{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,1]],"date-time":"2026-04-01T14:40:36Z","timestamp":1775054436262,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":60,"publisher":"ACM","license":[{"start":{"date-parts":[[2016,5,30]],"date-time":"2016-05-30T00:00:00Z","timestamp":1464566400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2016,5,30]]},"DOI":"10.1145\/2897845.2897894","type":"proceedings-article","created":{"date-parts":[[2016,5,27]],"date-time":"2016-05-27T12:37:36Z","timestamp":1464352656000},"page":"47-58","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":14,"title":["ROPMEMU"],"prefix":"10.1145","author":[{"given":"Mariano","family":"Graziano","sequence":"first","affiliation":[{"name":"Cisco Systems, Inc., Vimercate, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Davide","family":"Balzarotti","sequence":"additional","affiliation":[{"name":"Eurecom, Antibes, France"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Alain","family":"Zidouemba","sequence":"additional","affiliation":[{"name":"Cisco Systems, Inc., Columbia, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2016,5,30]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Apple code signing. https:\/\/developer.apple.com\/library\/mac\/documentation\/Security\/Conceptual\/CodeSigningGuide\/Introduction\/Introduction.html.  Apple code signing. https:\/\/developer.apple.com\/library\/mac\/documentation\/Security\/Conceptual\/CodeSigningGuide\/Introduction\/Introduction.html."},{"key":"e_1_3_2_1_2_1","unstructured":"Microsoft Code Signing. https:\/\/msdn.microsoft.com\/en-us\/library\/ms537361.aspx.  Microsoft Code Signing. https:\/\/msdn.microsoft.com\/en-us\/library\/ms537361.aspx."},{"key":"e_1_3_2_1_3_1","unstructured":"Microsoft Driver Signing. https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/hardware\/ff544865%28v=vs.85%29.aspx.  Microsoft Driver Signing. https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/hardware\/ff544865%28v=vs.85%29.aspx."},{"key":"e_1_3_2_1_4_1","unstructured":"Volatility framework: Volatile memory artifact extraction utility framework. http:\/\/www.volatilityfoundation.org\/.  Volatility framework: Volatile memory artifact extraction utility framework. http:\/\/www.volatilityfoundation.org\/."},{"key":"e_1_3_2_1_5_1","unstructured":"Aaron Portnoy. Bypassing All Of The Things. https:\/\/www.exodusintel.com\/files\/Aaron_Portnoy-Bypassing_All_Of_The_Things.pdf.  Aaron Portnoy. Bypassing All Of The Things. https:\/\/www.exodusintel.com\/files\/Aaron_Portnoy-Bypassing_All_Of_The_Things.pdf."},{"key":"e_1_3_2_1_6_1","unstructured":"Aurelien Wailly. nROP. http:\/\/aurelien.wail.ly\/nrop.  Aurelien Wailly. nROP. http:\/\/aurelien.wail.ly\/nrop."},{"key":"e_1_3_2_1_7_1","unstructured":"Axel Souchet. rp. https:\/\/github.com\/0vercl0k\/rp.  Axel Souchet. rp. https:\/\/github.com\/0vercl0k\/rp."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.5555\/1247360.1247401"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.22"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/1966913.1966919"},{"key":"e_1_3_2_1_11_1","volume-title":"Security & Privacy","author":"Bosman E.","year":"2014","unstructured":"E. Bosman and H. Bos . We got signal. a return to portable exploits . In Security & Privacy , 2014 . E. Bosman and H. Bos. We got signal. a return to portable exploits. In Security & Privacy, 2014."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455776"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866370"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23156"},{"key":"e_1_3_2_1_15_1","volume-title":"In Workshop on Hot Topics in Dependable Systems","author":"Chipounov V.","year":"2009","unstructured":"V. Chipounov , V. Georgescu , C. Zamfir , and G. C. Selective symbolic execution . In In Workshop on Hot Topics in Dependable Systems , 2009 . V. Chipounov, V. Georgescu, C. Zamfir, and G. C. Selective symbolic execution. In In Workshop on Hot Topics in Dependable Systems, 2009."