admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-16 23:33:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

Continued with offensive capabilities, incorporated security features and started with tracing program features

Browse Source
This commit is contained in:
h3xduck
2022-06-02 19:00:10 -04:00
parent 5d5aafb46d
commit 2c3648a18a
16 changed files with 882 additions and 203 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
docs/bibliography/bibliography.bib
View File

@@ -249,7 +249,7 @@
@online{ebpf_bounded_loops,
title={Bounded loops in BPF for the 5.3 kernel},
url={https://lwn.net/Articles/794934/},
date={2019-06-31},
date={2019-06-30},
author={Marta Rybczynska}
},
@@ -351,6 +351,69 @@
url={https://facebookmicrosites.github.io/bpf/blog/2020/02/19/bpf-portability-and-co-re.html},
author={Andrii Nakryiko},
date={2020-02-19}
},
@manual{ebpf_kernel_flags,
title={Installing BCC: Kernel Configuration},
url={https://github.com/iovisor/bcc/blob/master/INSTALL.md}
},
@manual{ubuntu_caps,
title={capabilities - overview of Linux capabilities},
url={http://manpages.ubuntu.com/manpages/trusty/man7/capabilities.7.html}
},
@proceedings{evil_ebpf_p9,
institution = {NCC Group},
author = {Jeff Dileo},
organization= {DEFCON 27},
eventtitle = {Evil eBPF Practical Abuses of an In-Kernel Bytecode Runtime},
url = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf},
pages={9}
},
@online{ebpf_caps_intro,
title={[PATCH v7 bpf-next 1/3] bpf, capability: Introduce CAP\_BPF},
url={https://lore.kernel.org/bpf/20200513230355.7858-2-alexei.starovoitov@gmail.com/}
},
@online{ebpf_caps_lwn,
title={capability: introduce CAP\_BPF and CAP\_TRACING},
url={https://lwn.net/Articles/797807/}
},
@online{unprivileged_ebpf,
title={Reconsidering unprivileged BPF},
url={https://lwn.net/Articles/796328/}
},
@online{cve_unpriv_ebpf,
title={CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability},
url={https://www.openwall.com/lists/oss-security/2022/01/11/4}
},
@online{unpriv_ebpf_ubuntu,
title={Unprivileged eBPF disabled by default for Ubuntu 20.04 LTS, 18.04 LTS, 16.04 ESM},
url={https://discourse.ubuntu.com/t/unprivileged-ebpf-disabled-by-default-for-ubuntu-20-04-lts-18-04-lts-16-04-esm/27047}
},
@online{unpriv_ebpf_redhat,
title={CVE-2022-0002},
url={https://access.redhat.com/security/cve/cve-2021-4001}
},
@online{unpriv_ebpf_suse,
title={Security Hardening: Use of eBPF by unprivileged users has been disabled by default},
url={https://www.suse.com/support/kb/doc/?id=000020545}
},
@manual{8664_params_abi,
title={System V Application Binary Interface
AMD64 Architecture Processor Supplement},
author={H.J. Lu et al.},
pages={148},
date={2018-01-28},
url={https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf}
}
@@ -359,4 +422,3 @@

2
docs/bibliography/texput.log
View File

@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 25 MAY 2022 19:59
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 2 JUN 2022 18:01
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.

73
docs/document.aux
View File

@@ -167,6 +167,7 @@
\abx@aux@cite{bpf_syscall}
\abx@aux@segm{0}{0}{bpf_syscall}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.4}eBPF maps}{15}{subsection.2.2.4}\protected@file@percent }
\newlabel{subsection:ebpf_maps}{{2.2.4}{15}{eBPF maps}{subsection.2.2.4}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.5}{\ignorespaces Table showing common fields for creating an eBPF map.\relax }}{15}{table.caption.18}\protected@file@percent }
\newlabel{table:ebpf_map_struct}{{2.5}{15}{Table showing common fields for creating an eBPF map.\relax }{table.caption.18}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.6}{\ignorespaces Table showing types of eBPF maps. Only those used in our rootkit are displayed, the full list can be consulted in the man page \cite {bpf_syscall}\relax }}{15}{table.caption.19}\protected@file@percent }
@@ -194,11 +195,13 @@
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.8}{\ignorespaces Table showing types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite {bpf_syscall}.\relax }}{17}{table.caption.21}\protected@file@percent }
\newlabel{table:ebpf_prog_types}{{2.8}{17}{Table showing types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite {bpf_syscall}.\relax }{table.caption.21}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.7}eBPF helpers}{17}{subsection.2.2.7}\protected@file@percent }
\newlabel{subsection:ebpf_helpers}{{2.2.7}{17}{eBPF helpers}{subsection.2.2.7}{}}
\abx@aux@cite{xdp_gentle_intro}
\abx@aux@segm{0}{0}{xdp_gentle_intro}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.9}{\ignorespaces Table showing common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite {ebpf_helpers}.\relax }}{18}{table.caption.22}\protected@file@percent }
\newlabel{table:ebpf_helpers}{{2.9}{18}{Table showing common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite {ebpf_helpers}.\relax }{table.caption.22}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.3}eBPF program types}{18}{section.2.3}\protected@file@percent }
\newlabel{section:ebpf_prog_types}{{2.3}{18}{eBPF program types}{section.2.3}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.1}XDP}{18}{subsection.2.3.1}\protected@file@percent }
\abx@aux@cite{xdp_manual}
\abx@aux@segm{0}{0}{xdp_manual}
@@ -236,13 +239,13 @@
\abx@aux@segm{0}{0}{bcc_github}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.4}Developing eBPF programs}{23}{section.2.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.1}BCC}{23}{subsection.2.4.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.2}Bpftool}{23}{subsection.2.4.2}\protected@file@percent }
\abx@aux@cite{libbpf_github}
\abx@aux@segm{0}{0}{libbpf_github}
\abx@aux@cite{libbpf_upstream}
\abx@aux@segm{0}{0}{libbpf_upstream}
\abx@aux@cite{libbpf_core}
\abx@aux@segm{0}{0}{libbpf_core}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.2}Bpftool}{24}{subsection.2.4.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.3}Libbpf}{24}{subsection.2.4.3}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.9}{\ignorespaces Sketch of the compilation and loading process of a program developed with libbpf.\relax }}{25}{figure.caption.28}\protected@file@percent }
\newlabel{fig:libbpf}{{2.9}{25}{Sketch of the compilation and loading process of a program developed with libbpf.\relax }{figure.caption.28}{}}
@@ -251,17 +254,63 @@
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Analysis of offensive capabilities}{27}{chapter.3}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Methods??}{28}{chapter.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.1}Security features in eBPF}{27}{section.3.1}\protected@file@percent }
\abx@aux@cite{ubuntu_caps}
\abx@aux@segm{0}{0}{ubuntu_caps}
\abx@aux@cite{evil_ebpf_p9}
\abx@aux@segm{0}{0}{evil_ebpf_p9}
\abx@aux@cite{ebpf_caps_intro}
\abx@aux@segm{0}{0}{ebpf_caps_intro}
\abx@aux@cite{ebpf_caps_lwn}
\abx@aux@segm{0}{0}{ebpf_caps_lwn}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.1}{\ignorespaces Kernel compilation flags for eBPF.\relax }}{28}{table.caption.30}\protected@file@percent }
\newlabel{table:ebpf_kernel_flags}{{3.1}{28}{Kernel compilation flags for eBPF.\relax }{table.caption.30}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.1.1}Access control}{28}{subsection.3.1.1}\protected@file@percent }
\abx@aux@cite{unprivileged_ebpf}
\abx@aux@segm{0}{0}{unprivileged_ebpf}
\abx@aux@cite{cve_unpriv_ebpf}
\abx@aux@segm{0}{0}{cve_unpriv_ebpf}
\abx@aux@cite{unpriv_ebpf_ubuntu}
\abx@aux@segm{0}{0}{unpriv_ebpf_ubuntu}
\abx@aux@cite{unpriv_ebpf_suse}
\abx@aux@segm{0}{0}{unpriv_ebpf_suse}
\abx@aux@cite{unpriv_ebpf_redhat}
\abx@aux@segm{0}{0}{unpriv_ebpf_redhat}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.2}{\ignorespaces Capabilities needed for eBPF.\relax }}{29}{table.caption.31}\protected@file@percent }
\newlabel{table:ebpf_caps_current}{{3.2}{29}{Capabilities needed for eBPF.\relax }{table.caption.31}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.3}{\ignorespaces Values for unprivileged eBPF kernel parameter.\relax }}{29}{table.caption.32}\protected@file@percent }
\newlabel{table:unpriv_ebpf_values}{{3.3}{29}{Values for unprivileged eBPF kernel parameter.\relax }{table.caption.32}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.1.2}eBPF maps security}{30}{subsection.3.1.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.2}Abusing tracing programs}{30}{section.3.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.1}Access to function arguments}{30}{subsection.3.2.1}\protected@file@percent }
\newlabel{code:format_kprobe}{{3.1}{30}{Probe function for a kprobe on the kernel function vfs\_write}{lstlisting.3.1}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.1}Probe function for a kprobe on the kernel function vfs\_write.}{30}{lstlisting.3.1}\protected@file@percent }
\abx@aux@cite{8664_params_abi}
\abx@aux@segm{0}{0}{8664_params_abi}
\newlabel{code:format_uprobe}{{3.2}{31}{Probe function for an uprobe, execute\_command is defined from user space}{lstlisting.3.2}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.2}Probe function for an uprobe, execute\_command is defined from user space.}{31}{lstlisting.3.2}\protected@file@percent }
\newlabel{code:format_tracepoint}{{3.3}{31}{Probe function for a tracepoint on the start of the syscall sys\_read}{lstlisting.3.3}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.3}Probe function for a tracepoint on the start of the syscall sys\_read.}{31}{lstlisting.3.3}\protected@file@percent }
\newlabel{code:format_ptregs}{{3.4}{31}{Format of struct pt\_regs}{lstlisting.3.4}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.4}Format of struct pt\_regs.}{31}{lstlisting.3.4}\protected@file@percent }
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.4}{\ignorespaces Argument passing convention of registers for function calls in user and kernel space respectively.\relax }}{32}{table.caption.33}\protected@file@percent }
\newlabel{table:systemv_abi}{{3.4}{32}{Argument passing convention of registers for function calls in user and kernel space respectively.\relax }{table.caption.33}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.5}{\ignorespaces Other relevant registers in x86\_64 and their purpose.\relax }}{32}{table.caption.34}\protected@file@percent }
\newlabel{table:systemv_abi_other}{{3.5}{32}{Other relevant registers in x86\_64 and their purpose.\relax }{table.caption.34}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.3}Memory corruption}{32}{section.3.3}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.1}Accessing user memory}{32}{subsection.3.3.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Methods??}{33}{chapter.4}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Results}{29}{chapter.5}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Results}{34}{chapter.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Conclusion and future work}{30}{chapter.6}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Conclusion and future work}{35}{chapter.6}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{31}{chapter.6}\protected@file@percent }
\abx@aux@read@bbl@mdfivesum{0AFB9D19373966AF64A6C0FAEBFB8A46}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{36}{chapter.6}\protected@file@percent }
\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.36}{}}
\abx@aux@read@bbl@mdfivesum{F47E3F72E57DA91BA8A2EEF65A74B9DA}
\abx@aux@refcontextdefaultsdone
\abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global}
@@ -314,5 +363,15 @@
\abx@aux@defaultrefcontext{0}{libbpf_github}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{libbpf_upstream}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{libbpf_core}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ubuntu_caps}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{evil_ebpf_p9}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_caps_intro}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_caps_lwn}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{unprivileged_ebpf}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{cve_unpriv_ebpf}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{unpriv_ebpf_ubuntu}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{unpriv_ebpf_suse}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{unpriv_ebpf_redhat}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{8664_params_abi}{none/global//global/global}
\ttl@finishall
\gdef \@abspage@last{51}
\gdef \@abspage@last{58}

