2022-04-27 21:56:37 -04:00
|
|
|
\boolfalse {citerequest}\boolfalse {citetracker}\boolfalse {pagetracker}\boolfalse {backtracker}\relax
|
|
|
|
|
\babel@toc {english}{}
|
|
|
|
|
\defcounter {refsection}{0}\relax
|
|
|
|
|
\contentsline {chapter}{\numberline {1}Introduction}{1}{chapter.1}%
|
|
|
|
|
\defcounter {refsection}{0}\relax
|
|
|
|
|
\contentsline {section}{\numberline {1.1}Motivation}{1}{section.1.1}%
|
|
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-21 16:56:05 -04:00
|
|
|
\contentsline {section}{\numberline {1.2}Project objectives}{3}{section.1.2}%
|
2022-04-27 21:56:37 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-21 19:43:51 -04:00
|
|
|
\contentsline {section}{\numberline {1.3}Regulatory framework}{4}{section.1.3}%
|
2022-04-27 21:56:37 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-21 19:43:51 -04:00
|
|
|
\contentsline {subsection}{\numberline {1.3.1}Social and economic environment}{4}{subsection.1.3.1}%
|
2022-04-27 21:56:37 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-21 19:43:51 -04:00
|
|
|
\contentsline {subsection}{\numberline {1.3.2}Budget}{4}{subsection.1.3.2}%
|
2022-04-27 21:56:37 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-22 08:19:32 -04:00
|
|
|
\contentsline {section}{\numberline {1.4}Structure of the document}{4}{section.1.4}%
|
2022-05-21 20:56:00 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
|
|
|
|
\contentsline {chapter}{\numberline {2}State of the art}{5}{chapter.2}%
|
2022-04-27 21:56:37 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-23 07:08:46 -04:00
|
|
|
\contentsline {section}{\numberline {2.1}eBPF history - Classic BPF}{5}{section.2.1}%
|
2022-05-22 08:19:32 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-23 07:08:46 -04:00
|
|
|
\contentsline {subsection}{\numberline {2.1.1}Introduction to the BPF system}{5}{subsection.2.1.1}%
|
2022-05-22 19:57:47 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-23 07:08:46 -04:00
|
|
|
\contentsline {subsection}{\numberline {2.1.2}The BPF virtual machine}{6}{subsection.2.1.2}%
|
2022-04-27 21:56:37 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-25 22:00:28 -04:00
|
|
|
\contentsline {subsection}{\numberline {2.1.3}Analysis of a BPF filter program}{7}{subsection.2.1.3}%
|
2022-04-27 21:56:37 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-25 22:00:28 -04:00
|
|
|
\contentsline {subsection}{\numberline {2.1.4}BPF bytecode instruction format}{8}{subsection.2.1.4}%
|
2022-04-27 21:56:37 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-26 15:21:00 -04:00
|
|
|
\contentsline {subsection}{\numberline {2.1.5}An example of BPF filter with tcpdump}{10}{subsection.2.1.5}%
|
2022-05-23 07:08:46 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-23 08:47:39 -04:00
|
|
|
\contentsline {section}{\numberline {2.2}Analysis of modern eBPF}{11}{section.2.2}%
|
2022-05-23 07:08:46 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-25 22:00:28 -04:00
|
|
|
\contentsline {subsection}{\numberline {2.2.1}eBPF instruction set}{13}{subsection.2.2.1}%
|
2022-05-23 07:08:46 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-25 22:00:28 -04:00
|
|
|
\contentsline {subsection}{\numberline {2.2.2}JIT compilation}{13}{subsection.2.2.2}%
|
2022-05-23 07:08:46 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-26 08:39:45 -04:00
|
|
|
\contentsline {subsection}{\numberline {2.2.3}The eBPF verifier}{14}{subsection.2.2.3}%
|
2022-05-23 08:47:39 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-26 15:21:00 -04:00
|
|
|
\contentsline {subsection}{\numberline {2.2.4}eBPF maps}{15}{subsection.2.2.4}%
|
2022-05-23 08:47:39 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-26 15:21:00 -04:00
|
|
|
\contentsline {subsection}{\numberline {2.2.5}The eBPF ring buffer}{16}{subsection.2.2.5}%
|
2022-05-24 20:53:00 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-26 15:21:00 -04:00
|
|
|
\contentsline {subsection}{\numberline {2.2.6}The bpf() syscall}{16}{subsection.2.2.6}%
|
2022-05-25 22:00:28 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-26 15:21:00 -04:00
|
|
|
\contentsline {subsection}{\numberline {2.2.7}eBPF helpers}{17}{subsection.2.2.7}%
|
|
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-26 21:47:28 -04:00
|
|
|
\contentsline {section}{\numberline {2.3}eBPF program types}{18}{section.2.3}%
|
2022-05-26 15:21:00 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-26 21:47:28 -04:00
|
|
|
\contentsline {subsection}{\numberline {2.3.1}XDP}{18}{subsection.2.3.1}%
|
2022-05-26 15:21:00 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-26 21:47:28 -04:00
