DOI: 10.1145/3377811.3380326
Research article (ICSE conference proceedings)

Revealing injection vulnerabilities by leveraging existing tests

Published: 01 October 2020

Abstract

Code injection attacks, like the one used in the high-profile 2017 Equifax breach, have become increasingly common, now ranking #1 on OWASP's list of critical web application vulnerabilities. Static analyses for detecting these vulnerabilities can overwhelm developers with false positive reports. Meanwhile, most dynamic analyses rely on detecting vulnerabilities as they occur in the field, which can introduce a high performance overhead in production code. This paper describes a new approach for detecting injection vulnerabilities in applications by harnessing the combined power of human developers' test suites and automated dynamic analysis. Our new approach, Rivulet, monitors the execution of developer-written functional tests in order to detect information flows that may be vulnerable to attack. Then, Rivulet uses a white-box test generation technique to repurpose those functional tests to check if any vulnerable flow could be exploited. When applied to the version of Apache Struts exploited in the 2017 Equifax attack, Rivulet quickly identifies the vulnerability, leveraging only the tests that existed in Struts at that time. We compared Rivulet to the state-of-the-art static vulnerability detector Julia on benchmarks, finding that Rivulet outperformed Julia in both false positives and false negatives. We also used Rivulet to detect new vulnerabilities.
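The two-phase idea in the abstract, as an added toy illustration that is not Rivulet's code: a functional test is run once under taint tracking to see whether request-derived data reaches a SQL sink, and then re-run with the same input replaced by a probe value to see whether the statement's structure changes. The application functions, the `Tainted` string type and the token-shape comparison are all constructed for this example.

```python
"""Constructed illustration of test-driven injection detection:
phase 1 runs an existing functional test with taint tracking and records
source->sink flows; phase 2 re-runs that test with a probe value in place
of the tainted input and reports the flow as exploitable only if the
SQL structure at the sink differs from the benign run."""
import re

class Tainted(str):
    """A str carrying the label of the untrusted source it came from."""
    def __new__(cls, value, label):
        obj = super().__new__(cls, value)
        obj.label = label
        return obj

def concat(parts):
    """String building that propagates taint from any tainted part."""
    labels = [p.label for p in parts if isinstance(p, Tainted)]
    value = "".join(parts)
    return Tainted(value, labels[0]) if labels else value

# --- application under test (constructed): three variants of one lookup ---
def lookup_vulnerable(username):
    return concat(["SELECT * FROM users WHERE name = '", username, "'"]), ()

def lookup_escaped(username):
    # Sanitizer doubles quotes; the data is still tainted but cannot
    # break out of the literal, so the statement shape stays fixed.
    safe = Tainted(username.replace("'", "''"), username.label)
    return concat(["SELECT * FROM users WHERE name = '", safe, "'"]), ()

def lookup_hardened(username):
    return "SELECT * FROM users WHERE name = ?", (username,)

# --- taint-aware sink: records every flow from a tainted source into SQL ---
FLOWS = []

def execute_sql(sql, params):
    if isinstance(sql, Tainted):
        FLOWS.append(sql.label)
    return sql

def sql_shape(sql):
    """Statement structure: literals (with '' escapes) collapse to '?'."""
    return re.sub(r"'(?:[^']|'')*'", "?", sql).split()

def functional_test(app, username):
    """Stand-in for an existing developer test driving one request parameter."""
    sql, params = app(Tainted(username, "request.param.user"))
    return execute_sql(sql, params)

def check_flow(app, benign="alice", probe="alice' OR 'x'='x"):
    """Phase 1: does tainted input reach the sink at all?  Phase 2: does a
    probe value change the SQL token structure relative to the benign run?"""
    FLOWS.clear()
    baseline = functional_test(app, benign)
    if not FLOWS:
        return "no tainted flow"
    probed = functional_test(app, probe)
    if sql_shape(probed) != sql_shape(baseline):
        return "exploitable"
    return "flow but structure preserved"
```

Only the first variant is reported as exploitable; the escaped variant still shows a tainted flow (what a static taint report would flag) but the probe run confirms the structure is preserved, which is the false-positive class the abstract says the test-driven check avoids.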


Cited By

  • (2024) Trident: Detecting SQL Injection Attacks via Abstract Syntax Tree-based Neural Network. Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, 2225-2229. DOI 10.1145/3691620.3695289. Online publication date: 27-Oct-2024.
  • (2023) WHIP. Proceedings of the 32nd USENIX Conference on Security Symposium, 6079-6096. DOI 10.5555/3620237.3620577. Online publication date: 9-Aug-2023.
  • (2023) An Extensive Study on Adversarial Attack against Pre-trained Models of Code. Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 489-501. DOI 10.1145/3611643.3616356. Online publication date: 30-Nov-2023.
  • (2023) General Data Protection Runtime: Enforcing Transparent GDPR Compliance for Existing Applications. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 3343-3357. DOI 10.1145/3576915.3616604. Online publication date: 15-Nov-2023.
  • (2021) A Practical Approach for Dynamic Taint Tracking with Control-flow Relationships. ACM Transactions on Software Engineering and Methodology 31(2), 1-43. DOI 10.1145/3485464. Online publication date: 24-Dec-2021.

Published In

ICSE '20: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering
June 2020
1640 pages
ISBN:9781450371216
DOI:10.1145/3377811
In-Cooperation

  • KIISE: Korean Institute of Information Scientists and Engineers
  • IEEE CS

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. injection attacks
  2. taint tracking
  3. vulnerability testing

Conference

ICSE '20
Acceptance Rates

Overall Acceptance Rate 276 of 1,856 submissions, 15%
