{"id":"https://openalex.org/W4396214294","doi":"https://doi.org/10.1145/3649851","title":"Seneca: Taint-Based Call Graph Construction for Java Object Deserialization","display_name":"Seneca: Taint-Based Call Graph Construction for Java Object Deserialization","publication_year":2024,"publication_date":"2024-04-29","ids":{"openalex":"https://openalex.org/W4396214294","doi":"https://doi.org/10.1145/3649851"},"language":"en","primary_location":{"id":"doi:10.1145/3649851","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3649851","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3649851","source":{"id":"https://openalex.org/S4210216081","display_name":"Proceedings of the ACM on Programming Languages","issn_l":"2475-1421","issn":["2475-1421"],"is_oa":true,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM on Programming Languages","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"diamond","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3649851","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5043541139","display_name":"Joanna C. S. Santos","orcid":"https://orcid.org/0000-0001-8743-2516"},"institutions":[{"id":"https://openalex.org/I107639228","display_name":"University of Notre Dame","ror":"https://ror.org/00mkhxb43","country_code":"US","type":"education","lineage":["https://openalex.org/I107639228"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Joanna C. S. Santos","raw_affiliation_strings":["University of Notre Dame, Notre Dame, USA"],"raw_orcid":"https://orcid.org/0000-0001-8743-2516","affiliations":[{"raw_affiliation_string":"University of Notre Dame, Notre Dame, USA","institution_ids":["https://openalex.org/I107639228"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5088410123","display_name":"Mehdi Mirakhorli","orcid":"https://orcid.org/0000-0003-3470-6856"},"institutions":[{"id":"https://openalex.org/I117965899","display_name":"University of Hawai\u02bbi at M\u0101noa","ror":"https://ror.org/01wspgy28","country_code":"US","type":"education","lineage":["https://openalex.org/I117965899"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Mehdi Mirakhorli","raw_affiliation_strings":["University of Hawaii, Manoa, USA"],"raw_orcid":"https://orcid.org/0000-0003-3470-6856","affiliations":[{"raw_affiliation_string":"University of Hawaii, Manoa, USA","institution_ids":["https://openalex.org/I117965899"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5020004137","display_name":"Ali Shokri","orcid":"https://orcid.org/0000-0002-9758-3091"},"institutions":[{"id":"https://openalex.org/I859038795","display_name":"Virginia Tech","ror":"https://ror.org/02smfhw86","country_code":"US","type":"education","lineage":["https://openalex.org/I859038795"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Ali Shokri","raw_affiliation_strings":["Virginia Tech, Blacksburg, USA"],"raw_orcid":"https://orcid.org/0000-0002-9758-3091","affiliations":[{"raw_affiliation_string":"Virginia Tech, Blacksburg, USA","institution_ids":["https://openalex.org/I859038795"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5043541139"],"corresponding_institution_ids":["https://openalex.org/I107639228"],"apc_list":null,"apc_paid":null,"fwci":2.6305,"has_fulltext":true,"cited_by_count":8,"citation_normalized_percentile":{"value":0.90462811,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":99},"biblio":{"volume":"8","issue":"OOPSLA1","first_page":"1125","last_page":"1153"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9991999864578247,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9977999925613403,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/java","display_name":"Java","score":0.766173243522644},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7556901574134827},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.6098711490631104},{"id":"https://openalex.org/keywords/graph","display_name":"Graph","score":0.5221110582351685},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.39575570821762085},{"id":"https://openalex.org/keywords/theoretical-computer-science","display_name":"Theoretical computer science","score":0.16767308115959167}],"concepts":[{"id":"https://openalex.org/C548217200","wikidata":"https://www.wikidata.org/wiki/Q251","display_name":"Java","level":2,"score":0.766173243522644},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7556901574134827},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.6098711490631104},{"id":"https://openalex.org/C132525143","wikidata":"https://www.wikidata.org/wiki/Q141488","display_name":"Graph","level":2,"score":0.5221110582351685},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.39575570821762085},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.16767308115959167}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3649851","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3649851","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3649851","source":{"id":"https://openalex.org/S4210216081","display_name":"Proceedings of the ACM on Programming Languages","issn_l":"2475-1421","issn":["2475-1421"],"is_oa":true,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM on Programming Languages","raw_type":"journal-article"},{"id":"pmh:oai:vtechworks.lib.vt.edu:10919/118722","is_oa":true,"landing_page_url":"https://hdl.handle.net/10919/118722","pdf_url":"https://vtechworks.lib.vt.edu/bitstreams/cfeef39d-8a0c-46d6-9a8c-1f1d65859c67/download","source":{"id":"https://openalex.org/S4306400248","display_name":"VTechWorks (Virginia Tech)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I859038795","host_organization_name":"Virginia Tech","host_organization_lineage":["https://openalex.org/I859038795"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Text"}],"best_oa_location":{"id":"doi:10.1145/3649851","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3649851","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3649851","source":{"id":"https://openalex.org/S4210216081","display_name":"Proceedings