RomanGol  committed 57bc91f

Add APLAS2012

A new paper

  • Participants
  • Parent commits 16a7b6e

Comments (0)

Files changed (12)

File APLAS2012/aplas.bib

+  title={Detection and analysis of cryptographic data inside software},
+  author={Zhao, R. and Gu, D. and Li, J. and Yu, R.},
+  journal={Information Security},
+  pages={182--196},
+  year={2011},
+  publisher={Springer}
+  title={Bochs: The open source ia-32 emulation project},
+  author={Lawton, K.},
+  journal={URL http://bochs. sourceforge. net},
+  year={2003}
+  title={SimpleScalar: An infrastructure for computer system modeling},
+  author={Austin, T. and Larson, E. and Ernst, D.},
+  journal={Computer},
+  volume={35},
+  number={2},
+  pages={59--67},
+  year={2002},
+  publisher={IEEE}
+  title={Pin: building customized program analysis tools with dynamic instrumentation},
+  author={Luk, C.K. and Cohn, R. and Muth, R. and Patil, H. and Klauser, A. and Lowney, G. and Wallace, S. and Reddi, V.J. and Hazelwood, K.},
+  booktitle={ACM SIGPLAN Notices},
+  volume={40},
+  number={6},
+  pages={190--200},
+  year={2005},
+  organization={ACM}
+  title={Valgrind: a framework for heavyweight dynamic binary instrumentation},
+  author={Nethercote, N. and Seward, J.},
+  journal={ACM SIGPLAN Notices},
+  volume={42},
+  number={6},
+  pages={89--100},
+  year={2007},
+  publisher={ACM}
+  title={Understanding data lifetime via whole system simulation},
+  author={Chow, J. and Pfaff, B. and Garfinkel, T. and Christopher, K. and Rosenblum, M.},
+  booktitle={Proceedings of the 13th conference on USENIX Security Symposium-Volume 13},
+  pages={22--22},
+  year={2004},
+  organization={USENIX Association}
+  title={BitBlaze: A new approach to computer security via binary analysis},
+  author={Song, D. and Brumley, D. and Yin, H. and Caballero, J. and Jager, I. and Kang, M. and Liang, Z. and Newsome, J. and Poosankam, P. and Saxena, P.},
+  journal={Information Systems Security},
+  pages={1--25},
+  year={2008},
+  publisher={Springer}
+  title={libemu-x86 shellcode detection and emulation. Website. November 2009},
+  author={BAECHER, P. and KOETTER, M.},
+  journal={URL http://libemu. carnivore. it}
+  title={Minemu: The World��s Fastest Taint Tracker},
+  author={Bosman, E. and Slowinska, A. and Bos, H.},
+  journal={Proc. of the 14th RAID},
+  pages={1--20},
+  year={2011}
+  title={TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones},
+  author={Enck, W. and Gilbert, P. and Chun, B.G. and Cox, L.P. and Jung, J. and McDaniel, P. and Sheth, A.N.},
+  booktitle={Proceedings of the 9th USENIX conference on Operating systems design and implementation},
+  pages={1--6},
+  year={2010},
+  organization={USENIX Association}
+  title={QEMU, a fast and portable dynamic translator},
+  author={Bellard, F.},
+  booktitle={Proceedings of the USENIX Annual Technical Conference, FREENIX Track},
+  pages={41--46},
+  year={2005}
+  title={A description of the model-view-controller user interface paradigm in the smalltalk-80 system},
+  author={Krasner, G.E. and Pope, S.T.},
+  journal={Journal of object oriented programming},
+  volume={1},
+  number={3},
+  pages={26--49},
+  year={1988}
+  title={Binary code extraction and interface identification for security applications},
+  author={Caballero, J.},
+  year={2009},
+  institution={DTIC Document}
+  title={IDA Pro Disassembler},
+  author={Rescue, D.},
+  journal={2006-10-20). http://www. datarescue. com/idabase}
+  title={OllyDbg 1.1: A 32-bit assembler level analysing debugger for Microsoft Windows},
+  author={Yuschuk, O.},
+  year={2004}
+  title={Detecting algorithms using dynamic analysis},
+  author={Oksanen, K.},
+  booktitle={Proceedings of the Ninth International Workshop on Dynamic Analysis},
+  pages={1--6},
+  year={2011},
+  organization={ACM}
+  title={All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask)},
+  author={Schwartz, E.J. and Avgerinos, T. and Brumley, D.},
+  booktitle={Security and Privacy (SP), 2010 IEEE Symposium on},
+  pages={317--331},
+  year={2010},
+  organization={IEEE}
+  title={The art of unix programming},
+  author={Raymond, E.S.},
+  year={2003},
+  publisher={Pearson Education}
+  title={Network Modeling and Simulation: A Practical Perspective},
+  author={Guizani, M. and Rayes, A. and Khan, B. and Al-Fuqaha, A.},
+  year={2010},
+  publisher={Wiley-Interscience}

File APLAS2012/header.tex

+\usepackage[lined,boxed,commentsnumbered, ruled]{algorithm2e} % for algorithms
+    {figure/}
+} % imported pictures are put in .\figure\
+    \frontmatter          % for the preliminaries
+    \pagestyle{headings}  % switches on printing of running heads
+    \addtocmark{LxEmu: Dynamic program analysis via lightweight emulation} % additional mark in the TOC
+    \mainmatter              % start of the contributions

