I am not academia either.

So lots of bad papers come out of infosec academia, but certainly, there is a lot of good stuff coming from academia. With the exception of Spectre/Meltdown, the side channel space is completely dominated by academia. CFI started in academia. etc.

CFI didn't start in academia but with yours truly ;). hint: pax-future.txt

I should have guessed that. Apologies.

While there were ideas to restrict control-flow before CFI, CFI was formalized and implemented in academia then iterated on several times. We try to explain the situation and give an overview in our survey: nebelwelt.net/publications/f…

as for 'formalized', it's wrong too, if you read and understand their model, it's basically a tautology (assumes a model in which control flow violations aren't possible then "proves" it). btw, where's any mention of RAP (or FPValidator for that matter) in your 'survey'?

If you want your work cited, go write it up properly. Academia frowns on citation of commercial tools without at least a whitepaper explaining and evaluating the research.

Marketing copy and slides is insufficient for anything but “these people did a thing but we don’t really know how it works so cannot properly evaluate or compare with it.”

One wonders how you could ever mention Windows or Linux or any other software. The source code was published and capable of compiling the entire Linux kernel. If you can't figure out how it works from the code/presentation/disasm, maybe you should find a different profession?

My point is that it's not my job to reverse engineer RAP. If you want citations, then make it citable. Simply having an idea or an implementation is not enough. You need to write it up as well. Communication is part of science. I'm happy to help review your paper if you want 🙂