170
docs/document.bbl
View File

@@ -152,6 +152,7 @@
\strng{authorbibnamehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{authornamehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{authorfullhash}{5142e68c748eb70cb619b21160eb7f72}
\field{extraname}{1}
\field{sortinit}{2}
\field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
\field{labelnamesource}{author}
@@ -812,14 +813,17 @@
\field{sortinithash}{5dd416adbafacc8226114bc0202d5fdd}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{30}
\field{month}{6}
\field{title}{Bounded loops in BPF for the 5.3 kernel}
\field{year}{2019}
\field{dateera}{ce}
\verb{urlraw}
\verb https://lwn.net/Articles/794934/
\endverb
\verb{url}
\verb https://lwn.net/Articles/794934/
\endverb
\warn{\item Entry 'ebpf_bounded_loops' (bibliography/bibliography.bib): Invalid format '2019-06-31' of date field 'date' - ignoring}
\endentry
\entry{ebpf_maps_kernel}{manual}{}
\field{sortinit}{5}
@@ -1149,6 +1153,170 @@
\verb https://facebookmicrosites.github.io/bpf/blog/2020/02/19/bpf-portability-and-co-re.html
\endverb
\endentry
\entry{ubuntu_caps}{manual}{}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{labeltitlesource}{title}
\field{title}{capabilities - overview of Linux capabilities}
\verb{urlraw}
\verb http://manpages.ubuntu.com/manpages/trusty/man7/capabilities.7.html
\endverb
\verb{url}
\verb http://manpages.ubuntu.com/manpages/trusty/man7/capabilities.7.html
\endverb
\endentry
\entry{evil_ebpf_p9}{proceedings}{}
\name{author}{1}{}{%
{{hash=5142e68c748eb70cb619b21160eb7f72}{%
family={Dileo},
familyi={D\bibinitperiod},
given={Jeff},
giveni={J\bibinitperiod}}}%
}
\list{institution}{1}{%
{NCC Group}%
}
\list{organization}{1}{%
{DEFCON 27}%
}
\strng{namehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{fullhash}{5142e68c748eb70cb619b21160eb7f72}
\strng{bibnamehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{authorbibnamehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{authornamehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{authorfullhash}{5142e68c748eb70cb619b21160eb7f72}
\field{extraname}{2}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{labelnamesource}{author}
\field{eventtitle}{Evil eBPF Practical Abuses of an In-Kernel Bytecode Runtime}
\field{pages}{9}
\range{pages}{1}
\verb{urlraw}
\verb https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf
\endverb
\verb{url}
\verb https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf
\endverb
\endentry
\entry{ebpf_caps_intro}{online}{}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{labeltitlesource}{title}
\field{title}{[PATCH v7 bpf-next 1/3] bpf, capability: Introduce CAP\_BPF}
\verb{urlraw}
\verb https://lore.kernel.org/bpf/20200513230355.7858-2-alexei.starovoitov@gmail.com/
\endverb
\verb{url}
\verb https://lore.kernel.org/bpf/20200513230355.7858-2-alexei.starovoitov@gmail.com/
\endverb
\endentry
\entry{ebpf_caps_lwn}{online}{}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{labeltitlesource}{title}
\field{title}{capability: introduce CAP\_BPF and CAP\_TRACING}
\verb{urlraw}
\verb https://lwn.net/Articles/797807/
\endverb
\verb{url}
\verb https://lwn.net/Articles/797807/
\endverb
\endentry
\entry{unprivileged_ebpf}{online}{}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{labeltitlesource}{title}
\field{title}{Reconsidering unprivileged BPF}
\verb{urlraw}
\verb https://lwn.net/Articles/796328/
\endverb
\verb{url}
\verb https://lwn.net/Articles/796328/
\endverb
\endentry
\entry{cve_unpriv_ebpf}{online}{}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{labeltitlesource}{title}
\field{title}{CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability}
\verb{urlraw}
\verb https://www.openwall.com/lists/oss-security/2022/01/11/4
\endverb
\verb{url}
\verb https://www.openwall.com/lists/oss-security/2022/01/11/4
\endverb
\endentry
\entry{unpriv_ebpf_ubuntu}{online}{}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{labeltitlesource}{title}
\field{title}{Unprivileged eBPF disabled by default for Ubuntu 20.04 LTS, 18.04 LTS, 16.04 ESM}
\verb{urlraw}
\verb https://discourse.ubuntu.com/t/unprivileged-ebpf-disabled-by-default-for-ubuntu-20-04-lts-18-04-lts-16-04-esm/27047
\endverb
\verb{url}
\verb https://discourse.ubuntu.com/t/unprivileged-ebpf-disabled-by-default-for-ubuntu-20-04-lts-18-04-lts-16-04-esm/27047
\endverb
\endentry
\entry{unpriv_ebpf_suse}{online}{}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{labeltitlesource}{title}
\field{title}{Security Hardening: Use of eBPF by unprivileged users has been disabled by default}
\verb{urlraw}
\verb https://www.suse.com/support/kb/doc/?id=000020545
\endverb
\verb{url}
\verb https://www.suse.com/support/kb/doc/?id=000020545
\endverb
\endentry
\entry{unpriv_ebpf_redhat}{online}{}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{labeltitlesource}{title}
\field{title}{CVE-2022-0002}
\verb{urlraw}
\verb https://access.redhat.com/security/cve/cve-2021-4001
\endverb
\verb{url}
\verb https://access.redhat.com/security/cve/cve-2021-4001
\endverb
\endentry
\entry{8664_params_abi}{manual}{}
\name{author}{1}{}{%
{{hash=871f02558cb7234c22cde24811cf53a7}{%
family={al.},
familyi={a\bibinitperiod},
given={H.J.\bibnamedelimi Lu},
giveni={H\bibinitperiod\bibinitdelim L\bibinitperiod},
prefix={et},
prefixi={e\bibinitperiod}}}%
}
\strng{namehash}{871f02558cb7234c22cde24811cf53a7}
\strng{fullhash}{871f02558cb7234c22cde24811cf53a7}
\strng{bibnamehash}{871f02558cb7234c22cde24811cf53a7}
\strng{authorbibnamehash}{871f02558cb7234c22cde24811cf53a7}
\strng{authornamehash}{871f02558cb7234c22cde24811cf53a7}
\strng{authorfullhash}{871f02558cb7234c22cde24811cf53a7}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{28}
\field{month}{1}
\field{title}{System V Application Binary Interface AMD64 Architecture Processor Supplement}
\field{year}{2018}
\field{dateera}{ce}
\field{pages}{148}
\range{pages}{1}
\verb{urlraw}
\verb https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf
\endverb
\verb{url}
\verb https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf
\endverb
\endentry
\enddatalist
\endrefsection
\endinput