|
|
|
\contentsline {subsection}{\numberline {2.3.2}Traffic Control}{20}{subsection.2.3.2}%
|
2022-05-26 15:21:00 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-27 20:56:36 -04:00
|
|
|
\contentsline {subsection}{\numberline {2.3.3}Tracepoints}{21}{subsection.2.3.3}%
|
2022-05-26 21:47:28 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-27 20:56:36 -04:00
|
|
|
\contentsline {subsection}{\numberline {2.3.4}Kprobes}{22}{subsection.2.3.4}%
|
2022-05-26 21:47:28 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-27 20:56:36 -04:00
|
|
|
\contentsline {subsection}{\numberline {2.3.5}Uprobes}{22}{subsection.2.3.5}%
|
2022-05-26 21:47:28 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-27 20:56:36 -04:00
|
|
|
\contentsline {section}{\numberline {2.4}Developing eBPF programs}{23}{section.2.4}%
|
2022-05-26 21:47:28 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-27 20:56:36 -04:00
|
|
|
\contentsline {subsection}{\numberline {2.4.1}BCC}{23}{subsection.2.4.1}%
|
|
|
|
|
\defcounter {refsection}{0}\relax
|
2022-06-02 19:00:10 -04:00
|
|
|
\contentsline {subsection}{\numberline {2.4.2}Bpftool}{24}{subsection.2.4.2}%
|
2022-05-27 20:56:36 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
|
|
|
|
\contentsline {subsection}{\numberline {2.4.3}Libbpf}{24}{subsection.2.4.3}%
|
|
|
|
|
\defcounter {refsection}{0}\relax
|
2022-05-28 09:23:41 -04:00
|
|
|
\contentsline {chapter}{\numberline {3}Analysis of offensive capabilities}{27}{chapter.3}%
|
2022-05-27 20:56:36 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-06-02 19:00:10 -04:00
|
|
|
\contentsline {section}{\numberline {3.1}Security features in eBPF}{27}{section.3.1}%
|
2022-05-27 20:56:36 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-06-02 19:00:10 -04:00
|
|
|
\contentsline {subsection}{\numberline {3.1.1}Access control}{28}{subsection.3.1.1}%
|
2022-05-27 20:56:36 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-06-02 19:00:10 -04:00
|
|
|
\contentsline {subsection}{\numberline {3.1.2}eBPF maps security}{30}{subsection.3.1.2}%
|
2022-05-28 09:23:41 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-06-02 19:00:10 -04:00
|
|
|
\contentsline {section}{\numberline {3.2}Abusing tracing programs}{30}{section.3.2}%
|
|
|
|
|
\defcounter {refsection}{0}\relax
|
|
|
|
|
\contentsline {subsection}{\numberline {3.2.1}Access to function arguments}{30}{subsection.3.2.1}%
|
|
|
|
|
\defcounter {refsection}{0}\relax
|
2022-06-03 21:47:00 -04:00
|
|
|
\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{34}{subsection.3.2.2}%
|
2022-06-02 19:00:10 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-06-03 21:47:00 -04:00
|
|
|
\contentsline {subsection}{\numberline {3.2.3}Overriding function return values}{34}{subsection.3.2.3}%
|
2022-06-02 19:00:10 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-06-03 21:47:00 -04:00
|
|
|
\contentsline {subsection}{\numberline {3.2.4}Sending signals to user programs}{35}{subsection.3.2.4}%
|
2022-06-02 19:00:10 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-06-03 21:47:00 -04:00
|
|
|
\contentsline {subsection}{\numberline {3.2.5}Conclusion}{36}{subsection.3.2.5}%
|
2022-06-02 19:00:10 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-06-03 21:47:00 -04:00
|
|
|
\contentsline {section}{\numberline {3.3}Memory corruption}{36}{section.3.3}%
|
2022-06-02 19:00:10 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-06-04 08:55:45 -04:00
|
|
|
\contentsline {subsection}{\numberline {3.3.1}Memory management in Linux}{36}{subsection.3.3.1}%
|
2022-06-02 21:07:42 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-06-04 08:55:45 -04:00
|
|
|
\contentsline {subsection}{\numberline {3.3.2}Process virtual memory}{39}{subsection.3.3.2}%
|
2022-06-03 21:47:00 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-06-04 08:55:45 -04:00
|
|
|
\contentsline {subsection}{\numberline {3.3.3}Accessing user memory}{39}{subsection.3.3.3}%
|
2022-06-03 21:47:00 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-06-04 08:55:45 -04:00
|
|
|
\contentsline {chapter}{\numberline {4}Methods??}{40}{chapter.4}%
|
2022-06-03 21:47:00 -04:00
|
|
|
\defcounter {refsection}{0}\relax
|
2022-06-04 08:55:45 -04:00
|
|
|
\contentsline {chapter}{\numberline {5}Results}{41}{chapter.5}%
|
|
|
|
|
\defcounter {refsection}{0}\relax
|
|
|
|
|
\contentsline {chapter}{\numberline {6}Conclusion and future work}{42}{chapter.6}%
|
|
|
|
|
\defcounter {refsection}{0}\relax
|
|
|
|
|
\contentsline {chapter}{Bibliography}{43}{chapter.6}%
|
2022-04-27 21:56:37 -04:00
|
|
|
\contentsfinish
|
