DynamoRIO

Last updated
DynamoRIO
Developer(s) Authors of DynamoRIO
Initial releaseJune 2002;21 years ago (2002-06)
Stable release
7.0.17598 [1] / 12 March 2018; 17 August 2023;Error: first parameter cannot be parsed as a date or time. (12 March 2018; 17 August 2023)
Preview release
7.0.0-RC1 / February 3, 2017;7 years ago (2017-02-03)
Repository
Operating system Android, Linux, Windows
Platform AArch32, AArch64, IA-32, x86-64
Type Instrumentation framework, profiler
License BSD
Website dynamorio.org

DynamoRIO is a BSD-licensed dynamic binary instrumentation framework for the development of dynamic program analysis tools. DynamoRIO targets user space applications under the Android, Linux, and Windows operating systems running on the AArch32, IA-32, and x86-64 instruction set architectures.

Contents

DynamoRIO was originally created as a dynamic binary optimization system but has since been used for security, debugging, and analysis tools. DynamoRIO originated in a collaboration between Hewlett-Packard's Dynamo optimization system and the Runtime Introspection and Optimization (RIO) research group [2] at MIT; hence the combined name "DynamoRIO". It was first released publicly as a proprietary binary toolkit in June 2002 and was later open-sourced with a BSD license in January 2009.

Overview

DynamoRIO is a process virtual machine that redirects a program's execution from its original binary code to a copy of that code. Instrumentation that carries out the actions of the desired tool are then added to this copy. No changes are made to the original program, which does not need to be specially prepared in any way. DynamoRIO operates completely at run time and handles legacy code, dynamically loaded libraries, dynamically generated code, and self-modifying code.

DynamoRIO monitors all control flow to capture the entire execution of the target program. This monitoring adds overhead even when no tool is present. DynamoRIO's average overhead is 11 percent. [3]

Features

DynamoRIO's API abstracts away the details of the virtualization process and focuses on monitoring or modifying the dynamic code stream of the program. A tool can insert trampolines into the program that invoke tool actions at specific program points. A tool can also insert instrumentation at the assembly language level, which provides fine-grained control over tool actions and tool performance. DynamoRIO supports adaptive optimization and adaptive instrumentation by allowing a tool to remove or modify its instrumentation at any point throughout the execution of the target program.

DynamoRIO invokes tool-registered callbacks at a number of common program event points, such as thread creation, library loading, system calls, signals, or exceptions. Its API also allows inspecting the program's libraries and address space in addition to its code.

DynamoRIO's API and event callbacks are designed to be cross-platform, enabling the same tool code to operate on both Windows and Linux and on both IA-32 and x86-64. DynamoRIO ensures tool transparency by isolating the tool's resources, such as its stack, memory, and file accesses, from the program upon which the tool is operating.

DynamoRIO contains libraries that extend its API to provide symbol table access, function wrapping and replacing, and memory address tracing utilities.

Tools

The first tools built for DynamoRIO focused on dynamic optimization. [4] A number of research tools have been built for a variety of purposes, including taint checking [5] and profiling. [6]

Program Shepherding

Applying DynamoRIO to the security field resulted in a technique called program shepherding. [7] The program shepherding instrumentation monitors the origin of each program instruction and the control flow between instructions in order to prevent a security exploit from taking control of the program. In 2003, program shepherding was commercialized as the brand-named Memory Firewall host intrusion prevention software in a startup company called Determina. Determina was acquired by VMware in August 2007. [8]

Dr. Memory

Dr. Memory is an open-source memory debugger built on DynamoRIO and released under an LGPL license. [9] Dr. Memory monitors memory allocations and memory accesses using shadow memory. It detects memory-related programming errors such as accesses of uninitialized memory, accesses to freed memory, heap overflow and underflow, and memory leaks. Its feature set is similar to that of the Valgrind-based Memcheck tool, though it operates on Windows as well as Linux and is twice as fast as Memcheck. [10]

See also

Notes

  1. "Release 7.0.17598". 12 March 2018. Retrieved 13 March 2018.
  2. The RIO Project: Runtime Introspection and Optimization
  3. Transparent Dynamic Instrumentation, Figure 4
  4. An Infrastructure for Adaptive Dynamic Optimization
  5. TaintTrace: Efficient Flow Tracing with Dynamic Binary Rewriting
  6. PiPA: Pipelined Profiling and Analysis on Multi-Core Systems
  7. Secure Execution Via Program Shepherding
  8. VMware acquires HIPS provider Determina
  9. Dr. Memory: Memory Debugger for Windows and Linux
  10. Practical Memory Checking with Dr. Memory

Related Research Articles

<span class="mw-page-title-main">Debugger</span> Computer program used to test and debug other programs

A debugger or debugging tool is a computer program used to test and debug other programs. The main use of a debugger is to run the target program under controlled conditions that permit the programmer to track its execution and monitor changes in computer resources that may indicate malfunctioning code. Typical debugging facilities include the ability to run or halt the target program at specific points, display the contents of memory, CPU registers or storage devices, and modify memory or register contents in order to enter selected test data that might be a cause of faulty program execution.

In computer science, dynamic recompilation is a feature of some emulators and virtual machines, where the system may recompile some part of a program during execution. By compiling during execution, the system can tailor the generated code to reflect the program's run-time environment, and potentially produce more efficient code by exploiting information that is not available to a traditional static compiler.

