admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-16 23:33:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

Continued with library injection attack

Browse Source
This commit is contained in:
h3xduck
2022-06-09 22:57:25 -04:00
parent a46339e912
commit 1595caa8d0
22 changed files with 957 additions and 311 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
docs/bibliography/bibliography.bib
View File

@@ -543,6 +543,56 @@ AMD64 Architecture Processor Supplement},
@online{glibc,
title={The GNU C library},
url={https://www.gnu.org/software/libc/}
},
@online{plt_got_technovelty,
title={PLT and GOT - the key to code sharing and dynamic libraries},
author={Ian Wienand},
url={https://www.technovelty.org/linux/plt-and-got-the-key-to-code-sharing-and-dynamic-libraries.html},
date={2011-05-11}
},
@online{plt_got_overlord,
title={GOT and PLT for pwning.},
author={David Tomaschik},
url={https://systemoverlord.com/2017/03/19/got-and-plt-for-pwning.html},
date={2017-03-19}
},
@manual{elf,
title={ELF},
url={https://wiki.osdev.org/ELF}
},
@online{pie_exploit,
title={Position Independent Code},
url={https://ir0nstone.gitbook.io/notes/types/stack/pie}
},
@online{aslr_pie_intro,
title={aslr/pie intro},
url={https://guyinatuxedo.github.io/5.1-mitigation_aslr_pie/index.html#aslrpie-intro}
},
@online{relro_readhat,
title={Hardening ELF binaries using Relocation Read-Only (RELRO)},
author={Huzaifa Sidhpurwala},
date={2019-01-28},
url={https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro}
},
@online{cet_windows,
title={R.I.P ROP: CET Internals in Windows 20H1},
author={Yarden Shafir, Alex Ionescu},
date={2020-05-01},
url={https://windows-internals.com/cet-on-windows/}
},
@online{cet_linux,
title={Another Round Of Intel CET Patches, Still Working Toward Linux Kernel Integration},
author={Michael Larabel},
date={2021-07-21},
url={https://www.phoronix.com/scan.php?page=news_item&px=Intel-CET-v29}
}

69
docs/document.aux
View File

@@ -411,8 +411,9 @@
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Design of a malicious eBPF rootkit}{55}{chapter.4}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.1}Library injection via .GOT hijacking}{55}{section.4.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.1}Library injection via GOT hijacking}{55}{section.4.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.1}Attacks at the stack: buffer overflow}{56}{subsection.4.1.1}\protected@file@percent }
\newlabel{subsection: buf_overflow}{{4.1.1}{56}{Attacks at the stack: buffer overflow}{subsection.4.1.1}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.1}{\ignorespaces Execution hijack overwriting saved rip value.\relax }}{57}{figure.caption.49}\protected@file@percent }
\newlabel{fig:stack_ret_hij_simple}{{4.1}{57}{Execution hijack overwriting saved rip value.\relax }{figure.caption.49}{}}
\newlabel{code:vuln_overflow}{{4.1}{57}{Program vulnerable to buffer overflow}{lstlisting.4.1}{}}
@@ -434,21 +435,69 @@
\abx@aux@cite{glibc}
\abx@aux@segm{0}{0}{glibc}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.3}ROP with eBPF}{62}{subsection.4.1.3}\protected@file@percent }
\newlabel{subsection:rop_ebpf}{{4.1.3}{62}{ROP with eBPF}{subsection.4.1.3}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.5}{\ignorespaces Initial setup for the ROP with eBPF technique.\relax }}{62}{figure.caption.53}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_1}{{4.5}{62}{Initial setup for the ROP with eBPF technique.\relax }{figure.caption.53}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.6}{\ignorespaces Process memory after syscall exits and ROP code overwrites the stack.\relax }}{63}{figure.caption.54}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_2}{{4.6}{63}{Process memory after syscall exits and ROP code overwrites the stack.\relax }{figure.caption.54}{}}
\abx@aux@cite{elf}
\abx@aux@segm{0}{0}{elf}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.7}{\ignorespaces Stack data is restored and program continues its execution.\relax }}{64}{figure.caption.55}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_3}{{4.7}{64}{Stack data is restored and program continues its execution.\relax }{figure.caption.55}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Results}{65}{chapter.5}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.4}The ELF format and Lazy Binding}{64}{subsection.4.1.4}\protected@file@percent }
\newlabel{subsection:elf_lazy_binding}{{4.1.4}{64}{The ELF format and Lazy Binding}{subsection.4.1.4}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {4.1}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{65}{table.caption.56}\protected@file@percent }
\newlabel{table:elf_tools}{{4.1}{65}{Tools used for analysis of ELF programs.\relax }{table.caption.56}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {4.2}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{65}{table.caption.57}\protected@file@percent }
\newlabel{table:elf_sec_headers}{{4.2}{65}{Tools used for analysis of ELF programs.\relax }{table.caption.57}{}}
\abx@aux@cite{plt_got_overlord}
\abx@aux@segm{0}{0}{plt_got_overlord}
\abx@aux@cite{plt_got_technovelty}
\abx@aux@segm{0}{0}{plt_got_technovelty}
\newlabel{code:lazy_bind_1}{{4.3}{66}{Call to PLT stub seen from objdump}{lstlisting.4.3}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {4.3}Call to PLT stub seen from objdump.}{66}{lstlisting.4.3}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.8}{\ignorespaces PLT stub for timerfd\_settime, seen from gdb-peda.\relax }}{66}{figure.caption.58}\protected@file@percent }
\newlabel{fig:lazy_bind_2}{{4.8}{66}{PLT stub for timerfd\_settime, seen from gdb-peda.\relax }{figure.caption.58}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.9}{\ignorespaces Inspecting address stored in GOT section before dynamic linking, seen from gdb-peda.\relax }}{66}{figure.caption.59}\protected@file@percent }
\newlabel{fig:lazy_bind_3}{{4.9}{66}{Inspecting address stored in GOT section before dynamic linking, seen from gdb-peda.\relax }{figure.caption.59}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.10}{\ignorespaces Inspecting address stored in GOT section after dynamic linking, seen from gdb-peda.\relax }}{67}{figure.caption.60}\protected@file@percent }
\newlabel{fig:lazy_bind_4}{{4.10}{67}{Inspecting address stored in GOT section after dynamic linking, seen from gdb-peda.\relax }{figure.caption.60}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.11}{\ignorespaces Glibc function to which PLT jumps using address stored at GOT, seen from gdb-peda.\relax }}{67}{figure.caption.61}\protected@file@percent }
\newlabel{fig:lazy_bind_5}{{4.11}{67}{Glibc function to which PLT jumps using address stored at GOT, seen from gdb-peda.\relax }{figure.caption.61}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.5}Hardening ELF binaries and possible bypasses}{67}{subsection.4.1.5}\protected@file@percent }
\abx@aux@cite{aslr_pie_intro}
\abx@aux@segm{0}{0}{aslr_pie_intro}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {4.3}{\ignorespaces Security features in C compilers used in the study.\relax }}{68}{table.caption.62}\protected@file@percent }
\newlabel{table:compilers}{{4.3}{68}{Security features in C compilers used in the study.\relax }{table.caption.62}{}}
\abx@aux@cite{aslr_pie_intro}
\abx@aux@segm{0}{0}{aslr_pie_intro}
\abx@aux@cite{pie_exploit}
\abx@aux@segm{0}{0}{pie_exploit}
\abx@aux@cite{relro_redhat}
\abx@aux@segm{0}{0}{relro_redhat}
\abx@aux@cite{cet_windows}
\abx@aux@segm{0}{0}{cet_windows}
\abx@aux@cite{cet_linux}
\abx@aux@segm{0}{0}{cet_linux}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.12}{\ignorespaces Two runs of the same executable using ASLR, showing a library and two symbols.\relax }}{69}{figure.caption.63}\protected@file@percent }
\newlabel{fig:alsr_offset}{{4.12}{69}{Two runs of the same executable using ASLR, showing a library and two symbols.\relax }{figure.caption.63}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.6}Design of our attack}{70}{subsection.4.1.6}\protected@file@percent }
\newlabel{subsection:got_attack}{{4.1.6}{70}{Design of our attack}{subsection.4.1.6}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.13}{\ignorespaces Call to the glibc function, using objdump\relax }}{71}{figure.caption.64}\protected@file@percent }
\newlabel{fig:firstcall}{{4.13}{71}{Call to the glibc function, using objdump\relax }{figure.caption.64}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Results}{72}{chapter.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Conclusion and future work}{66}{chapter.6}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Conclusion and future work}{73}{chapter.6}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{67}{chapter.6}\protected@file@percent }
\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.57}{}}
\abx@aux@read@bbl@mdfivesum{ED0DCDE6F36062F4590E740430BED62B}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{74}{chapter.6}\protected@file@percent }
\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.66}{}}
\newlabel{annex:readelf_commands}{{6}{}{Appendix B - Readelf commands}{chapter*.67}{}}
\newlabel{annexsec:readelf_sec_headers}{{6}{}{}{chapter*.67}{}}
\newlabel{code:elf_sections}{{6.1}{}{List of ELF section headers with readelf tool of a program compiled with GCC}{lstlisting.6.1}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {6.1}List of ELF section headers with readelf tool of a program compiled with GCC.}{}{lstlisting.6.1}\protected@file@percent }
\abx@aux@read@bbl@mdfivesum{DAEC68472698FE766A5D65F3ABD46C28}
\abx@aux@read@bblrerun
\abx@aux@refcontextdefaultsdone
\abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
@@ -529,5 +578,11 @@
\abx@aux@defaultrefcontext{0}{tcp_reliable}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{tcp_handshake}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{rop_prog_finder}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{glibc}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{elf}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{plt_got_overlord}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{plt_got_technovelty}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{aslr_pie_intro}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{pie_exploit}{none/global//global/global}
\ttl@finishall
\gdef \@abspage@last{92}
\gdef \@abspage@last{100}

