{"id":"https://openalex.org/W4405182718","doi":"https://doi.org/10.1145/3658644.3670366","title":"Toward Understanding the Security of Plugins in Continuous Integration Services","display_name":"Toward Understanding the Security of Plugins in Continuous Integration Services","publication_year":2024,"publication_date":"2024-12-02","ids":{"openalex":"https://openalex.org/W4405182718","doi":"https://doi.org/10.1145/3658644.3670366"},"language":"en","primary_location":{"id":"doi:10.1145/3658644.3670366","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3658644.3670366","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3658644.3670366","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3658644.3670366","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5088868666","display_name":"Xiaofan Li","orcid":"https://orcid.org/0009-0003-5951-1948"},"institutions":[{"id":"https://openalex.org/I86501945","display_name":"University of Delaware","ror":"https://ror.org/01sbq1a82","country_code":"US","type":"education","lineage":["https://openalex.org/I86501945"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Xiaofan Li","raw_affiliation_strings":["The University of Delaware, Newark, DE, USA"],"affiliations":[{"raw_affiliation_string":"The University of Delaware, Newark, DE, USA","institution_ids":["https://openalex.org/I86501945"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101152479","display_name":"Yacong Gu","orcid":"https://orcid.org/0000-0003-2221-5689"},"institutions":[{"id":"https://openalex.org/I99065089","display_name":"Tsinghua University","ror":"https://ror.org/03cve4549","country_code":"CN","type":"education","lineage":["https://openalex.org/I99065089"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yacong Gu","raw_affiliation_strings":["Tsinghua University QI-ANXIN Group, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Tsinghua University QI-ANXIN Group, Beijing, China","institution_ids":["https://openalex.org/I99065089"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100962809","display_name":"Qiao Chu","orcid":"https://orcid.org/0000-0001-7491-310X"},"institutions":[{"id":"https://openalex.org/I86501945","display_name":"University of Delaware","ror":"https://ror.org/01sbq1a82","country_code":"US","type":"education","lineage":["https://openalex.org/I86501945"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Chu Qiao","raw_affiliation_strings":["The University of Delaware, Newark, DE, USA"],"affiliations":[{"raw_affiliation_string":"The University of Delaware, Newark, DE, USA","institution_ids":["https://openalex.org/I86501945"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101696649","display_name":"Zhenkai Zhang","orcid":"https://orcid.org/0000-0002-9025-3460"},"institutions":[{"id":"https://openalex.org/I8078737","display_name":"Clemson University","ror":"https://ror.org/037s24f05","country_code":"US","type":"education","lineage":["https://openalex.org/I8078737"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Zhenkai Zhang","raw_affiliation_strings":["Clemson University, Clemson, SC, USA"],"affiliations":[{"raw_affiliation_string":"Clemson University, Clemson, SC, USA","institution_ids":["https://openalex.org/I8078737"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5053996887","display_name":"Daiping Liu","orcid":"https://orcid.org/0000-0002-9660-4444"},"institutions":[{"id":"https://openalex.org/I4210108451","display_name":"Palo Alto Networks (United States)","ror":"https://ror.org/01rn6rn86","country_code":"US","type":"company","lineage":["https://openalex.org/I4210108451"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Daiping Liu","raw_affiliation_strings":["Palo Alto Networks, Santa Clara, CA, USA"],"affiliations":[{"raw_affiliation_string":"Palo Alto Networks, Santa Clara, CA, USA","institution_ids":["https://openalex.org/I4210108451"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100414046","display_name":"Lingyun Ying","orcid":"https://orcid.org/0000-0001-7445-9103"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Lingyun Ying","raw_affiliation_strings":["QI-ANXIN Technology Research Institute, Beijing, China"],"affiliations":[{"raw_affiliation_string":"QI-ANXIN Technology Research Institute, Beijing, China","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5067799841","display_name":"Haixin