A Detection Approach for Vulnerability Exploiter Based on the Features of the Exploiter

With the wide application of software system, software vulnerability has become a major risk in computer security. +e on-time detection and proper repair for possible software vulnerabilities are of great importance in maintaining system security and decreasing system crashes. +e Control Flow Integrity (CFI) can be used to detect the exploit by some researchers. In this paper, we propose an improved Control Flow Graph with Jump (JCFG) based on CFI and develop a novel Vulnerability Exploit Detection Method based on JCFG (JCFG-VEDM). +e detection method of the exploit program is realized based on the analysis results of the exploit program. +en the JCFG is addressed through combining the features of the exploit program and the jump instruction. Finally, we implement JCFG-VEDM and conduct the experiments to verify the effectiveness of the proposed method. +e experimental results show that the proposed detection method (JCFG-VEDM) is feasible and effective.


Introduction
With the development of society, the computer network has taken roots in every direction of the society as an essential part of modern life. However, there is no effective detection method for existing malicious programs in the network. People enjoy the convenience brought by computer technology but do not have an effective method to prevent the exploit programs [1][2][3]. At present, researchers have made some achievements in this field, but in the face of the endless stream hijacking attacks, the current exploit detection methods are still lacking pertinence [4][5][6].
erefore, in view of the current vulnerability exploit attacks and their variants, we propose an improved Control Flow Graph (CFG) incorporating the features of the exploit programs. It is of great significance to the detection of exploit programs, beneficial to researches on the detection method of exploit programs. We also propose a Vulnerability Exploit Detection Method based on CFG with Jump (JCFG) (JCFG-VEDM).
e main contributions of this paper are as follows: (1) e feature definition of the exploit for the abnormal jump is proposed based on empirical analysis. (2) Under the premise of understanding the attack principles of existing exploits, we analyze the features of exploits, integrate the feature information into the CFG, and add pointer-related concepts. In addition, we propose the JCFG by combining the Control Flow Integrity (CFI) detection method. (3) Based on the research of vulnerability features, this paper also proposes the JCFG-VEDM and focuses on the JCFG based on the features of the vulnerability exploit generation and detection algorithm of exploit programs. e experiments have shown that JCFG-VEDM has good feasibility and effectiveness in detecting abnormal jumps of exploit programs. e rest of the paper is organized as follows. In Section 2, we describe the related work. In Section 3, we introduce the analysis method of the exploit based on program features and Section 4 proposes the vulnerability exploit detection method based on the features of vulnerability exploit. e experimental analysis is reported in Section 5. Conclusions are presented in Section 6.