108
docs/document.bbl
View File

@@ -1697,6 +1697,114 @@
\verb https://github.com/JonathanSalwan/ROPgadget
\endverb
\endentry
\entry{glibc}{online}{}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{title}{The GNU C library}
\verb{urlraw}
\verb https://www.gnu.org/software/libc/
\endverb
\verb{url}
\verb https://www.gnu.org/software/libc/
\endverb
\endentry
\entry{elf}{manual}{}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{title}{ELF}
\verb{urlraw}
\verb https://wiki.osdev.org/ELF
\endverb
\verb{url}
\verb https://wiki.osdev.org/ELF
\endverb
\endentry
\entry{plt_got_overlord}{online}{}
\name{author}{1}{}{%
{{hash=9724da855997a02e74ee77d11b4d64e2}{%
family={Tomaschik},
familyi={T\bibinitperiod},
given={David},
giveni={D\bibinitperiod}}}%
}
\strng{namehash}{9724da855997a02e74ee77d11b4d64e2}
\strng{fullhash}{9724da855997a02e74ee77d11b4d64e2}
\strng{bibnamehash}{9724da855997a02e74ee77d11b4d64e2}
\strng{authorbibnamehash}{9724da855997a02e74ee77d11b4d64e2}
\strng{authornamehash}{9724da855997a02e74ee77d11b4d64e2}
\strng{authorfullhash}{9724da855997a02e74ee77d11b4d64e2}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{19}
\field{month}{3}
\field{title}{GOT and PLT for pwning.}
\field{year}{2017}
\field{dateera}{ce}
\verb{urlraw}
\verb https://systemoverlord.com/2017/03/19/got-and-plt-for-pwning.html
\endverb
\verb{url}
\verb https://systemoverlord.com/2017/03/19/got-and-plt-for-pwning.html
\endverb
\endentry
\entry{plt_got_technovelty}{online}{}
\name{author}{1}{}{%
{{hash=4e4902d108d0796e7e54d06a47cfe1ee}{%
family={Wienand},
familyi={W\bibinitperiod},
given={Ian},
giveni={I\bibinitperiod}}}%
}
\strng{namehash}{4e4902d108d0796e7e54d06a47cfe1ee}
\strng{fullhash}{4e4902d108d0796e7e54d06a47cfe1ee}
\strng{bibnamehash}{4e4902d108d0796e7e54d06a47cfe1ee}
\strng{authorbibnamehash}{4e4902d108d0796e7e54d06a47cfe1ee}
\strng{authornamehash}{4e4902d108d0796e7e54d06a47cfe1ee}
\strng{authorfullhash}{4e4902d108d0796e7e54d06a47cfe1ee}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{11}
\field{month}{5}
\field{title}{PLT and GOT - the key to code sharing and dynamic libraries}
\field{year}{2011}
\field{dateera}{ce}
\verb{urlraw}
\verb https://www.technovelty.org/linux/plt-and-got-the-key-to-code-sharing-and-dynamic-libraries.html
\endverb
\verb{url}
\verb https://www.technovelty.org/linux/plt-and-got-the-key-to-code-sharing-and-dynamic-libraries.html
\endverb
\endentry
\entry{aslr_pie_intro}{online}{}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{title}{aslr/pie intro}
\verb{urlraw}
\verb https://guyinatuxedo.github.io/5.1-mitigation_aslr_pie/index.html#aslrpie-intro
\endverb
\verb{url}
\verb https://guyinatuxedo.github.io/5.1-mitigation_aslr_pie/index.html#aslrpie-intro
\endverb
\endentry
\entry{pie_exploit}{online}{}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{title}{Position Independent Code}
\verb{urlraw}
\verb https://ir0nstone.gitbook.io/notes/types/stack/pie
\endverb
\verb{url}
\verb https://ir0nstone.gitbook.io/notes/types/stack/pie
\endverb
\endentry
\enddatalist
\endrefsection
\endinput

9
docs/document.bcf
View File

@@ -2450,6 +2450,15 @@
<bcf:citekey order="113">rop_prog_finder</bcf:citekey>
<bcf:citekey order="114">evil_ebpf_p6974</bcf:citekey>
<bcf:citekey order="115">glibc</bcf:citekey>
<bcf:citekey order="116">elf</bcf:citekey>
<bcf:citekey order="117">plt_got_overlord</bcf:citekey>
<bcf:citekey order="118">plt_got_technovelty</bcf:citekey>
<bcf:citekey order="119">aslr_pie_intro</bcf:citekey>
<bcf:citekey order="120">aslr_pie_intro</bcf:citekey>
<bcf:citekey order="121">pie_exploit</bcf:citekey>
<bcf:citekey order="122">relro_redhat</bcf:citekey>
<bcf:citekey order="123">cet_windows</bcf:citekey>
<bcf:citekey order="124">cet_linux</bcf:citekey>
</bcf:section>
<!-- SORTING TEMPLATES -->
<bcf:sortingtemplate name="none">

200
docs/document.blg
View File

@@ -1,97 +1,103 @@
[1] Config.pm:311> INFO - This is Biber 2.16
[1] Config.pm:314> INFO - Logfile is 'document.blg'
[155] biber:340> INFO - === Wed Jun 8, 2022, 07:27:20
[189] Biber.pm:415> INFO - Reading 'document.bcf'
[389] Biber.pm:952> INFO - Found 78 citekeys in bib section 0
[427] Biber.pm:4340> INFO - Processing section 0
[452] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[458] bibtex.pm:1689> INFO - LaTeX decoding ...
[537] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[880] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 9, warning: 1 characters of junk seen at toplevel
[880] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 15, warning: 1 characters of junk seen at toplevel
[880] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 22, warning: 1 characters of junk seen at toplevel
[880] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 28, warning: 1 characters of junk seen at toplevel
[881] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 35, warning: 1 characters of junk seen at toplevel
[881] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 42, warning: 1 characters of junk seen at toplevel
[881] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 50, warning: 1 characters of junk seen at toplevel
[881] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 58, warning: 1 characters of junk seen at toplevel
[882] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 65, warning: 1 characters of junk seen at toplevel
[882] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 70, warning: 1 characters of junk seen at toplevel
[882] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 77, warning: 1 characters of junk seen at toplevel
[882] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 85, warning: 1 characters of junk seen at toplevel
[882] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 94, warning: 1 characters of junk seen at toplevel
[883] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 103, warning: 1 characters of junk seen at toplevel
[883] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 112, warning: 1 characters of junk seen at toplevel
[883] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 121, warning: 1 characters of junk seen at toplevel
[883] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 127, warning: 1 characters of junk seen at toplevel
[883] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 132, warning: 1 characters of junk seen at toplevel
[884] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 137, warning: 1 characters of junk seen at toplevel
[884] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 142, warning: 1 characters of junk seen at toplevel
[884] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 153, warning: 1 characters of junk seen at toplevel
[884] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 158, warning: 1 characters of junk seen at toplevel
[884] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 164, warning: 1 characters of junk seen at toplevel
[885] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 170, warning: 1 characters of junk seen at toplevel
[885] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 175, warning: 1 characters of junk seen at toplevel
[885] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 184, warning: 1 characters of junk seen at toplevel
[885] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 191, warning: 1 characters of junk seen at toplevel
[886] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 199, warning: 1 characters of junk seen at toplevel
[886] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 206, warning: 1 characters of junk seen at toplevel
[886] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 215, warning: 1 characters of junk seen at toplevel
[886] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 224, warning: 1 characters of junk seen at toplevel
[886] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 233, warning: 1 characters of junk seen at toplevel
[887] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 239, warning: 1 characters of junk seen at toplevel
[887] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 244, warning: 1 characters of junk seen at toplevel
[887] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 249, warning: 1 characters of junk seen at toplevel
[887] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 256, warning: 1 characters of junk seen at toplevel
[887] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 261, warning: 1 characters of junk seen at toplevel
[888] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 266, warning: 1 characters of junk seen at toplevel
[888] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 271, warning: 1 characters of junk seen at toplevel
[889] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 276, warning: 1 characters of junk seen at toplevel
[889] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 283, warning: 1 characters of junk seen at toplevel
[889] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 288, warning: 1 characters of junk seen at toplevel
[889] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 295, warning: 1 characters of junk seen at toplevel
[889] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 302, warning: 1 characters of junk seen at toplevel
[890] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 309, warning: 1 characters of junk seen at toplevel
[890] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 315, warning: 1 characters of junk seen at toplevel
[890] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 321, warning: 1 characters of junk seen at toplevel
[890] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 327, warning: 1 characters of junk seen at toplevel
[890] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 334, warning: 1 characters of junk seen at toplevel
[891] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 339, warning: 1 characters of junk seen at toplevel
[891] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 344, warning: 1 characters of junk seen at toplevel
[891] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 349, warning: 1 characters of junk seen at toplevel
[891] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 356, warning: 1 characters of junk seen at toplevel
[891] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 361, warning: 1 characters of junk seen at toplevel
[891] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 366, warning: 1 characters of junk seen at toplevel
[892] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 375, warning: 1 characters of junk seen at toplevel
[892] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 380, warning: 1 characters of junk seen at toplevel
[892] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 385, warning: 1 characters of junk seen at toplevel
[892] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 390, warning: 1 characters of junk seen at toplevel
[892] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 395, warning: 1 characters of junk seen at toplevel
[892] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 400, warning: 1 characters of junk seen at toplevel
[892] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 405, warning: 1 characters of junk seen at toplevel
[893] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 410, warning: 1 characters of junk seen at toplevel
[893] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 419, warning: 1 characters of junk seen at toplevel
[893] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 428, warning: 1 characters of junk seen at toplevel
[893] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 433, warning: 1 characters of junk seen at toplevel
[893] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 438, warning: 1 characters of junk seen at toplevel
[894] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 443, warning: 1 characters of junk seen at toplevel
[894] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 449, warning: 1 characters of junk seen at toplevel
[894] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 459, warning: 1 characters of junk seen at toplevel
[894] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 466, warning: 1 characters of junk seen at toplevel
[894] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 473, warning: 1 characters of junk seen at toplevel
[895] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 482, warning: 1 characters of junk seen at toplevel
[895] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 487, warning: 1 characters of junk seen at toplevel
[895] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 492, warning: 1 characters of junk seen at toplevel
[895] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 501, warning: 1 characters of junk seen at toplevel
[896] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 508, warning: 1 characters of junk seen at toplevel
[897] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 515, warning: 1 characters of junk seen at toplevel
[897] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 520, warning: 1 characters of junk seen at toplevel
[897] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 529, warning: 1 characters of junk seen at toplevel
[897] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 538, warning: 1 characters of junk seen at toplevel
[1031] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[1032] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[1032] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[1032] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[1143] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[1197] bbl.pm:757> INFO - Output to document.bbl
[1198] Biber.pm:128> INFO - WARNINGS: 81
[0] Config.pm:311> INFO - This is Biber 2.16
[0] Config.pm:314> INFO - Logfile is 'document.blg'
[58] biber:340> INFO - === Thu Jun 9, 2022, 20:18:28
[70] Biber.pm:415> INFO - Reading 'document.bcf'
[146] Biber.pm:952> INFO - Found 84 citekeys in bib section 0
[160] Biber.pm:4340> INFO - Processing section 0
[170] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[172] bibtex.pm:1689> INFO - LaTeX decoding ...
[203] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[403] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 9, warning: 1 characters of junk seen at toplevel
[403] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 15, warning: 1 characters of junk seen at toplevel
[403] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 22, warning: 1 characters of junk seen at toplevel
[403] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 28, warning: 1 characters of junk seen at toplevel
[403] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 35, warning: 1 characters of junk seen at toplevel
[403] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 42, warning: 1 characters of junk seen at toplevel
[403] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 50, warning: 1 characters of junk seen at toplevel
[403] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 58, warning: 1 characters of junk seen at toplevel
[403] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 65, warning: 1 characters of junk seen at toplevel
[403] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 70, warning: 1 characters of junk seen at toplevel
[404] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 77, warning: 1 characters of junk seen at toplevel
[404] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 85, warning: 1 characters of junk seen at toplevel
[404] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 94, warning: 1 characters of junk seen at toplevel
[404] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 103, warning: 1 characters of junk seen at toplevel
[404] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 112, warning: 1 characters of junk seen at toplevel
[404] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 121, warning: 1 characters of junk seen at toplevel
[404] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 127, warning: 1 characters of junk seen at toplevel
[404] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 132, warning: 1 characters of junk seen at toplevel
[404] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 137, warning: 1 characters of junk seen at toplevel
[404] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 142, warning: 1 characters of junk seen at toplevel
[404] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 153, warning: 1 characters of junk seen at toplevel
[404] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 158, warning: 1 characters of junk seen at toplevel
[404] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 164, warning: 1 characters of junk seen at toplevel
[404] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 170, warning: 1 characters of junk seen at toplevel
[404] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 175, warning: 1 characters of junk seen at toplevel
[404] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 184, warning: 1 characters of junk seen at toplevel
[404] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 191, warning: 1 characters of junk seen at toplevel
[404] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 199, warning: 1 characters of junk seen at toplevel
[404] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 206, warning: 1 characters of junk seen at toplevel
[404] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 215, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 224, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 233, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 239, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 244, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 249, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 256, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 261, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 266, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 271, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 276, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 283, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 288, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 295, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 302, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 309, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 315, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 321, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 327, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 334, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 339, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 344, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 349, warning: 1 characters of junk seen at toplevel
[405] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 356, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 361, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 366, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 375, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 380, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 385, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 390, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 395, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 400, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 405, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 410, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 419, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 428, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 433, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 438, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 443, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 449, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 459, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 466, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 473, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 482, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 487, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 492, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 501, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 508, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 515, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 520, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 529, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 538, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 543, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 548, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 555, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 562, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 567, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_QNOy/f4d088b3f9f145b5c3058da33afd57d4_14805.utf8, line 572, warning: 1 characters of junk seen at toplevel
[456] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[456] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[456] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[456] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[502] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[521] bbl.pm:757> INFO - Output to document.bbl
[521] Biber.pm:128> INFO - WARNINGS: 87