File APLAS2012/llncs.cls

+% LLNCS DOCUMENT CLASS -- version 2.17 (12-Jul-2010)
+% Springer Verlag LaTeX2e support for Lecture Notes in Computer Science
+%% \CharacterTable
+%%  {Upper-case    \A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\W\X\Y\Z
+%%   Lower-case    \a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\u\v\w\x\y\z
+%%   Digits        \0\1\2\3\4\5\6\7\8\9
+%%   Exclamation   \!     Double quote  \"     Hash (number) \#
+%%   Dollar        \$     Percent       \%     Ampersand     \&
+%%   Acute accent  \'     Left paren    \(     Right paren   \)
+%%   Asterisk      \*     Plus          \+     Comma         \,
+%%   Minus         \-     Point         \.     Solidus       \/
+%%   Colon         \:     Semicolon     \;     Less than     \<
+%%   Equals        \=     Greater than  \>     Question mark \?
+%%   Commercial at \@     Left bracket  \[     Backslash     \\
+%%   Right bracket \]     Circumflex    \^     Underscore    \_
+%%   Grave accent  \`     Left brace    \{     Vertical bar  \|
+%%   Right brace   \}     Tilde         \~}
+\ProvidesClass{llncs}[2010/07/12 v2.17
+^^J LaTeX document class for Lecture Notes in Computer Science]
+% Options
+% languages
+\RequirePackage{multicol} % needed for the list of participants, index
+  \ifnum #1>\c@tocdepth \else
+    \vskip \z@ \@plus.2\p@
+    {\leftskip #2\relax \rightskip \@tocrmarg \advance\rightskip by 0pt plus 2cm
+               \parfillskip -\rightskip \pretolerance=10000
+     \parindent #2\relax\@afterindenttrue
+     \interlinepenalty\@M
+     \leavevmode
+     \@tempdima #3\relax
+     \advance\leftskip \@tempdima \null\nobreak\hskip -\leftskip
+     {#4}\nobreak
+     \leaders\hbox{$\m@th
+        \mkern \@dotsep mu\hbox{.}\mkern \@dotsep
+        mu$}\hfill
+     \nobreak
+     \hb@xt@\@pnumwidth{\hfil\normalfont \normalcolor #5}%
+     \par}%
+  \fi}
+\def\lastandname{\unskip, and}
+\def\contentsname{Table of Contents}
+\def\keywordname{{\bf Keywords:}}
+\def\contriblistname{List of Contributors}
+\def\listfigurename{List of Figures}
+\def\listtablename{List of Tables}
+\def\mailname{{\it Correspondence to\/}:}
+\def\noteaddname{Note added in proof}
+\def\subclassname{{\it Subject Classifications\/}:}
+% Names of theorem like environments are already defined
+% but must be translated if another language is chosen
+% French section
+\def\switcht@francais{%\typeout{On parle francais.}%
+ \def\abstractname{R\'esum\'e.}%
+ \def\ackname{Remerciements.}%
+ \def\andname{et}%
+ \def\lastandname{ et}%
+ \def\appendixname{Appendice}
+ \def\chaptername{Chapitre}%
+ \def\claimname{Pr\'etention}%
+ \def\conjecturename{Hypoth\`ese}%
+ \def\contentsname{Table des mati\`eres}%
+ \def\corollaryname{Corollaire}%
+ \def\definitionname{D\'efinition}%
+ \def\examplename{Exemple}%
+ \def\exercisename{Exercice}%
+ \def\figurename{Fig.}%
+ \def\keywordname{{\bf Mots-cl\'e:}}
+ \def\indexname{Index}
+ \def\lemmaname{Lemme}%
+ \def\contriblistname{Liste des contributeurs}
+ \def\listfigurename{Liste des figures}%
+ \def\listtablename{Liste des tables}%
+ \def\mailname{{\it Correspondence to\/}:}
+ \def\noteaddname{Note ajout\'ee \`a l'\'epreuve}%
+ \def\notename{Remarque}%
+ \def\partname{Partie}%
+ \def\problemname{Probl\`eme}%
+ \def\proofname{Preuve}%
+ \def\propertyname{Caract\'eristique}%
+ \def\questionname{Question}%
+ \def\remarkname{Remarque}%
+ \def\seename{voir}
+ \def\solutionname{Solution}%
+ \def\subclassname{{\it Subject Classifications\/}:}
+ \def\tablename{Tableau}%
+ \def\theoremname{Th\'eor\`eme}%
+% German section
+\def\switcht@deutsch{%\typeout{Man spricht deutsch.}%
+ \def\abstractname{Zusammenfassung.}%
+ \def\ackname{Danksagung.}%
+ \def\andname{und}%
+ \def\lastandname{ und}%
+ \def\appendixname{Anhang}%
+ \def\chaptername{Kapitel}%
+ \def\claimname{Behauptung}%
+ \def\conjecturename{Hypothese}%
+ \def\contentsname{Inhaltsverzeichnis}%
+ \def\corollaryname{Korollar}%
+ \def\examplename{Beispiel}%
+ \def\exercisename{\"Ubung}%
+ \def\figurename{Abb.}%
+ \def\keywordname{{\bf Schl\"usselw\"orter:}}
+ \def\indexname{Index}
+ \def\contriblistname{Mitarbeiter}
+ \def\listfigurename{Abbildungsverzeichnis}%
+ \def\listtablename{Tabellenverzeichnis}%
+ \def\mailname{{\it Correspondence to\/}:}
+ \def\noteaddname{Nachtrag}%
+ \def\notename{Anmerkung}%
+ \def\partname{Teil}%
+ \def\proofname{Beweis}%
+ \def\propertyname{Eigenschaft}%
+ \def\questionname{Frage}%
+ \def\remarkname{Anmerkung}%
+ \def\seename{siehe}
+ \def\solutionname{L\"osung}%
+ \def\subclassname{{\it Subject Classifications\/}:}
+ \def\tablename{Tabelle}%
+% Ragged bottom for the actual page
+\def\thisbottomragged{\def\@textbottom{\vskip\z@ plus.0001fil
+   \@setfontsize\small\@ixpt{11}%
+   \abovedisplayskip 8.5\p@ \@plus3\p@ \@minus4\p@
+   \abovedisplayshortskip \z@ \@plus2\p@
+   \belowdisplayshortskip 4\p@ \@plus2\p@ \@minus2\p@
+   \def\@listi{\leftmargin\leftmargini
+               \parsep 0\p@ \@plus1\p@ \@minus\p@
+               \topsep 8\p@ \@plus2\p@ \@minus4\p@
+               \itemsep0\p@}%
+   \belowdisplayskip \abovedisplayskip
+\setlength\oddsidemargin   {63\p@}
+\setlength\evensidemargin  {63\p@}
+\setlength\marginparwidth  {90\p@}
+\setlength\headsep   {16\p@}
+\setlength\textfloatsep{8mm\@plus 2\p@ \@minus 4\p@}
+\setlength\intextsep   {8mm\@plus 2\p@ \@minus 2\p@}
+\newcounter {chapter}
+\renewcommand\thechapter      {\@arabic\c@chapter}
+\newif\if@mainmatter \@mainmattertrue
+            \@mainmatterfalse\pagenumbering{Roman}}
+       \@mainmattertrue\pagenumbering{arabic}}
+      \@mainmatterfalse}
+                 \thispagestyle{empty}%
+                 \if@twocolumn
+                     \onecolumn
+                     \@tempswatrue
+                   \else
+                     \@tempswafalse
+                 \fi
+                 \null\vfil
+                 \secdef\@part\@spart}
+    \ifnum \c@secnumdepth >-2\relax
+      \refstepcounter{part}%
+      \addcontentsline{toc}{part}{\thepart\hspace{1em}#1}%
+    \else
+      \addcontentsline{toc}{part}{#1}%
+    \fi
+    \markboth{}{}%
+    {\centering
+     \interlinepenalty \@M
+     \normalfont
+     \ifnum \c@secnumdepth >-2\relax
+       \huge\bfseries \partname~\thepart
+       \par
+       \vskip 20\p@
+     \fi
+     \Huge \bfseries #2\par}%
+    \@endpart}
+    {\centering
+     \interlinepenalty \@M
+     \normalfont
+     \Huge \bfseries #1\par}%
+    \@endpart}
+              \if@twoside
+                \null
+                \thispagestyle{empty}%
+                \newpage
+              \fi
+              \if@tempswa
+                \twocolumn
+              \fi}
+                    \thispagestyle{empty}%
+                    \global\@topnum\z@
+                    \@afterindentfalse
+                    \secdef\@chapter\@schapter}
+\def\@chapter[#1]#2{\ifnum \c@secnumdepth >\m@ne
+                       \if@mainmatter
+                         \refstepcounter{chapter}%
+                         \typeout{\@chapapp\space\thechapter.}%
+                         \addcontentsline{toc}{chapter}%
+                                  {\protect\numberline{\thechapter}#1}%
+                       \else
+                         \addcontentsline{toc}{chapter}{#1}%
+                       \fi
+                    \else
+                      \addcontentsline{toc}{chapter}{#1}%
+                    \fi
+                    \chaptermark{#1}%
+                    \addtocontents{lof}{\protect\addvspace{10\p@}}%
+                    \addtocontents{lot}{\protect\addvspace{10\p@}}%
+                    \if@twocolumn
+                      \@topnewpage[\@makechapterhead{#2}]%
+                    \else
+                      \@makechapterhead{#2}%
+                      \@afterheading
+                    \fi}
+% \vspace*{50\p@}%
+  {\centering
+    \ifnum \c@secnumdepth >\m@ne
+      \if@mainmatter
+        \large\bfseries \@chapapp{} \thechapter
+        \par\nobreak
+        \vskip 20\p@
+      \fi
+    \fi
+    \interlinepenalty\@M
+    \Large \bfseries #1\par\nobreak
+    \vskip 40\p@
+  }}
+                   \@topnewpage[\@makeschapterhead{#1}]%
+                 \else
+                   \@makeschapterhead{#1}%
+                   \@afterheading
+                 \fi}
+% \vspace*{50\p@}%
+  {\centering
+    \normalfont
+    \interlinepenalty\@M
+    \Large \bfseries  #1\par\nobreak
+    \vskip 40\p@
+  }}
+                       {-18\p@ \@plus -4\p@ \@minus -4\p@}%
+                       {12\p@ \@plus 4\p@ \@minus 4\p@}%
+                       {\normalfont\large\bfseries\boldmath
+                        \rightskip=\z@ \@plus 8em\pretolerance=10000 }}
+                       {-18\p@ \@plus -4\p@ \@minus -4\p@}%
+                       {8\p@ \@plus 4\p@ \@minus 4\p@}%
+                       {\normalfont\normalsize\bfseries\boldmath
+                        \rightskip=\z@ \@plus 8em\pretolerance=10000 }}
+                       {-18\p@ \@plus -4\p@ \@minus -4\p@}%
+                       {-0.5em \@plus -0.22em \@minus -0.1em}%
+                       {\normalfont\normalsize\bfseries\boldmath}}
+                       {-12\p@ \@plus -4\p@ \@minus -4\p@}%
+                       {-0.5em \@plus -0.22em \@minus -0.1em}%
+                       {\normalfont\normalsize\itshape}}
+\renewcommand\subparagraph[1]{\typeout{LLNCS warning: You should not use
+                  \string\subparagraph\space with this class}\vskip0.5cm
+You should not use \verb|\subparagraph| with this class.\vskip0.5cm}
+\def\getsto{\mathrel{\mathchoice {\vcenter{\offinterlineskip
+\def\lid{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
+\def\gid{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
+\def\grole{\mathrel{\mathchoice {\vcenter{\offinterlineskip
+\def\bbbr{{\rm I\!R}} %reelle Zahlen
+\def\bbbm{{\rm I\!M}}
+\def\bbbn{{\rm I\!N}} %natuerliche Zahlen
+\def\bbbf{{\rm I\!F}}
+\def\bbbh{{\rm I\!H}}
+\def\bbbk{{\rm I\!K}}
+\def\bbbp{{\rm I\!P}}
+\def\bbbone{{\mathchoice {\rm 1\mskip-4mu l} {\rm 1\mskip-4mu l}
+{\rm 1\mskip-4.5mu l} {\rm 1\mskip-5mu l}}}
+\def\bbbc{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm C$}\hbox{\hbox
+to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\textstyle\rm C$}\hbox{\hbox
+to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptstyle\rm C$}\hbox{\hbox
+to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptscriptstyle\rm C$}\hbox{\hbox