10
docs/document.bcf
View File

@@ -2416,6 +2416,16 @@
<bcf:citekey order="78">libbpf_github</bcf:citekey>
<bcf:citekey order="79">libbpf_upstream</bcf:citekey>
<bcf:citekey order="80">libbpf_core</bcf:citekey>
<bcf:citekey order="81">ubuntu_caps</bcf:citekey>
<bcf:citekey order="82">evil_ebpf_p9</bcf:citekey>
<bcf:citekey order="83">ebpf_caps_intro</bcf:citekey>
<bcf:citekey order="84">ebpf_caps_lwn</bcf:citekey>
<bcf:citekey order="85">unprivileged_ebpf</bcf:citekey>
<bcf:citekey order="86">cve_unpriv_ebpf</bcf:citekey>
<bcf:citekey order="87">unpriv_ebpf_ubuntu</bcf:citekey>
<bcf:citekey order="88">unpriv_ebpf_suse</bcf:citekey>
<bcf:citekey order="89">unpriv_ebpf_redhat</bcf:citekey>
<bcf:citekey order="90">8664_params_abi</bcf:citekey>
</bcf:section>
<!-- SORTING TEMPLATES -->
<bcf:sortingtemplate name="none">

148
docs/document.blg
View File

@@ -1,69 +1,79 @@
[1] Config.pm:311> INFO - This is Biber 2.16
[1] Config.pm:314> INFO - Logfile is 'document.blg'
[148] biber:340> INFO - === Sat May 28, 2022, 08:39:03
[183] Biber.pm:415> INFO - Reading 'document.bcf'
[389] Biber.pm:952> INFO - Found 51 citekeys in bib section 0
[427] Biber.pm:4340> INFO - Processing section 0
[450] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[456] bibtex.pm:1689> INFO - LaTeX decoding ...
[512] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[742] Utils.pm:384> WARN - Entry 'ebpf_bounded_loops' (bibliography/bibliography.bib): Invalid format '2019-06-31' of date field 'date' - ignoring
[820] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 9, warning: 1 characters of junk seen at toplevel
[820] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 15, warning: 1 characters of junk seen at toplevel
[820] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 22, warning: 1 characters of junk seen at toplevel
[821] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 28, warning: 1 characters of junk seen at toplevel
[821] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 35, warning: 1 characters of junk seen at toplevel
[821] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 42, warning: 1 characters of junk seen at toplevel
[822] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 50, warning: 1 characters of junk seen at toplevel
[822] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 58, warning: 1 characters of junk seen at toplevel
[822] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 65, warning: 1 characters of junk seen at toplevel
[822] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 70, warning: 1 characters of junk seen at toplevel
[823] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 77, warning: 1 characters of junk seen at toplevel
[823] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 85, warning: 1 characters of junk seen at toplevel
[823] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 94, warning: 1 characters of junk seen at toplevel
[823] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 103, warning: 1 characters of junk seen at toplevel
[823] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 112, warning: 1 characters of junk seen at toplevel
[823] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 121, warning: 1 characters of junk seen at toplevel
[824] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 127, warning: 1 characters of junk seen at toplevel
[824] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 132, warning: 1 characters of junk seen at toplevel
[824] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 137, warning: 1 characters of junk seen at toplevel
[824] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 142, warning: 1 characters of junk seen at toplevel
[825] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 153, warning: 1 characters of junk seen at toplevel
[825] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 158, warning: 1 characters of junk seen at toplevel
[825] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 164, warning: 1 characters of junk seen at toplevel
[825] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 170, warning: 1 characters of junk seen at toplevel
[825] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 175, warning: 1 characters of junk seen at toplevel
[826] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 184, warning: 1 characters of junk seen at toplevel
[826] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 191, warning: 1 characters of junk seen at toplevel
[826] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 199, warning: 1 characters of junk seen at toplevel
[826] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 206, warning: 1 characters of junk seen at toplevel
[826] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 215, warning: 1 characters of junk seen at toplevel
[827] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 224, warning: 1 characters of junk seen at toplevel
[827] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 233, warning: 1 characters of junk seen at toplevel
[827] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 239, warning: 1 characters of junk seen at toplevel
[827] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 244, warning: 1 characters of junk seen at toplevel
[828] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 249, warning: 1 characters of junk seen at toplevel
[828] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 256, warning: 1 characters of junk seen at toplevel
[828] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 261, warning: 1 characters of junk seen at toplevel
[828] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 266, warning: 1 characters of junk seen at toplevel
[828] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 271, warning: 1 characters of junk seen at toplevel
[828] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 276, warning: 1 characters of junk seen at toplevel
[829] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 283, warning: 1 characters of junk seen at toplevel
[829] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 288, warning: 1 characters of junk seen at toplevel
[829] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 295, warning: 1 characters of junk seen at toplevel
[829] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 302, warning: 1 characters of junk seen at toplevel
[829] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 309, warning: 1 characters of junk seen at toplevel
[830] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 315, warning: 1 characters of junk seen at toplevel
[830] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 321, warning: 1 characters of junk seen at toplevel
[830] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 327, warning: 1 characters of junk seen at toplevel
[830] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 334, warning: 1 characters of junk seen at toplevel
[830] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 339, warning: 1 characters of junk seen at toplevel
[831] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 344, warning: 1 characters of junk seen at toplevel
[831] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZQaP/f4d088b3f9f145b5c3058da33afd57d4_168752.utf8, line 349, warning: 1 characters of junk seen at toplevel
[916] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[917] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[917] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[917] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[991] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[1026] bbl.pm:757> INFO - Output to document.bbl
[1026] Biber.pm:128> INFO - WARNINGS: 53
[0] Config.pm:311> INFO - This is Biber 2.16
[0] Config.pm:314> INFO - Logfile is 'document.blg'
[75] biber:340> INFO - === Thu Jun 2, 2022, 18:58:57
[92] Biber.pm:415> INFO - Reading 'document.bcf'
[173] Biber.pm:952> INFO - Found 61 citekeys in bib section 0
[188] Biber.pm:4340> INFO - Processing section 0
[198] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[202] bibtex.pm:1689> INFO - LaTeX decoding ...
[225] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 9, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 15, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 22, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 28, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 35, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 42, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 50, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 58, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 65, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 70, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 77, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 85, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 94, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 103, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 112, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 121, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 127, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 132, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 137, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 142, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 153, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 158, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 164, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 170, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 175, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 184, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 191, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 199, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 206, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 215, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 224, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 233, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 239, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 244, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 249, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 256, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 261, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 266, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 271, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 276, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 283, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 288, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 295, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 302, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 309, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 315, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 321, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 327, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 334, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 339, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 344, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 349, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 356, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 361, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 366, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 375, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 380, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 385, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 390, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 395, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 400, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 405, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 410, warning: 1 characters of junk seen at toplevel
[411] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[411] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[412] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[412] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[460] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[474] bbl.pm:757> INFO - Output to document.bbl
[475] Biber.pm:128> INFO - WARNINGS: 63

