Exploiting Control-flow Enforcement Technology for Sound and Precise Static Binary Disassembly
Brian Zhao, Yiwei Yang, Yusheng Zheng, Andi Quinn

TL;DR
This paper introduces TVA, a method leveraging Intel's CET to improve static binary disassembly accuracy and efficiency, enabling sound, precise rewriting without hardware support, and demonstrating significant performance gains.
Contribution
The paper presents TVA, a novel approach that exploits CET to enhance disassembly soundness and precision, reducing overhead and enabling effective binary rewriting on x86_64 architectures.
Findings
TVA achieves up to 1.3x faster instrumentation times.
TVA effectively prunes spurious disassembly paths using CET.
The approach works on real-world applications and SPEC CPU2017.
Abstract
Rewriting x86_64 binaries, whether for security hardening, dynamic instrumentation, or performance profiling, is notoriously difficult due to variable-length instructions, interleaved code and data, and indirect jumps to arbitrary byte offsets. Existing solutions (e.g., "superset disassembly") ensure soundness but incur significant overhead and produce large rewritten binaries, especially for on-the-fly instrumentation. This paper addresses these challenges by introducing the Time Variance Authority (TVA), which leverages Intel's Control-Flow Enforcement Technology (CET). By recognizing endbr64 as the only valid indirect jump target, TVA prunes spurious disassembly paths while preserving soundness and emulates CET constraints on processors lacking native CET support, effectively mitigating ROP/JOP exploits without new hardware. We implement TVA by modernizing the Multiverse rewriter for…
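The pruning idea in the abstract, as an added illustration that is not code from the paper or from Multiverse: a toy decoder for a handful of real x86_64 encodings, a superset pass that keeps every decodable byte offset, and a CET-aware pass that seeds only from endbr64 sites and follows direct control flow. The sample bytes are constructed here; the spurious `push` decoded inside the `mov` immediate and the unreachable padding nops are what the CET rule prunes.

```python
import struct
ENDBR64 = b"\xf3\x0f\x1e\xfa"

def decode(code, off):
    """Decode one instruction of a tiny x86_64 subset at `off`: (length, kind, target) or None."""
    if code[off:off + 4] == ENDBR64:
        return 4, "endbr64", None
    op = code[off]
    if op == 0xC3:
        return 1, "ret", None
    if op == 0x90 or 0x50 <= op <= 0x5F:             # nop, push/pop r64
        return 1, "simple", None
    if 0xB8 <= op <= 0xBF and off + 5 <= len(code):  # mov r32, imm32
        return 5, "simple", None
    if op == 0xE8 and off + 5 <= len(code):          # call rel32
        return 5, "call", off + 5 + struct.unpack_from("<i", code, off + 1)[0]
    if op == 0xFF and off + 2 <= len(code) and 0xE0 <= code[off + 1] <= 0xE7:
        return 2, "jmp_ind", None                    # jmp r64: target unknown statically
    return None

def superset_starts(code):
    # Superset disassembly: any byte may be an indirect target, so every decodable offset is kept.
    return {off for off in range(len(code)) if decode(code, off) is not None}

def cet_reachable(code):
    # CET-aware disassembly: indirect flow may only land on endbr64, so seed from those sites only.
    work = [off for off in range(len(code)) if code[off:off + 4] == ENDBR64]
    seen = set()
    while work:
        off = work.pop()
        if off in seen or not 0 <= off < len(code):
            continue
        ins = decode(code, off)
        if ins is None:               # undecodable bytes end this path
            continue
        seen.add(off)
        length, kind, target = ins
        if kind in ("ret", "jmp_ind"):  # no fall-through; indirect targets are already seeded
            continue
        if kind == "call":
            work.append(target)
        work.append(off + length)
    return seen

# Constructed sample (not from the paper): a function, padding and a CET-guarded jump stub, offsets 0..25.
SAMPLE = bytes([
    0xF3, 0x0F, 0x1E, 0xFA, 0x55,                # 0: endbr64  4: push rbp
    0xB8, 0x78, 0x56, 0x34, 0x12,                # 5: mov eax, imm32 (0x56 at 7 also decodes as push)
    0xE8, 0x05, 0x00, 0x00, 0x00, 0x5D, 0xC3,    # 10: call +5 -> 20  15: pop rbp  16: ret
    0x90, 0x90, 0x90,                            # 17: padding nops, no direct flow reaches them
    0xF3, 0x0F, 0x1E, 0xFA, 0xFF, 0xE0,          # 20: endbr64  24: jmp rax
])
```

`superset_starts(SAMPLE) - cet_reachable(SAMPLE)` gives the offsets a superset rewriter would instrument for nothing; the CET pass stays sound because any indirect transfer that did not land on an endbr64 would already fault on CET hardware.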
Taxonomy
Topics: Security and Verification in Computing · Logic, programming, and type systems · Parallel Computing and Optimization Techniques