12
docs/document.lof
View File

@@ -67,6 +67,18 @@
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {4.7}{\ignorespaces Stack data is restored and program continues its execution.\relax }}{64}{figure.caption.55}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {4.8}{\ignorespaces PLT stub for timerfd\_settime, seen from gdb-peda.\relax }}{66}{figure.caption.58}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {4.9}{\ignorespaces Inspecting address stored in GOT section before dynamic linking, seen from gdb-peda.\relax }}{66}{figure.caption.59}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {4.10}{\ignorespaces Inspecting address stored in GOT section after dynamic linking, seen from gdb-peda.\relax }}{67}{figure.caption.60}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {4.11}{\ignorespaces Glibc function to which PLT jumps using address stored at GOT, seen from gdb-peda.\relax }}{67}{figure.caption.61}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {4.12}{\ignorespaces Two runs of the same executable using ASLR, showing a library and two symbols.\relax }}{69}{figure.caption.63}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {4.13}{\ignorespaces Call to the glibc function, using objdump\relax }}{71}{figure.caption.64}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }

271
docs/document.log
View File

@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 8 JUN 2022 08:51
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 9 JUN 2022 22:56
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.
@@ -1089,7 +1089,7 @@ File: t1txss.fd 2000/12/15 v3.1
)
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 11.39996pt on input line 186.
<images//Portada_Logo.png, id=249, 456.2865pt x 45.99pt>
<images//Portada_Logo.png, id=261, 456.2865pt x 45.99pt>
File: images//Portada_Logo.png Graphic file (type png)
<use images//Portada_Logo.png>
Package pdftex.def Info: images//Portada_Logo.png used on input line 190.
@@ -1102,7 +1102,7 @@ LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 23.63593pt on input line 201.
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 19.70294pt on input line 205.
<images/creativecommons.png, id=251, 338.76563pt x 118.19156pt>
<images/creativecommons.png, id=263, 338.76563pt x 118.19156pt>
File: images/creativecommons.png Graphic file (type png)
<use images/creativecommons.png>
Package pdftex.def Info: images/creativecommons.png used on input line 215.
@@ -1213,7 +1213,7 @@ Chapter 2.
LaTeX Warning: Reference `section:TODO' on page 5 undefined on input line 413.
<images//classic_bpf.jpg, id=644, 588.1975pt x 432.61626pt>
<images//classic_bpf.jpg, id=686, 588.1975pt x 432.61626pt>
File: images//classic_bpf.jpg Graphic file (type jpg)
<use images//classic_bpf.jpg>
Package pdftex.def Info: images//classic_bpf.jpg used on input line 427.
@@ -1221,36 +1221,36 @@ Package pdftex.def Info: images//classic_bpf.jpg used on input line 427.
[5
] [6 <./images//classic_bpf.jpg>]
<images//cbpf_prog.jpg, id=662, 403.5075pt x 451.6875pt>
<images//cbpf_prog.jpg, id=704, 403.5075pt x 451.6875pt>
File: images//cbpf_prog.jpg Graphic file (type jpg)
<use images//cbpf_prog.jpg>
Package pdftex.def Info: images//cbpf_prog.jpg used on input line 454.
(pdftex.def) Requested size: 227.62204pt x 254.80415pt.
[7 <./images/cBPF_prog.jpg>]
<images//bpf_instructions.png, id=673, 380.92313pt x 475.27562pt>
<images//bpf_instructions.png, id=715, 380.92313pt x 475.27562pt>
File: images//bpf_instructions.png Graphic file (type png)
<use images//bpf_instructions.png>
Package pdftex.def Info: images//bpf_instructions.png used on input line 494.
(pdftex.def) Requested size: 227.62204pt x 283.99998pt.
[8 <./images//bpf_instructions.png>]
<images//bpf_address_mode.png, id=683, 417.05812pt x 313.67188pt>
<images//bpf_address_mode.png, id=725, 417.05812pt x 313.67188pt>
File: images//bpf_address_mode.png Graphic file (type png)
<use images//bpf_address_mode.png>
Package pdftex.def Info: images//bpf_address_mode.png used on input line 510.
(pdftex.def) Requested size: 227.62204pt x 171.19905pt.
[9 <./images//bpf_address_mode.png>]
<images//tcpdump_example.png, id=695, 534.99875pt x 454.69875pt>
<images//tcpdump_example.png, id=737, 534.99875pt x 454.69875pt>
File: images//tcpdump_example.png Graphic file (type png)
<use images//tcpdump_example.png>
Package pdftex.def Info: images//tcpdump_example.png used on input line 525.
(pdftex.def) Requested size: 284.52756pt x 241.82869pt.
<images//cBPF_prog_ex_sol.png, id=698, 242.9075pt x 321.2pt>
<images//cBPF_prog_ex_sol.png, id=740, 242.9075pt x 321.2pt>
File: images//cBPF_prog_ex_sol.png Graphic file (type png)
<use images//cBPF_prog_ex_sol.png>
Package pdftex.def Info: images//cBPF_prog_ex_sol.png used on input line 536.
(pdftex.def) Requested size: 170.71652pt x 225.74026pt.
[10 <./images//tcpdump_example.png>] [11 <./images//cBPF_prog_ex_sol.png>]
<images//ebpf_arch.jpg, id=716, 739.76375pt x 472.76625pt>
<images//ebpf_arch.jpg, id=758, 739.76375pt x 472.76625pt>
File: images//ebpf_arch.jpg Graphic file (type jpg)
<use images//ebpf_arch.jpg>
Package pdftex.def Info: images//ebpf_arch.jpg used on input line 575.
@@ -1302,7 +1302,7 @@ Overfull \hbox (13.5802pt too wide) in paragraph at lines 760--790
[]
[17]
<images//xdp_diag.jpg, id=796, 649.42625pt x 472.76625pt>
<images//xdp_diag.jpg, id=838, 649.42625pt x 472.76625pt>
File: images//xdp_diag.jpg Graphic file (type jpg)
<use images//xdp_diag.jpg>
Package pdftex.def Info: images//xdp_diag.jpg used on input line 806.
@@ -1313,7 +1313,7 @@ Overfull \hbox (5.80417pt too wide) in paragraph at lines 869--881
[]
[20] [21] [22] [23]
<images//libbpf_prog.jpg, id=855, 543.02875pt x 502.87875pt>
<images//libbpf_prog.jpg, id=897, 543.02875pt x 502.87875pt>
File: images//libbpf_prog.jpg Graphic file (type jpg)
<use images//libbpf_prog.jpg>
Package pdftex.def Info: images//libbpf_prog.jpg used on input line 979.
@@ -1391,51 +1391,51 @@ read_user() and bpf_probe_read_kernel().
[]
[35]
<images//mem_arch_pages.jpg, id=1038, 593.21625pt x 434.62375pt>
<images//mem_arch_pages.jpg, id=1080, 593.21625pt x 434.62375pt>
File: images//mem_arch_pages.jpg Graphic file (type jpg)
<use images//mem_arch_pages.jpg>
Package pdftex.def Info: images//mem_arch_pages.jpg used on input line 1350.
(pdftex.def) Requested size: 369.88582pt x 271.00914pt.
[36]
<images//mem_major_page_fault.jpg, id=1046, 639.38875pt x 425.59pt>
<images//mem_major_page_fault.jpg, id=1088, 639.38875pt x 425.59pt>
File: images//mem_major_page_fault.jpg Graphic file (type jpg)
<use images//mem_major_page_fault.jpg>
Package pdftex.def Info: images//mem_major_page_fault.jpg used on input line 1
360.
(pdftex.def) Requested size: 312.9803pt x 208.32661pt.
[37 <./images//mem_arch_pages.jpg>]
<images//mem_minor_page_fault.jpg, id=1054, 654.445pt x 555.07375pt>
<images//mem_minor_page_fault.jpg, id=1096, 654.445pt x 555.07375pt>
File: images//mem_minor_page_fault.jpg Graphic file (type jpg)
<use images//mem_minor_page_fault.jpg>
Package pdftex.def Info: images//mem_minor_page_fault.jpg used on input line 1
368.
(pdftex.def) Requested size: 312.9803pt x 265.45834pt.
<images//memory.jpg, id=1055, 310.15875pt x 569.12625pt>
<images//memory.jpg, id=1097, 310.15875pt x 569.12625pt>
File: images//memory.jpg Graphic file (type jpg)
<use images//memory.jpg>
Package pdftex.def Info: images//memory.jpg used on input line 1379.
(pdftex.def) Requested size: 170.71652pt x 313.25488pt.
[38 <./images//mem_major_page_fault.jpg> <./images//mem_minor_page_fault.jpg>]
[39 <./images//memory.jpg>]
<images//stack_pres.jpg, id=1068, 707.64375pt x 283.0575pt>
<images//stack_pres.jpg, id=1110, 707.64375pt x 283.0575pt>
File: images//stack_pres.jpg Graphic file (type jpg)
<use images//stack_pres.jpg>
Package pdftex.def Info: images//stack_pres.jpg used on input line 1403.
(pdftex.def) Requested size: 398.33858pt x 159.33606pt.
[40 <./images//stack_pres.jpg>]
<images//stack_ops.jpg, id=1077, 524.96124pt x 694.595pt>
<images//stack_ops.jpg, id=1119, 524.96124pt x 694.595pt>
File: images//stack_ops.jpg Graphic file (type jpg)
<use images//stack_ops.jpg>
Package pdftex.def Info: images//stack_ops.jpg used on input line 1437.
(pdftex.def) Requested size: 284.52756pt x 376.47473pt.
[41]
<images//stack_before.jpg, id=1082, 712.6625pt x 315.1775pt>
<images//stack_before.jpg, id=1124, 712.6625pt x 315.1775pt>
File: images//stack_before.jpg Graphic file (type jpg)
<use images//stack_before.jpg>
Package pdftex.def Info: images//stack_before.jpg used on input line 1448.
(pdftex.def) Requested size: 398.33858pt x 176.16635pt.
<images//stack.jpg, id=1083, 707.64375pt x 381.425pt>
<images//stack.jpg, id=1125, 707.64375pt x 381.425pt>
File: images//stack.jpg Graphic file (type jpg)
<use images//stack.jpg>
Package pdftex.def Info: images//stack.jpg used on input line 1455.
@@ -1447,7 +1447,7 @@ Overfull \hbox (3.09538pt too wide) in paragraph at lines 1499--1500
bpf_probe_read_user()
[]
<images//stack_scan_write_tech.jpg, id=1122, 829.0975pt x 315.1775pt>
<images//stack_scan_write_tech.jpg, id=1164, 829.0975pt x 315.1775pt>
File: images//stack_scan_write_tech.jpg Graphic file (type jpg)
<use images//stack_scan_write_tech.jpg>
Package pdftex.def Info: images//stack_scan_write_tech.jpg used on input line
@@ -1463,14 +1463,14 @@ Overfull \hbox (28.45273pt too wide) in paragraph at lines 1515--1516
LaTeX Warning: Reference `TODO' on page 46 undefined on input line 1537.
[46 <./images//stack_scan_write_tech.jpg>] [47]
<images//frame.jpg, id=1169, 695.59875pt x 705.63625pt>
<images//frame.jpg, id=1211, 695.59875pt x 705.63625pt>
File: images//frame.jpg Graphic file (type jpg)
<use images//frame.jpg>
Package pdftex.def Info: images//frame.jpg used on input line 1573.
(pdftex.def) Requested size: 398.33858pt x 404.07954pt.
[48 <./images//frame.jpg>]
[49]
<images//tcp_conn.jpg, id=1190, 452.69125pt x 405.515pt>
<images//tcp_conn.jpg, id=1232, 452.69125pt x 405.515pt>
File: images//tcp_conn.jpg Graphic file (type jpg)
<use images//tcp_conn.jpg>
Package pdftex.def Info: images//tcp_conn.jpg used on input line 1621.
@@ -1482,14 +1482,14 @@ e-quence of <SYN>, <SYN+ACK>,
[]
[50 <./images//tcp_conn.jpg>]
<images//tcp_retransmission.jpg, id=1197, 523.9575pt x 485.815pt>
<images//tcp_retransmission.jpg, id=1239, 523.9575pt x 485.815pt>
File: images//tcp_retransmission.jpg Graphic file (type jpg)
<use images//tcp_retransmission.jpg>
Package pdftex.def Info: images//tcp_retransmission.jpg used on input line 163
7.
(pdftex.def) Requested size: 341.43306pt x 316.58401pt.
[51 <./images//tcp_retransmission.jpg>] [52]
<images//tcp_exfiltrate_retrans.jpg, id=1214, 633.36626pt x 475.7775pt>
<images//tcp_exfiltrate_retrans.jpg, id=1256, 633.36626pt x 475.7775pt>
File: images//tcp_exfiltrate_retrans.jpg Graphic file (type jpg)
<use images//tcp_exfiltrate_retrans.jpg>
Package pdftex.def Info: images//tcp_exfiltrate_retrans.jpg used on input line
@@ -1501,19 +1501,19 @@ Chapter 4.
[55
]
<images//stack_ret_hij_simple.jpg, id=1233, 774.895pt x 674.52pt>
<images//stack_ret_hij_simple.jpg, id=1275, 774.895pt x 674.52pt>
File: images//stack_ret_hij_simple.jpg Graphic file (type jpg)
<use images//stack_ret_hij_simple.jpg>
Package pdftex.def Info: images//stack_ret_hij_simple.jpg used on input line 1
730.
(pdftex.def) Requested size: 426.79134pt x 371.51205pt.
[56] [57 <./images//stack_ret_hij_simple.jpg>]
<images//buffer_overflow.jpg, id=1251, 707.64375pt x 343.2825pt>
<images//buffer_overflow.jpg, id=1293, 707.64375pt x 343.2825pt>
File: images//buffer_overflow.jpg Graphic file (type jpg)
<use images//buffer_overflow.jpg>
Package pdftex.def Info: images//buffer_overflow.jpg used on input line 1755.
(pdftex.def) Requested size: 426.79134pt x 207.03964pt.
<images//buffer_overflow_shellcode.jpg, id=1253, 707.64375pt x 379.4175pt>
<images//buffer_overflow_shellcode.jpg, id=1295, 707.64375pt x 379.4175pt>
File: images//buffer_overflow_shellcode.jpg Graphic file (type jpg)
<use images//buffer_overflow_shellcode.jpg>
Package pdftex.def Info: images//buffer_overflow_shellcode.jpg used on input l
@@ -1528,7 +1528,7 @@ LaTeX Warning: Reference `TODO probably an Annex' on page 59 undefined on input
LaTeX Warning: Reference `TODO' on page 59 undefined on input line 1781.
[59 <./images//buffer_overflow_shellcode.jpg>]
<images//ROPcompound.jpg, id=1270, 1296.845pt x 790.955pt>
<images//ROPcompound.jpg, id=1312, 1296.845pt x 790.955pt>
File: images//ROPcompound.jpg Graphic file (type jpg)
<use images//ROPcompound.jpg>
Package pdftex.def Info: images//ROPcompound.jpg used on input line 1803.
@@ -1543,7 +1543,7 @@ Overfull \hbox (28.45273pt too wide) in paragraph at lines 1803--1804
LaTeX Warning: Reference `TODO' on page 61 undefined on input line 1815.
[61 <./images//ROPcompound.jpg>]
<images//rop_evil_ebpf_1.jpg, id=1291, 789.95125pt x 395.4775pt>
<images//rop_evil_ebpf_1.jpg, id=1333, 789.95125pt x 395.4775pt>
File: images//rop_evil_ebpf_1.jpg Graphic file (type jpg)
<use images//rop_evil_ebpf_1.jpg>
