prosyslab-classroom / is893-2020-fall


More details about my presentation [CFI/CCS05] #13

Closed daejin1592 closed 4 years ago

daejin1592 commented 4 years ago

Q1. How about dynamic CFG like libraries?

In this paper, for their experiments, they focused on CFGs derived by static binary analysis, not dynamic analysis. For dynamic CFI, you can see this paper, which describes dynamic CFI that protects legacy, binary-only executables and libraries.

Q2. How does the instrumented code work?

They assumed that the Code and Data sections are non-writable. Based on this, they made unique IDs as 32-bit values (for software of reasonable size) and assigned those IDs to the proper CFG. The instrumented code, which checks whether the CFG is valid or not, is inserted at each ret, jmp, and indirect call instruction. If the check fails, it jumps to the error_label.

+) I couldn't remember the other questions. If you have more, please comment on this issue.
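The ID check described in Q2, as an added example that is not part of the original issue or of the paper's own instrumentation: a constructed C model in which every destination carries a 32-bit label and the instrumented call site compares that label with the ID it expects before transferring control, landing in error_label on a mismatch. The IDs (CFI_ID_HANDLERS, CFI_ID_OTHER), the handler functions and the label table are all assumed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the CCS'05 ID check. Real instrumentation embeds the ID in
 * the code stream at each destination and emits "cmp [dst], ID ; jne error_label"
 * before the transfer; here the label sits beside the function pointer in a const
 * table, standing in for the non-writable code section the paper assumes. */

/* Assumed 32-bit IDs, one per equivalence class of CFG destinations. */
#define CFI_ID_HANDLERS 0x12345678u
#define CFI_ID_OTHER    0xABCDEF01u
typedef int (*handler_fn)(int);
typedef struct { uint32_t id; handler_fn fn; } labelled_target; /* label word, then body */
static int handler_double(int x) { return 2 * x; }
static int handler_square(int x) { return x * x; }
static int unrelated(int x)      { return x - 1000; }

/* Labels are fixed at instrumentation time; const models the non-writable section. */
static const labelled_target targets[] = {
    { CFI_ID_HANDLERS, handler_double },  /* both handlers share one ID, so the  */
    { CFI_ID_HANDLERS, handler_square },  /* dispatch site may reach either one  */
    { CFI_ID_OTHER,    unrelated },       /* reachable only from other call sites */
};
#define NUM_TARGETS (sizeof targets / sizeof targets[0])
/* error_label: control lands here when a check fails. */
static int error_label(void) { return -1; }

/* Instrumented indirect call: compare the label at dst with the ID this call
 * site expects and transfer only on a match. */
static int checked_call(const labelled_target *dst, uint32_t expected_id, int arg) {
    if (dst->id != expected_id)          /* cmp [dst], ID ; jne error_label */
        return error_label();
    return dst->fn(arg);
}
/* Dispatch site whose CFG edges are {handler_double, handler_square}. idx plays the
 * role of the function pointer read from writable data; if it has been redirected
 * to a target outside that class, the check must end in error_label. */
int run_dispatch(size_t idx, int arg) {
    if (idx >= NUM_TARGETS) return error_label();  /* keeps the model itself memory-safe */
    return checked_call(&targets[idx], CFI_ID_HANDLERS, arg);
}

int main(void) {
    printf("double(21) = %d\n", run_dispatch(0, 21));  /* 42 */
    printf("square(7)  = %d\n", run_dispatch(1, 7));   /* 49 */
    printf("unrelated  = %d\n", run_dispatch(2, 5));   /* -1: check fails */
    return 0;
}
```

The two handlers deliberately share one ID: the paper assigns IDs per set of destinations a call site may legitimately reach, not per function, which is why a target with a different label is rejected even though it is valid code.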