+to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}}}}
+\def\bbbq{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm
+0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.8\ht0\hss}\box0}}
+{\setbox0=\hbox{$\textstyle\rm Q$}\hbox{\raise
+0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.8\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptstyle\rm Q$}\hbox{\raise
+0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.7\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptscriptstyle\rm Q$}\hbox{\raise
+0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.7\ht0\hss}\box0}}}}
+\def\bbbt{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm
+T$}\hbox{\hbox to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\textstyle\rm T$}\hbox{\hbox
+to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptstyle\rm T$}\hbox{\hbox
+to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptscriptstyle\rm T$}\hbox{\hbox
+to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}}}}
+{\setbox0=\hbox{$\displaystyle     \rm S$}\hbox{\raise0.5\ht0\hbox
+to0pt{\kern0.35\wd0\vrule height0.45\ht0\hss}\hbox
+to0pt{\kern0.55\wd0\vrule height0.5\ht0\hss}\box0}}
+{\setbox0=\hbox{$\textstyle        \rm S$}\hbox{\raise0.5\ht0\hbox
+to0pt{\kern0.35\wd0\vrule height0.45\ht0\hss}\hbox
+to0pt{\kern0.55\wd0\vrule height0.5\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptstyle      \rm S$}\hbox{\raise0.5\ht0\hbox
+to0pt{\kern0.35\wd0\vrule height0.45\ht0\hss}\raise0.05\ht0\hbox
+to0pt{\kern0.5\wd0\vrule height0.45\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptscriptstyle\rm S$}\hbox{\raise0.5\ht0\hbox
+to0pt{\kern0.4\wd0\vrule height0.45\ht0\hss}\raise0.05\ht0\hbox
+to0pt{\kern0.55\wd0\vrule height0.45\ht0\hss}\box0}}}}
+\def\bbbz{{\mathchoice {\hbox{$\mathsf\textstyle Z\kern-0.4em Z$}}
+{\hbox{$\mathsf\textstyle Z\kern-0.4em Z$}}
+{\hbox{$\mathsf\scriptstyle Z\kern-0.3em Z$}}
+{\hbox{$\mathsf\scriptscriptstyle Z\kern-0.2em Z$}}}}
+\setlength\leftmargini  {17\p@}
+\setlength\leftmargin    {\leftmargini}
+\setlength\leftmarginii  {\leftmargini}
+\setlength\leftmarginiii {\leftmargini}
+\setlength\leftmarginiv  {\leftmargini}
+\setlength  \labelsep  {.5em}
+\setlength  \labelwidth{\leftmargini}
+            \parsep 0\p@ \@plus1\p@ \@minus\p@
+            \topsep 8\p@ \@plus2\p@ \@minus4\p@
+            \itemsep0\p@}
+\def\@listii {\leftmargin\leftmarginii
+              \labelwidth\leftmarginii
+              \advance\labelwidth-\labelsep
+              \topsep    0\p@ \@plus2\p@ \@minus\p@}
+              \labelwidth\leftmarginiii
+              \advance\labelwidth-\labelsep
+              \topsep    0\p@ \@plus\p@\@minus\p@
+              \parsep    \z@
+              \partopsep \p@ \@plus\z@ \@minus\p@}
+\renewcommand\labelitemi{\normalfont\bfseries --}
+                                                    {{\contentsname}}}
+ \def\authcount##1{\setcounter{auco}{##1}\setcounter{@auth}{1}}
+ \def\lastand{\ifnum\value{auco}=2\relax
+                 \unskip{} \andname\
+              \else
+                 \unskip \lastandname\
+              \fi}%
+ \def\and{\stepcounter{@auth}\relax
+          \ifnum\value{@auth}=\value{auco}%
+             \lastand
+          \else
+             \unskip,
+          \fi}%
+ \@starttoc{toc}\if@restonecol\twocolumn\fi}
+   \addvspace{2em plus\p@}%  % space above part line
+   \begingroup
+     \parindent \z@
+     \rightskip \z@ plus 5em
+     \hrule\vskip5pt
+     \large               % same size as for a contribution heading
+     \bfseries\boldmath   % set line in boldface
+     \leavevmode          % TeX command to enter horizontal mode.
+     #1\par
+     \vskip5pt
+     \hrule
+     \vskip1pt
+     \nobreak             % Never break after part entry
+   \endgroup}
+                     {\thechapter}#3}{\thepage}\hyperhrefextend}}%
+\def\@adcmk[#1]{\ifcase #1 \or
+  \or    \def\@gtempa{\addcontentsmark}%
+  \or    \def\@gtempa{\addcontentsmarkwop}%
+  \fi\@gtempa{toc}{chapter}%
+ \vskip 1.0em plus 1pt \@tempdima 1.5em \begingroup
+ \parindent \z@ \rightskip \@tocrmarg
+ \advance\rightskip by 0pt plus 2cm
+ \parfillskip -\rightskip \pretolerance=10000
+ \leavevmode \advance\leftskip\@tempdima \hskip -\leftskip
+ {\large\bfseries\boldmath#1}\ifx0#2\hfil\null
+ \else
+      \nobreak
+      \leaders\hbox{$\m@th \mkern \@dotsep mu.\mkern
+      \@dotsep mu$}\hfill
+      \nobreak\hbox to\@pnumwidth{\hss #2}%
+ \fi\par
+ \penalty\@highpenalty \endgroup}
+ \addvspace{8pt plus 1pt}
+ \@tempdima \z@
+ \begingroup
+ \parindent \z@ \rightskip \@tocrmarg
+ \advance\rightskip by 0pt plus 2cm
+ \parfillskip -\rightskip \pretolerance=10000
+ \leavevmode \advance\leftskip\@tempdima \hskip -\leftskip
+ #1\nobreak
+ \leaders\hbox{$\m@th \mkern \@dotsep mu.\mkern
+ \@dotsep mu$}\hfill
+ \nobreak\hbox to\@pnumwidth{\hss #2}\par
+ \penalty\@highpenalty \endgroup}
+ \@tempdima=15\p@ %\z@
+ \begingroup
+ \parindent \z@ \rightskip \@tocrmarg
+ \advance\rightskip by 0pt plus 2cm
+ \pretolerance=10000
+ \leavevmode \advance\leftskip\@tempdima %\hskip -\leftskip
+ \textit{#1}\par
+ \penalty\@highpenalty \endgroup}
+\tocchpnum=\z@            % no chapter numbers
+\tocsecnum=15\p@          % section 88. plus 2.222pt
+\tocsubsecnum=23\p@       % subsection 88.8 plus 2.222pt
+\tocsubsubsecnum=27\p@    % subsubsection 88.8.8 plus 1.444pt
+\tocparanum=35\p@         % paragraph plus 1.666pt
+\tocsubparanum=43\p@      % subparagraph plus 1.888pt
+\advance\tocsectotal by\tocsecnum
+\advance\tocsubsectotal by\tocsubsecnum
+\advance\tocsubsubsectotal by\tocsubsubsecnum
+\advance\tocparatotal by\tocparanum}
+ \fi\section*{\listfigurename\@mkboth{{\listfigurename}}{{\listfigurename}}}
+ \@starttoc{lof}\if@restonecol\twocolumn\fi}
+ \fi\section*{\listtablename\@mkboth{{\listtablename}}{{\listtablename}}}
+ \@starttoc{lot}\if@restonecol\twocolumn\fi}
+    \section*{\listfigurename
+      \@mkboth{\listfigurename}{\listfigurename}}%
+    \@starttoc{lof}%
+    }
+    \section*{\listtablename
+      \@mkboth{\listtablename}{\listtablename}}%
+    \@starttoc{lot}%
+    }
+     {\section*{\refname}
+      \def\@biblabel##1{##1.}
+      \small
+      \list{\@biblabel{\@arabic\c@enumiv}}%
+           {\settowidth\labelwidth{\@biblabel{#1}}%
+            \leftmargin\labelwidth
+            \advance\leftmargin\labelsep
+            \if@openbib
+              \advance\leftmargin\bibindent
+              \itemindent -\bibindent
+              \listparindent \itemindent
+              \parsep \z@
+            \fi
+            \usecounter{enumiv}%
+            \let\p@enumiv\@empty
+            \renewcommand\theenumiv{\@arabic\c@enumiv}}%
+      \if@openbib
+        \renewcommand\newblock{\par}%
+      \else
+        \renewcommand\newblock{\hskip .11em \@plus.33em \@minus.07em}%
+      \fi
+      \sloppy\clubpenalty4000\widowpenalty4000%
+      \sfcode`\.=\@m}
+     {\def\@noitemerr
+       {\@latex@warning{Empty `thebibliography' environment}}%
+      \endlist}
+     {\let\protect\noexpand\immediate
+     \write\@auxout{\string\bibcite{#2}{#1}}}\fi\ignorespaces}
+  \@tempcnta\z@\@tempcntb\m@ne\def\@citea{}\@cite{\@for\@citeb:=#2\do
+    {\@ifundefined
+       {b@\@citeb}{\@citeo\@tempcntb\m@ne\@citea\def\@citea{,}{\bfseries
+        ?}\@warning
+       {Citation `\@citeb' on page \thepage \space undefined}}%
+    {\setbox\z@\hbox{\global\@tempcntc0\csname b@\@citeb\endcsname\relax}%
+     \ifnum\@tempcntc=\z@ \@citeo\@tempcntb\m@ne
+       \@citea\def\@citea{,}\hbox{\csname b@\@citeb\endcsname}%
+     \else
+      \advance\@tempcntb\@ne
+      \ifnum\@tempcntb=\@tempcntc
+      \else\advance\@tempcntb\m@ne\@citeo
+      \@tempcnta\@tempcntc\@tempcntb\@tempcntc\fi\fi}}\@citeo}{#1}}
+               \@citea\def\@citea{,\,\hskip\z@skip}%
+               \ifnum\@tempcnta=\@tempcntb\the\@tempcnta\else
+               {\advance\@tempcnta\@ne\ifnum\@tempcnta=\@tempcntb \else
+                \def\@citea{--}\fi
+      \advance\@tempcnta\m@ne\the\@tempcnta\@citea\the\@tempcntb}\fi\fi}
+     {\section*{\refname}
+      \small
+      \list{}%
+           {\settowidth\labelwidth{}%
+            \leftmargin\parindent
+            \itemindent=-\parindent
+            \labelsep=\z@
+            \if@openbib
+              \advance\leftmargin\bibindent
+              \itemindent -\bibindent
+              \listparindent \itemindent
+              \parsep \z@
+            \fi
+            \usecounter{enumiv}%
+            \let\p@enumiv\@empty
+            \renewcommand\theenumiv{}}%
+      \if@openbib
+        \renewcommand\newblock{\par}%
+      \else
+        \renewcommand\newblock{\hskip .11em \@plus.33em \@minus.07em}%
+      \fi
+      \sloppy\clubpenalty4000\widowpenalty4000%
+      \sfcode`\.=\@m}
+     {\def\@noitemerr
+       {\@latex@warning{Empty `thebibliography' environment}}%
+      \endlist}
+      \def\@cite#1{#1}%
+      \def\@lbibitem[#1]#2{\item[]\if@filesw
+        {\def\protect##1{\string ##1\space}\immediate
+      \write\@auxout{\string\bibcite{#2}{#1}}}\fi\ignorespaces}
+   \fi
+\def\idxquad{\hskip 10\p@}% space that divides entry from number
+\def\@idxitem{\par\hangindent 10\p@}
+\def\subitem{\par\setbox0=\hbox{--\enspace}% second order
+                \noindent\hangindent\wd0\box0}% index entry
+\def\subsubitem{\par\setbox0=\hbox{--\,--\enspace}% third
+                \noindent\hangindent\wd0\box0}% order index entry
+\def\indexspace{\par \vskip 10\p@ plus5\p@ minus3\p@\relax}
+               {\@mkboth{\indexname}{\indexname}%
+                \thispagestyle{empty}\parindent\z@
+                \parskip\z@ \@plus .3\p@\relax
+                \let\item\par
+                \def\,{\relax\ifmmode\mskip\thinmuskip
+                             \else\hskip0.2em\ignorespaces\fi}%
+                \normalfont\small
+                \begin{multicols}{2}[\@makeschapterhead{\indexname}]%
+                }
+                {\end{multicols}}
+  \kern-3\p@
+  \hrule\@width 2truecm
+  \kern2.6\p@}
+  \newdimen\fnindent
+  \fnindent1em
+    \parindent \fnindent%
+    \leftskip \fnindent%
+    \noindent
+    \llap{\hb@xt@1em{\hss\@makefnmark\ }}\ignorespaces#1}
+  \small
+  \vskip\abovecaptionskip
+  \sbox\@tempboxa{{\bfseries #1.} #2}%
+  \ifdim \wd\@tempboxa >\hsize
+    {\bfseries #1.} #2\par
+  \else
+    \global \@minipagefalse
+    \hb@xt@\hsize{\hfil\box\@tempboxa\hfil}%
+  \fi
+  \vskip\belowcaptionskip}
+\def \@floatboxreset {%
+        \reset@font
+        \small
