated":[204,233],"structures":[206],"heap.":[209],"analysis":[211,243,377],"is":[212,218,238,303,371,374,381,400],"abstract":[215],"interpretation":[216],"interprocedural,":[219],"flow-sensitive,":[220],"context-sensitive.":[222],"Its":[223,258],"notion":[224],"taint":[226],"applies":[227],"reference":[229],"(non-primitive)":[230],"types":[231],"object-sensitive":[239],"field-sensitive.":[241],"works":[244,394],"by":[245],"translating":[246],"program":[248],"Boolean":[250],"formulas":[251],"model":[253],"flows.":[257],"implementation,":[259],"within":[260],"Julia":[262],"analyzer":[263],"Android,":[267],"found":[268,298],"vulnerabilities":[271],"Internet":[274],"service":[276],"customer":[280],"relationship":[281],"management":[282],"large":[284],"Italian":[285],"banks,":[286],"as":[287,289,388],"well":[288],"set":[292],"open-source":[294,332],"third-party":[295],"It":[297],"injection,":[301],"which":[302],"origin":[306],"Equifax":[310],"breach,":[312],"one":[313],"worst":[316],"breaches":[318],"ever.":[319],"For":[320],"objective,":[321],"repeatable":[322],"results,":[323],"this":[324,353],"also":[326,401],"evaluates":[327],"implementation":[329],"two":[331],"benchmarks:":[334],"Juliet":[336],"Suite":[337],"Benchmark":[341],"automatic":[344],"comparison":[345],"static":[347,360],"analyzers":[348],"cybersecurity.":[350],"We":[351],"compared":[352],"technique":[354],"more":[356,403],"than":[357,405],"10":[358],"other":[359,406],"analyzers,":[361],"both":[362],"free":[363],"commercial.":[365],"result":[367],"experiments":[370],"ours":[373],"only":[376],"(up":[383],"well-stated":[385],"limitations":[386],"multithreading":[389],"native":[391],"code)":[392],"industrial":[396],"code,":[397],"it":[399],"much":[402],"precise":[404],"tools.":[407]},"counts_by_year":[{"year":2026,"cited_by_count":2},{"year":2025,"cited_by_count":4},{"year":2024,"cited_by_count":8},{"year":2023,"cited_by_count":8},{"year":2022,"cited_by_count":4},{"year":2021,"cited_by_count":4},{"year":2020,"cited_by_count":5},{"year":2019,"cited_by_count":1}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}