Related Work
e current exploit detection methods mainly use the control flow of a program to detect and protect the program, including CFI and taint analysis. e original intention of CFI is to eliminate control flow hijacking attacks. In 2005, CCS (ACM Conference on Computer and Communications Security) published a paper called "Control Flow Integrity (CFI)" proposing the concept of CFI [7,8].
CFI detection is divided into fine-grained CFI and coarse-grained CFI. e fine-grained CFI is proposed primarily, obtaining the corresponding CFG through static analysis of the program, calculating the destination address that the jump instruction may reach, and assigning an address ID to each address. Whenever the program jumps, it is logically checked to check whether the jump is a legal address [9,10]. For example, XFI [11] modularized the program by combining memory access mechanisms to protect and monitor the program while it is running. However, due to the fine-grained CFI imposes too much overhead on the system, it is difficult to implement. e CFI program proposes a simplified version of the solution, which is called coarse-grained CFI [12,13]. Coarse-grained CFI neither needs to obtain the CFG of the program nor needs to assign a corresponding address ID to each address where the program jumps. It only needs to perform a static analysis on the program and calculate the legal transfer addresses through the corresponding rules [14][15][16]. For example, CCFIR (Compact Control Flow Integrity and Randomization) [17] collects all legal transfer addresses together, and the program can only jump between these legal addresses. CFIMon [18] uses static analysis of the program to obtain the legal access addresses and then uses the score tracking storage mechanism (LBR, etc.) in the processor to detect the program and analyze the CFI of the program in real time. For all that, these coarse-grained CFI detection methods can reduce system overhead, the jump instruction and the return instruction cannot be one-to-one correspondence due to the fact that each jump address is not assigned a corresponding address ID, which leads to a call instruction that can enter any function. In the beginning, a vulnerability is created.
At present, among the various techniques for program analysis, researchers in the field of program analysis prefer stain propagation analysis, which is combined with the analysis technology to analyze the program for a more accurate program analysis report. Stain analysis is divided into static analysis and dynamic analysis [19]. Static Taint Analysis is to analyze the program statically without running the program to detect whether the data can be transmitted from the source of the taint to the spot [20][21][22], whereas Dynamic Taint Analysis is to detect whether the data can be transmitted from the source to the aggregation point while the program is running [23,24].
In recent years, the academic circles mainly use CFI, stain analysis, and other detection schemes to detect the exploit [25,26]. ese schemes detect the abnormal control flow during running the program and have achieved certain results in practical application. However, the integrity detection of control flow needs to deal with the program at code level. Taint analysis mainly monitors the dynamic execution process of the program and sends out an alarm when the tainted data are used abnormally. e detection results have a certain degree of error because of the method's own limitations. ese methods need instrumentation in the program and have excessive system overhead. erefore, in view of the abnormal jump in the exploit, it is of great significance to deeply analyze the features of the exploit and provide the definition and unified formal description of the features of the exploit, which can further promote the research on the detection of the exploit, and the approach that we proposed does not need instrumentation, making security researchers more convenient to detect the exploits.

Analysis Method of Exploit Based on
Program Features e program features of the exploit rely mainly on the result of abstracting the program features of the exploit identified by the program feature. So far, the research on the program features of the exploit is not mature enough. e feature definition and formal description of the exploit are beneficial to the research of the exploit detection method.
is section first analyzes the features of the exploit and then the JCFG is proposed. Finally, the exploit is formalized through JCFG in this section. ere are diversified ways of exploiting exploits, with the main modality referred to the use of some specific instructions to achieve the attack from the perspective of assembly code. erefore, we analyze the exploit from three aspects: lexicon, grammar, and semantics. For example, for each transfer instruction, when the transferred address does not exist in the legal transfer address, the node of the transfer instruction constitutes a dangerous node of exploit. An exploit example with C source code is shown in Figure 1.

Definition of Exploit
is program compares the string in the file with PASSWORD, verifies whether it is consistent, and outputs the result. In this program, there is a vulnerability in the buff array in the verification function. By overwriting its return address, the program can jump to the starting address of the shellcode to perform related operations. Its corresponding assembly code flowchart is shown in Figure 2.
In Figure 2, the exploit can direct the control flow of the program to the address of the shellcode by overwriting the return address of the verity function. is is the dangerous node of exploit. Figure 2 mainly shows that the structure block of the verity function is mainly shown without some other system function calls. e call, jmp, jz, jnz, retn, and so on are instructions in the assembly code which constitute the grammatical features of the exploit. rough summarizing

29.
30. Security and Communication Networks the grammatical features of these instructions, the following points are obtained: (1) function call instruction Call; (2) address transfer instruction JXX; (3) return instruction Return. In this paper, we refer to the grammatical features of these exploits as the dangerous element of exploit represented by σ. e dangerous node of exploit must contain the dangerous element of exploit. erefore, we mainly analyze the address of the dangerous element of an exploit in the program to determine whether it is dangerous. e previously mentioned dangerous element of exploit is shown in Figure 2. By analyzing the location of the dangerous element of exploit, it can be judged whether it belongs to the dangerous node of exploit, when the block program pointed by the dotted line of the program is executed in Figure 2. In this paper, a collective symbol D is established to contain all the dangerous nodes of exploit in the program. Afterwards, we will further analyze the dangerous node of exploit to determine whether they belong to the exploit nodes. In addition, the set of exploit nodes is denoted as V.

