
Related papers: Sleeping Giants -- Activating Dormant Java Deseria…

200 papers

Java (de)serialization is prone to causing security-critical vulnerabilities in which attackers invoke existing methods (gadgets) on the application's classpath to construct a gadget chain that performs malicious behaviors. Several techniques…

Cryptography and Security · Computer Science 2023-04-05 Sicong Cao, Xiaobing Sun, Xiaoxue Wu, Lili Bo, Bin Li, Rongxin Wu, Wei Liu, Biao He, Yu Ouyang, Jiajia Li

Inter-app communication is a mandatory and security-critical functionality of operating systems, such as Android. On the application level, Android implements this facility through Intents, which can also transfer non-primitive objects…

Cryptography and Security · Computer Science 2025-02-13 Bruno Kreyssig, Timothée Riom, Sabine Houy, Alexandre Bartel, Patrick McDaniel

Nowadays, an increasing number of applications use deserialization. This technique, based on rebuilding object instances from serialized byte streams, can be dangerous since it can open the application to attacks such as remote code…

Cryptography and Security · Computer Science 2022-08-18 Imen Sayar, Alexandre Bartel, Eric Bodden, Yves Le Traon

Dependencies between modules can trigger ripple effects when changes are made, making maintenance complex and costly, so minimizing these dependencies is crucial. Consequently, understanding what drives dependencies is important. One…

Software Engineering · Computer Science 2026-03-05 Zushuai Zhang, Elliott Wen, Ewan Tempero

Java deserialization vulnerability is a severe threat in practice. Researchers have proposed static analysis solutions to locate candidate vulnerabilities and fuzzing solutions to generate proof-of-concept (PoC) serialized objects to…

Cryptography and Security · Computer Science 2023-04-11 Sicong Cao, Biao He, Xiaobing Sun, Yu Ouyang, Chao Zhang, Xiaoxue Wu, Ting Su, Lili Bo, Bin Li, Chuanlei Ma, Jiajia Li, Tao Wei

Large-scale code reuse significantly reduces both development costs and time. However, the massive share of third-party code in software projects poses new challenges, especially in terms of maintenance and security. In this paper, we…

Software Engineering · Computer Science 2023-10-16 César Soto-Valero, Deepika Tiwari, Tim Toady, Benoit Baudry

On average, 71% of the code in typical Java projects comes from open-source software (OSS) dependencies, making OSS dependencies the dominant component of modern software code bases. This high degree of OSS reliance comes with a…

Software Engineering · Computer Science 2025-10-23 Stefan Schott, Serena Elisa Ponta, Wolfram Fischer, Jonas Klauke, Eric Bodden

Software reuse may result in software bloat when significant portions of application dependencies are effectively unused. Several tools exist to remove unused (byte)code from an application or its dependencies, thus producing smaller…

Software Engineering · Computer Science 2021-08-12 Serena Elisa Ponta, Wolfram Fischer, Henrik Plate, Antonino Sabetta

Model-based reasoning is a central concept in current research into intelligent diagnostic systems. It is based on the assumption that sources of incorrect behavior in technical devices can be located and identified via the existence of a…

Software Engineering · Computer Science 2007-05-23 Cristinel Mateis, Markus Stumptner, Dominik Wieland, Franz Wotawa

Java projects frequently rely on package managers such as Maven to manage complex webs of external dependencies. While these tools streamline development, they also introduce subtle risks to the software supply chain. In this paper, we…

Cryptography and Security · Computer Science 2025-10-31 Frank Reyes, Federico Bono, Aman Sharma, Benoit Baudry, Martin Monperrus

The degree of dependencies among the modules of a software system is a key attribute to characterize its design structure and its ability to evolve over time. Several design problems are often correlated with undesired dependencies among…

Software Engineering · Computer Science 2018-10-29 J. Andrés Díaz-Pace, Antonela Tommasel, Daniela Godoy

Once a failure is observed, the primary concern of the developer is to identify what caused it in order to repair the code that induced the incorrect behavior. Until a permanent repair is afforded, code repair patches are invaluable. The…

Software Engineering · Computer Science 2017-05-03 Rawad Abou Assi, Chadi Trad, Wes Masri

Open-source software (OSS) dependencies are a dominant component of modern software code bases. Using proven and well-tested OSS components lets developers reduce development time and cost while improving quality. However, heavy reliance on…

Software Engineering · Computer Science 2026-02-02 Stefan Schott, Serena Elisa Ponta, Wolfram Fischer, Jonas Klauke, Eric Bodden

Using open-source dependencies is essential in modern software development. However, this practice implies significant trust in third-party code, while there is little support for developers to assess this trust. As a consequence, attacks…

Software Engineering · Computer Science 2025-09-08 Raphina Liu, Sofia Bobadilla, Benoit Baudry, Martin Monperrus

Modern software development reuses code by importing libraries as dependencies. Software projects typically include an average of 36 dependencies, with 80% being transitive, meaning they are dependencies of dependencies. Recent research…

Software Engineering · Computer Science 2025-10-24 Jonas Klauke, Tom Ohlmer, Stefan Schott, Serena Elisa Ponta, Wolfram Fischer, Eric Bodden

Developers are increasingly using services such as Dependabot to automate dependency updates. However, recent research has shown that developers perceive such services as unreliable, as they heavily rely on test coverage to detect conflicts…

Software Engineering · Computer Science 2021-09-27 Joseph Hejderup, Georgios Gousios

BACKGROUND: Vulnerable dependencies are a known problem in today's open-source software ecosystems because OSS libraries are highly interconnected and developers do not always update their dependencies. AIMS: In this paper we aim to present…

Software Engineering · Computer Science 2018-08-30 Ivan Pashchenko, Henrik Plate, Serena Elisa Ponta, Antonino Sabetta, Fabio Massacci

Context: Dependency Injection (DI) is a commonly applied mechanism to decouple classes from their dependencies in order to provide higher modularization. However, bad DI practices often lead to negative consequences, such as increasing…

Software Engineering · Computer Science 2021-10-19 Rodrigo Laigner, Diogo Mendonça, Alessandro Garcia, Marcos Kalinowski

Despite huge software engineering efforts and programming language support, resource and memory leaks are still a troublesome issue, even in memory-managed languages such as Java. Understanding the properties of leak-inducing defects, how…

Software Engineering · Computer Science 2019-12-17 Mohammadreza Ghanavati, Diego Costa, Janos Seboek, David Lo, Artur Andrzejak

The Log4j-Core vulnerability, known as Log4Shell, exposed significant challenges to dependency management in software ecosystems. When a critical vulnerability is disclosed, it is imperative that dependent packages quickly adopt patched…