200
docs/document.log
View File

@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 28 MAY 2022 09:22
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 2 JUN 2022 18:58
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.
@@ -1079,14 +1079,7 @@ Package: blx-case-expl3 2020/12/31 v3.16 expl3 case changing code for biblatex
Package biblatex Info: Trying to load bibliographic data...
Package biblatex Info: ... file 'document.bbl' found.
(./document.bbl
Package biblatex Warning: Biber reported the following issues
(biblatex) with 'ebpf_bounded_loops':
(biblatex) - Entry 'ebpf_bounded_loops' (bibliography/bibliograp
hy.bib): Invalid format '2019-06-31' of date field 'date' - ignoring.
)
(./document.bbl)
Package biblatex Info: Reference section=0 on input line 179.
Package biblatex Info: Reference segment=0 on input line 179.
LaTeX Font Info: Trying to load font information for T1+txss on input line 1
@@ -1096,7 +1089,7 @@ File: t1txss.fd 2000/12/15 v3.1
)
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 11.39996pt on input line 186.
<images//Portada_Logo.png, id=149, 456.2865pt x 45.99pt>
<images//Portada_Logo.png, id=181, 456.2865pt x 45.99pt>
File: images//Portada_Logo.png Graphic file (type png)
<use images//Portada_Logo.png>
Package pdftex.def Info: images//Portada_Logo.png used on input line 190.
@@ -1109,7 +1102,7 @@ LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 23.63593pt on input line 201.
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 19.70294pt on input line 205.
<images/creativecommons.png, id=151, 338.76563pt x 118.19156pt>
<images/creativecommons.png, id=183, 338.76563pt x 118.19156pt>
File: images/creativecommons.png Graphic file (type png)
<use images/creativecommons.png>
Package pdftex.def Info: images/creativecommons.png used on input line 215.
@@ -1118,7 +1111,8 @@ LaTeX Font Info: Font shape `T1/txss/b/n' in size <12> not available
(Font) Font shape `T1/txss/bx/n' tried instead on input line 216.
LaTeX Font Info: Font shape `T1/txss/bx/n' will be
(Font) scaled to size 11.39996pt on input line 216.
[1
[1
<./images//Portada_Logo.png> <./images/creativecommons.png>]pdfTeX warning (ex
t4): destination with the same identifier (name{page.i}) has been already used,
@@ -1199,7 +1193,7 @@ File: utxsyc.fd 2000/12/15 v3.1
[12
] [13]
] [13] [14]
Chapter 1.
LaTeX Font Info: Trying to load font information for TS1+txr on input line 3
30.
@@ -1220,7 +1214,7 @@ Chapter 2.
LaTeX Warning: Reference `section:analysis_offensive_capabilities' on page 5 un
defined on input line 412.
<images//classic_bpf.jpg, id=428, 588.1975pt x 432.61626pt>
<images//classic_bpf.jpg, id=491, 588.1975pt x 432.61626pt>
File: images//classic_bpf.jpg Graphic file (type jpg)
<use images//classic_bpf.jpg>
Package pdftex.def Info: images//classic_bpf.jpg used on input line 426.
@@ -1228,36 +1222,36 @@ Package pdftex.def Info: images//classic_bpf.jpg used on input line 426.
[5
] [6 <./images//classic_bpf.jpg>]
<images//cbpf_prog.jpg, id=446, 403.5075pt x 451.6875pt>
<images//cbpf_prog.jpg, id=509, 403.5075pt x 451.6875pt>
File: images//cbpf_prog.jpg Graphic file (type jpg)
<use images//cbpf_prog.jpg>
Package pdftex.def Info: images//cbpf_prog.jpg used on input line 453.
(pdftex.def) Requested size: 227.62204pt x 254.80415pt.
[7 <./images/cBPF_prog.jpg>]
<images//bpf_instructions.png, id=456, 380.92313pt x 475.27562pt>
<images//bpf_instructions.png, id=519, 380.92313pt x 475.27562pt>
File: images//bpf_instructions.png Graphic file (type png)
<use images//bpf_instructions.png>
Package pdftex.def Info: images//bpf_instructions.png used on input line 493.
(pdftex.def) Requested size: 227.62204pt x 283.99998pt.
[8 <./images//bpf_instructions.png>]
<images//bpf_address_mode.png, id=466, 417.05812pt x 313.67188pt>
<images//bpf_address_mode.png, id=529, 417.05812pt x 313.67188pt>
File: images//bpf_address_mode.png Graphic file (type png)
<use images//bpf_address_mode.png>
Package pdftex.def Info: images//bpf_address_mode.png used on input line 509.
(pdftex.def) Requested size: 227.62204pt x 171.19905pt.
[9 <./images//bpf_address_mode.png>]
<images//tcpdump_example.png, id=478, 534.99875pt x 454.69875pt>
<images//tcpdump_example.png, id=542, 534.99875pt x 454.69875pt>
File: images//tcpdump_example.png Graphic file (type png)
<use images//tcpdump_example.png>
Package pdftex.def Info: images//tcpdump_example.png used on input line 524.
(pdftex.def) Requested size: 284.52756pt x 241.82869pt.
<images//cBPF_prog_ex_sol.png, id=481, 242.9075pt x 321.2pt>
<images//cBPF_prog_ex_sol.png, id=545, 242.9075pt x 321.2pt>
File: images//cBPF_prog_ex_sol.png Graphic file (type png)
<use images//cBPF_prog_ex_sol.png>
Package pdftex.def Info: images//cBPF_prog_ex_sol.png used on input line 535.
(pdftex.def) Requested size: 170.71652pt x 225.74026pt.
[10 <./images//tcpdump_example.png>] [11 <./images//cBPF_prog_ex_sol.png>]
<images//ebpf_arch.jpg, id=500, 739.76375pt x 472.76625pt>
<images//ebpf_arch.jpg, id=563, 739.76375pt x 472.76625pt>
File: images//ebpf_arch.jpg Graphic file (type jpg)
<use images//ebpf_arch.jpg>
Package pdftex.def Info: images//ebpf_arch.jpg used on input line 574.
@@ -1274,16 +1268,16 @@ Overfull \hbox (17.02478pt too wide) in paragraph at lines 627--628
[]
[14]
Overfull \hbox (30.83617pt too wide) in paragraph at lines 677--686
Overfull \hbox (56.55217pt too wide) in paragraph at lines 677--688
[][]
[]
LaTeX Warning: Reference `table:ebpf_maps' on page 15 undefined on input line 6
90.
92.
Overfull \hbox (11.26865pt too wide) in paragraph at lines 690--691
Overfull \hbox (11.26865pt too wide) in paragraph at lines 692--693
\T1/txr/m/n/12 de-vel-op-ment of our rootkit, we will mainly fo-cus on hash map
s (BPF_MAP_TYPE_HASH),
[]
@@ -1291,162 +1285,204 @@ s (BPF_MAP_TYPE_HASH),
[15]
LaTeX Warning: Reference `table:bpf_syscall' on page 16 undefined on input line
700.
702.
Overfull \hbox (42.01218pt too wide) in paragraph at lines 703--719
Overfull \hbox (42.01218pt too wide) in paragraph at lines 705--721
[][]
[]
[16]
LaTeX Warning: Reference `section:TODO' on page 17 undefined on input line 746.
LaTeX Warning: Reference `section:TODO' on page 17 undefined on input line 748.
Overfull \hbox (13.5802pt too wide) in paragraph at lines 756--784
Overfull \hbox (13.5802pt too wide) in paragraph at lines 758--788
[][]
[]
[17]
<images//xdp_diag.jpg, id=580, 649.42625pt x 472.76625pt>
<images//xdp_diag.jpg, id=643, 649.42625pt x 472.76625pt>
File: images//xdp_diag.jpg Graphic file (type jpg)
<use images//xdp_diag.jpg>
Package pdftex.def Info: images//xdp_diag.jpg used on input line 800.
Package pdftex.def Info: images//xdp_diag.jpg used on input line 804.
(pdftex.def) Requested size: 426.79134pt x 310.69934pt.
[18] [19 <./images//xdp_diag.jpg>]
Overfull \hbox (5.80417pt too wide) in paragraph at lines 863--875
Overfull \hbox (5.80417pt too wide) in paragraph at lines 867--879
[][]
[]
[20] [21] [22] [23]
<images//libbpf_prog.jpg, id=639, 543.02875pt x 502.87875pt>
<images//libbpf_prog.jpg, id=702, 543.02875pt x 502.87875pt>
File: images//libbpf_prog.jpg Graphic file (type jpg)
<use images//libbpf_prog.jpg>
Package pdftex.def Info: images//libbpf_prog.jpg used on input line 966.
Package pdftex.def Info: images//libbpf_prog.jpg used on input line 977.
(pdftex.def) Requested size: 341.43306pt x 316.20142pt.
[24]
LaTeX Warning: Reference `TODO' on page 25 undefined on input line 994.
LaTeX Warning: Reference `TODO' on page 25 undefined on input line 1005.
[25 <./images//libbpf_prog.jpg>] [26]
Chapter 3.
Overfull \hbox (15.27466pt too wide) in paragraph at lines 1029--1057
[][]
[]
[27
]
Overfull \hbox (144.2746pt too wide) in paragraph at lines 1069--1070
[]\T1/txr/bx/n/12 Unprivileged users \T1/txr/m/n/12 can only load and at-tach e
BPF pro-grams of type BPF_PROG_TYPE_SOCKET_FILTER[[][]53[][]],
[]
[28]
Overfull \hbox (33.33205pt too wide) in paragraph at lines 1095--1096
[]\T1/txr/m/n/12 Therefore, eBPF net-work pro-grams usu-ally re-quire both CAP_
BPF and CAP_NET_ADMIN,
[]
[29]
Overfull \hbox (18.75664pt too wide) in paragraph at lines 1125--1126
\T1/txr/m/n/12 can also ex-plore all the avail-able maps in the sys-tem by us-i
ng the BPF_MAP_GET_NEXT_ID
[]
(/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
File: lstlang1.sty 2020/03/24 1.8d listings language file
)
(/usr/share/texlive/texmf-dist/tex/latex/listings/lstmisc.sty
File: lstmisc.sty 2020/03/24 1.8d (Carsten Heinz)
)
Package hyperref Info: bookmark level for unknown lstlisting defaults to 0 on i
nput line 1141.
LaTeX Font Info: Trying to load font information for T1+txtt on input line 1
141.
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txtt.fd
File: t1txtt.fd 2000/12/15 v3.1
) [30]
LaTeX Font Info: Font shape `T1/txtt/b/n' in size <10> not available
(Font) Font shape `T1/txtt/bx/n' tried instead on input line 1143.
[31] [32]
Chapter 4.
[28
[33
]
Chapter 5.
[29
[34
]
Chapter 6.
[30
[35
]
LaTeX Font Info: Trying to load font information for T1+txtt on input line 1
031.
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txtt.fd
File: t1txtt.fd 2000/12/15 v3.1
)
Overfull \hbox (5.34976pt too wide) in paragraph at lines 1032--1032
Overfull \hbox (5.34976pt too wide) in paragraph at lines 1291--1291
\T1/txtt/m/n/12 threat -[] intelligence / cyber -[] year -[] in -[] retrospect
/ yir -[] cyber -[] threats -[]
[]
[31
[36
]
Overfull \hbox (6.22696pt too wide) in paragraph at lines 1032--1032
Overfull \hbox (6.22696pt too wide) in paragraph at lines 1291--1291
[]\T1/txr/m/it/12 Bpf fea-tures by linux ker-nel ver-sion\T1/txr/m/n/12 , io-vi
-sor. [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / github .
[]
Overfull \hbox (7.34976pt too wide) in paragraph at lines 1032--1032
Overfull \hbox (7.34976pt too wide) in paragraph at lines 1291--1291
[][]$\T1/txtt/m/n/12 https : / / ebpf . io / what -[] is -[] ebpf / #loader -[]
-[] verification -[] architecture$[][]\T1/txr/m/n/12 .
[]
Overfull \hbox (21.24973pt too wide) in paragraph at lines 1032--1032
Overfull \hbox (21.24973pt too wide) in paragraph at lines 1291--1291
\T1/txtt/m/n/12 vger . kernel . org / netconf2015Starovoitov -[] bpf _ collabsu
mmit _ 2015feb20 .
[]
[32]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 1032--1032
[37]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 1291--1291
\T1/txtt/m/n/12 ch02 . xhtml# :-[]: text = With % 20JIT % 20compiled % 20code %
2C % 20i ,[] %20other %
[]
Overfull \hbox (6.49615pt too wide) in paragraph at lines 1032--1032
Overfull \hbox (6.49615pt too wide) in paragraph at lines 1291--1291
[]\T1/txr/m/n/12 D. Lavie. ^^P A gen-tle in-tro-duc-tion to xdp.^^Q (Feb. 3, 2
022), [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https :
[]
[33]
Overfull \hbox (0.76683pt too wide) in paragraph at lines 1032--1032
[38]
Overfull \hbox (0.76683pt too wide) in paragraph at lines 1291--1291
[]\T1/txr/m/n/12 ^^P Bpf next ker-nel tree.^^Q (), [On-line]. Avail-able: [][]
$\T1/txtt/m/n/12 https : / / kernel . googlesource .
[]
[34] [1
]
Overfull \hbox (14.49278pt too wide) in paragraph at lines 1291--1291
[]\T1/txr/m/it/12 Capabilities - overview of linux ca-pa-bil-i-ties\T1/txr/m/n/
12 . [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 http : / / manpages .
[]
Package caption Warning: Unused \captionsetup[lstlisting] on input line 164.
See the caption package documentation for explanation.
[39]
Overfull \hbox (53.32059pt too wide) in paragraph at lines 1291--1291
\T1/txr/m/it/12 sup-ple-ment\T1/txr/m/n/12 , Jan. 28, 2018, p. 148. [On-line].
Avail-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
[]
pdfTeX warning (ext4): destination with the same identifier (name{page.}) has b
een already used, duplicate ignored
[40] (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
File: lstlang1.sty 2020/03/24 1.8d listings language file
)
(/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
File: lstlang1.sty 2020/03/24 1.8d listings language file
) [1
]pdfTeX warning (ext4): destination with the same identifier (name{page.}) has
been already used, duplicate ignored
<to be read again>
\relax
l.1048 \end{document}
l.1351 \end{document}
[2
] (./document.aux)
LaTeX Warning: There were undefined references.
Package rerunfilecheck Warning: File `document.out' has changed.
(rerunfilecheck) Rerun to get outlines right
(rerunfilecheck) or use package `bookmark'.
Package rerunfilecheck Info: Checksums for `document.out':
(rerunfilecheck) Before: DDEC2EA0BA9DDEC568FE05D8A7BB7EC7;2555
(rerunfilecheck) After: 82639416354DA222C60093A493D29911;2634.
Package rerunfilecheck Info: File `document.out' has not changed.
(rerunfilecheck) Checksum: 986F56F3947BD730EBF6BFF75F31FFDD;3180.
Package logreq Info: Writing requests to 'document.run.xml'.
\openout1 = `document.run.xml'.
)
Here is how much of TeX's memory you used:
27509 strings out of 481209
439698 string characters out of 5914747
1181434 words of memory out of 5000000
43856 multiletter control sequences out of 15000+600000
453959 words of font info for 100 fonts, out of 8000000 for 9000
28129 strings out of 481209
447183 string characters out of 5914747
1335757 words of memory out of 5000000
44399 multiletter control sequences out of 15000+600000
459242 words of font info for 106 fonts, out of 8000000 for 9000
36 hyphenation exceptions out of 8191
88i,12n,90p,1029b,3681s stack positions out of 5000i,500n,10000p,200000b,80000s
88i,12n,90p,1029b,3702s stack positions out of 5000i,500n,10000p,200000b,80000s
{/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc}</usr/share/texliv
e/texmf-dist/fonts/type1/public/txfonts/rtcxi.pfb></usr/share/texlive/texmf-dis
t/fonts/type1/public/txfonts/rtcxr.pfb></usr/share/texlive/texmf-dist/fonts/typ
e1/public/txfonts/rtxb.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/tx
fonts/rtxi.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/rtxr.p
fb></usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/t1xtt.pfb></usr/sh
are/texlive/texmf-dist/fonts/type1/urw/helvetic/uhvb8a.pfb></usr/share/texlive/
texmf-dist/fonts/type1/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/f
onts/type1/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/u
rw/times/utmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a
.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on document.pdf (51 pages, 726289 bytes).
fb></usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/t1xbtt.pfb></usr/s
hare/texlive/texmf-dist/fonts/type1/public/txfonts/t1xtt.pfb></usr/share/texliv
e/texmf-dist/fonts/type1/urw/helvetic/uhvb8a.pfb></usr/share/texlive/texmf-dist
/fonts/type1/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1
/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/u
tmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr
/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on document.pdf (58 pages, 775719 bytes).
PDF statistics:
898 PDF objects out of 1000 (max. 8388607)
168 named destinations out of 1000 (max. 500000)
356 words of extra memory for PDF output out of 10000 (max. 10000000)
1098 PDF objects out of 1200 (max. 8388607)
232 named destinations out of 1000 (max. 500000)
420 words of extra memory for PDF output out of 10000 (max. 10000000)

