{"id":"https://openalex.org/W4289939589","doi":"https://doi.org/10.1145/3554732","title":"An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities","display_name":"An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities","publication_year":2022,"publication_date":"2022-08-05","ids":{"openalex":"https://openalex.org/W4289939589","doi":"https://doi.org/10.1145/3554732"},"language":"en","primary_location":{"id":"doi:10.1145/3554732","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3554732","pdf_url":null,"source":{"id":"https://openalex.org/S142627899","display_name":"ACM Transactions on Software Engineering and Methodology","issn_l":"1049-331X","issn":["1049-331X","1557-7392"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Software Engineering and Methodology","raw_type":"journal-article"},"type":"article","indexed_in":["arxiv","crossref"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://arxiv.org/pdf/2208.08173","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5067849557","display_name":"Imen Sayar","orcid":"https://orcid.org/0000-0001-5068-5878"},"institutions":[{"id":"https://openalex.org/I17866349","display_name":"Universit\u00e9 F\u00e9d\u00e9rale de Toulouse Midi-Pyr\u00e9n\u00e9es","ror":"https://ror.org/004raaa70","country_code":"FR","type":"education","lineage":["https://openalex.org/I17866349"]},{"id":"https://openalex.org/I186903577","display_name":"University of Luxembourg","ror":"https://ror.org/036x5ad56","country_code":"LU","type":"education","lineage":["https://openalex.org/I186903577"]},{"id":"https://openalex.org/I4210152422","display_name":"Universit\u00e9 Toulouse - Jean Jaur\u00e8s","ror":"https://ror.org/04ezk3x31","country_code":"FR","type":"education","lineage":["https://openalex.org/I4210152422","https://openalex.org/I4405258862"]}],"countries":["FR","LU"],"is_corresponding":true,"raw_author_name":"Imen Sayar","raw_affiliation_strings":["University of Toulouse, Blagnac Cedex, France","Smart Modeling for softw@re Research and Technology","University of Luxembourg [Luxembourg]","Universit\u00e9 Toulouse - Jean Jaur\u00e8s"],"affiliations":[{"raw_affiliation_string":"University of Toulouse, Blagnac Cedex, France","institution_ids":["https://openalex.org/I17866349"]},{"raw_affiliation_string":"Smart Modeling for softw@re Research and Technology","institution_ids":[]},{"raw_affiliation_string":"University of Luxembourg [Luxembourg]","institution_ids":["https://openalex.org/I186903577"]},{"raw_affiliation_string":"Universit\u00e9 Toulouse - Jean Jaur\u00e8s","institution_ids":["https://openalex.org/I4210152422"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5019300625","display_name":"Alexandre Bartel","orcid":"https://orcid.org/0000-0003-1383-0372"},"institutions":[{"id":"https://openalex.org/I186903577","display_name":"University of Luxembourg","ror":"https://ror.org/036x5ad56","country_code":"LU","type":"education","lineage":["https://openalex.org/I186903577"]},{"id":"https://openalex.org/I90267481","display_name":"Ume\u00e5 University","ror":"https://ror.org/05kb8h459","country_code":"SE","type":"education","lineage":["https://openalex.org/I90267481"]}],"countries":["LU","SE"],"is_corresponding":false,"raw_author_name":"Alexandre Bartel","raw_affiliation_strings":["Ume\u00e5 University, MIT-Huset, Ume\u00e5, Sweden","University of Luxembourg [Luxembourg]","Ume\u00e5 University"],"affiliations":[{"raw_affiliation_string":"Ume\u00e5 University, MIT-Huset, Ume\u00e5, Sweden","institution_ids":["https://openalex.org/I90267481"]},{"raw_affiliation_string":"University of Luxembourg [Luxembourg]","institution_ids":["https://openalex.org/I186903577"]},{"raw_affiliation_string":"Ume\u00e5 University","institution_ids":["https://openalex.org/I90267481"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5076678278","display_name":"Eric Bodden","orcid":"https://orcid.org/0000-0003-3470-3647"},"institutions":[{"id":"https://openalex.org/I206945453","display_name":"Paderborn University","ror":"https://ror.org/058kzsd48","country_code":"DE","type":"education","lineage":["https://openalex.org/I206945453"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Eric Bodden","raw_affiliation_strings":["Paderborn University, Paderborn, Germany","Universit\u00e4t Paderborn"],"affiliations":[{"raw_affiliation_string":"Paderborn University, Paderborn, Germany","institution_ids":["https://openalex.org/I206945453"]},{"raw_affiliation_string":"Universit\u00e4t Paderborn","institution_ids":["https://openalex.org/I206945453"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5040574362","display_name":"Yves Le Traon","orcid":"https://orcid.org/0000-0002-1045-4861"},"institutions":[{"id":"https://openalex.org/I186903577","display_name":"University of