%%INTRODUCTION
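@report{ransomware_paloalto,
  author      = {{Palo Alto Networks}},
  title       = {Ransomware Threat Report 2022},
  type        = {Industry report},
  institution = {Palo Alto Networks},
  date        = {2022},
  url         = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/2022-unit42-ransomware-threat-report-final.pdf},
}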
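@report{ransomware_pwc,
  author      = {{PricewaterhouseCoopers}},
  title       = {Cyber Threats 2021: A Year in Retrospect},
  type        = {Industry report},
  institution = {PricewaterhouseCoopers},
  url         = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf},
}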
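@report{rootkit_ptsecurity,
  author      = {{Positive Technologies}},
  title       = {Rootkits: Evolution and Detection Methods},
  type        = {Industry report},
  institution = {Positive Technologies},
  date        = {2021-11-03},
  url         = {https://www.ptsecurity.com/ww-en/analytics/rootkits-evolution-and-detection-methods/},
}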
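@online{ebpf_linux318,
  title        = {{eBPF} Incorporation in the {Linux} Kernel 3.18},
  organization = {KernelNewbies},
  date         = {2014-12-07},
  url          = {https://kernelnewbies.org/Linux_3.18},
}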
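@report{bvp47_report,
  author      = {{Pangu Lab}},
  title       = {{Bvp47}: Top-Tier Backdoor of {US} {NSA} Equation Group},
  type        = {Industry report},
  institution = {Pangu Lab},
  date        = {2022-02-23},
  url         = {https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf},
}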
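@report{bpfdoor_pwc,
  author      = {{PricewaterhouseCoopers}},
  title       = {Cyber Threats 2021: A Year in Retrospect},
  type        = {Industry report},
  institution = {PricewaterhouseCoopers},
  pages       = {37},
  url         = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf},
}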
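@unpublished{ebpf_friends,
  author       = {Fournier, Guillaume and Afchain, Sylvain and Baubeau, Sylvain},
  title        = {{eBPF}, I Thought We Were Friends},
  type         = {Conference talk},
  eventtitle   = {DEFCON 29},
  organization = {Datadog},
  url          = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf},
}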
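@unpublished{evil_ebpf,
  author       = {Dileo, Jeff},
  title        = {Evil {eBPF}: Practical Abuses of an In-Kernel Bytecode Runtime},
  type         = {Conference talk},
  eventtitle   = {DEFCON 27},
  organization = {NCC Group},
  url          = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf},
}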
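@unpublished{bad_ebpf,
  author     = {Hogan, Pat},
  title      = {Bad {BPF} -- Warping Reality Using {eBPF}},
  type       = {Conference talk (video)},
  eventtitle = {DEFCON 27},
  url        = {https://www.youtube.com/watch?v=g6SKWT7sROQ},
}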
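@software{ebpf_windows,
  title        = {{eBPF} for {Windows}},
  organization = {Microsoft},
  url          = {https://github.com/microsoft/ebpf-for-windows},
}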
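@online{ebpf_android,
  title        = {Extending the Kernel with {eBPF}},
  organization = {Android Open Source Project},
  url          = {https://source.android.com/devices/architecture/kernel/bpf},
}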
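@inproceedings{bpf_bsd_origin,
  author      = {McCanne, Steven and Jacobson, Van},
  title       = {The {BSD} Packet Filter: A New Architecture for User-level Packet Capture},
  booktitle   = {{USENIX} Winter 1993 Conference},
  institution = {Lawrence Berkeley Laboratory},
  date        = {1992-12-19},
  url         = {https://www.tcpdump.org/papers/bpf-usenix93.pdf},
}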
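@inproceedings{bpf_bsd_origin_bpf_page1,
  author      = {McCanne, Steven and Jacobson, Van},
  title       = {The {BSD} Packet Filter: A New Architecture for User-level Packet Capture},
  booktitle   = {{USENIX} Winter 1993 Conference},
  institution = {Lawrence Berkeley Laboratory},
  date        = {1992-12-19},
  pages       = {1},
  url         = {https://www.tcpdump.org/papers/bpf-usenix93.pdf},
}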
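@inproceedings{bpf_bsd_origin_bpf_page2,
  author      = {McCanne, Steven and Jacobson, Van},
  title       = {The {BSD} Packet Filter: A New Architecture for User-level Packet Capture},
  booktitle   = {{USENIX} Winter 1993 Conference},
  institution = {Lawrence Berkeley Laboratory},
  date        = {1992-12-19},
  pages       = {2},
  url         = {https://www.tcpdump.org/papers/bpf-usenix93.pdf},
}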
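@inproceedings{bpf_bsd_origin_bpf_page5,
  author      = {McCanne, Steven and Jacobson, Van},
  title       = {The {BSD} Packet Filter: A New Architecture for User-level Packet Capture},
  booktitle   = {{USENIX} Winter 1993 Conference},
  institution = {Lawrence Berkeley Laboratory},
  date        = {1992-12-19},
  pages       = {5},
  url         = {https://www.tcpdump.org/papers/bpf-usenix93.pdf},
}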
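@inproceedings{bpf_bsd_origin_bpf_page7,
  author      = {McCanne, Steven and Jacobson, Van},
  title       = {The {BSD} Packet Filter: A New Architecture for User-level Packet Capture},
  booktitle   = {{USENIX} Winter 1993 Conference},
  institution = {Lawrence Berkeley Laboratory},
  date        = {1992-12-19},
  pages       = {7},
  url         = {https://www.tcpdump.org/papers/bpf-usenix93.pdf},
}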
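@inproceedings{bpf_bsd_origin_bpf_page8,
  author      = {McCanne, Steven and Jacobson, Van},
  title       = {The {BSD} Packet Filter: A New Architecture for User-level Packet Capture},
  booktitle   = {{USENIX} Winter 1993 Conference},
  institution = {Lawrence Berkeley Laboratory},
  date        = {1992-12-19},
  pages       = {8},
  url         = {https://www.tcpdump.org/papers/bpf-usenix93.pdf},
}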
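@online{ebpf_history_opensource,
  title         = {An Intro to Using {eBPF} to Filter Packets in the {Linux} Kernel},
  organization  = {opensource.com},
  date          = {2017-08-11},
  url           = {https://opensource.com/article/17/9/intro-ebpf},
  internal-note = {date (2017-08) does not match the /17/9/ path segment of the url; verify},
}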
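@manual{ebpf_io,
  title        = {{eBPF} Documentation},
  organization = {ebpf.io},
  url          = {https://ebpf.io/what-is-ebpf/},
}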
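@manual{ebpf_io_arch,
  title        = {{eBPF} Documentation: Loader and Verification Architecture},
  organization = {ebpf.io},
  url          = {https://ebpf.io/what-is-ebpf/#loader--verification-architecture},
}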
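@manual{ebpf_io_verification,
  title        = {{eBPF} Documentation: Verification},
  organization = {ebpf.io},
  url          = {https://ebpf.io/what-is-ebpf/#verification},
}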
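@online{index_register,
  title        = {Index Register},
  organization = {Gunkies wiki},
  url          = {https://gunkies.org/wiki/Index_register},
}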
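@online{bpf_organicprogrammer_analysis,
  title        = {Write a {Linux} Packet Sniffer from Scratch: Part Two -- {BPF}},
  organization = {organicprogrammer.com},
  date         = {2022-03-28},
  url          = {https://organicprogrammer.com/2022/03/28/how-to-implement-libpcap-on-linux-with-raw-socket-part2/},
}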
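@online{tcpdump_page,
  title        = {Tcpdump and Libpcap},
  organization = {The Tcpdump Group},
  url          = {https://www.tcpdump.org},
}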
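@manual{ebpf_funcs_by_ver,
  title        = {{BPF} Features by {Linux} Kernel Version},
  organization = {iovisor},
  url          = {https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md},
}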
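@book{brendan_gregg_bpf_book,
  author    = {Gregg, Brendan},
  title     = {{BPF} Performance Tools},
  publisher = {Addison-Wesley},
  date      = {2019},
  isbn      = {9780136588870},
  url       = {https://www.oreilly.com/library/view/bpf-performance-tools/9780136588870/},
}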
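@manual{ebpf_inst_set,
  title        = {{eBPF} Instruction Set},
  organization = {The Linux Kernel documentation},
  url          = {https://www.kernel.org/doc/html/latest/bpf/instruction-set.html},
}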
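@manual{8664_inst_set_specs,
  author       = {{Intel}},
  title        = {Intel® 64 and {IA-32} Architectures Software Developer's Manual Combined Volumes: 1, 2A, 2B, 2C, 2D, 3A, 3B, 3C, 3D, and 4},
  organization = {Intel},
  volume       = {2A},
  pages        = {507},
  url          = {https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html},
  urldate      = {2022-05-13},
}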
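@unpublished{ebpf_starovo_slides,
  author       = {Starovoitov, Alexei},
  title        = {{BPF} In-Kernel Virtual Machine},
  type         = {Slides},
  eventtitle   = {Collaboration Summit 2015},
  organization = {PLUMgrid},
  date         = {2015-02-20},
  url          = {http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf},
}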
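@unpublished{ebpf_starovo_slides_page23,
  author       = {Starovoitov, Alexei},
  title        = {{BPF} In-Kernel Virtual Machine},
  type         = {Slides},
  eventtitle   = {Collaboration Summit 2015},
  organization = {PLUMgrid},
  date         = {2015-02-20},
  pages        = {23},
  url          = {http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf},
}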
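@online{ebpf_JIT,
  author       = {Corbet, Jonathan},
  title        = {A {JIT} for Packet Filters},
  organization = {LWN.net},
  date         = {2011-04-12},
  url          = {https://lwn.net/Articles/437981/},
}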
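@unpublished{ebpf_JIT_demystify_page13,
  author       = {Wang, Jiong},
  title        = {Demystify {eBPF} {JIT} Compiler},
  type         = {Slides},
  organization = {Netronome},
  date         = {2018-09-11},
  pages        = {13},
  url          = {https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf},
}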
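@unpublished{ebpf_JIT_demystify_page14,
  author       = {Wang, Jiong},
  title        = {Demystify {eBPF} {JIT} Compiler},
  type         = {Slides},
  organization = {Netronome},
  date         = {2018-09-11},
  pages        = {14},
  url          = {https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf},
}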
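@unpublished{ebpf_JIT_demystify_page17-22,
  author       = {Wang, Jiong},
  title        = {Demystify {eBPF} {JIT} Compiler},
  type         = {Slides},
  organization = {Netronome},
  date         = {2018-09-11},
  pages        = {17--22},
  url          = {https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf},
}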
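@book{brendan_gregg_bpf_book_bpf_vm,
  author    = {Gregg, Brendan},
  title     = {{BPF} Performance Tools},
  publisher = {Addison-Wesley},
  date      = {2019},
  isbn      = {9780136588870},
  chapter   = {2},
  url       = {https://learning.oreilly.com/library/view/bpf-performance-tools/9780136588870/ch02.xhtml#:-:text=With%20JIT%20compiled%20code%2C%20i,%20other%20native%20kernel%20code},
}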
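@online{jit_enable_setting,
  title        = {bpf\_jit\_enable},
  organization = {sysctl-explorer.net},
  url          = {https://sysctl-explorer.net/net/core/bpf_jit_enable/},
}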
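@manual{ebpf_verifier_kerneldocs,
  title        = {{eBPF} Verifier},
  organization = {The Linux Kernel documentation},
  url          = {https://kernel.org/doc/html/latest/bpf/verifier.html},
}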
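@online{ebpf_bounded_loops,
  author       = {Rybczynska, Marta},
  title        = {Bounded Loops in {BPF} for the 5.3 Kernel},
  organization = {LWN.net},
  date         = {2019-06-30},
  url          = {https://lwn.net/Articles/794934/},
}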
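@manual{ebpf_maps_kernel,
  title        = {{eBPF} Maps},
  organization = {The Linux Kernel documentation},
  url          = {https://www.kernel.org/doc/html/latest/bpf/maps.html},
}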
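@manual{ebpf_maps_rddocs,
  title        = {{eBPF} Maps},
  organization = {prototype-kernel documentation},
  url          = {https://prototype-kernel.readthedocs.io/en/latest/bpf/ebpf_maps.html},
}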
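@manual{bpf_syscall,
  title        = {bpf(2) — {Linux} manual page},
  organization = {man7.org},
  url          = {https://man7.org/linux/man-pages/man2/bpf.2.html},
}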
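@manual{ebpf_helpers,
  title        = {bpf-helpers(7) — {Linux} manual page},
  organization = {man7.org},
  url          = {https://man7.org/linux/man-pages/man7/bpf-helpers.7.html},
}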
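@online{xdp_gentle_intro,
  author       = {Lavie, Daniel},
  title        = {A Gentle Introduction to {XDP}},
  organization = {Seekret},
  date         = {2022-02-03},
  url          = {https://www.seekret.io/blog/a-gentle-introduction-to-xdp/},
}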
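@manual{xdp_manual,
  title        = {{XDP} Actions},
  organization = {prototype-kernel documentation},
  url          = {https://prototype-kernel.readthedocs.io/en/latest/networking/XDP/implementation/xdp_actions.html},
}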
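@online{tc_differences,
  author = {Liu, Hangbin},
  title  = {tc/{BPF} and {XDP}/{BPF}},
  date   = {2019-03-13},
  url    = {https://liuhangbin.netlify.app/post/ebpf-and-xdp/},
}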
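@online{tc_direct_action,
  author = {Monnet, Quentin},
  title  = {Understanding tc “direct action” Mode for {BPF}},
  date   = {2020-04-11},
  url    = {https://qmonnet.github.io/whirl-offload/2020/04/11/tc-bpf-direct-action/},
}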
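@online{tc_docs_complete,
  author = {Brown, Martin A.},
  title  = {Traffic Control {HOWTO}},
  date   = {2006-10-01},
  url    = {http://linux-ip.net/articles/Traffic-Control-HOWTO/},
}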
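@online{tc_ret_list_complete,
  title        = {{Linux} Kernel Source Tree: include/uapi/linux/pkt\_cls.h},
  organization = {kernel.org},
  url          = {https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/pkt_cls.h},
}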
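@manual{tp_kernel,
  author       = {Desnoyers, Mathieu},
  title        = {Using the {Linux} Kernel Tracepoints},
  organization = {The Linux Kernel documentation},
  url          = {https://www.kernel.org/doc/html/latest/trace/tracepoints.html},
}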
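@manual{kprobe_manual,
  author       = {Keniston, Jim and Panchamukhi, Prasanna S. and Hiramatsu, Masami},
  title        = {Kernel Probes ({Kprobes})},
  organization = {The Linux Kernel documentation},
  url          = {https://www.kernel.org/doc/html/latest/trace/kprobes.html},
}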
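@online{kallsyms_kernel,
  author       = {Alcock, Nick},
  title        = {kallsyms: New /proc/kallmodsyms with Builtin Modules and Symbol Sizes},
  organization = {LWN.net},
  date         = {2021-06-06},
  url          = {https://lwn.net/Articles/862021/},
}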
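@software{bcc_github,
  title        = {{BPF} Compiler Collection ({BCC})},
  organization = {iovisor},
  url          = {https://github.com/iovisor/bcc},
}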
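@online{libbpf_upstream,
  title        = {{BPF} Next Kernel Tree},
  organization = {kernel.org},
  url          = {https://kernel.googlesource.com/pub/scm/linux/kernel/git/bpf/bpf-next},
}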
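@software{libbpf_github,
  title = {libbpf},
  note  = {GitHub repository},
  url   = {https://github.com/libbpf/libbpf},
}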
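@online{libbpf_core,
  author = {Nakryiko, Andrii},
  title  = {{BPF} Portability and {CO-RE}},
  date   = {2020-02-19},
  url    = {https://facebookmicrosites.github.io/bpf/blog/2020/02/19/bpf-portability-and-co-re.html},
}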
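@manual{ebpf_kernel_flags,
  title        = {Installing {BCC}: Kernel Configuration},
  organization = {iovisor},
  url          = {https://github.com/iovisor/bcc/blob/master/INSTALL.md},
}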
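@manual{ubuntu_caps,
  title        = {capabilities(7) --- Overview of {Linux} Capabilities},
  organization = {Ubuntu Manpage Repository},
  url          = {http://manpages.ubuntu.com/manpages/trusty/man7/capabilities.7.html},
}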
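@unpublished{evil_ebpf_p9,
  author       = {Dileo, Jeff},
  title        = {Evil {eBPF}: Practical Abuses of an In-Kernel Bytecode Runtime},
  type         = {Conference talk},
  eventtitle   = {DEFCON 27},
  organization = {NCC Group},
  pages        = {9},
  url          = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf},
}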
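@online{ebpf_caps_intro,
  author       = {Starovoitov, Alexei},
  title        = {[{PATCH} v7 bpf-next 1/3] bpf, capability: Introduce {CAP\_BPF}},
  organization = {bpf mailing list (lore.kernel.org)},
  date         = {2020-05-13},
  url          = {https://lore.kernel.org/bpf/20200513230355.7858-2-alexei.starovoitov@gmail.com/},
}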
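@online{ebpf_caps_lwn,
  title        = {capability: Introduce {CAP\_BPF} and {CAP\_TRACING}},
  organization = {LWN.net},
  url          = {https://lwn.net/Articles/797807/},
}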
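@online{unprivileged_ebpf,
  title        = {Reconsidering Unprivileged {BPF}},
  organization = {LWN.net},
  url          = {https://lwn.net/Articles/796328/},
}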
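@online{cve_unpriv_ebpf,
  title        = {{CVE-2021-4204}: {Linux} Kernel {eBPF} Improper Input Validation Vulnerability},
  organization = {oss-security mailing list (Openwall)},
  url          = {https://www.openwall.com/lists/oss-security/2022/01/11/4},
}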
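@online{unpriv_ebpf_ubuntu,
  title        = {Unprivileged {eBPF} Disabled by Default for {Ubuntu} 20.04 {LTS}, 18.04 {LTS}, 16.04 {ESM}},
  organization = {Ubuntu},
  url          = {https://discourse.ubuntu.com/t/unprivileged-ebpf-disabled-by-default-for-ubuntu-20-04-lts-18-04-lts-16-04-esm/27047},
}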
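@online{unpriv_ebpf_redhat,
  title        = {{CVE-2021-4001}},
  organization = {Red Hat},
  url          = {https://access.redhat.com/security/cve/cve-2021-4001},
}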
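@online{unpriv_ebpf_suse,
  title        = {Security Hardening: Use of {eBPF} by Unprivileged Users Has Been Disabled by Default},
  organization = {SUSE},
  url          = {https://www.suse.com/support/kb/doc/?id=000020545},
}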
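@manual{8664_params_abi,
  author  = {Lu, H. J. and others},
  title   = {System {V} Application Binary Interface: {AMD64} Architecture Processor Supplement},
  version = {1.0},
  date    = {2018-01-28},
  pages   = {148},
  url     = {https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf},
}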
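@unpublished{ebpf_friends_p15,
  author       = {Fournier, Guillaume and Afchain, Sylvain and Baubeau, Sylvain},
  title        = {{eBPF}, I Thought We Were Friends},
  type         = {Conference talk},
  eventtitle   = {DEFCON 29},
  organization = {Datadog},
  pages        = {15},
  url          = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf},
}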
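@online{ebpf_override_return,
  title        = {{BPF}-based Error Injection for the Kernel},
  organization = {LWN.net},
  url          = {https://lwn.net/Articles/740146/},
}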
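@online{code_kernel_open,
  title        = {{Linux} Kernel Source Code: fs/open.c (v5.11)},
  organization = {Bootlin Elixir Cross Referencer},
  url          = {https://elixir.bootlin.com/linux/v5.11/source/fs/open.c#L1192},
}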
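@online{code_kernel_syscall,
  title        = {{Linux} Kernel Source Code: include/linux/syscalls.h (v5.11)},
  organization = {Bootlin Elixir Cross Referencer},
  url          = {https://elixir.bootlin.com/linux/v5.11/source/include/linux/syscalls.h#L233},
}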
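@online{fault_injection,
  title        = {Injecting Faults into the Kernel},
  organization = {LWN.net},
  date         = {2006-11-04},
  url          = {https://lwn.net/Articles/209257/},
}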
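@unpublished{mem_page_arch,
  author      = {Lameter, Christoph},
  title       = {Memory Management 101: Introduction to Memory Management in {Linux}},
  type        = {Slides},
  eventtitle  = {The Linux Foundation Open Source Summit},
  institution = {Jump Trading LLC},
  date        = {2017-12-01},
  url         = {https://events19.linuxfoundation.org/wp-content/uploads/2017/12/MM-101-Introduction-to-Linux-Memory-Management-Christoph-Lameter-Jump-Trading-LLC-1.pdf},
}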
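@online{page_faults,
  author       = {Breaker, Doug},
  title        = {Understanding Page Faults and Memory Swap-in/outs},
  organization = {Scout APM},
  date         = {2019-08-19},
  url          = {https://scoutapm.com/blog/understanding-page-faults-and-memory-swap-in-outs-when-should-you-worry},
}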
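@online{mem_arch_proc,
  author = {Sánchez Bajo, Marcos},
  title  = {Stack-based Buffer Overflow -- Part 1},
  date   = {2021-05-23},
  url    = {https://h3xduck.github.io/exploit/2021/05/23/stackbufferoverflow-part1.html},
}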
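@manual{8664_params_abi_p18,
  author  = {Lu, H. J. and others},
  title   = {System {V} Application Binary Interface: {AMD64} Architecture Processor Supplement},
  version = {1.0},
  date    = {2018-01-28},
  pages   = {18},
  url     = {https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf},
}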
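@online{write_helper_non_fault,
  title        = {probe\_write\_common\_error},
  organization = {bpf mailing list (spinics.net archive)},
  url          = {https://www.spinics.net/lists/bpf/msg16795.html},
}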
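@online{code_vfs_read,
  title        = {{Linux} Kernel Source Code: fs/read\_write.c (v5.11)},
  organization = {Bootlin Elixir Cross Referencer},
  url          = {https://elixir.bootlin.com/linux/v5.11/source/fs/read_write.c#L476},
}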
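@manual{8664_params_abi_p1922,
  author  = {Lu, H. J. and others},
  title   = {System {V} Application Binary Interface: {AMD64} Architecture Processor Supplement},
  version = {1.0},
  date    = {2018-01-28},
  pages   = {19--22},
  url     = {https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf},
}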
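@online{network_layers,
  author       = {{Alienor}},
  title        = {The Network Layers Explained [with Examples]},
  organization = {Plixer},
  date         = {2018-11-28},
  url          = {https://www.plixer.com/blog/network-layers-explained/},
}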
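@online{tcp_reliable,
  author       = {{IBM}},
  title        = {Transmission Control Protocol},
  organization = {IBM},
  date         = {2022-04-19},
  url          = {https://www.ibm.com/docs/en/aix/7.2?topic=protocols-transmission-control-protocol},
}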
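@online{tcp_handshake,
  title        = {Three-Way Handshake},
  organization = {ScienceDirect Topics},
  url          = {https://www.sciencedirect.com/topics/computer-science/three-way-handshake},
}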
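@unpublished{evil_ebpf_p6974,
  author       = {Dileo, Jeff},
  title        = {Evil {eBPF}: Practical Abuses of an In-Kernel Bytecode Runtime},
  type         = {Conference talk},
  eventtitle   = {DEFCON 27},
  organization = {NCC Group},
  pages        = {69--74},
  url          = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf},
}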
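@unpublished{ebpf_friends_p37,
  author       = {Fournier, Guillaume and Afchain, Sylvain and Baubeau, Sylvain},
  title        = {{eBPF}, I Thought We Were Friends},
  type         = {Conference talk},
  eventtitle   = {DEFCON 29},
  organization = {Datadog},
  pages        = {37},
  url          = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf},
}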
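@software{rop_prog_finder,
  author = {Salwan, Jonathan},
  title  = {{ROPgadget} Tool},
  url    = {https://github.com/JonathanSalwan/ROPgadget},
}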
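@software{glibc,
  title        = {The {GNU} {C} Library},
  organization = {GNU Project},
  url          = {https://www.gnu.org/software/libc/},
}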
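@online{plt_got_technovelty,
  author = {Wienand, Ian},
  title  = {{PLT} and {GOT} -- the Key to Code Sharing and Dynamic Libraries},
  date   = {2011-05-11},
  url    = {https://www.technovelty.org/linux/plt-and-got-the-key-to-code-sharing-and-dynamic-libraries.html},
}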
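@online{plt_got_overlord,
  author = {Tomaschik, David},
  title  = {{GOT} and {PLT} for Pwning},
  date   = {2017-03-19},
  url    = {https://systemoverlord.com/2017/03/19/got-and-plt-for-pwning.html},
}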
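@online{elf,
  title        = {{ELF}},
  organization = {OSDev Wiki},
  url          = {https://wiki.osdev.org/ELF},
}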
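@online{pie_exploit,
  author = {{ir0nstone}},
  title  = {Position Independent Code},
  url    = {https://ir0nstone.gitbook.io/notes/types/stack/pie},
}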
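@online{aslr_pie_intro,
  author = {{guyinatuxedo}},
  title  = {{ASLR}/{PIE} Intro},
  url    = {https://guyinatuxedo.github.io/5.1-mitigation_aslr_pie/index.html#aslrpie-intro},
}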
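@online{relro_redhat,
  author       = {Sidhpurwala, Huzaifa},
  title        = {Hardening {ELF} Binaries Using Relocation Read-Only ({RELRO})},
  organization = {Red Hat},
  date         = {2019-01-28},
  url          = {https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro},
}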
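@online{cet_windows,
  author = {Shafir, Yarden and Ionescu, Alex},
  title  = {{R.I.P} {ROP}: {CET} Internals in {Windows} {20H1}},
  date   = {2020-05-01},
  url    = {https://windows-internals.com/cet-on-windows/},
}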
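@online{cet_linux,
  author       = {Larabel, Michael},
  title        = {Another Round of {Intel} {CET} Patches, Still Working Toward {Linux} Kernel Integration},
  organization = {Phoronix},
  date         = {2021-07-21},
  url          = {https://www.phoronix.com/scan.php?page=news_item&px=Intel-CET-v29},
}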
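@online{canary_exploit,
  author = {{ir0nstone}},
  title  = {Stack Canaries},
  url    = {https://ir0nstone.gitbook.io/notes/types/stack/canaries},
}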
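@software{rawtcp_lib,
  author = {Sánchez Bajo, Marcos},
  title  = {RawTCP\_Lib},
  url    = {https://github.com/h3xduck/RawTCP_Lib},
}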
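@manual{proc_fs,
  title        = {proc(5) — {Linux} manual page},
  organization = {man7.org},
  url          = {https://man7.org/linux/man-pages/man5/proc.5.html},
}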
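@online{proc_mem_write,
  title        = {Enable Writing to /proc/pid/mem},
  organization = {LWN.net},
  url          = {https://lwn.net/Articles/433326/},
}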
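@online{reverse_shell,
  title        = {Reverse Shell},
  organization = {Imperva},
  url          = {https://www.imperva.com/learn/application-security/reverse-shell/},
}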