Results 1 - 2 of 2
Dynamic binary analysis and instrumentation, 2004
Cited by 73 (4 self)
Dynamic binary analysis (DBA) tools such as profilers and checkers help programmers create better software. Dynamic binary instrumentation (DBI) frameworks make it easy to build new DBA tools. This dissertation advances the theory and practice of dynamic binary analysis and instrumentation, with an emphasis on the importance of the use and support of metadata. The dissertation has three main parts. The first part describes a DBI framework called Valgrind which provides novel features to support heavyweight DBA tools that maintain rich metadata, especially location metadata—the shadowing of every register and memory location with a metavalue. Location metadata is used in shadow computation, a kind of DBA where every normal operation is shadowed by an abstract operation. The second part describes three powerful DBA tools. The first tool performs detailed cache profiling. The second tool does an old kind of dynamic analysis—bounds-checking—in a new way. The third tool produces dynamic data flow graphs, a novel visualisation that cuts
Logrind 2: A program trace framework, 2004
This report describes the design and implementation of a set of tools for capturing and analysing program traces called Logrind 2. The tools are implemented as add-ons to the popular Valgrind and GDB debugging tools. Program traces are captured using dynamic instrumentation and stored in a relational database. Logrind 2 provides support for pretty-printing these traces in a clear and understandable format. The toolset also includes an extended SQL query language that ranges over program traces. Other tools may interface with Logrind 2 using this query language. The program trace schema supports multiple sources and can be used to compare runs of a program. Logrind 2 supports random access navigation of program traces using the concept of a program trace 'cursor'. Users may use this feature to examine the historical state of a process. Program trace capture using Logrind 2 was benchmarked using the BYTEmark benchmark program and the results are described in this report. The report also evaluates the program trace query language with a discussion of possible optimisations.