+        \@setnobreak
+        \@setminipage
+               {\setlength\abovecaptionskip{0\p@}%
+                \setlength\belowcaptionskip{10\p@}%
+                \@float{table}}
+               {\end@float}
+               {\setlength\abovecaptionskip{0\p@}%
+                \setlength\belowcaptionskip{10\p@}%
+                \@dblfloat{table}}
+               {\end@dblfloat}
+  ext@#1\endcsname}{#1}{\protect\numberline{\csname
+  the#1\endcsname}{\ignorespaces #2}}\begingroup
+    \@parboxrestore
+    \@makecaption{\csname fnum@#1\endcsname}{\ignorespaces #3}\par
+  \endgroup}
+% LaTeX does not provide a command to enter the authors institute
+% addresses. The \institute command is defined here.
+\def\clearheadinfo{\gdef\@author{No Author Given}%
+                   \gdef\@title{No Title Given}%
+                   \gdef\@subtitle{}%
+                   \gdef\@institute{No Institute Given}%
+                   \gdef\@thanks{}%
+                   \global\titlerunning={}\global\authorrunning={}%
+                   \global\toctitle={}\global\tocauthor={}}
+ \begingroup
+ \parskip=\z@
+ \parindent=\z@
+ \setcounter{@inst}{1}%
+ \def\and{\par\stepcounter{@inst}%
+ \noindent$^{\the@inst}$\enspace\ignorespaces}%
+ \setbox0=\vbox{\def\thanks##1{}\@institute}%
+ \ifnum\c@@inst=1\relax
+   \gdef\fnnstart{0}%
+ \else
+   \xdef\fnnstart{\c@@inst}%
+   \setcounter{@inst}{1}%
+   \noindent$^{\the@inst}$\enspace
+ \fi
+ \ignorespaces
+ \@institute\par
+ \endgroup}
+   {\star\star\star}\or \dagger\or \ddagger\or
+   \mathchar "278\or \mathchar "27B\or \|\or **\or \dagger\dagger
+   \or \ddagger\ddagger \else\@ctrerr\fi}}
+\def\homedir{\~{ }}
+%%% to avoid hyperref warnings
+%%% to make title-entry parent of section-entries
+  \refstepcounter{chapter}%
+  \stepcounter{section}%
+  \setcounter{section}{0}%
+  \setcounter{subsection}{0}%
+  \setcounter{figure}{0}
+  \setcounter{table}{0}
+  \setcounter{equation}{0}
+  \setcounter{footnote}{0}%
+  \begingroup
+    \parindent=\z@
+    \renewcommand\thefootnote{\@fnsymbol\c@footnote}%
+    \if@twocolumn
+      \ifnum \col@number=\@ne
+        \@maketitle
+      \else
+        \twocolumn[\@maketitle]%
+      \fi
+    \else
+      \newpage
+      \global\@topnum\z@   % Prevents figures from going at top of page.
+      \@maketitle
+    \fi
+    \thispagestyle{empty}\@thanks
+    \def\\{\unskip\ \ignorespaces}\def\inst##1{\unskip{}}%
+    \def\thanks##1{\unskip{}}\def\fnmsep{\unskip}%
+    \instindent=\hsize
+    \advance\instindent by-\headlineindent
+    \if!\the\toctitle!\addcontentsline{toc}{title}{\@title}\else
+       \addcontentsline{toc}{title}{\the\toctitle}\fi
+    \if@runhead
+       \if!\the\titlerunning!\else
+         \edef\@title{\the\titlerunning}%
+       \fi
+       \global\setbox\titrun=\hbox{\small\rm\unboldmath\ignorespaces\@title}%
+       \ifdim\wd\titrun>\instindent
+          \typeout{Title too long for running head. Please supply}%
+          \typeout{a shorter form with \string\titlerunning\space prior to
+                   \string\maketitle}%
+          \global\setbox\titrun=\hbox{\small\rm
+          Title Suppressed Due to Excessive Length}%
+       \fi
+       \xdef\@title{\copy\titrun}%
+    \fi
+    \if!\the\tocauthor!\relax
+      {\def\and{\noexpand\protect\noexpand\and}%
+      \protected@xdef\toc@uthor{\@author}}%
+    \else
+      \def\\{\noexpand\protect\noexpand\newline}%
+      \protected@xdef\scratch{\the\tocauthor}%
+      \protected@xdef\toc@uthor{\scratch}%
+    \fi
+    \addtocontents{toc}{\noexpand\protect\noexpand\authcount{\the\c@auco}}%
+    \addcontentsline{toc}{author}{\toc@uthor}%
+    \if@runhead
+       \if!\the\authorrunning!
+         \value{@inst}=\value{@auth}%
+         \setcounter{@auth}{1}%
+       \else
+         \edef\@author{\the\authorrunning}%
+       \fi
+       \global\setbox\authrun=\hbox{\small\unboldmath\@author\unskip}%
+       \ifdim\wd\authrun>\instindent
+          \typeout{Names of authors too long for running head. Please supply}%
+          \typeout{a shorter form with \string\authorrunning\space prior to
+                   \string\maketitle}%
+          \global\setbox\authrun=\hbox{\small\rm
+          Authors Suppressed Due to Excessive Length}%
+       \fi
+       \xdef\@author{\copy\authrun}%
+       \markboth{\@author}{\@title}%
+     \fi
+  \endgroup
+  \setcounter{footnote}{\fnnstart}%
+  \clearheadinfo}
+ \markboth{}{}%
+ \def\lastand{\ifnum\value{@inst}=2\relax
+                 \unskip{} \andname\
+              \else
+                 \unskip \lastandname\
+              \fi}%
+ \def\and{\stepcounter{@auth}\relax
+          \ifnum\value{@auth}=\value{@inst}%
+             \lastand
+          \else
+             \unskip,
+          \fi}%
+ \begin{center}%
+ \let\newline\\
+ {\Large \bfseries\boldmath
+  \pretolerance=10000
+  \@title \par}\vskip .8cm
+\if!\@subtitle!\else {\large \bfseries\boldmath
+  \vskip -.65cm
+  \pretolerance=10000
+  \@subtitle \par}\vskip .8cm\fi
+ \setbox0=\vbox{\setcounter{@auth}{1}\def\and{\stepcounter{@auth}}%
+ \def\thanks##1{}\@author}%
+ \global\value{@inst}=\value{@auth}%
+ \global\value{auco}=\value{@auth}%
+ \setcounter{@auth}{1}%
+{\lineskip .5em
+ {\small\institutename}
+ \end{center}%
+ }
+% definition of the "\spnewtheorem" command.
+% Usage:
+%     \spnewtheorem{env_nam}{caption}[within]{cap_font}{body_font}
+% or  \spnewtheorem{env_nam}[numbered_like]{caption}{cap_font}{body_font}
+% or  \spnewtheorem*{env_nam}{caption}{cap_font}{body_font}
+% New is "cap_font" and "body_font". It stands for
+% fontdefinition of the caption and the text itself.
+% "\spnewtheorem*" gives a theorem without number.
+% A defined spnewthoerem environment is used as described
+% by Lamport.
+% definition of \spnewtheorem with number
+  \@ifnextchar[{\@spxnthm{#1}{#2}}{\@spynthm{#1}{#2}}}
+\def\@spxnthm#1#2[#3]#4#5{\expandafter\@ifdefinable\csname #1\endcsname
+   {\@definecounter{#1}\@addtoreset{#1}{#3}%
+   \expandafter\xdef\csname the#1\endcsname{\expandafter\noexpand
+     \csname the#3\endcsname \noexpand\@thmcountersep \@thmcounter{#1}}%
+   \expandafter\xdef\csname #1name\endcsname{#2}%
+   \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#4}{#5}}%
+                              \global\@namedef{end#1}{\@endtheorem}}}
+\def\@spynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname
+   {\@definecounter{#1}%
+   \expandafter\xdef\csname the#1\endcsname{\@thmcounter{#1}}%
+   \expandafter\xdef\csname #1name\endcsname{#2}%
+   \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#3}{#4}}%
+                               \global\@namedef{end#1}{\@endtheorem}}}
+  \@ifundefined{c@#2}{\@latexerr{No theorem environment `#2' defined}\@eha}%
+  {\expandafter\@ifdefinable\csname #1\endcsname
+  {\newaliascnt{#1}{#2}%
+  \expandafter\xdef\csname #1name\endcsname{#3}%
+  \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#4}{#5}}%
+  \global\@namedef{end#1}{\@endtheorem}}}}
+\def\@spthm#1#2#3#4{\topsep 7\p@ \@plus2\p@ \@minus4\p@
+\def\@spxthm#1#2#3#4{\@spbegintheorem{#2}{\csname the#1\endcsname}{#3}{#4}%
+                    \ignorespaces}
+       the#1\endcsname}{#5}{#3}{#4}\ignorespaces}
+                 \item[\hskip\labelsep{#3#1\ #2\@thmcounterend}]#4}
+      \item[\hskip\labelsep{#4#1\ #2}]{#4(#3)\@thmcounterend\ }#5}
+% definition of \spnewtheorem* without number
+\def\@Ynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname
+   {\global\@namedef{#1}{\@Thm{\csname #1name\endcsname}{#3}{#4}}%
+    \expandafter\xdef\csname #1name\endcsname{#2}%
+    \global\@namedef{end#1}{\@endtheorem}}}
+\def\@Thm#1#2#3{\topsep 7\p@ \@plus2\p@ \@minus4\p@
+       {#4}{#2}{#3}\ignorespaces}
+                           \item[\hskip\labelsep{#2#1\@thmcounterend}]}
+      \item[\hskip\labelsep{#3#1}]{#3(#2)\@thmcounterend\ }}
+   \def\@thmcountersep{.}
+   \spnewtheorem{theorem}{Theorem}[section]{\bfseries}{\itshape}
+   \spnewtheorem{theorem}{Theorem}{\bfseries}{\itshape}
+   \if@envcntreset
+      \@addtoreset{theorem}{section}
+   \else
+      \@addtoreset{theorem}{chapter}
+   \fi
+%definition of divers theorem environments
+\if@envcntsame % alle Umgebungen wie Theorem.
+   \def\spn@wtheorem#1#2#3#4{\@spothm{#1}[theorem]{#2}{#3}{#4}}
+\else % alle Umgebungen mit eigenem Zaehler
+   \if@envcntsect % mit section numeriert
+      \def\spn@wtheorem#1#2#3#4{\@spxnthm{#1}{#2}[section]{#3}{#4}}
+   \else % nicht mit section numeriert
+      \if@envcntreset
+         \def\spn@wtheorem#1#2#3#4{\@spynthm{#1}{#2}{#3}{#4}
+                                   \@addtoreset{#1}{section}}
+      \else
+         \def\spn@wtheorem#1#2#3#4{\@spynthm{#1}{#2}{#3}{#4}
+                                   \@addtoreset{#1}{chapter}}%
+      \fi
+   \fi
+    \def\@tempa{#1}%
+    \let\@tempd\@elt
+    \def\@elt##1{%
+        \def\@tempb{##1}%
+        \ifx\@tempa\@tempb\else
+            \@addtoreset{##1}{#2}%
+        \fi}%
+    \expandafter\expandafter\let\expandafter\@tempc\csname cl@#2\endcsname
+    \expandafter\def\csname cl@#2\endcsname{}%
+    \@tempc
+    \let\@elt\@tempd}
+      \item[\hskip\labelsep{##4##1\ ##2}]{##4##3\@thmcounterend\ }##5}
+                  \def\@Opargbegintheorem##1##2##3##4{##4\trivlist
+      \item[\hskip\labelsep{##3##1}]{##3##2\@thmcounterend\ }}
+      }
+      \list{}{\advance\topsep by0.35cm\relax\small
+      \leftmargin=1cm
+      \labelwidth=\z@
+      \listparindent=\z@
+      \itemindent\listparindent
+      \rightmargin\leftmargin}\item[\hskip\labelsep
+                                    \bfseries\abstractname]}
+    {\endlist}
+\newdimen\headlineindent             % dimension for space between
+\headlineindent=1.166cm              % number and text of headings.
+   \let\@oddfoot\@empty\let\@evenfoot\@empty
+   \def\@evenhead{\normalfont\small\rlap{\thepage}\hspace{\headlineindent}%
+                  \leftmark\hfil}
+   \def\@oddhead{\normalfont\small\hfil\rightmark\hspace{\headlineindent}%
+                 \llap{\thepage}}
+   \def\chaptermark##1{}%
+   \def\sectionmark##1{}%
+   \def\subsectionmark##1{}}
+   \let\@oddfoot\@empty\let\@evenfoot\@empty
+   \def\@evenhead{\normalfont\small\rlap{\thepage}\hspace{\headlineindent}%
+                  \hfil}
+   \def\@oddhead{\normalfont\small\hfil\hspace{\headlineindent}%
+                 \llap{\thepage}}
+   \def\chaptermark##1{}%
+   \def\sectionmark##1{}%
+   \def\subsectionmark##1{}}
+%end of file llncs.cls