10
docs/document.lot
View File

@@ -35,6 +35,16 @@
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {3.1}{\ignorespaces Kernel compilation flags for eBPF.\relax }}{28}{table.caption.30}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {3.2}{\ignorespaces Capabilities needed for eBPF.\relax }}{29}{table.caption.31}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {3.3}{\ignorespaces Values for unprivileged eBPF kernel parameter.\relax }}{29}{table.caption.32}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {3.4}{\ignorespaces Argument passing convention of registers for function calls in user and kernel space respectively.\relax }}{32}{table.caption.33}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {3.5}{\ignorespaces Other relevant registers in x86\_64 and their purpose.\relax }}{32}{table.caption.34}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }

15
docs/document.out
View File

@@ -31,7 +31,14 @@
\BOOKMARK [2][-]{subsection.2.4.2}{Bpftool}{section.2.4}% 31
\BOOKMARK [2][-]{subsection.2.4.3}{Libbpf}{section.2.4}% 32
\BOOKMARK [0][-]{chapter.3}{Analysis\040of\040offensive\040capabilities}{}% 33
\BOOKMARK [0][-]{chapter.4}{Methods??}{}% 34
\BOOKMARK [0][-]{chapter.5}{Results}{}% 35
\BOOKMARK [0][-]{chapter.6}{Conclusion\040and\040future\040work}{}% 36
\BOOKMARK [0][-]{chapter.6}{Bibliography}{}% 37
\BOOKMARK [1][-]{section.3.1}{Security\040features\040in\040eBPF}{chapter.3}% 34
\BOOKMARK [2][-]{subsection.3.1.1}{Access\040control}{section.3.1}% 35
\BOOKMARK [2][-]{subsection.3.1.2}{eBPF\040maps\040security}{section.3.1}% 36
\BOOKMARK [1][-]{section.3.2}{Abusing\040tracing\040programs}{chapter.3}% 37
\BOOKMARK [2][-]{subsection.3.2.1}{Access\040to\040function\040arguments}{section.3.2}% 38
\BOOKMARK [1][-]{section.3.3}{Memory\040corruption}{chapter.3}% 39
\BOOKMARK [2][-]{subsection.3.3.1}{Accessing\040user\040memory}{section.3.3}% 40
\BOOKMARK [0][-]{chapter.4}{Methods??}{}% 41
\BOOKMARK [0][-]{chapter.5}{Results}{}% 42
\BOOKMARK [0][-]{chapter.6}{Conclusion\040and\040future\040work}{}% 43
\BOOKMARK [0][-]{chapter.6}{Bibliography}{}% 44

BIN
docs/document.pdf
View File

Binary file not shown.

BIN
docs/document.synctex.gz
View File

Binary file not shown.