Package pdftex.def Info: images//rop_evil_ebpf_1.jpg used on input line 1824.
@@ -1552,166 +1552,260 @@ Package pdftex.def Info: images//rop_evil_ebpf_1.jpg used on input line 1824.
LaTeX Warning: Reference `TODO' on page 62 undefined on input line 1831.
LaTeX Warning: Citation 'glibc' on page 62 undefined on input line 1831.
[62 <./images//rop_evil_ebpf_1.jpg>]
Overfull \hbox (4.42868pt too wide) in paragraph at lines 1840--1841
\T1/txr/m/n/12 the orig-i-nal data later) and we pro-ceed to over-write the sta
ck us-ing bpf_probe_write_user(),
[]
<images//rop_evil_ebpf_2.jpg, id=1299, 789.95125pt x 395.4775pt>
<images//rop_evil_ebpf_2.jpg, id=1342, 789.95125pt x 395.4775pt>
File: images//rop_evil_ebpf_2.jpg Graphic file (type jpg)
<use images//rop_evil_ebpf_2.jpg>
Package pdftex.def Info: images//rop_evil_ebpf_2.jpg used on input line 1844.
(pdftex.def) Requested size: 426.79134pt x 213.66933pt.
LaTeX Warning: Reference `subsection:rop' on page 63 undefined on input line 18
49.
[63 <./images//rop_evil_ebpf_2.jpg>]
LaTeX Warning: Reference `fig:rop_evil_ebpf_3' on page 64 undefined on input li
ne 1851.
<images//rop_evil_ebpf_3.jpg, id=1307, 789.95125pt x 369.38pt>
<images//rop_evil_ebpf_3.jpg, id=1353, 789.95125pt x 369.38pt>
File: images//rop_evil_ebpf_3.jpg Graphic file (type jpg)
<use images//rop_evil_ebpf_3.jpg>
Package pdftex.def Info: images//rop_evil_ebpf_3.jpg used on input line 1855.
(pdftex.def) Requested size: 426.79134pt x 199.5693pt.
[64 <./images//rop_evil_ebpf_3.jpg>]
[64 <./images//rop_evil_ebpf_3.jpg>]
Overfull \hbox (1.1025pt too wide) in paragraph at lines 1895--1896
[]|\T1/txr/m/n/12 Permissions|
[]
Overfull \hbox (5.55525pt too wide) in paragraph at lines 1904--1904
[]|\T1/txr/m/n/12 .got.plt|
[]
Overfull \hbox (5.55525pt too wide) in paragraph at lines 1906--1906
[]|\T1/txr/m/n/12 .plt.got|
[]
LaTeX Warning: Reference `TODO' on page 65 undefined on input line 1919.
[65]
Overfull \hbox (26.32735pt too wide) in paragraph at lines 1925--1926
\T1/txr/m/n/12 stub (in the .plt sec-tion) is called. Snip-pet [][]4.3[][] show
s a call to the func-tion timerfd_settime,
[]
<images//sch_gdb_plt.png, id=1373, 1040.88875pt x 146.5475pt>
File: images//sch_gdb_plt.png Graphic file (type png)
<use images//sch_gdb_plt.png>
Package pdftex.def Info: images//sch_gdb_plt.png used on input line 1938.
(pdftex.def) Requested size: 441.01772pt x 62.09065pt.
Overfull \hbox (14.22636pt too wide) in paragraph at lines 1938--1939
[][]
[]
<images//sch_gdb_got_prev.png, id=1374, 529.98pt x 39.14626pt>
File: images//sch_gdb_got_prev.png Graphic file (type png)
<use images//sch_gdb_got_prev.png>
Package pdftex.def Info: images//sch_gdb_got_prev.png used on input line 1945.
(pdftex.def) Requested size: 441.01772pt x 32.57559pt.
Overfull \hbox (14.22636pt too wide) in paragraph at lines 1945--1946
[][]
[]
[66 <./images//sch_gdb_plt.png> <./images//sch_gdb_got_prev.png>]
<images//sch_gdb_got_after.png, id=1395, 532.99126pt x 41.15375pt>
File: images//sch_gdb_got_after.png Graphic file (type png)
<use images//sch_gdb_got_after.png>
Package pdftex.def Info: images//sch_gdb_got_after.png used on input line 1954
.
(pdftex.def) Requested size: 441.01772pt x 34.05334pt.
Overfull \hbox (14.22636pt too wide) in paragraph at lines 1954--1955
[][]
[]
<images//sch_glibc_func.png, id=1396, 585.18625pt x 89.33376pt>
File: images//sch_glibc_func.png Graphic file (type png)
<use images//sch_glibc_func.png>
Package pdftex.def Info: images//sch_glibc_func.png used on input line 1961.
(pdftex.def) Requested size: 441.01772pt x 67.32729pt.
Overfull \hbox (14.22636pt too wide) in paragraph at lines 1961--1962
[][]
[]
[67 <./images//sch_gdb_got_after.png> <./images//sch_glibc_func.png>]
LaTeX Warning: Reference `table:aslr_offset' on page 68 undefined on input line
2008.
<images//aslr_offset.jpg, id=1408, 597.23125pt x 273.02pt>
File: images//aslr_offset.jpg Graphic file (type jpg)
<use images//aslr_offset.jpg>
Package pdftex.def Info: images//aslr_offset.jpg used on input line 2013.
(pdftex.def) Requested size: 369.88582pt x 169.0915pt.
[68]
LaTeX Warning: Citation 'relro_redhat' on page 69 undefined on input line 2026.
LaTeX Warning: Citation 'cet_windows' on page 69 undefined on input line 2032.
LaTeX Warning: Citation 'cet_linux' on page 69 undefined on input line 2032.
[69 <./images//aslr_offset.jpg>]
Overfull \hbox (0.26146pt too wide) in paragraph at lines 2042--2043
[]\T1/txr/m/n/12 This tech-nique works both in com-pil-ers with low hard-en-ing
fe-tau-res by de-fault (Clang)
[]
Overfull \hbox (38.05193pt too wide) in paragraph at lines 2046--2048
\T1/txr/m/n/12 We load and at-tach a tra-ce-point eBPF pro-gram at the \T1/txr/
m/it/12 en-ter \T1/txr/m/n/12 po-si-tion of syscall sys_timerfd_settime.
[]
<images//sch_firstcall.png, id=1425, 643.40375pt x 91.34125pt>
File: images//sch_firstcall.png Graphic file (type png)
<use images//sch_firstcall.png>
Package pdftex.def Info: images//sch_firstcall.png used on input line 2056.
(pdftex.def) Requested size: 369.88582pt x 52.51244pt.
[70] [71 <./images//sch_firstcall.png>]
Chapter 5.
[65
[72
]
Chapter 6.
[66
[73
]
Overfull \hbox (5.34976pt too wide) in paragraph at lines 1898--1898
Overfull \hbox (5.34976pt too wide) in paragraph at lines 2102--2102
\T1/txtt/m/n/12 threat -[] intelligence / cyber -[] year -[] in -[] retrospect
/ yir -[] cyber -[] threats -[]
[]
[67
[74
]
Overfull \hbox (6.22696pt too wide) in paragraph at lines 1898--1898
Overfull \hbox (6.22696pt too wide) in paragraph at lines 2102--2102
[]\T1/txr/m/it/12 Bpf fea-tures by linux ker-nel ver-sion\T1/txr/m/n/12 , io-vi
-sor. [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / github .
[]
Overfull \hbox (7.34976pt too wide) in paragraph at lines 1898--1898
Overfull \hbox (7.34976pt too wide) in paragraph at lines 2102--2102
[][]$\T1/txtt/m/n/12 https : / / ebpf . io / what -[] is -[] ebpf / #loader -[]
-[] verification -[] architecture$[][]\T1/txr/m/n/12 .
[]
Overfull \hbox (21.24973pt too wide) in paragraph at lines 1898--1898
Overfull \hbox (21.24973pt too wide) in paragraph at lines 2102--2102
\T1/txtt/m/n/12 vger . kernel . org / netconf2015Starovoitov -[] bpf _ collabsu
mmit _ 2015feb20 .
[]
[68]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 1898--1898
[75]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 2102--2102
\T1/txtt/m/n/12 ch02 . xhtml# :-[]: text = With % 20JIT % 20compiled % 20code %
2C % 20i ,[] %20other %
[]
Overfull \hbox (6.49615pt too wide) in paragraph at lines 1898--1898
Overfull \hbox (6.49615pt too wide) in paragraph at lines 2102--2102
[]\T1/txr/m/n/12 D. Lavie. ^^P A gen-tle in-tro-duc-tion to xdp.^^Q (Feb. 3, 2
022), [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https :
[]
[69]
Overfull \hbox (0.76683pt too wide) in paragraph at lines 1898--1898
[76]
Overfull \hbox (0.76683pt too wide) in paragraph at lines 2102--2102
[]\T1/txr/m/n/12 ^^P Bpf next ker-nel tree.^^Q (), [On-line]. Avail-able: [][]
$\T1/txtt/m/n/12 https : / / kernel . googlesource .
[]
Overfull \hbox (14.49278pt too wide) in paragraph at lines 1898--1898
Overfull \hbox (14.49278pt too wide) in paragraph at lines 2102--2102
[]\T1/txr/m/it/12 Capabilities - overview of linux ca-pa-bil-i-ties\T1/txr/m/n/
12 . [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 http : / / manpages .
[]
[70]
Overfull \hbox (53.32059pt too wide) in paragraph at lines 1898--1898
[77]
Overfull \hbox (53.32059pt too wide) in paragraph at lines 2102--2102
\T1/txr/m/it/12 sup-ple-ment\T1/txr/m/n/12 , Jan. 28, 2018, p. 148. [On-line].
Avail-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
[]
Overfull \hbox (33.3497pt too wide) in paragraph at lines 1898--1898
Overfull \hbox (33.3497pt too wide) in paragraph at lines 2102--2102
\T1/txtt/m/n/12 20CON % 2029 % 20presentations / Guillaume % 20Fournier % 20Syl
vain % 20Afchain %
[]
Overfull \hbox (9.33742pt too wide) in paragraph at lines 1898--1898
Overfull \hbox (9.33742pt too wide) in paragraph at lines 2102--2102
\T1/txr/m/n/12 Avail-able: [][]$\T1/txtt/m/n/12 https : / / events19 . linuxfou
ndation . org / wp -[] content / uploads /
[]
Overfull \hbox (18.44974pt too wide) in paragraph at lines 1898--1898
Overfull \hbox (18.44974pt too wide) in paragraph at lines 2102--2102
\T1/txtt/m/n/12 2017 / 12 / MM -[] 101 -[] Introduction -[] to -[] Linux -[] Me
mory -[] Management -[] Christoph -[]
[]
Overfull \hbox (5.92503pt too wide) in paragraph at lines 1898--1898
Overfull \hbox (5.92503pt too wide) in paragraph at lines 2102--2102
[]\T1/txr/m/n/12 D. Breaker. ^^P Un-der-stand-ing page faults and mem-ory swap
-in/outs.^^Q (Aug. 19, 2019),
[]
Overfull \hbox (40.56133pt too wide) in paragraph at lines 1898--1898
Overfull \hbox (40.56133pt too wide) in paragraph at lines 2102--2102
\T1/txr/m/n/12 able: [][]$\T1/txtt/m/n/12 https : / / h3xduck . github . io / e
xploit / 2021 / 05 / 23 / stackbufferoverflow -[]
[]
Overfull \hbox (47.32059pt too wide) in paragraph at lines 1898--1898
Overfull \hbox (47.32059pt too wide) in paragraph at lines 2102--2102
\T1/txr/m/it/12 sup-ple-ment\T1/txr/m/n/12 , Jan. 28, 2018, p. 18. [On-line]. A
vail-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
[]
[71]
Overfull \hbox (11.10025pt too wide) in paragraph at lines 1898--1898
[78]
Overfull \hbox (11.10025pt too wide) in paragraph at lines 2102--2102
\T1/txr/m/n/12 DE-F-CON 27, pp. 69^^U74. [On-line]. Avail-able: [][]$\T1/txtt/m
/n/12 https : / / raw . githubusercontent .
[]
Overfull \hbox (39.98859pt too wide) in paragraph at lines 1898--1898
Overfull \hbox (39.98859pt too wide) in paragraph at lines 2102--2102
\T1/txr/m/it/12 ment\T1/txr/m/n/12 , Jan. 28, 2018, pp. 19^^U22. [On-line]. Ava
il-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
[]
Overfull \hbox (21.2149pt too wide) in paragraph at lines 1898--1898
Overfull \hbox (21.2149pt too wide) in paragraph at lines 2102--2102
\T1/txr/m/n/12 line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / www . plixer
. com / blog / network -[] layers -[] explained/$[][]\T1/txr/m/n/12 .
[]
Overfull \hbox (4.29944pt too wide) in paragraph at lines 1898--1898
Overfull \hbox (4.29944pt too wide) in paragraph at lines 2102--2102
[]\T1/txr/m/n/12 ^^P Trans-mis-sion con-trol pro-to-col,^^Q IBM. (Apr. 19, 202
2), [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https :
[]
Overfull \hbox (18.27475pt too wide) in paragraph at lines 1898--1898
Overfull \hbox (18.27475pt too wide) in paragraph at lines 2102--2102
[]\T1/txr/m/n/12 ^^P Rop-gad-get tool.^^Q (), [On-line]. Avail-able: [][]$\T1/
txtt/m/n/12 https : / / github . com / JonathanSalwan /
[]
[72] (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
[79] (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
File: lstlang1.sty 2020/03/24 1.8d listings language file
)
(/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
@@ -1722,18 +1816,21 @@ File: lstlang1.sty 2020/03/24 1.8d listings language file
been already used, duplicate ignored
<to be read again>
\relax
l.1958 \end{document}
[2
l.2205 [18]
.eh_frame_hdr PROGBITS 00000000004020a8 000020a8
[1
] (./document.aux)
]pdfTeX warning (ext4): destination with the same identifier (name{page.}) has
been already used, duplicate ignored
<to be read again>
\relax
l.2252 \end{document}
[2] (./document.aux)
LaTeX Warning: There were undefined references.
LaTeX Warning: Label(s) may have changed. Rerun to get cross-references right.
Package rerunfilecheck Info: File `document.out' has not changed.
(rerunfilecheck) Checksum: 542EF2AE9E1F050EEFB8CF77859493DE;4750.
(rerunfilecheck) Checksum: 4E37FDD1973E38DDD66887454329F958;5045.
Package biblatex Warning: Please (re)run Biber on the file:
(biblatex) document
@@ -1744,10 +1841,10 @@ Package logreq Info: Writing requests to 'document.run.xml'.
)
Here is how much of TeX's memory you used:
28637 strings out of 481209
457167 string characters out of 5914747
1354862 words of memory out of 5000000
44709 multiletter control sequences out of 15000+600000
29132 strings out of 481209
463847 string characters out of 5914747
1625209 words of memory out of 5000000
45076 multiletter control sequences out of 15000+600000
459242 words of font info for 106 fonts, out of 8000000 for 9000
36 hyphenation exceptions out of 8191
88i,12n,90p,1029b,3693s stack positions out of 5000i,500n,10000p,200000b,80000s
@@ -1763,9 +1860,9 @@ e/texmf-dist/fonts/type1/urw/helvetic/uhvb8a.pfb></usr/share/texlive/texmf-dist
/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/u
tmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr
/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on document.pdf (92 pages, 2058830 bytes).
Output written on document.pdf (100 pages, 2207026 bytes).
PDF statistics:
1667 PDF objects out of 1728 (max. 8388607)
411 named destinations out of 1000 (max. 500000)
656 words of extra memory for PDF output out of 10000 (max. 10000000)
1915 PDF objects out of 2073 (max. 8388607)
533 named destinations out of 1000 (max. 500000)
710 words of extra memory for PDF output out of 10000 (max. 10000000)

