{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,16]],"date-time":"2026-03-16T10:04:14Z","timestamp":1773655454766,"version":"3.50.1"},"publisher-location":"Berlin, Heidelberg","reference-count":45,"publisher":"Springer Berlin Heidelberg","isbn-type":[{"value":"9783642107719","type":"print"},{"value":"9783642107726","type":"electronic"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2009]]},"DOI":"10.1007\/978-3-642-10772-6_13","type":"book-chapter","created":{"date-parts":[[2009,11,13]],"date-time":"2009-11-13T07:37:49Z","timestamp":1258097869000},"page":"163-177","source":"Crossref","is-referenced-by-count":104,"title":["DROP: Detecting Return-Oriented Programming Malicious Code"],"prefix":"10.1007","author":[{"given":"Ping","family":"Chen","sequence":"first","affiliation":[]},{"given":"Hai","family":"Xiao","sequence":"additional","affiliation":[]},{"given":"Xiaobin","family":"Shen","sequence":"additional","affiliation":[]},{"given":"Xinchun","family":"Yin","sequence":"additional","affiliation":[]},{"given":"Bing","family":"Mao","sequence":"additional","affiliation":[]},{"given":"Li","family":"Xie","sequence":"additional","affiliation":[]}],"member":"297","reference":[{"key":"13_CR1","unstructured":"The pax project (2004), \n                    \n                      http:\/\/pax.grsecurity.net\/"},{"key":"13_CR2","unstructured":"linux\/x86 execve(\u201c\/bin\/sh\u201d, [\u201c\/bin\/sh\u201d, null]). milw0rm (2006), \n                    \n                      http:\/\/www.milw0rm.com\/shellcode\/1635"},{"key":"13_CR3","unstructured":"linux\/x86 execve(rm -rf \/) shellcode. milw0rm (2006), \n                    \n                      http:\/\/www.milw0rm.com\/shellcode\/2801"},{"key":"13_CR4","unstructured":"linux\/x86 normal exit w\/ random (so to speak) return value. milw0rm (2006), \n                    \n                      http:\/\/www.milw0rm.com\/shellcode\/1435"},{"key":"13_CR5","unstructured":"linux\/x86 portbind (define your own port). milw0rm (2006), \n                    \n                      http:\/\/www.milw0rm.com\/shellcode\/1979"},{"key":"13_CR6","unstructured":"linux\/x86 \/sbin\/iptables -f. milw0rm (2007), \n                    \n                      http:\/\/www.milw0rm.com\/shellcode\/3445"},{"key":"13_CR7","unstructured":"linux\/x86 edit \/etc\/sudoers for full access. milw0rm (2008), \n                    \n                      http:\/\/www.milw0rm.com\/shellcode\/7161"},{"key":"13_CR8","unstructured":"linux\/x86 chmod (\u201c\/etc\/shadow\u201d,666) & exit(0). milw0rm (2009), \n                    \n                      http:\/\/www.milw0rm.com\/shellcode\/8081"},{"key":"13_CR9","unstructured":"linux\/x86 killall5 shellcode. milw0rm (2009), \n                    \n                      http:\/\/www.milw0rm.com\/shellcode\/8972"},{"key":"13_CR10","unstructured":"linux\/x86 push reboot(). milw0rm (2009), \n                    \n                      http:\/\/www.milw0rm.com\/shellcode\/7808"},{"key":"13_CR11","unstructured":"linux\/x86 setreuid(geteuid(),geteuid()),execve(\u201c\/bin\/sh\u201d,0,0). milw0rm (2009), \n                    \n                      http:\/\/www.milw0rm.com\/shellcode\/8972"},{"key":"13_CR12","doi-asserted-by":"publisher","first-page":"340","DOI":"10.1145\/1102120.1102165","volume-title":"Proceedings of the 12th ACM Conference on Computer and Communications Security(CCS)","author":"M. Abadi","year":"2005","unstructured":"Abadi, M., Budiu, M., Ligatti, J.: Control-flow integrity. In: Proceedings of the 12th ACM Conference on Computer and Communications Security(CCS), pp. 340\u2013353. ACM Press, New York (2005)"},{"key":"13_CR13","first-page":"21","volume-title":"Proceedings