Definition
Description. Albeit many ways to exploit, generalizing them from the perspectives of grammar, morphology, and semantics can always find a certain similarity. In this paper, the program features of the exploit are denoted as μ, and the constraint of the exploit is denoted as C.
e program features of the exploit in this paper are described in Definition 1. Vul represents the type of vulnerability exploited by the exploit. Prog represents the program containing instructions for the dangerous element of exploit σ, that is, the dangerous node of exploit. D is the collection of these dangerous nodes of exploit, such that, D � d 1 , d 2 , . . . , d n . C represents the relevant vulnerability exploit constraints that the features of the exploit program need to meet, such that C � c 1 ||c 2 || · · · ||c j || · · · ||c n . For an exploit, the basic constraint Bc j and the additional constraint Tc j of the exploit need to be satisfied, meaning c j � Bc j ∧Tc j .
In the program feature μ of the exploit, D describes the performance and syntax features of the exploit, and C describes the semantic feature of the exploit. And, for the program feature of the exploit, it also has the following properties.

Property 1.
e number of nodes is limited for a program. Accordingly, the number of dangerous nodes of exploit is also limited.

Property 2.
For the dangerous node of exploit, the node must contain the dangerous element of exploit.

Formalization of Exploit Features.
e feature form of the exploit refers to the formal expression of the feature of the exploit, which provides a strong foundation for describing the exploit in more detail and facilitates the research on the detection of the exploit. e main research object of this section is the exploit of abnormal jump.

Control Flow Graph Based on Jump (JCFG).
At present, most of the detection methods for exploit used by researchers are to design corresponding exploit detection algorithms through the CFG of the program for detecting the exploit. e main detection method for exploit is CFI, which is divided into fine-grained CFI and coarse-grained CFI. For fine-grained CFI, it allocates a unique ID for each instruction jump and adds the detection function to the program. e system overhead is exceedingly large, and the efficiency cannot meet real needs. erefore, the researchers proposed the coarse-grained CFI which does not need to assign a unique ID to each jump instruction but needs to detect whether the address of each jump is in the legal address set. However, the coarse-grained CFI has a certain impact on the accuracy of detection. erefore, based on the strengths and weaknesses of the above two exploit detection methods, this paper proposes a new control flow graph based on the CFG by combining the features of the exploit, called the Control Flow Graph-based Jump (JCFG). In JCFG, only dangerous nodes of exploit are included. For each dangerous node of exploit, the node in JCFG mainly contains the following attributes: (1) instruction type, including jmp, call, jz, jnz, and retn; (2) the name of the called function; (3) jump address. ese attributes are recorded as the feature attributes of the node. For the dangerous node of exploit d in the set, d � (id, attr, next id ), id represents the number of the node in JCFG, attr represents the feature attribute of the node, and next_id represents the node that the current node points to. For next_id, there may be a forked path, so the first node pointed to is marked as * first, and the second node pointed to is marked as * second. For node attributes, address represents the current address of the instruction, attrName represents the name of the instruction, funcName represents the name of the function, and jAdress represents the jump destination address. E represents the combination of edges, used to express the direction relationship between nodes. R represents the set of return addresses.
For each call instruction, the address after instruction is called is added to R. Begin is the entry node, and End is the end node of JCFG.