},{"key":"e_1_3_2_1_16_1","unstructured":"Corelan. Mona. https:\/\/github.com\/corelan\/mona.  Corelan. Mona. https:\/\/github.com\/corelan\/mona."},{"key":"e_1_3_2_1_17_1","unstructured":"Dan Rosenberg. SMEP: What is It and How to Beat It on Linux. http:\/\/vulnfactory.org\/blog\/2011\/06\/05\/smep-what-is-it-and-how-to-beat-it-on-linux\/.  Dan Rosenberg. SMEP: What is It and How to Beat It on Linux. http:\/\/vulnfactory.org\/blog\/2011\/06\/05\/smep-what-is-it-and-how-to-beat-it-on-linux\/."},{"key":"e_1_3_2_1_18_1","first-page":"401","volume-title":"23rd USENIX Security Symposium (USENIX Security 14)","author":"Davi L.","year":"2014","unstructured":"L. Davi , A.-R. Sadeghi , D. Lehmann , and F. Monrose . Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection . In 23rd USENIX Security Symposium (USENIX Security 14) , pages 401 -- 416 , San Diego, CA , Aug. 2014 . USENIX Association. L. Davi, A.-R. Sadeghi, D. Lehmann, and F. Monrose. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. In 23rd USENIX Security Symposium (USENIX Security 14), pages 401--416, San Diego, CA, Aug. 2014. USENIX Association."},{"key":"e_1_3_2_1_19_1","unstructured":"Dino Dai Zovi. Hardware Virtualization Rootkits. https:\/\/www.blackhat.com\/presentations\/bh-usa-06\/BH-US-06-Zovi.pdf.  Dino Dai Zovi. Hardware Virtualization Rootkits. https:\/\/www.blackhat.com\/presentations\/bh-usa-06\/BH-US-06-Zovi.pdf."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/1460877.1460892"},{"key":"e_1_3_2_1_21_1","volume-title":"USENIX Security","author":"G\u00f6ktas E.","year":"2014","unstructured":"E. G\u00f6ktas , E. Athanasopoulos , M. Polychronakis , H. Bos , and G. Portokalidis . Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard . In USENIX Security 2014 . E. G\u00f6ktas, E. Athanasopoulos, M. Polychronakis, H. Bos, and G. Portokalidis. Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard. In USENIX Security 2014."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-41284-4_2"},{"key":"e_1_3_2_1_23_1","volume-title":"Proceedings of the 18th Conference on USENIX Security Symposium","author":"Hund R.","year":"2009","unstructured":"R. Hund , T. Holz , and F. C. Freiling . Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms . In Proceedings of the 18th Conference on USENIX Security Symposium , 2009 . R. Hund, T. Holz, and F. C. Freiling. Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms. In Proceedings of the 18th Conference on USENIX Security Symposium, 2009."},{"key":"e_1_3_2_1_24_1","unstructured":"James T. Bennett - FireEye. The Number of the Beast. https:\/\/www.fireeye.com\/blog\/threat-research\/2013\/02\/the-number-of-the-beast.html.  James T. Bennett - FireEye. The Number of the Beast. https:\/\/www.fireeye.com\/blog\/threat-research\/2013\/02\/the-number-of-the-beast.html."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"crossref","unstructured":"Jared DeMott - Bromium Labs. Bypassing EMET 4.1. https:\/\/bromiumlabs.files.wordpress.com\/2014\/02\/bypassing-emet-4--1.pdf.  Jared DeMott - Bromium Labs. Bypassing EMET 4.1. https:\/\/bromiumlabs.files.wordpress.com\/2014\/02\/bypassing-emet-4--1.pdf.","DOI":"10.1109\/MSP.2015.75"},{"key":"e_1_3_2_1_26_1","unstructured":"Jean - Sogeti ESEC Lab. Analysis of the jailbreakme v3 font exploit. http:\/\/esec-lab.sogeti.com\/posts\/2011\/07\/16\/analysis-of-the-jailbreakme-v3-font-exploit.html.  Jean - Sogeti ESEC Lab. Analysis of the jailbreakme v3 font exploit. http:\/\/esec-lab.sogeti.com\/posts\/2011\/07\/16\/analysis-of-the-jailbreakme-v3-font-exploit.html."