DynamoRIO


DynamoRIO is a BSD licensed dynamic binary instrumentation framework for the development of dynamic program analysis tools. DynamoRIO targets user space applications under the Android, Linux, and Windows operating systems running on the AArch32, IA-32, and x86-64 instruction set architectures.
DynamoRIO was originally created as a dynamic binary optimization system but has since been used for security, debugging, and analysis tools. DynamoRIO originated in a collaboration between Hewlett-Packard's Dynamo optimization system and the Runtime Introspection and Optimization research group at MIT; hence the combined name "DynamoRIO". It was first released publicly as a proprietary binary toolkit in June 2002 and was later open-sourced with a BSD license in January 2009.

Overview

DynamoRIO is a process virtual machine that redirects a program's execution from its original binary code to a copy of that code. Instrumentation that carries out the actions of the desired tool are then added to this copy. No changes are made to the original program, which does not need to be specially prepared in any way. DynamoRIO operates completely at run time and handles legacy code, dynamically loaded libraries, dynamically generated code, and self-modifying code.
DynamoRIO monitors all control flow to capture the entire execution of the target program. This monitoring adds overhead even when no tool is present. DynamoRIO's average overhead is 11 percent.

Features

DynamoRIO's API abstracts away the details of the virtualization process and focuses on monitoring or modifying the dynamic code stream of the program. A tool can insert trampolines into the program that invoke tool actions at specific program points. A tool can also insert instrumentation at the assembly language level, which provides fine-grained control over tool actions and tool performance. DynamoRIO supports adaptive optimization and adaptive instrumentation by allowing a tool to remove or modify its instrumentation at any point throughout the execution of the target program.
DynamoRIO invokes tool-registered callbacks at a number of common program event points, such as thread creation, library loading, system calls, signals, or exceptions. Its API also allows inspecting the program's libraries and address space in addition to its code.
DynamoRIO's API and event callbacks are designed to be cross-platform, enabling the same tool code to operate on both Windows and Linux and on both IA-32 and x86-64. DynamoRIO ensures tool transparency by isolating the tool's resources, such as its stack, memory, and file accesses, from the program upon which the tool is operating.
DynamoRIO contains libraries that extend its API to provide symbol table access, function wrapping and replacing, and memory address tracing utilities.

Tools

The first tools built for DynamoRIO focused on dynamic optimization. A number of research tools have been built for a variety of purposes, including taint checking and profiling.

Program Shepherding

Applying DynamoRIO to the security field resulted in a technique called program shepherding. The program shepherding instrumentation monitors the origin of each program instruction and the control flow between instructions in order to prevent a security exploit from taking control of the program. In 2003, program shepherding was commercialized as the brand-named Memory Firewall host intrusion prevention software in a startup company called Determina. Determina was acquired by VMware in August 2007.

Dr. Memory

Dr. Memory is an open-source memory debugger built on DynamoRIO and released under an LGPL license. Dr. Memory monitors memory allocations and memory accesses using shadow memory. It detects memory-related programming errors such as accesses of uninitialized memory, accesses to freed memory, heap overflow and underflow, and memory leaks. Its feature set is similar to that of the Valgrind-based Memcheck tool, though it operates on Windows as well as Linux and is twice as fast as Memcheck.