Reformatted gitignore and removed some annoying files from cache
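--- a/.gitignore
+++ b/.gitignore
@@ -1,12 +0,0 @@
-src/log
-*.aux
-*/document.bcf
-*.blg
-*.fdb_latexmk
-*.fls
-*.lof
-*.log
-*.lot
-*.out
-*.toc
-*.xmpi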
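--- a/docs/.gitignore
+++ b/docs/.gitignore
@@ -0,0 +1,10 @@
+/*
+bibliography/texput.log
+!.gitignore
+!document.pdf
+!document.tex
+!Makefile
+!original_template/
+!images/
+!chapters/
+!bibliography/bibliography.bib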
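Review bot: The last pattern, `!bibliography/bibliography.bib`, cannot take effect as written. The leading `/*` excludes the `bibliography/` directory itself, and git does not re-include a file whose parent directory is excluded, so an untracked `bibliography.bib` would stay ignored (a copy that is already tracked is unaffected). Re-include the directory first and then ignore its contents: `!bibliography/`, `bibliography/*`, `!bibliography/bibliography.bib`. With that in place the explicit `bibliography/texput.log` line is covered by `bibliography/*`; as it stands it is redundant, because `/*` already hides the whole directory.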
1283
docs/Makefile.log
1283
docs/Makefile.log
File diff suppressed because it is too large
@@ -1,21 +0,0 @@
|
||||
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 4 JUN 2022 11:00
|
||||
entering extended mode
|
||||
restricted \write18 enabled.
|
||||
%&-line parsing enabled.
|
||||
**bibliography.tex
|
||||
|
||||
! Emergency stop.
|
||||
<*> bibliography.tex
|
||||
|
||||
*** (job aborted, file error in nonstop mode)
|
||||
|
||||
|
||||
Here is how much of TeX's memory you used:
|
||||
2 strings out of 481209
|
||||
102 string characters out of 5914747
|
||||
266276 words of memory out of 5000000
|
||||
17052 multiletter control sequences out of 15000+600000
|
||||
403430 words of font info for 27 fonts, out of 8000000 for 9000
|
||||
36 hyphenation exceptions out of 8191
|
||||
0i,0n,0p,1b,6s stack positions out of 5000i,500n,10000p,200000b,80000s
|
||||
! ==> Fatal error occurred, no output PDF file produced!
|
||||
@@ -1,2 +0,0 @@
|
||||
os.remove("creationdate.timestamp")
|
||||
io.output("creationdate.timestamp"):write(os.date("\\edef\\tempa{\\string D:%Y%m%d%H%M%S}\n\\def\\tempb{%z}"))
|
||||
@@ -1,652 +0,0 @@
|
||||
\relax
|
||||
\providecommand\hyper@newdestlabel[2]{}
|
||||
\providecommand\HyperFirstAtBeginDocument{\AtBeginDocument}
|
||||
\HyperFirstAtBeginDocument{\ifx\hyper@anchor\@undefined
|
||||
\global\let\oldcontentsline\contentsline
|
||||
\gdef\contentsline#1#2#3#4{\oldcontentsline{#1}{#2}{#3}}
|
||||
\global\let\oldnewlabel\newlabel
|
||||
\gdef\newlabel#1#2{\newlabelxx{#1}#2}
|
||||
\gdef\newlabelxx#1#2#3#4#5#6{\oldnewlabel{#1}{{#2}{#3}}}
|
||||
\AtEndDocument{\ifx\hyper@anchor\@undefined
|
||||
\let\contentsline\oldcontentsline
|
||||
\let\newlabel\oldnewlabel
|
||||
\fi}
|
||||
\fi}
|
||||
\global\let\hyper@last\relax
|
||||
\gdef\HyperFirstAtBeginDocument#1{#1}
|
||||
\providecommand\HyField@AuxAddToFields[1]{}
|
||||
\providecommand\HyField@AuxAddToCoFields[2]{}
|
||||
\providecommand\babel@aux[2]{}
|
||||
\@nameuse{bbl@beforestart}
|
||||
\@writefile{toc}{\boolfalse {citerequest}\boolfalse {citetracker}\boolfalse {pagetracker}\boolfalse {backtracker}\relax }
|
||||
\@writefile{lof}{\boolfalse {citerequest}\boolfalse {citetracker}\boolfalse {pagetracker}\boolfalse {backtracker}\relax }
|
||||
\@writefile{lot}{\boolfalse {citerequest}\boolfalse {citetracker}\boolfalse {pagetracker}\boolfalse {backtracker}\relax }
|
||||
\abx@aux@refcontext{none/global//global/global}
|
||||
\babel@aux{english}{}
|
||||
\abx@aux@cite{ransomware_pwc}
|
||||
\abx@aux@segm{0}{0}{ransomware_pwc}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {1}Introduction}{1}{chapter.1}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.1}Motivation}{1}{section.1.1}\protected@file@percent }
|
||||
\newlabel{section:motivation}{{1.1}{1}{Motivation}{section.1.1}{}}
|
||||
\abx@aux@cite{rootkit_ptsecurity}
|
||||
\abx@aux@segm{0}{0}{rootkit_ptsecurity}
|
||||
\abx@aux@cite{ebpf_linux318}
|
||||
\abx@aux@segm{0}{0}{ebpf_linux318}
|
||||
\abx@aux@cite{bvp47_report}
|
||||
\abx@aux@segm{0}{0}{bvp47_report}
|
||||
\abx@aux@cite{bpfdoor_pwc}
|
||||
\abx@aux@segm{0}{0}{bpfdoor_pwc}
|
||||
\abx@aux@cite{ebpf_windows}
|
||||
\abx@aux@segm{0}{0}{ebpf_windows}
|
||||
\abx@aux@cite{ebpf_android}
|
||||
\abx@aux@segm{0}{0}{ebpf_android}
|
||||
\abx@aux@cite{evil_ebpf}
|
||||
\abx@aux@segm{0}{0}{evil_ebpf}
|
||||
\abx@aux@cite{bad_ebpf}
|
||||
\abx@aux@segm{0}{0}{bad_ebpf}
|
||||
\abx@aux@cite{ebpf_friends}
|
||||
\abx@aux@segm{0}{0}{ebpf_friends}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.2}Project objectives}{3}{section.1.2}\protected@file@percent }
|
||||
\newlabel{section:project_objectives}{{1.2}{3}{Project objectives}{section.1.2}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.3}Regulatory framework}{4}{section.1.3}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {1.3.1}Social and economic environment}{4}{subsection.1.3.1}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {1.3.2}Budget}{4}{subsection.1.3.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.4}Structure of the document}{4}{section.1.4}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.5}Code availability}{4}{section.1.5}\protected@file@percent }
|
||||
\abx@aux@cite{ebpf_io}
|
||||
\abx@aux@segm{0}{0}{ebpf_io}
|
||||
\abx@aux@cite{bpf_bsd_origin}
|
||||
\abx@aux@segm{0}{0}{bpf_bsd_origin}
|
||||
\abx@aux@cite{ebpf_history_opensource}
|
||||
\abx@aux@segm{0}{0}{ebpf_history_opensource}
|
||||
\abx@aux@cite{bpf_bsd_origin_bpf_page2}
|
||||
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page2}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {2}Background}{5}{chapter.2}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.1}BPF}{5}{section.2.1}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.1}Introduction to the BPF system}{5}{subsection.2.1.1}\protected@file@percent }
|
||||
\abx@aux@cite{bpf_bsd_origin_bpf_page1}
|
||||
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page1}
|
||||
\abx@aux@cite{index_register}
|
||||
\abx@aux@segm{0}{0}{index_register}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.1}{\ignorespaces Functionality of classic BPF. Based on the figure at the original paper \cite {bpf_bsd_origin_bpf_page2}.\relax }}{6}{figure.caption.7}\protected@file@percent }
|
||||
\providecommand*\caption@xref[2]{\@setref\relax\@undefined{#1}}
|
||||
\newlabel{fig:classif_bpf}{{2.1}{6}{Functionality of classic BPF. Based on the figure at the original paper \cite {bpf_bsd_origin_bpf_page2}.\relax }{figure.caption.7}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.2}The BPF virtual machine}{6}{subsection.2.1.2}\protected@file@percent }
|
||||
\newlabel{subsection:bpf_vm}{{2.1.2}{6}{The BPF virtual machine}{subsection.2.1.2}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.3}Analysis of a BPF filter program}{6}{subsection.2.1.3}\protected@file@percent }
|
||||
\newlabel{subsection:analysis_bpf_filter_prog}{{2.1.3}{6}{Analysis of a BPF filter program}{subsection.2.1.3}{}}
|
||||
\abx@aux@cite{bpf_bsd_origin_bpf_page5}
|
||||
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page5}
|
||||
\abx@aux@cite{bpf_organicprogrammer_analysis}
|
||||
\abx@aux@segm{0}{0}{bpf_organicprogrammer_analysis}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.2}{\ignorespaces Execution of a BPF filter.\relax }}{7}{figure.caption.8}\protected@file@percent }
|
||||
\newlabel{fig:cbpf_prog}{{2.2}{7}{Execution of a BPF filter.\relax }{figure.caption.8}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.4}BPF bytecode instruction format}{7}{subsection.2.1.4}\protected@file@percent }
|
||||
\abx@aux@cite{bpf_bsd_origin_bpf_page8}
|
||||
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page8}
|
||||
\abx@aux@cite{bpf_bsd_origin_bpf_page7}
|
||||
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page7}
|
||||
\abx@aux@cite{bpf_bsd_origin_bpf_page8}
|
||||
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page8}
|
||||
\abx@aux@cite{bpf_bsd_origin_bpf_page1}
|
||||
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page1}
|
||||
\abx@aux@cite{tcpdump_page}
|
||||
\abx@aux@segm{0}{0}{tcpdump_page}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.1}{\ignorespaces BPF instruction format.\relax }}{8}{table.caption.9}\protected@file@percent }
|
||||
\newlabel{table:bpf_inst_format}{{2.1}{8}{BPF instruction format.\relax }{table.caption.9}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.5}An example of BPF filter with tcpdump}{8}{subsection.2.1.5}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.3}{\ignorespaces Supported classic BPF instructions, as shown by McCanne and Jacobson \cite {bpf_bsd_origin_bpf_page7}\relax }}{9}{figure.caption.10}\protected@file@percent }
|
||||
\newlabel{fig:bpf_instructions}{{2.3}{9}{Supported classic BPF instructions, as shown by McCanne and Jacobson \cite {bpf_bsd_origin_bpf_page7}\relax }{figure.caption.10}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.4}{\ignorespaces BPF address modes, as shown by McCanne and Jacobson \cite {bpf_bsd_origin_bpf_page8}\relax }}{9}{figure.caption.11}\protected@file@percent }
|
||||
\newlabel{fig:bpf_address_mode}{{2.4}{9}{BPF address modes, as shown by McCanne and Jacobson \cite {bpf_bsd_origin_bpf_page8}\relax }{figure.caption.11}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.5}{\ignorespaces BPF bytecode tcpdump needs to set a filter to display packets directed to port 80.\relax }}{10}{figure.caption.12}\protected@file@percent }
|
||||
\newlabel{fig:bpf_tcpdump_example}{{2.5}{10}{BPF bytecode tcpdump needs to set a filter to display packets directed to port 80.\relax }{figure.caption.12}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.2}Modern eBPF}{10}{section.2.2}\protected@file@percent }
|
||||
\newlabel{section:modern_ebpf}{{2.2}{10}{Modern eBPF}{section.2.2}{}}
|
||||
\abx@aux@cite{ebpf_funcs_by_ver}
|
||||
\abx@aux@segm{0}{0}{ebpf_funcs_by_ver}
|
||||
\abx@aux@cite{ebpf_funcs_by_ver}
|
||||
\abx@aux@segm{0}{0}{ebpf_funcs_by_ver}
|
||||
\abx@aux@cite{brendan_gregg_bpf_book}
|
||||
\abx@aux@segm{0}{0}{brendan_gregg_bpf_book}
|
||||
\abx@aux@cite{brendan_gregg_bpf_book}
|
||||
\abx@aux@segm{0}{0}{brendan_gregg_bpf_book}
|
||||
\abx@aux@cite{ebpf_io_arch}
|
||||
\abx@aux@segm{0}{0}{ebpf_io_arch}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.6}{\ignorespaces Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }}{11}{figure.caption.13}\protected@file@percent }
|
||||
\newlabel{fig:tcpdump_ex_sol}{{2.6}{11}{Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }{figure.caption.13}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.2}{\ignorespaces Relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }}{11}{table.caption.14}\protected@file@percent }
|
||||
\newlabel{table:ebpf_history}{{2.2}{11}{Relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }{table.caption.14}{}}
|
||||
\abx@aux@cite{ebpf_inst_set}
|
||||
\abx@aux@segm{0}{0}{ebpf_inst_set}
|
||||
\abx@aux@cite{8664_inst_set_specs}
|
||||
\abx@aux@segm{0}{0}{8664_inst_set_specs}
|
||||
\abx@aux@cite{ebpf_inst_set}
|
||||
\abx@aux@segm{0}{0}{ebpf_inst_set}
|
||||
\abx@aux@cite{ebpf_inst_set}
|
||||
\abx@aux@segm{0}{0}{ebpf_inst_set}
|
||||
\abx@aux@cite{ebpf_starovo_slides}
|
||||
\abx@aux@segm{0}{0}{ebpf_starovo_slides}
|
||||
\abx@aux@cite{ebpf_inst_set}
|
||||
\abx@aux@segm{0}{0}{ebpf_inst_set}
|
||||
\abx@aux@cite{ebpf_starovo_slides}
|
||||
\abx@aux@segm{0}{0}{ebpf_starovo_slides}
|
||||
\abx@aux@cite{ebpf_JIT}
|
||||
\abx@aux@segm{0}{0}{ebpf_JIT}
|
||||
\abx@aux@cite{ebpf_JIT_demystify_page13}
|
||||
\abx@aux@segm{0}{0}{ebpf_JIT_demystify_page13}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.7}{\ignorespaces eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on \cite {brendan_gregg_bpf_book} and \cite {ebpf_io_arch}.\relax }}{12}{figure.caption.15}\protected@file@percent }
|
||||
\newlabel{fig:ebpf_architecture}{{2.7}{12}{eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on \cite {brendan_gregg_bpf_book} and \cite {ebpf_io_arch}.\relax }{figure.caption.15}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.1}eBPF instruction set}{12}{subsection.2.2.1}\protected@file@percent }
|
||||
\newlabel{subsection:ebpf_inst_set}{{2.2.1}{12}{eBPF instruction set}{subsection.2.2.1}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.3}{\ignorespaces eBPF instruction format.\relax }}{12}{table.caption.16}\protected@file@percent }
|
||||
\newlabel{table:ebpf_inst_format}{{2.3}{12}{eBPF instruction format.\relax }{table.caption.16}{}}
|
||||
\abx@aux@cite{ebpf_JIT_demystify_page14}
|
||||
\abx@aux@segm{0}{0}{ebpf_JIT_demystify_page14}
|
||||
\abx@aux@cite{jit_enable_setting}
|
||||
\abx@aux@segm{0}{0}{jit_enable_setting}
|
||||
\abx@aux@cite{ebpf_starovo_slides_page23}
|
||||
\abx@aux@segm{0}{0}{ebpf_starovo_slides_page23}
|
||||
\abx@aux@cite{brendan_gregg_bpf_book_bpf_vm}
|
||||
\abx@aux@segm{0}{0}{brendan_gregg_bpf_book_bpf_vm}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.4}{\ignorespaces eBPF registers and their purpose in the BPF VM. \cite {ebpf_inst_set} \cite {ebpf_starovo_slides}.\relax }}{13}{table.caption.17}\protected@file@percent }
|
||||
\newlabel{table:ebpf_regs}{{2.4}{13}{eBPF registers and their purpose in the BPF VM. \cite {ebpf_inst_set} \cite {ebpf_starovo_slides}.\relax }{table.caption.17}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.2}JIT compilation}{13}{subsection.2.2.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.3}The eBPF verifier}{13}{subsection.2.2.3}\protected@file@percent }
|
||||
\newlabel{subsection:ebpf_verifier}{{2.2.3}{13}{The eBPF verifier}{subsection.2.2.3}{}}
|
||||
\abx@aux@cite{ebpf_verifier_kerneldocs}
|
||||
\abx@aux@segm{0}{0}{ebpf_verifier_kerneldocs}
|
||||
\abx@aux@cite{ebpf_JIT_demystify_page17-22}
|
||||
\abx@aux@segm{0}{0}{ebpf_JIT_demystify_page17-22}
|
||||
\abx@aux@cite{ebpf_bounded_loops}
|
||||
\abx@aux@segm{0}{0}{ebpf_bounded_loops}
|
||||
\abx@aux@cite{ebpf_maps_kernel}
|
||||
\abx@aux@segm{0}{0}{ebpf_maps_kernel}
|
||||
\abx@aux@cite{bpf_syscall}
|
||||
\abx@aux@segm{0}{0}{bpf_syscall}
|
||||
\abx@aux@cite{bpf_syscall}
|
||||
\abx@aux@segm{0}{0}{bpf_syscall}
|
||||
\abx@aux@cite{bpf_syscall}
|
||||
\abx@aux@segm{0}{0}{bpf_syscall}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.4}eBPF maps}{14}{subsection.2.2.4}\protected@file@percent }
|
||||
\newlabel{subsection:ebpf_maps}{{2.2.4}{14}{eBPF maps}{subsection.2.2.4}{}}
|
||||
\abx@aux@cite{bpf_syscall}
|
||||
\abx@aux@segm{0}{0}{bpf_syscall}
|
||||
\abx@aux@cite{bpf_syscall}
|
||||
\abx@aux@segm{0}{0}{bpf_syscall}
|
||||
\abx@aux@cite{bpf_syscall}
|
||||
\abx@aux@segm{0}{0}{bpf_syscall}
|
||||
\abx@aux@cite{bpf_syscall}
|
||||
\abx@aux@segm{0}{0}{bpf_syscall}
|
||||
\abx@aux@cite{ebpf_helpers}
|
||||
\abx@aux@segm{0}{0}{ebpf_helpers}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.5}{\ignorespaces Common fields for creating an eBPF map.\relax }}{15}{table.caption.18}\protected@file@percent }
|
||||
\newlabel{table:ebpf_map_struct}{{2.5}{15}{Common fields for creating an eBPF map.\relax }{table.caption.18}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.6}{\ignorespaces Types of eBPF maps. Only those used in our rootkit are displayed, the full list can be consulted in the man page \cite {bpf_syscall}\relax }}{15}{table.caption.19}\protected@file@percent }
|
||||
\newlabel{table:ebpf_map_types}{{2.6}{15}{Types of eBPF maps. Only those used in our rootkit are displayed, the full list can be consulted in the man page \cite {bpf_syscall}\relax }{table.caption.19}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.5}The eBPF ring buffer}{15}{subsection.2.2.5}\protected@file@percent }
|
||||
\newlabel{subsection:bpf_ring_buf}{{2.2.5}{15}{The eBPF ring buffer}{subsection.2.2.5}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.6}The bpf() syscall}{15}{subsection.2.2.6}\protected@file@percent }
|
||||
\newlabel{subsection:bpf_syscall}{{2.2.6}{15}{The bpf() syscall}{subsection.2.2.6}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.7}eBPF helpers}{15}{subsection.2.2.7}\protected@file@percent }
|
||||
\newlabel{subsection:ebpf_helpers}{{2.2.7}{15}{eBPF helpers}{subsection.2.2.7}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.7}{\ignorespaces Types of syscall actions. Only those relevant to our research are shown the full list and attribute details can be consulted in the man page \cite {bpf_syscall}\relax }}{16}{table.caption.20}\protected@file@percent }
|
||||
\newlabel{table:ebpf_syscall}{{2.7}{16}{Types of syscall actions. Only those relevant to our research are shown the full list and attribute details can be consulted in the man page \cite {bpf_syscall}\relax }{table.caption.20}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.8}{\ignorespaces Types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite {bpf_syscall}.\relax }}{16}{table.caption.21}\protected@file@percent }
|
||||
\newlabel{table:ebpf_prog_types}{{2.8}{16}{Types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite {bpf_syscall}.\relax }{table.caption.21}{}}
|
||||
\abx@aux@cite{ebpf_helpers}
|
||||
\abx@aux@segm{0}{0}{ebpf_helpers}
|
||||
\abx@aux@cite{ebpf_helpers}
|
||||
\abx@aux@segm{0}{0}{ebpf_helpers}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.9}{\ignorespaces Common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite {ebpf_helpers}.\relax }}{17}{table.caption.22}\protected@file@percent }
|
||||
\newlabel{table:ebpf_helpers}{{2.9}{17}{Common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite {ebpf_helpers}.\relax }{table.caption.22}{}}
|
||||
\abx@aux@cite{xdp_gentle_intro}
|
||||
\abx@aux@segm{0}{0}{xdp_gentle_intro}
|
||||
\abx@aux@cite{xdp_manual}
|
||||
\abx@aux@segm{0}{0}{xdp_manual}
|
||||
\abx@aux@cite{tc_differences}
|
||||
\abx@aux@segm{0}{0}{tc_differences}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.3}eBPF program types}{18}{section.2.3}\protected@file@percent }
|
||||
\newlabel{section:ebpf_prog_types}{{2.3}{18}{eBPF program types}{section.2.3}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.1}XDP}{18}{subsection.2.3.1}\protected@file@percent }
|
||||
\newlabel{subsection:xdp}{{2.3.1}{18}{XDP}{subsection.2.3.1}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.10}{\ignorespaces Relevant XDP return values.\relax }}{18}{table.caption.24}\protected@file@percent }
|
||||
\newlabel{table:xdp_actions_av}{{2.10}{18}{Relevant XDP return values.\relax }{table.caption.24}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.2}Traffic Control}{18}{subsection.2.3.2}\protected@file@percent }
|
||||
\newlabel{subsection:tc}{{2.3.2}{18}{Traffic Control}{subsection.2.3.2}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.8}{\ignorespaces XDP and TC modules integration in the network processing module of the Linux kernel.\relax }}{19}{figure.caption.23}\protected@file@percent }
|
||||
\newlabel{fig:xdp_diag}{{2.8}{19}{XDP and TC modules integration in the network processing module of the Linux kernel.\relax }{figure.caption.23}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.11}{\ignorespaces Relevant XDP-exclusive eBPF helpers.\relax }}{19}{table.caption.25}\protected@file@percent }
|
||||
\newlabel{table:xdp_helpers}{{2.11}{19}{Relevant XDP-exclusive eBPF helpers.\relax }{table.caption.25}{}}
|
||||
\abx@aux@cite{tc_docs_complete}
|
||||
\abx@aux@segm{0}{0}{tc_docs_complete}
|
||||
\abx@aux@cite{tc_direct_action}
|
||||
\abx@aux@segm{0}{0}{tc_direct_action}
|
||||
\abx@aux@cite{tc_ret_list_complete}
|
||||
\abx@aux@segm{0}{0}{tc_ret_list_complete}
|
||||
\abx@aux@cite{tc_ret_list_complete}
|
||||
\abx@aux@segm{0}{0}{tc_ret_list_complete}
|
||||
\abx@aux@cite{tp_kernel}
|
||||
\abx@aux@segm{0}{0}{tp_kernel}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.12}{\ignorespaces Relevant TC return values. Full list can be consulted at \cite {tc_ret_list_complete}.\relax }}{20}{table.caption.26}\protected@file@percent }
|
||||
\newlabel{table:tc_actions}{{2.12}{20}{Relevant TC return values. Full list can be consulted at \cite {tc_ret_list_complete}.\relax }{table.caption.26}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.3}Tracepoints}{20}{subsection.2.3.3}\protected@file@percent }
|
||||
\newlabel{subsection:tracepoints}{{2.3.3}{20}{Tracepoints}{subsection.2.3.3}{}}
|
||||
\abx@aux@cite{kprobe_manual}
|
||||
\abx@aux@segm{0}{0}{kprobe_manual}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.13}{\ignorespaces Relevant TC-exclusive eBPF helpers.\relax }}{21}{table.caption.27}\protected@file@percent }
|
||||
\newlabel{table:tc_helpers}{{2.13}{21}{Relevant TC-exclusive eBPF helpers.\relax }{table.caption.27}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.4}Kprobes}{21}{subsection.2.3.4}\protected@file@percent }
|
||||
\abx@aux@cite{kallsyms_kernel}
|
||||
\abx@aux@segm{0}{0}{kallsyms_kernel}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.5}Uprobes}{22}{subsection.2.3.5}\protected@file@percent }
|
||||
\abx@aux@cite{bcc_github}
|
||||
\abx@aux@segm{0}{0}{bcc_github}
|
||||
\abx@aux@cite{libbpf_github}
|
||||
\abx@aux@segm{0}{0}{libbpf_github}
|
||||
\abx@aux@cite{libbpf_upstream}
|
||||
\abx@aux@segm{0}{0}{libbpf_upstream}
|
||||
\abx@aux@cite{libbpf_core}
|
||||
\abx@aux@segm{0}{0}{libbpf_core}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.4}Developing eBPF programs}{23}{section.2.4}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.1}BCC}{23}{subsection.2.4.1}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.2}Bpftool}{23}{subsection.2.4.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.3}Libbpf}{24}{subsection.2.4.3}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.9}{\ignorespaces Compilation and loading process of a program developed with libbpf.\relax }}{25}{figure.caption.28}\protected@file@percent }
|
||||
\newlabel{fig:libbpf}{{2.9}{25}{Compilation and loading process of a program developed with libbpf.\relax }{figure.caption.28}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.14}{\ignorespaces BPF skeleton functions.\relax }}{25}{table.caption.29}\protected@file@percent }
|
||||
\newlabel{table:libbpf_skel}{{2.14}{25}{BPF skeleton functions.\relax }{table.caption.29}{}}
|
||||
\abx@aux@cite{ubuntu_caps}
|
||||
\abx@aux@segm{0}{0}{ubuntu_caps}
|
||||
\abx@aux@cite{evil_ebpf_p9}
|
||||
\abx@aux@segm{0}{0}{evil_ebpf_p9}
|
||||
\abx@aux@cite{ebpf_caps_intro}
|
||||
\abx@aux@segm{0}{0}{ebpf_caps_intro}
|
||||
\abx@aux@cite{ebpf_caps_lwn}
|
||||
\abx@aux@segm{0}{0}{ebpf_caps_lwn}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.5}Security features in eBPF}{26}{section.2.5}\protected@file@percent }
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.15}{\ignorespaces Kernel compilation flags for eBPF.\relax }}{26}{table.caption.30}\protected@file@percent }
|
||||
\newlabel{table:ebpf_kernel_flags}{{2.15}{26}{Kernel compilation flags for eBPF.\relax }{table.caption.30}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.5.1}Access control}{26}{subsection.2.5.1}\protected@file@percent }
|
||||
\newlabel{subsection:access_control}{{2.5.1}{26}{Access control}{subsection.2.5.1}{}}
|
||||
\abx@aux@cite{unprivileged_ebpf}
|
||||
\abx@aux@segm{0}{0}{unprivileged_ebpf}
|
||||
\abx@aux@cite{cve_unpriv_ebpf}
|
||||
\abx@aux@segm{0}{0}{cve_unpriv_ebpf}
|
||||
\abx@aux@cite{unpriv_ebpf_ubuntu}
|
||||
\abx@aux@segm{0}{0}{unpriv_ebpf_ubuntu}
|
||||
\abx@aux@cite{unpriv_ebpf_suse}
|
||||
\abx@aux@segm{0}{0}{unpriv_ebpf_suse}
|
||||
\abx@aux@cite{unpriv_ebpf_redhat}
|
||||
\abx@aux@segm{0}{0}{unpriv_ebpf_redhat}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.16}{\ignorespaces Capabilities needed for eBPF.\relax }}{27}{table.caption.31}\protected@file@percent }
|
||||
\newlabel{table:ebpf_caps_current}{{2.16}{27}{Capabilities needed for eBPF.\relax }{table.caption.31}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.17}{\ignorespaces Values for unprivileged eBPF kernel parameter.\relax }}{27}{table.caption.32}\protected@file@percent }
|
||||
\newlabel{table:unpriv_ebpf_values}{{2.17}{27}{Values for unprivileged eBPF kernel parameter.\relax }{table.caption.32}{}}
|
||||
\abx@aux@cite{mem_page_arch}
|
||||
\abx@aux@segm{0}{0}{mem_page_arch}
|
||||
\abx@aux@cite{page_faults}
|
||||
\abx@aux@segm{0}{0}{page_faults}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.6}Memory management in Linux}{28}{section.2.6}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.6.1}Memory pages and faults}{28}{subsection.2.6.1}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.10}{\ignorespaces Memory translation of virtual pages to physical pages.\relax }}{28}{figure.caption.33}\protected@file@percent }
|
||||
\newlabel{fig:mem_arch_pages}{{2.10}{28}{Memory translation of virtual pages to physical pages.\relax }{figure.caption.33}{}}
|
||||
\abx@aux@cite{mem_arch_proc}
|
||||
\abx@aux@segm{0}{0}{mem_arch_proc}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.11}{\ignorespaces Major page fault after a page was removed from RAM.\relax }}{29}{figure.caption.34}\protected@file@percent }
|
||||
\newlabel{fig:mem_major_page_fault}{{2.11}{29}{Major page fault after a page was removed from RAM.\relax }{figure.caption.34}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.6.2}Process virtual memory}{29}{subsection.2.6.2}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.12}{\ignorespaces Minor page fault after a fork() in which the page table was not copied completely.\relax }}{30}{figure.caption.35}\protected@file@percent }
|
||||
\newlabel{fig:mem_minor_page_fault}{{2.12}{30}{Minor page fault after a fork() in which the page table was not copied completely.\relax }{figure.caption.35}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.13}{\ignorespaces Virtual memory architecture of a process \cite {mem_arch_proc}.\relax }}{30}{figure.caption.36}\protected@file@percent }
|
||||
\newlabel{fig:mem_proc_arch}{{2.13}{30}{Virtual memory architecture of a process \cite {mem_arch_proc}.\relax }{figure.caption.36}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.6.3}The process stack}{31}{subsection.2.6.3}\protected@file@percent }
|
||||
\newlabel{subsection:stack}{{2.6.3}{31}{The process stack}{subsection.2.6.3}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.14}{\ignorespaces Simplified stack representation showing only stack frames.\relax }}{31}{figure.caption.37}\protected@file@percent }
|
||||
\newlabel{fig:stack_pres}{{2.14}{31}{Simplified stack representation showing only stack frames.\relax }{figure.caption.37}{}}
|
||||
\abx@aux@cite{8664_params_abi_p18}
|
||||
\abx@aux@segm{0}{0}{8664_params_abi_p18}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.18}{\ignorespaces Relevant registers in x86\_64 for the stack and control flow and their purpose.\relax }}{32}{table.caption.38}\protected@file@percent }
|
||||
\newlabel{table:systemv_abi_other}{{2.18}{32}{Relevant registers in x86\_64 for the stack and control flow and their purpose.\relax }{table.caption.38}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.15}{\ignorespaces Representation of push and pop operations in the stack.\relax }}{33}{figure.caption.39}\protected@file@percent }
|
||||
\newlabel{fig:stack_ops}{{2.15}{33}{Representation of push and pop operations in the stack.\relax }{figure.caption.39}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.16}{\ignorespaces Stack representation right before starting the function call process.\relax }}{33}{figure.caption.40}\protected@file@percent }
|
||||
\newlabel{fig:stack_before}{{2.16}{33}{Stack representation right before starting the function call process.\relax }{figure.caption.40}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.17}{\ignorespaces Stack representation right after the function preamble.\relax }}{34}{figure.caption.41}\protected@file@percent }
|
||||
\newlabel{fig:stack}{{2.17}{34}{Stack representation right after the function preamble.\relax }{figure.caption.41}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.7}Attacks at the stack}{35}{section.2.7}\protected@file@percent }
|
||||
\newlabel{section:attacks_stack}{{2.7}{35}{Attacks at the stack}{section.2.7}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.7.1}Buffer overflow}{35}{subsection.2.7.1}\protected@file@percent }
|
||||
\newlabel{subsection: buf_overflow}{{2.7.1}{35}{Buffer overflow}{subsection.2.7.1}{}}
|
||||
\newlabel{code:vuln_overflow}{{2.1}{35}{Program vulnerable to buffer overflow}{lstlisting.2.1}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {2.1}Program vulnerable to buffer overflow.}{35}{lstlisting.2.1}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.18}{\ignorespaces Execution hijack overwriting saved rip value.\relax }}{36}{figure.caption.42}\protected@file@percent }
|
||||
\newlabel{fig:stack_ret_hij_simple}{{2.18}{36}{Execution hijack overwriting saved rip value.\relax }{figure.caption.42}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.19}{\ignorespaces Stack buffer overflow overwriting ret value.\relax }}{37}{figure.caption.43}\protected@file@percent }
|
||||
\newlabel{fig:buffer_overflow}{{2.19}{37}{Stack buffer overflow overwriting ret value.\relax }{figure.caption.43}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.20}{\ignorespaces Executing arbitrary code exploiting a buffer overflow vulnerability.\relax }}{38}{figure.caption.44}\protected@file@percent }
|
||||
\newlabel{fig:buffer_overflow_shellcode}{{2.20}{38}{Executing arbitrary code exploiting a buffer overflow vulnerability.\relax }{figure.caption.44}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.7.2}Return oriented programming attacks}{38}{subsection.2.7.2}\protected@file@percent }
|
||||
\newlabel{subsection:rop}{{2.7.2}{38}{Return oriented programming attacks}{subsection.2.7.2}{}}
|
||||
\abx@aux@cite{rop_prog_finder}
|
||||
\abx@aux@segm{0}{0}{rop_prog_finder}
|
||||
\newlabel{code:rop_ex}{{2.2}{39}{Sample program to run using ROP}{lstlisting.2.2}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {2.2}Sample program to run using ROP.}{39}{lstlisting.2.2}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.21}{\ignorespaces Steps for executing code sample using ROP.\relax }}{40}{figure.caption.45}\protected@file@percent }
|
||||
\newlabel{fig:rop_compund}{{2.21}{40}{Steps for executing code sample using ROP.\relax }{figure.caption.45}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.8}Networking fundamentals in Linux}{40}{section.2.8}\protected@file@percent }
|
||||
\abx@aux@cite{network_layers}
|
||||
\abx@aux@segm{0}{0}{network_layers}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.8.1}An overview on the network layer}{41}{subsection.2.8.1}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.22}{\ignorespaces Ethernet frame with TCP/IP packet.\relax }}{41}{figure.caption.46}\protected@file@percent }
|
||||
\newlabel{fig:frame}{{2.22}{41}{Ethernet frame with TCP/IP packet.\relax }{figure.caption.46}{}}
|
||||
\abx@aux@cite{tcp_reliable}
|
||||
\abx@aux@segm{0}{0}{tcp_reliable}
|
||||
\abx@aux@cite{tcp_handshake}
|
||||
\abx@aux@segm{0}{0}{tcp_handshake}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.8.2}Introduction to the TCP protocol}{42}{subsection.2.8.2}\protected@file@percent }
|
||||
\newlabel{subsection:tcp}{{2.8.2}{42}{Introduction to the TCP protocol}{subsection.2.8.2}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.19}{\ignorespaces Relevant TCP flags and their purpose.\relax }}{43}{table.caption.47}\protected@file@percent }
|
||||
\newlabel{table:tcp_flags}{{2.19}{43}{Relevant TCP flags and their purpose.\relax }{table.caption.47}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.23}{\ignorespaces TCP 3-way handshake.\relax }}{43}{figure.caption.48}\protected@file@percent }
|
||||
\newlabel{fig:tcp_conn}{{2.23}{43}{TCP 3-way handshake.\relax }{figure.caption.48}{}}
|
||||
\abx@aux@cite{elf}
|
||||
\abx@aux@segm{0}{0}{elf}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.24}{\ignorespaces TCP packet retransmission on timeout.\relax }}{44}{figure.caption.49}\protected@file@percent }
|
||||
\newlabel{fig:tcp_retransmission}{{2.24}{44}{TCP packet retransmission on timeout.\relax }{figure.caption.49}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.9}ELF binaries}{44}{section.2.9}\protected@file@percent }
|
||||
\newlabel{section:elf}{{2.9}{44}{ELF binaries}{section.2.9}{}}
|
||||
\abx@aux@cite{plt_got_overlord}
|
||||
\abx@aux@segm{0}{0}{plt_got_overlord}
|
||||
\abx@aux@cite{plt_got_technovelty}
|
||||
\abx@aux@segm{0}{0}{plt_got_technovelty}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.9.1}The ELF format and Lazy Binding}{45}{subsection.2.9.1}\protected@file@percent }
|
||||
\newlabel{subsection:elf_lazy_binding}{{2.9.1}{45}{The ELF format and Lazy Binding}{subsection.2.9.1}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.20}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{45}{table.caption.50}\protected@file@percent }
|
||||
\newlabel{table:elf_tools}{{2.20}{45}{Tools used for analysis of ELF programs.\relax }{table.caption.50}{}}
|
||||
\newlabel{code:lazy_bind_1}{{2.3}{45}{Call to PLT stub seen from objdump}{lstlisting.2.3}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {2.3}Call to PLT stub seen from objdump.}{45}{lstlisting.2.3}\protected@file@percent }
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.21}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{46}{table.caption.51}\protected@file@percent }
|
||||
\newlabel{table:elf_sec_headers}{{2.21}{46}{Tools used for analysis of ELF programs.\relax }{table.caption.51}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.25}{\ignorespaces PLT stub for timerfd\_settime, seen from gdb-peda.\relax }}{47}{figure.caption.52}\protected@file@percent }
|
||||
\newlabel{fig:lazy_bind_2}{{2.25}{47}{PLT stub for timerfd\_settime, seen from gdb-peda.\relax }{figure.caption.52}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.26}{\ignorespaces Inspecting address stored in GOT section before dynamic linking, seen from gdb-peda.\relax }}{47}{figure.caption.53}\protected@file@percent }
|
||||
\newlabel{fig:lazy_bind_3}{{2.26}{47}{Inspecting address stored in GOT section before dynamic linking, seen from gdb-peda.\relax }{figure.caption.53}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.27}{\ignorespaces Inspecting address stored in GOT section after dynamic linking, seen from gdb-peda.\relax }}{47}{figure.caption.54}\protected@file@percent }
|
||||
\newlabel{fig:lazy_bind_4}{{2.27}{47}{Inspecting address stored in GOT section after dynamic linking, seen from gdb-peda.\relax }{figure.caption.54}{}}
|
||||
\abx@aux@cite{aslr_pie_intro}
|
||||
\abx@aux@segm{0}{0}{aslr_pie_intro}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.28}{\ignorespaces Glibc function to which PLT jumps using address stored at GOT, seen from gdb-peda.\relax }}{48}{figure.caption.55}\protected@file@percent }
|
||||
\newlabel{fig:lazy_bind_5}{{2.28}{48}{Glibc function to which PLT jumps using address stored at GOT, seen from gdb-peda.\relax }{figure.caption.55}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.9.2}Hardening ELF binaries}{48}{subsection.2.9.2}\protected@file@percent }
|
||||
\newlabel{subsection:hardening_elf}{{2.9.2}{48}{Hardening ELF binaries}{subsection.2.9.2}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.22}{\ignorespaces Security features in C compilers used in the study.\relax }}{48}{table.caption.56}\protected@file@percent }
|
||||
\newlabel{table:compilers}{{2.22}{48}{Security features in C compilers used in the study.\relax }{table.caption.56}{}}
|
||||
\abx@aux@cite{aslr_pie_intro}
|
||||
\abx@aux@segm{0}{0}{aslr_pie_intro}
|
||||
\abx@aux@cite{relro_redhat}
|
||||
\abx@aux@segm{0}{0}{relro_redhat}
|
||||
\abx@aux@cite{cet_windows}
|
||||
\abx@aux@segm{0}{0}{cet_windows}
|
||||
\abx@aux@cite{cet_linux}
|
||||
\abx@aux@segm{0}{0}{cet_linux}
|
||||
\abx@aux@cite{proc_fs}
|
||||
\abx@aux@segm{0}{0}{proc_fs}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.10}The proc filesystem}{50}{section.2.10}\protected@file@percent }
|
||||
\newlabel{section:proc_filesystem}{{2.10}{50}{The proc filesystem}{section.2.10}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.23}{\ignorespaces Values for \textit {/proc/sys/kernel/yama/ptrace\_scope}.\relax }}{50}{table.caption.57}\protected@file@percent }
|
||||
\newlabel{table:yama_values}{{2.23}{50}{Values for \textit {/proc/sys/kernel/yama/ptrace\_scope}.\relax }{table.caption.57}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.10.1}/proc/<pid>/maps}{50}{subsection.2.10.1}\protected@file@percent }
|
||||
\newlabel{subsection:proc_maps}{{2.10.1}{50}{/proc/<pid>/maps}{subsection.2.10.1}{}}
|
||||
\abx@aux@cite{proc_fs}
|
||||
\abx@aux@segm{0}{0}{proc_fs}
|
||||
\abx@aux@cite{proc_mem_write}
|
||||
\abx@aux@segm{0}{0}{proc_mem_write}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.29}{\ignorespaces File /proc/<pid>/maps of a sample program.\relax }}{51}{figure.caption.58}\protected@file@percent }
|
||||
\newlabel{fig:proc_maps_sample}{{2.29}{51}{File /proc/<pid>/maps of a sample program.\relax }{figure.caption.58}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.10.2}/proc/<pid>/mem}{51}{subsection.2.10.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Analysis of offensive capabilities}{52}{chapter.3}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
||||
\newlabel{chapter:analysis_offensive_capabilities}{{3}{52}{Analysis of offensive capabilities}{chapter.3}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.1}eBPF maps security}{52}{section.3.1}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.2}Abusing tracing programs}{53}{section.3.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.1}Access to function arguments}{53}{subsection.3.2.1}\protected@file@percent }
|
||||
\newlabel{code:format_kprobe}{{3.1}{53}{Probe function for a kprobe on the kernel function vfs\_write}{lstlisting.3.1}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.1}Probe function for a kprobe on the kernel function vfs\_write.}{53}{lstlisting.3.1}\protected@file@percent }
|
||||
\newlabel{code:format_uprobe}{{3.2}{53}{Probe function for an uprobe, execute\_command is defined from user space}{lstlisting.3.2}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.2}Probe function for an uprobe, execute\_command is defined from user space.}{53}{lstlisting.3.2}\protected@file@percent }
|
||||
\newlabel{code:format_tracepoint}{{3.3}{53}{Probe function for a tracepoint on the start of the syscall sys\_read}{lstlisting.3.3}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.3}Probe function for a tracepoint on the start of the syscall sys\_read.}{53}{lstlisting.3.3}\protected@file@percent }
|
||||
\newlabel{code:format_ptregs}{{3.4}{53}{Format of struct pt\_regs}{lstlisting.3.4}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.4}Format of struct pt\_regs.}{53}{lstlisting.3.4}\protected@file@percent }
|
||||
\abx@aux@cite{8664_params_abi}
|
||||
\abx@aux@segm{0}{0}{8664_params_abi}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.1}{\ignorespaces Argument passing convention of registers for function calls in user and kernel space respectively.\relax }}{54}{table.caption.59}\protected@file@percent }
|
||||
\newlabel{table:systemv_abi}{{3.1}{54}{Argument passing convention of registers for function calls in user and kernel space respectively.\relax }{table.caption.59}{}}
|
||||
\newlabel{code:sys_enter_read_tp_format}{{3.5}{54}{Format for parameters in sys\_enter\_read specified at the format file}{lstlisting.3.5}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.5}Format for parameters in sys\_enter\_read specified at the format file.}{54}{lstlisting.3.5}\protected@file@percent }
|
||||
\newlabel{code:sys_enter_read_tp}{{3.6}{55}{Format of custom struct sys\_read\_enter\_ctx}{lstlisting.3.6}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.6}Format of custom struct sys\_read\_enter\_ctx.}{55}{lstlisting.3.6}\protected@file@percent }
|
||||
\abx@aux@cite{ebpf_friends_p15}
|
||||
\abx@aux@segm{0}{0}{ebpf_friends_p15}
|
||||
\abx@aux@cite{ebpf_override_return}
|
||||
\abx@aux@segm{0}{0}{ebpf_override_return}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{56}{subsection.3.2.2}\protected@file@percent }
|
||||
\newlabel{subsection:out_read_bounds}{{3.2.2}{56}{Reading memory out of bounds}{subsection.3.2.2}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.3}Overriding function return values}{56}{subsection.3.2.3}\protected@file@percent }
|
||||
\abx@aux@cite{code_kernel_open}
|
||||
\abx@aux@segm{0}{0}{code_kernel_open}
|
||||
\abx@aux@cite{code_kernel_open}
|
||||
\abx@aux@segm{0}{0}{code_kernel_open}
|
||||
\abx@aux@cite{code_kernel_syscall}
|
||||
\abx@aux@segm{0}{0}{code_kernel_syscall}
|
||||
\abx@aux@cite{code_kernel_syscall}
|
||||
\abx@aux@segm{0}{0}{code_kernel_syscall}
|
||||
\abx@aux@cite{fault_injection}
|
||||
\abx@aux@segm{0}{0}{fault_injection}
|
||||
\newlabel{code:override_return_1}{{3.7}{57}{Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{lstlisting.3.7}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.7}Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{57}{lstlisting.3.7}\protected@file@percent }
|
||||
\newlabel{code:override_return_2}{{3.8}{57}{Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_syscall}}{lstlisting.3.8}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.8}Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_syscall}}{57}{lstlisting.3.8}\protected@file@percent }
|
||||
\abx@aux@cite{ebpf_helpers}
|
||||
\abx@aux@segm{0}{0}{ebpf_helpers}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.4}Sending signals to user programs}{58}{subsection.3.2.4}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.5}Takeaways}{58}{subsection.3.2.5}\protected@file@percent }
|
||||
\newlabel{subsection:tracing_attacks_conclusion}{{3.2.5}{58}{Takeaways}{subsection.3.2.5}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.3}Memory corruption}{58}{section.3.3}\protected@file@percent }
|
||||
\newlabel{section:mem_corruption}{{3.3}{58}{Memory corruption}{section.3.3}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.1}Attacks and limitations of bpf\_probe\_write\_user()}{58}{subsection.3.3.1}\protected@file@percent }
|
||||
\newlabel{subsection:bpf_probe_write_apps}{{3.3.1}{58}{Attacks and limitations of bpf\_probe\_write\_user()}{subsection.3.3.1}{}}
|
||||
\abx@aux@cite{write_helper_non_fault}
|
||||
\abx@aux@segm{0}{0}{write_helper_non_fault}
|
||||
\abx@aux@cite{code_vfs_read}
|
||||
\abx@aux@segm{0}{0}{code_vfs_read}
|
||||
\abx@aux@cite{code_vfs_read}
|
||||
\abx@aux@segm{0}{0}{code_vfs_read}
|
||||
\abx@aux@cite{evil_ebpf_p6974}
|
||||
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
|
||||
\newlabel{code:vfs_read}{{3.9}{59}{Definition of kernel function vfs\_read. \cite {code_vfs_read}}{lstlisting.3.9}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.9}Definition of kernel function vfs\_read. \cite {code_vfs_read}}{59}{lstlisting.3.9}\protected@file@percent }
|
||||
\abx@aux@cite{8664_params_abi_p1922}
|
||||
\abx@aux@segm{0}{0}{8664_params_abi_p1922}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.1}{\ignorespaces Overview of stack scanning and writing technique.\relax }}{60}{figure.caption.60}\protected@file@percent }
|
||||
\newlabel{fig:stack_scan_write_tech}{{3.1}{60}{Overview of stack scanning and writing technique.\relax }{figure.caption.60}{}}
|
||||
\newlabel{code:stack_scan_write_tech}{{3.10}{60}{Sample program being executed on figure \ref {fig:stack_scan_write_tech}}{lstlisting.3.10}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.10}Sample program being executed on figure \ref {fig:stack_scan_write_tech}.}{60}{lstlisting.3.10}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.2}Takeaways}{61}{subsection.3.3.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.4}Abusing networking programs}{62}{section.3.4}\protected@file@percent }
|
||||
\newlabel{section:abusing_networking}{{3.4}{62}{Abusing networking programs}{section.3.4}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.1}Attacks and limitations of networking programs}{62}{subsection.3.4.1}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.2}{\ignorespaces Technique to duplicate a packet for exfiltrating data.\relax }}{64}{figure.caption.61}\protected@file@percent }
|
||||
\newlabel{fig:tcp_exfiltrate_retrans}{{3.2}{64}{Technique to duplicate a packet for exfiltrating data.\relax }{figure.caption.61}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.2}Takeaways}{65}{subsection.3.4.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Design of a malicious eBPF rootkit}{66}{chapter.4}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.1}Rootkit architecture}{66}{section.4.1}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.1}{\ignorespaces Overview of the rootkit subsystems and components.\relax }}{67}{figure.caption.62}\protected@file@percent }
|
||||
\newlabel{fig:rootkit}{{4.1}{67}{Overview of the rootkit subsystems and components.\relax }{figure.caption.62}{}}
|
||||
\abx@aux@cite{rawtcp_lib}
|
||||
\abx@aux@segm{0}{0}{rawtcp_lib}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.2}{\ignorespaces Rootkit programs and scripts.\relax }}{69}{figure.caption.63}\protected@file@percent }
|
||||
\newlabel{fig:rootkit_files}{{4.2}{69}{Rootkit programs and scripts.\relax }{figure.caption.63}{}}
|
||||
\abx@aux@cite{evil_ebpf_p6974}
|
||||
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
|
||||
\abx@aux@cite{evil_ebpf_p6974}
|
||||
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.2}Library injection module}{70}{section.4.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.1}ROP with eBPF}{70}{subsection.4.2.1}\protected@file@percent }
|
||||
\newlabel{subsection:rop_ebpf}{{4.2.1}{70}{ROP with eBPF}{subsection.4.2.1}{}}
|
||||
\abx@aux@cite{glibc}
|
||||
\abx@aux@segm{0}{0}{glibc}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.3}{\ignorespaces Initial setup for the ROP with eBPF technique.\relax }}{71}{figure.caption.64}\protected@file@percent }
|
||||
\newlabel{fig:rop_evil_ebpf_1}{{4.3}{71}{Initial setup for the ROP with eBPF technique.\relax }{figure.caption.64}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.4}{\ignorespaces Process memory after syscall exits and ROP code overwrites the stack.\relax }}{72}{figure.caption.65}\protected@file@percent }
|
||||
\newlabel{fig:rop_evil_ebpf_2}{{4.4}{72}{Process memory after syscall exits and ROP code overwrites the stack.\relax }{figure.caption.65}{}}
|
||||
\abx@aux@cite{canary_exploit}
|
||||
\abx@aux@segm{0}{0}{canary_exploit}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.5}{\ignorespaces Stack data is restored and program continues its execution.\relax }}{73}{figure.caption.66}\protected@file@percent }
|
||||
\newlabel{fig:rop_evil_ebpf_3}{{4.5}{73}{Stack data is restored and program continues its execution.\relax }{figure.caption.66}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.2}Bypassing hardening features in ELFs}{73}{subsection.4.2.2}\protected@file@percent }
|
||||
\newlabel{subsection:hardening_bypass}{{4.2.2}{73}{Bypassing hardening features in ELFs}{subsection.4.2.2}{}}
|
||||
\abx@aux@cite{pie_exploit}
|
||||
\abx@aux@segm{0}{0}{pie_exploit}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.6}{\ignorespaces Two runs of the same executable using ASLR, showing a library and two symbols.\relax }}{74}{figure.caption.67}\protected@file@percent }
|
||||
\newlabel{fig:alsr_offset}{{4.6}{74}{Two runs of the same executable using ASLR, showing a library and two symbols.\relax }{figure.caption.67}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.3}Library injection via GOT hijacking}{75}{subsection.4.2.3}\protected@file@percent }
|
||||
\newlabel{subsection:got_attack}{{4.2.3}{75}{Library injection via GOT hijacking}{subsection.4.2.3}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.7}{\ignorespaces Overview of jump and return instructions from the program instructions to the syscall at the kernel.\relax }}{76}{figure.caption.68}\protected@file@percent }
|
||||
\newlabel{fig:lib_stage1}{{4.7}{76}{Overview of jump and return instructions from the program instructions to the syscall at the kernel.\relax }{figure.caption.68}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.8}{\ignorespaces Call to the glibc function, using objdump.\relax }}{76}{figure.caption.69}\protected@file@percent }
|
||||
\newlabel{fig:firstcall}{{4.8}{76}{Call to the glibc function, using objdump.\relax }{figure.caption.69}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.9}{\ignorespaces PLT stub generated with gcc compiler, using objdump.\relax }}{76}{figure.caption.70}\protected@file@percent }
|
||||
\newlabel{fig:plt_gcc}{{4.9}{76}{PLT stub generated with gcc compiler, using objdump.\relax }{figure.caption.70}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.10}{\ignorespaces PLT stub generated with clang compiler, using objdump.\relax }}{77}{figure.caption.71}\protected@file@percent }
|
||||
\newlabel{fig:plt_clang}{{4.10}{77}{PLT stub generated with clang compiler, using objdump.\relax }{figure.caption.71}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.11}{\ignorespaces Timerfd\_settime function at glibc, using objdump.\relax }}{77}{figure.caption.72}\protected@file@percent }
|
||||
\newlabel{fig:settime_glibc}{{4.11}{77}{Timerfd\_settime function at glibc, using objdump.\relax }{figure.caption.72}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {4.1}{\ignorespaces Arguments and return value of function \_\_libc\_malloc.\relax }}{77}{table.caption.73}\protected@file@percent }
|
||||
\newlabel{table:libc_malloc}{{4.1}{77}{Arguments and return value of function \_\_libc\_malloc.\relax }{table.caption.73}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {4.2}{\ignorespaces Arguments of function \_\_libc\_dlopen\_mode.\relax }}{78}{table.caption.74}\protected@file@percent }
|
||||
\newlabel{table:libc_dlopen_mode}{{4.2}{78}{Arguments of function \_\_libc\_dlopen\_mode.\relax }{table.caption.74}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.12}{\ignorespaces Functions at glibc with ASLR active.\relax }}{78}{figure.caption.75}\protected@file@percent }
|
||||
\newlabel{fig:aslr_bypass_example}{{4.12}{78}{Functions at glibc with ASLR active.\relax }{figure.caption.75}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Evaluation}{81}{chapter.5}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {5.1}Developed capabilities}{81}{section.5.1}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {5.2}Rootkit use cases}{81}{section.5.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Related work}{82}{chapter.6}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
||||
\newlabel{chapter:related_work}{{6}{82}{Related work}{chapter.6}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{83}{chapter.6}\protected@file@percent }
|
||||
\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.77}{}}
|
||||
\newlabel{annex:readelf_commands}{{6}{}{Appendix B - Readelf commands}{chapter*.78}{}}
|
||||
\newlabel{annexsec:readelf_sec_headers}{{6}{}{}{chapter*.78}{}}
|
||||
\newlabel{code:elf_sections}{{6.1}{}{List of ELF section headers with readelf tool of a program compiled with GCC}{lstlisting.6.1}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {6.1}List of ELF section headers with readelf tool of a program compiled with GCC.}{}{lstlisting.6.1}\protected@file@percent }
|
||||
\newlabel{annex:shellcode}{{6}{}{Appendix C - Library injection shellcode}{chapter*.79}{}}
|
||||
\newlabel{code:shellcode}{{6.2}{}{Shellcode for library injection and its opcodes}{lstlisting.6.2}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {6.2}Shellcode for library injection and its opcodes.}{}{lstlisting.6.2}\protected@file@percent }
|
||||
\abx@aux@read@bbl@mdfivesum{C88931983EB38C795A3D36AB8548A2C9}
|
||||
\abx@aux@refcontextdefaultsdone
|
||||
\abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_linux318}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{bvp47_report}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{bpfdoor_pwc}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_windows}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_android}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{evil_ebpf}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{bad_ebpf}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_friends}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_io}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{bpf_bsd_origin}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_history_opensource}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{bpf_bsd_origin_bpf_page2}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{bpf_bsd_origin_bpf_page1}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{index_register}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{bpf_bsd_origin_bpf_page5}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{bpf_organicprogrammer_analysis}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{bpf_bsd_origin_bpf_page8}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{bpf_bsd_origin_bpf_page7}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{tcpdump_page}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_funcs_by_ver}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{brendan_gregg_bpf_book}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_io_arch}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_inst_set}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{8664_inst_set_specs}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_starovo_slides}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_JIT}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_JIT_demystify_page13}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_JIT_demystify_page14}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{jit_enable_setting}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_starovo_slides_page23}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{brendan_gregg_bpf_book_bpf_vm}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_verifier_kerneldocs}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_JIT_demystify_page17-22}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_bounded_loops}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_maps_kernel}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{bpf_syscall}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_helpers}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{xdp_gentle_intro}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{xdp_manual}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{tc_differences}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{tc_docs_complete}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{tc_direct_action}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{tc_ret_list_complete}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{tp_kernel}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{kprobe_manual}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{kallsyms_kernel}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{bcc_github}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{libbpf_github}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{libbpf_upstream}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{libbpf_core}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ubuntu_caps}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{evil_ebpf_p9}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_caps_intro}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_caps_lwn}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{unprivileged_ebpf}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{cve_unpriv_ebpf}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{unpriv_ebpf_ubuntu}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{unpriv_ebpf_suse}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{unpriv_ebpf_redhat}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{mem_page_arch}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{page_faults}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{mem_arch_proc}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{8664_params_abi_p18}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{rop_prog_finder}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{network_layers}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{tcp_reliable}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{tcp_handshake}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{elf}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{plt_got_overlord}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{plt_got_technovelty}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{aslr_pie_intro}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{relro_redhat}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{cet_windows}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{cet_linux}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{proc_fs}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{proc_mem_write}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{8664_params_abi}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_friends_p15}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_override_return}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{code_kernel_open}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{code_kernel_syscall}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{fault_injection}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{write_helper_non_fault}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{code_vfs_read}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{evil_ebpf_p6974}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{8664_params_abi_p1922}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{rawtcp_lib}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{glibc}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{canary_exploit}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{pie_exploit}{none/global//global/global}
|
||||
\ttl@finishall
|
||||
\gdef \@abspage@last{112}
|
||||
2001
docs/document.bbl
2001
docs/document.bbl
File diff suppressed because it is too large
2485
docs/document.bcf
2485
docs/document.bcf
File diff suppressed because it is too large
@@ -1,111 +0,0 @@
|
||||
[0] Config.pm:311> INFO - This is Biber 2.16
|
||||
[0] Config.pm:314> INFO - Logfile is 'document.blg'
|
||||
[57] biber:340> INFO - === Sun Jun 12, 2022, 19:59:01
|
||||
[69] Biber.pm:415> INFO - Reading 'document.bcf'
|
||||
[147] Biber.pm:952> INFO - Found 92 citekeys in bib section 0
|
||||
[160] Biber.pm:4340> INFO - Processing section 0
|
||||
[169] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
|
||||
[172] bibtex.pm:1689> INFO - LaTeX decoding ...
|
||||
[206] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
|
||||
[417] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 9, warning: 1 characters of junk seen at toplevel
|
||||
[417] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 15, warning: 1 characters of junk seen at toplevel
|
||||
[417] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 22, warning: 1 characters of junk seen at toplevel
|
||||
[417] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 28, warning: 1 characters of junk seen at toplevel
|
||||
[417] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 35, warning: 1 characters of junk seen at toplevel
|
||||
[417] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 42, warning: 1 characters of junk seen at toplevel
|
||||
[417] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 50, warning: 1 characters of junk seen at toplevel
|
||||
[417] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 58, warning: 1 characters of junk seen at toplevel
|
||||
[417] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 65, warning: 1 characters of junk seen at toplevel
|
||||
[417] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 70, warning: 1 characters of junk seen at toplevel
|
||||
[417] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 77, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 85, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 94, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 103, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 112, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 121, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 130, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 136, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 141, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 146, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 151, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 162, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 167, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 173, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 179, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 184, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 193, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 200, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 208, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 215, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 224, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 233, warning: 1 characters of junk seen at toplevel
|
||||
[418] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 242, warning: 1 characters of junk seen at toplevel
|
||||
[419] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 248, warning: 1 characters of junk seen at toplevel
|
||||
[419] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 253, warning: 1 characters of junk seen at toplevel
|
||||
[419] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 258, warning: 1 characters of junk seen at toplevel
|
||||
[419] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 265, warning: 1 characters of junk seen at toplevel
|
||||
[419] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 270, warning: 1 characters of junk seen at toplevel
|
||||
[419] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 275, warning: 1 characters of junk seen at toplevel
|
||||
[419] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 280, warning: 1 characters of junk seen at toplevel
|
||||
[419] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 285, warning: 1 characters of junk seen at toplevel
|
||||
[419] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 292, warning: 1 characters of junk seen at toplevel
|
||||
[419] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 297, warning: 1 characters of junk seen at toplevel
|
||||
[419] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 304, warning: 1 characters of junk seen at toplevel
|
||||
[419] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 311, warning: 1 characters of junk seen at toplevel
|
||||
[419] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 318, warning: 1 characters of junk seen at toplevel
|
||||
[419] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 324, warning: 1 characters of junk seen at toplevel
|
||||
[419] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 330, warning: 1 characters of junk seen at toplevel
|
||||
[419] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 336, warning: 1 characters of junk seen at toplevel
|
||||
[419] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 343, warning: 1 characters of junk seen at toplevel
|
||||
[419] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 348, warning: 1 characters of junk seen at toplevel
|
||||
[419] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 353, warning: 1 characters of junk seen at toplevel
|
||||
[419] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 358, warning: 1 characters of junk seen at toplevel
|
||||
[419] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 365, warning: 1 characters of junk seen at toplevel
|
||||
[420] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 370, warning: 1 characters of junk seen at toplevel
|
||||
[420] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 375, warning: 1 characters of junk seen at toplevel
|
||||
[420] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 384, warning: 1 characters of junk seen at toplevel
|
||||
[420] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 389, warning: 1 characters of junk seen at toplevel
|
||||
[420] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 394, warning: 1 characters of junk seen at toplevel
|
||||
[420] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 399, warning: 1 characters of junk seen at toplevel
|
||||
[420] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 404, warning: 1 characters of junk seen at toplevel
|
||||
[420] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 409, warning: 1 characters of junk seen at toplevel
|
||||
[420] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 414, warning: 1 characters of junk seen at toplevel
|
||||
[420] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 419, warning: 1 characters of junk seen at toplevel
|
||||
[420] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 428, warning: 1 characters of junk seen at toplevel
|
||||
[420] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 437, warning: 1 characters of junk seen at toplevel
|
||||
[420] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 442, warning: 1 characters of junk seen at toplevel
|
||||
[420] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 447, warning: 1 characters of junk seen at toplevel
|
||||
[420] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 452, warning: 1 characters of junk seen at toplevel
|
||||
[420] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 458, warning: 1 characters of junk seen at toplevel
|
||||
[420] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 468, warning: 1 characters of junk seen at toplevel
|
||||
[420] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 475, warning: 1 characters of junk seen at toplevel
|
||||
[420] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 482, warning: 1 characters of junk seen at toplevel
|
||||
[420] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 491, warning: 1 characters of junk seen at toplevel
|
||||
[421] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 496, warning: 1 characters of junk seen at toplevel
|
||||
[421] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 501, warning: 1 characters of junk seen at toplevel
|
||||
[421] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 510, warning: 1 characters of junk seen at toplevel
|
||||
[421] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 517, warning: 1 characters of junk seen at toplevel
|
||||
[421] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 524, warning: 1 characters of junk seen at toplevel
|
||||
[421] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 529, warning: 1 characters of junk seen at toplevel
|
||||
[421] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 538, warning: 1 characters of junk seen at toplevel
|
||||
[421] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 547, warning: 1 characters of junk seen at toplevel
|
||||
[421] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 552, warning: 1 characters of junk seen at toplevel
|
||||
[421] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 557, warning: 1 characters of junk seen at toplevel
|
||||
[421] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 564, warning: 1 characters of junk seen at toplevel
|
||||
[421] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 571, warning: 1 characters of junk seen at toplevel
|
||||
[421] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 576, warning: 1 characters of junk seen at toplevel
|
||||
[421] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 581, warning: 1 characters of junk seen at toplevel
|
||||
[421] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 586, warning: 1 characters of junk seen at toplevel
|
||||
[421] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 593, warning: 1 characters of junk seen at toplevel
|
||||
[421] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 600, warning: 1 characters of junk seen at toplevel
|
||||
[421] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 607, warning: 1 characters of junk seen at toplevel
|
||||
[421] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 612, warning: 1 characters of junk seen at toplevel
|
||||
[421] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 618, warning: 1 characters of junk seen at toplevel
|
||||
[421] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_lkNM/f4d088b3f9f145b5c3058da33afd57d4_7066.utf8, line 623, warning: 1 characters of junk seen at toplevel
|
||||
[475] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
|
||||
[475] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
|
||||
[475] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
|
||||
[475] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
|
||||
[521] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
|
||||
[541] bbl.pm:757> INFO - Output to document.bbl
|
||||
[541] Biber.pm:128> INFO - WARNINGS: 95
|
||||
@@ -1,273 +0,0 @@
|
||||
# Fdb version 3
|
||||
["biber document"] 1655033977 "document.bcf" "document.bbl" "document" 1655035060
|
||||
"bibliography/bibliography.bib" 1655035048 18430 177b878d10dd97fdcc8937e99ad0727c ""
|
||||
"document.bcf" 1655035030 112916 05490f4de56d62d39a634dbc315966a7 "pdflatex"
|
||||
(generated)
|
||||
"document.bbl"
|
||||
"document.blg"
|
||||
["pdflatex"] 1655035060 "document.tex" "document.pdf" "document" 1655035060
|
||||
"/etc/texmf/web2c/texmf.cnf" 1651100307 475 c0e671620eb5563b2130f56340a5fde8 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc" 1165713224 4850 80dc9bab7f31fb78a000ccfed0e27cab ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/map/fontname/texfonts.map" 1577235249 3524 cb3e574dea2d1052e39280babc910dc8 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmr12.tfm" 1136768653 1288 655e228510b4c2a1abe905c368440826 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/rtcxi.tfm" 1136768653 1448 dc0698441d5ba2c7e36c4762c89d2a6f ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/rtcxr.tfm" 1136768653 1368 7af309acf53bb727783600185f629f47 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/rtxb.tfm" 1136768653 1020 c53143d3e3747b5c1149bd9a5ecd7b55 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/rtxbss.tfm" 1136768653 952 8af6d4411025237a8a19c5fe76c48519 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/rtxi.tfm" 1136768653 1048 a97cff5f6b833b712079817ce7a40d4c ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/rtxmi.tfm" 1136768653 1056 e2202af076e43d03fc17f87e104021b0 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/rtxphvb.tfm" 1136768653 4548 1ffa7e4f8cec4f54428bd6e887feff07 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/rtxphvr.tfm" 1136768653 4748 767b775b8de19d97ba9256ce2b48e057 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/rtxphvro.tfm" 1136768653 4964 9484ade2f7ca166fd2b0a8266351209c ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/rtxptmb.tfm" 1136768653 4572 2c370d27bbb031f7592de9d41dc8cfca ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/rtxptmr.tfm" 1136768653 4452 0fd0a792eaab7113e4d4f1b941ff0367 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/rtxptmri.tfm" 1136768653 4640 ce59980bcbe9e6236fab46d0b5212c7e ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/rtxr.tfm" 1136768653 1004 c0e991f864f31f017ea4ff9e451b76d4 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/rtxss.tfm" 1136768653 952 9553fec7f8724dea5f23bcd5d8725907 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/rtxsssl.tfm" 1136768653 1012 8cc6548f651cb7d6018c40ec4a405a18 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/t1xb.tfm" 1136768653 6892 772bf8e6c154137db8568fa8a47a6ceb ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/t1xbss.tfm" 1136768653 6700 9f7ab5807b4ea0f94f86ef51654456a0 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/t1xbtt.tfm" 1136768653 1436 f00b2a275be56a8355f5c3b07a5a7a4c ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/t1xi.tfm" 1136768653 6956 cab20301c4a0fe2075f774c8a2433c5d ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/t1xr.tfm" 1136768653 6716 6d25a377562601272906e3bfe6b2817a ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/t1xss.tfm" 1136768653 7096 d4068737d849c31bd955cec162cc9c1f ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/t1xsssl.tfm" 1136768653 7320 442528840b39263f05b2bb9418cb055c ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/t1xtt.tfm" 1136768653 1384 8943063000d26272532f74ca134dfecd ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/tcxi.tfm" 1136768653 1584 f7a2838338e782052f0de0fc45c1740c ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/tcxr.tfm" 1136768653 1468 26982ed5d4aefc6c98ed466c7d6869d8 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/txex.tfm" 1136768653 1080 b674b4ba143004461509a754a0984b67 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/txexa.tfm" 1136768653 688 f56006d6e56f46e63d9f63252958b828 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/txi.tfm" 1136768653 2584 cf4a6a7c2a518d47468fe29ef0913ba0 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/txmi.tfm" 1232065820 1944 f854e259cb2839e49d4aa2949544a6e1 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/txmia.tfm" 1136768653 1180 72784d0ee5a983fba99a0986b31b0493 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/txr.tfm" 1136768653 2408 aec793a3c45e495f7ad15b227c91f508 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/txsy.tfm" 1136768653 1268 1d124f224979493f8fd017a7597ea1cd ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/txsya.tfm" 1136768653 972 2c9ffac4bbd20f91c01aaef9bf3f8710 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/txsyb.tfm" 1136768653 988 098ca7e8cc5647b9ac21b82dbdce1f01 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/tfm/public/txfonts/txsyc.tfm" 1136768653 1084 75e807e9e71f7a312e4e1187dce5e93b ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/rtcxi.pfb" 1136849748 14910 452a1524b0b6aca73bffd0ee2ad31c2e ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/rtcxr.pfb" 1136849748 14606 238072bd1ce11e3dff8451a5a2608194 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/rtxb.pfb" 1136849748 6330 bdd610a36762742dd8a518bf9f97b968 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/rtxi.pfb" 1136849748 6787 30821c47455d94d84f9e6f5bfecd086a ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/rtxr.pfb" 1136849748 6339 e2b78706efdc360ee6aec9b6e20211a7 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/t1xbtt.pfb" 1136849748 26580 8886cc7827569e05fd10df25f221aef6 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/t1xtt.pfb" 1136849748 26301 f08b3c26ea42c3177a262c2ac37d6a91 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/type1/urw/helvetic/uhvb8a.pfb" 1136849748 35941 f27169cc74234d5bd5e4cca5abafaabb ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/type1/urw/helvetic/uhvr8a.pfb" 1136849748 44648 23115b2a545ebfe2c526c3ca99db8b95 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmb8a.pfb" 1136849748 44729 811d6c62865936705a31c797a1d5dada ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.pfb" 1136849748 46026 6dab18b61c907687b520c72847215a68 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb" 1136849748 45458 a3faba884469519614ca56ba5f6b1de1 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/vf/public/txfonts/t1xb.vf" 1136768653 2144 bab2875eda5b2344ea7b1db74ccc03a4 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/vf/public/txfonts/t1xbss.vf" 1136768653 2140 53a6b204134ca23b688a5eb135473f18 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/vf/public/txfonts/t1xi.vf" 1136768653 2120 35084608d79b6b13dd746dfcffe98243 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/vf/public/txfonts/t1xr.vf" 1136768653 2140 99e5b3a34695df6221a167ffa8b498d6 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/vf/public/txfonts/t1xss.vf" 1136768653 2140 1f9dbe1be7b322ce3d2dc5796a8e88ed ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/vf/public/txfonts/t1xsssl.vf" 1136768653 2148 3b03d03d82cf6e8c21b92d2903f15dc8 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/vf/public/txfonts/tcxi.vf" 1136768653 988 94d927596240fbacbfb7297449727f1c ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/vf/public/txfonts/tcxr.vf" 1136768653 988 4f41b8c123e4537adb7f2dbb638d2981 ""
|
||||
"/usr/share/texlive/texmf-dist/fonts/vf/public/txfonts/txmi.vf" 1232065820 960 cfcc9d587b40b769f64408b3ca115941 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/context/base/mkii/supp-pdf.mkii" 1461363279 71627 94eb9990bed73c364d7f53f960cc8c5b ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/atbegshi/atbegshi.sty" 1575674566 24708 5584a51a7101caf7e6bbf1fc27d8f7b1 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/babel-english/english.ldf" 1496785618 7008 9ff5fdcc865b01beca2b0fe4a46231d4 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/babel/babel.def" 1611697649 117888 66b7eb0f9cd7bd253f76713fb2e2ee4a ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/babel/babel.sty" 1611697649 37868 ba045e7d3943071ea1a8258e20cd3f09 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/babel/txtbabel.def" 1611697649 5230 84624d139fa443f96294434bccf82f8c ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/bigintcalc/bigintcalc.sty" 1576625341 40635 c40361e206be584d448876bba8a64a3b ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/bitset/bitset.sty" 1576016050 33961 6b5c75130e435b2bfdb9f480a09a39f9 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/colorprofiles/FOGRA39L_coated.icc" 1539117195 121368 39eb6a29ff4335f7d0a8899500482fe4 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/colorprofiles/colorprofiles.sty" 1541456952 2125 d32d20ebbbf64901515ba49e82d21ba5 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/colorprofiles/colorprofiles.tex" 1540240449 2039 ecc159cffd8e7060ebf413ca9a088220 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/colorprofiles/sRGB.icc" 1539117195 3268 22507a113159a716194bbc7c9ad1ba93 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/etexcmds/etexcmds.sty" 1576625273 7734 b98cbb34c81f667027c1e3ebdbfce34b ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/gettitlestring/gettitlestring.sty" 1576625223 8371 9d55b8bd010bc717624922fb3477d92e ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/iftex/ifluatex.sty" 1572645307 492 1994775aa15b0d1289725a0b1bbc2d4c ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/iftex/ifpdf.sty" 1572645307 480 5778104efadad304ced77548ca2184b1 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/iftex/iftex.sty" 1583617216 6501 4011d89d9621e0b0901138815ba5ff29 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/iftex/ifvtex.sty" 1572645307 1057 525c2192b5febbd8c1f662c9468335bb ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/iftex/ifxetex.sty" 1572645307 488 4565444a3e75e59cb2702dc42e18f482 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/infwarerr/infwarerr.sty" 1575499628 8356 7bbb2c2373aa810be568c29e333da8ed ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/intcalc/intcalc.sty" 1576625065 31769 002a487f55041f8e805cfbf6385ffd97 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/kvdefinekeys/kvdefinekeys.sty" 1576878844 5412 d5a2436094cd7be85769db90f29250a6 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/kvsetkeys/kvsetkeys.sty" 1576624944 13807 952b0226d4efca026f0e19dd266dcc22 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/ltxcmds/ltxcmds.sty" 1600895880 17859 4409f8f50cd365c68e684407e5350b1b ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/pdfescape/pdfescape.sty" 1576015897 19007 15924f7228aca6c6d184b115f4baa231 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/pdftex/glyphtounicode.tex" 1353199370 216747 92ec6cf8e39216b4894417b5aa6f057a ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/pdftexcmds/pdftexcmds.sty" 1593379760 20089 80423eac55aa175305d35b49e04fe23b ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/stringenc/se-pdfdoc.def" 1575152242 5108 8920602307ea1294ccbce2300c7c6ccb ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/stringenc/stringenc.sty" 1575152242 21514 b7557edcee22835ef6b03ede1802dad4 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/generic/uniquecounter/uniquecounter.sty" 1576624663 7008 f92eaa0a3872ed622bbf538217cd2ab7 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/amscls/amsthm.sty" 1591045760 12594 0d51ac3a545aaaa555021326ff22a6cc ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/amsfonts/amsfonts.sty" 1359763108 5949 3f3fd50a8cc94c3d4cbf4fc66cd3df1c ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/amsfonts/amssymb.sty" 1359763108 13829 94730e64147574077f8ecfea9bb69af4 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/amsmath/amsbsy.sty" 1523134290 2211 ca7ce284ab93c8eecdc6029dc5ccbd73 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/amsmath/amsgen.sty" 1523134290 4161 7f6eb9092061a11f87d08ed13515b48d ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/amsmath/amsmath.sty" 1601675358 87353 2c21ff5f2e32e1bf714e600924d810db ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/amsmath/amsopn.sty" 1523134290 4116 32e6abd27229755a83a8b7f18e583890 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/amsmath/amstext.sty" 1523134290 2432 8ff93b1137020e8f21930562a874ae66 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/atveryend/atveryend.sty" 1576191570 19336 ce7ae9438967282886b3b036cfad1e4d ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/auxhook/auxhook.sty" 1576625391 3935 57aa3c3e203a5c2effb4d2bd2efbc323 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/base/atbegshi-ltx.sty" 1609451599 2973 00085839f5881178c538db5970d3c38e ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/base/atveryend-ltx.sty" 1610149055 2596 b3a02e33035865e9f0457e064d436fb8 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/base/everyshi-ltx.sty" 1609451599 2591 72e18a6b9972c5f1da2a52bd5a4f860c ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/base/fontenc.sty" 1601675358 4947 8cb7717f0cc771eca0fda15160c7fee9 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/base/ifthen.sty" 1580683321 5159 892429808d9e0e2b3548aaefd9a06ed0 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/base/inputenc.sty" 1601675358 5050 0d3b77275060ca09a40635b830c3c904 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/base/report.cls" 1601675358 23204 74c91ecbcc47161218f25d9d0651c0f7 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/base/size12.clo" 1601675358 8450 6fd3588c0e9d06f6f56c6cf4f7246466 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/biblatex-ieee/ieee.bbx" 1609279230 19746 659d48d97159c52941881e9f1bfb212b ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/biblatex-ieee/ieee.cbx" 1609279230 4084 144de2f1ea3c6d81f25226a1d17dd762 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/biblatex/bbx/numeric-comp.bbx" 1342308459 92 7cdbb04a1e32fba0fbb91b6e6d123497 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/biblatex/bbx/numeric.bbx" 1609451401 1818 9ed166ac0a9204a8ebe450ca09db5dde ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/biblatex/bbx/standard.bbx" 1609451401 25680 409c3f3d570418bc545e8065bebd0688 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/biblatex/biblatex.cfg" 1342308459 69 249fa6df04d948e51b6d5c67bea30c42 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/biblatex/biblatex.def" 1609451401 91946 e09bee3cd84fdc4250d6c8ee794f6a70 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/biblatex/biblatex.sty" 1609451401 506356 ad896deba0d157daf8e7a259dbff05c8 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/biblatex/blx-case-expl3.sty" 1609451401 8433 72f8188742e7214b7068f345cd0287ac ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/biblatex/blx-compat.def" 1609451401 13379 ae6b07c49ed3315284c100c6d2572fab ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/biblatex/blx-dm.def" 1609451401 32359 780383f3a2aaa99ffa09ced7a3363e81 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/biblatex/cbx/numeric-comp.cbx" 1597957911 10374 3e59136b31c5373f571c7fd91d551da1 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/biblatex/lbx/english.lbx" 1609451401 38558 7b6b5c4f86b076362a57cfdb9255a6c6 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/caption/caption.sty" 1603745920 51746 e89c4da670ba533e6ab38e045ce6d1d9 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/caption/caption3.sty" 1603745920 67929 d50ae850e1d9604065e8337a75a41029 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/chngcntr/chngcntr.sty" 1525297854 4336 84bc4a8edb126e69abec1a67dc0c36cf ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/colortbl/colortbl.sty" 1579991017 10793 d0af3aa11e27ae35ba4685b17597b122 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/csquotes/csquotes.cfg" 1429144587 7068 06f8d141725d114847527a66439066b6 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/csquotes/csquotes.def" 1609884275 20781 3b6db3c90061bfd8febbc13564777847 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/csquotes/csquotes.sty" 1609884275 62512 52e9defd5096aff5aaf6a48571b466f7 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/epstopdf-pkg/epstopdf-base.sty" 1579991033 13886 d1306dcf79a944f6988e688c1785f9ce ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/etoolbox/etoolbox.sty" 1601931149 46845 3b58f70c6e861a13d927bff09d35ecbc ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/everyshi/everyshi.sty" 1606256234 2368 ef01f98551a0f54407358b67f8a6c5e1 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/fancyhdr/fancyhdr.sty" 1609797564 17084 8c1abc8567028945d60a2f6d71e86091 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/floatrow/floatrow.sty" 1249478946 60013 31ae5968a4a3fc2e332dd6a87f8e924b ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/geometry/geometry.sty" 1578002852 41601 9cf6c5257b1bc7af01a58859749dd37a ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/graphics-cfg/color.cfg" 1459978653 1213 620bba36b25224fa9b7e1ccb4ecb76fd ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/graphics-cfg/graphics.cfg" 1465944070 1224 978390e9c2234eab29404bc21b268d1e ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/graphics-def/pdftex.def" 1601931164 19103 48d29b6e2a64cb717117ef65f107b404 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/graphics/color.sty" 1601675358 7102 5b27b7e61091c6128cd6300e21704e4b ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/graphics/graphics.sty" 1601675358 18272 a8c6a275b34ab6717ceeb8fa04b104e2 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/graphics/graphicx.sty" 1601675358 7919 20fdfdd783821971c55bc8ee918cbe63 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/graphics/keyval.sty" 1580683321 2590 e3b24ff953e5b58d924f163d25380312 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/graphics/rotating.sty" 1580683321 6982 df2e03ed1b101065d688af501de0405d ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/graphics/trig.sty" 1580683321 3976 d7fa7d81d2870d509d25b17d0245e735 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/grfext/grfext.sty" 1575499774 7133 b94bbacbee6e4fdccdc7f810b2aec370 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/hycolor/hycolor.sty" 1580250785 17914 4c28a13fc3d975e6e81c9bea1d697276 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/hyperref/hluatex.def" 1589664343 51510 4c6a1d1d230f9dc04992fe072da4f6ec ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/hyperref/hpdftex.def" 1589664343 50570 2e81797743231d9037b0cbe3436d74ba ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/hyperref/hyperref.sty" 1589664343 236775 8ab18a05f69e6caef423fa59cb0af03b ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/hyperref/nameref.sty" 1579642962 13244 0070bcab7b5a88187847128d22faf4d8 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/hyperref/pd1enc.def" 1589664343 14134 c11767c54bd7ecab56984ee4e4e3158c ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/hyperref/psdextra.def" 1589664343 37413 24bf1f3d888481de03e455827285155e ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/hyperref/puenc.def" 1589664343 122447 8dcff5c67ff7f0649f41dc4abc99887f ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/kvoptions/kvoptions.sty" 1602274869 22521 d2fceb764a442a2001d257ef11db7618 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/l3backend/l3backend-pdftex.def" 1611959857 27097 58278863d97b10ab86e334b8da33df7a ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/l3kernel/expl3.sty" 1610315378 6209 031757bc8d0350c53dd99ad8ae4875eb ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/l3packages/xparse/xparse-generic.tex" 1589555814 80141 edbf9289c99ff37db17116af7a3a423f ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/l3packages/xparse/xparse.sty" 1603832142 5905 c6eb253894f4e808af476e034b49df36 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/latexconfig/epstopdf-sys.cfg" 1279039959 678 4792914a8f45be57bb98413425e4c7af ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/letltxmacro/letltxmacro.sty" 1575499565 5766 13a9e8766c47f30327caf893ece86ac8 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/listings/listings.cfg" 1585170648 1830 e31effa752c61538383451ae21332364 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/listings/listings.sty" 1585170648 80964 64e57373f36316e4a09b517cbf1aba2e ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty" 1585170648 204271 bae5b2d457283e99567249c1990510be ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/listings/lstmisc.sty" 1585170648 77022 ee25ce086f4a79d8cf73bac6f94c02a5 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/logreq/logreq.def" 1284153563 1620 fb1c32b818f2058eca187e5c41dfae77 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/logreq/logreq.sty" 1284153563 6187 b27afc771af565d3a9ff1ca7d16d0d46 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/multirow/multirow.sty" 1611959532 6149 c6cd26d0cd8e83d8ecf4b81e1460a8be ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/pdfx/8bit.def" 1431552887 5962 2aa7a2da2d9394f9da33cf2a55c50b0a ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/pdfx/AdobeColorProfiles.tex" 1544134469 18025 2a8c02d866533f30ba38e1fc80d41d5e ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/pdfx/glyphtounicode-cmr.tex" 1544134469 12650 63d8297b6f8c541fcf26e81843ce886e ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/pdfx/glyphtounicode-ntx.tex" 1552341685 12106 cf8ee425ea5c6dcd1e8f6a7a78988e72 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/pdfx/l8u-penc.def" 1544134469 173899 c019d28cc75c9b7ff01d114ccb8449bd ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/pdfx/pdfa.xmp" 1544134469 16698 20710d2986efbe933f27bcaccba16f92 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/pdfx/pdfx.sty" 1552341685 109591 fbc1db3d28e53e6589d1cf9c8bf1eb1d ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/refcount/refcount.sty" 1576624809 9878 9e94e8fa600d95f9c7731bb21dfb67a4 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/rerunfilecheck/rerunfilecheck.sty" 1575674187 9715 b051d5b493d9fe5f4bc251462d039e5f ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/titlesec/titlesec.sty" 1571259403 48596 2b6a95da931c07a430b1a61904aaa42d ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/titlesec/titletoc.sty" 1571259403 16867 48b0a882b3e08147593c7c0476d9c2e2 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/tools/array.sty" 1601675358 12675 9a7bbb9e485cd81cdcc1d56212b088ff ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/txfonts/omltxmi.fd" 1137111002 492 e7f8afe4428797548d4301de03a1b15f ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/txfonts/omstxsy.fd" 1137111002 329 6ac7e19535b9f1d64e4d8e3f77dc30a3 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/txfonts/omxtxex.fd" 1137111002 312 11fe1916b0a13a81a05234a6fc7f8738 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/txfonts/ot1txr.fd" 1137111002 1271 4e3afbd8e832f2f9c7f064894e6e68e4 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txr.fd" 1137111002 1242 cbf8a0d4f750f9833a0bfb05fb39f1cb ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txss.fd" 1137111002 1362 13e59690199f58f0836298f1c5f460eb ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txtt.fd" 1137111002 1324 7b6c95370a64cd8c7620cbefefb53dba ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/txfonts/ts1txr.fd" 1137111002 1278 7b91d84c3d8b7d0dd9e34d557ca00ff0 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/txfonts/txfonts.sty" 1206746551 50381 d367461010070c7a491b1f6979ab2062 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/txfonts/utxexa.fd" 1137111002 310 1b00b0b05685b816e4c6caccce437e0d ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/txfonts/utxmia.fd" 1137111002 334 87436a82076ca2e35cd305f852507afc ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/txfonts/utxsya.fd" 1137111002 310 cee07e4964749ccbc77d84fc49726a79 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/txfonts/utxsyb.fd" 1137111002 310 8c5467c8932c259af51b0f116c9734bd ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/txfonts/utxsyc.fd" 1137111002 310 4b5d6fe830337242ef847b3bff48ba21 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/url/url.sty" 1388531844 12796 8edb7d69a20b857904dd0ea757c14ec9 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/xcolor/xcolor.sty" 1463002160 55589 34128738f682d033422ca125f82e5d62 ""
|
||||
"/usr/share/texlive/texmf-dist/tex/latex/xmpincl/xmpincl.sty" 1210504720 2846 ba6fcee8a9557055874a16b76a0c5f4b ""
|
||||
"/usr/share/texlive/texmf-dist/web2c/texmf.cnf" 1613593815 38841 799d1dd9682a55ce442e10c99777ecc1 ""
|
||||
"/usr/share/texmf/web2c/texmf.cnf" 1613593815 38841 799d1dd9682a55ce442e10c99777ecc1 ""
|
||||
"/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map" 1651100317 128028 f533b797fba58d231669ea19e894e23e ""
|
||||
"/var/lib/texmf/web2c/pdftex/pdflatex.fmt" 1651100326 1334284 230f0b70f00981bccbdb458564f1009e ""
|
||||
"chapters/annex.tex" 1654942022 7244 529cbb32d3e651576b8b59f587b12ca7 ""
|
||||
"chapters/chapter1.tex" 1654942427 11443 47a32930700b882ae00123de9261e211 ""
|
||||
"chapters/chapter2.tex" 1654979192 89509 2f1924ef75a8fa0f5d49e777ad921305 ""
|
||||
"chapters/chapter3.tex" 1654979454 32862 389955387b3f2b0401c89199fbd811d0 ""
|
||||
"chapters/chapter4.tex" 1655035016 22079 0217c7f2a7786208e4d6c266473cda8b ""
|
||||
"chapters/chapter5.tex" 1654966992 81 44003c0d65e545a114628ca35b603084 ""
|
||||
"chapters/chapter6.tex" 1654967052 143 6ba964fe2a782e2ffb7aa2315fbb4183 ""
|
||||
"document.aux" 1655035030 61616 4008edbae5e661cb9588353acd9afdad "pdflatex"
|
||||
"document.bbl" 1655033979 76366 6af5917e230bae3b7774793a68864f65 "biber document"
|
||||
"document.lof" 1655035030 7503 372bb7c74e6ff547ead2b5bf10241868 "pdflatex"
|
||||
"document.lot" 1655035030 4986 06b1b121a2f2db5a8da4c43a2e7db872 "pdflatex"
|
||||
"document.out" 1655035030 5573 9bd1500b472001dfe82f052359b713f2 "pdflatex"
|
||||
"document.run.xml" 1655035030 2445 b409c18254f7f5782630d13a05948f21 "pdflatex"
|
||||
"document.tex" 1654968406 6713 eb3647ce32b19002e48c2c97d8fb2840 ""
|
||||
"document.toc" 1655035030 9021 e44f14684fee4149c95935d775f09954 "pdflatex"
|
||||
"images//Portada_Logo.png" 1651111039 22996 c527860321fd85a49ffef78eb664cfb0 ""
|
||||
"images//ROPcompound.jpg" 1654626518 189399 440667572df7b1c6adea87e1316fdedd ""
|
||||
"images//aslr_offset.jpg" 1654821383 24380 09a1b8196c0d4095853e0abbc94fde03 ""
|
||||
"images//bpf_address_mode.png" 1653295904 120159 3b61bb23c08976d443e2209f5feef027 ""
|
||||
"images//bpf_instructions.png" 1653295887 87235 e2e9ebd3abbf4217b218593154586119 ""
|
||||
"images//buffer_overflow.jpg" 1654613585 33233 234ad1a2a4578fdcf964f37d7032a589 ""
|
||||
"images//buffer_overflow_shellcode.jpg" 1654618293 45561 e57c00ba99ba0b80368cdc0aa64101ff ""
|
||||
"images//cBPF_prog_ex_sol.png" 1653307584 18612 5639fbf3851c7aefb0ab2f0d747d39e4 ""
|
||||
"images//classic_bpf.jpg" 1653251787 32269 cb640fa8b95ef6388c3c400ff34c08f0 ""
|
||||
"images//ebpf_arch.jpg" 1653529995 60229 575955dd95319abfdfe746dc0da29d14 ""
|
||||
"images//frame.jpg" 1654533510 102536 baf3b44ff116a7448c5d35e25e7eda97 ""
|
||||
"images//libbpf_prog.jpg" 1653741812 40113 69ec9fd9f1dfded5f622ae05141130a9 ""
|
||||
"images//mem_arch_pages.jpg" 1654343079 46103 3b6ed2f695590d91d1ce517a7518ba14 ""
|
||||
"images//mem_major_page_fault.jpg" 1654345015 34926 900a506f60da0b26c50f0ec9daa9b295 ""
|
||||
"images//mem_minor_page_fault.jpg" 1654345021 49534 278ecdf64e412a950f4d809dfea89dc9 ""
|
||||
"images//memory.jpg" 1654594805 26028 033e8d676afa0c083a4f3b90a6784395 ""
|
||||
"images//rootkit.jpg" 1655000354 177203 7184f9a9a8eab7aa201bf27f112e27e7 ""
|
||||
"images//rootkit_files.jpg" 1655034484 66866 8e0c6b46084e7abbb184c929f32ee2ee ""
|
||||
"images//rop_evil_ebpf_1.jpg" 1654690993 80272 893c8a309177ea30436b1cb0e0a4f3ba ""
|
||||
"images//rop_evil_ebpf_2.jpg" 1654691288 72075 f0114fb8746bb65ea72a81a9679fa908 ""
|
||||
"images//rop_evil_ebpf_3.jpg" 1654692503 58582 2a0db73e0ff01342847ed343d4f7319b ""
|
||||
"images//sch_firstcall.png" 1654828322 19347 58cc1ca504090e433ec03e2bcdc1dd91 ""
|
||||
"images//sch_gdb_got_after.png" 1654802017 8525 d7df884a144a977c8e070c4056c50a17 ""
|
||||
"images//sch_gdb_got_prev.png" 1654801658 7756 9b217037d291e83cadef8d77809bc139 ""
|
||||
"images//sch_gdb_plt.png" 1654800731 45200 a5e1aa28ce6e0d6cc4f11867d24f0878 ""
|
||||
"images//sch_glibc_func.png" 1654802737 24202 c6b923d8354ca57c6350b66ee21b4eef ""
|
||||
"images//stack.jpg" 1654430376 30015 ebcf3f3c62c8155291ef4aa1b05eb653 ""
|
||||
"images//stack_before.jpg" 1654430798 17097 0dc9f22472a2102f109b99907037aa7a ""
|
||||
"images//stack_ops.jpg" 1654428621 55409 345bc5b1d0950544bc7335b3f4e05912 ""
|
||||
"images//stack_pres.jpg" 1654424859 23003 259a6a4815d4424ca6d882bc71ce84f6 ""
|
||||
"images//stack_ret_hij_simple.jpg" 1654594575 101721 a311e1bef2e2c6740f21a25c4889372f ""
|
||||
"images//stack_scan_write_tech.jpg" 1654464032 61226 fc4f89080b9a91d93f5bd49f7e00897a ""
|
||||
"images//tcp_conn.jpg" 1654543456 30833 0823efc5e1ea3d9eba2edf6ede288273 ""
|
||||
"images//tcp_exfiltrate_retrans.jpg" 1654558715 42839 2a5972a5a88efc5905fcc081dec5cfae ""
|
||||
"images//tcp_retransmission.jpg" 1654549976 42205 caa4b3bc55b46b4ad80f3e1b0f5df520 ""
|
||||
"images//tcpdump_example.png" 1653302033 71021 900c1544b6afc012fb7b3448e2e237e3 ""
|
||||
"images//xdp_diag.jpg" 1653602902 43089 4e9dfc5caf229d9d24a8459475c563f4 ""
|
||||
"images/cBPF_prog.jpg" 1653294568 37580 becaaa0d8a6a16353948a17c8ecd2bb8 ""
|
||||
"images/creativecommons.png" 1651111039 20748 2d1005dcab1cdcb889ee17a8f3b8cbcb ""
|
||||
"pdfa.xmpi" 1655035061 5042 ecb3d9c8c507cff3a5352640f1a206b5 "pdflatex"
|
||||
(generated)
|
||||
"document.toc"
|
||||
"document.aux"
|
||||
"document.log"
|
||||
"document.run.xml"
|
||||
"document.pdf"
|
||||
"document.bcf"
|
||||
"document.lof"
|
||||
"pdfa.xmpi"
|
||||
"document.out"
|
||||
"document.lot"
|
||||
1574
docs/document.fls
1574
docs/document.fls
File diff suppressed because it is too large
@@ -1,101 +0,0 @@
|
||||
\boolfalse {citerequest}\boolfalse {citetracker}\boolfalse {pagetracker}\boolfalse {backtracker}\relax
|
||||
\babel@toc {english}{}
|
||||
\defcounter {refsection}{0}\relax
|
||||
\addvspace {10\p@ }
|
||||
\defcounter {refsection}{0}\relax
|
||||
\addvspace {10\p@ }
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.1}{\ignorespaces Functionality of classic BPF. Based on the figure at the original paper \cite {bpf_bsd_origin_bpf_page2}.\relax }}{6}{figure.caption.7}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.2}{\ignorespaces Execution of a BPF filter.\relax }}{7}{figure.caption.8}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.3}{\ignorespaces Supported classic BPF instructions, as shown by McCanne and Jacobson \cite {bpf_bsd_origin_bpf_page7}\relax }}{9}{figure.caption.10}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.4}{\ignorespaces BPF address modes, as shown by McCanne and Jacobson \cite {bpf_bsd_origin_bpf_page8}\relax }}{9}{figure.caption.11}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.5}{\ignorespaces BPF bytecode tcpdump needs to set a filter to display packets directed to port 80.\relax }}{10}{figure.caption.12}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.6}{\ignorespaces Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }}{11}{figure.caption.13}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.7}{\ignorespaces eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on \cite {brendan_gregg_bpf_book} and \cite {ebpf_io_arch}.\relax }}{12}{figure.caption.15}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.8}{\ignorespaces XDP and TC modules integration in the network processing module of the Linux kernel.\relax }}{19}{figure.caption.23}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.9}{\ignorespaces Compilation and loading process of a program developed with libbpf.\relax }}{25}{figure.caption.28}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.10}{\ignorespaces Memory translation of virtual pages to physical pages.\relax }}{28}{figure.caption.33}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.11}{\ignorespaces Major page fault after a page was removed from RAM.\relax }}{29}{figure.caption.34}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.12}{\ignorespaces Minor page fault after a fork() in which the page table was not copied completely.\relax }}{30}{figure.caption.35}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.13}{\ignorespaces Virtual memory architecture of a process \cite {mem_arch_proc}.\relax }}{30}{figure.caption.36}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.14}{\ignorespaces Simplified stack representation showing only stack frames.\relax }}{31}{figure.caption.37}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.15}{\ignorespaces Representation of push and pop operations in the stack.\relax }}{33}{figure.caption.39}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.16}{\ignorespaces Stack representation right before starting the function call process.\relax }}{33}{figure.caption.40}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.17}{\ignorespaces Stack representation right after the function preamble.\relax }}{34}{figure.caption.41}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.18}{\ignorespaces Execution hijack overwriting saved rip value.\relax }}{36}{figure.caption.42}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.19}{\ignorespaces Stack buffer overflow overwriting ret value.\relax }}{37}{figure.caption.43}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.20}{\ignorespaces Executing arbitrary code exploiting a buffer overflow vulnerability.\relax }}{38}{figure.caption.44}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.21}{\ignorespaces Steps for executing code sample using ROP.\relax }}{40}{figure.caption.45}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.22}{\ignorespaces Ethernet frame with TCP/IP packet.\relax }}{41}{figure.caption.46}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.23}{\ignorespaces TCP 3-way handshake.\relax }}{43}{figure.caption.48}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.24}{\ignorespaces TCP packet retransmission on timeout.\relax }}{44}{figure.caption.49}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.25}{\ignorespaces PLT stub for timerfd\_settime, seen from gdb-peda.\relax }}{47}{figure.caption.52}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.26}{\ignorespaces Inspecting address stored in GOT section before dynamic linking, seen from gdb-peda.\relax }}{47}{figure.caption.53}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.27}{\ignorespaces Inspecting address stored in GOT section after dynamic linking, seen from gdb-peda.\relax }}{47}{figure.caption.54}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.28}{\ignorespaces Glibc function to which PLT jumps using address stored at GOT, seen from gdb-peda.\relax }}{48}{figure.caption.55}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {2.29}{\ignorespaces File /proc/<pid>/maps of a sample program.\relax }}{51}{figure.caption.58}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\addvspace {10\p@ }
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {3.1}{\ignorespaces Overview of stack scanning and writing technique.\relax }}{60}{figure.caption.60}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {3.2}{\ignorespaces Technique to duplicate a packet for exfiltrating data.\relax }}{64}{figure.caption.61}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\addvspace {10\p@ }
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {4.1}{\ignorespaces Overview of the rootkit subsystems and components.\relax }}{67}{figure.caption.62}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {4.2}{\ignorespaces Rootkit programs and scripts.\relax }}{69}{figure.caption.63}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {4.3}{\ignorespaces Initial setup for the ROP with eBPF technique.\relax }}{71}{figure.caption.64}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {4.4}{\ignorespaces Process memory after syscall exits and ROP code overwrites the stack.\relax }}{72}{figure.caption.65}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {4.5}{\ignorespaces Stack data is restored and program continues its execution.\relax }}{73}{figure.caption.66}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {4.6}{\ignorespaces Two runs of the same executable using ASLR, showing a library and two symbols.\relax }}{74}{figure.caption.67}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {4.7}{\ignorespaces Overview of jump and return instructions from the program instructions to the syscall at the kernel.\relax }}{76}{figure.caption.68}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {4.8}{\ignorespaces Call to the glibc function, using objdump.\relax }}{76}{figure.caption.69}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {4.9}{\ignorespaces PLT stub generated with gcc compiler, using objdump.\relax }}{76}{figure.caption.70}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {4.10}{\ignorespaces PLT stub generated with clang compiler, using objdump.\relax }}{77}{figure.caption.71}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {4.11}{\ignorespaces Timerfd\_settime function at glibc, using objdump.\relax }}{77}{figure.caption.72}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {figure}{\numberline {4.12}{\ignorespaces Functions at glibc with ASLR active.\relax }}{78}{figure.caption.75}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\addvspace {10\p@ }
|
||||
\defcounter {refsection}{0}\relax
|
||||
\addvspace {10\p@ }
|
||||
\contentsfinish
|
||||
2836
docs/document.log
2836
docs/document.log
File diff suppressed because it is too large
@@ -1,67 +0,0 @@
|
||||
\boolfalse {citerequest}\boolfalse {citetracker}\boolfalse {pagetracker}\boolfalse {backtracker}\relax
|
||||
\babel@toc {english}{}
|
||||
\defcounter {refsection}{0}\relax
|
||||
\addvspace {10\p@ }
|
||||
\defcounter {refsection}{0}\relax
|
||||
\addvspace {10\p@ }
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.1}{\ignorespaces BPF instruction format.\relax }}{8}{table.caption.9}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.2}{\ignorespaces Relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }}{11}{table.caption.14}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.3}{\ignorespaces eBPF instruction format.\relax }}{12}{table.caption.16}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.4}{\ignorespaces eBPF registers and their purpose in the BPF VM. \cite {ebpf_inst_set} \cite {ebpf_starovo_slides}.\relax }}{13}{table.caption.17}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.5}{\ignorespaces Common fields for creating an eBPF map.\relax }}{15}{table.caption.18}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.6}{\ignorespaces Types of eBPF maps. Only those used in our rootkit are displayed, the full list can be consulted in the man page \cite {bpf_syscall}\relax }}{15}{table.caption.19}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.7}{\ignorespaces Types of syscall actions. Only those relevant to our research are shown the full list and attribute details can be consulted in the man page \cite {bpf_syscall}\relax }}{16}{table.caption.20}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.8}{\ignorespaces Types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite {bpf_syscall}.\relax }}{16}{table.caption.21}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.9}{\ignorespaces Common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite {ebpf_helpers}.\relax }}{17}{table.caption.22}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.10}{\ignorespaces Relevant XDP return values.\relax }}{18}{table.caption.24}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.11}{\ignorespaces Relevant XDP-exclusive eBPF helpers.\relax }}{19}{table.caption.25}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.12}{\ignorespaces Relevant TC return values. Full list can be consulted at \cite {tc_ret_list_complete}.\relax }}{20}{table.caption.26}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.13}{\ignorespaces Relevant TC-exclusive eBPF helpers.\relax }}{21}{table.caption.27}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.14}{\ignorespaces BPF skeleton functions.\relax }}{25}{table.caption.29}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.15}{\ignorespaces Kernel compilation flags for eBPF.\relax }}{26}{table.caption.30}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.16}{\ignorespaces Capabilities needed for eBPF.\relax }}{27}{table.caption.31}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.17}{\ignorespaces Values for unprivileged eBPF kernel parameter.\relax }}{27}{table.caption.32}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.18}{\ignorespaces Relevant registers in x86\_64 for the stack and control flow and their purpose.\relax }}{32}{table.caption.38}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.19}{\ignorespaces Relevant TCP flags and their purpose.\relax }}{43}{table.caption.47}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.20}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{45}{table.caption.50}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.21}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{46}{table.caption.51}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.22}{\ignorespaces Security features in C compilers used in the study.\relax }}{48}{table.caption.56}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {2.23}{\ignorespaces Values for \textit {/proc/sys/kernel/yama/ptrace\_scope}.\relax }}{50}{table.caption.57}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\addvspace {10\p@ }
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {3.1}{\ignorespaces Argument passing convention of registers for function calls in user and kernel space respectively.\relax }}{54}{table.caption.59}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\addvspace {10\p@ }
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {4.1}{\ignorespaces Arguments and return value of function \_\_libc\_malloc.\relax }}{77}{table.caption.73}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {table}{\numberline {4.2}{\ignorespaces Arguments of function \_\_libc\_dlopen\_mode.\relax }}{78}{table.caption.74}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\addvspace {10\p@ }
|
||||
\defcounter {refsection}{0}\relax
|
||||
\addvspace {10\p@ }
|
||||
\contentsfinish
|
||||
@@ -1,76 +0,0 @@
|
||||
\BOOKMARK [0][-]{chapter.1}{Introduction}{}% 1
|
||||
\BOOKMARK [1][-]{section.1.1}{Motivation}{chapter.1}% 2
|
||||
\BOOKMARK [1][-]{section.1.2}{Project\040objectives}{chapter.1}% 3
|
||||
\BOOKMARK [1][-]{section.1.3}{Regulatory\040framework}{chapter.1}% 4
|
||||
\BOOKMARK [2][-]{subsection.1.3.1}{Social\040and\040economic\040environment}{section.1.3}% 5
|
||||
\BOOKMARK [2][-]{subsection.1.3.2}{Budget}{section.1.3}% 6
|
||||
\BOOKMARK [1][-]{section.1.4}{Structure\040of\040the\040document}{chapter.1}% 7
|
||||
\BOOKMARK [1][-]{section.1.5}{Code\040availability}{chapter.1}% 8
|
||||
\BOOKMARK [0][-]{chapter.2}{Background}{}% 9
|
||||
\BOOKMARK [1][-]{section.2.1}{BPF}{chapter.2}% 10
|
||||
\BOOKMARK [2][-]{subsection.2.1.1}{Introduction\040to\040the\040BPF\040system}{section.2.1}% 11
|
||||
\BOOKMARK [2][-]{subsection.2.1.2}{The\040BPF\040virtual\040machine}{section.2.1}% 12
|
||||
\BOOKMARK [2][-]{subsection.2.1.3}{Analysis\040of\040a\040BPF\040filter\040program}{section.2.1}% 13
|
||||
\BOOKMARK [2][-]{subsection.2.1.4}{BPF\040bytecode\040instruction\040format}{section.2.1}% 14
|
||||
\BOOKMARK [2][-]{subsection.2.1.5}{An\040example\040of\040BPF\040filter\040with\040tcpdump}{section.2.1}% 15
|
||||
\BOOKMARK [1][-]{section.2.2}{Modern\040eBPF}{chapter.2}% 16
|
||||
\BOOKMARK [2][-]{subsection.2.2.1}{eBPF\040instruction\040set}{section.2.2}% 17
|
||||
\BOOKMARK [2][-]{subsection.2.2.2}{JIT\040compilation}{section.2.2}% 18
|
||||
\BOOKMARK [2][-]{subsection.2.2.3}{The\040eBPF\040verifier}{section.2.2}% 19
|
||||
\BOOKMARK [2][-]{subsection.2.2.4}{eBPF\040maps}{section.2.2}% 20
|
||||
\BOOKMARK [2][-]{subsection.2.2.5}{The\040eBPF\040ring\040buffer}{section.2.2}% 21
|
||||
\BOOKMARK [2][-]{subsection.2.2.6}{The\040bpf\(\)\040syscall}{section.2.2}% 22
|
||||
\BOOKMARK [2][-]{subsection.2.2.7}{eBPF\040helpers}{section.2.2}% 23
|
||||
\BOOKMARK [1][-]{section.2.3}{eBPF\040program\040types}{chapter.2}% 24
|
||||
\BOOKMARK [2][-]{subsection.2.3.1}{XDP}{section.2.3}% 25
|
||||
\BOOKMARK [2][-]{subsection.2.3.2}{Traffic\040Control}{section.2.3}% 26
|
||||
\BOOKMARK [2][-]{subsection.2.3.3}{Tracepoints}{section.2.3}% 27
|
||||
\BOOKMARK [2][-]{subsection.2.3.4}{Kprobes}{section.2.3}% 28
|
||||
\BOOKMARK [2][-]{subsection.2.3.5}{Uprobes}{section.2.3}% 29
|
||||
\BOOKMARK [1][-]{section.2.4}{Developing\040eBPF\040programs}{chapter.2}% 30
|
||||
\BOOKMARK [2][-]{subsection.2.4.1}{BCC}{section.2.4}% 31
|
||||
\BOOKMARK [2][-]{subsection.2.4.2}{Bpftool}{section.2.4}% 32
|
||||
\BOOKMARK [2][-]{subsection.2.4.3}{Libbpf}{section.2.4}% 33
|
||||
\BOOKMARK [1][-]{section.2.5}{Security\040features\040in\040eBPF}{chapter.2}% 34
|
||||
\BOOKMARK [2][-]{subsection.2.5.1}{Access\040control}{section.2.5}% 35
|
||||
\BOOKMARK [1][-]{section.2.6}{Memory\040management\040in\040Linux}{chapter.2}% 36
|
||||
\BOOKMARK [2][-]{subsection.2.6.1}{Memory\040pages\040and\040faults}{section.2.6}% 37
|
||||
\BOOKMARK [2][-]{subsection.2.6.2}{Process\040virtual\040memory}{section.2.6}% 38
|
||||
\BOOKMARK [2][-]{subsection.2.6.3}{The\040process\040stack}{section.2.6}% 39
|
||||
\BOOKMARK [1][-]{section.2.7}{Attacks\040at\040the\040stack}{chapter.2}% 40
|
||||
\BOOKMARK [2][-]{subsection.2.7.1}{Buffer\040overflow}{section.2.7}% 41
|
||||
\BOOKMARK [2][-]{subsection.2.7.2}{Return\040oriented\040programming\040attacks}{section.2.7}% 42
|
||||
\BOOKMARK [1][-]{section.2.8}{Networking\040fundamentals\040in\040Linux}{chapter.2}% 43
|
||||
\BOOKMARK [2][-]{subsection.2.8.1}{An\040overview\040on\040the\040network\040layer}{section.2.8}% 44
|
||||
\BOOKMARK [2][-]{subsection.2.8.2}{Introduction\040to\040the\040TCP\040protocol}{section.2.8}% 45
|
||||
\BOOKMARK [1][-]{section.2.9}{ELF\040binaries}{chapter.2}% 46
|
||||
\BOOKMARK [2][-]{subsection.2.9.1}{The\040ELF\040format\040and\040Lazy\040Binding}{section.2.9}% 47
|
||||
\BOOKMARK [2][-]{subsection.2.9.2}{Hardening\040ELF\040binaries}{section.2.9}% 48
|
||||
\BOOKMARK [1][-]{section.2.10}{The\040proc\040filesystem}{chapter.2}% 49
|
||||
\BOOKMARK [2][-]{subsection.2.10.1}{/proc/<pid>/maps}{section.2.10}% 50
|
||||
\BOOKMARK [2][-]{subsection.2.10.2}{/proc/<pid>/mem}{section.2.10}% 51
|
||||
\BOOKMARK [0][-]{chapter.3}{Analysis\040of\040offensive\040capabilities}{}% 52
|
||||
\BOOKMARK [1][-]{section.3.1}{eBPF\040maps\040security}{chapter.3}% 53
|
||||
\BOOKMARK [1][-]{section.3.2}{Abusing\040tracing\040programs}{chapter.3}% 54
|
||||
\BOOKMARK [2][-]{subsection.3.2.1}{Access\040to\040function\040arguments}{section.3.2}% 55
|
||||
\BOOKMARK [2][-]{subsection.3.2.2}{Reading\040memory\040out\040of\040bounds}{section.3.2}% 56
|
||||
\BOOKMARK [2][-]{subsection.3.2.3}{Overriding\040function\040return\040values}{section.3.2}% 57
|
||||
\BOOKMARK [2][-]{subsection.3.2.4}{Sending\040signals\040to\040user\040programs}{section.3.2}% 58
|
||||
\BOOKMARK [2][-]{subsection.3.2.5}{Takeaways}{section.3.2}% 59
|
||||
\BOOKMARK [1][-]{section.3.3}{Memory\040corruption}{chapter.3}% 60
|
||||
\BOOKMARK [2][-]{subsection.3.3.1}{Attacks\040and\040limitations\040of\040bpf_probe_write_user\(\)}{section.3.3}% 61
|
||||
\BOOKMARK [2][-]{subsection.3.3.2}{Takeaways}{section.3.3}% 62
|
||||
\BOOKMARK [1][-]{section.3.4}{Abusing\040networking\040programs}{chapter.3}% 63
|
||||
\BOOKMARK [2][-]{subsection.3.4.1}{Attacks\040and\040limitations\040of\040networking\040programs}{section.3.4}% 64
|
||||
\BOOKMARK [2][-]{subsection.3.4.2}{Takeaways}{section.3.4}% 65
|
||||
\BOOKMARK [0][-]{chapter.4}{Design\040of\040a\040malicious\040eBPF\040rootkit}{}% 66
|
||||
\BOOKMARK [1][-]{section.4.1}{Rootkit\040architecture}{chapter.4}% 67
|
||||
\BOOKMARK [1][-]{section.4.2}{Library\040injection\040module}{chapter.4}% 68
|
||||
\BOOKMARK [2][-]{subsection.4.2.1}{ROP\040with\040eBPF}{section.4.2}% 69
|
||||
\BOOKMARK [2][-]{subsection.4.2.2}{Bypassing\040hardening\040features\040in\040ELFs}{section.4.2}% 70
|
||||
\BOOKMARK [2][-]{subsection.4.2.3}{Library\040injection\040via\040GOT\040hijacking}{section.4.2}% 71
|
||||
\BOOKMARK [0][-]{chapter.5}{Evaluation}{}% 72
|
||||
\BOOKMARK [1][-]{section.5.1}{Developed\040capabilities}{chapter.5}% 73
|
||||
\BOOKMARK [1][-]{section.5.2}{Rootkit\040use\040cases}{chapter.5}% 74
|
||||
\BOOKMARK [0][-]{chapter.6}{Related\040work}{}% 75
|
||||
\BOOKMARK [0][-]{chapter.6}{Bibliography}{}% 76
|
||||
@@ -1,88 +0,0 @@
|
||||
<?xml version="1.0" standalone="yes"?>
|
||||
<!-- logreq request file -->
|
||||
<!-- logreq version 1.0 / dtd version 1.0 -->
|
||||
<!-- Do not edit this file! -->
|
||||
<!DOCTYPE requests [
|
||||
<!ELEMENT requests (internal | external)*>
|
||||
<!ELEMENT internal (generic, (provides | requires)*)>
|
||||
<!ELEMENT external (generic, cmdline?, input?, output?, (provides | requires)*)>
|
||||
<!ELEMENT cmdline (binary, (option | infile | outfile)*)>
|
||||
<!ELEMENT input (file)+>
|
||||
<!ELEMENT output (file)+>
|
||||
<!ELEMENT provides (file)+>
|
||||
<!ELEMENT requires (file)+>
|
||||
<!ELEMENT generic (#PCDATA)>
|
||||
<!ELEMENT binary (#PCDATA)>
|
||||
<!ELEMENT option (#PCDATA)>
|
||||
<!ELEMENT infile (#PCDATA)>
|
||||
<!ELEMENT outfile (#PCDATA)>
|
||||
<!ELEMENT file (#PCDATA)>
|
||||
<!ATTLIST requests
|
||||
version CDATA #REQUIRED
|
||||
>
|
||||
<!ATTLIST internal
|
||||
package CDATA #REQUIRED
|
||||
priority (9) #REQUIRED
|
||||
active (0 | 1) #REQUIRED
|
||||
>
|
||||
<!ATTLIST external
|
||||
package CDATA #REQUIRED
|
||||
priority (1 | 2 | 3 | 4 | 5 | 6 | 7 | 8) #REQUIRED
|
||||
active (0 | 1) #REQUIRED
|
||||
>
|
||||
<!ATTLIST provides
|
||||
type (static | dynamic | editable) #REQUIRED
|
||||
>
|
||||
<!ATTLIST requires
|
||||
type (static | dynamic | editable) #REQUIRED
|
||||
>
|
||||
<!ATTLIST file
|
||||
type CDATA #IMPLIED
|
||||
>
|
||||
]>
|
||||
<requests version="1.0">
|
||||
<internal package="biblatex" priority="9" active="0">
|
||||
<generic>latex</generic>
|
||||
<provides type="dynamic">
|
||||
<file>document.bcf</file>
|
||||
</provides>
|
||||
<requires type="dynamic">
|
||||
<file>document.bbl</file>
|
||||
</requires>
|
||||
<requires type="static">
|
||||
<file>blx-dm.def</file>
|
||||
<file>blx-compat.def</file>
|
||||
<file>biblatex.def</file>
|
||||
<file>standard.bbx</file>
|
||||
<file>numeric.bbx</file>
|
||||
<file>numeric-comp.bbx</file>
|
||||
<file>ieee.bbx</file>
|
||||
<file>numeric-comp.cbx</file>
|
||||
<file>ieee.cbx</file>
|
||||
<file>biblatex.cfg</file>
|
||||
<file>english.lbx</file>
|
||||
</requires>
|
||||
</internal>
|
||||
<external package="biblatex" priority="5" active="0">
|
||||
<generic>biber</generic>
|
||||
<cmdline>
|
||||
<binary>biber</binary>
|
||||
<infile>document</infile>
|
||||
</cmdline>
|
||||
<input>
|
||||
<file>document.bcf</file>
|
||||
</input>
|
||||
<output>
|
||||
<file>document.bbl</file>
|
||||
</output>
|
||||
<provides type="dynamic">
|
||||
<file>document.bbl</file>
|
||||
</provides>
|
||||
<requires type="dynamic">
|
||||
<file>document.bcf</file>
|
||||
</requires>
|
||||
<requires type="editable">
|
||||
<file>bibliography/bibliography.bib</file>
|
||||
</requires>
|
||||
</external>
|
||||
</requests>
|
||||
Binary file not shown.
@@ -1,155 +0,0 @@
|
||||
\boolfalse {citerequest}\boolfalse {citetracker}\boolfalse {pagetracker}\boolfalse {backtracker}\relax
|
||||
\babel@toc {english}{}
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {chapter}{\numberline {1}Introduction}{1}{chapter.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {1.1}Motivation}{1}{section.1.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {1.2}Project objectives}{3}{section.1.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {1.3}Regulatory framework}{4}{section.1.3}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {1.3.1}Social and economic environment}{4}{subsection.1.3.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {1.3.2}Budget}{4}{subsection.1.3.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {1.4}Structure of the document}{4}{section.1.4}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {1.5}Code availability}{4}{section.1.5}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {chapter}{\numberline {2}Background}{5}{chapter.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {2.1}BPF}{5}{section.2.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.1.1}Introduction to the BPF system}{5}{subsection.2.1.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.1.2}The BPF virtual machine}{6}{subsection.2.1.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.1.3}Analysis of a BPF filter program}{6}{subsection.2.1.3}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.1.4}BPF bytecode instruction format}{7}{subsection.2.1.4}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.1.5}An example of BPF filter with tcpdump}{8}{subsection.2.1.5}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {2.2}Modern eBPF}{10}{section.2.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.2.1}eBPF instruction set}{12}{subsection.2.2.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.2.2}JIT compilation}{13}{subsection.2.2.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.2.3}The eBPF verifier}{13}{subsection.2.2.3}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.2.4}eBPF maps}{14}{subsection.2.2.4}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.2.5}The eBPF ring buffer}{15}{subsection.2.2.5}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.2.6}The bpf() syscall}{15}{subsection.2.2.6}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.2.7}eBPF helpers}{15}{subsection.2.2.7}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {2.3}eBPF program types}{18}{section.2.3}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.3.1}XDP}{18}{subsection.2.3.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.3.2}Traffic Control}{18}{subsection.2.3.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.3.3}Tracepoints}{20}{subsection.2.3.3}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.3.4}Kprobes}{21}{subsection.2.3.4}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.3.5}Uprobes}{22}{subsection.2.3.5}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {2.4}Developing eBPF programs}{23}{section.2.4}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.4.1}BCC}{23}{subsection.2.4.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.4.2}Bpftool}{23}{subsection.2.4.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.4.3}Libbpf}{24}{subsection.2.4.3}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {2.5}Security features in eBPF}{26}{section.2.5}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.5.1}Access control}{26}{subsection.2.5.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {2.6}Memory management in Linux}{28}{section.2.6}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.6.1}Memory pages and faults}{28}{subsection.2.6.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.6.2}Process virtual memory}{29}{subsection.2.6.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.6.3}The process stack}{31}{subsection.2.6.3}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {2.7}Attacks at the stack}{35}{section.2.7}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.7.1}Buffer overflow}{35}{subsection.2.7.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.7.2}Return oriented programming attacks}{38}{subsection.2.7.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {2.8}Networking fundamentals in Linux}{40}{section.2.8}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.8.1}An overview on the network layer}{41}{subsection.2.8.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.8.2}Introduction to the TCP protocol}{42}{subsection.2.8.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {2.9}ELF binaries}{44}{section.2.9}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.9.1}The ELF format and Lazy Binding}{45}{subsection.2.9.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.9.2}Hardening ELF binaries}{48}{subsection.2.9.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {2.10}The proc filesystem}{50}{section.2.10}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.10.1}/proc/<pid>/maps}{50}{subsection.2.10.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {2.10.2}/proc/<pid>/mem}{51}{subsection.2.10.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {chapter}{\numberline {3}Analysis of offensive capabilities}{52}{chapter.3}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {3.1}eBPF maps security}{52}{section.3.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {3.2}Abusing tracing programs}{53}{section.3.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {3.2.1}Access to function arguments}{53}{subsection.3.2.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{56}{subsection.3.2.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {3.2.3}Overriding function return values}{56}{subsection.3.2.3}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {3.2.4}Sending signals to user programs}{58}{subsection.3.2.4}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {3.2.5}Takeaways}{58}{subsection.3.2.5}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {3.3}Memory corruption}{58}{section.3.3}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {3.3.1}Attacks and limitations of bpf\_probe\_write\_user()}{58}{subsection.3.3.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {3.3.2}Takeaways}{61}{subsection.3.3.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {3.4}Abusing networking programs}{62}{section.3.4}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {3.4.1}Attacks and limitations of networking programs}{62}{subsection.3.4.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {3.4.2}Takeaways}{65}{subsection.3.4.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {chapter}{\numberline {4}Design of a malicious eBPF rootkit}{66}{chapter.4}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {4.1}Rootkit architecture}{66}{section.4.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {4.2}Library injection module}{70}{section.4.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {4.2.1}ROP with eBPF}{70}{subsection.4.2.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {4.2.2}Bypassing hardening features in ELFs}{73}{subsection.4.2.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {4.2.3}Library injection via GOT hijacking}{75}{subsection.4.2.3}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {chapter}{\numberline {5}Evaluation}{81}{chapter.5}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {5.1}Developed capabilities}{81}{section.5.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {5.2}Rootkit use cases}{81}{section.5.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {chapter}{\numberline {6}Related work}{82}{chapter.6}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {chapter}{Bibliography}{83}{chapter.6}%
|
||||
\contentsfinish
|
||||
@@ -1,92 +0,0 @@
|
||||
<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d' ?>
|
||||
|
||||
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.0-c316 44.253921, Sun Oct 01 2006 17:14:39">
|
||||
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
|
||||
<rdf:Description rdf:about=""
|
||||
xmlns:pdfaExtension="http://www.aiim.org/pdfa/ns/extension/"
|
||||
xmlns:pdfaSchema="http://www.aiim.org/pdfa/ns/schema#"
|
||||
xmlns:pdfaProperty="http://www.aiim.org/pdfa/ns/property#"
|
||||
>
|
||||
<pdfaExtension:schemas>
|
||||
<rdf:Bag>
|
||||
<rdf:li rdf:parseType="Resource">
|
||||
<pdfaSchema:namespaceURI>http://ns.adobe.com/pdfx/1.3/</pdfaSchema:namespaceURI>
|
||||
<pdfaSchema:prefix>pdfx</pdfaSchema:prefix>
|
||||
<pdfaSchema:schema>PDF/X Schema</pdfaSchema:schema>
|
||||
<pdfaSchema:property><rdf:Seq>
|
||||
<rdf:li rdf:parseType="Resource">
|
||||
<pdfaProperty:category>external</pdfaProperty:category>
|
||||
<pdfaProperty:description>URL to an online version or preprint</pdfaProperty:description>
|
||||
<pdfaProperty:name>AuthoritativeDomain</pdfaProperty:name>
|
||||
<pdfaProperty:valueType>Text</pdfaProperty:valueType>
|
||||
</rdf:li></rdf:Seq>
|
||||
</pdfaSchema:property>
|
||||
</rdf:li>
|
||||
<rdf:li rdf:parseType="Resource">
|
||||
<pdfaSchema:namespaceURI>http://www.aiim.org/pdfua/ns/id/</pdfaSchema:namespaceURI>
|
||||
<pdfaSchema:prefix>pdfuaid</pdfaSchema:prefix>
|
||||
<pdfaSchema:schema>PDF/UA ID Schema</pdfaSchema:schema>
|
||||
<pdfaSchema:property><rdf:Seq>
|
||||
<rdf:li rdf:parseType="Resource">
|
||||
<pdfaProperty:category>internal</pdfaProperty:category>
|
||||
<pdfaProperty:description>Part of PDF/UA standard</pdfaProperty:description>
|
||||
<pdfaProperty:name>part</pdfaProperty:name>
|
||||
<pdfaProperty:valueType>Integer</pdfaProperty:valueType>
|
||||
</rdf:li></rdf:Seq>
|
||||
</pdfaSchema:property>
|
||||
</rdf:li>
|
||||
<rdf:li rdf:parseType="Resource">
|
||||
<pdfaSchema:schema>PRISM metadata</pdfaSchema:schema>
|
||||
<pdfaSchema:namespaceURI>http://prismstandard.org/namespaces/basic/2.2/</pdfaSchema:namespaceURI>
|
||||
<pdfaSchema:prefix>prism</pdfaSchema:prefix>
|
||||
<pdfaSchema:property><rdf:Seq>
|
||||
<rdf:li rdf:parseType="Resource">
|
||||
<pdfaProperty:name>aggregationType</pdfaProperty:name>
|
||||
<pdfaProperty:valueType>Text</pdfaProperty:valueType>
|
||||
<pdfaProperty:category>external</pdfaProperty:category>
|
||||
<pdfaProperty:description>The type of publication. If defined, must be one of book, catalog, feed, journal, magazine, manual, newsletter, pamphlet.</pdfaProperty:description>
|
||||
</rdf:li>
|
||||
<rdf:li rdf:parseType="Resource">
|
||||
<pdfaProperty:name>url</pdfaProperty:name>
|
||||
<pdfaProperty:valueType>URL</pdfaProperty:valueType>
|
||||
<pdfaProperty:category>external</pdfaProperty:category>
|
||||
<pdfaProperty:description>URL for the article or unit of content</pdfaProperty:description>
|
||||
</rdf:li>
|
||||
</rdf:Seq></pdfaSchema:property>
|
||||
</rdf:li>
|
||||
</rdf:Bag>
|
||||
</pdfaExtension:schemas>
|
||||
</rdf:Description>
|
||||
<rdf:Description rdf:about="" xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
|
||||
<pdf:Producer>pdfTeX</pdf:Producer>
|
||||
</rdf:Description>
|
||||
<rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/">
|
||||
<dc:format>application/pdf</dc:format>
|
||||
</rdf:Description>
|
||||
<rdf:Description rdf:about="" xmlns:prism="http://prismstandard.org/namespaces/basic/2.2/">
|
||||
</rdf:Description>
|
||||
<rdf:Description rdf:about="" xmlns:pdfx="http://ns.adobe.com/pdfx/1.3/">
|
||||
</rdf:Description>
|
||||
<rdf:Description rdf:about="" xmlns:pdfaid="http://www.aiim.org/pdfa/ns/id/">
|
||||
<pdfaid:part>1</pdfaid:part>
|
||||
<pdfaid:conformance>B</pdfaid:conformance>
|
||||
</rdf:Description>
|
||||
<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/">
|
||||
<xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool>
|
||||
<xmp:ModifyDate>2022-06-12T22:29:59-04:00</xmp:ModifyDate>
|
||||
<xmp:CreateDate>2022-06-12T22:29:59-04:00</xmp:CreateDate>
|
||||
<xmp:MetadataDate>2022-06-12T22:29:59-04:00</xmp:MetadataDate>
|
||||
</rdf:Description>
|
||||
<rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/">
|
||||
</rdf:Description>
|
||||
<rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/">
|
||||
<xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID>
|
||||
<xmpMM:InstanceID>uuid:A8053261-511A-41B6-CD06-38084AF40198</xmpMM:InstanceID>
|
||||
</rdf:Description>
|
||||
</rdf:RDF>
|
||||
</x:xmpmeta>
|
||||
|
||||
|
||||
|
||||
|
||||
<?xpacket end='w'?>
|
||||