{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,2]],"date-time":"2026-06-02T11:24:17Z","timestamp":1780399457454,"version":"3.54.1"},"publisher-location":"Cham","reference-count":46,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783030004699","type":"print"},{"value":"9783030004705","type":"electronic"}],"license":[{"start":{"date-parts":[[2018,1,1]],"date-time":"2018-01-01T00:00:00Z","timestamp":1514764800000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2018]]},"DOI":"10.1007\/978-3-030-00470-5_20","type":"book-chapter","created":{"date-parts":[[2018,9,6]],"date-time":"2018-09-06T06:43:19Z","timestamp":1536216199000},"page":"423-444","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":28,"title":["$$\\tau $$ CFI: Type-Assisted Control Flow Integrity for x86-64 Binaries"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2462-7612","authenticated-orcid":false,"given":"Paul","family":"Muntean","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Matthias","family":"Fischer","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6109-6091","authenticated-orcid":false,"given":"Gang","family":"Tan","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1320-1015","authenticated-orcid":false,"given":"Zhiqiang","family":"Lin","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1093-1282","authenticated-orcid":false,"given":"Jens","family":"Grossklags","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2201-3828","authenticated-orcid":false,"given":"Claudia","family":"Eckert","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2018,9,7]]},"reference":[{"key":"20_CR1","unstructured":"LLVM: Clang CFI (2017). https:\/\/goo.gl\/W7aMF9"},{"key":"20_CR2","unstructured":"LLVM: Clang\u2019s SafeStack. https:\/\/clang.llvm.org\/docs\/SafeStack.html"},{"key":"20_CR3","unstructured":"Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.R., Holz, T.: Counterfeit object-oriented programming. In: S&P (2015)"},{"key":"20_CR4","doi-asserted-by":"crossref","unstructured":"Crane, S., et al.: It\u2019s a TRaP: table randomization and protection against function-reuse attacks. In: CCS (2015)","DOI":"10.1145\/2810103.2813682"},{"key":"20_CR5","unstructured":"Lettner, J., et al.: Subversive-C: abusing and protecting dynamic message dispatch. In: USENIX ATC (2016)"},{"key":"20_CR6","unstructured":"BlueLotus Team: BCTF challenge: Bypass VTable read-only checks (2015). https:\/\/goo.gl\/4RYDS2"},{"key":"20_CR7","doi-asserted-by":"crossref","unstructured":"Lan, B., Li, Y., Sun, H., Su, C., Liu, Y., Zeng, Q.: Loop-oriented programming: a new code reuse attack to bypass modern defenses. In: IEEE Trustcom\/BigDataSE\/ISPA (2015)","DOI":"10.1109\/Trustcom.2015.374"},{"key":"20_CR8","doi-asserted-by":"crossref","unstructured":"Evans, I., et al.: Control Jujutsu: on the weaknesses of fine-grained control flow integrity. In: CCS (2015)","DOI":"10.1145\/2810103.2813646"},{"key":"20_CR9","doi-asserted-by":"crossref","unstructured":"Abadi, M., Budiu, M., Erlingsson, \u00da., Ligatti, J.: Control flow integrity. In: CCS (2005)","DOI":"10.1145\/1102120.1102165"},{"key":"20_CR10","doi-asserted-by":"crossref","unstructured":"Abadi, M., Budiu, M., Erlingsson, \u00da., Ligatti, J.: Control flow integrity principles, implementations, and applications. In: TISSEC (2009)","DOI":"10.1145\/1609956.1609960"},{"key":"20_CR11","doi-asserted-by":"publisher","first-page":"16:1","DOI":"10.1145\/3054924","volume":"50","author":"N Burow","year":"2017","unstructured":"Burow, N.: Control-flow integrity: precision, security, and performance. CSUR 50, 16:1\u201316:33 (2017)","journal-title":"CSUR"},{"key":"20_CR12","doi-asserted-by":"crossref","unstructured":"Tan, G., Jaeger, T.: CFG construction soundness in control-flow integrity. In: PLAS (2017)","DOI":"10.1145\/3139337.3139339"},{"key":"20_CR13","doi-asserted-by":"publisher","first-page":"1467","DOI":"10.1145\/186025.186041","volume":"16","author":"G Ramalingam","year":"1994","unstructured":"Ramalingam, G.: The undecidability of aliasing. TOPLAS 16, 1467\u20131471 (1994)","journal-title":"TOPLAS"},{"key":"20_CR14","doi-asserted-by":"crossref","unstructured":"Jang, D., Tatlock, T., Lerner, S.: SAFEDISPATCH: securing C++ virtual calls from memory corruption attacks. In: NDSS (2014)","DOI":"10.14722\/ndss.2014.23287"},{"key":"20_CR15","doi-asserted-by":"crossref","unstructured":"Niu, B., Tan, G.: Modular control-flow integrity. In: PLDI (2014)","DOI":"10.1145\/2594291.2594295"},{"key":"20_CR16","doi-asserted-by":"crossref","unstructured":"Niu, B., Tan, G.: RockJIT: securing just-in-time compilation using modular control-flow inegrity. In: CCS (2014)","DOI":"10.1145\/2660267.2660281"},{"key":"20_CR17","doi-asserted-by":"crossref","unstructured":"Haller, I., Goktas, E., Athanasopoulos, E., Portokalidis, G., Bos, H.: ShrinkWrap: VTable protection without loose ends. In: ACSAC (2015)","DOI":"10.1145\/2818000.2818025"},{"key":"20_CR18","doi-asserted-by":"crossref","unstructured":"Bounov, D., G\u00f6khan K., R., Lerner, S.: Protecting C++ dynamic dispatch through VTable interleaving. In: NDSS (2016)","DOI":"10.14722\/ndss.2016.23421"},{"key":"20_CR19","unstructured":"Tice, C., et al.: Enforcing forward-edge control-flow integrity in GCC and LLVM. In: USENIX Security (2014)"},{"key":"20_CR20","unstructured":"Zhang, C., et al. : Practical control flow integrity and randomization for binary executables. In: S&P (2013)"},{"key":"20_CR21","doi-asserted-by":"crossref","unstructured":"Prakash, A., Hu, X., Yin, H.: Strict protection for virtual function calls in COTS C++ binaries. In: NDSS (2015)","DOI":"10.14722\/ndss.2015.23297"},{"key":"20_CR22","doi-asserted-by":"crossref","unstructured":"Zhang, C., Song, C., Zhijie, K.C., Chen, Z., Song, D.: VTint: protecting virtual function tables\u2019 integrity. In: NDSS (2015)","DOI":"10.14722\/ndss.2015.23099"},{"key":"20_CR23","doi-asserted-by":"crossref","unstructured":"Elsabagh, M., Fleck, D., Stavrou, A.: Strict virtual call integrity checking for C ++ binaries. In: ASIACCS (2017)","DOI":"10.1145\/3052973.3052976"},{"key":"20_CR24","doi-asserted-by":"crossref","unstructured":"Pawlowski, A., et al.: MARX: uncovering class hierarchies in C++ programs. In: NDSS (2017)","DOI":"10.14722\/ndss.2017.23096"},{"key":"20_CR25","doi-asserted-by":"crossref","unstructured":"Veen, V.V.D., et al.: A tough call: mitigating advanced code-reuse attacks at the binary level. In: S&P (2016)","DOI":"10.1109\/SP.2016.60"},{"key":"20_CR26","unstructured":"Kuznetsov, V., Szekeres, L., Payer, M., Candea, G., Sekar, R., Song, D.: Code-pointer integrity. In: OSDI (2014)"},{"key":"20_CR27","unstructured":"Carlini, N., Barresi, A., Payer, M., Wagner, D., Gross, T.: Control-flow bending: on the effectiveness of control-flow integrity. In: USENIX Security (2015)"},{"key":"20_CR28","unstructured":"Goktas, E., et al.: Bypassing Clang\u2019s SafeStack for fun and profit. In: Blackhat Europe (2016). https:\/\/goo.gl\/zKMHzs"},{"key":"20_CR29","doi-asserted-by":"crossref","unstructured":"Dang, T., Maniatis, P., Wagner, D.: The performance cost of shadow stacks and stack canaries. In: ASIACCS (2015)","DOI":"10.1145\/2714576.2714635"},{"key":"20_CR30","doi-asserted-by":"crossref","unstructured":"Bernat, A.R., Miller, B.P.: Anywhere, any-time binary instrumentation. In: PASTE (2011)","DOI":"10.1145\/2024569.2024572"},{"key":"20_CR31","unstructured":"Andriesse, D., Chen, X., Veen, V.V.D., Slowinska, A., Bos, H.: An in-depth analysis of disassembly on full-scale x86\/x64 binaries. In: USENIX Security (2016)"},{"key":"20_CR32","unstructured":"Mycroft, A.: Lecture Notes (2007). https:\/\/goo.gl\/F7tUZj"},{"key":"20_CR33","unstructured":"Lin, Z., Zhang, X., Xu, D.: Automatic reverse engineering of data structures from binary execution. In: NDSS (2010)"},{"key":"20_CR34","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"463","DOI":"10.1007\/978-3-642-22110-1_37","volume-title":"Computer Aided Verification","author":"D Brumley","year":"2011","unstructured":"Brumley, D., Jager, I., Avgerinos, T., Schwartz, E.J.: BAP: a binary analysis platform. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 463\u2013469. Springer, Heidelberg (2011). https:\/\/doi.org\/10.1007\/978-3-642-22110-1_37"},{"key":"20_CR35","doi-asserted-by":"crossref","unstructured":"Fokin, A., Derevenets, Y., Chernov, A., Troshina, K.: SmartDec: approaching C++ decompilation. In: WCRE (2011)","DOI":"10.1109\/WCRE.2011.49"},{"key":"20_CR36","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-540-69738-1_1","volume-title":"Verification, Model Checking, and Abstract Interpretation","author":"G Balakrishnan","year":"2007","unstructured":"Balakrishnan, G., Reps, T.: DIVINE: discovering variables IN executables. In: Cook, B., Podelski, A. (eds.) VMCAI 2007. LNCS, vol. 4349, pp. 1\u201328. Springer, Heidelberg (2007). https:\/\/doi.org\/10.1007\/978-3-540-69738-1_1"},{"key":"20_CR37","doi-asserted-by":"publisher","first-page":"35","DOI":"10.1145\/2896499","volume":"48","author":"J Caballero","year":"2016","unstructured":"Caballero, J., Lin, Z.: Type inference on executables. CSUR 48, 35 (2016)","journal-title":"CSUR"},{"key":"20_CR38","unstructured":"Lee, B., Song, C., Kim, T., Lee, W.: Type casting verification: stopping an emerging attack vector. In: USENIX Security (2015)"},{"key":"20_CR39","doi-asserted-by":"crossref","unstructured":"Andriesse, D., Slowinska, A., Bos, H.: Compiler-agnostic function detection in binaries. In: Euro S&P (2017)","DOI":"10.1109\/EuroSP.2017.11"},{"key":"20_CR40","unstructured":"Bruening, D.: DynamoRIO. http:\/\/dynamorio.org\/home.html"},{"key":"20_CR41","unstructured":"Davi, L., et al.: MoCFI: a framework to mitigate control-flow attacks on smartphones. In: NDSS (2012)"},{"key":"20_CR42","unstructured":"Pappas, V., Polychronakis, M., Keromytis, A.D.: Transparent ROP exploit mitigation using indirect branch tracing. In: USENIX Security (2013)"},{"key":"20_CR43","unstructured":"Zhang, M., Sekar, R.: Control flow integrity for COTS binaries. In: USENIX Security (2013)"},{"key":"20_CR44","doi-asserted-by":"crossref","unstructured":"Mohan, V., Larsen, P., Brunthaler, S., Hamlen, K.W., Franz, M.: Opaque control-flow integrity. In: NDSS (2015)","DOI":"10.14722\/ndss.2015.23271"},{"key":"20_CR45","unstructured":"Veen, V.V.D., et al.: Practical context-sensiticve CFI. In: CCS (2015)"},{"key":"20_CR46","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"144","DOI":"10.1007\/978-3-319-20550-2_8","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"M Payer","year":"2015","unstructured":"Payer, M., Barresi, A., Gross, T.R.: Fine-grained control-flow integrity through binary hardening. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 144\u2013164. Springer, Cham (2015). https:\/\/doi.org\/10.1007\/978-3-319-20550-2_8"}],"container-title":["Lecture Notes in Computer Science","Research in Attacks, Intrusions, and Defenses"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-00470-5_20","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,10,23]],"date-time":"2019-10-23T16:39:01Z","timestamp":1571848741000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-030-00470-5_20"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018]]},"ISBN":["9783030004699","9783030004705"],"references-count":46,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-00470-5_20","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018]]}}}