TripleCross/docs/bibliography/bibliography.bib

%%INTRODUCTION

@report{ransomware_paloalto,
	institution = {Palo Alto Networks},
	title = {Ransomware Threat Report 2022},
	url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/2022-unit42-ransomware-threat-report-final.pdf}
},

@report{ransomware_pwc,
	institution = {PricewaterhouseCoopers},
	title = {Cyber Threats 2021: A year in Retrospect},
	url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf}
},

@report{rootkit_ptsecurity,
	institution = {Positive Technologies},
	title = {Rootkits: evolution and detection methods},
	date = {2021-11-03},
	url = {https://www.ptsecurity.com/ww-en/analytics/rootkits-evolution-and-detection-methods/}
},

@online{ebpf_linux318,
	indextitle={eBPF incorporation in the Linux Kernel 3.18},
	date={2014-12-07},
	url={https://kernelnewbies.org/Linux_3.18}
},

@report{bvp47_report,
	institution = {Pangu Lab},
	title = {Bvp47 Top-tier Backdoor of US NSA Equation Group},
	date = {2022-02-23},
	url = {https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf}
},

@report{bpfdoor_pwc,
	institution = {PricewaterhouseCoopers},
	title = {Cyber Threats 2021: A year in Retrospect},
	url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf},
	pages = {37}
},

@proceedings{ebpf_friends,
	institution = {Datadog},
	author = {Guillaume Fournier, Sylvain Afchainthe},
	organization= {DEFCON 29},
	eventtitle = {Cyber Threats 2021: A year in Retrospect},
	url = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf}
},

@proceedings{evil_ebpf,
	institution = {NCC Group},
	author = {Jeff Dileo},
	organization= {DEFCON 27},
	eventtitle = {Evil eBPF Practical Abuses of an In-Kernel Bytecode Runtime},
	url = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf}
},

@online{bad_ebpf,
	author = {Pat Hogan},
	organization= {DEFCON 27},
	eventtitle = {Bad BPF - Warping reality using eBPF},
	url = {https://www.youtube.com/watch?v=g6SKWT7sROQ}
},

@online{ebpf_windows,
	title={eBPF incorporation in the Linux Kernel 3.18},
	date={2014-12-07},
	url={https://kernelnewbies.org/Linux_3.18}
},
@online{ebpf_android,
	title={eBPF for Windows},
	url={https://source.android.com/devices/architecture/kernel/bpf}
},



@article{bpf_bsd_origin,
	title={The BSD Packet Filter: A New Architecture for User-level Packet Capture},
	author={Steven McCanne, Van Jacobson},
	institution={Lawrence Berkeley Laboratory},
	date={1992-12-19},
	url={https://www.tcpdump.org/papers/bpf-usenix93.pdf}
},

@article{bpf_bsd_origin_bpf_page1,
	title={The BSD Packet Filter: A New Architecture for User-level Packet Capture},
	author={Steven McCanne, Van Jacobson},
	institution={Lawrence Berkeley Laboratory},
	date={1992-12-19},
	url={https://www.tcpdump.org/papers/bpf-usenix93.pdf},
	pages={1}
},

@article{bpf_bsd_origin_bpf_page5,
	title={The BSD Packet Filter: A New Architecture for User-level Packet Capture},
	author={Steven McCanne, Van Jacobson},
	institution={Lawrence Berkeley Laboratory},
	date={1992-12-19},
	url={https://www.tcpdump.org/papers/bpf-usenix93.pdf},
	pages={5}
},

@article{bpf_bsd_origin_bpf_page7,
	title={The BSD Packet Filter: A New Architecture for User-level Packet Capture},
	author={Steven McCanne, Van Jacobson},
	institution={Lawrence Berkeley Laboratory},
	date={1992-12-19},
	url={https://www.tcpdump.org/papers/bpf-usenix93.pdf},
	pages={7}
},

@article{bpf_bsd_origin_bpf_page8,
	title={The BSD Packet Filter: A New Architecture for User-level Packet Capture},
	author={Steven McCanne, Van Jacobson},
	institution={Lawrence Berkeley Laboratory},
	date={1992-12-19},
	url={https://www.tcpdump.org/papers/bpf-usenix93.pdf},
	pages={8}
},

@online{ebpf_history_opensource,
	title={An intro to using eBPF to filter packets in the Linux kernel},
	date={2017-08-11},
	url={https://opensource.com/article/17/9/intro-ebpf}
},

@manual{ebpf_io,
	title={eBPF Documentation},
	url={https://ebpf.io/what-is-ebpf/}
},

@manual{ebpf_io_arch,
	title={eBPF Documentation: Loader and verification architecture},
	url={https://ebpf.io/what-is-ebpf/#loader--verification-architecture}
},

@manual{ebpf_io_verification,
	title={eBPF Documentation: Verification},
	url={https://ebpf.io/what-is-ebpf/#verification}
},

@manual{index_register,
	title={Index register},
	url={https://gunkies.org/wiki/Index_register}
}