335
docs/document.tex
View File

@@ -164,7 +164,7 @@ hmargin=3cm
\captionsetup[lstlisting]{font=small, labelsep=period}
\lstset{style=estilo}
\renewcommand{\lstlistingname}{\uppercase{Código}}
\renewcommand{\lstlistingname}{\uppercase{Code}}
% IEEE BIBLIOGRAPHY
\usepackage[backend=biber, style=ieee, isbn=false,sortcites, maxbibnames=5, minbibnames=1]{biblatex}
@@ -356,9 +356,9 @@ Subsequent talks on 2021 by Pat Hogan at DEFCON 29\cite{bad_ebpf}, and by Guilla
Taking the previous research into account, and on the basis of common functionality we described to be usually incorporated at rootkits, the objectives of our research on eBPF is set to be on the following topics:
\begin{itemize}
\item Analysing eBPF's possibilities when hooking system calls and kernel functions.
\item Learning eBPF's potential to read/write arbitrary memory.
\item Exploring networking capabilities with eBPF packet filters.
\item Analysing eBPF's possibilities when hooking system calls and kernel functions.
\end{itemize}
The knowledge gathered by the previous three pillars will be then used as a basis for building our rootkit. We will present attack vectors and techniques different than the ones presented in previous research, although inevitably we will also tackle common points, which will be clearly indicated and on which we will try to perform further research. In essence, our eBPF-based rootkit aims at:
@@ -651,10 +651,10 @@ These checks are performed by two main algorithms:
\item Simulate execution flow by starting on the first instruction and following each possible path, observing at each instruction the state of every register and of the stack.
\end{itemize}
\subsection{eBPF maps}
\subsection{eBPF maps} \label{subsection:ebpf_maps}
An eBPF map is a generic storage for eBPF programs used to share data between user and kernel space, to maintain persistent data between eBPF calls and to share information between multiple eBPF programs\cite{ebpf_maps_kernel}.
A map consists of a key + value tuple. Both fields can have an arbitrary data type, the map only needs to know the length of the key and the value field at its creation\cite{bpf_syscall}. Programs can lookup or delete elements in the map by specifying its key, and insert new ones by supplying the element value and they key to store it with.
A map consists of a key + value tuple. Both fields can have an arbitrary data type, the map only needs to know the length of the key and the value field at its creation\cite{bpf_syscall}. Programs can open maps by specifying their ID, and lookup or delete elements in the map by specifying its key, also insert new ones by supplying the element value and they key to store it with.
Therefore, creating a map requires a struct with the following fields:
@@ -681,6 +681,8 @@ TYPE & DESCRIPTION\\
BPF\_MAP\_TYPE\_HASH & A hast table-like storage, elements are stored in tuples.\\
BPF\_MAP\_TYPE\_ARRAY & Elements are stored in an array.\\
BPF\_MAP\_TYPE\_RINGBUF & Map providing alerts from kernel to user space, covered in subsection \ref{subsection:bpf_ring_buf}\\
BPF\_MAP\_TYPE\_PROG\_ARRAY & Stores descriptors of eBPF programs\\
\hline
\hline
\end{tabular}
\caption{Table showing types of eBPF maps. Only those used in our rootkit are displayed, the full list can be consulted in the man page \cite{bpf_syscall}}
@@ -702,16 +704,16 @@ The main operations that can be issued are described in table \ref{table:bpf_sys
\begin{table}[H]
\begin{tabular}{|c|>{\centering\arraybackslash}p{5cm}|>{\centering\arraybackslash}p{5cm}|}
\hline
COMMAND & ATTRIBUTE & DESCRIPTION\\
COMMAND & ATTRIBUTES & DESCRIPTION\\
\hline
\hline
BPF\_MAP\_CREATE & Struct with map info as defined in table \ref{table:ebpf_map_struct} & Create a new map\\
\hline
BPF\_MAP\_LOOKUP\_ELEM & Struct with key to search in the map & Get the element on the map with an specific key\\
BPF\_MAP\_LOOKUP\_ELEM & Map ID, and struct with key to search in the map & Get the element on the map with an specific key\\
\hline
BPF\_MAP\_UPDATE\_ELEM & Struct with key and new value & Update the element of an specific key with a new value\\
BPF\_MAP\_UPDATE\_ELEM & Map ID, and struct with key and new value & Update the element of an specific key with a new value\\
\hline
BPF\_MAP\_DELETE\_ELEM & Struct with key to search in the map & Delete the element on the map with an specific key\\
BPF\_MAP\_DELETE\_ELEM & Map ID and struct with key to search in the map & Delete the element on the map with an specific key\\
\hline
BPF\_PROG\_LOAD & Struct describing the type of eBPF program to load & Load an eBPF program in the kernel\\
\hline
@@ -745,7 +747,7 @@ BPF\_PROG\_TYPE\_SCHED\_CLS & Program to filter, redirect and monitor events usi
In section \ref{section:TODO}, we will proceed to analyse in detail the different program types and what capabilities` they offer.
\subsection{eBPF helpers}
\subsection{eBPF helpers} \label{subsection:ebpf_helpers}
Our last component to cover of the eBPF architecture are the eBPF helpers. Since eBPF programs have limited accessibility to kernel functions (which kernel modules commonly have free access to), the eBPF system offers a set of limited functions called helpers\cite{ebpf_helpers}, which are used by eBPF programs to perform certain actions and interact with the context on which they are run. The list of helpers a program can call varies between eBPF program types, since different programs run in different contexts.
It is important to highlight that, just like commands issued via the bpf() syscall can only be issued from the user space, eBPF helpers correspond to the kernel-side of eBPF program exclusively. Note that we will also find a symmetric correspondence to those functions of the bpf() syscall related to map operations (since these are accessible both from user and kernel space).
@@ -780,6 +782,8 @@ bpf\_override\_return() & Override return value of a probed function\\
\hline
bpf\_ringbuf\_submit() & Submit data to an specific eBPF ring buffer, and notify to subscribers\\
\hline
bpf\_tail\_call() & Jump to another eBPF program preserving the current stack\\
\hline
\end{tabular}
\caption{Table showing common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite{ebpf_helpers}.}
\label{table:ebpf_helpers}
@@ -787,7 +791,7 @@ bpf\_ringbuf\_submit() & Submit data to an specific eBPF ring buffer, and notify
% Is this the best title?
\section{eBPF program types}
\section{eBPF program types} \label{section:ebpf_prog_types}
In the previous subsection \ref{subsection:bpf_syscall} we introduced the new types of eBPF programs that are supported and that we will be developing for our offensive analysis. In this section, we will analyse in greater detail how eBPF is integrated in the Linux kernel in order to support these new functionalities.
\subsection{XDP}
@@ -915,9 +919,9 @@ Also, note that the probe functions that are called when hitting a tracepoint re
In eBPF, a program can issue a bpf() syscall with the command BPF\_PROG\_LOAD and the program type BPF\_PROG\_TYPE\_TRACEPOINT, specifying which is the function with the tracepoint to attach to and an arbitrary function probe to call when it is hit. This function probe is defined by the user in the eBPF program submitted to the kernel.
\subsection{Kprobes}
Kprobes are another tracing technology of the Linux kernel whose functionality has been become available to eBPF programs. Similarly to tracepoints, kprobes enable to hook a probe function, with the only difference that it is attached to an arbitrary instruction in the kernel, rather than to a function\cite{kprobe_manual}. It does not require that kernel developers specifically mark a function to be probed, but rather kprobes can be attached to any instruction, with a short list of blacklisted exceptions.
Kprobes are another tracing technology of the Linux kernel whose functionality has been become available to eBPF programs. Similarly to tracepoints, kprobes enable to hook functions in the kernel, with the only difference that it is dynamically attached to any arbitrary function, rather than to a set of predefined positions\cite{kprobe_manual}. It does not require that kernel developers specifically mark a function to be probed, but rather kprobes can be attached to any instruction, with a short list of blacklisted exceptions.
As it happened with tracepoints, the probed functions have access to the parameters received by the function at which the instructions is attached to. Also, the kernel maintains a list of kernel symbols (addresses) which are relevant for tracing and that offer us insight into which functions we can probe. It can be visited under the file \textit{/proc/kallsyms}, which exports symbols of kernel functions and loaded kernel modules\cite{kallsyms_kernel}.
As it happened with tracepoints, the probe functions have access to the parameters of the original hooked function. Also, the kernel maintains a list of kernel symbols (addresses) which are relevant for tracing and that offer us insight into which functions we can probe. It can be visited under the file \textit{/proc/kallsyms}, which exports symbols of kernel functions and loaded kernel modules\cite{kallsyms_kernel}.
Also similarly, since tracepoints could be found in their \textit{enter} and \textit{exit} variations, kprobes have their counterpart, name kretprobes, which call the hooked probe once a return instruction is reached after the hooked symbol. This means that a kretprobe hooked to a kernel function will call the probe function once it exits.
@@ -926,6 +930,13 @@ In eBPF, a program can issue a bpf() syscall with the command BPF\_PROG\_LOAD an
\subsection{Uprobes}
Uprobes is the last of the main tracing technologies which has been become accessible to eBPF programs. They are the counterparts of Kprobes, allowing for tracing the execution of an specific instruction in the user space, instead of in the kernel. When the exeuction flow reaches a hooked instruction, a probe function is run.
For setting an uprobe on an specific instruction of a program, we need to know three components:
\begin{itemize}
\item The name of the program.
\item The address of the function where the instruction is contained.
\item The offset at which the specific instruction is placed from the start of the function.
\end{itemize}
Similarly to kprobes, uprobes have access to the parameters received by the hooked function. Also, the complementary uretprobes also exist, running the probe function once the hooked function returns.
In eBPF, programs can issue a bpf() syscall with the command BPF\_PROG\_LOAD and the program type BPF\_PROG\_TYPE\_UPROBE, specifying the function with the uprobe to attach to and an arbitrary function probe to call when it is hit. This function probe is also defined by the user in the eBPF program submitted to the kernel.
@@ -1000,11 +1011,259 @@ Note that the BPF skeleton also offers further granularity at the time of dealin
\chapter{Analysis of offensive capabilities}
In the previous chapter, we detailed which functionalities eBPF offers and studied its underlying architecture.
In the previous chapter, we detailed which functionalities eBPF offers and studied its underlying architecture. As with every technology, a prior deep understanding is fundamental for discussing its security implications.
Therefore, given the previous background, this chapter is dedicated to an analysis in detail of the security implications of a malicious use of eBPF. For this, we will firstly explore the security features incorporated in the eBPF system. Then, we will revise previous research to identify the fundamental pillars onto which malware can build their functionality. As we mentioned during the project goals, these main topics of research will be the following:
\begin{itemize}
\item Analysing eBPF's possibilities when hooking system calls and kernel functions.
\item Learning eBPF's potential to read/write arbitrary memory.
\item Exploring networking capabilities with eBPF packet filters.
\end{itemize}
Finally, we will study in detail some of the malicious applications that previous researchers have proposed to take advantage of these capabilities of eBPF. In the next chapter, we will proceed to elaborate on these ideas, find new purposes and design our own rootkit.
\section{Security features in eBPF}
As we shown in section \ref{section:modern_ebpf}, eBPF has been an active part of the Linux kernel from its 3.18 version. However, as with many other components of the kernel, its availability to the user depends on the parameters with which the kernel has been compiled. Specifically, eBPF is only available to kernels compiled with the flags specified in table \ref{table:ebpf_kernel_flags}.
\begin{table}[H]
\begin{tabular}{|c|c|>{\centering\arraybackslash}p{8cm}|}
\hline
Flag & Value & Description\\
\hline
\hline
\multicolumn{1}{|c|}{CONFIG\_BPF} & \multicolumn{1}{|c|}{y} & \multirow{2}{*}{Basic BPF compilation (mandatory)}\\
\cline{1-2}
\multicolumn{1}{|c|}{CONFIG\_BPF\_SYSCALL} & \multicolumn{1}{|c|}{m} & \\
\hline
\multicolumn{1}{|c|}{CONFIG\_NET\_ACT\_BPF} & \multicolumn{1}{|c|}{m} & \multirow{2}{*}{Traffic Control functionality}\\
\cline{1-2}
\multicolumn{1}{|c|}{CONFIG\_NET\_CLS\_BPF} & \multicolumn{1}{|c|}{y} & \\