File APLAS2012/llncsdoc.sty

+% This is LLNCSDOC.STY the modification of the
+% LLNCS class file for the documentation of
+% the class itself.
+  A\kern-.1667em\lower.5ex\hbox{M}\kern-.125emS}}
+    \small\list{}{\settowidth\labelwidth{}\leftmargin\parindent
+    \itemindent=-\parindent
+    \labelsep=\z@
+    \usecounter{enumi}}%
+    \def\newblock{\hskip .11em plus .33em minus -.07em}%
+    \sloppy
+    \sfcode`\.=1000\relax}%
+    \def\@cite##1{##1}%
+    \def\@lbibitem[##1]##2{\item[]\if@filesw
+      {\def\protect####1{\string ####1\space}\immediate
+    \write\@auxout{\string\bibcite{##2}{##1}}}\fi\ignorespaces}%
+\bibitem[1982]{clar:eke3} Clarke, F., Ekeland, I.: Nonlinear
+oscillations and boundary-value problems for Hamiltonian systems.
+Arch. Rat. Mech. Anal. {\bf 78} (1982) 315--333

File APLAS2012/main.tex

+% This is GoSSIP's APLAS 2012 paper
+The authors would like to thank SafeNet Inc. for the long-term support since 2009.
+% We recommend abbrvnat bibliography style.