@online{bpf_organicprogrammer_analysis,
	title={Write a Linux packet sniffer from scratch: part two- BPF},
	date={2022-03-28},
	url={https://organicprogrammer.com/2022/03/28/how-to-implement-libpcap-on-linux-with-raw-socket-part2/}
},

@manual{tcpdump_page,
	title={Tcpdump and Libpcap},
	url={https://www.tcpdump.org}
},

@manual{ebpf_funcs_by_ver,
	title={BPF features by Linux Kernel Version},
	organization={iovisor},
	url={https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md}
},

@book{brendan_gregg_bpf_book,
	title={BPF performance tools},
	author={Brendan Gregg},
	url={https://www.oreilly.com/library/view/bpf-performance-tools/9780136588870/}
},

@manual{ebpf_inst_set,
	title={eBPF instruction set},
	url={https://www.kernel.org/doc/html/latest/bpf/instruction-set.html}
},

@manual{8664_inst_set_specs,
	title={Intel® 64 and IA-32 Architectures Software Developer’s Manual Combined Volumes: 1, 2A, 2B, 2C, 2D, 3A, 3B, 3C, 3D, and 4},
	author={Intel},
	volume={2A},
	pages={507},
	urldate={2022-05-13},
	url={https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html}
},

@proceedings{ebpf_starovo_slides,
	title={BPF – in-kernel virtual machine},	
	url={http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf},
	date={2015-02-20},
	institution={PLUMgrid}
},

@proceedings{ebpf_starovo_slides_page23,
	title={BPF – in-kernel virtual machine},	
	url={http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf},
	date={2015-02-20},
	institution={PLUMgrid},
	pages={23}
},

@manual{ebpf_JIT,
	title={A JIT for packet filters},
	url={https://lwn.net/Articles/437981/},
	date={2011-04-12},
	author={Jonathan Corbet}
},

@proceedings{ebpf_JIT_demystify_page13,
	title={Demystify eBPF JIT Compiler},
	url={https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf},
	institution={Netronome},
	author={Jiong Wang},
	date={2018-09-11},
	pages={13}
},

@proceedings{ebpf_JIT_demystify_page14,
	title={Demystify eBPF JIT Compiler},
	url={https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf},
	institution={Netronome},
	author={Jiong Wang},
	date={2018-09-11},
	pages={14}
},

@proceedings{ebpf_JIT_demystify_page17-22,
	title={Demystify eBPF JIT Compiler},
	url={https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf},
	institution={Netronome},
	author={Jiong Wang},
	date={2018-09-11},
	pages={17-22}
},

@book{brendan_gregg_bpf_book_bpf_vm,
	title={BPF performance tools},
	author={Brendan Gregg},
	url={https://learning.oreilly.com/library/view/bpf-performance-tools/9780136588870/ch02.xhtml#:-:text=With%20JIT%20compiled%20code%2C%20i,%20other%20native%20kernel%20code}
},

@manual{jit_enable_setting,
	title={bpf\_jit\_enable},
	url={https://sysctl-explorer.net/net/core/bpf_jit_enable/}
},

@manual{ebpf_verifier_kerneldocs,
	title={eBPF verifier},
	url={https://kernel.org/doc/html/latest/bpf/verifier.html}
},

@online{ebpf_bounded_loops,
	title={Bounded loops in BPF for the 5.3 kernel},
	url={https://lwn.net/Articles/794934/},
	date={2019-06-30},
	author={Marta Rybczynska}
},

@manual{ebpf_maps_kernel,
	title={eBPF maps},
	url={https://www.kernel.org/doc/html/latest/bpf/maps.html}
},

@manual{ebpf_maps_rddocs,
	title={eBPF maps},
	url={https://prototype-kernel.readthedocs.io/en/latest/bpf/ebpf_maps.html}
},

@manual{bpf_syscall,
	title={bpf(2)- Linux manual page},
	url={https://man7.org/linux/man-pages/man2/bpf.2.html}
},

@manual{ebpf_helpers,
	title={bpf-helpers(7)- Linux manual page},
	url={https://man7.org/linux/man-pages/man7/bpf-helpers.7.html}
},

@online{xdp_gentle_intro,
	title={A Gentle Introduction to XDP},
	date={2022-02-03},
	url={https://www.seekret.io/blog/a-gentle-introduction-to-xdp/},
	author={Daniel Lavie}
},

@manual{xdp_manual,
	title={XDP actions},
	url={https://prototype-kernel.readthedocs.io/en/latest/networking/XDP/implementation/xdp_actions.html}
},

@online{tc_differences,
	title={tc/BPF and XDP/BPF},
	url={https://liuhangbin.netlify.app/post/ebpf-and-xdp/},
	date={2019-03-13},
	author={Hangbin}
},

@online{tc_direct_action,
	title={Understanding tc “direct action” mode for BPF},
	url={https://qmonnet.github.io/whirl-offload/2020/04/11/tc-bpf-direct-action/},
	date={2020-04-11},
	author={Quentin Monnet}
},