of the Annual Conference on USENIX Annual Technical Conference","author":"A. Baratloo","year":"2000","unstructured":"Baratloo, A., Singh, N., Tsai, T.: Transparent run-time defense against stack smashing attacks. In: Proceedings of the Annual Conference on USENIX Annual Technical Conference, p. 21. USENIX Association, Berkeley (2000)"},{"key":"13_CR14","doi-asserted-by":"publisher","first-page":"27","DOI":"10.1145\/1455770.1455776","volume-title":"Proceedings of the 15th ACM Conference on Computer and Communications Security(CCS)","author":"E. Buchanan","year":"2008","unstructured":"Buchanan, E., Roemer, R., Shacham, H., Savage, S.: When good instructions go bad: generalizing return-oriented programming to risc. In: Proceedings of the 15th ACM Conference on Computer and Communications Security(CCS), pp. 27\u201338. ACM, New York (2008)"},{"key":"13_CR15","doi-asserted-by":"publisher","first-page":"41","DOI":"10.1145\/1370905.1370911","volume-title":"Proceedings of the 4th International Workshop on Software Engineering for Secure Systems(SESS)","author":"L. Cavallaro","year":"2008","unstructured":"Cavallaro, L., Lanzi, A., Mayer, L., Monga, M.: Lisabeth: automated content-based signature generator for zero-day polymorphic worms. In: Proceedings of the 4th International Workshop on Software Engineering for Secure Systems(SESS), pp. 41\u201348. ACM, New York (2008)"},{"issue":"4","key":"13_CR16","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/1455258.1455259","volume":"26","author":"M. Costa","year":"2008","unstructured":"Costa, M., Crowcroft, J., Castro, M., Rowstron, A., Zhou, L., Zhang, L., Barham, P.: Vigilante: End-to-end containment of internet worm epidemics. ACM Transactions on Computer Systems (TOCS)\u00a026(4), 1\u201368 (2008)","journal-title":"ACM Transactions on Computer Systems (TOCS)"},{"key":"13_CR17","first-page":"5","volume-title":"Proceedings of the 7th Conference on USENIX Security Symposium","author":"C. Cowan","year":"1998","unstructured":"Cowan, C., Pu, C., Maier, D., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q.: Stackguard: automatic adaptive detection and prevention of buffer-overflow attacks. In: Proceedings of the 7th Conference on USENIX Security Symposium, p. 5. USENIX Association, Berkeley (1998)"},{"key":"13_CR18","unstructured":"Cowan, C., Barringer, M., Beattie, S., Kroah-Hartman, G., Frantzen, M., Lokier, J.: Formatguard: Automatic protection from printf format string vulnerabilities. In: Proceedings of the 10th conference on USENIX Security Symposium, p. 2003 (2000)"},{"key":"13_CR19","first-page":"7","volume-title":"Proceedings of the 12th Conference on USENIX Security Symposium","author":"C. Cowan","year":"2003","unstructured":"Cowan, C., Beattie, S., Johansen, J., Wagle, P.: Pointguardtm: protecting pointers from buffer overflow vulnerabilities. In: Proceedings of the 12th Conference on USENIX Security Symposium, p. 7. USENIX Association, Berkeley (2003)"},{"key":"13_CR20","doi-asserted-by":"crossref","unstructured":"Crandall, J.R., Su, Z., Wu, S.F., Chong, F.T.: On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits. In: Proceedings of the 12th ACM Conference on Computer and Communications Security(CCS), pp. 235\u2013248 (2005)","DOI":"10.1145\/1102120.1102152"},{"key":"13_CR21","unstructured":"Hund, R., Holz, T., Freiling, F.C.: Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms. In: Proceedings of 18th USENIX Security Symposium (2009)"},{"key":"13_CR22","first-page":"19","volume-title":"Proceedings of the 13th Conference on USENIX Security Symposium","author":"H.A. Kim","year":"2004","unstructured":"Kim, H.A., Karp, B.: Autograph: toward automated, distributed worm signature detection. In: Proceedings of the 13th Conference on USENIX Security Symposium, p. 19. USENIX Association, Berkeley (2004)"},{"key":"13_CR23","unstructured":"Krahmer, S.: X86-64 buffer overflow exploits and the borrowed code chunks exploitation technique. Phrack Magazine (2005), \n                    \n                      http:\/\/www.suse.de\/krahmer\/no-nx.pdf"},{"issue":"1","key":"13_CR24","doi-asserted-by":"publisher","first-page":"51","DOI":"10.1145\/972374.972384","volume":"34","author":"C. Kreibich","year":"2004","unstructured":"Kreibich, C., Crowcroft, J.: Honeycomb: creating intrusion detection signatures using honeypots. ACM SIGCOMM Computer Communication Review\u00a034(1), 51\u201356 (2004)","journal-title":"ACM SIGCOMM Computer Communication Review"},{"key":"13_CR25","unstructured":"Li, Z., Sanghi, M., Chen, Y., Kao, M.Y., Chavez, B.: Hamsa: Fast signature generation for zero-day polymorphic worms with provable attack resilience. In: Proceedings of the 2006 IEEE Symposium on Security and Privacy, pp. 32\u201347 (2006)"},{"key":"13_CR26","doi-asserted-by":"publisher","first-page":"190","DOI":"10.1145\/1065010.1065034","volume-title":"Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation","author":"C.K. Luk","year":"2005","unstructured":"Luk, C.K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V.J., Hazelwood, K.: Pin: building customized program analysis tools with dynamic instrumentation. In: Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 190\u2013200. ACM, New York (2005)"},{"key":"13_CR27","unstructured":"McDonald, J.: Defeating solaris\/sparc non-executable stack protection. Bugtraq (1999)"},{"key":"13_CR28","unstructured":"milw0rm: \n                    \n                      http:\/\/www.milw0rm.com\/shellcode\/linux\/x86"},{"key":"13_CR29","unstructured":"Nergal: The advanced return-into-lib(c) exploits (pax case study). Phrack Magazine (2001), \n                    \n                      http:\/\/www.phrack.org\/archives\/58\/p58-0x04"},{"key":"13_CR30","doi-asserted-by":"crossref","unstructured":"Nethercote, N., Seward, J.: Valgrind: a framework for heavyweight dynamic binary instrumentation. In: Proceedings of the 2007 PLDI Conference, vol.\u00a042(6), pp. 89\u2013100 (2007)","DOI":"10.1145\/1250734.1250746"},{"key":"13_CR31","unstructured":"Newsome, J., Brumley, D., Song, D.: Vulnerability-specific execution filtering for exploit prevention on commodity software. In: Proceedings of the 13th Annual Network and Distributed System Security Symposium, NDSS (2006)"},{"key":"13_CR32","doi-asserted-by":"crossref","unstructured":"Newsome, J., Karp, B., Song, D.: Polygraph: Automatically generating signatures for polymorphic worms. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 226\u2013241 (2005)","DOI":"10.1109\/SP.2005.15"},{"key":"13_CR33","unstructured":"Newsome, J., Song, D.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software (2005)"},{"key":"13_CR34","unstructured":"Paxson, V.: Bro: a system for detecting network intruders in real-time. In: Proceedings of the 7th Conference on USENIX Security Symposium, Berkeley, CA, USA, p. 3 (1998)"},{"key":"13_CR35","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"54","DOI":"10.1007\/11790754_4","volume-title":"Detection of Intrusions and Malware & Vulnerability Assessment","author":"M. Polychronakis","year":"2006","unstructured":"Polychronakis, M., Anagnostakis, K.G., Markatos, E.P.: Network-level polymorphic shellcode detection using emulation. In: B\u00fcschkes, R., Laskov, P. (eds.) DIMVA 2006. LNCS, vol.