Completed ebpf verifier

h3xduck
2022-05-26 08:39:45 -04:00
parent a99c3e0f7d
commit 079601ec22
12 changed files with 260 additions and 111 deletions


@@ -134,6 +134,11 @@
url={https://ebpf.io/what-is-ebpf/#loader--verification-architecture}
},
@manual{ebpf_io_verification,
title={eBPF Documentation: Verification},
url={https://ebpf.io/what-is-ebpf/#verification}
},
@manual{index_register,
title={Index register},
url={https://gunkies.org/wiki/Index_register}
@@ -216,6 +221,15 @@
pages={14}
},
@proceedings{ebpf_JIT_demystify_page17-22,
title={Demystify eBPF JIT Compiler},
url={https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf},
institution={Netronome},
author={Jiong Wang},
date={2018-09-11},
pages={17-22}
},
@book{brendan_gregg_bpf_book_bpf_vm,
title={BPF performance tools},
author={Brendan Gregg},
@@ -225,6 +239,18 @@
@manual{jit_enable_setting,
title={bpf\_jit\_enable},
url={https://sysctl-explorer.net/net/core/bpf_jit_enable/}
},
@manual{ebpf_verifier_kerneldocs,
title={eBPF verifier},
url={https://kernel.org/doc/html/latest/bpf/verifier.html}
},
@online{ebpf_bounded_loops,
title={Bounded loops in BPF for the 5.3 kernel},
url={https://lwn.net/Articles/794934/},
date={2019-06-31},
author={Marta Rybczynska}
}
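Review bot: The `date={2019-06-31}` in the new `ebpf_bounded_loops` entry is not a valid calendar date (June has 30 days), and the Biber log committed alongside it reports the field as "Invalid format ... ignoring", so the citation is printed without a date. Replace it with the article's real publication date, probably `date={2019-07-31}`, to be confirmed against the LWN page. In `ebpf_JIT_demystify_page17-22`, `@proceedings` describes a whole proceedings volume and is not meant to carry `author` or `institution`; `@online` or `@report` would fit a vendor slide deck better. The URL-only `@manual` entries, in particular `ebpf_verifier_kerneldocs`, should get a `urldate`, because `kernel.org/doc/html/latest` tracks the newest kernel and the verifier rules cited from it can change between releases.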


@@ -77,6 +77,7 @@
\abx@aux@cite{bpf_organicprogrammer_analysis}
\abx@aux@segm{0}{0}{bpf_organicprogrammer_analysis}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.3}Analysis of a BPF filter program}{7}{subsection.2.1.3}\protected@file@percent }
\newlabel{subsection:analysis_bpf_filter_prog}{{2.1.3}{7}{Analysis of a BPF filter program}{subsection.2.1.3}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.2}{\ignorespaces Execution of a BPF filter.\relax }}{7}{figure.caption.8}\protected@file@percent }
\newlabel{fig:cbpf_prog}{{2.2}{7}{Execution of a BPF filter.\relax }{figure.caption.8}{}}
\abx@aux@cite{bpf_bsd_origin_bpf_page7}
@@ -149,18 +150,24 @@
\abx@aux@segm{0}{0}{ebpf_starovo_slides_page23}
\abx@aux@cite{brendan_gregg_bpf_book_bpf_vm}
\abx@aux@segm{0}{0}{brendan_gregg_bpf_book_bpf_vm}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.3}eBPF architecture}{14}{subsection.2.2.3}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Methods??}{15}{chapter.3}\protected@file@percent }
\abx@aux@cite{ebpf_verifier_kerneldocs}
\abx@aux@segm{0}{0}{ebpf_verifier_kerneldocs}
\abx@aux@cite{ebpf_JIT_demystify_page17-22}
\abx@aux@segm{0}{0}{ebpf_JIT_demystify_page17-22}
\abx@aux@cite{ebpf_bounded_loops}
\abx@aux@segm{0}{0}{ebpf_bounded_loops}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.3}The eBPF verifier}{14}{subsection.2.2.3}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Methods??}{16}{chapter.3}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{16}{chapter.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{17}{chapter.4}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{17}{chapter.5}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{18}{chapter.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{18}{chapter.5}\protected@file@percent }
\abx@aux@read@bbl@mdfivesum{5F7A9629AD8490B1B0F141D5BD6DF521}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{19}{chapter.5}\protected@file@percent }
\abx@aux@read@bbl@mdfivesum{B46A2B2BB490570F1A9251B9CDF39B97}
\abx@aux@refcontextdefaultsdone
\abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global}
@@ -194,5 +201,8 @@
\abx@aux@defaultrefcontext{0}{jit_enable_setting}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_starovo_slides_page23}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{brendan_gregg_bpf_book_bpf_vm}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_verifier_kerneldocs}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_JIT_demystify_page17-22}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_bounded_loops}{none/global//global/global}
\ttl@finishall
\gdef \@abspage@last{36}
\gdef \@abspage@last{37}


@@ -23,8 +23,8 @@
\list{institution}{1}{%
{PricewaterhouseCoopers}%
}
\field{sortinit}{6}
\field{sortinithash}{7851c86048328b027313775d8fbd2131}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{labeltitlesource}{title}
\field{title}{Cyber Threats 2021: A year in Retrospect}
\verb{urlraw}
@@ -38,8 +38,8 @@
\list{institution}{1}{%
{Positive Technologies}%
}
\field{sortinit}{7}
\field{sortinithash}{f615fb9c6fba11c6f962fb3fd599810e}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{labeltitlesource}{title}
\field{day}{3}
\field{month}{11}
@@ -54,8 +54,8 @@
\endverb
\endentry
\entry{ebpf_linux318}{online}{}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{day}{7}
\field{indextitle}{eBPF incorporation in the Linux Kernel 3.18}
\field{month}{12}
@@ -72,8 +72,8 @@
\list{institution}{1}{%
{Pangu Lab}%
}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{day}{23}
\field{month}{2}
@@ -269,8 +269,8 @@
\endverb
\endentry
\entry{ebpf_history_opensource}{online}{}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{sortinit}{2}
\field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
\field{labeltitlesource}{title}
\field{day}{11}
\field{month}{8}
@@ -302,8 +302,8 @@
\strng{authornamehash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{authorfullhash}{b74c2671072cf5a1a1400dc035240dfd}
\field{extraname}{2}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{sortinit}{2}
\field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{19}
@@ -472,8 +472,8 @@
\list{organization}{1}{%
{iovisor}%
}
\field{sortinit}{2}
\field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
\field{sortinit}{3}
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
\field{labeltitlesource}{title}
\field{title}{BPF features by Linux Kernel Version}
\verb{urlraw}
@@ -746,6 +746,81 @@
\verb https://learning.oreilly.com/library/view/bpf-performance-tools/9780136588870/ch02.xhtml#:-:text=With%20JIT%20compiled%20code%2C%20i,%20other%20native%20kernel%20code
\endverb
\endentry
\entry{ebpf_verifier_kerneldocs}{manual}{}
\field{sortinit}{4}
\field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4}
\field{labeltitlesource}{title}
\field{title}{eBPF verifier}
\verb{urlraw}
\verb https://kernel.org/doc/html/latest/bpf/verifier.html
\endverb
\verb{url}
\verb https://kernel.org/doc/html/latest/bpf/verifier.html
\endverb
\endentry
\entry{ebpf_JIT_demystify_page17-22}{proceedings}{}
\name{author}{1}{}{%
{{hash=0fcaa32b080db12cbc8b11b27d05ad61}{%
family={Wang},
familyi={W\bibinitperiod},
given={Jiong},
giveni={J\bibinitperiod}}}%
}
\list{institution}{1}{%
{Netronome}%
}
\strng{namehash}{0fcaa32b080db12cbc8b11b27d05ad61}
\strng{fullhash}{0fcaa32b080db12cbc8b11b27d05ad61}
\strng{bibnamehash}{0fcaa32b080db12cbc8b11b27d05ad61}
\strng{authorbibnamehash}{0fcaa32b080db12cbc8b11b27d05ad61}
\strng{authornamehash}{0fcaa32b080db12cbc8b11b27d05ad61}
\strng{authorfullhash}{0fcaa32b080db12cbc8b11b27d05ad61}
\field{extraname}{3}
\field{sortinit}{4}
\field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{11}
\field{month}{9}
\field{title}{Demystify eBPF JIT Compiler}
\field{year}{2018}
\field{dateera}{ce}
\field{pages}{17\bibrangedash 22}
\range{pages}{6}
\verb{urlraw}
\verb https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf
\endverb
\verb{url}
\verb https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf
\endverb
\endentry
\entry{ebpf_bounded_loops}{online}{}
\name{author}{1}{}{%
{{hash=eb58c5db0dc3d52508c642eba949ed28}{%
family={Rybczynska},
familyi={R\bibinitperiod},
given={Marta},
giveni={M\bibinitperiod}}}%
}
\strng{namehash}{eb58c5db0dc3d52508c642eba949ed28}
\strng{fullhash}{eb58c5db0dc3d52508c642eba949ed28}
\strng{bibnamehash}{eb58c5db0dc3d52508c642eba949ed28}
\strng{authorbibnamehash}{eb58c5db0dc3d52508c642eba949ed28}
\strng{authornamehash}{eb58c5db0dc3d52508c642eba949ed28}
\strng{authorfullhash}{eb58c5db0dc3d52508c642eba949ed28}
\field{sortinit}{5}
\field{sortinithash}{5dd416adbafacc8226114bc0202d5fdd}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{title}{Bounded loops in BPF for the 5.3 kernel}
\verb{urlraw}
\verb https://lwn.net/Articles/794934/
\endverb
\verb{url}
\verb https://lwn.net/Articles/794934/
\endverb
\warn{\item Entry 'ebpf_bounded_loops' (bibliography/bibliography.bib): Invalid format '2019-06-31' of date field 'date' - ignoring}
\endentry
\enddatalist
\endrefsection
\endinput


@@ -2388,6 +2388,9 @@
<bcf:citekey order="45">jit_enable_setting</bcf:citekey>
<bcf:citekey order="46">ebpf_starovo_slides_page23</bcf:citekey>
<bcf:citekey order="47">brendan_gregg_bpf_book_bpf_vm</bcf:citekey>
<bcf:citekey order="48">ebpf_verifier_kerneldocs</bcf:citekey>
<bcf:citekey order="49">ebpf_JIT_demystify_page17-22</bcf:citekey>
<bcf:citekey order="50">ebpf_bounded_loops</bcf:citekey>
</bcf:section>
<!-- SORTING TEMPLATES -->
<bcf:sortingtemplate name="none">


@@ -1,47 +1,52 @@
[0] Config.pm:311> INFO - This is Biber 2.16
[0] Config.pm:314> INFO - Logfile is 'document.blg'
[57] biber:340> INFO - === Wed May 25, 2022, 21:58:47
[69] Biber.pm:415> INFO - Reading 'document.bcf'
[139] Biber.pm:952> INFO - Found 32 citekeys in bib section 0
[153] Biber.pm:4340> INFO - Processing section 0
[161] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[163] bibtex.pm:1689> INFO - LaTeX decoding ...
[176] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[266] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 9, warning: 1 characters of junk seen at toplevel
[266] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 15, warning: 1 characters of junk seen at toplevel
[266] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 22, warning: 1 characters of junk seen at toplevel
[266] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 28, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 35, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 42, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 50, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 58, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 65, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 70, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 77, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 85, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 94, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 103, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 112, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 121, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 127, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 132, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 137, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 148, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 153, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 159, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 165, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 170, warning: 1 characters of junk seen at toplevel
[268] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 179, warning: 1 characters of junk seen at toplevel
[268] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 186, warning: 1 characters of junk seen at toplevel
[268] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 194, warning: 1 characters of junk seen at toplevel
[268] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 201, warning: 1 characters of junk seen at toplevel
[268] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 210, warning: 1 characters of junk seen at toplevel
[268] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 219, warning: 1 characters of junk seen at toplevel
[268] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 225, warning: 1 characters of junk seen at toplevel
[291] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[291] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[291] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[291] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[311] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[320] bbl.pm:757> INFO - Output to document.bbl
[320] Biber.pm:128> INFO - WARNINGS: 31
[1] Config.pm:311> INFO - This is Biber 2.16
[1] Config.pm:314> INFO - Logfile is 'document.blg'
[158] biber:340> INFO - === Thu May 26, 2022, 08:37:12
[187] Biber.pm:415> INFO - Reading 'document.bcf'
[384] Biber.pm:952> INFO - Found 35 citekeys in bib section 0
[425] Biber.pm:4340> INFO - Processing section 0
[450] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[454] bibtex.pm:1689> INFO - LaTeX decoding ...
[494] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[694] Utils.pm:384> WARN - Entry 'ebpf_bounded_loops' (bibliography/bibliography.bib): Invalid format '2019-06-31' of date field 'date' - ignoring
[702] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 9, warning: 1 characters of junk seen at toplevel
[702] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 15, warning: 1 characters of junk seen at toplevel
[702] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 22, warning: 1 characters of junk seen at toplevel
[703] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 28, warning: 1 characters of junk seen at toplevel
[703] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 35, warning: 1 characters of junk seen at toplevel
[703] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 42, warning: 1 characters of junk seen at toplevel
[703] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 50, warning: 1 characters of junk seen at toplevel
[704] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 58, warning: 1 characters of junk seen at toplevel
[704] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 65, warning: 1 characters of junk seen at toplevel
[704] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 70, warning: 1 characters of junk seen at toplevel
[704] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 77, warning: 1 characters of junk seen at toplevel
[704] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 85, warning: 1 characters of junk seen at toplevel
[704] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 94, warning: 1 characters of junk seen at toplevel
[704] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 103, warning: 1 characters of junk seen at toplevel
[705] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 112, warning: 1 characters of junk seen at toplevel
[705] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 121, warning: 1 characters of junk seen at toplevel
[705] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 127, warning: 1 characters of junk seen at toplevel
[705] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 132, warning: 1 characters of junk seen at toplevel
[705] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 137, warning: 1 characters of junk seen at toplevel
[705] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 142, warning: 1 characters of junk seen at toplevel
[705] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 153, warning: 1 characters of junk seen at toplevel
[706] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 158, warning: 1 characters of junk seen at toplevel
[706] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 164, warning: 1 characters of junk seen at toplevel
[706] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 170, warning: 1 characters of junk seen at toplevel
[706] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 175, warning: 1 characters of junk seen at toplevel
[706] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 184, warning: 1 characters of junk seen at toplevel
[706] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 191, warning: 1 characters of junk seen at toplevel
[707] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 199, warning: 1 characters of junk seen at toplevel
[707] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 206, warning: 1 characters of junk seen at toplevel
[707] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 215, warning: 1 characters of junk seen at toplevel
[707] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 224, warning: 1 characters of junk seen at toplevel
[708] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 233, warning: 1 characters of junk seen at toplevel
[708] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 239, warning: 1 characters of junk seen at toplevel
[708] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 244, warning: 1 characters of junk seen at toplevel
[708] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 249, warning: 1 characters of junk seen at toplevel
[776] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[776] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[776] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[776] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[831] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[859] bbl.pm:757> INFO - Output to document.bbl
[859] Biber.pm:128> INFO - WARNINGS: 36


@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 25 MAY 2022 21:59
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 26 MAY 2022 08:37
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.
@@ -1079,7 +1079,14 @@ Package: blx-case-expl3 2020/12/31 v3.16 expl3 case changing code for biblatex
Package biblatex Info: Trying to load bibliographic data...
Package biblatex Info: ... file 'document.bbl' found.
(./document.bbl)
(./document.bbl
Package biblatex Warning: Biber reported the following issues
(biblatex) with 'ebpf_bounded_loops':
(biblatex) - Entry 'ebpf_bounded_loops' (bibliography/bibliograp
hy.bib): Invalid format '2019-06-31' of date field 'date' - ignoring.
)
Package biblatex Info: Reference section=0 on input line 179.
Package biblatex Info: Reference segment=0 on input line 179.
LaTeX Font Info: Trying to load font information for T1+txss on input line 1
@@ -1111,7 +1118,6 @@ LaTeX Font Info: Font shape `T1/txss/b/n' in size <12> not available
(Font) Font shape `T1/txss/bx/n' tried instead on input line 216.
LaTeX Font Info: Font shape `T1/txss/bx/n' will be
(Font) scaled to size 11.39996pt on input line 216.
[1
<./images//Portada_Logo.png> <./images/creativecommons.png>]pdfTeX warning (ex
@@ -1269,57 +1275,57 @@ Overfull \hbox (17.02478pt too wide) in paragraph at lines 627--628
the vari-able \T1/txr/m/it/12 bpf_jit_enable\T1/txr/m/n/12 [[][]30[][]],
[]
[14]
[14] [15]
Chapter 3.
[15
]
Chapter 4.
[16
]
Chapter 5.
Chapter 4.
[17
]
Chapter 5.
[18
]
LaTeX Font Info: Trying to load font information for T1+txtt on input line 6
76.
97.
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txtt.fd
File: t1txtt.fd 2000/12/15 v3.1
)
Overfull \hbox (5.34976pt too wide) in paragraph at lines 677--677
Overfull \hbox (5.34976pt too wide) in paragraph at lines 698--698
\T1/txtt/m/n/12 threat -[] intelligence / cyber -[] year -[] in -[] retrospect
/ yir -[] cyber -[] threats -[]
[]
[18
[19
]
Overfull \hbox (6.22696pt too wide) in paragraph at lines 677--677
Overfull \hbox (6.22696pt too wide) in paragraph at lines 698--698
[]\T1/txr/m/it/12 Bpf fea-tures by linux ker-nel ver-sion\T1/txr/m/n/12 , io-vi
-sor. [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / github .
[]
Overfull \hbox (7.34976pt too wide) in paragraph at lines 677--677
Overfull \hbox (7.34976pt too wide) in paragraph at lines 698--698
[][]$\T1/txtt/m/n/12 https : / / ebpf . io / what -[] is -[] ebpf / #loader -[]
-[] verification -[] architecture$[][]\T1/txr/m/n/12 .
[]
Overfull \hbox (21.24973pt too wide) in paragraph at lines 677--677
Overfull \hbox (21.24973pt too wide) in paragraph at lines 698--698
\T1/txtt/m/n/12 vger . kernel . org / netconf2015Starovoitov -[] bpf _ collabsu
mmit _ 2015feb20 .
[]
[19]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 677--677
[20]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 698--698
\T1/txtt/m/n/12 ch02 . xhtml# :-[]: text = With % 20JIT % 20compiled % 20code %
2C % 20i ,[] %20other %
[]
[20] [1
[21] [1
]
@@ -1330,7 +1336,7 @@ pdfTeX warning (ext4): destination with the same identifier (name{page.}) has b
een already used, duplicate ignored
<to be read again>
\relax
l.693 \end{document}
l.714 \end{document}
[2
] (./document.aux)
@@ -1338,19 +1344,19 @@ l.693 \end{document}
LaTeX Warning: There were undefined references.
Package rerunfilecheck Info: File `document.out' has not changed.
(rerunfilecheck) Checksum: 66497A77734FDFAA905ECBF53B99BCD1;1610.
(rerunfilecheck) Checksum: 1F4132EC47FF9B036E3940F1818CC401;1613.
Package logreq Info: Writing requests to 'document.run.xml'.
\openout1 = `document.run.xml'.
)
Here is how much of TeX's memory you used:
27367 strings out of 481209
436043 string characters out of 5914747
1175417 words of memory out of 5000000
43776 multiletter control sequences out of 15000+600000
27378 strings out of 481209
436516 string characters out of 5914747
1175713 words of memory out of 5000000
43783 multiletter control sequences out of 15000+600000
456974 words of font info for 103 fonts, out of 8000000 for 9000
36 hyphenation exceptions out of 8191
88i,11n,90p,1029b,3093s stack positions out of 5000i,500n,10000p,200000b,80000s
88i,11n,90p,1029b,3095s stack positions out of 5000i,500n,10000p,200000b,80000s
{/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc}</usr/share/texliv
e/texmf-dist/fonts/type1/public/txfonts/rtcxi.pfb></usr/share/texlive/texmf-dis
t/fonts/type1/public/txfonts/rtcxr.pfb></usr/share/texlive/texmf-dist/fonts/typ
@@ -1362,9 +1368,9 @@ texmf-dist/fonts/type1/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/f
onts/type1/urw/times/utmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/
times/utmbi8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.p
fb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on document.pdf (36 pages, 573346 bytes).
Output written on document.pdf (37 pages, 578756 bytes).
PDF statistics:
591 PDF objects out of 1000 (max. 8388607)
105 named destinations out of 1000 (max. 500000)
613 PDF objects out of 1000 (max. 8388607)
109 named destinations out of 1000 (max. 500000)
234 words of extra memory for PDF output out of 10000 (max. 10000000)


@@ -15,7 +15,7 @@
\BOOKMARK [1][-]{section.2.2}{Analysis\040of\040modern\040eBPF}{chapter.2}% 15
\BOOKMARK [2][-]{subsection.2.2.1}{eBPF\040instruction\040set}{section.2.2}% 16
\BOOKMARK [2][-]{subsection.2.2.2}{JIT\040compilation}{section.2.2}% 17
\BOOKMARK [2][-]{subsection.2.2.3}{eBPF\040architecture}{section.2.2}% 18
\BOOKMARK [2][-]{subsection.2.2.3}{The\040eBPF\040verifier}{section.2.2}% 18
\BOOKMARK [0][-]{chapter.3}{Methods??}{}% 19
\BOOKMARK [0][-]{chapter.4}{Results}{}% 20
\BOOKMARK [0][-]{chapter.5}{Conclusion\040and\040future\040work}{}% 21

Binary file not shown.

Binary file not shown.


@@ -409,7 +409,7 @@ The rootkit will work in a fresh-install of a Linux system with the following ch
% I WILL NOT INCLUDE A ROOTKIT BACKGROUND, considering that a deep study of that is not fully relevant for us. I explained what it is, its two main types (should we include bootkits, maybe?) and its relation with eBPF in the introduction, since it is needed to introduce the overall context. Should we do otherwise?
This chapter is dedicated to an study of the eBPF technology. Firstly, we will analyse its origins, understanding what it is and how it works, and discuss the reasons why it is a necessary component of the Linux kernel today. Afterwards, we will cover the main features of eBPF in detail. Finally, an study of the existing alternatives for developing eBPF applications will be also included.
Although during our discussion of the offensive capabilities of eBPF in section\ref{section:analysis_offensive_capabilities} we use a library that will provide us with a layer of abstraction over the underlying operations, this background is needed to understand how eBPF is embedded in the kernel and which capabilities and limits we can expect to achieve with it.
Although during our discussion of the offensive capabilities of eBPF in section\ref{section:analysis_offensive_capabilities} we will use a library that will provide us with a layer of abstraction over the underlying operations, this background is needed to understand how eBPF is embedded in the kernel and which capabilities and limits we can expect to achieve with it.
\section{eBPF history - Classic BPF}
% Is it ok to have sections / chapters without individual intros?
@@ -441,7 +441,7 @@ In a technical level, BPF comprises both the BPF filter programs developed by th
\end{itemize}
\subsection{Analysis of a BPF filter program}
\subsection{Analysis of a BPF filter program} \label{subsection:analysis_bpf_filter_prog}
As we mentioned in section \ref{section:bpf_vm}, the components of the BPF VM are used to support running BPF filter programs. A BPF filter is implemented as a boolean function:
\begin{itemize}
\item If it returns \textit{true}, the kernel copies the packet to the application.
@@ -629,8 +629,32 @@ Therefore, when using JIT compiling (a setting defined by the variable \textit{b
The programs developed during this project will always have JIT compiling active.
\subsection{eBPF architecture}
Provided the instruction set architecture (ISA) described in section
\subsection{The eBPF verifier}
We introduced in figure \ref{fig:ebpf_architecture} the presence of the so-called eBPF verifier. Provided that we will be loading programs in the kernel from user space, these programs need to be checked for safety before being valid to be executed.
The verifier performs a series of tests which every eBPF program must pass in order to be accepted. Otherwise, user programs could leak privileged data, result in kernel memory corruption, or hang the kernel in an infinite loop, between others. Therefore, the verifier limits multiple aspects of eBPF programs so that they are restricted to the intended functionality, whilst at the same time offering a reasonable amount of freedom to the developer.
The following are the most relevant checks that the verifier performs in eBPF programs\cite{ebpf_verifier_kerneldocs}\cite{ebpf_JIT_demystify_page17-22}:
\begin{itemize}
\item Tests for ensuring overall control flow safety:
\subitem No loops allowed (bounded loops accepted since kernel version 5.3\cite{ebpf_bounded_loops}.
\subitem Function call and jumps safety to known, reachable functions.
\item Tests for individual instructions:
\subitem Divisions by zero and invalid shift operations.
\subitem Invalid stack access and invalid out-of-bound access to data structures.
\subitem Reads from uninitialized registers and corruption of pointers.
\end{itemize}
These checks are performed by two main algorithms:
\begin{itemize}
\item Build a graph representing the eBPF instructions (similar to the one shown in section \ref{subsection:analysis_bpf_filter_prog}. Check that it is in fact a direct acyclic graph (DAG), meaning that the verifier prevents loops and unreachable instructions.
\item Simulate execution flow by starting on the first instruction and following each possible path, observing at each instruction the state of every register and of the stack.
\end{itemize}
\subsection{eBPF maps}
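Review bot: The first item of the second list in the new verifier subsection says the graph check means "the verifier prevents loops", which contradicts the first list's statement that bounded loops are accepted since kernel version 5.3. A reader using this section to understand what the verifier guarantees as a safety boundary gets two different answers. A kernel-version qualifier would reconcile them and also correct "direct acyclic graph", for example `Check the graph for unreachable instructions and for loops: before kernel 5.3 it had to be a directed acyclic graph (DAG), while later kernels accept only loops that the verifier can bound.`; this wording reflects my reading of the cited sources and should be checked against them. Both parentheses opened in this hunk are also left unclosed and should end as `\cite{ebpf_bounded_loops}).` and `\ref{subsection:analysis_bpf_filter_prog}).`.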


@@ -35,13 +35,13 @@
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.2.2}JIT compilation}{13}{subsection.2.2.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.2.3}eBPF architecture}{14}{subsection.2.2.3}%
\contentsline {subsection}{\numberline {2.2.3}The eBPF verifier}{14}{subsection.2.2.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {3}Methods??}{15}{chapter.3}%
\contentsline {chapter}{\numberline {3}Methods??}{16}{chapter.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {4}Results}{16}{chapter.4}%
\contentsline {chapter}{\numberline {4}Results}{17}{chapter.4}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Conclusion and future work}{17}{chapter.5}%
\contentsline {chapter}{\numberline {5}Conclusion and future work}{18}{chapter.5}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{18}{chapter.5}%
\contentsline {chapter}{Bibliography}{19}{chapter.5}%
\contentsfinish


@@ -73,15 +73,15 @@
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/">
<xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool>
<xmp:ModifyDate>2022-05-25T21:59:30-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-05-25T21:59:30-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-05-25T21:59:30-04:00</xmp:MetadataDate>
<xmp:ModifyDate>2022-05-26T08:37:14-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-05-26T08:37:14-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-05-26T08:37:14-04:00</xmp:MetadataDate>
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/">
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/">
<xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID>
<xmpMM:InstanceID>uuid:AED25E85-D80C-CF5E-E310-D04CC694E463</xmpMM:InstanceID>
<xmpMM:InstanceID>uuid:4B646A0C-EF73-31AE-E3CE-25CCB1559897</xmpMM:InstanceID>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>