File APLAS2012/sec_bkgd.tex

+\subsection{Dynamic analysis}
+Dynamic analysis has become a fundamental technique in computer security research.
+It allows analysts to reason about actual executions,
+and thus can perform concise security analysis based upon run-time information.
+Dynamic analysis monitors code as it executes and collects information about OS-level abstractions like processes and files.
+One important application of dynamic analysis is to monitor system function call.
+It can be implemented at different layers of abstraction within the operating system,
+and debugging mechanisms are employed to gather such information.
+Besides system level supporting, dynamic binary instrumentation\cite{luk2005pin}
+can also be leveraged to monitor the invocation of functions implemented by an application or dynamically linked libraries.
+Dynamic analysis is attractive because it allows us to reason about actual executions,
+and thus can perform precise security analysis based upon run-time information.
+Further, dynamic analysis is simple: we need only consider facts about one single execution at a time.
+Two of the most commonly employed dynamic analysis techniques in security research
+are dynamic taint analysis and forward symbolic execution\cite{schwartz2010all}.
+Dynamic taint analysis runs a program and observes which computations are affected by predefined taint sources such as user input.
+Dynamic forward symbolic execution automatically builds a logical formula describing a program execution path,
+which reduces the problem of reasoning about the execution to the domain of logic.
+The two analysis can be used in conjunction to build formulas representing only the parts of an execution that depend upon tainted values.
+Emulation refers to the ability of a computer program in one device to emulate another program or device.
+Alan Turing used the term "emulation" to refer to what happens when a universal machine executes a state transition table
+(in modern terminology, a computer runs a program)
+that describes the state transitions, inputs and outputs of a subject discrete-state machine\cite{guizani2010network}.
+Emulator is often used to execute a program that has to run on some inconvenient type of machine
+(for example, a newly designed mobile device that has not yet been built or an obsolete computer that is no longer available),
+or in a tightly controlled testing environment.
+From the theoretical viewpoint, the Church-Turing thesis implies that any operating environment can be emulated within any other.
+However, in practice, it is quite difficult,
+particularly when the exact behavior of the system to be emulated is not documented and has to be deduced through reverse engineering.
+What's more, the emulator does not perform as same as the original hardware,
+the emulated system may run much more fast/slowly than it would be on the original hardware.
+Emulation has become a useful part in reverse engineering to gain insight into the operation of binary codes,
+and thus is a powerful tool for program security analysis.
+Since the operation of the program is emulated,
+all the information about the operation is available to the analyst.
+Bochs\cite{lawton2003bochs} and QEMU\cite{bellard2005qemu} are typical
+State of the art full system emulators on commodity PC platforms that mainly support \emph{x86}, \emph{ARM} architectures.
+Specifically, QEMU is used in Android SDK to provide developers an emulated mobile device.
+Based on these two famous full system emulators, many security analyzing tools have been developed.
+TEMU\cite{song2008bitblaze} is a QEMU-based emulator that is able to perform dynamic taint analysis relying on whole-system emulation.
+TEMU keeps track of the tainted information propagating in the system.
+This feature also provides a plug-in environment for dynamic symbolic execution,
+in which symbolic values are marked as tainted,
+and concrete values as untainted.
+On Mobile platform, TaintDroid\cite{enck2010taintdroid} is a taint analysis system based on original Android emulator.
+Similar to TEMU, TaintDroid tracks how applications use sensitive information at a low level.
+iEMU is an emulator supporting iOS emulation that based on QEMU.
+The target of iEMU is to bring iOS Apps to different platforms and provide convenient dynamic analysis environment.
+Minemu\cite{bosman2011minemu} is a minimal emulator for dynamic taint analysis.
+Minemu incurs a slowdown of only 1.5x-3x for real-world applications.
+libemu\cite{baecherlibemu} is a small library written in C offering basic \emph{x86} emulation and shellcode detection using GetPC heuristics.
+It is designed to be used within network intrusion/prevention detections and honeypots.
+With libemu one can detect shellcodes, execute the shellcodes and profile shellcode behavior.
+Besides system emulators, SimpleScalar is an open source processor simulator\cite{austin2002simplescalar}.
+Using the SimpleScalar tools,
+users can build modeling applications that simulate real programs running on a range of modern processors and systems.
+SimpleScalar simulators can emulate the \emph{Alpha}, \emph{PISA}, \emph{ARM}, and \emph{x86} instruction sets.
+The tool set includes a machine definition infrastructure that
+permits most architectural details to be separated from simulator implementations.
+%All of the simulators distributed with the current release of SimpleScalar can run programs from any of the above listed instruction sets.
+%Complex instruction set emulation (e.g., x86) can be implemented with or without microcode,
+%making the SimpleScalar tools particularly useful for modeling CISC instruction sets.

File APLAS2012/sec_concl.tex

+A lightweight emulator supports core instructions execution.
+For very specific requirements such as shellcode detection and execution a stripped emulator is sufficient\cite{baecherlibemu}.
+String extraction and dynamic data pattern matching are common applications when analyzing malware.
+Except the discussed applications, we believe that more potential benefits may be brought by the lightweight emulation.
+\subsection{mobile emulation}
+Emulation for nowadays mobile device is difficult because of the various hardware provided by different manufactures.
+However, most of the mobile devices use ARM cortex processor as CPU and the instruction set is the same for different mobile devices.
+It is convenient to implement one simple emulator to support cross-platform dynamic analysis.
+\subsection{combination of lightweight and heavyweight emulation}
+The combination of lightweight emulation with debugger, heavyweight emulation or instrumentation may be useful.
+When using debugger or full emulator, at some certain points analyst may stop the debugging or emulating,
+taking advantage of lightweight emulation to create some \emph{virtual execution branches} with different states to deduce future behaviors.
+\subsection{hybrid analysis}
+Code division brings small and clear logic units.
+A hybrid analysis with different advanced techniques such as fuzzing or unit testing on code fragment can be done using lightweight emulator.
+Even static analysis would benefit from code fragment due to its simplicity.
+We introduced the conception and design principle of lightweight emulation.
+A lightweight emulation tends to perform a program-only fast emulation.
+The key elements of the lightweight emulation are emulator stripping, code fragment division and state reconstruction.
+And its applicability in practice includes(but not limited to) information extraction and dynamic pattern analysis.
+It is expected that the lightweight emulation techniques may improve the analyzing efficiency.
+We are currently searching for more applications of the lightweight emulation and hope to make it available to a more complex analysis.