\u00a04064, pp. 54\u201373. Springer, Heidelberg (2006)"},{"key":"13_CR36","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"87","DOI":"10.1007\/978-3-540-74320-0_5","volume-title":"Recent Advances in Intrusion Detection","author":"M. Polychronakis","year":"2007","unstructured":"Polychronakis, M., Anagnostakis, K.G., Markatos, E.P.: Emulation-based detection of non-self-contained polymorphic shellcode. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol.\u00a04637, pp. 87\u2013106. Springer, Heidelberg (2007)"},{"key":"13_CR37","unstructured":"Roemer, R., Buchanan, E., Shacham, H., Savage, S.: Return-oriented programming: Systems, languages, and applications (2009) (in review)"},{"key":"13_CR38","first-page":"229","volume-title":"Proceedings of the 13th USENIX Conference on System Administration","author":"M. Roesch","year":"1999","unstructured":"Roesch, M.: Snort - lightweight intrusion detection for networks. In: Proceedings of the 13th USENIX Conference on System Administration, pp. 229\u2013238. USENIX Association, Berkeley (1999)"},{"key":"13_CR39","unstructured":"Ruwase, O., Lam, M.S.: A practical dynamic buffer overflow detector. In: Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS), pp. 159\u2013169 (2004)"},{"key":"13_CR40","doi-asserted-by":"publisher","first-page":"552","DOI":"10.1145\/1315245.1315313","volume-title":"Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS)","author":"H. Shacham","year":"2007","unstructured":"Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), pp. 552\u2013561. ACM, New York (2007)"},{"key":"13_CR41","doi-asserted-by":"crossref","unstructured":"Shimamura, M., Kono, K.: Yataglass: Network-level code emulation for analyzing memory-scanning attacks. In: Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 68\u201387 (2009)","DOI":"10.1007\/978-3-642-02918-9_5"},{"key":"13_CR42","first-page":"4","volume-title":"Proceedings of the 6th Conference on Symposium on Opearting Systems Design & Implementation(OSDI)","author":"S. Singh","year":"2004","unstructured":"Singh, S., Estan, C., Varghese, G., Savage, S.: Automated worm fingerprinting. In: Proceedings of the 6th Conference on Symposium on Opearting Systems Design & Implementation(OSDI), p. 4. USENIX Association, Berkeley (2004)"},{"key":"13_CR43","unstructured":"Wang, X., Pan, C.C., Liu, P., Zhu, S.: Sigfree: A signature-free buffer overflow attack blocker. IEEE Transactions on Dependable and Secure Computing\u00a099(2) (2006)"},{"key":"13_CR44","volume-title":"Proceedings of the 15th Conference on USENIX Security Symposium (USENIX-SS 2006)","author":"W. Xu","year":"2006","unstructured":"Xu, W., Bhatkar, S., Sekar, R.: Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks. In: Proceedings of the 15th Conference on USENIX Security Symposium (USENIX-SS 2006). USENIX Association, Berkeley (2006)"},{"key":"13_CR45","doi-asserted-by":"publisher","first-page":"4","DOI":"10.1145\/1229285.1229291","volume-title":"Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security","author":"Q. Zhang","year":"2007","unstructured":"Zhang, Q., Reeves, D.S., Ning, P., Iyer, S.P.: Analyzing network traffic to detect self-decrypting exploit code. In: Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, pp. 4\u201312. ACM, New York (2007)"}],"container-title":["Lecture Notes in Computer Science","Information Systems Security"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-642-10772-6_13.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,4,30]],"date-time":"2021-04-30T11:40:42Z","timestamp":1619782842000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-642-10772-6_13"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2009]]},"ISBN":["9783642107719","9783642107726"],"references-count":45,"URL":"https:\/\/doi.org\/10.1007\/978-3-642-10772-6_13","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2009]]}}}