DynamoRIO is a process virtual machine that redirects a program's execution from its original binary code to a copy of that code. Instrumentation that carries out the actions of the desired tool are then added to this copy. No changes are made to the original program, which does not need to be specially prepared in any way. DynamoRIO operates completely at run time and handles legacy code, dynamically loaded libraries, dynamically generated code, and self-modifying code. DynamoRIO monitors all control flow to capture the entire execution of the target program. This monitoring adds overhead even when no tool is present. DynamoRIO's average overhead is 11 percent.
Features
DynamoRIO's API abstracts away the details of the virtualization process and focuses on monitoring or modifying the dynamic code stream of the program. A tool can insert trampolines into the program that invoke tool actions at specific program points. A tool can also insert instrumentation at the assembly language level, which provides fine-grained control over tool actions and tool performance. DynamoRIO supports adaptive optimization and adaptive instrumentation by allowing a tool to remove or modify its instrumentation at any point throughout the execution of the target program. DynamoRIO invokes tool-registered callbacks at a number of common program event points, such as thread creation, library loading, system calls, signals, or exceptions. Its API also allows inspecting the program's libraries and address space in addition to its code. DynamoRIO's API and event callbacks are designed to be cross-platform, enabling the same tool code to operate on both Windows and Linux and on both IA-32 and x86-64. DynamoRIO ensures tool transparency by isolating the tool's resources, such as its stack, memory, and file accesses, from the program upon which the tool is operating. DynamoRIO contains libraries that extend its API to provide symbol table access, function wrapping and replacing, and memory address tracing utilities.
Tools
The first tools built for DynamoRIO focused on dynamic optimization. A number of research tools have been built for a variety of purposes, including taint checking and profiling.
Program Shepherding
Applying DynamoRIO to the security field resulted in a technique called program shepherding. The program shepherding instrumentation monitors the origin of each program instruction and the control flow between instructions in order to prevent a security exploit from taking control of the program. In 2003, program shepherding was commercialized as the brand-named Memory Firewall host intrusion prevention software in a startup company called Determina. Determina was acquired by VMware in August 2007.
Dr. Memory
Dr. Memory is an open-source memory debugger built on DynamoRIO and released under an LGPL license. Dr. Memory monitors memory allocations and memory accesses using shadow memory. It detects memory-related programming errors such as accesses of uninitialized memory, accesses to freed memory, heap overflow and underflow, and memory leaks. Its feature set is similar to that of the Valgrind-based Memcheck tool, though it operates on Windows as well as Linux and is twice as fast as Memcheck.