Related Definitions
Definition 3. Call instruction: Call represents call instruction.
Definition 4. Jump instruction: JXX represents the jump instruction, which includes the conditional jump instruction JCC (where CC represents the character sequence of the test condition type, including jz and jnz) and the unconditional jump instruction jmp.
Definition 5. Return instruction: Return represents return instruction, including RETN and RETF return instructions. RETN represents return from the subroutine transferred in the segment, and RETF represents return from the subroutine transferred in between segments. Definition 6. Return address set: each time a function call instruction is executed, the address following the call instruction is stored in the return address set R. Definition 7. Node judgement: for the program, there may be remerging the two execution paths after jnz, so the judgement is made to avoid duplication. e judgement function is recorded as isSame (jAdress).
Definition 8. JCFG node pointer: * p represents the current JCFG node pointer pointing to the Begin node by default. After the main function is executed, * p points to the first dangerous node of exploit under the Begin node. Figure 3 shows the code segment of a simple program. is program is simplified based on the code segment of the exploit given in Figure 1. Its specific assembly code flow graph is shown in Figure 4, and the JCFG formed is shown in Figure 5.

Example Analysis.
First, the Begin node is obtained according to the main function, and the next address of the call instruction in the return address set R is stored. en the conditional jump instruction in the JXX instruction is matched, forming the d 1 node through it. Each time the jump instruction JXX is matched, the same node determination function is called, and the same node is checked first. If it exists, the node pointing to it is directly pointed to the existing node. If it does not exist, then it is examined whether it exists if the node with the same jump destination address exists, and the next node id of the jump destination address path is added to the next_id of the node. e d 1 node has two successor nodes. e process of d 1 node is as follows: (1) select a successor path of d 1 ; (2) read the next call instruction; (3) put its next address into the return address set R; (4) get the d 2 node, read two call instructions and in turn, get d 3 and d 4 nodes, and put the next address of their call instruction into the return address set. e next matched instruction is the conditional jump instruction in the JXX instruction, through which the d 5 node is formed. e d 5 node has two successor nodes. e process of d 5 node is similar to d 1 node, generating the d 6 node. e subsequent matched instruction is the unconditional jump instruction in the two JXX instructions. e d 7 node and the d 8 node are formed, respectively, and then the matched instruction is found to exist through the same node judgement function, so the d 8 node points to the d 1 node. en, it returns to another instruction path of the previous d 5 node. Followed by a call instruction and a JXX instruction, the corresponding d 9 and d 10 nodes are obtained, the following instruction is a Call instruction to get the corresponding d 11 node, followed by a return instruction Return, and there is only one return address in the return address set R. erefore, the node is determined as the End node. Backing up again, another instruction path can access the d 1 node, through the same node determination function, d 11 can be added to the next_id set of d 1 . is is the end and the JCFG graph is generated.
Here is just a brief description of the generation of JCFG. e specific JCFG generation algorithm will be introduced in detail in the next section.

Control Flow Graph Generation Method by IDA.
For the exploit to be detected, with the static analysis of the exploit, the exploit is imported into IDA, getting its assembly code and reading its instructions. e efficiency of generating JCFG directly by extracting instructions from the assembly code of the program to be tested is extremely low. erefore, the process of generating the JCFG is as follows: (1) use IDA scripts to generate corresponding CFG; (2) use the CFG that generated by IDA to filter out some unimportant instructions and retain the required Call, JXX, Return, and other key Command; (3) process the generated CFG to obtain the required JCFG. e node information structure of the CFG is shown in Figure 6.

25.
26. e algorithm uses a recursive method to generate the CFG. e input is the assembly code of the exploit, and the output is the SQL file containing the CFG structure and all CFG node information. Algorithm 1 shows how to further process the statements containing key instructions in the assembly code of the exploit. Lines 7-12 are for processing the statements containing Call instructions, and lines 13-15 are for processing the statements containing Return. Lines 15-31 are to process the instruction statement containing JXX. e timeconsuming is mainly on the program traversal process of the algorithm, with the time complexity O (n), where n is the number of assembly code lines of the exploit.

Node Information Extraction Method.
e node information extraction method mainly extracts the node information contained in the generated CFG. e instruction information in the exploit has been filtered out of a large part of the noncritical information in the process of generating the CFG. Here, the corresponding processing is mainly for the filtered information, which is convenient for use when generating the JCFG. In Figure 6, we can see the data structure design of the node attributes of the CFG. In Figure 7, we have further extracted the instruction information and subdivided it for the data structure design of the node attributes of the CFG, which are the instruction name, function name, and destination address.
ere are two types of command names, namely, the Call command and the JXX command mentioned.

