Gleipner: A benchmark for gadget chain detection in Java Deserialization Vulnerabilities
Umeå University, Faculty of Science and Technology, Department of Computing Science.
Umeå University, Faculty of Science and Technology, Department of Computing Science. ORCID iD: 0000-0003-1383-0372
2025 (English). In: Proceedings of the ACM on Software Engineering, E-ISSN 2994-970, Vol. 2, no. FSE001, p. 1-21. Article in journal (Refereed). Published.
Abstract [en]

While multiple recent publications on detecting Java Deserialization Vulnerabilities highlight the increasing relevance of the topic, no proper benchmark has so far been established to evaluate the individual approaches. Hence, it has become increasingly difficult to show improvements over previous tools and the trade-offs that were made. In this work, we synthesize the main challenges in gadget chain detection. More specifically, this unveils the constraints program analysis faces in the context of gadget chain detection. From there, we develop Gleipner: the first synthetic, large-scale and systematic benchmark to validate the effectiveness of algorithms for detecting gadget chains in the Java programming language. We then benchmark seven previous publications in the field using Gleipner. As a result, it shows that (1) our benchmark provides a transparent, qualitative, and sound measurement for the maturity of gadget chain detection tools, (2) Gleipner alleviates severe benchmarking flaws which were previously common in the field, and (3) state-of-the-art tools still struggle with most challenges in gadget chain detection.

Place, publisher, year, edition, pages
New York: Association for Computing Machinery (ACM), 2025. Vol. 2, no. FSE001, p. 1-21
Keywords [en]
Java, benchmark, deserialization, gadget chain, program analysis, vulnerability
National Category
Security, Privacy and Cryptography
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:umu:diva-249205
DOI: 10.1145/3715711
OAI: oai:DiVA.org:umu-249205
DiVA, id: diva2:2033796
Conference
ACM International Conference on the Foundations of Software Engineering (FSE), Trondheim, Norway, June 23-27, 2025
Funder
Wallenberg AI, Autonomous Systems and Software Program (WASP)
Available from: 2026-01-30. Created: 2026-01-30. Last updated: 2026-02-02. Bibliographically approved.

Open Access in DiVA

fulltext (2361 kB), 26 downloads
File information
File name: FULLTEXT01.pdf
File size: 2361 kB
Checksum SHA-512: cc551ada3a8ad321220df89147a771c882f17d94a85856b51c0d5a8b07a21d0cdca08d5ec393f5f5b2853c428fd64ef2bb7f48a02b6c61e6d48f5cfce72dedc7
Type: fulltext
Mimetype: application/pdf


Authority records

Kreyssig, Bruno; Bartel, Alexandre