6
docs/document.lot
View File

@@ -49,6 +49,12 @@
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {4.1}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{65}{table.caption.56}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {4.2}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{65}{table.caption.57}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {4.3}{\ignorespaces Security features in C compilers used in the study.\relax }}{68}{table.caption.62}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }

11
docs/document.out
View File

@@ -52,10 +52,13 @@
\BOOKMARK [2][-]{subsection.3.4.3}{Attacks\040and\040limitations\040of\040networking\040programs}{section.3.4}% 52
\BOOKMARK [2][-]{subsection.3.4.4}{Conclusion}{section.3.4}% 53
\BOOKMARK [0][-]{chapter.4}{Design\040of\040a\040malicious\040eBPF\040rootkit}{}% 54
\BOOKMARK [1][-]{section.4.1}{Library\040injection\040via\040.GOT\040hijacking}{chapter.4}% 55
\BOOKMARK [1][-]{section.4.1}{Library\040injection\040via\040GOT\040hijacking}{chapter.4}% 55
\BOOKMARK [2][-]{subsection.4.1.1}{Attacks\040at\040the\040stack:\040buffer\040overflow}{section.4.1}% 56
\BOOKMARK [2][-]{subsection.4.1.2}{Return\040oriented\040programming\040attacks}{section.4.1}% 57
\BOOKMARK [2][-]{subsection.4.1.3}{ROP\040with\040eBPF}{section.4.1}% 58
\BOOKMARK [0][-]{chapter.5}{Results}{}% 59
\BOOKMARK [0][-]{chapter.6}{Conclusion\040and\040future\040work}{}% 60
\BOOKMARK [0][-]{chapter.6}{Bibliography}{}% 61
\BOOKMARK [2][-]{subsection.4.1.4}{The\040ELF\040format\040and\040Lazy\040Binding}{section.4.1}% 59
\BOOKMARK [2][-]{subsection.4.1.5}{Hardening\040ELF\040binaries\040and\040possible\040bypasses}{section.4.1}% 60
\BOOKMARK [2][-]{subsection.4.1.6}{Design\040of\040our\040attack}{section.4.1}% 61
\BOOKMARK [0][-]{chapter.5}{Results}{}% 62
\BOOKMARK [0][-]{chapter.6}{Conclusion\040and\040future\040work}{}% 63
\BOOKMARK [0][-]{chapter.6}{Bibliography}{}% 64

BIN
docs/document.pdf
View File

Binary file not shown.

BIN
docs/document.synctex.gz
View File

Binary file not shown.