Luxembourg","ror":"https://ror.org/036x5ad56","country_code":"LU","type":"education","lineage":["https://openalex.org/I186903577"]},{"id":"https://openalex.org/I4210134190","display_name":"Recherches Scientifiques Luxembourg","ror":"https://ror.org/0333e3w09","country_code":"LU","type":"facility","lineage":["https://openalex.org/I4210134190"]}],"countries":["LU"],"is_corresponding":false,"raw_author_name":"Yves Le Traon","raw_affiliation_strings":["University of Luxembourg, Kirchberg Campus, Luxembourg","University of Luxembourg [Luxembourg]"],"affiliations":[{"raw_affiliation_string":"University of Luxembourg, Kirchberg Campus, Luxembourg","institution_ids":["https://openalex.org/I4210134190","https://openalex.org/I186903577"]},{"raw_affiliation_string":"University of Luxembourg [Luxembourg]","institution_ids":["https://openalex.org/I186903577"]}]}],"institutions":[],"countries_distinct_count":4,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5067849557"],"corresponding_institution_ids":["https://openalex.org/I17866349","https://openalex.org/I186903577","https://openalex.org/I4210152422"],"apc_list":null,"apc_paid":null,"fwci":3.4706,"has_fulltext":false,"cited_by_count":27,"citation_normalized_percentile":{"value":0.934195,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":98,"max":99},"biblio":{"volume":"32","issue":"1","first_page":"1","last_page":"45"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9990000128746033,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8945120573043823},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.8644336462020874},{"id":"https://openalex.org/keywords/java","display_name":"Java","score":0.7804913520812988},{"id":"https://openalex.org/keywords/secure-coding","display_name":"Secure coding","score":0.6110513210296631},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.5278691649436951},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.4904060363769531},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.29145294427871704},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.18856769800186157},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.18459463119506836}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8945120573043823},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.8644336462020874},{"id":"https://openalex.org/C548217200","wikidata":"https://www.wikidata.org/wiki/Q251","display_name":"Java","level":2,"score":0.7804913520812988},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.6110513210296631},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.5278691649436951},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.4904060363769531},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.29145294427871704},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.18856769800186157},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.18459463119506836},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.0},{"id":"https://openalex.org/C184842701","wikidata":"https://www.wikidata.org/wiki/Q370563","display_name":"Cloud computing security","level":3,"score":0.0},{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.0}],"mesh":[],"locations_count":3,"locations":[{"id":"doi:10.1145/3554732","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3554732","pdf_url":null,"source":{"id":"https://openalex.org/S142627899","display_name":"ACM Transactions on Software Engineering and Methodology","issn_l":"1049-331X","issn":["1049-331X","1557-7392"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Software Engineering and Methodology","raw_type":"journal-article"},{"id":"pmh:oai:arXiv.org:2208.08173","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2208.08173","pdf_url":"https://arxiv.org/pdf/2208.08173","source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},{"id":"pmh:oai:HAL:hal-03747004v1","is_oa":true,"landing_page_url":"https://hal.science/hal-03747004","pdf_url":null,"source":{"id":"https://openalex.org/S4306402512","display_name":"HAL (Le Centre pour la Communication Scientifique Directe)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I1294671590","host_organization_name":"Centre National de la Recherche Scientifique","host_organization_lineage":["https://openalex.org/I1294671590"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"https://dl.acm.org/doi/10.1145/3554732","raw_type":"Journal