DynamoRIO is a system for runtime code manipulation that is efficient, transparent, and comprehensive, able to observe and manipulate every executed instruction in an unmodified application running on a stock operating system and commodity hardware.
DynamoRIO operates in user mode on a target process. It acts as a process virtual machine, interposing between the application and the operating system. It has a complete view of the application code stream and acts as a runtime control point, allowing custom tools to be embedded inside it.
The application itself, along with the underlying operating system and hardware, remains unchanged. DynamoRIO operates in native (non-virtual) environments as well as inside guest operating systems running on virtual machines. Tools created on top of DynamoRIO will operate without change whether the underlying operating system is native or a virtual machine guest.
DynamoRIO operates by shifting an application's execution from its original instructions to a code cache, where the instructions can be freely modified. DynamoRIO occupies the address space with the application and has full control over execution, taking over whenever control leaves the code cache or when the operating system directly transfers control to the application (kernel-mediated control transfers).
DynamoRIO copies the application code one dynamic basic block at a time into its basic block code cache. A block that directly targets another block already resident in the cache is linked to that block to avoid the cost of returning to the DynamoRIO dispatcher.
Frequently executed sequences of basic blocks are combined into traces, which are placed in a separate code cache. DynamoRIO makes these traces available via its interface for convenient access to hot application code streams.
The following figure shows the flow of control between the components of DynamoRIO and its code caches:
The context switch is between DynamoRIO's operational state and the machine state of the application: both are still within the same process.
Indirect branches require dynamic resolution of their targets, which is performed via an inlined table lookup or a compare to a known target inlined into a trace.
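The following program is an added illustration of the execution model described above; it is not DynamoRIO code and does not use the DynamoRIO API. It models a dispatcher that copies application basic blocks into a code cache one at a time, links direct branches between resident fragments so that execution stays in the cache, resolves indirect branches through a lookup table (standing in for the inlined table lookup), and forms a trace once a trace head becomes hot. The "application" is a constructed control-flow graph of block ids rather than machine code, the hot threshold and the trace-head heuristic (targets of backward direct branches) are simplifying assumptions, and the counters it reports show how many control transfers needed a context switch back to the dispatcher versus how many stayed inside the cache.

```c
/* Toy model of a software code cache with a dispatcher, direct linking,
 * indirect-branch table lookup and hot-trace formation. Added illustration,
 * not DynamoRIO source; the application below is a constructed block graph. */
#include <stdio.h>

#define NBLOCKS 6
#define HOT_THRESHOLD 3 /* constructed: executions before a head is "hot" */
#define MAX_TRACE 8

enum kind { DIRECT, INDIRECT, EXIT };

/* An application basic block, described only by its terminating branch. */
struct app_block { enum kind k; int target; };

/* Constructed application: loop 1->2->3, where block 3 ends in an indirect
 * branch whose target comes from a constructed "register" value stream. */
static const struct app_block app[NBLOCKS] = {
    {DIRECT, 1},    /* 0: entry */
    {DIRECT, 2},    /* 1 */
    {DIRECT, 3},    /* 2 */
    {INDIRECT, -1}, /* 3: dynamic target */
    {DIRECT, 1},    /* 4: backward branch, so block 1 becomes a trace head */
    {EXIT, -1},     /* 5 */
};

/* A cached fragment: the copied block, its outgoing direct link (fragment
 * index, -1 if unlinked) and an execution counter. */
struct fragment { int block, link, count; };

struct stats {
    int dispatches;        /* entries to the dispatcher (context switches) */
    int linked;            /* direct transfers between linked fragments */
    int ibl_hits;          /* indirect branches resolved by the lookup table */
    int traces, trace_len; /* traces formed, length of the first one */
    int trace[MAX_TRACE];  /* block ids of the first trace */
};

static struct fragment cache[NBLOCKS];
static int lookup[NBLOCKS]; /* app block -> fragment; also the indirect table */
static int head[NBLOCKS];   /* trace-head flags */
static int ncache;

/* Copy a block into the cache and link it to and from resident fragments. */
static int build(int block) {
    int f = ncache++;
    cache[f].block = block; cache[f].link = -1; cache[f].count = 0;
    lookup[block] = f;
    if (app[block].k == DIRECT) {
        int t = app[block].target;
        if (t <= block) head[t] = 1;             /* backward-branch target */
        if (lookup[t] >= 0) cache[f].link = lookup[t];
    }
    for (int i = 0; i < f; i++)                  /* patch incoming direct exits */
        if (app[cache[i].block].k == DIRECT && app[cache[i].block].target == block)
            cache[i].link = f;
    return f;
}

/* Dispatcher: reached only when the cache cannot continue on its own. */
static int dispatch(int block, struct stats *s) {
    s->dispatches++;
    return lookup[block] >= 0 ? lookup[block] : build(block);
}

/* Follow direct links from a hot head; an indirect branch or an unlinked
 * exit ends the trace. Only the first trace is recorded in the stats. */
static void form_trace(int f, struct stats *s) {
    int seen[NBLOCKS] = {0}, n = 0, path[MAX_TRACE];
    while (f >= 0 && n < MAX_TRACE && !seen[cache[f].block]) {
        seen[cache[f].block] = 1;
        path[n++] = cache[f].block;
        f = cache[f].link;
    }
    if (s->traces++ == 0) {
        s->trace_len = n;
        for (int i = 0; i < n; i++) s->trace[i] = path[i];
    }
}

/* Run the constructed application under the model and report the counters. */
struct stats run(void) {
    static const int reg[] = {4, 4, 4, 5}; /* constructed indirect targets */
    struct stats s = {0};
    int ri = 0, f;
    ncache = 0;
    for (int i = 0; i < NBLOCKS; i++) { lookup[i] = -1; head[i] = 0; }
    f = dispatch(0, &s);
    for (;;) {
        struct fragment *cur = &cache[f];
        const struct app_block *b = &app[cur->block];
        if (++cur->count == HOT_THRESHOLD && head[cur->block]) form_trace(f, &s);
        if (b->k == EXIT) break;
        if (b->k == DIRECT && cur->link >= 0) { s.linked++; f = cur->link; continue; }
        int target = b->k == DIRECT ? b->target : reg[ri++];
        if (b->k == INDIRECT && lookup[target] >= 0) { s.ibl_hits++; f = lookup[target]; continue; }
        f = dispatch(target, &s); /* cache miss or unlinked exit: context switch */
    }
    return s;
}

int main(void) {
    struct stats s = run();
    printf("fragments=%d dispatches=%d linked=%d ibl_hits=%d traces=%d\n",
           ncache, s.dispatches, s.linked, s.ibl_hits, s.traces);
    printf("first trace:");
    for (int i = 0; i < s.trace_len; i++) printf(" %d", s.trace[i]);
    printf("\n");
    return 0;
}
```

Of the sixteen control transfers in this run, only five go through the dispatcher (each the first time a block is reached); the rest stay in the cache, either over a direct link or through the indirect-branch table. The trace formed from the hot head is 1->2->3 and stops at block 3's indirect branch, which is why real systems inline a compare against a known target, or a table lookup, at that point rather than leaving the cache.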
Transparency is an important requirement for DynamoRIO and its clients. The subject is fully covered in Client Transparency.
The canonical reference for DynamoRIO is:
- Derek Bruening. Efficient, Transparent, and Comprehensive Runtime Code Manipulation. Ph.D. Thesis, MIT, September 2004.
Other publications describing DynamoRIO include:
- Derek Bruening and Vladimir Kiriansky. Process-Shared and Persistent Code Caches. International Conference on Virtual Execution Environments (VEE-08), March 2008.
- Derek Bruening, Vladimir Kiriansky, Timothy Garnett, and Sanjeev Banerji. Thread-Shared Software Code Caches. International Symposium on Code Generation and Optimization (CGO-06), March 2006.
- Derek Bruening and Saman Amarasinghe. Maintaining Consistency and Bounding Capacity of Software Code Caches. International Symposium on Code Generation and Optimization (CGO-05), March 2005.
- Gregory Sullivan, Derek Bruening, Iris Baron, Timothy Garnett, and Saman Amarasinghe. Dynamic Native Optimization of Interpreters. ACM Workshop on Interpreters, Virtual Machines and Emulators (IVME-03), June 2003.
- Derek Bruening, Timothy Garnett, and Saman Amarasinghe. An Infrastructure for Adaptive Dynamic Optimization. International Symposium on Code Generation and Optimization (CGO-03), March 2003.
- Derek Bruening, Evelyn Duesterwald, and Saman Amarasinghe. Design and Implementation of a Dynamic Optimization Framework for Windows. 4th ACM Workshop on Feedback-Directed and Dynamic Optimization (FDDO-4), December 2001.