A memory debugger is a debugger for finding software memory problems such as memory leaks and buffer overflows. These are due to bugs related to the allocation and deallocation of dynamic memory. Programs written in languages that have garbage collection, such as managed code, might also need memory debuggers, e.g. for memory leaks due to "living" references in collections.

<span class="mw-page-title-main">Valgrind</span> Programming tool for profiling, memory debugging and memory leak detection

Valgrind is a programming tool for memory debugging, memory leak detection, and profiling.

Insure++ is a memory debugger computer program, used by software developers to detect various errors in programs written in C and C++. It is made by Parasoft, and is functionally similar to other memory debuggers, such as Purify, Valgrind and Dr Memory.

In software engineering, profiling is a form of dynamic program analysis that measures, for example, the space (memory) or time complexity of a program, the usage of particular instructions, or the frequency and duration of function calls. Most commonly, profiling information serves to aid program optimization, and more specifically, performance engineering.

Dynamic program analysis is analysis of computer software that involves executing the program in question. Dynamic program analysis includes familiar techniques from software engineering such as unit testing, debugging, and measuring code coverage, but also includes lesser-known techniques like program slicing and invariant inference. Dynamic program analysis is widely applied in security in the form of runtime memory error detection, fuzzing, dynamic symbolic execution, and taint tracking.

BoundsChecker is a memory checking and API call validation tool used for C++ software development with Microsoft Visual C++. It was created by NuMega in the early 1990s. When NuMega was purchased by Compuware in 1997, BoundsChecker became part of a larger tool suite, DevPartner Studio. Micro Focus purchased the product line from Compuware in 2009. Comparable tools include Purify, Insure++ and Valgrind.

In the context of computer programming, instrumentation refers to the measure of a product's performance, in order to diagnose errors and to write trace information. Instrumentation can be of two types: source instrumentation and binary instrumentation.

Intel Fortran Compiler, as part of Intel OneAPI HPC toolkit, is a group of Fortran compilers from Intel for Windows, macOS, and Linux.

<span class="mw-page-title-main">Vala (programming language)</span> Programming language

Vala is an object-oriented programming language with a self-hosting compiler that generates C code and uses the GObject system.

Memory safety is the state of being protected from various software bugs and security vulnerabilities when dealing with memory access, such as buffer overflows and dangling pointers. For example, Java is said to be memory-safe because its runtime error detection checks array bounds and pointer dereferences. In contrast, C and C++ allow arbitrary pointer arithmetic with pointers implemented as direct memory addresses with no provision for bounds checking, and thus are potentially memory-unsafe.

In computing, shadow memory is a technique used to track and store information on computer memory used by a program during its execution. Shadow memory consists of shadow bytes that map to individual bits or one or more bytes in main memory. These shadow bytes are typically invisible to the original program and are used to record information about the original piece of data.

The Java Development Kit (JDK) is a distribution of Java technology by Oracle Corporation. It implements the Java Language Specification (JLS) and the Java Virtual Machine Specification (JVMS) and provides the Standard Edition (SE) of the Java Application Programming Interface (API). It is derivative of the community driven OpenJDK which Oracle stewards. It provides software for working with Java applications. Examples of included software are the Java virtual machine, a compiler, performance monitoring tools, a debugger, and other utilities that Oracle considers useful for Java programmers.

<span class="mw-page-title-main">Node.js</span> JavaScript runtime environment

Node.js is a cross-platform, open-source JavaScript runtime environment that can run on Windows, Linux, Unix, macOS, and more. Node.js runs on the V8 JavaScript engine, and executes JavaScript code outside a web browser.

Pin is a platform for creating analysis tools. A pin tool comprises instrumentation, analysis and callback routines. Instrumentation routines are called when code that has not yet been recompiled is about to be run, and enable the insertion of analysis routines. Analysis routines are called when the code associated with them is run. Callback routines are only called when specific conditions are met, or when a certain event has occurred. Pin provides an extensive application programming interface (API) for instrumentation at different abstraction levels, from one instruction to an entire binary module. It also supports callbacks for many events such as library loads, system calls, signals/exceptions and thread creation events.

<span class="mw-page-title-main">GraalVM</span> Virtual machine software

GraalVM is a Java Development Kit (JDK) written in Java. The open-source distribution of GraalVM is based on OpenJDK, and the enterprise distribution is based on Oracle JDK. As well as just-in-time (JIT) compilation, GraalVM can compile a Java application ahead of time. This allows for faster initialization, greater runtime performance, and decreased resource consumption, but the resulting executable can only run on the platform it was compiled for. It provides additional programming languages and execution modes. The first production-ready release, GraalVM 19.0, was distributed in May 2019. The most recent release is GraalVM for JDK 21, made available in September 2023.

CodeXL was an open-source software development tool suite which included a GPU debugger, a GPU profiler, a CPU profiler, a graphics frame analyzer and a static shader/kernel analyzer.

Microsoft Detours is an open source library for intercepting, monitoring and instrumenting binary functions on Microsoft Windows. It is developed by Microsoft and is most commonly used to intercept Win32 API calls within Windows applications. Detours makes it possible to add debugging instrumentation and to attach arbitrary DLLs to any existing Win32 binary. Detours does not require other software frameworks as a dependency and works on ARM, x86, x64, and IA-64 systems. The interception code is applied dynamically at execution time.

References