In fact, if you look at tools that operate at link time, the only way they can run dynamic applications is by using a profiling run to gather information about code boundaries and indirect branch targets. But a profiling run is only representative of typical runs -- for security we need to know about the current run. We really need to be at runtime.
There are existing systems that operate at runtime, but they're either built for simulation and are too slow, or they're meant for inserting a few instrumentation calls, not fine-grained examination of every control transfer. We really need a new kind of tool...
Copyright © 2004 Derek Bruening