File APLAS2012/sec_design.tex

+\section{Design Principle of Lightweight Emulation}
+Most of the traditional emulators are heavyweight and of full functionality.
+Now that emulator that supports full system characterization costs too much,
+a trade off is to use stripped lightweight emulator to analyze program directly.
+Our basic design principle of the lightweight emulation,
+is that the emulator should take advantage of the analyzed program \emph{only} to execute dynamic analysis(As shown in fig~\ref{fig_full}).
+That is to say, the lightweight emulator executes programs without emulating the entire system environment.
+Modern computer programs are of highly modularity and are a composite of plain logic instructions,
+system or third-party APIs and resources.
+The execution process highly depends on system or third-party APIs.
+The main factor that affects the emulation is how to implement these APIs imported in programs.
+Our solution for this problem is that the lightweight emulator doesn't handle the APIs,
+instead, it just handles plain instructions and considers the APIs as either black box state transitions or terminators,
+and the analyzed program is divided into many fragments.
+The lightweight emulator then deals with the code fragments.
+Moreover, function of APIs can be deployed as state transitions using other dynamic techniques such as debugging.
+The lightweight emulator connects these fragments with extra state transition information and fulfils long term emulation.
+% Our design inspiration of the lightweight emulator follows the philosophy of
+% simplescalar[], libemu[] and The  UNIX [\_philosophy.html].
+The implementation of lightweight emulator involves three aspects of work,
+\emph{emulator pruning, code fragment division, state reconstruction}.
+First, a pruning process on traditional full emulator architecture is executed to get a simple emulator.
+Then a code fragment division process is executed to search and test the code that is able to be lightweight emulated independently.
+Finally, the lightweight emulator needs reconstruct runtime context to fulfil the emulation.
+%Small is beautiful.  %Make each program do one thing well.  %Choose portability over efficiency.
+\subsubsection{Core Components}
+Basically, in order to emulate the processor and some operating system's
+functions, the emulator has the following components:
+\item [{CPU\ emulator}] When emulating a user-space process, every instruction
+in the process is emulated in the process emulator instead of running
+on a physical CPU. The CPU module contains execution context(e.g.
+registers), an instruction decoder, and one instruction handler for
+each emulated instruction. In each CPU loop, the emulator first fetches
+one instruction from memory, decodes and dispatches it to an instruction
+handler, and executes the handler to complete the instruction. The
+multi-threaded model in our process emulator is implemented as each
+thread has its own CPU instance and shares the emulated memory, and
+is scheduled by the host operating system.
+\item [{Memory\ management}] In x86 architecture, the 4GB virtual memory
+must be emulated by the process emulator, because the emulated process
+owns the whole linear address space, which cannot be mapped to the
+emulator's address space. The process emulator uses a paging memory-management
+scheme, which is similar to the Windows operating system. Memory allocations
+and deallocations are managed by the emulator, instead of directly
+using the system API. Also, the emulator also maintains heaps and
+stacks of the process, which cannot be managed directly by the operating
+\item [{API\ hooking\ interface}] System calls(APIs) are handled directly
+by the operating system, through the API hooking interface provided
+by the emulator. Whenever a system API is called, the emulator intercepts
+the calling thread, reserves its context, converts its pointers from
+the emulated address space to the emulator's address space, then calls
+the actual API instead, and restore the thread's context in the end.
+In this way, the system APIs are directly executed by the operating
+system, which is the key of performance boost comparing to full-system
+emulation. There are a few exceptions. Some system APIs concerning
+the emulated OS features cannot by directly executed by the operating
+system, and have to be emulated. Such APIs include memory management,
+threading, module management, etc.
+\item [{Module\ loading}] Each process to emulate is in the form of a
+PE module, who has its dependent modules(dynamic-link libraries) which
+are also PE modules. The process loader in the emulator is responsible
+for loading the process and its dependent modules into the emulated
+memory space, handling their import and export functions, and handling
+relocations. Some of the system's core libraries, such as kernel32.dll,
+is not loaded into memory. API calls to these libraries is handled
+by the API hooking interface, as mentioned above.
+\item [{Callbacks\ and\ message\ handling}] Some of the Windows APIs
+contain callback functions, especially those concerning the message
+looping in Windows. In order to support system callback functions,
+we have to hook these callback functions within the emulator, where
+the parameters are extracted from the emulated memory, and the actual
+callback functions are called by the emulator. If the emulated has
+graphical user interface, its messages are passed to the emulator,
+and then handled by the emulated callback routines. Hence, the emulator
+cannot have a message loop, otherwise it cannot emulate programs with
+graphical user interface.
+Program tracing becomes extremely easy using process emulation. Everything
+during execution is transparent to the analyst, including processor
+context, virtual memory, thread information, API calls, etc. Also,
+tracing and program analyzing can be run simultaneously, where the
+program analysis module is implemented as a plugin of the process
+emulator, which is the case in our whole program analysis system.
+\subsection{Emulator Pruning}
+As dynamic program analysis refers to a set of techniques that monitor the following behavior of an application while it is being executed.
+\item \emph{I/O and API invoking information}
+\item \emph{dynamic generated intermediate values}
+\item \emph{instruction execution sequence}
+We observed that the acquiring of the first item can be well achieved by introducing system-level monitoring mechanism,
+while the acquiring of last two items is fulfilled only with the support of fine-granularity instruction level analysis.
+We propose the following emulator pruning principle in order to meet the requirements of instruction level analysis.
+A lightweight emulator is an emulator that supports core instructions of the emulated processor.
+It only reserves a virtual \emph{Execution Engine} and a virtual \emph{Machine State} to support instruction-level execution,
+and considers not of the conception of operating system, I/O or any other high-level runtime environments(See Fig~\ref{fig_pruning}).
+\caption{Emulator Pruning}
+%The emulator is used as a filter that take program as input directly and outputs convenient data form.
+\subsection{Code fragment division}
+The main problem of the lightweight emulation is how to correctly execute programs without a full system emulated.
+In our scheme we don't emulate the entire program execution process.
+Instead, our strategy of emulation and analysis is a divide-and-conquer strategy.
+That is to say, we search for code fragment that is logic-based and is easy to be emulated,
+and we apply lightweight emulation on these fragments.
+Our emulation process takes an \emph{ostrich approach}.
+That is to say, we ignore the implementation of potential complex platform related interfaces.
+This assumes that to emulate programs and analyze properties especially those related to logic or security,
+we need not deal with complex interfaces about high level UI interactions, API calls and third party libraries.
+And it is more cost-effective to allow the emulation to stop when encountering these functions rather than to attempt to fulfil them.
+Besides, we notice that in applications, small part of code can often be analyzed independently.
+Following facts support our observation.
+First, experienced reverse engineers know the approximate function of a code section at a glance.
+This is because compiler and linker tend to place codes with similar functions together.
+Code fragments that are used for OS-level or library-level interactions are commonly separated from those used for logical control or arithmetic operation.
+Second, most of the modern programs are written with high-level object-oriented programming languages such as C++ and Objective-C.
+The features of object-oriented programming such as encapsulation and modularity naturally bring independency of localized code fragments.
+For instance, a method of an object generally operates on data members of this object only and requires few external functions.
+Third, many modern programs follow the design principle of the Model-View-Controller (MVC) architecture.
+The Model-View-Controller architecture separates the modeling of the domain, the presentation, and the actions based on user input into three separate classes\cite{krasner1988description}.
+For applications, the Model-View-Controller architecture enforces the separation of logic code and GUI code,
+and thus lightweight analysis is reasonable.
+In our lightweight emulation we inherit Caballero et al.'s idea\cite{caballero2009binary} of finding code fragment.
+Furthermore, because the purpose of our work is to observe rather than to reuse the binary code,
+we loosen the restriction that the code fragment should contain clear interface.
+What we try to find is the smallest testable part of an application.
+A pre-process of code division is given by static analysis,
+which finds start point of basic blocks and functions etc.
+Then we suggest a test-and-stop methodology for code division.
+That is, for a program, we first set some start points
+(usually the start points of functions or basic blocks) and use a lightweight emulator to perform test from these points.
+The test simply checks whether or not the executed instruction is supported by the emulator.
+If the lightweight emulator throws an exception
+(e.g., encountering certain instruction or API call that is unavailable to execute), the end point of a code fragment is determined.
+After collecting code fragment a more fine analysis could be employed.
+\caption{Code division and state reconstruction}
+%how many kinds of instructions are used? is there any privilege instructions or there are none?
+\subsection{Reconstruct Execution State}
+As mentioned above, one critical problem of the lightweight emulation,
+compared with full emulation, is the lack of execution context.
+A lightweight emulator may not be able to correctly emulate code fragment simply because the execution context
+(e.g., value of registers, stacks) is incomplete.
+The execution context may be self determined by code fragment, inherited from the invoker or from external libraries/system/devices.
+We define three general types of execution states during program execution,
+    \item \emph{self contained state}, the execution context can be determined in code fragment itself.
+    \item \emph{reference state}, the execution context is determined by external API call or global variables, and the context can be deduced by using the knowledge of external API call or global variables.
+    \item \emph{external state}, the execution context is determined by external API call or global variables but due to
+        the I/O or other environmental reasons, it is unable to deduce the context except for a complete emulation.
+As shown in fig~\ref{fig_pruning} the state of a lightweight emulator contains only necessary registers and values in memory.
+To reconstruct different states in a lightweight emulator, we adopt different strategies.
+For self contained state, we only need to initiate state with arbitrary or certain values.
+One typical situation is that an inner function is called by an outer function with certain arguments.
+The state is defined by these arguments.
+For reference state, it can be deduced for certain API calls are deterministic
+(e.g., the \emph{strlen} function) or the status of global variable is known.
+For the last situation, usually the state reconstruction is unavailable.
+If the emulator does need an external state,
+the state may be acquired by using either the original system monitoring or a full emulation,
+or even be defined by analyst herself.
+\caption{Different situations of state}
+Fig~\ref{fig_state} shows typical samples of different states.
+In self contained state situation of Fig~\ref{fig_state}, the memory is initialized using static data, and thus it's easy to rebuild the context.
+In reference state situation of Fig~\ref{fig_state}, the function is self contained except for the value of memory address [4050AC].
+However, this value can be acquired by analyzing the original memory loading process.
+In the situation of external state in Fig~\ref{fig_state}, the state relies on API function \emph{GetCommandLineA} but the result is determined by runtime inputs.
+Thus in this situation analyst needs extra information to support reconstruction.
+\subsection{IL-based Program Analysis}
+The goal of our work is to automatically detect algorithms in binary
+software executables using dynamic methods. To address the issues
+of dynamic data pattern analysis, we further extended this method
+by introducing intermediate language as analyzing medium, increasing
+its efficiency and accuracy, and acquiring platform compatibility
+at the same time.
+In this section, we'll first introduce the design principles of the
+intermediate language, and then talk about detailed description of
+each step of analysis based on the intermediate language.
+\subsubsection{Design Principles of Intermediate Language}
+Runtime data in dynamic program analysis is generated by program tracing,
+and in our case, through program emulation. As we know, dynamic program
+tracing usually produces low-level, fine-grained program data. For
+example, tracing result of x86 platform usually contains instruction
+opcodes, register values, memory access values, and so on. For other
+platforms like ARM or Java Virtual Machine, the situation is quite
+the same. So first of all, our IL should be close to machine language,
+so that translation from tracing result to IL can be done with the
+lowest cost.
+Second, the instruction set of our IL should be as reduced as possible.
+The purpose of using IL is to match dynamically translated programs
+with algorithm templates, which are implemented with the same IL.
+As implementations of the same algorithm can be various, the matching
+process is most likely NOT accurate. Therefore, we do not need the
+IL to be self-contained, which means that it should contain crucial
+information to the analysis and ignore the data that won't be used
+in analysis. A highly reduced instruction set helps to increase matching
+performance, and grasp primary runtime information at the same time.
+We use a variant of three-address code to represent each instruction
+of the IL, which can have at most three operands. Each operand is
+assigned with a type and ID, and an IL program can have unlimited
+number of temporary variables, which are distinguished by operand
+ID, and handled by the IL interpreter. Supported data types should
+include 32-bit integer, 64-bit integer, array, string, etc., and adding
+more data types to IL interpreter can be easy, because it's designed
+to be extensible. An IL program should explicitly specify its input
+arguments and output variable, so that it can be executed by the interpreter.
+In this way, we build up an IL that is light-weighted, platform-compatible
+and easy to analyze, and is used in each step of analysis, including
+dynamic translation, template algorithm implementation, program matching
+and dynamic data verification. A sample IL program is shown below.

