Exploiting Control-flow Enforcement Technology for Sound and Precise Static Binary Disassembly

Abstract: Rewriting x86_64 binaries-whether for security hardening, dynamic instrumentation, or performance profiling is notoriously difficult due to variable-length instructions, interleaved code and data, and indirect jumps to arbitrary byte offsets. Existing solutions (e.g., "superset disassembly") ensure soundness but incur significant overhead and produce large rewritten binaries, especially for on-the-fly instrumentation. This paper addresses these challenges by introducing the Time Variance Authority (TVA), which leverages Intel's Control-Flow Enforcement Technology (CET). By recognizing endbr64 as the only valid indirect jump target, TVA prunes spurious disassembly paths while preserving soundness and emulates CET constraints on processors lacking native CET support, effectively mitigating ROP/JOP exploits without new hardware. We implement TVA by modernizing the Multiverse rewriter for 64-bit Linux. Our evaluation on SPEC CPU2017 and real-world applications shows that TVA-guided rewriting achieves up to 1.3x faster instrumentation time. These results underscore TVA's feasibility as a high-performance, uprobes-free alternative for robust x86_64 binary analysis and rewriting.