Continued with memory corruption. Only attacks remaining

h3xduck
2022-06-05 09:01:09 -04:00
parent d4a881540f
commit 3f02cd4996
21 changed files with 548 additions and 323 deletions


@@ -461,6 +461,27 @@ to Memory Management in Linux},
url={https://scoutapm.com/blog/understanding-page-faults-and-memory-swap-in-outs-when-should-you-worry},
date={2019-08-19},
author={Doug Breaker}
},
@online{mem_arch_proc,
title={Stack-based Buffer Overflow - Part 1},
url={https://h3xduck.github.io/exploit/2021/05/23/stackbufferoverflow-part1.html},
date={2021-05-23},
author={Marcos Sánchez Bajo}
},
@manual{8664_params_abi_p18,
title={System V Application Binary Interface
AMD64 Architecture Processor Supplement},
author={H.J. Lu et al.},
pages={18},
date={2018-01-28},
url={https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf}
},
@online{write_helper_non_fault,
title={probe_write_common_error},
url={https://www.spinics.net/lists/bpf/msg16795.html}
}
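Review bot: The new `mem_arch_proc` and `8664_params_abi_p18` entries are closed with `},`, like the existing entry above them, but BibTeX entries are not comma-separated, so that comma is stray text at top level. The biber log committed alongside this change shows repeated `1 characters of junk seen at toplevel` warnings, which is most likely this pattern; close each entry with a bare `}`. Separately, `write_helper_non_fault` carries only `title` and `url`. Since it backs a claim about `bpf_probe_write_user()` behaviour, add the post's author and date plus `urldate={<access date>}`, so the source stays verifiable if the list archive moves.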


@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 2 JUN 2022 18:01
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 4 JUN 2022 11:00
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.


@@ -158,6 +158,7 @@
\abx@aux@cite{ebpf_bounded_loops}
\abx@aux@segm{0}{0}{ebpf_bounded_loops}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.3}The eBPF verifier}{14}{subsection.2.2.3}\protected@file@percent }
\newlabel{subsection:ebpf_verifier}{{2.2.3}{14}{The eBPF verifier}{subsection.2.2.3}{}}
\abx@aux@cite{ebpf_maps_kernel}
\abx@aux@segm{0}{0}{ebpf_maps_kernel}
\abx@aux@cite{bpf_syscall}
@@ -296,12 +297,11 @@
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.4}Format of struct pt\_regs.}{31}{lstlisting.3.4}\protected@file@percent }
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.4}{\ignorespaces Argument passing convention of registers for function calls in user and kernel space respectively.\relax }}{32}{table.caption.33}\protected@file@percent }
\newlabel{table:systemv_abi}{{3.4}{32}{Argument passing convention of registers for function calls in user and kernel space respectively.\relax }{table.caption.33}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.5}{\ignorespaces Other relevant registers in x86\_64 and their purpose.\relax }}{32}{table.caption.34}\protected@file@percent }
\newlabel{table:systemv_abi_other}{{3.5}{32}{Other relevant registers in x86\_64 and their purpose.\relax }{table.caption.34}{}}
\newlabel{code:sys_enter_read_tp_format}{{3.5}{32}{Format for parameters in sys\_enter\_read specified at the format file}{lstlisting.3.5}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.5}Format for parameters in sys\_enter\_read specified at the format file.}{32}{lstlisting.3.5}\protected@file@percent }
\newlabel{code:sys_enter_read_tp}{{3.6}{33}{Format of custom struct sys\_read\_enter\_ctx}{lstlisting.3.6}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.6}Format of custom struct sys\_read\_enter\_ctx.}{33}{lstlisting.3.6}\protected@file@percent }
\newlabel{code:sys_enter_read_tp}{{3.6}{32}{Format of custom struct sys\_read\_enter\_ctx}{lstlisting.3.6}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.6}Format of custom struct sys\_read\_enter\_ctx.}{32}{lstlisting.3.6}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{33}{subsection.3.2.2}\protected@file@percent }
\abx@aux@cite{ebpf_friends_p15}
\abx@aux@segm{0}{0}{ebpf_friends_p15}
\abx@aux@cite{ebpf_override_return}
@@ -310,49 +310,68 @@
\abx@aux@segm{0}{0}{code_kernel_open}
\abx@aux@cite{code_kernel_open}
\abx@aux@segm{0}{0}{code_kernel_open}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{34}{subsection.3.2.2}\protected@file@percent }
\abx@aux@cite{code_kernel_open}
\abx@aux@segm{0}{0}{code_kernel_open}
\abx@aux@cite{code_kernel_open}
\abx@aux@segm{0}{0}{code_kernel_open}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.3}Overriding function return values}{34}{subsection.3.2.3}\protected@file@percent }
\newlabel{code:override_return_1}{{3.7}{34}{Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{lstlisting.3.7}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.7}Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{34}{lstlisting.3.7}\protected@file@percent }
\abx@aux@cite{code_kernel_open}
\abx@aux@segm{0}{0}{code_kernel_open}
\abx@aux@cite{code_kernel_open}
\abx@aux@segm{0}{0}{code_kernel_open}
\newlabel{code:override_return_2}{{3.8}{34}{Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_open}}{lstlisting.3.8}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.8}Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_open}}{34}{lstlisting.3.8}\protected@file@percent }
\abx@aux@cite{fault_injection}
\abx@aux@segm{0}{0}{fault_injection}
\newlabel{code:override_return_2}{{3.8}{35}{Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_open}}{lstlisting.3.8}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.8}Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_open}}{35}{lstlisting.3.8}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.4}Sending signals to user programs}{35}{subsection.3.2.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.5}Conclusion}{35}{subsection.3.2.5}\protected@file@percent }
\abx@aux@cite{ebpf_helpers}
\abx@aux@segm{0}{0}{ebpf_helpers}
\abx@aux@cite{mem_page_arch}
\abx@aux@segm{0}{0}{mem_page_arch}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.5}Conclusion}{36}{subsection.3.2.5}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.3}Memory corruption}{36}{section.3.3}\protected@file@percent }
\newlabel{section:mem_corruption}{{3.3}{36}{Memory corruption}{section.3.3}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.1}Memory management in Linux}{36}{subsection.3.3.1}\protected@file@percent }
\abx@aux@cite{page_faults}
\abx@aux@segm{0}{0}{page_faults}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.1}{\ignorespaces Memory translation of virtual pages to physical pages.\relax }}{37}{figure.caption.35}\protected@file@percent }
\newlabel{fig:mem_arch_pages}{{3.1}{37}{Memory translation of virtual pages to physical pages.\relax }{figure.caption.35}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.2}{\ignorespaces Major page fault after a page was removed from RAM.\relax }}{38}{figure.caption.36}\protected@file@percent }
\newlabel{fig:mem_major_page_fault}{{3.2}{38}{Major page fault after a page was removed from RAM.\relax }{figure.caption.36}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.3}{\ignorespaces Minor page fault after a fork() in which the page table was not copied completely.\relax }}{38}{figure.caption.37}\protected@file@percent }
\newlabel{fig:mem_minor_page_fault}{{3.3}{38}{Minor page fault after a fork() in which the page table was not copied completely.\relax }{figure.caption.37}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.1}{\ignorespaces Memory translation of virtual pages to physical pages.\relax }}{37}{figure.caption.34}\protected@file@percent }
\newlabel{fig:mem_arch_pages}{{3.1}{37}{Memory translation of virtual pages to physical pages.\relax }{figure.caption.34}{}}
\abx@aux@cite{mem_arch_proc}
\abx@aux@segm{0}{0}{mem_arch_proc}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.2}{\ignorespaces Major page fault after a page was removed from RAM.\relax }}{38}{figure.caption.35}\protected@file@percent }
\newlabel{fig:mem_major_page_fault}{{3.2}{38}{Major page fault after a page was removed from RAM.\relax }{figure.caption.35}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.3}{\ignorespaces Minor page fault after a fork() in which the page table was not copied completely.\relax }}{38}{figure.caption.36}\protected@file@percent }
\newlabel{fig:mem_minor_page_fault}{{3.3}{38}{Minor page fault after a fork() in which the page table was not copied completely.\relax }{figure.caption.36}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.2}Process virtual memory}{39}{subsection.3.3.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.3}Accessing user memory}{39}{subsection.3.3.3}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Methods??}{40}{chapter.4}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.4}{\ignorespaces Virtual memory architecture of a process\cite {mem_arch_proc}.\relax }}{39}{figure.caption.37}\protected@file@percent }
\newlabel{fig:mem_proc_arch}{{3.4}{39}{Virtual memory architecture of a process\cite {mem_arch_proc}.\relax }{figure.caption.37}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.3}The process stack}{40}{subsection.3.3.3}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.5}{\ignorespaces Simplified stack representation showing only stack frames.\relax }}{40}{figure.caption.38}\protected@file@percent }
\newlabel{fig:stack_pres}{{3.5}{40}{Simplified stack representation showing only stack frames.\relax }{figure.caption.38}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.5}{\ignorespaces Relevant registers in x86\_64 for the stack and control flow and their purpose.\relax }}{40}{table.caption.39}\protected@file@percent }
\newlabel{table:systemv_abi_other}{{3.5}{40}{Relevant registers in x86\_64 for the stack and control flow and their purpose.\relax }{table.caption.39}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.6}{\ignorespaces Representation of push and pop operations in the stack.\relax }}{41}{figure.caption.40}\protected@file@percent }
\newlabel{fig:stack_ops}{{3.6}{41}{Representation of push and pop operations in the stack.\relax }{figure.caption.40}{}}
\abx@aux@cite{8664_params_abi_p18}
\abx@aux@segm{0}{0}{8664_params_abi_p18}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.7}{\ignorespaces Stack representation right before starting the function call process.\relax }}{42}{figure.caption.41}\protected@file@percent }
\newlabel{fig:stack_before}{{3.7}{42}{Stack representation right before starting the function call process.\relax }{figure.caption.41}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.8}{\ignorespaces Stack representation right after the function preamble.\relax }}{42}{figure.caption.42}\protected@file@percent }
\newlabel{fig:stack}{{3.8}{42}{Stack representation right after the function preamble.\relax }{figure.caption.42}{}}
\abx@aux@cite{write_helper_non_fault}
\abx@aux@segm{0}{0}{write_helper_non_fault}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.4}Attacks and limitations of bpf\_probe\_write\_user()}{43}{subsection.3.3.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Methods??}{45}{chapter.4}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Results}{41}{chapter.5}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Results}{46}{chapter.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Conclusion and future work}{42}{chapter.6}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Conclusion and future work}{47}{chapter.6}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{43}{chapter.6}\protected@file@percent }
\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.39}{}}
\abx@aux@read@bbl@mdfivesum{B5521B82B204530DC3CD5A9274665FC8}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{48}{chapter.6}\protected@file@percent }
\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.44}{}}
\abx@aux@read@bbl@mdfivesum{5BC491FF2560E8B85979411211F855E2}
\abx@aux@read@bblrerun
\abx@aux@refcontextdefaultsdone
\abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global}
@@ -421,5 +440,6 @@
\abx@aux@defaultrefcontext{0}{fault_injection}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{mem_page_arch}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{page_faults}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{mem_arch_proc}{none/global//global/global}
\ttl@finishall
\gdef \@abspage@last{65}
\gdef \@abspage@last{70}


@@ -121,8 +121,8 @@
\endverb
\endentry
\entry{ebpf_android}{online}{}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{sortinit}{2}
\field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
\field{labeltitlesource}{title}
\field{title}{eBPF for Windows}
\verb{urlraw}
@@ -371,8 +371,8 @@
\endverb
\endentry
\entry{bpf_organicprogrammer_analysis}{online}{}
\field{sortinit}{2}
\field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
\field{sortinit}{3}
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
\field{labeltitlesource}{title}
\field{day}{28}
\field{month}{3}
@@ -513,8 +513,8 @@
\endverb
\endentry
\entry{ebpf_io_arch}{manual}{}
\field{sortinit}{3}
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
\field{sortinit}{4}
\field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4}
\field{labeltitlesource}{title}
\field{title}{eBPF Documentation: Loader and verification architecture}
\verb{urlraw}
@@ -670,8 +670,8 @@
\strng{authornamehash}{0fcaa32b080db12cbc8b11b27d05ad61}
\strng{authorfullhash}{0fcaa32b080db12cbc8b11b27d05ad61}
\field{extraname}{2}
\field{sortinit}{4}
\field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4}
\field{sortinit}{5}
\field{sortinithash}{5dd416adbafacc8226114bc0202d5fdd}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{11}
@@ -916,8 +916,8 @@
\strng{authorbibnamehash}{5442e761747b6fce78f695385639556e}
\strng{authornamehash}{5442e761747b6fce78f695385639556e}
\strng{authorfullhash}{5442e761747b6fce78f695385639556e}
\field{sortinit}{6}
\field{sortinithash}{7851c86048328b027313775d8fbd2131}
\field{sortinit}{7}
\field{sortinithash}{f615fb9c6fba11c6f962fb3fd599810e}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{13}
@@ -1113,8 +1113,8 @@
\endverb
\endentry
\entry{libbpf_upstream}{online}{}
\field{sortinit}{7}
\field{sortinithash}{f615fb9c6fba11c6f962fb3fd599810e}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{labeltitlesource}{title}
\field{title}{BPF next kernel tree}
\verb{urlraw}
@@ -1273,8 +1273,8 @@
\endverb
\endentry
\entry{unpriv_ebpf_redhat}{online}{}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{labeltitlesource}{title}
\field{title}{CVE-2022-0002}
\verb{urlraw}
@@ -1411,8 +1411,8 @@
\strng{authorbibnamehash}{47635127541392c1419dbc4a4d3153c6}
\strng{authornamehash}{47635127541392c1419dbc4a4d3153c6}
\strng{authorfullhash}{47635127541392c1419dbc4a4d3153c6}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{1}
@@ -1457,6 +1457,36 @@
\verb https://scoutapm.com/blog/understanding-page-faults-and-memory-swap-in-outs-when-should-you-worry
\endverb
\endentry
\entry{mem_arch_proc}{online}{}
\name{author}{1}{}{%
{{hash=c6b49e9e6fbe96fdd89720e842dc0b03}{%
family={Bajo},
familyi={B\bibinitperiod},
given={Marcos\bibnamedelima Sánchez},
giveni={M\bibinitperiod\bibinitdelim S\bibinitperiod}}}%
}
\strng{namehash}{c6b49e9e6fbe96fdd89720e842dc0b03}
\strng{fullhash}{c6b49e9e6fbe96fdd89720e842dc0b03}
\strng{bibnamehash}{c6b49e9e6fbe96fdd89720e842dc0b03}
\strng{authorbibnamehash}{c6b49e9e6fbe96fdd89720e842dc0b03}
\strng{authornamehash}{c6b49e9e6fbe96fdd89720e842dc0b03}
\strng{authorfullhash}{c6b49e9e6fbe96fdd89720e842dc0b03}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{23}
\field{month}{5}
\field{title}{Stack-based Buffer Overflow - Part 1}
\field{year}{2021}
\field{dateera}{ce}
\verb{urlraw}
\verb https://h3xduck.github.io/exploit/2021/05/23/stackbufferoverflow-part1.html
\endverb
\verb{url}
\verb https://h3xduck.github.io/exploit/2021/05/23/stackbufferoverflow-part1.html
\endverb
\endentry
\enddatalist
\endrefsection
\endinput


@@ -2348,94 +2348,97 @@
<bcf:datasource type="file" datatype="bibtex" glob="false">bibliography/bibliography.bib</bcf:datasource>
</bcf:bibdata>
<bcf:section number="0">
<bcf:citekey order="13">ransomware_pwc</bcf:citekey>
<bcf:citekey order="14">rootkit_ptsecurity</bcf:citekey>
<bcf:citekey order="15">ebpf_linux318</bcf:citekey>
<bcf:citekey order="16">bvp47_report</bcf:citekey>
<bcf:citekey order="17">bpfdoor_pwc</bcf:citekey>
<bcf:citekey order="18">ebpf_windows</bcf:citekey>
<bcf:citekey order="19">ebpf_android</bcf:citekey>
<bcf:citekey order="20">evil_ebpf</bcf:citekey>
<bcf:citekey order="21">bad_ebpf</bcf:citekey>
<bcf:citekey order="22">ebpf_friends</bcf:citekey>
<bcf:citekey order="23">ebpf_io</bcf:citekey>
<bcf:citekey order="24">bpf_bsd_origin</bcf:citekey>
<bcf:citekey order="25">ebpf_history_opensource</bcf:citekey>
<bcf:citekey order="26">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="27">index_register</bcf:citekey>
<bcf:citekey order="28">bpf_bsd_origin_bpf_page5</bcf:citekey>
<bcf:citekey order="29">bpf_organicprogrammer_analysis</bcf:citekey>
<bcf:citekey order="30">bpf_bsd_origin_bpf_page7</bcf:citekey>
<bcf:citekey order="31">bpf_bsd_origin_bpf_page8</bcf:citekey>
<bcf:citekey order="14">ransomware_pwc</bcf:citekey>
<bcf:citekey order="15">rootkit_ptsecurity</bcf:citekey>
<bcf:citekey order="16">ebpf_linux318</bcf:citekey>
<bcf:citekey order="17">bvp47_report</bcf:citekey>
<bcf:citekey order="18">bpfdoor_pwc</bcf:citekey>
<bcf:citekey order="19">ebpf_windows</bcf:citekey>
<bcf:citekey order="20">ebpf_android</bcf:citekey>
<bcf:citekey order="21">evil_ebpf</bcf:citekey>
<bcf:citekey order="22">bad_ebpf</bcf:citekey>
<bcf:citekey order="23">ebpf_friends</bcf:citekey>
<bcf:citekey order="24">ebpf_io</bcf:citekey>
<bcf:citekey order="25">bpf_bsd_origin</bcf:citekey>
<bcf:citekey order="26">ebpf_history_opensource</bcf:citekey>
<bcf:citekey order="27">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="28">index_register</bcf:citekey>
<bcf:citekey order="29">bpf_bsd_origin_bpf_page5</bcf:citekey>
<bcf:citekey order="30">bpf_organicprogrammer_analysis</bcf:citekey>
<bcf:citekey order="31">bpf_bsd_origin_bpf_page7</bcf:citekey>
<bcf:citekey order="32">bpf_bsd_origin_bpf_page8</bcf:citekey>
<bcf:citekey order="33">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="34">tcpdump_page</bcf:citekey>
<bcf:citekey order="35">ebpf_funcs_by_ver</bcf:citekey>
<bcf:citekey order="33">bpf_bsd_origin_bpf_page8</bcf:citekey>
<bcf:citekey order="34">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="35">tcpdump_page</bcf:citekey>
<bcf:citekey order="36">ebpf_funcs_by_ver</bcf:citekey>
<bcf:citekey order="37">brendan_gregg_bpf_book</bcf:citekey>
<bcf:citekey order="37">ebpf_funcs_by_ver</bcf:citekey>
<bcf:citekey order="38">brendan_gregg_bpf_book</bcf:citekey>
<bcf:citekey order="39">ebpf_io_arch</bcf:citekey>
<bcf:citekey order="40">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="41">8664_inst_set_specs</bcf:citekey>
<bcf:citekey order="42">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="39">brendan_gregg_bpf_book</bcf:citekey>
<bcf:citekey order="40">ebpf_io_arch</bcf:citekey>
<bcf:citekey order="41">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="42">8664_inst_set_specs</bcf:citekey>
<bcf:citekey order="43">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="44">ebpf_starovo_slides</bcf:citekey>
<bcf:citekey order="45">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="46">ebpf_starovo_slides</bcf:citekey>
<bcf:citekey order="47">ebpf_JIT</bcf:citekey>
<bcf:citekey order="48">ebpf_JIT_demystify_page13</bcf:citekey>
<bcf:citekey order="49">ebpf_JIT_demystify_page14</bcf:citekey>
<bcf:citekey order="50">jit_enable_setting</bcf:citekey>
<bcf:citekey order="51">ebpf_starovo_slides_page23</bcf:citekey>
<bcf:citekey order="52">brendan_gregg_bpf_book_bpf_vm</bcf:citekey>
<bcf:citekey order="53">ebpf_verifier_kerneldocs</bcf:citekey>
<bcf:citekey order="54">ebpf_JIT_demystify_page17-22</bcf:citekey>
<bcf:citekey order="55">ebpf_bounded_loops</bcf:citekey>
<bcf:citekey order="56">ebpf_maps_kernel</bcf:citekey>
<bcf:citekey order="57">bpf_syscall</bcf:citekey>
<bcf:citekey order="44">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="45">ebpf_starovo_slides</bcf:citekey>
<bcf:citekey order="46">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="47">ebpf_starovo_slides</bcf:citekey>
<bcf:citekey order="48">ebpf_JIT</bcf:citekey>
<bcf:citekey order="49">ebpf_JIT_demystify_page13</bcf:citekey>
<bcf:citekey order="50">ebpf_JIT_demystify_page14</bcf:citekey>
<bcf:citekey order="51">jit_enable_setting</bcf:citekey>
<bcf:citekey order="52">ebpf_starovo_slides_page23</bcf:citekey>
<bcf:citekey order="53">brendan_gregg_bpf_book_bpf_vm</bcf:citekey>
<bcf:citekey order="54">ebpf_verifier_kerneldocs</bcf:citekey>
<bcf:citekey order="55">ebpf_JIT_demystify_page17-22</bcf:citekey>
<bcf:citekey order="56">ebpf_bounded_loops</bcf:citekey>
<bcf:citekey order="57">ebpf_maps_kernel</bcf:citekey>
<bcf:citekey order="58">bpf_syscall</bcf:citekey>
<bcf:citekey order="59">bpf_syscall</bcf:citekey>
<bcf:citekey order="60">bpf_syscall</bcf:citekey>
<bcf:citekey order="61">bpf_syscall</bcf:citekey>
<bcf:citekey order="62">bpf_syscall</bcf:citekey>
<bcf:citekey order="63">bpf_syscall</bcf:citekey>
<bcf:citekey order="64">ebpf_helpers</bcf:citekey>
<bcf:citekey order="64">bpf_syscall</bcf:citekey>
<bcf:citekey order="65">ebpf_helpers</bcf:citekey>
<bcf:citekey order="66">ebpf_helpers</bcf:citekey>
<bcf:citekey order="67">xdp_gentle_intro</bcf:citekey>
<bcf:citekey order="68">xdp_manual</bcf:citekey>
<bcf:citekey order="69">tc_differences</bcf:citekey>
<bcf:citekey order="70">tc_docs_complete</bcf:citekey>
<bcf:citekey order="71">tc_direct_action</bcf:citekey>
<bcf:citekey order="72">tc_ret_list_complete</bcf:citekey>
<bcf:citekey order="67">ebpf_helpers</bcf:citekey>
<bcf:citekey order="68">xdp_gentle_intro</bcf:citekey>
<bcf:citekey order="69">xdp_manual</bcf:citekey>
<bcf:citekey order="70">tc_differences</bcf:citekey>
<bcf:citekey order="71">tc_docs_complete</bcf:citekey>
<bcf:citekey order="72">tc_direct_action</bcf:citekey>
<bcf:citekey order="73">tc_ret_list_complete</bcf:citekey>
<bcf:citekey order="74">tp_kernel</bcf:citekey>
<bcf:citekey order="75">kprobe_manual</bcf:citekey>
<bcf:citekey order="76">kallsyms_kernel</bcf:citekey>
<bcf:citekey order="77">bcc_github</bcf:citekey>
<bcf:citekey order="78">libbpf_github</bcf:citekey>
<bcf:citekey order="79">libbpf_upstream</bcf:citekey>
<bcf:citekey order="80">libbpf_core</bcf:citekey>
<bcf:citekey order="81">ubuntu_caps</bcf:citekey>
<bcf:citekey order="82">evil_ebpf_p9</bcf:citekey>
<bcf:citekey order="83">ebpf_caps_intro</bcf:citekey>
<bcf:citekey order="84">ebpf_caps_lwn</bcf:citekey>
<bcf:citekey order="85">unprivileged_ebpf</bcf:citekey>
<bcf:citekey order="86">cve_unpriv_ebpf</bcf:citekey>
<bcf:citekey order="87">unpriv_ebpf_ubuntu</bcf:citekey>
<bcf:citekey order="88">unpriv_ebpf_suse</bcf:citekey>
<bcf:citekey order="89">unpriv_ebpf_redhat</bcf:citekey>
<bcf:citekey order="90">8664_params_abi</bcf:citekey>
<bcf:citekey order="91">ebpf_friends_p15</bcf:citekey>
<bcf:citekey order="92">ebpf_override_return</bcf:citekey>
<bcf:citekey order="93">code_kernel_open</bcf:citekey>
<bcf:citekey order="74">tc_ret_list_complete</bcf:citekey>
<bcf:citekey order="75">tp_kernel</bcf:citekey>
<bcf:citekey order="76">kprobe_manual</bcf:citekey>
<bcf:citekey order="77">kallsyms_kernel</bcf:citekey>
<bcf:citekey order="78">bcc_github</bcf:citekey>
<bcf:citekey order="79">libbpf_github</bcf:citekey>
<bcf:citekey order="80">libbpf_upstream</bcf:citekey>
<bcf:citekey order="81">libbpf_core</bcf:citekey>
<bcf:citekey order="82">ubuntu_caps</bcf:citekey>
<bcf:citekey order="83">evil_ebpf_p9</bcf:citekey>
<bcf:citekey order="84">ebpf_caps_intro</bcf:citekey>
<bcf:citekey order="85">ebpf_caps_lwn</bcf:citekey>
<bcf:citekey order="86">unprivileged_ebpf</bcf:citekey>
<bcf:citekey order="87">cve_unpriv_ebpf</bcf:citekey>
<bcf:citekey order="88">unpriv_ebpf_ubuntu</bcf:citekey>
<bcf:citekey order="89">unpriv_ebpf_suse</bcf:citekey>
<bcf:citekey order="90">unpriv_ebpf_redhat</bcf:citekey>
<bcf:citekey order="91">8664_params_abi</bcf:citekey>
<bcf:citekey order="92">ebpf_friends_p15</bcf:citekey>
<bcf:citekey order="93">ebpf_override_return</bcf:citekey>
<bcf:citekey order="94">code_kernel_open</bcf:citekey>
<bcf:citekey order="95">code_kernel_open</bcf:citekey>
<bcf:citekey order="96">code_kernel_open</bcf:citekey>
<bcf:citekey order="97">fault_injection</bcf:citekey>
<bcf:citekey order="98">ebpf_helpers</bcf:citekey>
<bcf:citekey order="99">mem_page_arch</bcf:citekey>
<bcf:citekey order="100">page_faults</bcf:citekey>
<bcf:citekey order="97">code_kernel_open</bcf:citekey>
<bcf:citekey order="98">fault_injection</bcf:citekey>
<bcf:citekey order="99">ebpf_helpers</bcf:citekey>
<bcf:citekey order="100">mem_page_arch</bcf:citekey>
<bcf:citekey order="101">page_faults</bcf:citekey>
<bcf:citekey order="102">mem_arch_proc</bcf:citekey>
<bcf:citekey order="103">8664_params_abi_p18</bcf:citekey>
<bcf:citekey order="104">write_helper_non_fault</bcf:citekey>
</bcf:section>
<!-- SORTING TEMPLATES -->
<bcf:sortingtemplate name="none">


@@ -1,87 +1,89 @@
[0] Config.pm:311> INFO - This is Biber 2.16
[0] Config.pm:314> INFO - Logfile is 'document.blg'
[67] biber:340> INFO - === Sat Jun 4, 2022, 08:30:51
[83] Biber.pm:415> INFO - Reading 'document.bcf'
[182] Biber.pm:952> INFO - Found 67 citekeys in bib section 0
[198] Biber.pm:4340> INFO - Processing section 0
[209] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[211] bibtex.pm:1689> INFO - LaTeX decoding ...
[238] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[243] Utils.pm:384> WARN - Duplicate entry key: 'code_kernel_open' in file 'bibliography/bibliography.bib', skipping ...
[410] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 9, warning: 1 characters of junk seen at toplevel
[410] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 15, warning: 1 characters of junk seen at toplevel
[410] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 22, warning: 1 characters of junk seen at toplevel
[410] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 28, warning: 1 characters of junk seen at toplevel
[410] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 35, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 42, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 50, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 58, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 65, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 70, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 77, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 85, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 94, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 103, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 112, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 121, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 127, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 132, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 137, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 142, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 153, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 158, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 164, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 170, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 175, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 184, warning: 1 characters of junk seen at toplevel
[411] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 191, warning: 1 characters of junk seen at toplevel
[412] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 199, warning: 1 characters of junk seen at toplevel
[412] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 206, warning: 1 characters of junk seen at toplevel
[412] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 215, warning: 1 characters of junk seen at toplevel
[412] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 224, warning: 1 characters of junk seen at toplevel
[412] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 233, warning: 1 characters of junk seen at toplevel
[412] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 239, warning: 1 characters of junk seen at toplevel
[412] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 244, warning: 1 characters of junk seen at toplevel
[412] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 249, warning: 1 characters of junk seen at toplevel
[412] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 256, warning: 1 characters of junk seen at toplevel
[412] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 261, warning: 1 characters of junk seen at toplevel
[412] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 266, warning: 1 characters of junk seen at toplevel
[412] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 271, warning: 1 characters of junk seen at toplevel
[412] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 276, warning: 1 characters of junk seen at toplevel
[412] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 283, warning: 1 characters of junk seen at toplevel
[412] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 288, warning: 1 characters of junk seen at toplevel
[412] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 295, warning: 1 characters of junk seen at toplevel
[412] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 302, warning: 1 characters of junk seen at toplevel
[413] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 309, warning: 1 characters of junk seen at toplevel
[413] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 315, warning: 1 characters of junk seen at toplevel
[413] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 321, warning: 1 characters of junk seen at toplevel
[413] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 327, warning: 1 characters of junk seen at toplevel
[413] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 334, warning: 1 characters of junk seen at toplevel
[413] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 339, warning: 1 characters of junk seen at toplevel
[413] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 344, warning: 1 characters of junk seen at toplevel
[413] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 349, warning: 1 characters of junk seen at toplevel
[413] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 356, warning: 1 characters of junk seen at toplevel
[413] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 361, warning: 1 characters of junk seen at toplevel
[413] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 366, warning: 1 characters of junk seen at toplevel
[413] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 375, warning: 1 characters of junk seen at toplevel
[413] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 380, warning: 1 characters of junk seen at toplevel
[413] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 385, warning: 1 characters of junk seen at toplevel
[413] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 390, warning: 1 characters of junk seen at toplevel
[413] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 395, warning: 1 characters of junk seen at toplevel
[413] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 400, warning: 1 characters of junk seen at toplevel
[413] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 405, warning: 1 characters of junk seen at toplevel
[414] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 410, warning: 1 characters of junk seen at toplevel
[414] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 419, warning: 1 characters of junk seen at toplevel
[414] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 428, warning: 1 characters of junk seen at toplevel
[414] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 433, warning: 1 characters of junk seen at toplevel
[414] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 438, warning: 1 characters of junk seen at toplevel
[414] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 443, warning: 1 characters of junk seen at toplevel
[414] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 449, warning: 1 characters of junk seen at toplevel
[414] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HkZb/f4d088b3f9f145b5c3058da33afd57d4_223362.utf8, line 459, warning: 1 characters of junk seen at toplevel
[462] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[462] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[462] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[462] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[501] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[517] bbl.pm:757> INFO - Output to document.bbl
[517] Biber.pm:128> INFO - WARNINGS: 71
[1] Config.pm:311> INFO - This is Biber 2.16
[1] Config.pm:314> INFO - Logfile is 'document.blg'
[154] biber:340> INFO - === Sun Jun 5, 2022, 08:34:18
[185] Biber.pm:415> INFO - Reading 'document.bcf'
[372] Biber.pm:952> INFO - Found 68 citekeys in bib section 0
[411] Biber.pm:4340> INFO - Processing section 0
[431] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[435] bibtex.pm:1689> INFO - LaTeX decoding ...
[503] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[513] Utils.pm:384> WARN - Duplicate entry key: 'code_kernel_open' in file 'bibliography/bibliography.bib', skipping ...
[896] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 9, warning: 1 characters of junk seen at toplevel
[897] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 15, warning: 1 characters of junk seen at toplevel
[897] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 22, warning: 1 characters of junk seen at toplevel
[897] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 28, warning: 1 characters of junk seen at toplevel
[897] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 35, warning: 1 characters of junk seen at toplevel
[897] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 42, warning: 1 characters of junk seen at toplevel
[898] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 50, warning: 1 characters of junk seen at toplevel
[898] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 58, warning: 1 characters of junk seen at toplevel
[898] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 65, warning: 1 characters of junk seen at toplevel
[898] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 70, warning: 1 characters of junk seen at toplevel
[898] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 77, warning: 1 characters of junk seen at toplevel
[898] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 85, warning: 1 characters of junk seen at toplevel
[899] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 94, warning: 1 characters of junk seen at toplevel
[899] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 103, warning: 1 characters of junk seen at toplevel
[899] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 112, warning: 1 characters of junk seen at toplevel
[899] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 121, warning: 1 characters of junk seen at toplevel
[900] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 127, warning: 1 characters of junk seen at toplevel
[900] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 132, warning: 1 characters of junk seen at toplevel
[900] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 137, warning: 1 characters of junk seen at toplevel
[900] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 142, warning: 1 characters of junk seen at toplevel
[901] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 153, warning: 1 characters of junk seen at toplevel
[901] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 158, warning: 1 characters of junk seen at toplevel
[901] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 164, warning: 1 characters of junk seen at toplevel
[901] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 170, warning: 1 characters of junk seen at toplevel
[902] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 175, warning: 1 characters of junk seen at toplevel
[902] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 184, warning: 1 characters of junk seen at toplevel
[902] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 191, warning: 1 characters of junk seen at toplevel
[902] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 199, warning: 1 characters of junk seen at toplevel
[902] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 206, warning: 1 characters of junk seen at toplevel
[903] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 215, warning: 1 characters of junk seen at toplevel
[903] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 224, warning: 1 characters of junk seen at toplevel
[903] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 233, warning: 1 characters of junk seen at toplevel
[903] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 239, warning: 1 characters of junk seen at toplevel
[903] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 244, warning: 1 characters of junk seen at toplevel
[904] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 249, warning: 1 characters of junk seen at toplevel
[904] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 256, warning: 1 characters of junk seen at toplevel
[904] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 261, warning: 1 characters of junk seen at toplevel
[904] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 266, warning: 1 characters of junk seen at toplevel
[904] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 271, warning: 1 characters of junk seen at toplevel
[905] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 276, warning: 1 characters of junk seen at toplevel
[905] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 283, warning: 1 characters of junk seen at toplevel
[905] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 288, warning: 1 characters of junk seen at toplevel
[905] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 295, warning: 1 characters of junk seen at toplevel
[906] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 302, warning: 1 characters of junk seen at toplevel
[906] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 309, warning: 1 characters of junk seen at toplevel
[906] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 315, warning: 1 characters of junk seen at toplevel
[906] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 321, warning: 1 characters of junk seen at toplevel
[907] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 327, warning: 1 characters of junk seen at toplevel
[907] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 334, warning: 1 characters of junk seen at toplevel
[907] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 339, warning: 1 characters of junk seen at toplevel
[907] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 344, warning: 1 characters of junk seen at toplevel
[907] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 349, warning: 1 characters of junk seen at toplevel
[908] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 356, warning: 1 characters of junk seen at toplevel
[908] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 361, warning: 1 characters of junk seen at toplevel
[908] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 366, warning: 1 characters of junk seen at toplevel
[908] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 375, warning: 1 characters of junk seen at toplevel
[908] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 380, warning: 1 characters of junk seen at toplevel
[908] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 385, warning: 1 characters of junk seen at toplevel
[909] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 390, warning: 1 characters of junk seen at toplevel
[909] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 395, warning: 1 characters of junk seen at toplevel
[909] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 400, warning: 1 characters of junk seen at toplevel
[909] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 405, warning: 1 characters of junk seen at toplevel
[909] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 410, warning: 1 characters of junk seen at toplevel
[909] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 419, warning: 1 characters of junk seen at toplevel
[909] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 428, warning: 1 characters of junk seen at toplevel
[909] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 433, warning: 1 characters of junk seen at toplevel
[909] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 438, warning: 1 characters of junk seen at toplevel
[910] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 443, warning: 1 characters of junk seen at toplevel
[910] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 449, warning: 1 characters of junk seen at toplevel
[910] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 459, warning: 1 characters of junk seen at toplevel
[910] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 466, warning: 1 characters of junk seen at toplevel
[910] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 473, warning: 1 characters of junk seen at toplevel
[1017] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[1018] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[1018] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[1018] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[1113] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[1160] bbl.pm:757> INFO - Output to document.bbl
[1161] Biber.pm:128> INFO - WARNINGS: 73


@@ -25,11 +25,21 @@
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {3.1}{\ignorespaces Memory translation of virtual pages to physical pages.\relax }}{37}{figure.caption.35}%
\contentsline {figure}{\numberline {3.1}{\ignorespaces Memory translation of virtual pages to physical pages.\relax }}{37}{figure.caption.34}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {3.2}{\ignorespaces Major page fault after a page was removed from RAM.\relax }}{38}{figure.caption.36}%
\contentsline {figure}{\numberline {3.2}{\ignorespaces Major page fault after a page was removed from RAM.\relax }}{38}{figure.caption.35}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {3.3}{\ignorespaces Minor page fault after a fork() in which the page table was not copied completely.\relax }}{38}{figure.caption.37}%
\contentsline {figure}{\numberline {3.3}{\ignorespaces Minor page fault after a fork() in which the page table was not copied completely.\relax }}{38}{figure.caption.36}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {3.4}{\ignorespaces Virtual memory architecture of a process\cite {mem_arch_proc}.\relax }}{39}{figure.caption.37}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {3.5}{\ignorespaces Simplified stack representation showing only stack frames.\relax }}{40}{figure.caption.38}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {3.6}{\ignorespaces Representation of push and pop operations in the stack.\relax }}{41}{figure.caption.40}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {3.7}{\ignorespaces Stack representation right before starting the function call process.\relax }}{42}{figure.caption.41}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {3.8}{\ignorespaces Stack representation right after the function preamble.\relax }}{42}{figure.caption.42}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax


@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 4 JUN 2022 08:55
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 5 JUN 2022 08:58
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.
@@ -1089,7 +1089,7 @@ File: t1txss.fd 2000/12/15 v3.1
)
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 11.39996pt on input line 186.
<images//Portada_Logo.png, id=205, 456.2865pt x 45.99pt>
<images//Portada_Logo.png, id=209, 456.2865pt x 45.99pt>
File: images//Portada_Logo.png Graphic file (type png)
<use images//Portada_Logo.png>
Package pdftex.def Info: images//Portada_Logo.png used on input line 190.
@@ -1102,7 +1102,7 @@ LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 23.63593pt on input line 201.
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 19.70294pt on input line 205.
<images/creativecommons.png, id=207, 338.76563pt x 118.19156pt>
<images/creativecommons.png, id=211, 338.76563pt x 118.19156pt>
File: images/creativecommons.png Graphic file (type png)
<use images/creativecommons.png>
Package pdftex.def Info: images/creativecommons.png used on input line 215.
@@ -1214,7 +1214,7 @@ Chapter 2.
LaTeX Warning: Reference `section:analysis_offensive_capabilities' on page 5 un
defined on input line 412.
<images//classic_bpf.jpg, id=534, 588.1975pt x 432.61626pt>
<images//classic_bpf.jpg, id=552, 588.1975pt x 432.61626pt>
File: images//classic_bpf.jpg Graphic file (type jpg)
<use images//classic_bpf.jpg>
Package pdftex.def Info: images//classic_bpf.jpg used on input line 426.
@@ -1222,36 +1222,36 @@ Package pdftex.def Info: images//classic_bpf.jpg used on input line 426.
[5
] [6 <./images//classic_bpf.jpg>]
<images//cbpf_prog.jpg, id=552, 403.5075pt x 451.6875pt>
<images//cbpf_prog.jpg, id=570, 403.5075pt x 451.6875pt>
File: images//cbpf_prog.jpg Graphic file (type jpg)
<use images//cbpf_prog.jpg>
Package pdftex.def Info: images//cbpf_prog.jpg used on input line 453.
(pdftex.def) Requested size: 227.62204pt x 254.80415pt.
[7 <./images/cBPF_prog.jpg>]
<images//bpf_instructions.png, id=562, 380.92313pt x 475.27562pt>
<images//bpf_instructions.png, id=580, 380.92313pt x 475.27562pt>
File: images//bpf_instructions.png Graphic file (type png)
<use images//bpf_instructions.png>
Package pdftex.def Info: images//bpf_instructions.png used on input line 493.
(pdftex.def) Requested size: 227.62204pt x 283.99998pt.
[8 <./images//bpf_instructions.png>]
<images//bpf_address_mode.png, id=572, 417.05812pt x 313.67188pt>
<images//bpf_address_mode.png, id=590, 417.05812pt x 313.67188pt>
File: images//bpf_address_mode.png Graphic file (type png)
<use images//bpf_address_mode.png>
Package pdftex.def Info: images//bpf_address_mode.png used on input line 509.
(pdftex.def) Requested size: 227.62204pt x 171.19905pt.
[9 <./images//bpf_address_mode.png>]
<images//tcpdump_example.png, id=585, 534.99875pt x 454.69875pt>
<images//tcpdump_example.png, id=603, 534.99875pt x 454.69875pt>
File: images//tcpdump_example.png Graphic file (type png)
<use images//tcpdump_example.png>
Package pdftex.def Info: images//tcpdump_example.png used on input line 524.
(pdftex.def) Requested size: 284.52756pt x 241.82869pt.
<images//cBPF_prog_ex_sol.png, id=588, 242.9075pt x 321.2pt>
<images//cBPF_prog_ex_sol.png, id=606, 242.9075pt x 321.2pt>
File: images//cBPF_prog_ex_sol.png Graphic file (type png)
<use images//cBPF_prog_ex_sol.png>
Package pdftex.def Info: images//cBPF_prog_ex_sol.png used on input line 535.
(pdftex.def) Requested size: 170.71652pt x 225.74026pt.
[10 <./images//tcpdump_example.png>] [11 <./images//cBPF_prog_ex_sol.png>]
<images//ebpf_arch.jpg, id=606, 739.76375pt x 472.76625pt>
<images//ebpf_arch.jpg, id=624, 739.76375pt x 472.76625pt>
File: images//ebpf_arch.jpg Graphic file (type jpg)
<use images//ebpf_arch.jpg>
Package pdftex.def Info: images//ebpf_arch.jpg used on input line 574.
@@ -1268,16 +1268,16 @@ Overfull \hbox (17.02478pt too wide) in paragraph at lines 627--628
[]
[14]
Overfull \hbox (56.55217pt too wide) in paragraph at lines 677--688
Overfull \hbox (56.55217pt too wide) in paragraph at lines 678--689
[][]
[]
LaTeX Warning: Reference `table:ebpf_maps' on page 15 undefined on input line 6
92.
93.
Overfull \hbox (11.26865pt too wide) in paragraph at lines 692--693
Overfull \hbox (11.26865pt too wide) in paragraph at lines 693--694
\T1/txr/m/n/12 de-vel-op-ment of our rootkit, we will mainly fo-cus on hash map
s (BPF_MAP_TYPE_HASH),
[]
@@ -1285,67 +1285,67 @@ s (BPF_MAP_TYPE_HASH),
[15]
LaTeX Warning: Reference `table:bpf_syscall' on page 16 undefined on input line
702.
703.
Overfull \hbox (42.01218pt too wide) in paragraph at lines 705--721
Overfull \hbox (42.01218pt too wide) in paragraph at lines 706--722
[][]
[]
[16]
LaTeX Warning: Reference `section:TODO' on page 17 undefined on input line 748.
LaTeX Warning: Reference `section:TODO' on page 17 undefined on input line 749.
Overfull \hbox (13.5802pt too wide) in paragraph at lines 758--788
Overfull \hbox (13.5802pt too wide) in paragraph at lines 759--789
[][]
[]
[17]
<images//xdp_diag.jpg, id=686, 649.42625pt x 472.76625pt>
<images//xdp_diag.jpg, id=704, 649.42625pt x 472.76625pt>
File: images//xdp_diag.jpg Graphic file (type jpg)
<use images//xdp_diag.jpg>
Package pdftex.def Info: images//xdp_diag.jpg used on input line 804.
Package pdftex.def Info: images//xdp_diag.jpg used on input line 805.
(pdftex.def) Requested size: 426.79134pt x 310.69934pt.
[18] [19 <./images//xdp_diag.jpg>]
Overfull \hbox (5.80417pt too wide) in paragraph at lines 867--879
Overfull \hbox (5.80417pt too wide) in paragraph at lines 868--880
[][]
[]
[20] [21] [22] [23]
<images//libbpf_prog.jpg, id=745, 543.02875pt x 502.87875pt>
<images//libbpf_prog.jpg, id=763, 543.02875pt x 502.87875pt>
File: images//libbpf_prog.jpg Graphic file (type jpg)
<use images//libbpf_prog.jpg>
Package pdftex.def Info: images//libbpf_prog.jpg used on input line 977.
Package pdftex.def Info: images//libbpf_prog.jpg used on input line 978.
(pdftex.def) Requested size: 341.43306pt x 316.20142pt.
[24]
LaTeX Warning: Reference `TODO' on page 25 undefined on input line 1005.
LaTeX Warning: Reference `TODO' on page 25 undefined on input line 1006.
[25 <./images//libbpf_prog.jpg>] [26]
Chapter 3.
Overfull \hbox (15.27466pt too wide) in paragraph at lines 1029--1057
Overfull \hbox (15.27466pt too wide) in paragraph at lines 1027--1055
[][]
[]
[27
]
Overfull \hbox (144.2746pt too wide) in paragraph at lines 1069--1070
Overfull \hbox (144.2746pt too wide) in paragraph at lines 1067--1068
[]\T1/txr/bx/n/12 Unprivileged users \T1/txr/m/n/12 can only load and at-tach e
BPF pro-grams of type BPF_PROG_TYPE_SOCKET_FILTER[[][]53[][]],
[]
[28]
Overfull \hbox (33.33205pt too wide) in paragraph at lines 1095--1096
Overfull \hbox (33.33205pt too wide) in paragraph at lines 1093--1094
[]\T1/txr/m/n/12 Therefore, eBPF net-work pro-grams usu-ally re-quire both CAP_
BPF and CAP_NET_ADMIN,
[]
[29]
Overfull \hbox (18.75664pt too wide) in paragraph at lines 1125--1126
Overfull \hbox (18.75664pt too wide) in paragraph at lines 1123--1124
\T1/txr/m/n/12 can also ex-plore all the avail-able maps in the sys-tem by us-i
ng the BPF_MAP_GET_NEXT_ID
[]
@@ -1357,152 +1357,199 @@ File: lstlang1.sty 2020/03/24 1.8d listings language file
File: lstmisc.sty 2020/03/24 1.8d (Carsten Heinz)
)
Package hyperref Info: bookmark level for unknown lstlisting defaults to 0 on i
nput line 1141.
nput line 1139.
[30]
LaTeX Font Info: Trying to load font information for T1+txtt on input line 1
141.
139.
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txtt.fd
File: t1txtt.fd 2000/12/15 v3.1
)
LaTeX Font Info: Font shape `T1/txtt/b/n' in size <10> not available
(Font) Font shape `T1/txtt/bx/n' tried instead on input line 1143.
(Font) Font shape `T1/txtt/bx/n' tried instead on input line 1141.
[31] [32] [33]
Overfull \hbox (55.2727pt too wide) in paragraph at lines 1303--1304
[31] [32]
Overfull \hbox (55.2727pt too wide) in paragraph at lines 1284--1285
\T1/txr/m/n/12 As we in-tro-duced in the pre-vi-ous sub-sec-tion, the bpf_probe
_read_user() and bpf_probe_read_kernel()
[]
[33]
LaTeX Warning: Reference `TODO' on page 34 undefined on input line 1307.
LaTeX Warning: Reference `TODO' on page 34 undefined on input line 1288.
Overfull \hbox (47.97661pt too wide) in paragraph at lines 1312--1313
Overfull \hbox (47.97661pt too wide) in paragraph at lines 1293--1294
\T1/txr/m/n/12 helper. It will only work if the ker-nel was com-piled with the
CON-FIG_BPF_KPROBE_OVERRIDE
[]
[34] [35]
Overfull \hbox (62.0767pt too wide) in paragraph at lines 1354--1355
[34]
Overfull \hbox (62.0767pt too wide) in paragraph at lines 1335--1336
\T1/txr/m/n/12 the bounds of func-tion pa-ram-e-ters via the helpers bpf_probe_
read_user() and bpf_probe_read_kernel().
[]
<images//mem_arch_pages.jpg, id=928, 593.21625pt x 434.62375pt>
[35]
<images//mem_arch_pages.jpg, id=945, 593.21625pt x 434.62375pt>
File: images//mem_arch_pages.jpg Graphic file (type jpg)
<use images//mem_arch_pages.jpg>
Package pdftex.def Info: images//mem_arch_pages.jpg used on input line 1367.
Package pdftex.def Info: images//mem_arch_pages.jpg used on input line 1348.
(pdftex.def) Requested size: 369.88582pt x 271.00914pt.
[36]
<images//mem_major_page_fault.jpg, id=936, 639.38875pt x 425.59pt>
[36]
<images//mem_major_page_fault.jpg, id=953, 639.38875pt x 425.59pt>
File: images//mem_major_page_fault.jpg Graphic file (type jpg)
<use images//mem_major_page_fault.jpg>
Package pdftex.def Info: images//mem_major_page_fault.jpg used on input line 1
377.
358.
(pdftex.def) Requested size: 312.9803pt x 208.32661pt.
[37 <./images//mem_arch_pages.jpg>]
<images//mem_minor_page_fault.jpg, id=943, 654.445pt x 555.07375pt>
<images//mem_minor_page_fault.jpg, id=960, 654.445pt x 555.07375pt>
File: images//mem_minor_page_fault.jpg Graphic file (type jpg)
<use images//mem_minor_page_fault.jpg>
Package pdftex.def Info: images//mem_minor_page_fault.jpg used on input line 1
385.
366.
(pdftex.def) Requested size: 312.9803pt x 265.45834pt.
<images//memory.jpg, id=961, 310.15875pt x 519.9425pt>
File: images//memory.jpg Graphic file (type jpg)
<use images//memory.jpg>
Package pdftex.def Info: images//memory.jpg used on input line 1376.
(pdftex.def) Requested size: 170.71652pt x 286.18347pt.
[38 <./images//mem_major_page_fault.jpg> <./images//mem_minor_page_fault.jpg>]
[39]
[39 <./images//memory.jpg>]
<images//stack_pres.jpg, id=975, 707.64375pt x 283.0575pt>
File: images//stack_pres.jpg Graphic file (type jpg)
<use images//stack_pres.jpg>
Package pdftex.def Info: images//stack_pres.jpg used on input line 1399.
(pdftex.def) Requested size: 398.33858pt x 159.33606pt.
[40 <./images//stack_pres.jpg>]
<images//stack_ops.jpg, id=984, 524.96124pt x 694.595pt>
File: images//stack_ops.jpg Graphic file (type jpg)
<use images//stack_ops.jpg>
Package pdftex.def Info: images//stack_ops.jpg used on input line 1433.
(pdftex.def) Requested size: 284.52756pt x 376.47473pt.
<images//stack_before.jpg, id=985, 712.6625pt x 315.1775pt>
File: images//stack_before.jpg Graphic file (type jpg)
<use images//stack_before.jpg>
Package pdftex.def Info: images//stack_before.jpg used on input line 1444.
(pdftex.def) Requested size: 398.33858pt x 176.16635pt.
[41 <./images//stack_ops.jpg>]
<images//stack.jpg, id=990, 707.64375pt x 381.425pt>
File: images//stack.jpg Graphic file (type jpg)
<use images//stack.jpg>
Package pdftex.def Info: images//stack.jpg used on input line 1451.
(pdftex.def) Requested size: 398.33858pt x 214.70816pt.
LaTeX Warning: Citation '8664_params_abi_p18' on page 42 undefined on input lin
e 1461.
[42 <./images//stack_before.jpg> <./images//stack.jpg>]
LaTeX Warning: Citation 'write_helper_non_fault' on page 43 undefined on input
line 1479.
[43] [44]
Chapter 4.
[40
[45
]
Chapter 5.
[41
[46
]
Chapter 6.
[42
[47
]
Overfull \hbox (5.34976pt too wide) in paragraph at lines 1424--1424
Overfull \hbox (5.34976pt too wide) in paragraph at lines 1508--1508
\T1/txtt/m/n/12 threat -[] intelligence / cyber -[] year -[] in -[] retrospect
/ yir -[] cyber -[] threats -[]
[]
[43
[48
]
Overfull \hbox (6.22696pt too wide) in paragraph at lines 1424--1424
Overfull \hbox (6.22696pt too wide) in paragraph at lines 1508--1508
[]\T1/txr/m/it/12 Bpf fea-tures by linux ker-nel ver-sion\T1/txr/m/n/12 , io-vi
-sor. [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / github .
[]
Overfull \hbox (7.34976pt too wide) in paragraph at lines 1424--1424
Overfull \hbox (7.34976pt too wide) in paragraph at lines 1508--1508
[][]$\T1/txtt/m/n/12 https : / / ebpf . io / what -[] is -[] ebpf / #loader -[]
-[] verification -[] architecture$[][]\T1/txr/m/n/12 .
[]
Overfull \hbox (21.24973pt too wide) in paragraph at lines 1424--1424
Overfull \hbox (21.24973pt too wide) in paragraph at lines 1508--1508
\T1/txtt/m/n/12 vger . kernel . org / netconf2015Starovoitov -[] bpf _ collabsu
mmit _ 2015feb20 .
[]
[44]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 1424--1424
[49]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 1508--1508
\T1/txtt/m/n/12 ch02 . xhtml# :-[]: text = With % 20JIT % 20compiled % 20code %
2C % 20i ,[] %20other %
[]
Overfull \hbox (6.49615pt too wide) in paragraph at lines 1424--1424
Overfull \hbox (6.49615pt too wide) in paragraph at lines 1508--1508
[]\T1/txr/m/n/12 D. Lavie. ^^P A gen-tle in-tro-duc-tion to xdp.^^Q (Feb. 3, 2
022), [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https :
[]
[45]
Overfull \hbox (0.76683pt too wide) in paragraph at lines 1424--1424
[50]
Overfull \hbox (0.76683pt too wide) in paragraph at lines 1508--1508
[]\T1/txr/m/n/12 ^^P Bpf next ker-nel tree.^^Q (), [On-line]. Avail-able: [][]
$\T1/txtt/m/n/12 https : / / kernel . googlesource .
[]
Overfull \hbox (14.49278pt too wide) in paragraph at lines 1424--1424
Overfull \hbox (14.49278pt too wide) in paragraph at lines 1508--1508
[]\T1/txr/m/it/12 Capabilities - overview of linux ca-pa-bil-i-ties\T1/txr/m/n/
12 . [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 http : / / manpages .
[]
[46]
Overfull \hbox (53.32059pt too wide) in paragraph at lines 1424--1424
[51]
Overfull \hbox (53.32059pt too wide) in paragraph at lines 1508--1508
\T1/txr/m/it/12 sup-ple-ment\T1/txr/m/n/12 , Jan. 28, 2018, p. 148. [On-line].
Avail-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
[]
Overfull \hbox (33.3497pt too wide) in paragraph at lines 1424--1424
Overfull \hbox (33.3497pt too wide) in paragraph at lines 1508--1508
\T1/txtt/m/n/12 20CON % 2029 % 20presentations / Guillaume % 20Fournier % 20Syl
vain % 20Afchain %
[]
Overfull \hbox (9.33742pt too wide) in paragraph at lines 1424--1424
Overfull \hbox (9.33742pt too wide) in paragraph at lines 1508--1508
\T1/txr/m/n/12 Avail-able: [][]$\T1/txtt/m/n/12 https : / / events19 . linuxfou
ndation . org / wp -[] content / uploads /
[]
Overfull \hbox (18.44974pt too wide) in paragraph at lines 1424--1424
Overfull \hbox (18.44974pt too wide) in paragraph at lines 1508--1508
\T1/txtt/m/n/12 2017 / 12 / MM -[] 101 -[] Introduction -[] to -[] Linux -[] Me
mory -[] Management -[] Christoph -[]
[]
Overfull \hbox (5.92503pt too wide) in paragraph at lines 1424--1424
Overfull \hbox (5.92503pt too wide) in paragraph at lines 1508--1508
[]\T1/txr/m/n/12 D. Breaker. ^^P Un-der-stand-ing page faults and mem-ory swap
-in/outs.^^Q (Aug. 19, 2019),
[]
[47] (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
Overfull \hbox (40.56133pt too wide) in paragraph at lines 1508--1508
\T1/txr/m/n/12 able: [][]$\T1/txtt/m/n/12 https : / / h3xduck . github . io / e
xploit / 2021 / 05 / 23 / stackbufferoverflow -[]
[]
[52] (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
File: lstlang1.sty 2020/03/24 1.8d listings language file
)
(/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
@@ -1513,7 +1560,7 @@ File: lstlang1.sty 2020/03/24 1.8d listings language file
been already used, duplicate ignored
<to be read again>
\relax
l.1484 \end{document}
l.1568 \end{document}
[2
] (./document.aux)
@@ -1521,16 +1568,21 @@ l.1484 \end{document}
LaTeX Warning: There were undefined references.
Package rerunfilecheck Info: File `document.out' has not changed.
(rerunfilecheck) Checksum: 0B819AE1968F9045C84BF50A3A681D42;3703.
(rerunfilecheck) Checksum: FC2292DDA34492747A3EE632FD835264;3816.
Package biblatex Warning: Please (re)run Biber on the file:
(biblatex) document
(biblatex) and rerun LaTeX afterwards.
Package logreq Info: Writing requests to 'document.run.xml'.
\openout1 = `document.run.xml'.
)
Here is how much of TeX's memory you used:
28299 strings out of 481209
450407 string characters out of 5914747
1343041 words of memory out of 5000000
44512 multiletter control sequences out of 15000+600000
28364 strings out of 481209
451535 string characters out of 5914747
1344799 words of memory out of 5000000
44554 multiletter control sequences out of 15000+600000
459242 words of font info for 106 fonts, out of 8000000 for 9000
36 hyphenation exceptions out of 8191
88i,12n,90p,1029b,3681s stack positions out of 5000i,500n,10000p,200000b,80000s
@@ -1546,9 +1598,9 @@ e/texmf-dist/fonts/type1/urw/helvetic/uhvb8a.pfb></usr/share/texlive/texmf-dist
/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/u
tmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr
/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on document.pdf (65 pages, 944826 bytes).
Output written on document.pdf (70 pages, 1111385 bytes).
PDF statistics:
1258 PDF objects out of 1440 (max. 8388607)
286 named destinations out of 1000 (max. 500000)
483 words of extra memory for PDF output out of 10000 (max. 10000000)
1322 PDF objects out of 1440 (max. 8388607)
304 named destinations out of 1000 (max. 500000)
516 words of extra memory for PDF output out of 10000 (max. 10000000)


@@ -43,7 +43,7 @@
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {3.4}{\ignorespaces Argument passing convention of registers for function calls in user and kernel space respectively.\relax }}{32}{table.caption.33}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {3.5}{\ignorespaces Other relevant registers in x86\_64 and their purpose.\relax }}{32}{table.caption.34}%
\contentsline {table}{\numberline {3.5}{\ignorespaces Relevant registers in x86\_64 for the stack and control flow and their purpose.\relax }}{40}{table.caption.39}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax


@@ -43,8 +43,9 @@
\BOOKMARK [1][-]{section.3.3}{Memory\040corruption}{chapter.3}% 43
\BOOKMARK [2][-]{subsection.3.3.1}{Memory\040management\040in\040Linux}{section.3.3}% 44
\BOOKMARK [2][-]{subsection.3.3.2}{Process\040virtual\040memory}{section.3.3}% 45
\BOOKMARK [2][-]{subsection.3.3.3}{Accessing\040user\040memory}{section.3.3}% 46
\BOOKMARK [0][-]{chapter.4}{Methods??}{}% 47
\BOOKMARK [0][-]{chapter.5}{Results}{}% 48
\BOOKMARK [0][-]{chapter.6}{Conclusion\040and\040future\040work}{}% 49
\BOOKMARK [0][-]{chapter.6}{Bibliography}{}% 50
\BOOKMARK [2][-]{subsection.3.3.3}{The\040process\040stack}{section.3.3}% 46
\BOOKMARK [2][-]{subsection.3.3.4}{Attacks\040and\040limitations\040of\040bpf_probe_write_user\(\)}{section.3.3}% 47
\BOOKMARK [0][-]{chapter.4}{Methods??}{}% 48
\BOOKMARK [0][-]{chapter.5}{Results}{}% 49
\BOOKMARK [0][-]{chapter.6}{Conclusion\040and\040future\040work}{}% 50
\BOOKMARK [0][-]{chapter.6}{Bibliography}{}% 51

Binary file not shown.


@@ -41,7 +41,7 @@
>
]>
<requests version="1.0">
<internal package="biblatex" priority="9" active="0">
<internal package="biblatex" priority="9" active="1">
<generic>latex</generic>
<provides type="dynamic">
<file>document.bcf</file>
@@ -63,7 +63,7 @@
<file>english.lbx</file>
</requires>
</internal>
<external package="biblatex" priority="5" active="0">
<external package="biblatex" priority="5" active="1">
<generic>biber</generic>
<cmdline>
<binary>biber</binary>

Binary file not shown.


@@ -629,7 +629,7 @@ Therefore, when using JIT compiling (a setting defined by the variable \textit{b
The programs developed during this project will always have JIT compiling active.
\subsection{The eBPF verifier}
\subsection{The eBPF verifier} \label{subsection:ebpf_verifier}
We introduced in figure \ref{fig:ebpf_architecture} the presence of the so-called eBPF verifier. Provided that we will be loading programs in the kernel from user space, these programs need to be checked for safety before being valid to be executed.
The verifier performs a series of tests which every eBPF program must pass in order to be accepted. Otherwise, user programs could leak privileged data, result in kernel memory corruption, or hang the kernel in an infinite loop, between others. Therefore, the verifier limits multiple aspects of eBPF programs so that they are restricted to the intended functionality, whilst at the same time offering a reasonable amount of freedom to the developer.
@@ -639,6 +639,7 @@ The following are the most relevant checks that the verifier performs in eBPF pr
\item Tests for ensuring overall control flow safety:
\subitem No loops allowed (bounded loops accepted since kernel version 5.3\cite{ebpf_bounded_loops}.
\subitem Function call and jumps safety to known, reachable functions.
\subitem Sleep and blocking operations not allowed (to prevent hanging the kernel).
\item Tests for individual instructions:
\subitem Divisions by zero and invalid shift operations.
\subitem Invalid stack access and invalid out-of-bound access to data structures.
@@ -1007,9 +1008,6 @@ Note that the BPF skeleton also offers further granularity at the time of dealin
\chapter{Analysis of offensive capabilities}
In the previous chapter, we detailed which functionalities eBPF offers and studied its underlying architecture. As with every technology, a prior deep understanding is fundamental for discussing its security implications.
@@ -1181,7 +1179,7 @@ struct pt_regs {
};
\end{lstlisting}
By observing the value of the registers, we are able to extract the parameters of the original hooked function. This can be done by using the System V AMD64 ABI\cite{8664_params_abi}, the calling convention used in Linux. Depending on whether we are in the kernel or in user space, the registers used to store the values of the function arguments are different. Table \ref{table:systemv_abi} summarizes these two interfaces. Some other relevant registers are also displayed as a reference in table \ref{table:systemv_abi_other}.
By observing the value of the registers, we are able to extract the parameters of the original hooked function. This can be done by using the System V AMD64 ABI\cite{8664_params_abi}, the calling convention used in Linux. Depending on whether we are in the kernel or in user space, the registers used to store the values of the function arguments are different. Table \ref{table:systemv_abi} summarizes these two interfaces.
\begin{table}[H]
\begin{tabular}{|>{\centering\arraybackslash}p{2cm}|>{\centering\arraybackslash}p{3cm}|}
@@ -1234,23 +1232,6 @@ rax & Return value\\
\end{table}
\begin{table}[H]
\begin{tabular}{|>{\centering\arraybackslash}p{2cm}|>{\centering\arraybackslash}p{10cm}|}
\hline
Register & Purpose\\
\hline
\hline
rip & Instruction Pointer - Memory address of the next instruction to execute\\
\hline
rsp & Stack Pointer - Memory address where next stack operation takes place\\
\hline
rbp & Base/Frame Pointer - Memory address of the start of the stack frame\\
\hline
\end{tabular}
\caption{Other relevant registers in x86\_64 and their purpose.}
\label{table:systemv_abi_other}
\end{table}
In the case of tracepoints, we can see in code snippet \ref{code:format_tracepoint} that it receives a \textit{struct sys\_read\_enter\_ctx*}. This struct must be manually defined, as explained in \ref{subsection:tracepoints}, by looking at the file \textit{/sys/kernel/debug/tracing/events/syscalls/sys\_enter\_read/format}. Code snippet \ref{code:sys_enter_read_tp} shows the format of the struct.
\begin{lstlisting}[language=C, caption={Format for parameters in sys\_enter\_read specified at the format file.}, label={code:sys_enter_read_tp_format}]
@@ -1388,12 +1369,115 @@ As we can observe in the figure, each virtual page is related to one physical pa
\end{figure}
\subsection{Process virtual memory}
In the previous subsection we have studied that each process disposes of a virtual address space. We will now describe how this virtual memory is organized, since it will be necessary to understand the implication
In the previous subsection we have studied that each process disposes of a virtual address space. We will now describe how this virtual memory is organized in a Linux system.
\begin{figure}[H]
\centering
\includegraphics[width=6cm]{memory.jpg}
\caption{Virtual memory architecture of a process\cite{mem_arch_proc}.}
\label{fig:mem_proc_arch}
\end{figure}
Figure \ref{fig:mem_proc_arch} describes how virtual memory is distributed within a process in the x86\_64 architecture. As we can observe, it is partitioned into multiple sections:
\begin{itemize}
\item Lower and upper memory addresses are reserved for the kernel.
\item A section where shared libraries code is stored.
\item A .text section, which contains the code of the program being run.
\item A .bss section, which contains global static variables.
\item The heap, a section which grows from lower to higher memory addresses, and which contains memory dynamically allocated by the program.
\item The stack, a section which grows from higher to lower memory addresses, towards the heap. It is a Last In First Out (LIFO) structure used to store local variables, function parameters and return addresses.
\item Right at the start of the stack we can find the arguments with which the programs has been executed.
\end{itemize}
\subsection{The process stack}
Between all the sections we identified in a process virtual memory, the stack will be particularly relevant during our research. We will therefore study it now in detail.
Firstly, we will present how the stack is structured, and which operations can be executed on it. Figure \ref{fig:stack_pres} presents a stack during the execution of a program. Table \ref{table:systemv_abi_other} explains the purpose of the most relevant registers related to the stack and program execution:
\begin{figure}[H]
\centering
\includegraphics[width=14cm]{stack_pres.jpg}
\caption{Simplified stack representation showing only stack frames.}
\label{fig:stack_pres}
\end{figure}
\begin{table}[H]
\begin{tabular}{|>{\centering\arraybackslash}p{2cm}|>{\centering\arraybackslash}p{10cm}|}
\hline
Register & Purpose\\
\hline
\hline
rip & Instruction Pointer - Memory address of the next instruction to execute\\
\hline
rsp & Stack Pointer - Memory address where next stack operation takes place\\
\hline
rbp & Base/Frame Pointer - Memory address of the start of the stack frame\\
\hline
\end{tabular}
\caption{Relevant registers in x86\_64 for the stack and control flow and their purpose.}
\label{table:systemv_abi_other}
\end{table}
As it can be observed in figure \ref{fig:stack_pres}, the stack grows towards lower memory addresses, and it is organized in stack frames, delimited by the registers rsp and rbp. An stack frame is a division of the stack which contains all the data (variables, call arguments...) belonging to a single function execution. When a function is exited, its stack frame is removed, and if a function calls a nested function, then its stack frame is preserved and a new stack frame is inserted into the stack.
As table \ref{table:systemv_abi_other} explains, the rbp and rsp registers are used for keeping track of the starting and final position of the current stack frame respectively. We can see in figure \ref{fig:stack_pres} that their value is a memory address pointing to their stack positions. On the other hand, the rip register does not point to the stack, but rather to the .text section (see figure \ref{fig:mem_proc_arch}), where it points to the next instruction to be executed. However, as we will now see, its value must also be stored in the stack frame when a nested function is called, since after the nested function exits we need to restore the execution in the same instruction of the original function.
As with any LIFO structure, the stack supports two main operations: \textit{push} and \textit{pop}. In the x86\_64 architecture, it operates with chunks of data of either 16, 32 or 64 bytes.
\begin{itemize}
\item A \textbf{push} operation writes data in the free memory pointed by register rsp. It then moves the value of rsp to point to the new end of the stack.
\item A \textbf{pop} operation moves the value of rsp by 16, 32 or 64 bytes, and reads the data previously saved in that position.
\end{itemize}
\begin{figure}[H]
\centering
\includegraphics[width=10cm]{stack_ops.jpg}
\caption{Representation of push and pop operations in the stack.}
\label{fig:stack_ops}
\end{figure}
As we mentioned, the stack stores function parameters, return addresses and local variables inside a stack frame. We will now study how the processor uses the stack in order to call, execute, and exit a function. To illustrate this process, we will simulate the execution of function \lstinline{func(char* a, char* b, char* c)} \lstinline{}:
\subsection{Accessing user memory}
\begin{figure}[H]
\centering
\includegraphics[width=14cm]{stack_before.jpg}
\caption{Stack representation right before starting the function call process.}
\label{fig:stack_before}
\end{figure}
\begin{figure}[H]
\centering
\includegraphics[width=14cm]{stack.jpg}
\caption{Stack representation right after the function preamble.}
\label{fig:stack}
\end{figure}
\begin{enumerate}
\item The function arguments are pushed into the stack. We can see them in the stack in reverse order.
\item The function is called:
\subitem The value of register rip is pushed into the stack, so that it is saved for when the function exists. We can see it on the figure as 'ret'.
\subitem The value of rip changes to point to the first instruction of the called function.
\item We execute what is called as the \textit{function preamble}\cite{8664_params_abi_p18}, which prepares the stack frame for the called function:
\subitem The value of rbp is pushed into the stack, so that we can restore the previous stack frame when the function exits. We can see it on the figure as the 'saved frame pointer'.
\subitem The value of rsp is moved into rbp. Therefore, now rbp points to the end of the previous stack frame.
\subitem The value of rsp is usually decremented (since the stack needs to go to lower memory addresses) so that we allocate some space for function variables.
\item The function instructions are executed. The stack may be further modified, but on its end rsp must point to the same address of the beginning. Register rbp always keeps pointing to the end of the stack.
\item We execute what is called as the \textit{function epilogue}, which removes the stack frame and restores the original function:
\subitem The value of rbp is moved into rsp, so that rsp points to the start of the previous stack frame. All data allocated in the previous stack frame is considered to be free.
\subitem The value of the saved frame pointer is popped and stored into rbp, so that rbp now points to the start of the previous stack frame.
\subitem The value of the saved rip value is popped into register rip, so that the next instruction to execute is the instruction right after the function call.
\item Since the function arguments where pushed into the stack, they are popped now.
\end{enumerate}
\subsection{Attacks and limitations of bpf\_probe\_write\_user()}
Provided the background into memory architecture and the stack operation, we will now study the offensive capabilities of the bpf\_probe\_write\_user() helper and which restrictions are imposed into its use by eBPF programs.
The bpf\_probe\_write\_user() helper, when used from a tracing eBPF program, can write into any memory address in the user space of the process responsible from calling the hooked function. However, the write operation fails if:
\begin{itemize}
\item{The memory space pointed by the address is marked as non-writeable by the user space process. For instance, if we try to write into the .text section, the helpers fails because this section is only marked as readable and executable (for protection reasons).} Therefore, the process must indicate a writeable flag in the memory section for the helper to succeed.
\item{The memory page is served with a minor or major page fault. As we saw in section \ref{subsection:ebpf_verifier}, eBPF programs are restricted from executing any sleeping or blocking operations, to prevent hanging the kernel. Therefore, since during a page fault the operating system needs to block the execution and write into the page table or retrieve data from the secondary disk, bpf\_probe\_write\_user() is defined as a non-faulting helper\cite{write_helper_non_fault}, meaning that if it needs to issue a page fault for accessing data, it will just return and fail.}
\end{itemize}
%TODO Talk about the difference between having always on BPF and always on kernel modules (maybe this is better in the introduction)
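Review bot: The new stack subsection says push and pop work on chunks of "16, 32 or 64 bytes", which confuses bits with bytes. In 64-bit mode the operand is 64 bits by default, 16 bits with an operand-size prefix, and 32 bits cannot be encoded, so the sentence should read `it operates on operands of 64 bits (8 bytes) by default, or 16 bits (2 bytes) with an operand-size prefix` and the pop item `moves the value of rsp by 2 or 8 bytes`. The call walk-through in the same hunk has the arguments of `func(char* a, char* b, char* c)` pushed onto the stack and popped afterwards, while the earlier text on the System V AMD64 ABI says arguments are held in registers; three pointer arguments would not reach the stack under that convention, so the steps (and presumably the figures) should say they illustrate a stack-passing convention or be redrawn. Step 4's `Register rbp always keeps pointing to the end of the stack` also disagrees with the register table, which defines rbp as the start of the stack frame. The bpf\_probe\_write\_user() subsection that follows builds on this layout, so it needs to be accurate before the attack analysis is added.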


@@ -77,13 +77,13 @@
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.2.1}Access to function arguments}{30}{subsection.3.2.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{34}{subsection.3.2.2}%
\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{33}{subsection.3.2.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.2.3}Overriding function return values}{34}{subsection.3.2.3}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.2.4}Sending signals to user programs}{35}{subsection.3.2.4}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.2.5}Conclusion}{36}{subsection.3.2.5}%
\contentsline {subsection}{\numberline {3.2.5}Conclusion}{35}{subsection.3.2.5}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {3.3}Memory corruption}{36}{section.3.3}%
\defcounter {refsection}{0}\relax
@@ -91,13 +91,15 @@
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.3.2}Process virtual memory}{39}{subsection.3.3.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.3.3}Accessing user memory}{39}{subsection.3.3.3}%
\contentsline {subsection}{\numberline {3.3.3}The process stack}{40}{subsection.3.3.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {4}Methods??}{40}{chapter.4}%
\contentsline {subsection}{\numberline {3.3.4}Attacks and limitations of bpf\_probe\_write\_user()}{43}{subsection.3.3.4}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Results}{41}{chapter.5}%
\contentsline {chapter}{\numberline {4}Methods??}{45}{chapter.4}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {6}Conclusion and future work}{42}{chapter.6}%
\contentsline {chapter}{\numberline {5}Results}{46}{chapter.5}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{43}{chapter.6}%
\contentsline {chapter}{\numberline {6}Conclusion and future work}{47}{chapter.6}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{48}{chapter.6}%
\contentsfinish

BIN
docs/images/memory.jpg Normal file

Binary file not shown.


BIN
docs/images/stack.jpg Normal file

Binary file not shown.


Binary file not shown.


BIN
docs/images/stack_ops.jpg Normal file

Binary file not shown.


BIN
docs/images/stack_pres.jpg Normal file

Binary file not shown.



@@ -73,15 +73,15 @@
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/">
<xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool>
<xmp:ModifyDate>2022-06-04T08:55:07-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-06-04T08:55:07-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-06-04T08:55:07-04:00</xmp:MetadataDate>
<xmp:ModifyDate>2022-06-05T08:58:56-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-06-05T08:58:56-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-06-05T08:58:56-04:00</xmp:MetadataDate>
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/">
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/">
<xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID>
<xmpMM:InstanceID>uuid:020726B4-C48C-816C-5701-957C8A5C3B53</xmpMM:InstanceID>
<xmpMM:InstanceID>uuid:197F6A4D-9D31-F3B4-AF01-BB1C4A02FCC7</xmpMM:InstanceID>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>