File APLAS2012/sec_impl.tex

+\section{Lightweight emulation in practice}
+In this section, we briefly describe the implementation of our lightweight emulator LxEmu.
+\subsection{The LxEmu Lightweight Emulator}
+The LxEmu emulator is implemented as a process emulation platform on Windows x86. 
+The architecture of the emulator is shown in figure{[}{]}
+    \centering
+    \includegraphics[width=0.25\textwidth]{emulator.png}
+    \caption{Emualtor}
+\item [{Processor}] The emulator implements a subset of x86 instructions,
+containing around 300 of them, which are most commonly used in commodity
+software. These instructions include x86 instructions, x87 FPU, MMX
+and SSE extensions. Each instruction is decoded using libdasm and
+BeaEngine, and then interpreted in software, by a handler routine.
+The emulated x86 processor contains 8 general-purpose registers, 8
+segment registers, 17 eflags, an instruction pointer, FPU registers
+and SIMD(MMX and SSE) registers.
+\item [{Memory\ management}] The memory management module is similar to
+the one in Windows operating system, where 4GB virtual memory is separated
+into pages, and each page can be free, reserved or committed. Memory
+allocation and deallocations are done by Windows APIs such as VirtualAlloc()
+or VirtualFree(), thus these APIs are also emulated using the mechanisms
+provided by the emulator. Also, heaps and stacks are also implemented
+by the memory management module, as well as the corresponding APIs
+such as HeapAlloc(), HeapCreate(), and HeapDestroy(). Besides, a process(an
+executable, with extension .exe) has several imported modules(dynamic-link
+libraries, with extension .dll), these modules including the main
+executable are loaded into emulated memory before running the process,
+which simulates the behavior in the actual operating system.
+\item [{API\ Hooking}] The major problem of running a fully-functioned
+program is to pass the Windows APIs to host operating system when
+they are invoked. We take a simple approach that we write a wrapper
+function for each API provided by Windows operating system, and when
+an API is called by the emulated process, the actual API is invoked
+by the emulator instead. The key to achieve this is by converting
+pointers from emulated memory address to actual(emulator's) memory
+address, each API can be equally invoked by the emulator. Most common
+Windows APIs are exported in kernel32.dll, user32.dll, gdi32.dll,
+etc. These modules are emulated modules that are not loaded into the
+emulator when running a process.
+\item [{Exception\ handling}] Many instances of malware use exceptions
+for code packing or obfuscation, thus exception handling is also emulated
+by the emulator. Usually a program may deliberately raise an exception
+to execute its unpacking routine, and this behavior is carefully observed
+and simulated by the process emulator.
+\item [{Plugin\ interface}] To support different kinds of program analyzers
+without changing the core, the process emulator has a plugin interface
+where an analyzer can be implemented as a plugin. This interface includes
+callback routines that are invoked before and after executing an instruction,
+on each memory reading and writing, before and after running the process,
+\subsection{IL-based Program Analyzer}
+The program analyzer consists of a program partitioner, a translator,
+a template matcher and a data verifier, and is implemented as a plugin
+of the process emulator described above. As the analyzer has access
+to the program's data when the program is running, program analyzing
+is done simultaneously with the emulation of a program, without the
+need to trace a data into disk first.
+\item [{Program\ partitioner}] Partitioning with basic blocks is fairly
+easy. Since there's no branch instruction in a basic block, a new
+basic block is generated when a branch instruction is executed. These
+instructions include JMP, JEQ, JA, etc. Similar to basic blocks, the
+inter-procedure partitioner uses CALL/RET instructions as separators.
+The procedure partitioner is a little more complicated. It has to
+trace the calling level of the hierarchy, and generates a new partition
+when the level decreases. We limit the tracing level(current level
+minus the traced level) to a small number(usually two or three), because
+the partitioner has to keep all the data within a calling procedure,
+a high tracing level has a large memory consumption.
+\item [{Translation}] Most arithmetic, logical, bit-wise and data-transfer
+instructions are translated into IL instructions. Each x86 register
+is assigned with a unique ID, and is then represented by a variable
+in the IL program segment. One thing that we need to pay attention
+to is distinguishing memory access from register access. In current
+implementation, the whole memory is represented by a global array
+object, with unique ID 0. This array object can have arbitrary number
+of elements, subscripted by the addresses of memory locations. Our
+IL has instructions that operates array objects, simulating the manipulations
+of the memory. Optimizations of the translated segment may be required,
+since there's a lot of redundant code in the IL segment. We implemented
+several optimization algorithms such as dead-code elimination, pointer
+removal and copy propagation.
+\item [{Template\ matching}] Template matchers are implemented using the
+algorithms described in the previous section. We combine several matchers
+together to get a reasonable result, usually an IL segment is first
+evaluated using scale predicting, then instruction frequency or category
+frequency, or direct mapping for simple templates. The thresholds
+of these matchers are all a posteriori.
+\item [{Data\ verification}] We first convert all referenced data in the
+IL segment into data blocks. Each data block is a continuous memory
+region accessed by the dynamic program, and may contain the data needed
+for a template. A recursive data extractor is responsible for getting
+data according to the input/output format specified by the IL template.
+Each group of possible data is first converted from data blocks into
+array objects, and then injected into the IL interpreter for execution.
+The IL interpreter then runs the template and produces results, which
+is then sent to the data verifier. The data verifier searches possible
+matches using the array objects produced by the interpreter.

File APLAS2012/sec_intro.tex

+%Security certification of programs relies heavily on program analysis, especially dynamic analysis.
+%The basic target of dynamic analysis tends to understand \emph{observed behavior} of the program.
+%More sophisticated analysis aims at characterizing future behaviors in previously unseen circumstances.
+%Among various dynamic program analyzing techniques,
+Fine-granularity dynamic program analysis requires instruction level observation of program execution.
+Among various dynamic program analyzing techniques,
+Emulation and program instrumentation are the most popular ones.
+%Emulation is powerful for in-depth testing and debugging.
+Emulators are of great value for analysts to observe behaviors of applications on those devices that lack convenient mechanism of dynamic analysis.
+However, full emulator involves many irrelevant details.
+To implement emulators corresponding to such different kinds of hardware is a complicated task.
+In addition, the analysis often requires the deployment and execution of a full functional operating system,
+which may be time consuming.
+The above restrictions prevent analysts from launching efficient in-depth dynamic analysis.
+On the contrary, program instrumentation is much more convenient to analyze applications due to its sole requirement of static program code.
+Thus the target of emulator improving naturally turns to discover new type of emulation suitable for lightweight analysis.
+%Inspired by libemu\cite{baecherlibemu} and the UNIX philosophy -- \emph{Small is beautiful}[raymond2003art],
+We think it is necessary to complement existing emulation by introducing some tiny, flexible implementation.
+This tiny, flexible implementation, as we call the lightweight emulation, should satisfy following features.
+First, a lightweight emulator emulates program without fulfilling too many details about specific hardware and operating system.
+And because lightweight emulation reduces the traditional overhead of emulating operating system and other irrelevant processes,
+it is expected to be more efficient than traditional emulation.
+Second, the lightweight emulation should have an interface to receive runtime context.
+Instead of emulating external environment context, the emulator takes advantage of context information copied from real execution environment,
+and then sets the emulated state according to received information.
+In other words, the emulator creates an emulated copy of a program by 
+This methodology 
+The lightweight emulation directly deals with program code and outputs meaningful information.
+without the full emulation environment,
+So that most analyzing processes are still available.
+There are many advantages of the lightweight emulation.
+  \item \emph{Simplicity} A full system emulator is complicated to be implemented,
+        while it is quite simple to implement a lightweight emulator.
+        Besides, the execution of an entire operating system is a heavy burden for application analysis.
+        The development and operation of lightweight emulation is convenient.
+  \item \emph{Stability} Lightweight emulation concerns about core ISA,
+        thus is less affected by the changing of external hardware devices.
+  \item \emph{Efficiency} Lightweight emulation reduces the overhead significantly by only emulating applications.
+        It not only saves the developing cost of the emulator but also saves the time consumption of analyzing process.
+  \item \emph{Extensibility} Lightweight emulation can combine other techniques(taint analysis, fuzzing, unit testing) to give advanced analysis.
+In this paper we propose the lightweight emulation conception, discuss detail design principle and explore the potential benefits.
+We analyze the key elements of the lightweight emulation and argue its applicability in practice.
+And we've implemented a lightweight emulator LxEmu to prove the validity.
+Finally, we highlight the challenges that are imposed on lightweight emulation and provide solution.
+It is expected that lightweight emulation technique may improve the analyzing efficiency.
+The paper is organized as follows:
+Section~\ref{sec_bkgd} briefly reviews dynamic analysis and emulation techniques.
+Section~\ref{sec_lemu} proposes the main design principles and challenges of lightweight emulation.
+Section~\ref{sec_emuip} discuss the applicability of lightweight emulation in practice.
+And the conclusions are made in Section~\ref{sec_con}.
+\caption{From system emulation to lightweight emulation}

File APLAS2012/title.tex

+    LxEmu: Towards Lightweight Emulation and Intermediate Language Transformation
+    LxEmu: Towards Lightweight Emulation and Intermediate Language Transformation
+% abbreviated title (for running head)
+% also used for the TOC unless
+% \toctitle is used
+\author{Juanru Li \and Dawu Gu \and Ruoxu Zhao}
+\authorrunning{Juanru Li et al.}   % abbreviated author list (for running head)
+    Juanru Li, Dawu Gu, Ruoxu Zhao
+    Shanghai Jiao Tong University, Shanghai, China\\
+\maketitle              % typeset the title of the contribution
+Although traditional static and dynamic program analysis techniques are well developed,
+the variety of hardware devices and platforms makes it inconvenient to take tracing and analysis.
+Emulation is a common dynamic analysis technique introduced to fill the gap.
+But often an entire execution environment is required to be emulated to support program analysis, which brings heavy overhead.
+We design and implement a lightweight emulator, LxEmu, to directly emulate core ISA instead of the entire environment.
+The basic idea is to connect our emulator to operating system and hardware, and takes advantage of existing context and API rather than rebuild them.
+What's more, LxEmu uses IL-based program transformation to simplify the analysis process.
+LxEmu shows a good trade-off on efficiency and accuracy, and is of potential benefit for fast and fine-granularity emulation based program analysis.
+Dynamic analysis, Lightweight emulation, Intermediate language, Debugging.

File APLAS2012/tx.bat

+copy /Y main.bbl output\
+pdflatex -output-directory output -halt-on-error "main.tex"