JCFG Generation Method.
e JCFG generated in the algorithm is recursive. e input is the CFG generated by the IDA script, and the output is the JCFG. Algorithm 2 further processes the node information of each node in the CFG. Lines 5-11 are for processing the node information of CFG nodes containing Call instructions, and lines 12-28 are for CFG nodes containing JXX instructions to process the node   information. Among them, lines 13-19 are for the node information of the CFG node of the direct jump instruction in the JXX instruction, and lines 20-27 are for the indirect jump instruction in the JXX instruction. e operation time of this algorithm is mainly spent on traversing the CFG graph nodes. As the number of CFG graph nodes is limited, the time complexity of this algorithm is O (n), where n is the number of nodes in the CFG.

Exploit Detection Method Based on JCFG
e focus of this paper is to study the detection methods for the exploit from all aspects of the exploit. In the previous section, JCFG is proposed; in this section, we will use the JCFG to detect the exploit. is section explains the process of detecting the exploit with JCFG and the further analysis of the nodes in it with the aim of determining whether it meets the constraints of the exploit.

Exploit Detection Framework.
is paper proposes a Vulnerability Exploit Detection Method based on JCFG, denoted as JCFG-VEDM, which is used to detect vulnerabilities. In addition, the proposed JCFG-VEDM is evaluated according to the detection results of this method. Figure 8 shows the components of the JCFG-VEDM, including the following modules: JCFG generation module, execution module of exploit, and exploit judgement module.

Related Definitions
Definition 9. Function Name Judgement, CNameJudge (JCFGNode, * q): when the program is dynamically executed, the current execution instruction is the Call. Comparing the function name of the node pointed to by the name of the calling function after the call and the node pointer of the current JCFG, if both are consistent, false is returned; otherwise, true is returned.
Definition 10. Jump Address Judgement, JAdressJudge (JCFGNode, * q): when the program is dynamically executed, the current execution instruction is JXX, and the subsequent jump address is compared with the destination address JAdress of the node pointed to by the current JCFG node pointer. e same returns false, and the different returns true.
Definition 11. Return Address Judgement, RetnJudge (R, * q): when the program is dynamically executed, the current execution instruction is the Return, and the address after execution is compared with the uppermost address in the return address set R. e same returns false, and the different returns true.
Definition 12. Instruction containment: Include(d, instruction) to indicate that the currently executed instruction node d contains an instruction that has been defined like the Call, the JXX, or the Return. For example, (∃d ∈ Prog)∧(Include(d, Call)). is means that the current execution instruction node of the Prog has Call. Definition 13. Program execution pointer: * q represents the instruction node that the program is currently executing.