310
docs/document.tex
View File

@@ -1692,7 +1692,7 @@ Ultimately, the capabilities discussed in this section unlock complete freedom f
%TODO maybe a conclusion for this section?
%Maybe not the best title
%Maybe not the best title. "Design of malicious eBPF applications" may be better fitted?
\chapter{Design of a malicious eBPF rootkit}
In the previous chapter, we discussed the functionality of eBPF programs from a security standpoint, detailing which helpers and program types are particularly useful for developing malicious programs, and analysing some techniques (stack scanning, overwriting packets together with TCP retransmissions) which helps us circumvent some of the restrictions of eBPF and find new attack vectors.
@@ -1703,20 +1703,20 @@ Taking as a basis these capabilities, this chapter is now dedicated to a compreh
\item Tampering with user data at system calls, resulting in running malware-like programs and for other malicious purposes.
\item Achieving stealth, hiding rootkit-related files from the user.
\item Achieving rootkit persistence, the rootkit should run after a complete system reboot.
\
\end{itemize}
%TODO maybe this is the place to mention that, on top of those, explaining some of the DEFCON techniques will be done too. Im particular interested on the one of hiding the kernel log message of bpf_probe_write_user and on ROP.
We will be exploring each functionality individually, presenting the necessary background on each of them, and offering a final comprehensive view on how each of the systems work.
\section{Library injection via .GOT hijacking}
In this section, we will discuss how to hijack an user process running in the system so that it executes arbitrary code instructed from an eBPF program. For this, we will be injecting a library which will be executed by taking advantage of the architecture of an executable program (the .GOT section in ELFs) and using the stack scanning technique covered in section \ref{subsection:bpf_probe_write_apps}. This injection will be stealthy (it must not crash the process), and will be able to hijack privileged programs such as systemd, so that the code is executed as root.
\section{Library injection via GOT hijacking}
In this section, we will discuss how to hijack an user process running in the system so that it executes arbitrary code instructed from an eBPF program. For this, we will be injecting a library which will be executed by taking advantage of the architecture of an executable program (the GOT section in ELFs) and using the stack scanning technique covered in section \ref{subsection:bpf_probe_write_apps}. This injection will be stealthy (it must not crash the process), and will be able to hijack privileged programs such as systemd, so that the code is executed as root.
We will also research how to circumvent the protections which modern compilers have set in order to prevent similar attacks (when performed without eBPF).
This technique has some advantages and disadvantages to the one described by Jeff Dileo at DEFCON 27\cite{evil_ebpf_p6974}, which we will briefly cover before presenting ours. A comparison between them will also be offered.
\subsection{Attacks at the stack: buffer overflow}
\subsection{Attacks at the stack: buffer overflow} \label{subsection: buf_overflow}
In section \ref{subsection:stack}, we studied how the stack works and which is the process that a program follows in order to call a function. As we saw in figure \ref{fig:stack}, the processor pushes into the stack several data which is used to restore the context of the original function once the called function exits. These pushed arguments included:
\begin{itemize}
\item The arguments with which the function is being called (if they need to be passed in the stack, such as byte arrays).
@@ -1816,8 +1816,8 @@ After this step, the return instruction will be executed. Note that, at this poi
\end{enumerate}
\subsection{ROP with eBPF}
In 2019, Jeff Dileo presented in DEFCON 27 the first technique to achieve arbitrary code execution using eBPF\cite{evil_ebpf_p6974}. For this, he used the ROP technique we have described previously to inject malicious code into a process. We will present an overview on his technique, in order to later compare it to ours and find advantages and disadvantages. Note that this is a summary and some aspects have been simplified, however we will present the whole process during the explanation of our own technique.
\subsection{ROP with eBPF} \label{subsection:rop_ebpf}
In 2019, Jeff Dileo presented in DEFCON 27 the first technique to achieve arbitrary code execution using eBPF\cite{evil_ebpf_p6974}. For this, he used the ROP technique we have described previously to inject malicious code into a process. We will present an overview on his technique, in order to later compare it to the one we will develop for our rootkit, and find advantages and disadvantages. Note that this is a summary and some aspects have been simplified, however we will present the whole process during the explanation of our own technique.
\begin{figure}[H]
\centering
@@ -1860,6 +1860,210 @@ Once the attacker has finished executing the injected code, the stack must be re
As we can see, eBPF writes back the original stack and thus the execution can continue. Note that, in practice, some final gadgets must also be executed in order to restore the state of rip and rsp, the stack data for this is written in the free memory zone, so that it does not need to be removed.
%ALL OR PARTS OF THIS SECTION MAY GO TO AN ANNEX, I'm leaving it here just for now
\subsection{The ELF format and Lazy Binding} \label{subsection:elf_lazy_binding}
This section details the Executable and Linkable Format (ELF)\cite{elf}, the format in which we find executable files in Linux systems (between other types). We will perform an analysis from a security standpoint, that is, mainly oriented to describe the most relevant sections and the permissions incorporated into them. We will also focus on several of these sections which will be relevant for designing our attack.
Note that, during all examples shown in this section, we will be using a sample program that has been compiled using Clang/LLVM: TODO %TODO How do I explain which progrm it is? It is an example I developed, src/helpers/simple_timer.c. Shoud I write the code somewhere? Seems excesive
Table \ref{table:elf_tools} shows the main tools we will use during this analysis:
\begin{table}[H]
\begin{tabular}{|>{\centering\arraybackslash}p{3cm}|>{\centering\arraybackslash}p{10cm}|}
\hline
Tool & Purposes\\
\hline
\hline
Readelf & Display information about ELF files\\
\hline
Objdump & Display information about object files, mainly used for decompiling programs\\
\hline
GDB & The GNU Project Debugger, allows for debugging programs during runtime\\
\hline
GDB-peda & The Python Exploit Development Assistance for GDB, allows for multiple advanced operations that ease exploit development, such as showing register values, the stack state or memory information. It works as a plugin for GDB.\\
\hline
\end{tabular}
\caption{Tools used for analysis of ELF programs.}
\label{table:elf_tools}
\end{table}
Firstly, we will analyse the main sections we can find in an executable. The command and complete list of headers can be found in Annex \ref{annexsec:readelf_sec_headers}. The most relevant sections are described in table \ref{table:elf_sec_headers}:
\begin{table}[H]
\begin{tabular}{|>{\centering\arraybackslash}p{1cm}|>{\centering\arraybackslash}p{9cm}|>{\centering\arraybackslash}p{2cm}|}
\hline
Tool & Purpose & Permissions\\
\hline
\hline
.init & Contains instructions executed before the \textit{main} function of the program & Alloc, Executable\\
\hline
.plt & Procedure Linkage Table (PLT), contains code stubs that use the addresses at .got.plt for jumping to position-independent code & Alloc, Executable\\
\hline
.got & Global Offset Table (GOT), it contains addresses of global variables and functions once the linker resolves them at runtime & Alloc, Writable\\
\hline
.got.plt & A subset of .got section separated from .got with some compilers, it contains only the target addresses of position-independent code once the linker loads them at runtime, used by .plt section. & Alloc, Writable\\
\hline
.plt.got & Generated depending on compiler options, it is a PLT section which does not use lazy binding. & Alloc, Executable\\
\hline
.text & Stores executable instructions. & Alloc, Executable\\
\hline
.data & Contains initialized static and global variables. & Alloc, Writable\\
\hline
.bss & Contains global and static variables which are unitialized or initialized to zero. & Alloc, Writable\\
\hline
\end{tabular}
\caption{Tools used for analysis of ELF programs.}
\label{table:elf_sec_headers}
\end{table}
As it can be observed in table \ref{table:elf_sec_headers}, we can find that all sections have the Alloc flag, meaning they will be loaded into process memory during runtime (see table \ref{TODO}, they have not been shown in previous diagrams for simpleness).
Apart from those we already discussed, we can find the GOT and PLT sections, whose purpose is to support Position Independent Code (PIC), that is, instructions whose address in virtual memory is not hardcoded by the compiler into the executable, but rather they are not known until resolved at runtime. This is usually the case of shared libraries (such as glibc, which as we described in \ref{subsection:rop_ebpf}, it offers an standatd API for calling system calls), which can be loaded into virtual memory starting at any address\cite{plt_got_overlord}.
Therefore, in order to call a function of a shared library, the dynamic linker follows a process called 'Lazy binding'\cite{plt_got_technovelty}:
\begin{enumerate}
\item From the .text section, instead of calling a direct absolute address as usual, a PLT stub (in the .plt section) is called. Snippet \ref{code:lazy_bind_1} shows a call to the function timerfd\_settime, implemented by the shared library glibc and thus using a PLT:
\begin{lstlisting}[language=C, caption={Call to PLT stub seen from objdump.}, label={code:lazy_bind_1}]
$ objdump -d simple_timer
4014cb: b9 00 00 00 00 mov $0x0,%ecx
4014d0: be 01 00 00 00 mov $0x1,%esi
4014d5: 89 c7 mov %eax,%edi
4014d7: e8 44 fc ff ff call 401120 <timerfd_settime@plt>
\end{lstlisting}
\item In the PLT stub, the flow of execution jumps to an address which is stored in the GOT section, which is the absolute address of the function at glibc. This address must be written there by the dynamic linker but, according to lazy binding, the first time to call this function the linker has not calculated that address yet.
\begin{figure}[H]
\centering
\includegraphics[width=15.5cm]{sch_gdb_plt.png}
\caption{PLT stub for timerfd\_settime, seen from gdb-peda.}
\label{fig:lazy_bind_2}
\end{figure}
\begin{figure}[H]
\centering
\includegraphics[width=15.5cm]{sch_gdb_got_prev.png}
\caption{Inspecting address stored in GOT section before dynamic linking, seen from gdb-peda.}
\label{fig:lazy_bind_3}
\end{figure}
\item As we can see in figures \ref{fig:lazy_bind_2} and \ref{fig:lazy_bind_3}, the PLT stub calls address 0x4010a0, which leads to a dynamic linking routine, which proceeds to write the address into the GOT section and jump back to the start of the PLT stub. This time, the memory address at GOT to which the PLT jumps is already loaded with the address to the function at the shared library, as shown by figure \ref{fig:lazy_bind_4}.
\begin{figure}[H]
\centering
\includegraphics[width=15.5cm]{sch_gdb_got_after.png}
\caption{Inspecting address stored in GOT section after dynamic linking, seen from gdb-peda.}
\label{fig:lazy_bind_4}
\end{figure}
\begin{figure}[H]
\centering
\includegraphics[width=15.5cm]{sch_glibc_func.png}
\caption{Glibc function to which PLT jumps using address stored at GOT, seen from gdb-peda.}
\label{fig:lazy_bind_5}
\end{figure}
\end{enumerate}
Therefore, in essence, when using lazy binding the dynamic linker will individually load into GOT the addresses of the functions at the shared libraries, during the first time they are called in the program. After that, the address will remain in the GOT section and will be used by the PLT for all subsequent calls.
The reason lazy binding matters to us is because, as we will explain section \ref{subsection:got_attack}, the GOT section is actually writable from an eBPF program using bpf\_probe\_write\_user(). This is because this section specifically must be writeable at runtime for the dynamic linker to store the address once they are resolved. Therefore, even if we cannot write into the .text section from this helper, we still can modify the GOT section from eBPF, redirecting the address at which the PLT jumps, and thus controlling the flow of execution in the program.
\subsection{Hardening ELF binaries and possible bypasses}