},{"key":"e_1_3_2_1_27_1","unstructured":"Joanna Rutkowska. Bluepill. http:\/\/web.archive.org\/web\/20080418123748\/http:\/\/www.bluepillproject.org\/.  Joanna Rutkowska. Bluepill. http:\/\/web.archive.org\/web\/20080418123748\/http:\/\/www.bluepillproject.org\/."},{"key":"e_1_3_2_1_28_1","unstructured":"Joe Damato. A closer look at a recent privilege escalation bug in Linux (CVE-2013--2094). http:\/\/timetobleed.com\/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013--2094\/.  Joe Damato. A closer look at a recent privilege escalation bug in Linux (CVE-2013--2094). http:\/\/timetobleed.com\/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013--2094\/."},{"key":"e_1_3_2_1_29_1","unstructured":"Jonathan Corbet. Supervisor mode access prevention. http:\/\/lwn.net\/Articles\/517475\/.  Jonathan Corbet. Supervisor mode access prevention. http:\/\/lwn.net\/Articles\/517475\/."},{"key":"e_1_3_2_1_30_1","unstructured":"Jonathan Salwan. ROPgadget - Gadgets finder and auto-roper. http:\/\/shell-storm.org\/project\/ROPgadget\/.  Jonathan Salwan. ROPgadget - Gadgets finder and auto-roper. http:\/\/shell-storm.org\/project\/ROPgadget\/."},{"key":"e_1_3_2_1_31_1","unstructured":"Kees Cook. Kernel address space layout randomization. http:\/\/selinuxproject.org\/jmorris\/lss2013_slides\/cook_kaslr.pdf.  Kees Cook. Kernel address space layout randomization. http:\/\/selinuxproject.org\/jmorris\/lss2013_slides\/cook_kaslr.pdf."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.38"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-26362-5_9"},{"key":"e_1_3_2_1_34_1","volume-title":"Master's Thesis - Ruhr-Universitat Bochum","author":"Kornau T.","year":"2009","unstructured":"T. Kornau . Return oriented programming for the arm architecture . In Master's Thesis - Ruhr-Universitat Bochum , 2009 . T. Kornau. Return oriented programming for the arm architecture. In Master's Thesis - Ruhr-Universitat Bochum, 2009."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-23644-0_6"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/2076732.2076784"},{"key":"e_1_3_2_1_37_1","unstructured":"Microsoft. Enhanced Mitigation Experience Toolkit. https:\/\/technet.microsoft.com\/en-us\/security\/jj653751.  Microsoft. Enhanced Mitigation Experience Toolkit. https:\/\/technet.microsoft.com\/en-us\/security\/jj653751."},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2007.17"},{"key":"e_1_3_2_1_39_1","unstructured":"Nergal. Advanced return-into-lib(c) exploits. http:\/\/phrack.org\/issues\/58\/4.html.  Nergal. Advanced return-into-lib(c) exploits. http:\/\/phrack.org\/issues\/58\/4.html."},{"key":"e_1_3_2_1_40_1","volume-title":"BlackHat","author":"Quynh Nguyen Anh","year":"2013","unstructured":"Nguyen Anh Quynh . OptiROP: the art of hunting ROP gadgets . In BlackHat 2013 . Nguyen Anh Quynh. OptiROP: the art of hunting ROP gadgets. In BlackHat 2013."},{"key":"e_1_3_2_1_41_1","unstructured":"Nguyen Anh Quynh and Dang Hoang Vu. Unicorn - The ultimate CPU emulator. http:\/\/www.unicorn-engine.org\/.  Nguyen Anh Quynh and Dang Hoang Vu. Unicorn - The ultimate CPU emulator. http:\/\/www.unicorn-engine.org\/."},{"key":"e_1_3_2_1_42_1","unstructured":"Nicolas Economou - CoreSecurity. Agafi (Advanced Gadget Finder). http:\/\/www.coresecurity.com\/corelabs-research\/publications\/agafi-advanced-gadget-finder.  Nicolas Economou - CoreSecurity. Agafi (Advanced Gadget Finder). http:\/\/www.coresecurity.com\/corelabs-research\/publications\/agafi-advanced-gadget-finder."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/1920261.1920269"},{"key":"e_1_3_2_1_44_1","unstructured":"pakt. ropc. https:\/\/gdtr.wordpress.com\/2013\/12\/13\/ropc-turing-complete-rop-compiler-part-1\/.  pakt. ropc. https:\/\/gdtr.wordpress.com\/2013\/12\/13\/ropc-turing-complete-rop-compiler-part-1\/."