Duan","orcid":"https://orcid.org/0000-0003-0083-733X"},"institutions":[{"id":"https://openalex.org/I99065089","display_name":"Tsinghua University","ror":"https://ror.org/03cve4549","country_code":"CN","type":"education","lineage":["https://openalex.org/I99065089"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Haixin Duan","raw_affiliation_strings":["Tsinghua University Zhongguancun Laboratory, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Tsinghua University Zhongguancun Laboratory, Beijing, China","institution_ids":["https://openalex.org/I99065089"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5003274478","display_name":"Xing Gao","orcid":"https://orcid.org/0009-0000-2574-029X"},"institutions":[{"id":"https://openalex.org/I86501945","display_name":"University of Delaware","ror":"https://ror.org/01sbq1a82","country_code":"US","type":"education","lineage":["https://openalex.org/I86501945"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Xing Gao","raw_affiliation_strings":["The University of Delaware, Newark, DE, USA"],"affiliations":[{"raw_affiliation_string":"The University of Delaware, Newark, DE, USA","institution_ids":["https://openalex.org/I86501945"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":8,"corresponding_author_ids":["https://openalex.org/A5088868666"],"corresponding_institution_ids":["https://openalex.org/I86501945"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":{"value":0.24390632,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"482","last_page":"496"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9991999864578247,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9980000257492065,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/plug-in","display_name":"Plug-in","score":0.9813473224639893},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7789478302001953},{"id":"https://openalex.org/keywords/workflow","display_name":"Workflow","score":0.6134416460990906},{"id":"https://openalex.org/keywords/implementation","display_name":"Implementation","score":0.4849851131439209},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.4474211633205414},{"id":"https://openalex.org/keywords/source-code","display_name":"Source code","score":0.41013598442077637},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.38026440143585205},{"id":"https://openalex.org/keywords/database","display_name":"Database","score":0.3094395101070404},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.2829018235206604},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.2543615400791168}],"concepts":[{"id":"https://openalex.org/C4924752","wikidata":"https://www.wikidata.org/wiki/Q184148","display_name":"Plug-in","level":2,"score":0.9813473224639893},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7789478302001953},{"id":"https://openalex.org/C177212765","wikidata":"https://www.wikidata.org/wiki/Q627335","display_name":"Workflow","level":2,"score":0.6134416460990906},{"id":"https://openalex.org/C26713055","wikidata":"https://www.wikidata.org/wiki/Q245962","display_name":"Implementation","level":2,"score":0.4849851131439209},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.4474211633205414},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.41013598442077637},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.38026440143585205},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.3094395101070404},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.2829018235206604},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.2543615400791168}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3658644.3670366","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3658644.3670366","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3658644.3670366","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3658644.3670366","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3658644.3670366","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3658644.3670366","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G1924809619","display_name":"National Dissemination of the National Engineering Projects in Community Service (EPICS) Program","funder_award_id":"0231361","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G6894402473","display_name":null,"funder_award_id":"Fellowship","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G8474645585","display_name":null,"funder_award_id":"CNS-2054657,CNS- 