articles"}],"best_oa_location":{"id":"pmh:oai:arXiv.org:2208.08173","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2208.08173","pdf_url":"https://arxiv.org/pdf/2208.08173","source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},"sustainable_development_goals":[{"score":0.7099999785423279,"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":25,"referenced_works":["https://openalex.org/W1460196902","https://openalex.org/W1984471991","https://openalex.org/W2111487235","https://openalex.org/W2124360577","https://openalex.org/W2295517818","https://openalex.org/W2474947696","https://openalex.org/W2534728012","https://openalex.org/W2605404816","https://openalex.org/W2688711791","https://openalex.org/W2730150466","https://openalex.org/W2760927723","https://openalex.org/W2890772103","https://openalex.org/W2897614888","https://openalex.org/W2918098492","https://openalex.org/W2954978134","https://openalex.org/W3122488687","https://openalex.org/W3136748915","https://openalex.org/W4213009331","https://openalex.org/W4226253272","https://openalex.org/W4247087493","https://openalex.org/W4251039970","https://openalex.org/W4255445045","https://openalex.org/W4289038676","https://openalex.org/W6697651354","https://openalex.org/W6904020065"],"related_works":["https://openalex.org/W17155033","https://openalex.org/W3207760230","https://openalex.org/W1496222301","https://openalex.org/W1590307681","https://openalex.org/W2536018345","https://openalex.org/W4385719733","https://openalex.org/W3085047896","https://openalex.org/W2241929320","https://openalex.org/W2979496624","https://openalex.org/W2297096600"],"abstract_inverted_index":{"Nowadays,":[0],"an":[1,46,166],"increasing":[2],"number":[3],"of":[4,15,60,78,128,132,146,180,184,196,249],"applications":[5,79,330],"use":[6],"deserialization.":[7],"This":[8,68],"technique,":[9],"based":[10],"on":[11,140,154,193],"rebuilding":[12],"the":[13,28,39,75,89,121,161,178,185,247,273,287,312,335],"instance":[14],"objects":[16,213],"from":[17,45],"serialized":[18],"byte":[19],"streams,":[20],"can":[21,26,217,263],"be":[22,218],"dangerous":[23],"since":[24,334],"it":[25,260],"open":[27],"application":[29],"to":[30,41,223,231,297],"attacks":[31,101,191],"such":[32,257],"as":[33,258],"remote":[34],"code":[35,336],"execution":[36],"(RCE)":[37],"if":[38],"data":[40],"deserialize":[42],"is":[43,69,207,211,222,324,338],"originating":[44],"untrusted":[47],"source.":[48],"Deserialization":[49],"vulnerabilities":[50,118,155,295,300,313],"are":[51,56,104,108,117,277,301,314,331],"so":[52],"critical":[53],"that":[54,216,246,271,311,320],"they":[55,105,240],"in":[57,74,83,88,120,149,157,174,199,253,305],"OWASP\u2019s":[58],"list":[59],"top":[61],"10":[62],"security":[63],"risks":[64],"for":[65,114,182,283],"web":[66],"applications.":[67,94,159,308],"mainly":[70],"caused":[71],"by":[72,81,92,170],"faults":[73],"development":[76],"process":[77],"and":[80,111,152,230,238,303],"flaws":[82,87],"their":[84],"dependencies,":[85],"i.e.,":[86,143],"libraries":[90,181],"used":[91],"these":[93],"No":[95],"previous":[96],"work":[97],"has":[98],"studied":[99,274],"deserialization":[100,294],"in-depth:":[102],"How":[103,107],"performed?":[106],"weaknesses":[109],"introduced":[110,237,302],"patched?":[112],"And":[113],"how":[115,233,239,299],"long":[116],"present":[119,148,156,198],"codebase?":[122],"To":[123],"yield":[124],"a":[125,194,208,254,266,321,327],"deeper":[126],"understanding":[127],"this":[129],"important":[130],"kind":[131],"vulnerability,":[133],"we":[134,164,176,269,290],"perform":[135],"two":[136],"main":[137],"analyses:":[138],"one":[139,153,200,250],"attack":[141],"gadgets,":[142],"exploitable":[144],"pieces":[145],"code,":[147],"Java":[150,158,203,307],"libraries,":[151,275],"For":[160,286],"first":[162],"analysis,":[163,289],"conduct":[165],"exploratory":[167],"large-scale":[168],"study":[169],"running":[171],"256515":[172],"experiments":[173],"which":[175,210],"vary":[177],"versions":[179,227],"each":[183],"19":[186],"publicly":[187],"available":[188,282],"exploits.":[189],"Such":[190],"rely":[192],"combination":[195],"gadgets":[197,229,234,281],"or":[201,214,319],"multiple":[202],"libraries.":[204],"A":[205],"gadget":[206],"method":[209],"using":[212],"fields":[215],"attacker-controlled.":[219],"Our":[220],"goal":[221],"precisely":[224],"identify":[225],"library":[226],"containing":[228],"understand":[232,298],"have":[235,241],"been":[236,242],"patched.":[243],"We":[244],"observe":[245],"modification":[248],"innocent-looking":[251],"detail":[252],"class":[255],"\u2013":[256,262],"making":[259],"public":[261],"already":[264],"introduce":[265],"gadget.":[267],"Furthermore,":[268],"noticed":[270],"among":[272],"37.5%":[276],"not":[278,315],"patched,":[279],"leaving":[280],"future":[284],"attacks.":[285],"second":[288],"manually":[291],"analyze":[292],"104":[293],"CVEs":[296],"patched":[304,318],"real-life":[306],"Results":[309],"indicate":[310],"always":[316],"completely":[317],"workaround":[322,328],"solution":[323],"proposed.":[325],"With":[326],"solution,":[329],"still":[332],"vulnerable":[333],"itself":[337],"unchanged.":[339]},"counts_by_year":[{"year":2026,"cited_by_count":2},{"year":2025,"cited_by_count":7},{"year":2024,"cited_by_count":11},{"year":2023,"cited_by_count":7}],"updated_date":"2026-04-06T07:47:59.780226","created_date":"2025-10-10T00:00:00"}