},{"key":"e_1_3_2_1_45_1","volume-title":"Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13)","author":"Pappas V.","year":"2013","unstructured":"V. Pappas , M. Polychronakis , and A. D. Keromytis . Transparent rop exploit mitigation using indirect branch tracing . In Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13) , Washington , D.C. , 2013 . V. Pappas, M. Polychronakis, and A. D. Keromytis. Transparent rop exploit mitigation using indirect branch tracing. In Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13), Washington, D.C., 2013."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-37300-8_2"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/MALWARE.2011.6112327"},{"key":"e_1_3_2_1_48_1","unstructured":"Rene Freingruber. EMET 5.1 - Armor or Curtain? https:\/\/prezi.com\/tnqeqis3vhum\/zeronights-2014-emet-51-armor-or-curtain\/.  Rene Freingruber. EMET 5.1 - Armor or Curtain? https:\/\/prezi.com\/tnqeqis3vhum\/zeronights-2014-emet-51-armor-or-curtain\/."},{"key":"e_1_3_2_1_49_1","unstructured":"sashs. ropper. https:\/\/scoding.de\/ropper\/.  sashs. ropper. https:\/\/scoding.de\/ropper\/."},{"key":"e_1_3_2_1_50_1","unstructured":"Sebastian Krahmer. x86--64 buffer overflow exploits and the borrowed code chunks exploitation technique. http:\/\/users.suse.com\/krahmer\/no-nx.pdf.  Sebastian Krahmer. x86--64 buffer overflow exploits and the borrowed code chunks exploitation technique. http:\/\/users.suse.com\/krahmer\/no-nx.pdf."},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315313"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.45"},{"key":"e_1_3_2_1_53_1","unstructured":"Solar Designer. Openwall. http:\/\/www.openwall.com\/linux\/README.shtml.  Solar Designer. Openwall. http:\/\/www.openwall.com\/linux\/README.shtml."},{"key":"e_1_3_2_1_54_1","unstructured":"spender. UDEREF. https:\/\/grsecurity.net\/ spender\/uderef.txt.  spender. UDEREF. https:\/\/grsecurity.net\/ spender\/uderef.txt."},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-41284-4_4"},{"key":"e_1_3_2_1_56_1","unstructured":"The PaX Team. Pageexec. https:\/\/pax.grsecurity.net\/docs\/pageexec.txt.  The PaX Team. Pageexec. https:\/\/pax.grsecurity.net\/docs\/pageexec.txt."},{"key":"e_1_3_2_1_57_1","unstructured":"The PaX Team. Segmexec. https:\/\/pax.grsecurity.net\/docs\/segmexec.txt.  The PaX Team. Segmexec. https:\/\/pax.grsecurity.net\/docs\/segmexec.txt."},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23019"},{"key":"e_1_3_2_1_59_1","unstructured":"Websense Security Labs. Technical Analysis on iPhone Jailbreaking. http:\/\/community.websense.com\/blogs\/securitylabs\/archive\/2010\/08\/06\/technical-analysis-on-iphone-jailbreaking.aspx.  Websense Security Labs. Technical Analysis on iPhone Jailbreaking. http:\/\/community.websense.com\/blogs\/securitylabs\/archive\/2010\/08\/06\/technical-analysis-on-iphone-jailbreaking.aspx."},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.47"}],"event":{"name":"ASIA CCS '16: ACM Asia Conference on Computer and Communications Security","location":"Xi'an China","acronym":"ASIA CCS '16","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2897845.2897894","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2897845.2897894","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T05:07:01Z","timestamp":1750223221000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2897845.2897894"}},"subtitle":["A Framework for the Analysis of Complex Code-Reuse Attacks"],"short-title":[],"issued":{"date-parts":[[2016,5,30]]},"references-count":60,"alternative-id":["10.1145\/2897845.2897894","10.1145\/2897845"],"URL":"https:\/\/doi.org\/10.1145\/2897845.2897894","relation":{},"subject":[],"published":{"date-parts":[[2016,5,30]]},"assertion":[{"value":"2016-05-30","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}