2317830,OAC-231997","funder_id":"https://openalex.org/F4320323817","funder_display_name":"Universitas Brawijaya"},{"id":"https://openalex.org/G848032724","display_name":null,"funder_award_id":"Science","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G8867349783","display_name":"CICI: UCSS: Secure Containers in High-Performance Computing Infrastructure","funder_award_id":"2319975","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G8944444892","display_name":"Collaborative Research: SaTC: CORE: Small: Investigation of Naming Space Hijacking Threat and Its Defense","funder_award_id":"2317830","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"},{"id":"https://openalex.org/F4320323817","display_name":"Universitas Brawijaya","ror":"https://ror.org/01wk3d929"}],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4405182718.pdf","grobid_xml":"https://content.openalex.org/works/W4405182718.grobid-xml"},"referenced_works_count":11,"referenced_works":["https://openalex.org/W2148542607","https://openalex.org/W2350778671","https://openalex.org/W2789570312","https://openalex.org/W2946009361","https://openalex.org/W2955656327","https://openalex.org/W3010949534","https://openalex.org/W3106063118","https://openalex.org/W3161491624","https://openalex.org/W4226416841","https://openalex.org/W4284664377","https://openalex.org/W4388483305"],"related_works":["https://openalex.org/W17155033","https://openalex.org/W3207760230","https://openalex.org/W1496222301","https://openalex.org/W4312814274","https://openalex.org/W1590307681","https://openalex.org/W2536018345","https://openalex.org/W4285370786","https://openalex.org/W2296488620","https://openalex.org/W2358353312","https://openalex.org/W4386541577"],"abstract_inverted_index":{"Mainstream":[0],"Continuous":[1],"Integration":[2],"(CI)":[3],"platforms":[4,69],"have":[5,193],"provided":[6],"the":[7,12,118,135,144,163,189,196],"plugin":[8,63,85,125,128],"functionality":[9],"to":[10,48,99,116,188],"accelerate":[11],"development":[13],"of":[14,62,138,159,175],"CI":[15,18,55,68,165],"pipelines.":[16],"Unfortunately,":[17],"plugins,":[19,179],"which":[20],"are":[21,185],"essentially":[22],"reusable":[23],"code":[24,105],"snippets,":[25],"also":[26],"expose":[27],"new":[28],"attack":[29,93,136],"surfaces":[30],"as":[31],"plugins":[32,101,107,115],"might":[33,132],"be":[34],"developed":[35],"by":[36],"less":[37],"trusted":[38],"users.":[39],"In":[40],"this":[41],"paper,":[42],"we":[43,122,147],"present":[44],"an":[45],"in-depth":[46],"study":[47],"understand":[49],"potential":[50,145],"security":[51],"risks":[52],"in":[53,83],"existing":[54,84,178],"plugins.":[56],"We":[57,90,192],"conduct":[58,148],"a":[59,149,157,172],"comprehensive":[60],"analysis":[61],"implementations":[64],"on":[65,152],"four":[66],"mainstream":[67],"(GitHub":[70],"Actions,":[71],"GitLab":[72],"CI,":[73],"CircleCI,":[74],"and":[75,78,87,102,111,154,177,199],"Azure":[76],"Pipelines),":[77],"investigate":[79,91],"several":[80],"weak":[81],"links":[82],"distributions":[86],"isolation":[88],"mechanisms.":[89],"seven":[92],"vectors":[94],"that":[95,124,171],"can":[96],"enable":[97],"attackers":[98],"hijack":[100],"distribute":[103],"malicious":[104],"without":[106],"users":[108],"being":[109],"aware,":[110],"further":[112,133],"exploit":[113],"hijacked":[114],"manipulate":[117],"workflow":[119],"execution.":[120],"Additionally,":[121],"find":[123],"dependency":[126],"(a":[127],"references":[129],"other":[130],"plugins)":[131],"amplify":[134],"impact":[137],"our":[139],"disclosed":[140],"attacks.":[141,191],"To":[142],"evaluate":[143],"impact,":[146],"large-scale":[150],"measurement":[151,168],"GitHub":[153],"GitLab,":[155],"covering":[156],"total":[158],"1,328,912":[160],"repositories":[161,176],"using":[162],"aforementioned":[164],"platforms.":[166],"Our":[167],"results":[169],"show":[170],"large":[173],"number":[174],"including":[180],"many":[181],"widely":[182],"used":[183],"ones,":[184],"potentially":[186],"vulnerable":[187],"proposed":[190],"duly":[194],"reported":[195],"identified":[197],"vulnerabilities":[198],"received":[200],"positive":[201],"responses.":[202]},"counts_by_year":[],"updated_date":"2026-04-10T15:06:20.359241","created_date":"2025-10-10T00:00:00"}