of the ACM on Programming Languages","issn_l":"2475-1421","issn":["2475-1421"],"is_oa":true,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM on Programming Languages","raw_type":"journal-article"},"sustainable_development_goals":[{"score":0.5600000023841858,"display_name":"Reduced inequalities","id":"https://metadata.un.org/sdg/10"}],"awards":[{"id":"https://openalex.org/G1219454150","display_name":null,"funder_award_id":"CCF-1943300","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G2457751358","display_name":"CAREER: Synthesizing Architectural Tactics","funder_award_id":"1943300","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4396214294.pdf","grobid_xml":"https://content.openalex.org/works/W4396214294.grobid-xml"},"referenced_works_count":53,"referenced_works":["https://openalex.org/W100599422","https://openalex.org/W198969604","https://openalex.org/W203573882","https://openalex.org/W1502745543","https://openalex.org/W1557543533","https://openalex.org/W1982205631","https://openalex.org/W2017971446","https://openalex.org/W2046699259","https://openalex.org/W2047764386","https://openalex.org/W2060692877","https://openalex.org/W2109427294","https://openalex.org/W2117426803","https://openalex.org/W2135389226","https://openalex.org/W2152225177","https://openalex.org/W2158591033","https://openalex.org/W2162739315","https://openalex.org/W2166743230","https://openalex.org/W2167363133","https://openalex.org/W2171240827","https://openalex.org/W2396234346","https://openalex.org/W2804700615","https://openalex.org/W2909110209","https://openalex.org/W2911270308","https://openalex.org/W2912447136","https://openalex.org/W2912997785","https://openalex.org/W2913734115","https://openalex.org/W2914132986","https://openalex.org/W2914825488","https://openalex.org/W2962823786","https://openalex.org/W2991942790","https://openalex.org/W3004884024","https://openalex.org/W3033653001","https://openalex.org/W3033849929","https://openalex.org/W3089825636","https://openalex.org/W3109458504","https://openalex.org/W3163546604","https://openalex.org/W4233730851","https://openalex.org/W4237993802","https://openalex.org/W4238988491","https://openalex.org/W4239756179","https://openalex.org/W4241395538","https://openalex.org/W4244465467","https://openalex.org/W4244679343","https://openalex.org/W4245810380","https://openalex.org/W4247889999","https://openalex.org/W4252411141","https://openalex.org/W4253335293","https://openalex.org/W4255293410","https://openalex.org/W4256478796","https://openalex.org/W4285827657","https://openalex.org/W4289939589","https://openalex.org/W4300520791","https://openalex.org/W6677549501"],"related_works":["https://openalex.org/W4391375266","https://openalex.org/W2748952813","https://openalex.org/W2390279801","https://openalex.org/W2358668433","https://openalex.org/W2376932109","https://openalex.org/W2001405890","https://openalex.org/W2382290278","https://openalex.org/W4395014643","https://openalex.org/W4391913857","https://openalex.org/W2350741829"],"abstract_inverted_index":{"Object":[0],"serialization":[1,125,181],"and":[2,9,30,76,142,160,193],"deserialization":[3,166],"are":[4,62,70,74,81],"widely":[5],"used":[6],"for":[7,20,45,86,123,199],"storing":[8],"preserving":[10],"objects":[11,73],"in":[12,129,162],"files,":[13],"memory,":[14],"or":[15],"database":[16],"as":[17,19],"well":[18],"transporting":[21],"them":[22],"across":[23],"machines,":[24],"enabling":[25],"remote":[26],"interaction":[27],"among":[28],"processes":[29],"many":[31],"more.":[32],"This":[33],"mechanism":[34],"relies":[35,138],"on":[36,139],"reflection,":[37],"a":[38,82],"dynamic":[39],"language":[40],"that":[41,69,110,171],"introduces":[42],"serious":[43],"challenges":[44],"static":[46],"analyses.":[47],"Current":[48],"state-of-the-art":[49],"call":[50,79,102,133,148,176,185],"graph":[51,103,134],"construction":[52],"algorithms":[53],"do":[54,187],"not":[55,105,188],"fully":[56],"support":[57],"object":[58,165,208],"serialization/deserialization,":[59],"i.e.,":[60],"they":[61],"unable":[63],"to":[64,145,156,180,196],"uncover":[65],"the":[66,101,130],"callback":[67,113],"methods":[68],"invoked":[71],"when":[72],"serialized":[75],"deserialized.":[77],"Since":[78],"graphs":[80,177,186],"core":[83],"data":[84],"structure":[85],"multiple":[87],"types":[88],"of":[89,132,202],"analysis":[90,96,141],"(e.g.,":[91],"vulnerability":[92],"detection),":[93],"an":[94,121],"appropriate":[95],"cannot":[97],"be":[98,197],"performed":[99],"since":[100],"does":[104],"capture":[106],"hidden":[107],"(vulnerable)":[108],"paths":[109,204],"occur":[111],"via":[112],"methods.":[114],"In":[115],"this":[116],"paper,":[117],"we":[118],"present":[119],"Seneca,":[120],"approach":[122,137,153],"handling":[124],"with":[126,154,178],"improved":[127],"soundness":[128],"context":[131],"construction.":[135],"Our":[136,168],"taint":[140],"API":[143],"modeling":[144],"construct":[146],"sound":[147,175],"graphs.":[149],"We":[150],"evaluated":[151],"our":[152],"respect":[155,179],"soundness,":[157],"precision,":[158],"performance,":[159],"usefulness":[161],"detecting":[163],"untrusted":[164,207],"vulnerabilities.":[167],"results":[169],"show":[170],"Seneca":[172],"can":[173],"create":[174],"features.":[182],"The":[183],"resulting":[184],"incur":[189],"significant":[190],"runtime":[191],"overhead":[192],"were":[194],"shown":[195],"useful":[198],"performing":[200],"identification":[201],"vulnerable":[203],"caused":[205],"by":[206],"deserialization.":[209]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":6},{"year":2024,"cited_by_count":1}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2024-04-30T00:00:00"}