During the previous section, we have discussed how lazy binding works and how introduced how it could be exploited, and presented multiple of the classic attacks at the stack such as buffer overflow and ROP. However, during the years multiple hardening measures have been introduced into modern compilers, which attempt to mitigate these and other techniques. We will now present them so that, during the design of our rootkit, we can adapt to all of these.
Table \ref{table:compilers} shows the compilers that we will be considering during this study. We will be exclusively looking at those security features that are included by default.
\begin{table}[H]
\begin{tabular}{|>{\centering\arraybackslash}p{5cm}|>{\centering\arraybackslash}p{8cm}|}
\hline
Compiler & Security features by default\\
\hline
\hline
Clang/LLVM 12.0.0 (2021) & Stack canaries, DEP/NX\\
\hline
GCC 10.3.0 (2021) & Stack canaries, DEP/NX, PIE, Full RELRO\\
\hline
\end{tabular}
\caption{Security features in C compilers used in the study.}
\label{table:compilers}
\end{table}
\textbf{Stack canaries}
Stack canaries are random data that is pushed into the stack before calling potentially dangerous functions (such as strcpy()) that attempts to prevent attacks at the stack by ensuring that their value is the same before and after the execution of the called function.
If a stack canary is present and a buffer overflow happened, it would overwrite the value of the canary, therefore alerting of the attack, in which case the processor halts the execution of the program.
In order to bypass a canary, an attacker must ensure that it is not overwritten, or that the value of the canary remains in the same position and with the same value once the function that was called returns.
\textbf{DEP/NX}\\
Data Execution Prevention, also known as No Execute, is the option of marking the stack as non executable. This prevents, as we explained in section \ref{subsection: buf_overflow}, the possibility of executing injected shellcode in the stack after modifying the value of the saved rip.
The creation of advanced techniques like ROP is one reaction to this mitigation, that circumvents this protection.
\textbf{ASLR}\\
Address Space Layout Randomization is a technique that randomizes the addresses on the heap, stack and libraries, so that an attacker cannot rely on known addresses during exploitation (e.g: libraries are loaded at a different memory address each time the program is run, so ROP gadgets change their position)\cite{aslr_pie_intro}.
In order to bypass ASLR, attackers must take into account that, although the address at which, for instance, a library is loaded is random, the internal structure of the library remains unchanged, with all symbols in the same relative position, as figure \ref{table:aslr_offset} shows.
%TODO Add the .data section here
\begin{figure}[H]
\centering
\includegraphics[width=13cm]{aslr_offset.jpg}
\caption{Two runs of the same executable using ASLR, showing a library and two symbols.}
\label{fig:alsr_offset}
\end{figure}
As we can observe in the figure, although glibc is loaded at a different base address each run, the offset between the functions it implements, malloc() and free(), remains constant. Therefore, a method for bypassing ASLR is to achieve information about the absolute address of any symbol, which can then easily lead to knowing any other if an attacker decompiles the executable and calculates the offset between a pair of addresses where one is known.
\textbf{PIE}\\
Position Independent Executable is a mitigation introduced to reduce the ability of an attacker to locate symbols in virtual memory by randomizing the base address at which the program itself (including the .text section) is loaded. This base address determines an offset which is added to all memory addresses in the code, so that each instruction is located at an address + this offset. Therefore, all jumps are made using relative addresses.\cite{aslr_pie_intro}\cite{pie_exploit}.
Similarly to ASLR, the internal structure of each section is maintained, therefore if an attacker is able to leak the meaning of some section, it is possible to calculate the rest.
\textbf{RELRO}\\
Relocation Read-Only is a hardening technique that mitigates the possibility of an attacker overwriting the GOT section, as we explained at section \ref{subsection:elf_lazy_binding}. In order to achieve the lazy binding process is substituted by the linker resolving all entries in the GOT section right after the beginning of the execution, and then marking the .got section as read-only. Two settings for RELRO are the most widespread, either Partial RELRO (which only marks sections of the .got section not related to the PLT as read-only, leaving .got.plt writeable) or Full RELRO (which marks the .got section as read-only completely). Binaries with only Partial RELRO are still non-secure, as the address at which the PLT section jumps can still be overwriten (including from eBPF)\cite{relro_redhat}.
Bypassing Full RELRO, however, stops any attempt of GOT hijacking, unless an attacker finds an alternative method for writting into the virtual memory of a process that bypassed the read-only flag. We will use one of these methods for our rootkit.
\textbf{Intel CET}\\
Intel Control-flow Enforcement Technology is a hardening feature fully incorporated in Windows 10 systems \cite{cet_windows} and a work in progress in Linux\cite{cet_linux}. Its purpose is to defeat ROP attacks and other derivates (e.g: Jump-oriented programming, JOP), by adding a strict kernel-supported control of the return addresses and strong restrictions over jump and call instructions.
In Linux, the kernel will support a hidden 'shadow stack' that will save the return addresses for each call. This prevents modifying the saved value of rip in the stack, since the kernel would realise that the flow of execution has been modified. We can also find that modern compilers (such as GCC 10.3.0) already generate Intel CET-related instructions such as \textit{endbr64}, whose purpose is to be placed at the start of functions, marking that as the only address to which an indirect jump can land (otherwise, jumps will be rejected if not landing at \textit{endbr64}).
As mentioned, we will not consider this feature since it is not active in the Linux kernel.
%TODO Not the best title
\subsection{Design of our attack} \label{subsection:got_attack}
Taking all the previous background into stack attacks, ELF's lazy binding and hardening features for binaries, we will now present the exploitation technique that our rootkit will use to inject a malicious library into a running process, using the GOT hijacking technique that we analysed. The rootkit will inject the library only after the second time that an specific syscall is called by a process (since the first time we will wait for GOT addresses to be loaded by the dynamic linker).
This technique works both in compilers with low hardening fetaures by default (Clang) and also on a compiler with all of them active (GCC), see table \ref{table:compilers}. We will present it by steps and, on each one, detail the different existing methods depending on the compiler features.
For this research work, we will be performing this attack on processes that make use either the system call sys\_openat or sys\_timerfd\_settime, which are called by the standard library glibc.
\textbf{Stage 1: eBPF tracing and scan the stack}\\
We load and attach a tracepoint eBPF program at the \textit{enter} position of syscall sys\_timerfd\_settime. Firstly we must ensure that the process calling the tracepoint is one of the processes to hijack.
We will then proceed with the stack scanning technique, as we explained in section \ref{subsection:bpf_probe_write_apps}. In this case, the algorithm will go as follows:
\begin{enumerate}
\item Take one of the syscall parameters and scan forward in the scan. For each iteration, we must check if the data at the stack corresponds to the saved rip:
\begin{enumerate}
\item Check that the previous instruction is a call instruction, by checking the instruction length and opcodes (call instructions always start with e8, and the length is 5 bytes, see figure \ref{fig:firstcall}).
\begin{figure}[H]
\centering
\includegraphics[width=13cm]{sch_firstcall.png}
\caption{Call to the glibc function, using objdump}
\label{fig:firstcall}
\end{figure}
\item Now that we know we localized a call instruction, we take the address at which it jumps. That should be an address in a PLT stub.
\item We analyze the instruction at the PLT stub. If the program was compiled with GCC, it will be an \textit{endbr64} instruction followed by the PLT jump instruction using the address at GOT (since it generates Intel CET-compatible programs, see table \ref{table:compilers}). Otherwise, if using Clang, the first instruction is the PLT jump.
%TODO Continue
\end{enumerate}
\end{enumerate}
@@ -1952,7 +2156,97 @@ CONFIG_HZ is set to 250
\end{verbatim}
\chapter* {Appendix B}
\chapter* {Appendix B - Readelf commands} \label{annex:readelf_commands}
\pagenumbering{gobble} % Las páginas de los anexos no se numeran
\section*{Section headers in ELF file} \label{annexsec:readelf_sec_headers}
\begin{lstlisting}[language=bash, caption={List of ELF section headers with readelf tool of a program compiled with GCC.}, label={code:elf_sections}]
$ readelf -S simple_timer
There are 36 section headers, starting at offset 0x4120:
Section Headers:
[Nr] Name Type Address Offset
Size EntSize Flags Link Info Align
[ 0] NULL 0000000000000000 00000000
0000000000000000 0000000000000000 0 0 0
[ 1] .interp PROGBITS 0000000000400318 00000318
000000000000001c 0000000000000000 A 0 0 1
[ 2] .note.gnu.pr[...] NOTE 0000000000400338 00000338
0000000000000030 0000000000000000 A 0 0 8
[ 3] .note.gnu.bu[...] NOTE 0000000000400368 00000368
0000000000000024 0000000000000000 A 0 0 4
[ 4] .note.ABI-tag NOTE 000000000040038c 0000038c
0000000000000020 0000000000000000 A 0 0 4
[ 5] .gnu.hash GNU_HASH 00000000004003b0 000003b0
000000000000001c 0000000000000000 A 6 0 8
[ 6] .dynsym DYNSYM 00000000004003d0 000003d0
0000000000000108 0000000000000018 A 7 1 8
[ 7] .dynstr STRTAB 00000000004004d8 000004d8
00000000000000ad 0000000000000000 A 0 0 1
[ 8] .gnu.version VERSYM 0000000000400586 00000586
0000000000000016 0000000000000002 A 6 0 2
[ 9] .gnu.version_r VERNEED 00000000004005a0 000005a0
0000000000000050 0000000000000000 A 7 1 8
[10] .rela.dyn RELA 00000000004005f0 000005f0
0000000000000030 0000000000000018 A 6 0 8
[11] .rela.plt RELA 0000000000400620 00000620
00000000000000c0 0000000000000018 AI 6 24 8
[12] .init PROGBITS 0000000000401000 00001000
000000000000001b 0000000000000000 AX 0 0 4
[13] .plt PROGBITS 0000000000401020 00001020
0000000000000090 0000000000000010 AX 0 0 16
[14] .plt.sec PROGBITS 00000000004010b0 000010b0
0000000000000080 0000000000000010 AX 0 0 16
[15] .text PROGBITS 0000000000401130 00001130
00000000000004c5 0000000000000000 AX 0 0 16
[16] .fini PROGBITS 00000000004015f8 000015f8
000000000000000d 0000000000000000 AX 0 0 4
[17] .rodata PROGBITS 0000000000402000 00002000
00000000000000a5 0000000000000000 A 0 0 8
[18] .eh_frame_hdr PROGBITS 00000000004020a8 000020a8
000000000000004c 0000000000000000 A 0 0 4
[19] .eh_frame PROGBITS 00000000004020f8 000020f8
0000000000000120 0000000000000000 A 0 0 8
[20] .init_array INIT_ARRAY 0000000000403e10 00002e10
0000000000000008 0000000000000008 WA 0 0 8
[21] .fini_array FINI_ARRAY 0000000000403e18 00002e18
0000000000000008 0000000000000008 WA 0 0 8
[22] .dynamic DYNAMIC 0000000000403e20 00002e20
00000000000001d0 0000000000000010 WA 7 0 8
[23] .got PROGBITS 0000000000403ff0 00002ff0
0000000000000010 0000000000000008 WA 0 0 8
[24] .got.plt PROGBITS 0000000000404000 00003000
0000000000000058 0000000000000008 WA 0 0 8
[25] .data PROGBITS 0000000000404058 00003058
0000000000000014 0000000000000000 WA 0 0 8
[26] .bss NOBITS 0000000000404070 0000306c
0000000000000020 0000000000000000 WA 0 0 16
[27] .comment PROGBITS 0000000000000000 0000306c
0000000000000025 0000000000000001 MS 0 0 1
[28] .debug_aranges PROGBITS 0000000000000000 00003091
0000000000000030 0000000000000000 0 0 1
[29] .debug_info PROGBITS 0000000000000000 000030c1
0000000000000295 0000000000000000 0 0 1
[30] .debug_abbrev PROGBITS 0000000000000000 00003356
00000000000000fd 0000000000000000 0 0 1
[31] .debug_line PROGBITS 0000000000000000 00003453
000000000000024d 0000000000000000 0 0 1
[32] .debug_str PROGBITS 0000000000000000 000036a0
00000000000001f5 0000000000000001 MS 0 0 1
[33] .symtab SYMTAB 0000000000000000 00003898
0000000000000480 0000000000000018 34 22 8
[34] .strtab STRTAB 0000000000000000 00003d18
00000000000002a2 0000000000000000 0 0 1
[35] .shstrtab STRTAB 0000000000000000 00003fba
000000000000015f 0000000000000000 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
L (link order), O (extra OS processing required), G (group), T (TLS),
C (compressed), x (unknown), o (OS specific), E (exclude),
l (large), p (processor specific)
\end{lstlisting}
\end{document}