Abnormal Jump.
e execution flow is hijacked during running the program, so that the program executes code that should not be executed, which is called an abnormal jump. According to the feature definition of the exploit, μ(AJ) � D, C { }, with a formal description of the vulnerable node D and the program feature constraint condition C of the exploit followed: And D RetnJudge represents the program return address judgement and returns a collection of nodes that refer to true.
Description: the constraint C 2 related to the features of the exploit means the existence of the exploit JCFG node * p in the dangerous nodes of exploit set D, the existence of the instruction node * q in the detected exploit, and the instruction of the node where * p is located which is JXX. e instruction of the instruction node where * q is located is also JXX. Currently, it calls the jump address judgement to determine whether there is an abnormal jump.
Description: the constraint C 3 related to the features of the exploit means that there is an exploit JCFG node * p in the dangerous nodes of exploit set D and an instruction node * q in the detected exploit. e instruction of the node where * p is located is Return instruction, and the instruction of the instruction node where * q is located is also the Return. Currently, the return address judgement is called to determine whether there is an abnormal jump. Figure 9 shows a code segment of an exploit. e exploiting in this program is to overwrite the return address of the strcpy function in the verity function to import the execution flow of the program into the shellcode. In the main function, the program reads the string in the password.txt and compares it with PASSWORD. e JCFG Input: CFG Output: JCFG (1) JCFG � new JCFG (); / * Initialize JCFG * / (2) Stack cN � new Stack <> (); / * Create a stack to store conditional jumps and path fork nodes * / (3)
In Figure 10, the part of the JCFG that will cause the abnormal jump in the exploit is mainly for analysis. After the program has executed a series of instructions in the d i node, it should return from the entered _strcpy function. e last node executed before returning is the d j node, while the node executed afterwards should be the d j+1 node. e node information corresponding to these nodes is shown in Figure 11. However, when the exploit is officially executed, the return address of this program is overwritten because the program reads the information in the txt, and the execution flow is imported into the shellcode. When the program generates an abnormal jump, after the program executes the d j node, the next instruction read is Call MessageBoxA, and the information of the * q execution node is shown in Figure 11. e * p node in the current JCFG is at the position of the d j node. By comparing the node information of the subsequent nodes, the * q node and the * p node in the JCFG, it will be found that both do not match, with an abnormal jump generated.

Vulnerability Exploit Detection Method Based on JCFG.
For the exploit to be detected, it is dynamically analyzed after static analysis is finished. Ollydbg is an extremely popular program dynamic analysis tool, through which the program can be dynamically analyzed very conveniently. When the program is dynamically analyzed, corresponding instruction nodes are generated for the key instructions in the execution process. e key instructions include the previously defined Call, JXX, and Return. e node attribute data structure design of the instruction node is shown in Figure 12. For key instructions in the execution process, the corresponding instruction nodes are generated and compared with the execution nodes in the JCFG to determine whether abnormal jumps occurred. e specific description of the Vulnerability Exploit Detection Method based on JCFG is shown in Algorithm 3, and the part about extracting key instruction information during execution is omitted from the algorithm. e algorithm mainly shows the detection function of the exploit. According to the input execution instruction node and the node pointer of the JCFG, the detection result is obtained by matching. In lines 6-18, these are to match the subsequent first node of the execution instruction node * q and the node pointer * p of the JCFG. Lines 7-10 are the check function for the key instruction Call. Lines 11-14 are for the key instruction JXX check, and lines 15-18 are check functions for the key instruction Return. en, it matches the subsequent second node of the execution instruction node * q and the node pointer * p of the JCFG. e specific operation is like the previous operation. Lines [20][21][22] indicate that the execution instruction node * q does not match the subsequent first node and second node of the node pointer * p of the JCFG, so the current execution instruction node and the node of the JCFG are stored in the exploit node stack. Most of the execution time of the algorithm is spent on the stepby-step reading of the execution instructions. e exploit has limited instruction statements, so the execution instruction nodes formed are less than the number of instruction statements of the exploit. e time complexity of this algorithm is O (n), where n is the total number of nodes that generate and execute instructions.

Experimental Analysis
is chapter mainly elaborates the various information of the experiment, which includes the various indicators needed for the experiment, the prepared experimental plan, and the experimental results.

Experimental Program.
is section selects some typical exploits for detection which cover a variety of attack types, including ret-to-libc, ROP, and JIT Spraying, and will give the comparison of JCFG with DEP protection strategy of the system and ASLR address randomization protection strategy. e exploits to be detected are shown in Table 1.
First, the IDA script is used to perform static analysis on the exploit, extracting the obtained assembly code, the key instruction information, and the corresponding CFG generated, which is stored in the database. en by further extracting the node information in the CFG, the  corresponding JCFG is generated and stored in the database. After obtaining the JCFG, the program is analyzed dynamically, reading the instruction information during each step-by-step execution, extracting information from the instruction information containing key nodes, and finally, obtaining the corresponding instruction node, calling the corresponding instruction determination function, and statistically analyzing the pointer nodes of the obtained JCFG with the node which obtain comparison to determine whether there is an abnormal jump, so as to determine whether the program to be detected belongs to an exploit.