\hline
\multicolumn{1}{|c|}{CONFIG\_BPF\_JIT} & \multicolumn{1}{|c|}{y} & \multirow{2}{*}{Enable JIT compliation}\\
\cline{1-2}
\multicolumn{1}{|c|}{CONFIG\_HAVE\_BPF\_JIT} & \multicolumn{1}{|c|}{y} & \\
\hline
\multicolumn{1}{|c|}{CONFIG\_BPF\_EVENTS} & \multicolumn{1}{|c|}{y} & \multirow{4}{*}{Enable kprobes, uprobes and tracepoints}\\
\cline{1-2}
\multicolumn{1}{|c|}{CONFIG\_KPROBE\_EVENTS} & \multicolumn{1}{|c|}{y} & \\
\cline{1-2}
\multicolumn{1}{|c|}{CONFIG\_UPROBE\_EVENTS} & \multicolumn{1}{|c|}{y} & \\
\cline{1-2}
\multicolumn{1}{|c|}{CONFIG\_TRACING} & \multicolumn{1}{|c|}{y} & \\
\hline
CONFIG\_XDP\_SOCKETS & y & Enable XDP\\
\hline
\end{tabular}
\caption{Kernel compilation flags for eBPF.}
\label{table:ebpf_kernel_flags}
\end{table}
The above table is based on BCC's documentation\ref{table:ebpf_kernel_flags}, but the full list of eBPF-related flags can be extracted in a live system via bpftool, as detailed in Annex \ref{annex:bpftool_flags_kernel}. Nowadays, all mainstream Linux distributions include kernels with full support for eBPF.
\subsection{Access control}
It must be noted that, similarly to kernel modules, loading an eBPF program requires privileged access in the system. In old kernel versions, this means either an user having full root permissions, or having the Linux capability\cite{ubuntu_caps} CAP\_SYS\_ADMIN. Therefore, there existed two main options:
%Should we explain what is a capability?
\begin{itemize}
\item \textbf{Privileged users} can load any kind of eBPF program and use any functionality.
\item \textbf{Unprivileged users} can only load and attach eBPF programs of type BPF\_PROG\_TYPE\_SOCKET\_FILTER\cite{evil_ebpf_p9}, offering the very limited functionality of filtering packets received on a socket.
\end{itemize}
More recently, in an effort to further granulate the permissions needed for loading, attaching and running eBPF programs, CAP\_SYS\_ADMIN has been substituted by more specific capabilities\cite{ebpf_caps_intro}\cite{ebpf_caps_lwn}. The current system is therefore described in table \ref{table:ebpf_caps_current}.
\begin{table}[H]
\begin{tabular}{|>{\centering\arraybackslash}p{4cm}|>{\centering\arraybackslash}p{10cm}|}
\hline
Capabilities & eBPF functionality\\
\hline
\hline
No capabilities & Load and attach BPF\_PROG\_TYPE\_SOCKET\_FILTER, load BPF\_PROG\_TYPE\_CGROUP\_SKB programs.\\
\hline
CAP\_BPF & Load (but not attach) any type of program, create most types of eBPF map and access them if their id is known\\
\hline
CAP\_NET\_ADMIN & Attach networking programs (Traffic Control, XDP, ...)\\
\hline
CAP\_PERFMON & Attaching kprobes, uprobes and tracepoints. Read access to kernel memory.\\
\hline
CAP\_SYS\_ADMIN & Privileged eBPF. Includes iterating over eBPF maps, and CAP\_BPF, CAP\_NET\_ADMIN, CAP\_PERFMON functionalities.\\
\hline
\end{tabular}
\caption{Capabilities needed for eBPF.}
\label{table:ebpf_caps_current}
\end{table}
Therefore, eBPF network programs usually require both CAP\_BPF and CAP\_NET\_ADMIN, whilst tracing programs require CAP\_BPF and CAP\_PERFMON. CAP\_SYS\_ADMIN still remains as the (non-preferred) capability to assign to eBPF programs with complete access in the system.
Although for a long time there have existed efforts towards enhancing unprivileged eBPF, it remains a worrying feature\cite{unprivileged_ebpf}. The main issue is that the verifier must be prepared to detect any attempt to extract kernel memory access or user memory modification by unprivileged eBPF programs, which is a complex task. In fact, there have existed numerous security vulnerabilities which allow for privilege escalation using eBPF, that is, execution of privileged eBPF programs by exploiting vulnerabilities in unprivileged eBPF\cite{cve_unpriv_ebpf}.
This influx of security vulnerabilities leads to the recent inclusion of an attribute into the kernel which allows for setting whether unprivileged eBPF is allowed in the system or not. This parameter is named \textit{kernel.unprivileged\_bpf\_disabled}, its values can be seen in table \ref{table:unpriv_ebpf_values}.
\begin{table}[H]
\begin{tabular}{|>{\centering\arraybackslash}p{4cm}|>{\centering\arraybackslash}p{10cm}|}
\hline
Value & Meaning\\
\hline
\hline
0 & Unprivileged eBPF is enabled.\\
\hline
1 & Unprivileged eBPF is disabled. A system reboot is needed to enable it after changing this value.\\
\hline
2 & Unprivileged eBPF is disabled. A system reboot is not needed to enable it after changing this value.\\
\hline
\end{tabular}
\caption{Values for unprivileged eBPF kernel parameter.}
\label{table:unpriv_ebpf_values}
\end{table}
Nowadays, most Linux distributions have set value 1 to this parameter, therefore disallowing unprivileged eBPF completely. These include Ubuntu\cite{unpriv_ebpf_ubuntu}, Suse Linux\cite{unpriv_ebpf_suse} or Red Hat Linux\cite{unpriv_ebpf_redhat}, between others.
\subsection{eBPF maps security}
In table \ref{table:ebpf_caps_current}, we observed that only programs with CAP\_SYS\_ADMIN are allowed to iterate over eBPF maps. The reason why this is restricted to privileged programs is because it is functionality that is a potential security vulnerability, which we will now proceed to analyse.
In subsection \ref{subsection:ebpf_maps} we mentioned that eBPF maps are opened by specifying an ID (which works similarly to the typical file descriptors), while in table \ref{table:ebpf_map_types} we showed that, for performing operations over eBPF maps using the bpf() syscall, the map ID must be specified too.
Map IDs are known by a program after creating the eBPF map, however, a program can also explore all the available maps in the system by using the BPF\_MAP\_GET\_NEXT\_ID operation in the bpf() syscall, which allows for iterating through a complete hidden list of all the maps created. This means that privileged programs can find and have read and write access to any eBPF map used by any program in the system.
Therefore, a malicious privileged eBPF program can access and modify other programs' maps, which can lead to:
\begin{itemize}
\item Modify data used for the program operation. This is the case for maps which mainly store data structures, such as BPF\_MAP\_TYPE\_HASH.
\item Modify the program control flow, altering the instructions executed by an eBPF program. This can be achieved if a program is using the bpf\_tail\_call() helper (introduced in table \ref{table:ebpf_helpers}) which is taking data from a map storing eBPF programs (BPF\_MAP\_TYPE\_PROG\_ARRAY, introduced in table \ref{table:ebpf_map_types}).
\end{itemize}
\section{Abusing tracing programs}
eBPF tracing programs (kprobes, uprobes and tracepoints) are hooked to specific points in the kernel or in the user space, and call probe functions once the flow of execution reaches the instruction to which they are attached. This section details the main security concerns regarding this type of programs.
\subsection{Access to function arguments}
As we saw in section \ref{section:ebpf_prog_types}, tracing programs receive as a parameter those arguments with which the hooked function originally was called. The next code snippets show the format in which they are received when using libbpf (Note that libbpf also included macros that offer an alternative format, but the parameters are the same).
\begin{lstlisting}[language=C, caption={Probe function for a kprobe on the kernel function vfs\_write.}, label={code:format_kprobe}]
SEC("kprobe/vfs_write")
int kprobe_vfs_write(struct pt_regs* ctx){
\end{lstlisting}
\begin{lstlisting}[language=C, caption={Probe function for an uprobe, execute\_command is defined from user space.}, label={code:format_uprobe}]
SEC("uprobe/execute_command")
int uprobe_execute_command(struct pt_regs *ctx){
\end{lstlisting}
\begin{lstlisting}[language=C, caption={Probe function for a tracepoint on the start of the syscall sys\_read.}, label={code:format_tracepoint}]
SEC("tp/syscalls/sys_enter_read")
int tp_sys_enter_read(struct sys_read_enter_ctx *ctx) {
\end{lstlisting}
In code snippets \ref{code:format_kprobe} and \ref{code:format_uprobe} we can identify that the parameters are passed to kprobe and uprobe programs as a pointer to a \textit{struct pt\_regs*}. This struct contains as many attributes as registers exist in the system architecture, in our case x86\_64. Therefore, on each probe function, we will receive the state of the registers at the original hooked function. This explains the format of the \textit{struct pt\_regs}, shown in code snippet \ref{code:format_ptregs}:
\begin{lstlisting}[language=C, caption={Format of struct pt\_regs.}, label={code:format_ptregs}]
struct pt_regs {
long unsigned int r15;
long unsigned int r14;
long unsigned int r13;
long unsigned int r12;
long unsigned int bp;
long unsigned int bx;
long unsigned int r11;
long unsigned int r10;
long unsigned int r9;
long unsigned int r8;
long unsigned int ax;
long unsigned int cx;
long unsigned int dx;
long unsigned int si;
long unsigned int di;
long unsigned int orig_ax;
long unsigned int ip;
long unsigned int cs;
long unsigned int flags;
long unsigned int sp;
long unsigned int ss;
};
\end{lstlisting}
By observing the value of the registers, we are able to extract the parameters of the original hooked function. This can be done by using the System V AMD64 ABI\cite{8664_params_abi}, the calling convention used in Linux. Depending on whether we are in the kernel or in user space, the registers used are different to store the values of the function arguments. Table \ref{table:systemv_abi} summarizes these two interfaces. Some other relevant registers are also displayed as a reference in table \ref{table:systemv_abi_other}.
\begin{table}[H]
\begin{tabular}{|>{\centering\arraybackslash}p{2cm}|>{\centering\arraybackslash}p{3cm}|}
\hline
Register & Purpose\\
\hline
\hline
rdi & 1st argument\\
\hline
rsi & 2nd argument\\
\hline
rdx & 3rd argument\\
\hline
rcx & 4th argument\\
\hline
r8 & 5th argument\\
\hline
r9 & 6th argument\\
\hline
rax & Return value\\
\hline
\end{tabular}
\quad
\begin{tabular}{|>{\centering\arraybackslash}p{2cm}|>{\centering\arraybackslash}p{3cm}|}
\hline
Register & Purpose\\
\hline
\hline
rdi & 1st argument\\
\hline
rsi & 2nd argument\\
\hline
rdx & 3rd argument\\
\hline
r10 & 4th argument\\
\hline
r8 & 5th argument\\
\hline
r9 & 6th argument\\
\hline
rax & Return value\\
\hline
\end{tabular}
\caption{Argument passing convention of registers for function calls in user and kernel space respectively.}
\label{table:systemv_abi}
\end{table}
\begin{table}[H]
\begin{tabular}{|>{\centering\arraybackslash}p{2cm}|>{\centering\arraybackslash}p{10cm}|}
\hline
Register & Purpose\\
\hline
\hline
rip & Instruction Pointer - Memory address of the next instruction to execute\\
\hline
rsp & Stack Pointer - Memory address where next stack operation takes place\\
\hline
rbp & Base/Frame Pointer - Memory address of the start of the stack frame\\
\hline
\end{tabular}
\caption{Other relevant registers in x86\_64 and their purpose.}
\label{table:systemv_abi_other}
\end{table}
%TODO Talk about the difference between having always on BPF and always on kernel modules
\section{Memory corruption}
Privileged malicious eBPF programs (or those with the CAP\_BPF + CAP\_PERFMON capabilities) have the potential to get:
\begin{itemize}
\item Read and write access in user memory.
\item Read-only access in kernel memory.
\end{itemize}
\subsection{Accessing user memory}
%TODO Talk about the difference between having always on BPF and always on kernel modules (maybe this is better in the introduction)
\chapter{Methods??}
@@ -1039,10 +1298,54 @@ In the previous chapter, we detailed which functionalities eBPF offers and studi
%M-> Mentioned putting some demos and PoCs here...
%
\chapter* {Appendix A}
%Including bpftool commands here to be referenced. Is it a good idea?
\chapter* {Appendix A - Bpftool commands} \label{annex:bpftool_flags_kernel}
\pagenumbering{gobble} % Las páginas de los anexos no se numeran
\section*{eBPF-related kernel compilation flags}
\begin{lstlisting}[language=bash]
$ bpftool feature
\end{lstlisting}
\begin{verbatim}
CONFIG_BPF is set to y
CONFIG_BPF_SYSCALL is set to y
CONFIG_HAVE_EBPF_JIT is set to y
CONFIG_BPF_JIT is set to y
CONFIG_BPF_JIT_ALWAYS_ON is set to y
CONFIG_CGROUPS is set to y
CONFIG_CGROUP_BPF is set to y
CONFIG_CGROUP_NET_CLASSID is set to y
CONFIG_SOCK_CGROUP_DATA is set to y
CONFIG_BPF_EVENTS is set to y
CONFIG_KPROBE_EVENTS is set to y
CONFIG_UPROBE_EVENTS is set to y
CONFIG_TRACING is set to y
CONFIG_FTRACE_SYSCALLS is set to y
CONFIG_FUNCTION_ERROR_INJECTION is set to y
CONFIG_BPF_KPROBE_OVERRIDE is set to y
CONFIG_NET is set to y
CONFIG_XDP_SOCKETS is set to y
CONFIG_LWTUNNEL_BPF is set to y
CONFIG_NET_ACT_BPF is set to m
CONFIG_NET_CLS_BPF is set to m
CONFIG_NET_CLS_ACT is set to y
CONFIG_NET_SCH_INGRESS is set to m
CONFIG_XFRM is set to y
CONFIG_IP_ROUTE_CLASSID is set to y
CONFIG_IPV6_SEG6_BPF is set to y
CONFIG_BPF_LIRC_MODE2 is not set
CONFIG_BPF_STREAM_PARSER is set to y
CONFIG_NETFILTER_XT_MATCH_BPF is set to m
CONFIG_BPFILTER is set to y
CONFIG_BPFILTER_UMH is set to m
CONFIG_TEST_BPF is set to m
CONFIG_HZ is set to 250
\end{verbatim}
\chapter* {Appendix B}
\end{document}
\end{document}