14
docs/document.toc
View File

@@ -109,7 +109,7 @@
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {4}Design of a malicious eBPF rootkit}{55}{chapter.4}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {4.1}Library injection via .GOT hijacking}{55}{section.4.1}%
\contentsline {section}{\numberline {4.1}Library injection via GOT hijacking}{55}{section.4.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {4.1.1}Attacks at the stack: buffer overflow}{56}{subsection.4.1.1}%
\defcounter {refsection}{0}\relax
@@ -117,9 +117,15 @@
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {4.1.3}ROP with eBPF}{62}{subsection.4.1.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Results}{65}{chapter.5}%
\contentsline {subsection}{\numberline {4.1.4}The ELF format and Lazy Binding}{64}{subsection.4.1.4}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {6}Conclusion and future work}{66}{chapter.6}%
\contentsline {subsection}{\numberline {4.1.5}Hardening ELF binaries and possible bypasses}{67}{subsection.4.1.5}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{67}{chapter.6}%
\contentsline {subsection}{\numberline {4.1.6}Design of our attack}{70}{subsection.4.1.6}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Results}{72}{chapter.5}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {6}Conclusion and future work}{73}{chapter.6}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{74}{chapter.6}%
\contentsfinish

BIN
docs/images/aslr_offset.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

BIN
docs/images/sch_firstcall.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 19 KiB

BIN
docs/images/sch_gdb_got_after.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.3 KiB

BIN
docs/images/sch_gdb_got_prev.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.6 KiB

BIN
docs/images/sch_gdb_plt.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 44 KiB

BIN
docs/images/sch_glibc_func.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

8
docs/pdfa.xmpi
View File

@@ -73,15 +73,15 @@
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/">
<xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool>
<xmp:ModifyDate>2022-06-08T08:51:58-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-06-08T08:51:58-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-06-08T08:51:58-04:00</xmp:MetadataDate>
<xmp:ModifyDate>2022-06-09T22:56:16-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-06-09T22:56:16-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-06-09T22:56:16-04:00</xmp:MetadataDate>
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/">
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/">
<xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID>
<xmpMM:InstanceID>uuid:67E0605E-9AD5-2C9E-F626-78177DE1F15D</xmpMM:InstanceID>
<xmpMM:InstanceID>uuid:B0F4602A-0208-8815-2371-500CE5249122</xmpMM:InstanceID>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>

198
src/helpers/.gdb_history
View File

@@ -1,102 +1,3 @@
ni
q
b *(main+446)
r
si
ni
si
q
r
q
b *(main+446)
r
si
ni
si
ni
si
si
si
si
display $fs
display $fs:0x28
q
b *(main+446)
r
si
ni
q
b *(main+446)
r
si
si
ni
si
ni
si
q
b *(main+446)
r
si
q
b *(main+446)
r
si
ni
si
si
ni
q
r
q
b *(main+446)
r
si
c
q
r
r
q
b *(main+446)
r
si
ni
si
ni
si
q
b *(main+446)
r
si
ni
q
b *(main+446)
r
si
q
b *(main+446)
r
si
ni
si
ni
si
q
b *(main+446)
r
si
ni
si
q
b *(main+446)
r
si
q
checksec
q
checksec
q
checksec
q
checksec
q
@@ -254,3 +155,102 @@ fin
si
ni
q
l main
disass main
b <main+186>
b main+186
b *(main+186)
r
si
si
exit
q
b *(main+186)
r
si
q
b *(main+186)
got
q
b *(main+186)
r
si
q
li main
disass main
b *(main+186)
r
si
q
disass main
b *(main+186)
r
si
i/20
x/20i
x/20i 0x404050
x/20x 0x404050
x/5x 0x404050
x/4x 0x404050
x/4i 0x404050
x/4x 0x404050
x/4i 0x4010a0
x/20i 0x4010a0
x/20i 0x401020
x/20i 0x404010
x/20x 0x404010
x/20x 0x404030
x/20i 0x404030
x/20i 0x401030
help
context
x/20x 0x404050
x/4x 0x404050
x/x 0x404050
b 0x401120
b *0x401120
r
si
x/x 0x404050
c
x/x 0x404050
x/5i 0x00007ffff7edd560
x/4i 0x00007ffff7edd560
q
checksec
q
checksec
b *(main+186)
r
r
r
r
q
b *(main+186)
r
q
r
b *(main+186)
r
r
r
r
r
q
r
b *(main+186)
r
q
b *(main+186)
r
q
b *(main+186)
r
q
q
b *(main+186)
r
si
q
r
q

2
src/helpers/peda-session-simple_timer.txt
View File

@@ -1,2 +1,2 @@
break *(main+446)
break *(main+186)