Analysis of Results.
e Vulnerability Exploit Detection Method based on JCFG can successfully detect the exploit shown in Table 1 and store the nodes that produce abnormal jumps, which are convenient for security personnel to analyze the exploit. First, the exploit is prevented by the protective measures in the system, and then the exploit is detected by the JCFG-VEDM method proposed in this paper. e detection results are shown in Table 2.
In Table 2, the detection result section uses "1" to represent that the detection method can detect the exploit and uses "0" to represent that the exploit cannot be detected. It can be seen from the results in Table 2 that neither the DEP protection strategy of the system nor the ASLR address randomization protection strategy can protect the system against the above-mentioned exploits. However, the Vulnerability Exploit Detection Method based on JCFG proposed in this paper can detect the above. It reflects that JCFG-VEDM can detect common ret-to-libc, ROP, and JIT Spraying vulnerabilities. Hence, the effectiveness and feasibility of the JCFG-VEDM detection method are verified.
Here, the detection process and detection results of the Vulnerability Exploit Detection Method based on JCFG are described.
CVE-2017-8869 is caused by a buffer overflow vulnerability in MediaCoder. Attackers can construct the .m3u file to cause the program buffer overflow and overwrite the return address of the program to execute arbitrary code. In this experiment, MediaCoder runs on the experimental host of windows 7, and the assembly code of the program is also monitored through Ollydbg. During operation, the node with ID 476 at 0x1400f92d6L shows that the successor node of this node should be the node with ID 477 in the database, but at runtime, the control flow jumps to another address. us, the instruction node does not match the program instruction node in the static JCFG in the generated program, and it is determined that an abnormal jump has occurred. e hacker can use it to execute the shellcode that hides in the .m3u file. e experiment shows that the DEP and ASLR protection strategies fail to protect the system, the exploit program can execute the shellcode that hacker hided, and JCFG-VEDM can detect it by verity of the jump address of   executable file. And compared with the common CFI detection approach, JCFG-VEDM does not need the source code of the executable file to use the method of program instrumentation, it is convenient for security researchers to detect the vulnerability of executable program which cannot get the source code.

Threats to Validity
A threat to internal validity relates to the type of vulnerabilities used in the experimental analysis. To mitigate this threat, we have prepared more different CVE vulnerabilities regarding the buffer overflow vulnerability. A threat to external validity relates to the generalizability of our results because we used vulnerability data from only buffer overflow vulnerability to verify the effectiveness and the feasibility of the abnormal jump studied. Our future work will address this threat by examining other vulnerabilities like Heap Overflow, Stack Overflow, and so on.

Conclusion
ere are certain features in the occurrence of program vulnerabilities. is paper conducts an in-depth analysis of the features of the exploits of abnormal jumps and proposes a Vulnerability Exploit Detection Method based on JCFG (JCFG-VEDM). Firstly, this method analyzes the exploit features of the exploit to obtain its corresponding JCFG. And then it uses the Ollydbg tool to dynamically analyze the exploit, generating corresponding instruction nodes for the executed key instructions. Finally, it compares nodes pointed to by the JCFG node pointer to determine whether an abnormal jump has occurred. In addition, this method also can be utilized to determine whether the program is an exploit.
To verify the effectiveness and feasibility of the JCFG-VEDM method proposed in this paper, we compare the JCFG-VEDM with the current system's DEP protection strategy and ASLR address randomization protection strategy in the experimental analysis. Experimental results show that JCFG-VEDM can detect the above-mentioned exploits, while the system's DEP and ASLR protection strategies fail to protect the system, and compared with the traditional CFI, the JCFG-VEDM does not need instrumentation, and it is minifying the workload for the security researchers to detect the exploits by using the approach.
Data Availability e data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
e authors declare that there are no conflicts of interest regarding the publication of this paper.