@online{tc_docs_complete,
	title={Traffic Control HOWTO},
	url={http://linux-ip.net/articles/Traffic-Control-HOWTO/},
	author={Martin A. Brown},
	date={2006-10-01}
},

@online{tc_ret_list_complete,
	title={Linux kernel source tree},
	url={https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/pkt_cls.h},
	indextitle={index : kernel/git/torvalds/linux.git}
},

@manual{tp_kernel,
	title={Using the Linux Kernel Tracepoints},
	url={https://www.kernel.org/doc/html/latest/trace/tracepoints.html},
	author={Mathieu Desnoyers}
},

@manual{kprobe_manual,
	title={Kernel Probes (Kprobes)},
	author={Jim Keniston, Prasanna S Panchamukhi, Masami Hiramatsu},
	url={https://www.kernel.org/doc/html/latest/trace/kprobes.html}
},

@online{kallsyms_kernel,
	title={kallsyms: new /proc/kallmodsyms with builtin modules and symbol sizes},
	author={Nick Alcock},
	date={2021-06-06},
	url={https://lwn.net/Articles/862021/}
},

@online{bcc_github,
	title={BPF Compiler Collection (BCC)},
	url={https://github.com/iovisor/bcc}
},

@online{libbpf_upstream,
	title={BPF next kernel tree},
	url={https://kernel.googlesource.com/pub/scm/linux/kernel/git/bpf/bpf-next}
},

@online{libbpf_github,
	indextitle={libbpf GitHub},
	url={https://github.com/libbpf/libbpf}
},

@online{libbpf_core,
	title={BPF Portability and CO-RE},
	url={https://facebookmicrosites.github.io/bpf/blog/2020/02/19/bpf-portability-and-co-re.html},
	author={Andrii Nakryiko},
	date={2020-02-19}
},

@manual{ebpf_kernel_flags,
	title={Installing BCC: Kernel Configuration},
	url={https://github.com/iovisor/bcc/blob/master/INSTALL.md}
},

@manual{ubuntu_caps,
	title={capabilities - overview of Linux capabilities},
	url={http://manpages.ubuntu.com/manpages/trusty/man7/capabilities.7.html}
},

@proceedings{evil_ebpf_p9,
	institution = {NCC Group},
	author = {Jeff Dileo},
	organization= {DEFCON 27},
	eventtitle = {Evil eBPF Practical Abuses of an In-Kernel Bytecode Runtime},
	url = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf},
	pages={9}
},

@online{ebpf_caps_intro,
	title={[PATCH v7 bpf-next 1/3] bpf, capability: Introduce CAP\_BPF},
	url={https://lore.kernel.org/bpf/20200513230355.7858-2-alexei.starovoitov@gmail.com/}
},

@online{ebpf_caps_lwn,
	title={capability: introduce CAP\_BPF and CAP\_TRACING},
	url={https://lwn.net/Articles/797807/}
},

@online{unprivileged_ebpf,
	title={Reconsidering unprivileged BPF},
	url={https://lwn.net/Articles/796328/}
},

@online{cve_unpriv_ebpf,
	title={CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability},
	url={https://www.openwall.com/lists/oss-security/2022/01/11/4}
},

@online{unpriv_ebpf_ubuntu,
	title={Unprivileged eBPF disabled by default for Ubuntu 20.04 LTS, 18.04 LTS, 16.04 ESM},
	url={https://discourse.ubuntu.com/t/unprivileged-ebpf-disabled-by-default-for-ubuntu-20-04-lts-18-04-lts-16-04-esm/27047}
},

@online{unpriv_ebpf_redhat,
	title={CVE-2022-0002},
	url={https://access.redhat.com/security/cve/cve-2021-4001}
},

@online{unpriv_ebpf_suse,
	title={Security Hardening: Use of eBPF by unprivileged users has been disabled by default},
	url={https://www.suse.com/support/kb/doc/?id=000020545}
},

@manual{8664_params_abi,
	title={System V Application Binary Interface
AMD64 Architecture Processor Supplement},
	author={H.J. Lu et al.},
	pages={148},
	date={2018-01-28},
	url={https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf}
},

@proceedings{ebpf_friends_p15,
	institution = {Datadog},
	author = {Guillaume Fournier, Sylvain Afchainthe},
	organization= {DEFCON 29},
	eventtitle = {Cyber Threats 2021: A year in Retrospect},
	url = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf},
	pages={15}
},

@online{ebpf_override_return,
	title={BPF-based error injection for the kernel},
	url={https://lwn.net/Articles/740146/}
},

@online{code_kernel_open,
	indextitle={Linux kernel source code},
	url={https://elixir.bootlin.com/linux/v5.11/source/fs/open.c#L1192}
},

@online{code_kernel_open,
	indextitle={Linux kernel source code},
	url={https://elixir.bootlin.com/linux/v5.11/source/include/linux/syscalls.h#L233}
},

@online{fault_injection,
	title={},
	url={https://lwn.net/Articles/209257/},
	date={2006-11-04}
}