24
docs/document.toc
View File

@@ -61,17 +61,31 @@
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.4.1}BCC}{23}{subsection.2.4.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.4.2}Bpftool}{23}{subsection.2.4.2}%
\contentsline {subsection}{\numberline {2.4.2}Bpftool}{24}{subsection.2.4.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.4.3}Libbpf}{24}{subsection.2.4.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {3}Analysis of offensive capabilities}{27}{chapter.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {4}Methods??}{28}{chapter.4}%
\contentsline {section}{\numberline {3.1}Security features in eBPF}{27}{section.3.1}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Results}{29}{chapter.5}%
\contentsline {subsection}{\numberline {3.1.1}Access control}{28}{subsection.3.1.1}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {6}Conclusion and future work}{30}{chapter.6}%
\contentsline {subsection}{\numberline {3.1.2}eBPF maps security}{30}{subsection.3.1.2}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{31}{chapter.6}%
\contentsline {section}{\numberline {3.2}Abusing tracing programs}{30}{section.3.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.2.1}Access to function arguments}{30}{subsection.3.2.1}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {3.3}Memory corruption}{32}{section.3.3}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.3.1}Accessing user memory}{32}{subsection.3.3.1}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {4}Methods??}{33}{chapter.4}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Results}{34}{chapter.5}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {6}Conclusion and future work}{35}{chapter.6}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{36}{chapter.6}%
\contentsfinish

BIN
docs/images/kprobe_format.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.2 KiB

8
docs/pdfa.xmpi
View File

@@ -73,15 +73,15 @@
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/">
<xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool>
<xmp:ModifyDate>2022-05-28T09:22:42-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-05-28T09:22:42-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-05-28T09:22:42-04:00</xmp:MetadataDate>
<xmp:ModifyDate>2022-06-02T18:58:59-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-06-02T18:58:59-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-06-02T18:58:59-04:00</xmp:MetadataDate>
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/">
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/">
<xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID>
<xmpMM:InstanceID>uuid:92026A8C-AD85-D789-AE50-AA095A27EE48</xmpMM:InstanceID>
<xmpMM:InstanceID>uuid:3F9C98B7-9F3F-22FB-04E4-95C2B6B88512</xmpMM:InstanceID>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>

24
src/user/include/modules/module_manager.c
View File

@@ -53,6 +53,18 @@ int setup_all_modules(){
module_config_attr_t attr = module_config_attr;
int ret;
//FS (File system)
if(config.fs_module.all == ON){
ret = attach_fs_all(attr.skel);
}else{
if(config.fs_module.tp_sys_enter_read == ON) ret = attach_tp_sys_enter_read(attr.skel);
if(config.fs_module.tp_sys_exit_read == ON) ret = attach_tp_sys_exit_read(attr.skel);
if(config.fs_module.tp_sys_enter_openat == ON) ret = attach_tp_sys_enter_openat(attr.skel);
if(config.fs_module.tp_sys_enter_getdents64 == ON) ret = attach_tp_sys_enter_getdents64(attr.skel);
if(config.fs_module.tp_sys_exit_getdents64 == ON) ret = attach_tp_sys_exit_getdents64(attr.skel);
}
if(ret!=0) return -1;
//XDP
if(config.xdp_module.all == ON){
ret = attach_xdp_all(attr.skel, attr.xdp_module.ifindex, attr.xdp_module.flags);
@@ -69,18 +81,6 @@ int setup_all_modules(){
}
if(ret!=0) return -1;
//FS (File system)
if(config.fs_module.all == ON){
ret = attach_fs_all(attr.skel);
}else{
if(config.fs_module.tp_sys_enter_read == ON) ret = attach_tp_sys_enter_read(attr.skel);
if(config.fs_module.tp_sys_exit_read == ON) ret = attach_tp_sys_exit_read(attr.skel);
if(config.fs_module.tp_sys_enter_openat == ON) ret = attach_tp_sys_enter_openat(attr.skel);
if(config.fs_module.tp_sys_enter_getdents64 == ON) ret = attach_tp_sys_enter_getdents64(attr.skel);
if(config.fs_module.tp_sys_exit_getdents64 == ON) ret = attach_tp_sys_exit_getdents64(attr.skel);
}
if(ret!=0) return -1;
//EXEC
if(config.exec_module.all == ON){
ret = attach_exec_all(attr.skel);