Completed memory corruption and continued with networking programs.

This commit is contained in:
h3xduck
2022-06-05 21:20:23 -04:00
parent 3f02cd4996
commit 55378027ab
16 changed files with 511 additions and 238 deletions


@@ -435,7 +435,7 @@ AMD64 Architecture Processor Supplement},
url={https://elixir.bootlin.com/linux/v5.11/source/fs/open.c#L1192}
},
@online{code_kernel_open,
@online{code_kernel_syscall,
indextitle={Linux kernel source code},
url={https://elixir.bootlin.com/linux/v5.11/source/include/linux/syscalls.h#L233}
},
@@ -480,8 +480,22 @@ AMD64 Architecture Processor Supplement},
},
@online{write_helper_non_fault,
title={probe_write_common_error},
title={probe\_write\_common\_error},
url={https://www.spinics.net/lists/bpf/msg16795.html}
},
@online{code_vfs_read,
indextitle={Linux kernel source code},
url={https://elixir.bootlin.com/linux/v5.11/source/fs/read_write.c#L476}
},
@manual{8664_params_abi_p1922,
title={System V Application Binary Interface
AMD64 Architecture Processor Supplement},
author={H.J. Lu et al.},
pages={19-22},
date={2018-01-28},
url={https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf}
}
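Review bot: The new `@manual{8664_params_abi_p1922` entry is a copy of the existing `8664_params_abi_p18` entry differing only in `pages`, so the same document will be listed twice in the bibliography (the generated .bbl already assigns them `extraname` 2 and 3 to tell them apart). A single entry, say `@manual{8664_params_abi, ...}` without a `pages` field, with the page range given at the citation site via `\cite[pp.~19--22]{8664_params_abi}`, avoids the duplicate; if both keys are kept, `pages={19-22}` should at least be written `pages={19--22}` to match the range form biblatex expects. The new `@online{code_vfs_read` entry carries only `indextitle`, which biblatex appears to use for the index rather than the bibliography item, so the item will likely render with just the URL; adding `title={Linux kernel source code}` next to it would make the reference self-describing. The kernel URLs pin v5.11 line numbers but no `urldate`, so consider `urldate={<YYYY-MM-DD, access date>}` on the `@online` entries.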


@@ -204,6 +204,7 @@
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.3}eBPF program types}{18}{section.2.3}\protected@file@percent }
\newlabel{section:ebpf_prog_types}{{2.3}{18}{eBPF program types}{section.2.3}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.1}XDP}{18}{subsection.2.3.1}\protected@file@percent }
\newlabel{subsection:xdp}{{2.3.1}{18}{XDP}{subsection.2.3.1}{}}
\abx@aux@cite{xdp_manual}
\abx@aux@segm{0}{0}{xdp_manual}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.8}{\ignorespaces Figure showing how the eBPF XDP and TC modules are integrated in the network processing in the Linux kernel.\relax }}{19}{figure.caption.23}\protected@file@percent }
@@ -223,6 +224,7 @@
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.11}{\ignorespaces Table showing relevant XDP-exclusive eBPF helpers.\relax }}{20}{table.caption.25}\protected@file@percent }
\newlabel{table:xdp_helpers}{{2.11}{20}{Table showing relevant XDP-exclusive eBPF helpers.\relax }{table.caption.25}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.2}Traffic Control}{20}{subsection.2.3.2}\protected@file@percent }
\newlabel{subsection:tc}{{2.3.2}{20}{Traffic Control}{subsection.2.3.2}{}}
\abx@aux@cite{tp_kernel}
\abx@aux@segm{0}{0}{tp_kernel}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.12}{\ignorespaces Table showing TC relevant return values. Full list can be consulted at \cite {tc_ret_list_complete}.\relax }}{21}{table.caption.26}\protected@file@percent }
@@ -302,6 +304,7 @@
\newlabel{code:sys_enter_read_tp}{{3.6}{32}{Format of custom struct sys\_read\_enter\_ctx}{lstlisting.3.6}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.6}Format of custom struct sys\_read\_enter\_ctx.}{32}{lstlisting.3.6}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{33}{subsection.3.2.2}\protected@file@percent }
\newlabel{subsection:out_read_bounds}{{3.2.2}{33}{Reading memory out of bounds}{subsection.3.2.2}{}}
\abx@aux@cite{ebpf_friends_p15}
\abx@aux@segm{0}{0}{ebpf_friends_p15}
\abx@aux@cite{ebpf_override_return}
@@ -310,19 +313,20 @@
\abx@aux@segm{0}{0}{code_kernel_open}
\abx@aux@cite{code_kernel_open}
\abx@aux@segm{0}{0}{code_kernel_open}
\abx@aux@cite{code_kernel_open}
\abx@aux@segm{0}{0}{code_kernel_open}
\abx@aux@cite{code_kernel_open}
\abx@aux@segm{0}{0}{code_kernel_open}
\abx@aux@cite{code_kernel_syscall}
\abx@aux@segm{0}{0}{code_kernel_syscall}
\abx@aux@cite{code_kernel_syscall}
\abx@aux@segm{0}{0}{code_kernel_syscall}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.3}Overriding function return values}{34}{subsection.3.2.3}\protected@file@percent }
\newlabel{code:override_return_1}{{3.7}{34}{Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{lstlisting.3.7}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.7}Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{34}{lstlisting.3.7}\protected@file@percent }
\newlabel{code:override_return_2}{{3.8}{34}{Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_open}}{lstlisting.3.8}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.8}Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_open}}{34}{lstlisting.3.8}\protected@file@percent }
\newlabel{code:override_return_2}{{3.8}{34}{Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_syscall}}{lstlisting.3.8}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.8}Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_syscall}}{34}{lstlisting.3.8}\protected@file@percent }
\abx@aux@cite{fault_injection}
\abx@aux@segm{0}{0}{fault_injection}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.4}Sending signals to user programs}{35}{subsection.3.2.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.5}Conclusion}{35}{subsection.3.2.5}\protected@file@percent }
\newlabel{subsection:tracing_attacks_conclusion}{{3.2.5}{35}{Conclusion}{subsection.3.2.5}{}}
\abx@aux@cite{ebpf_helpers}
\abx@aux@segm{0}{0}{ebpf_helpers}
\abx@aux@cite{mem_page_arch}
@@ -359,19 +363,31 @@
\abx@aux@cite{write_helper_non_fault}
\abx@aux@segm{0}{0}{write_helper_non_fault}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.4}Attacks and limitations of bpf\_probe\_write\_user()}{43}{subsection.3.3.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Methods??}{45}{chapter.4}\protected@file@percent }
\newlabel{subsection_bpf_probe_write_apps}{{3.3.4}{43}{Attacks and limitations of bpf\_probe\_write\_user()}{subsection.3.3.4}{}}
\abx@aux@cite{code_vfs_read}
\abx@aux@segm{0}{0}{code_vfs_read}
\abx@aux@cite{code_vfs_read}
\abx@aux@segm{0}{0}{code_vfs_read}
\abx@aux@cite{8664_params_abi_p1922}
\abx@aux@segm{0}{0}{8664_params_abi_p1922}
\newlabel{code:vfs_read}{{3.9}{44}{Definition of kernel function vfs\_read. \cite {code_vfs_read}}{lstlisting.3.9}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.9}Definition of kernel function vfs\_read. \cite {code_vfs_read}}{44}{lstlisting.3.9}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.9}{\ignorespaces Overview of stack scanning and writing technique.\relax }}{45}{figure.caption.43}\protected@file@percent }
\newlabel{fig:stack_scan_write_tech}{{3.9}{45}{Overview of stack scanning and writing technique.\relax }{figure.caption.43}{}}
\newlabel{code:stack_scan_write_tech}{{3.10}{45}{Sample program being executed on figure \ref {fig:stack_scan_write_tech}}{lstlisting.3.10}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.10}Sample program being executed on figure \ref {fig:stack_scan_write_tech}.}{45}{lstlisting.3.10}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.5}Conclusion}{46}{subsection.3.3.5}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.4}Abusing networking programs}{46}{section.3.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.1}Attacks and limitations of networking programs}{47}{subsection.3.4.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{48}{chapter.4}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Results}{46}{chapter.5}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{49}{chapter.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Conclusion and future work}{47}{chapter.6}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{48}{chapter.6}\protected@file@percent }
\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.44}{}}
\abx@aux@read@bbl@mdfivesum{5BC491FF2560E8B85979411211F855E2}
\abx@aux@read@bblrerun
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{50}{chapter.5}\protected@file@percent }
\newlabel{annex:bpftool_flags_kernel}{{5}{}{Appendix A - Bpftool commands}{chapter*.45}{}}
\abx@aux@read@bbl@mdfivesum{070A0F15FB780499B250A471B22B0670}
\abx@aux@refcontextdefaultsdone
\abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global}
@@ -437,9 +453,14 @@
\abx@aux@defaultrefcontext{0}{ebpf_friends_p15}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_override_return}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{code_kernel_open}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{code_kernel_syscall}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{fault_injection}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{mem_page_arch}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{page_faults}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{mem_arch_proc}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{8664_params_abi_p18}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{write_helper_non_fault}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{code_vfs_read}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{8664_params_abi_p1922}{none/global//global/global}
\ttl@finishall
\gdef \@abspage@last{70}
\gdef \@abspage@last{73}


@@ -1300,6 +1300,7 @@
\strng{authorbibnamehash}{871f02558cb7234c22cde24811cf53a7}
\strng{authornamehash}{871f02558cb7234c22cde24811cf53a7}
\strng{authorfullhash}{871f02558cb7234c22cde24811cf53a7}
\field{extraname}{1}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{labelnamesource}{author}
@@ -1375,6 +1376,17 @@
\verb https://elixir.bootlin.com/linux/v5.11/source/fs/open.c#L1192
\endverb
\endentry
\entry{code_kernel_syscall}{online}{}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{indextitle}{Linux kernel source code}
\verb{urlraw}
\verb https://elixir.bootlin.com/linux/v5.11/source/include/linux/syscalls.h#L233
\endverb
\verb{url}
\verb https://elixir.bootlin.com/linux/v5.11/source/include/linux/syscalls.h#L233
\endverb
\endentry
\entry{fault_injection}{online}{}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
@@ -1487,6 +1499,99 @@
\verb https://h3xduck.github.io/exploit/2021/05/23/stackbufferoverflow-part1.html
\endverb
\endentry
\entry{8664_params_abi_p18}{manual}{}
\name{author}{1}{}{%
{{hash=871f02558cb7234c22cde24811cf53a7}{%
family={al.},
familyi={a\bibinitperiod},
given={H.J.\bibnamedelimi Lu},
giveni={H\bibinitperiod\bibinitdelim L\bibinitperiod},
prefix={et},
prefixi={e\bibinitperiod}}}%
}
\strng{namehash}{871f02558cb7234c22cde24811cf53a7}
\strng{fullhash}{871f02558cb7234c22cde24811cf53a7}
\strng{bibnamehash}{871f02558cb7234c22cde24811cf53a7}
\strng{authorbibnamehash}{871f02558cb7234c22cde24811cf53a7}
\strng{authornamehash}{871f02558cb7234c22cde24811cf53a7}
\strng{authorfullhash}{871f02558cb7234c22cde24811cf53a7}
\field{extraname}{2}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{28}
\field{month}{1}
\field{title}{System V Application Binary Interface AMD64 Architecture Processor Supplement}
\field{year}{2018}
\field{dateera}{ce}
\field{pages}{18}
\range{pages}{1}
\verb{urlraw}
\verb https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf
\endverb
\verb{url}
\verb https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf
\endverb
\endentry
\entry{write_helper_non_fault}{online}{}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{title}{probe\_write\_common\_error}
\verb{urlraw}
\verb https://www.spinics.net/lists/bpf/msg16795.html
\endverb
\verb{url}
\verb https://www.spinics.net/lists/bpf/msg16795.html
\endverb
\endentry
\entry{code_vfs_read}{online}{}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{indextitle}{Linux kernel source code}
\verb{urlraw}
\verb https://elixir.bootlin.com/linux/v5.11/source/fs/read_write.c#L476
\endverb
\verb{url}
\verb https://elixir.bootlin.com/linux/v5.11/source/fs/read_write.c#L476
\endverb
\endentry
\entry{8664_params_abi_p1922}{manual}{}
\name{author}{1}{}{%
{{hash=871f02558cb7234c22cde24811cf53a7}{%
family={al.},
familyi={a\bibinitperiod},
given={H.J.\bibnamedelimi Lu},
giveni={H\bibinitperiod\bibinitdelim L\bibinitperiod},
prefix={et},
prefixi={e\bibinitperiod}}}%
}
\strng{namehash}{871f02558cb7234c22cde24811cf53a7}
\strng{fullhash}{871f02558cb7234c22cde24811cf53a7}
\strng{bibnamehash}{871f02558cb7234c22cde24811cf53a7}
\strng{authorbibnamehash}{871f02558cb7234c22cde24811cf53a7}
\strng{authornamehash}{871f02558cb7234c22cde24811cf53a7}
\strng{authorfullhash}{871f02558cb7234c22cde24811cf53a7}
\field{extraname}{3}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{28}
\field{month}{1}
\field{title}{System V Application Binary Interface AMD64 Architecture Processor Supplement}
\field{year}{2018}
\field{dateera}{ce}
\field{pages}{19\bibrangedash 22}
\range{pages}{4}
\verb{urlraw}
\verb https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf
\endverb
\verb{url}
\verb https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf
\endverb
\endentry
\enddatalist
\endrefsection
\endinput


@@ -2430,8 +2430,8 @@
<bcf:citekey order="93">ebpf_override_return</bcf:citekey>
<bcf:citekey order="94">code_kernel_open</bcf:citekey>
<bcf:citekey order="95">code_kernel_open</bcf:citekey>
<bcf:citekey order="96">code_kernel_open</bcf:citekey>
<bcf:citekey order="97">code_kernel_open</bcf:citekey>
<bcf:citekey order="96">code_kernel_syscall</bcf:citekey>
<bcf:citekey order="97">code_kernel_syscall</bcf:citekey>
<bcf:citekey order="98">fault_injection</bcf:citekey>
<bcf:citekey order="99">ebpf_helpers</bcf:citekey>
<bcf:citekey order="100">mem_page_arch</bcf:citekey>
@@ -2439,6 +2439,9 @@
<bcf:citekey order="102">mem_arch_proc</bcf:citekey>
<bcf:citekey order="103">8664_params_abi_p18</bcf:citekey>
<bcf:citekey order="104">write_helper_non_fault</bcf:citekey>
<bcf:citekey order="105">code_vfs_read</bcf:citekey>
<bcf:citekey order="106">code_vfs_read</bcf:citekey>
<bcf:citekey order="107">8664_params_abi_p1922</bcf:citekey>
</bcf:section>
<!-- SORTING TEMPLATES -->
<bcf:sortingtemplate name="none">


@@ -1,89 +1,91 @@
[1] Config.pm:311> INFO - This is Biber 2.16
[1] Config.pm:314> INFO - Logfile is 'document.blg'
[154] biber:340> INFO - === Sun Jun 5, 2022, 08:34:18
[185] Biber.pm:415> INFO - Reading 'document.bcf'
[372] Biber.pm:952> INFO - Found 68 citekeys in bib section 0
[411] Biber.pm:4340> INFO - Processing section 0
[431] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[435] bibtex.pm:1689> INFO - LaTeX decoding ...
[503] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[513] Utils.pm:384> WARN - Duplicate entry key: 'code_kernel_open' in file 'bibliography/bibliography.bib', skipping ...
[896] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 9, warning: 1 characters of junk seen at toplevel
[897] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 15, warning: 1 characters of junk seen at toplevel
[897] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 22, warning: 1 characters of junk seen at toplevel
[897] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 28, warning: 1 characters of junk seen at toplevel
[897] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 35, warning: 1 characters of junk seen at toplevel
[897] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 42, warning: 1 characters of junk seen at toplevel
[898] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 50, warning: 1 characters of junk seen at toplevel
[898] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 58, warning: 1 characters of junk seen at toplevel
[898] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 65, warning: 1 characters of junk seen at toplevel
[898] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 70, warning: 1 characters of junk seen at toplevel
[898] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 77, warning: 1 characters of junk seen at toplevel
[898] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 85, warning: 1 characters of junk seen at toplevel
[899] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 94, warning: 1 characters of junk seen at toplevel
[899] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 103, warning: 1 characters of junk seen at toplevel
[899] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 112, warning: 1 characters of junk seen at toplevel
[899] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 121, warning: 1 characters of junk seen at toplevel
[900] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 127, warning: 1 characters of junk seen at toplevel
[900] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 132, warning: 1 characters of junk seen at toplevel
[900] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 137, warning: 1 characters of junk seen at toplevel
[900] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 142, warning: 1 characters of junk seen at toplevel
[901] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 153, warning: 1 characters of junk seen at toplevel
[901] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 158, warning: 1 characters of junk seen at toplevel
[901] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 164, warning: 1 characters of junk seen at toplevel
[901] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 170, warning: 1 characters of junk seen at toplevel
[902] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 175, warning: 1 characters of junk seen at toplevel
[902] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 184, warning: 1 characters of junk seen at toplevel
[902] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 191, warning: 1 characters of junk seen at toplevel
[902] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 199, warning: 1 characters of junk seen at toplevel
[902] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 206, warning: 1 characters of junk seen at toplevel
[903] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 215, warning: 1 characters of junk seen at toplevel
[903] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 224, warning: 1 characters of junk seen at toplevel
[903] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 233, warning: 1 characters of junk seen at toplevel
[903] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 239, warning: 1 characters of junk seen at toplevel
[903] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 244, warning: 1 characters of junk seen at toplevel
[904] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 249, warning: 1 characters of junk seen at toplevel
[904] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 256, warning: 1 characters of junk seen at toplevel
[904] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 261, warning: 1 characters of junk seen at toplevel
[904] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 266, warning: 1 characters of junk seen at toplevel
[904] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 271, warning: 1 characters of junk seen at toplevel
[905] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 276, warning: 1 characters of junk seen at toplevel
[905] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 283, warning: 1 characters of junk seen at toplevel
[905] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 288, warning: 1 characters of junk seen at toplevel
[905] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 295, warning: 1 characters of junk seen at toplevel
[906] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 302, warning: 1 characters of junk seen at toplevel
[906] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 309, warning: 1 characters of junk seen at toplevel
[906] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 315, warning: 1 characters of junk seen at toplevel
[906] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 321, warning: 1 characters of junk seen at toplevel
[907] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 327, warning: 1 characters of junk seen at toplevel
[907] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 334, warning: 1 characters of junk seen at toplevel
[907] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 339, warning: 1 characters of junk seen at toplevel
[907] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 344, warning: 1 characters of junk seen at toplevel
[907] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 349, warning: 1 characters of junk seen at toplevel
[908] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 356, warning: 1 characters of junk seen at toplevel
[908] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 361, warning: 1 characters of junk seen at toplevel
[908] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 366, warning: 1 characters of junk seen at toplevel
[908] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 375, warning: 1 characters of junk seen at toplevel
[908] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 380, warning: 1 characters of junk seen at toplevel
[908] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 385, warning: 1 characters of junk seen at toplevel
[909] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 390, warning: 1 characters of junk seen at toplevel
[909] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 395, warning: 1 characters of junk seen at toplevel
[909] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 400, warning: 1 characters of junk seen at toplevel
[909] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 405, warning: 1 characters of junk seen at toplevel
[909] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 410, warning: 1 characters of junk seen at toplevel
[909] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 419, warning: 1 characters of junk seen at toplevel
[909] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 428, warning: 1 characters of junk seen at toplevel
[909] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 433, warning: 1 characters of junk seen at toplevel
[909] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 438, warning: 1 characters of junk seen at toplevel
[910] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 443, warning: 1 characters of junk seen at toplevel
[910] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 449, warning: 1 characters of junk seen at toplevel
[910] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 459, warning: 1 characters of junk seen at toplevel
[910] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 466, warning: 1 characters of junk seen at toplevel
[910] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_LCOX/f4d088b3f9f145b5c3058da33afd57d4_236327.utf8, line 473, warning: 1 characters of junk seen at toplevel
[1017] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[1018] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[1018] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[1018] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[1113] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[1160] bbl.pm:757> INFO - Output to document.bbl
[1161] Biber.pm:128> INFO - WARNINGS: 73
[0] Config.pm:311> INFO - This is Biber 2.16
[0] Config.pm:314> INFO - Logfile is 'document.blg'
[60] biber:340> INFO - === Sun Jun 5, 2022, 18:05:09
[76] Biber.pm:415> INFO - Reading 'document.bcf'
[150] Biber.pm:952> INFO - Found 73 citekeys in bib section 0
[165] Biber.pm:4340> INFO - Processing section 0
[174] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[177] bibtex.pm:1689> INFO - LaTeX decoding ...
[205] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[384] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 9, warning: 1 characters of junk seen at toplevel
[384] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 15, warning: 1 characters of junk seen at toplevel
[384] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 22, warning: 1 characters of junk seen at toplevel
[384] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 28, warning: 1 characters of junk seen at toplevel
[384] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 35, warning: 1 characters of junk seen at toplevel
[384] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 42, warning: 1 characters of junk seen at toplevel
[384] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 50, warning: 1 characters of junk seen at toplevel
[384] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 58, warning: 1 characters of junk seen at toplevel
[384] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 65, warning: 1 characters of junk seen at toplevel
[384] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 70, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 77, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 85, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 94, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 103, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 112, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 121, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 127, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 132, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 137, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 142, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 153, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 158, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 164, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 170, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 175, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 184, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 191, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 199, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 206, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 215, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 224, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 233, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 239, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 244, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 249, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 256, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 261, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 266, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 271, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 276, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 283, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 288, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 295, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 302, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 309, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 315, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 321, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 327, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 334, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 339, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 344, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 349, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 356, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 361, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 366, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 375, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 380, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 385, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 390, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 395, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 400, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 405, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 410, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 419, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 428, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 433, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 438, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 443, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 449, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 459, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 466, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 473, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 482, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 487, warning: 1 characters of junk seen at toplevel
[388] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 492, warning: 1 characters of junk seen at toplevel
[431] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[432] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[432] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[432] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[472] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[489] bbl.pm:757> INFO - Output to document.bbl
[489] Biber.pm:128> INFO - WARNINGS: 75


@@ -41,7 +41,7 @@
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {3.8}{\ignorespaces Stack representation right after the function preamble.\relax }}{42}{figure.caption.42}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\contentsline {figure}{\numberline {3.9}{\ignorespaces Overview of stack scanning and writing technique.\relax }}{45}{figure.caption.43}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax


@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 5 JUN 2022 08:58
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 5 JUN 2022 21:19
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.
@@ -1089,7 +1089,7 @@ File: t1txss.fd 2000/12/15 v3.1
)
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 11.39996pt on input line 186.
<images//Portada_Logo.png, id=209, 456.2865pt x 45.99pt>
<images//Portada_Logo.png, id=221, 456.2865pt x 45.99pt>
File: images//Portada_Logo.png Graphic file (type png)
<use images//Portada_Logo.png>
Package pdftex.def Info: images//Portada_Logo.png used on input line 190.
@@ -1102,7 +1102,7 @@ LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 23.63593pt on input line 201.
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 19.70294pt on input line 205.
<images/creativecommons.png, id=211, 338.76563pt x 118.19156pt>
<images/creativecommons.png, id=223, 338.76563pt x 118.19156pt>
File: images/creativecommons.png Graphic file (type png)
<use images/creativecommons.png>
Package pdftex.def Info: images/creativecommons.png used on input line 215.
@@ -1214,7 +1214,7 @@ Chapter 2.
LaTeX Warning: Reference `section:analysis_offensive_capabilities' on page 5 un
defined on input line 412.
<images//classic_bpf.jpg, id=552, 588.1975pt x 432.61626pt>
<images//classic_bpf.jpg, id=572, 588.1975pt x 432.61626pt>
File: images//classic_bpf.jpg Graphic file (type jpg)
<use images//classic_bpf.jpg>
Package pdftex.def Info: images//classic_bpf.jpg used on input line 426.
@@ -1222,36 +1222,36 @@ Package pdftex.def Info: images//classic_bpf.jpg used on input line 426.
[5
] [6 <./images//classic_bpf.jpg>]
<images//cbpf_prog.jpg, id=570, 403.5075pt x 451.6875pt>
<images//cbpf_prog.jpg, id=590, 403.5075pt x 451.6875pt>
File: images//cbpf_prog.jpg Graphic file (type jpg)
<use images//cbpf_prog.jpg>
Package pdftex.def Info: images//cbpf_prog.jpg used on input line 453.
(pdftex.def) Requested size: 227.62204pt x 254.80415pt.
[7 <./images/cBPF_prog.jpg>]
<images//bpf_instructions.png, id=580, 380.92313pt x 475.27562pt>
<images//bpf_instructions.png, id=600, 380.92313pt x 475.27562pt>
File: images//bpf_instructions.png Graphic file (type png)
<use images//bpf_instructions.png>
Package pdftex.def Info: images//bpf_instructions.png used on input line 493.
(pdftex.def) Requested size: 227.62204pt x 283.99998pt.
[8 <./images//bpf_instructions.png>]
<images//bpf_address_mode.png, id=590, 417.05812pt x 313.67188pt>
<images//bpf_address_mode.png, id=610, 417.05812pt x 313.67188pt>
File: images//bpf_address_mode.png Graphic file (type png)
<use images//bpf_address_mode.png>
Package pdftex.def Info: images//bpf_address_mode.png used on input line 509.
(pdftex.def) Requested size: 227.62204pt x 171.19905pt.
[9 <./images//bpf_address_mode.png>]
<images//tcpdump_example.png, id=603, 534.99875pt x 454.69875pt>
<images//tcpdump_example.png, id=623, 534.99875pt x 454.69875pt>
File: images//tcpdump_example.png Graphic file (type png)
<use images//tcpdump_example.png>
Package pdftex.def Info: images//tcpdump_example.png used on input line 524.
(pdftex.def) Requested size: 284.52756pt x 241.82869pt.
<images//cBPF_prog_ex_sol.png, id=606, 242.9075pt x 321.2pt>
<images//cBPF_prog_ex_sol.png, id=626, 242.9075pt x 321.2pt>
File: images//cBPF_prog_ex_sol.png Graphic file (type png)
<use images//cBPF_prog_ex_sol.png>
Package pdftex.def Info: images//cBPF_prog_ex_sol.png used on input line 535.
(pdftex.def) Requested size: 170.71652pt x 225.74026pt.
[10 <./images//tcpdump_example.png>] [11 <./images//cBPF_prog_ex_sol.png>]
<images//ebpf_arch.jpg, id=624, 739.76375pt x 472.76625pt>
<images//ebpf_arch.jpg, id=644, 739.76375pt x 472.76625pt>
File: images//ebpf_arch.jpg Graphic file (type jpg)
<use images//ebpf_arch.jpg>
Package pdftex.def Info: images//ebpf_arch.jpg used on input line 574.
@@ -1303,7 +1303,7 @@ Overfull \hbox (13.5802pt too wide) in paragraph at lines 759--789
[]
[17]
<images//xdp_diag.jpg, id=704, 649.42625pt x 472.76625pt>
<images//xdp_diag.jpg, id=724, 649.42625pt x 472.76625pt>
File: images//xdp_diag.jpg Graphic file (type jpg)
<use images//xdp_diag.jpg>
Package pdftex.def Info: images//xdp_diag.jpg used on input line 805.
@@ -1314,7 +1314,7 @@ Overfull \hbox (5.80417pt too wide) in paragraph at lines 868--880
[]
[20] [21] [22] [23]
<images//libbpf_prog.jpg, id=763, 543.02875pt x 502.87875pt>
<images//libbpf_prog.jpg, id=783, 543.02875pt x 502.87875pt>
File: images//libbpf_prog.jpg Graphic file (type jpg)
<use images//libbpf_prog.jpg>
Package pdftex.def Info: images//libbpf_prog.jpg used on input line 978.
@@ -1369,187 +1369,202 @@ LaTeX Font Info: Font shape `T1/txtt/b/n' in size <10> not available
(Font) Font shape `T1/txtt/bx/n' tried instead on input line 1141.
[31] [32]
Overfull \hbox (55.2727pt too wide) in paragraph at lines 1284--1285
Overfull \hbox (55.2727pt too wide) in paragraph at lines 1283--1284
\T1/txr/m/n/12 As we in-tro-duced in the pre-vi-ous sub-sec-tion, the bpf_probe
_read_user() and bpf_probe_read_kernel()
[]
[33]
LaTeX Warning: Reference `TODO' on page 34 undefined on input line 1288.
Overfull \hbox (47.97661pt too wide) in paragraph at lines 1293--1294
Overfull \hbox (47.97661pt too wide) in paragraph at lines 1292--1293
\T1/txr/m/n/12 helper. It will only work if the ker-nel was com-piled with the
CON-FIG_BPF_KPROBE_OVERRIDE
[]
[34]
Overfull \hbox (62.0767pt too wide) in paragraph at lines 1335--1336
Overfull \hbox (62.0767pt too wide) in paragraph at lines 1334--1335
\T1/txr/m/n/12 the bounds of func-tion pa-ram-e-ters via the helpers bpf_probe_
read_user() and bpf_probe_read_kernel().
[]
[35]
<images//mem_arch_pages.jpg, id=945, 593.21625pt x 434.62375pt>
<images//mem_arch_pages.jpg, id=967, 593.21625pt x 434.62375pt>
File: images//mem_arch_pages.jpg Graphic file (type jpg)
<use images//mem_arch_pages.jpg>
Package pdftex.def Info: images//mem_arch_pages.jpg used on input line 1348.
Package pdftex.def Info: images//mem_arch_pages.jpg used on input line 1347.
(pdftex.def) Requested size: 369.88582pt x 271.00914pt.
[36]
<images//mem_major_page_fault.jpg, id=953, 639.38875pt x 425.59pt>
<images//mem_major_page_fault.jpg, id=975, 639.38875pt x 425.59pt>
File: images//mem_major_page_fault.jpg Graphic file (type jpg)
<use images//mem_major_page_fault.jpg>
Package pdftex.def Info: images//mem_major_page_fault.jpg used on input line 1
358.
357.
(pdftex.def) Requested size: 312.9803pt x 208.32661pt.
[37 <./images//mem_arch_pages.jpg>]
<images//mem_minor_page_fault.jpg, id=960, 654.445pt x 555.07375pt>
<images//mem_minor_page_fault.jpg, id=982, 654.445pt x 555.07375pt>
File: images//mem_minor_page_fault.jpg Graphic file (type jpg)
<use images//mem_minor_page_fault.jpg>
Package pdftex.def Info: images//mem_minor_page_fault.jpg used on input line 1
366.
365.
(pdftex.def) Requested size: 312.9803pt x 265.45834pt.
<images//memory.jpg, id=961, 310.15875pt x 519.9425pt>
<images//memory.jpg, id=983, 310.15875pt x 519.9425pt>
File: images//memory.jpg Graphic file (type jpg)
<use images//memory.jpg>
Package pdftex.def Info: images//memory.jpg used on input line 1376.
(pdftex.def) Requested size: 170.71652pt x 286.18347pt.
[38 <./images//mem_major_page_fault.jpg> <./images//mem_minor_page_fault.jpg>]
[39 <./images//memory.jpg>]
<images//stack_pres.jpg, id=975, 707.64375pt x 283.0575pt>
<images//stack_pres.jpg, id=997, 707.64375pt x 283.0575pt>
File: images//stack_pres.jpg Graphic file (type jpg)
<use images//stack_pres.jpg>
Package pdftex.def Info: images//stack_pres.jpg used on input line 1399.
(pdftex.def) Requested size: 398.33858pt x 159.33606pt.
[40 <./images//stack_pres.jpg>]
<images//stack_ops.jpg, id=984, 524.96124pt x 694.595pt>
<images//stack_ops.jpg, id=1006, 524.96124pt x 694.595pt>
File: images//stack_ops.jpg Graphic file (type jpg)
<use images//stack_ops.jpg>
Package pdftex.def Info: images//stack_ops.jpg used on input line 1433.
(pdftex.def) Requested size: 284.52756pt x 376.47473pt.
<images//stack_before.jpg, id=985, 712.6625pt x 315.1775pt>
<images//stack_before.jpg, id=1007, 712.6625pt x 315.1775pt>
File: images//stack_before.jpg Graphic file (type jpg)
<use images//stack_before.jpg>
Package pdftex.def Info: images//stack_before.jpg used on input line 1444.
(pdftex.def) Requested size: 398.33858pt x 176.16635pt.
[41 <./images//stack_ops.jpg>]
<images//stack.jpg, id=990, 707.64375pt x 381.425pt>
<images//stack.jpg, id=1012, 707.64375pt x 381.425pt>
File: images//stack.jpg Graphic file (type jpg)
<use images//stack.jpg>
Package pdftex.def Info: images//stack.jpg used on input line 1451.
(pdftex.def) Requested size: 398.33858pt x 214.70816pt.
[42 <./images//stack_before.jpg> <./images//stack.jpg>] [43]
Overfull \hbox (3.09538pt too wide) in paragraph at lines 1495--1496
\T1/txr/m/n/12 trac-ing pro-grams can read any user mem-ory lo-ca-tion with the
bpf_probe_read_user()
[]
[44]
<images//stack_scan_write_tech.jpg, id=1055, 829.0975pt x 315.1775pt>
File: images//stack_scan_write_tech.jpg Graphic file (type jpg)
<use images//stack_scan_write_tech.jpg>
Package pdftex.def Info: images//stack_scan_write_tech.jpg used on input line
1511.
(pdftex.def) Requested size: 455.24408pt x 173.0548pt.
Overfull \hbox (28.45273pt too wide) in paragraph at lines 1511--1512
[][]
[]
LaTeX Warning: Citation '8664_params_abi_p18' on page 42 undefined on input lin
e 1461.
LaTeX Warning: Reference `TODO' on page 45 undefined on input line 1533.
[42 <./images//stack_before.jpg> <./images//stack.jpg>]
LaTeX Warning: Citation 'write_helper_non_fault' on page 43 undefined on input
line 1479.
[43] [44]
[45 <./images//stack_scan_write_tech.jpg>] [46] [47]
Chapter 4.
[45
[48
]
Chapter 5.
[46
[49
]
Chapter 6.
[47
]
Overfull \hbox (5.34976pt too wide) in paragraph at lines 1508--1508
Overfull \hbox (5.34976pt too wide) in paragraph at lines 1610--1610
\T1/txtt/m/n/12 threat -[] intelligence / cyber -[] year -[] in -[] retrospect
/ yir -[] cyber -[] threats -[]
[]
[48
[50
]
Overfull \hbox (6.22696pt too wide) in paragraph at lines 1508--1508
Overfull \hbox (6.22696pt too wide) in paragraph at lines 1610--1610
[]\T1/txr/m/it/12 Bpf fea-tures by linux ker-nel ver-sion\T1/txr/m/n/12 , io-vi
-sor. [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / github .
[]
Overfull \hbox (7.34976pt too wide) in paragraph at lines 1508--1508
Overfull \hbox (7.34976pt too wide) in paragraph at lines 1610--1610
[][]$\T1/txtt/m/n/12 https : / / ebpf . io / what -[] is -[] ebpf / #loader -[]
-[] verification -[] architecture$[][]\T1/txr/m/n/12 .
[]
Overfull \hbox (21.24973pt too wide) in paragraph at lines 1508--1508
Overfull \hbox (21.24973pt too wide) in paragraph at lines 1610--1610
\T1/txtt/m/n/12 vger . kernel . org / netconf2015Starovoitov -[] bpf _ collabsu
mmit _ 2015feb20 .
[]
[49]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 1508--1508
[51]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 1610--1610
\T1/txtt/m/n/12 ch02 . xhtml# :-[]: text = With % 20JIT % 20compiled % 20code %
2C % 20i ,[] %20other %
[]
Overfull \hbox (6.49615pt too wide) in paragraph at lines 1508--1508
Overfull \hbox (6.49615pt too wide) in paragraph at lines 1610--1610
[]\T1/txr/m/n/12 D. Lavie. ^^P A gen-tle in-tro-duc-tion to xdp.^^Q (Feb. 3, 2
022), [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https :
[]
[50]
Overfull \hbox (0.76683pt too wide) in paragraph at lines 1508--1508
[52]
Overfull \hbox (0.76683pt too wide) in paragraph at lines 1610--1610
[]\T1/txr/m/n/12 ^^P Bpf next ker-nel tree.^^Q (), [On-line]. Avail-able: [][]
$\T1/txtt/m/n/12 https : / / kernel . googlesource .
[]
Overfull \hbox (14.49278pt too wide) in paragraph at lines 1508--1508
Overfull \hbox (14.49278pt too wide) in paragraph at lines 1610--1610
[]\T1/txr/m/it/12 Capabilities - overview of linux ca-pa-bil-i-ties\T1/txr/m/n/
12 . [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 http : / / manpages .
[]
[51]
Overfull \hbox (53.32059pt too wide) in paragraph at lines 1508--1508
[53]
Overfull \hbox (53.32059pt too wide) in paragraph at lines 1610--1610
\T1/txr/m/it/12 sup-ple-ment\T1/txr/m/n/12 , Jan. 28, 2018, p. 148. [On-line].
Avail-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
[]
Overfull \hbox (33.3497pt too wide) in paragraph at lines 1508--1508
Overfull \hbox (33.3497pt too wide) in paragraph at lines 1610--1610
\T1/txtt/m/n/12 20CON % 2029 % 20presentations / Guillaume % 20Fournier % 20Syl
vain % 20Afchain %
[]
Overfull \hbox (9.33742pt too wide) in paragraph at lines 1508--1508
Overfull \hbox (9.33742pt too wide) in paragraph at lines 1610--1610
\T1/txr/m/n/12 Avail-able: [][]$\T1/txtt/m/n/12 https : / / events19 . linuxfou
ndation . org / wp -[] content / uploads /
[]
Overfull \hbox (18.44974pt too wide) in paragraph at lines 1508--1508
Overfull \hbox (18.44974pt too wide) in paragraph at lines 1610--1610
\T1/txtt/m/n/12 2017 / 12 / MM -[] 101 -[] Introduction -[] to -[] Linux -[] Me
mory -[] Management -[] Christoph -[]
[]
Overfull \hbox (5.92503pt too wide) in paragraph at lines 1508--1508
Overfull \hbox (5.92503pt too wide) in paragraph at lines 1610--1610
[]\T1/txr/m/n/12 D. Breaker. ^^P Un-der-stand-ing page faults and mem-ory swap
-in/outs.^^Q (Aug. 19, 2019),
[]
Overfull \hbox (40.56133pt too wide) in paragraph at lines 1508--1508
Overfull \hbox (40.56133pt too wide) in paragraph at lines 1610--1610
\T1/txr/m/n/12 able: [][]$\T1/txtt/m/n/12 https : / / h3xduck . github . io / e
xploit / 2021 / 05 / 23 / stackbufferoverflow -[]
[]
[52] (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
Overfull \hbox (47.32059pt too wide) in paragraph at lines 1610--1610
\T1/txr/m/it/12 sup-ple-ment\T1/txr/m/n/12 , Jan. 28, 2018, p. 18. [On-line]. A
vail-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
[]
[54]
Overfull \hbox (39.98859pt too wide) in paragraph at lines 1610--1610
\T1/txr/m/it/12 ment\T1/txr/m/n/12 , Jan. 28, 2018, pp. 19^^U22. [On-line]. Ava
il-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
[]
[55] (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
File: lstlang1.sty 2020/03/24 1.8d listings language file
)
(/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
@@ -1560,47 +1575,54 @@ File: lstlang1.sty 2020/03/24 1.8d listings language file
been already used, duplicate ignored
<to be read again>
\relax
l.1568 \end{document}
l.1670 \end{document}
[2
] (./document.aux)
LaTeX Warning: There were undefined references.
Package rerunfilecheck Info: File `document.out' has not changed.
(rerunfilecheck) Checksum: FC2292DDA34492747A3EE632FD835264;3816.
Package biblatex Warning: Please (re)run Biber on the file:
(biblatex) document
(biblatex) and rerun LaTeX afterwards.
LaTeX Warning: Label(s) may have changed. Rerun to get cross-references right.
Package rerunfilecheck Warning: File `document.out' has changed.
(rerunfilecheck) Rerun to get outlines right
(rerunfilecheck) or use package `bookmark'.
Package rerunfilecheck Info: Checksums for `document.out':
(rerunfilecheck) Before: D79DA99C79A7C21C04809C7BF087F9C6;4075
(rerunfilecheck) After: 6377ECFD9064550E1372CD631FBAEB79;4030.
Package logreq Info: Writing requests to 'document.run.xml'.
\openout1 = `document.run.xml'.
)
Here is how much of TeX's memory you used:
28364 strings out of 481209
451535 string characters out of 5914747
1344799 words of memory out of 5000000
44554 multiletter control sequences out of 15000+600000
28447 strings out of 481209
453201 string characters out of 5914747
1348498 words of memory out of 5000000
44595 multiletter control sequences out of 15000+600000
459242 words of font info for 106 fonts, out of 8000000 for 9000
36 hyphenation exceptions out of 8191
88i,12n,90p,1029b,3681s stack positions out of 5000i,500n,10000p,200000b,80000s
{/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc}</usr/share/texliv
e/texmf-dist/fonts/type1/public/txfonts/rtcxi.pfb></usr/share/texlive/texmf-dis
t/fonts/type1/public/txfonts/rtcxr.pfb></usr/share/texlive/texmf-dist/fonts/typ
e1/public/txfonts/rtxb.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/tx
fonts/rtxi.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/rtxr.p
fb></usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/t1xbtt.pfb></usr/s
hare/texlive/texmf-dist/fonts/type1/public/txfonts/t1xtt.pfb></usr/share/texliv
e/texmf-dist/fonts/type1/urw/helvetic/uhvb8a.pfb></usr/share/texlive/texmf-dist
/fonts/type1/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1
/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/u
tmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr
/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on document.pdf (70 pages, 1111385 bytes).
PDF statistics:
1322 PDF objects out of 1440 (max. 8388607)
304 named destinations out of 1000 (max. 500000)
516 words of extra memory for PDF output out of 10000 (max. 10000000)
pdfTeX warning (dest): name{chapter.6} has been referenced but does not exist
, replaced by a fixed one
{/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc}</usr/share/texlive/
texmf-dist/fonts/type1/public/txfonts/rtcxi.pfb></usr/share/texlive/texmf-dist/
fonts/type1/public/txfonts/rtcxr.pfb></usr/share/texlive/texmf-dist/fonts/type1
/public/txfonts/rtxb.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/txfo
nts/rtxi.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/rtxr.pfb
></usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/t1xbtt.pfb></usr/sha
re/texlive/texmf-dist/fonts/type1/public/txfonts/t1xtt.pfb></usr/share/texlive/
texmf-dist/fonts/type1/urw/helvetic/uhvb8a.pfb></usr/share/texlive/texmf-dist/f
onts/type1/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/u
rw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utm
b8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr/s
hare/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on document.pdf (73 pages, 1195969 bytes).
PDF statistics:
1426 PDF objects out of 1440 (max. 8388607)
345 named destinations out of 1000 (max. 500000)
545 words of extra memory for PDF output out of 10000 (max. 10000000)


@@ -48,6 +48,4 @@
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\contentsfinish


@@ -45,7 +45,9 @@
\BOOKMARK [2][-]{subsection.3.3.2}{Process\040virtual\040memory}{section.3.3}% 45
\BOOKMARK [2][-]{subsection.3.3.3}{The\040process\040stack}{section.3.3}% 46
\BOOKMARK [2][-]{subsection.3.3.4}{Attacks\040and\040limitations\040of\040bpf_probe_write_user\(\)}{section.3.3}% 47
\BOOKMARK [0][-]{chapter.4}{Methods??}{}% 48
\BOOKMARK [0][-]{chapter.5}{Results}{}% 49
\BOOKMARK [0][-]{chapter.6}{Conclusion\040and\040future\040work}{}% 50
\BOOKMARK [0][-]{chapter.6}{Bibliography}{}% 51
\BOOKMARK [2][-]{subsection.3.3.5}{Conclusion}{section.3.3}% 48
\BOOKMARK [1][-]{section.3.4}{Abusing\040networking\040programs}{chapter.3}% 49
\BOOKMARK [2][-]{subsection.3.4.1}{Attacks\040and\040limitations\040of\040networking\040programs}{section.3.4}% 50
\BOOKMARK [0][-]{chapter.4}{Results}{}% 51
\BOOKMARK [0][-]{chapter.5}{Conclusion\040and\040future\040work}{}% 52
\BOOKMARK [0][-]{chapter.5}{Bibliography}{}% 53

Binary file not shown.


@@ -41,7 +41,7 @@
>
]>
<requests version="1.0">
<internal package="biblatex" priority="9" active="1">
<internal package="biblatex" priority="9" active="0">
<generic>latex</generic>
<provides type="dynamic">
<file>document.bcf</file>
@@ -63,7 +63,7 @@
<file>english.lbx</file>
</requires>
</internal>
<external package="biblatex" priority="5" active="1">
<external package="biblatex" priority="5" active="0">
<generic>biber</generic>
<cmdline>
<binary>biber</binary>

Binary file not shown.


@@ -795,7 +795,7 @@ bpf\_tail\_call() & Jump to another eBPF program preserving the current stack\\
\section{eBPF program types} \label{section:ebpf_prog_types}
In the previous subsection \ref{subsection:bpf_syscall} we introduced the new types of eBPF programs that are supported and that we will be developing for our offensive analysis. In this section, we will analyse in greater detail how eBPF is integrated in the Linux kernel in order to support these new functionalities.
\subsection{XDP}
\subsection{XDP} \label{subsection:xdp}
eXpress Data Path (XDP) programs are a novel type of eBPF program that allows for the lowest-latency traffic filtering and monitoring in the whole Linux kernel. In order to load an XDP program, a bpf() syscall with the command BPF\_PROG\_LOAD and the program type BPF\_PROG\_TYPE\_XDP must be issued.
These programs are directly attached to the Network Interface Controller (NIC) driver, and thus they can process the packet before any other module\cite{xdp_gentle_intro}.
@@ -849,7 +849,7 @@ bpf\_xdp\_adjust\_tail() & Enlarges or reduces the extension of a packet, by mov
\end{table}
\subsection{Traffic Control}
\subsection{Traffic Control} \label{subsection:tc}
Traffic Control (TC) programs are also indicated for networking instrumentation. Similarly to XDP, their module is positioned before entering the overall network processing of the kernel. However, as it can be observed in figure \ref{fig:xdp_diag}, they differ in some aspects:
\begin{itemize}
\item TC programs receive a network buffer with metadata (in the figure, \textit{sk\_buff}) about the packet in it. This renders TC programs less ideal than XDP for performing large packet modifications (like new headers), but at the same time the additional metadata fields make it easier to locate and modify specific packet fields\cite{tc_differences}.
@@ -1231,7 +1231,6 @@ rax & Return value\\
\label{table:systemv_abi}
\end{table}
In the case of tracepoints, we can see in code snippet \ref{code:format_tracepoint} that it receives a \textit{struct sys\_read\_enter\_ctx*}. This struct must be manually defined, as explained in \ref{subsection:tracepoints}, by looking at the file \textit{/sys/kernel/debug/tracing/events/syscalls/sys\_enter\_read/format}. Code snippet \ref{code:sys_enter_read_tp} shows the format of the struct.
\begin{lstlisting}[language=C, caption={Format for parameters in sys\_enter\_read specified at the format file.}, label={code:sys_enter_read_tp_format}]
@@ -1280,12 +1279,12 @@ Usually, since many function arguments are pointers to user or kernel addresses
These helpers, previously introduced in table \ref{table:ebpf_helpers}, enable to read an arbitrary number of bytes from an user or kernel address respectively, allowing us to extract the information pointed by the parameters received by eBPF programs.
\subsection{Reading memory out of bounds}
\subsection{Reading memory out of bounds} \label{subsection:out_read_bounds}
As we introduced in the previous subsection, the bpf\_probe\_read\_user() and bpf\_probe\_read\_kernel() helpers can be used to access memory of pointers received as parameters in the hooked functions.
However, although in general the eBPF verifier attempts to reject illegal memory accesses, it does not prevent a malicious program from passing an arbitrary memory address (in kernel or user space) to the above helpers. This means that an eBPF program can potentially read any address in user or kernel space, (as long as it is marked as readable in the corresponding memory pages). Furthermore, an attacker can locate specific data structures and memory sections by taking the function parameter as a reference point in memory.
A particularly relevant case (which we will later use for our rootkit) involves accessing user memory via the parameters of tracepoints attached at system calls. Provided the nature of syscalls, whose purpose is to communicate user and kernel space, all parameters received will belong to the user space, and therefore any pointer passed will be an address in user memory. This enables an eBPF program to get a foothold into the virtual address space of the process calling the syscall, which it can proceed to scan looking for data or specific instructions. This technique will be further elaborated in section \ref{TODO}.
A particularly relevant case (which we will later use for our rootkit) involves accessing user memory via the parameters of tracepoints attached at system calls. Provided the nature of syscalls, whose purpose is to communicate user and kernel space, all parameters received will belong to the user space, and therefore any pointer passed will be an address in user memory. This enables an eBPF program to get a foothold into the virtual address space of the process calling the syscall, which it can proceed to scan looking for data or specific instructions. This technique will be further elaborated in section \ref{subsection_bpf_probe_write_apps}.
\subsection{Overriding function return values}
A potentially dangerous functionality in eBPF tracing programs is the ability to modify the return value of kernel functions\cite{ebpf_friends_p15}\cite{ebpf_override_return}. This can be done via the eBPF helper bpf\_override\_return, and it works exclusively from kretprobes.
@@ -1301,7 +1300,7 @@ SYSCALL_DEFINE3(open, const char __user *, filename, int, flags, umode_t, mode)
}
\end{lstlisting}
\begin{lstlisting}[language=C, caption={Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite{code_kernel_open}}, label={code:override_return_2}]
\begin{lstlisting}[language=C, caption={Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite{code_kernel_syscall}}, label={code:override_return_2}]
#define SYSCALL_DEFINE3(name, ...) SYSCALL_DEFINEx(3, _##name, __VA_ARGS__)
#ifndef __SYSCALL_DEFINEx
#define __SYSCALL_DEFINEx(x, name, ...)\
@@ -1326,7 +1325,7 @@ Another eBPF helper that is subject to malicious purposes is bpf\_send\_signal.
Therefore, this helper can be used to forcefully terminate running user processes, by sending the SIGKILL signal. In this way, combined with the observability into the parameters received at a function call, malicious eBPF can kill and deactivate processes to favour its malicious purposes.
\subsection{Conclusion}
\subsection{Conclusion} \label{subsection:tracing_attacks_conclusion}
As a summary, a malicious eBPF program loaded and attached as a tracing program undermines the existing trust between user programs and the kernel space.
Its ability to access sensitive data in function parameters and reading arbitrary memory can lead to gathering extensive information on the running processes of a system, whilst the malicious use of eBPF helpers enables the modification of the data passed to the user space from the kernel, and the control over which programs are allowed to be running on the system.
@@ -1371,6 +1370,7 @@ As we can observe in the figure, each virtual page is related to one physical pa
\subsection{Process virtual memory}
In the previous subsection we have studied that each process disposes of a virtual address space. We will now describe how this virtual memory is organized in a Linux system.
%TODO Add the .data section here
\begin{figure}[H]
\centering
\includegraphics[width=6cm]{memory.jpg}
@@ -1456,36 +1456,138 @@ As we mentioned, the stack stores function parameters, return addresses and loca
\begin{enumerate}
\item The function arguments are pushed into the stack. We can see them in the stack in reverse order.
\item The function is called:
\subitem The value of register rip is pushed into the stack, so that it is saved for when the function exists. We can see it on the figure as 'ret'.
\subitem The value of rip changes to point to the first instruction of the called function.
\begin{enumerate}
\item The value of register rip is pushed into the stack, so that it is saved for when the function exists. We can see it on the figure as 'ret'.
\item The value of rip changes to point to the first instruction of the called function.
\item We execute what is called as the \textit{function preamble}\cite{8664_params_abi_p18}, which prepares the stack frame for the called function:
\subitem The value of rbp is pushed into the stack, so that we can restore the previous stack frame when the function exits. We can see it on the figure as the 'saved frame pointer'.
\subitem The value of rsp is moved into rbp. Therefore, now rbp points to the end of the previous stack frame.
\subitem The value of rsp is usually decremented (since the stack needs to go to lower memory addresses) so that we allocate some space for function variables.
\item The value of rbp is pushed into the stack, so that we can restore the previous stack frame when the function exits. We can see it on the figure as the 'saved frame pointer'.
\item The value of rsp is moved into rbp. Therefore, now rbp points to the end of the previous stack frame.
\item The value of rsp is usually decremented (since the stack needs to go to lower memory addresses) so that we allocate some space for function variables.
\end{enumerate}
\item The function instructions are executed. The stack may be further modified, but on its end rsp must point to the same address of the beginning. Register rbp always keeps pointing to the end of the stack.
\item We execute what is called as the \textit{function epilogue}, which removes the stack frame and restores the original function:
\subitem The value of rbp is moved into rsp, so that rsp points to the start of the previous stack frame. All data allocated in the previous stack frame is considered to be free.
\subitem The value of the saved frame pointer is popped and stored into rbp, so that rbp now points to the start of the previous stack frame.
\subitem The value of the saved rip value is popped into register rip, so that the next instruction to execute is the instruction right after the function call.
\begin{enumerate}
\item The value of rbp is moved into rsp, so that rsp points to the start of the previous stack frame. All data allocated in the previous stack frame is considered to be free.
\item The value of the saved frame pointer is popped and stored into rbp, so that rbp now points to the start of the previous stack frame.
\item The value of the saved rip value is popped into register rip, so that the next instruction to execute is the instruction right after the function call.
\end{enumerate}
\item Since the function arguments where pushed into the stack, they are popped now.
\end{enumerate}
\subsection{Attacks and limitations of bpf\_probe\_write\_user()}
\subsection{Attacks and limitations of bpf\_probe\_write\_user()} \label{subsection_bpf_probe_write_apps}
Provided the background into memory architecture and the stack operation, we will now study the offensive capabilities of the bpf\_probe\_write\_user() helper and which restrictions are imposed into its use by eBPF programs.
The bpf\_probe\_write\_user() helper, when used from a tracing eBPF program, can write into any memory address in the user space of the process responsible from calling the hooked function. However, the write operation fails if:
The bpf\_probe\_write\_user() helper, when used from a tracing eBPF program, can write into any memory address in the user space of the process responsible from calling the hooked function. However, the write operation fails has some restrictions:
\begin{itemize}
\item{The memory space pointed by the address is marked as non-writeable by the user space process. For instance, if we try to write into the .text section, the helpers fails because this section is only marked as readable and executable (for protection reasons).} Therefore, the process must indicate a writeable flag in the memory section for the helper to succeed.
\item{The memory page is served with a minor or major page fault. As we saw in section \ref{subsection:ebpf_verifier}, eBPF programs are restricted from executing any sleeping or blocking operations, to prevent hanging the kernel. Therefore, since during a page fault the operating system needs to block the execution and write into the page table or retrieve data from the secondary disk, bpf\_probe\_write\_user() is defined as a non-faulting helper\cite{write_helper_non_fault}, meaning that if it needs to issue a page fault for accessing data, it will just return and fail.}
\item{The operation fails if the memory space pointed by the address is marked as non-writeable by the user space process. For instance, if we try to write into the .text section, the helpers fails because this section is only marked as readable and executable (for protection reasons).} Therefore, the process must indicate a writeable flag in the memory section for the helper to succeed.
\item{The operation fails if the memory page is served with a minor or major page fault. As we saw in section \ref{subsection:ebpf_verifier}, eBPF programs are restricted from executing any sleeping or blocking operations, to prevent hanging the kernel. Therefore, since during a page fault the operating system needs to block the execution and write into the page table or retrieve data from the secondary disk, bpf\_probe\_write\_user() is defined as a non-faulting helper\cite{write_helper_non_fault}, meaning that instead of issuing a page fault for accessing data, it will just return and fail.}
\item{Each time the helper is called, an alert message is written into the kernel logs, alerting that a potentially dangerous eBPF program is making use of the helper. Note that this message appears when the eBPF program is attached, and not each time the helper is called. This will be particularly relevant since we will be able to bypass this alert by taking advantage of this.}
\end{itemize}
Although we will not be able to modify kernel memory or the instructions of a program, this eBPF helper opens a range of possible attacks:
\begin{itemize}
\item Modify any of the arguments with which a system call is called (either with a tracepoint or a kprobe). Therefore, a malicious program can hijack any call to the kernel with its own arguments.
\item Modify user-provided arguments in kernel functions. When reading kernel code, we can find that data provided by the user is marked with the keyword \textit{\_\_user}. For instance, an internal kernel function in a nested call of the system call sys\_read receives an user buffer:
\begin{lstlisting}[language=C, caption={Definition of kernel function vfs\_read. \cite{code_vfs_read}}, label={code:vfs_read}]
ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos)
\end{lstlisting}
Then, if we attach a kprobe to vfs\_read, we would be able to modify the value of the buffer.
\item Modify process memory by taking function parameters as a reference and scanning the stack. This technique, first introduced in section \ref{subsection:out_read_bounds} when we mentioned that tracing programs can read any user memory location with the bpf\_probe\_read\_user() helper, consists of:
\begin{enumerate}
\item Take an user-passed parameter received on a tracing program. The parameter must be a pointer to a memory location (such as a pointer to a buffer), so that we can use that memory address as the reference point in user space. According to the x86\_64 documentation, this parameter will be stored in the stack\cite{8664_params_abi_p1922}, so we will receive an stack address.
\item Locate the target data which we aim to write. There are two main methods for this:
\begin{itemize}
\item Sequentially read the stack, using bpf\_probe\_read\_user(), until we locate the bytes we are looking for. This requires knowing which data we want to overwrite.
\item By previously reverse engineering the user program, we can calculate the offset at which an specific data section will be stored in virtual memory with respect to the reference address we received as a parameter.
\end{itemize}
\item Overwrite the memory buffer using bpf\_probe\_write\_user().
\end{enumerate}
\end{itemize}
Figure \ref{fig:stack_scan_write_tech} illustrates a high-level overview of the stack scanning technique previously described:
\begin{figure}[H]
\centering
\includegraphics[width=16cm]{stack_scan_write_tech.jpg}
\caption{Overview of stack scanning and writing technique.}
\label{fig:stack_scan_write_tech}
\end{figure}
The above figure shows process memory executing a program similar to the following:
\begin{lstlisting}[language=C, caption={Sample program being executed on figure \ref{fig:stack_scan_write_tech}.}, label={code:stack_scan_write_tech}]
void func(char* a, char* b, char* c){
int fd = open("FILE", 0);
write(fd, a, 1);
}
int main(){
char a[] = "AAA";
char b[] = "BBB";
char c[] = "CCC";
func(a, b, c);
}
\end{lstlisting}
In the figure, we can clearly observe how the technique is used to overwrite an specific buffer. The attacker goal is to overwrite buffer \textit{c} with some other bytes, but the kprobe program only has direct access to buffer \textit{a}:
\begin{enumerate}
\item By reverse engineering the program (we will see how this process works in section \ref{TODO}) we notice that buffer \textit{c} is stored 8 bytes lower on the stack than buffer \textit{a}.
\item When register rip points to the write() instruction, the processor executes the instruction and a system call is issued to sys\_write().
\item The kprobe eBPF program hooked to the syscall hijacks the program execution. Since it has access to the memory address of buffer \textit{a} and it knows the relative position of buffer \textit{c}, it writes to that location whatever it wants (e.g.: "DDD") with the bpf\_probe\_write\_user() helper.
\item The eBPF program ends and the control flow goes back to the system call. It ends its execution successfully, and returns a value to the user space. The result of the program is that 1 byte has been written into file "FILE", and that buffer \textit{c} now contains "DDD".
\end{enumerate}
\subsection{Conclusion}
As a summary, the bpf\_probe\_write\_user() helper is one of the main attack vectors for malicious eBPF programs. Although it does contain some restrictions, its ability to overwrite any user parameter enables it to, in practice, execute arbitrary code by hijacking that of others. When it is combined with tracing programs' ability to read memory out of bounds, it unlocks a wide range of attacks, since any writeable section of the process memory is a possible target.
Therefore, if on the conclusion of section \ref{subsection:tracing_attacks_conclusion} we discussed that the ability to change the return value of kernel functions and kill processes hinders the trust between the user and kernel space (since what the kernel returns may not be a correct result), then the ability to directly overwrite process data is a complete disrupt of trust in any of the data in the user space itself, since it is subject to the control of a malicious eBPF program.
Moreover, in the next sections we will discuss how we can create advanced attacks on the basis of the background and techniques previously discussed. We will research further into which sections of a process memory are writeable and whether they can lead to new attack vectors.
\section{Abusing networking programs}
The final main piece of a malicious eBPF program comes from taking advantage of the networking capabilities of TC and XDP programs. As we mentioned during sections \ref{subsection:xdp} and \ref{subsection:tc}, these type of programs have access to network traffic:
\begin{itemize}
\item Traffic Control programs can be placed either on egress or ingress traffic, and receive a struct \textit{sk\_buff}, containing the packet bytes and meta data that helps operating on it.
\item External Data Path programs can only be attached to ingress traffic, but in turn they receive the packet before any kernel processing (as a struct \textit{xdp\_md}) being able to access the raw data directly.
\end{itemize}
Networking eBPF programs not only have read access to the network packets, but also write access:
\begin{itemize}
\item XDP programs can directly modify the raw packet via memcpy() operations. They can also increment or reduce the size of the packet by any of its ends (adding bytes before the head or after the packet tail). This is done via the multiple helpers previously presented on table \ref{table:xdp_helpers}.
\item TC programs can also modify the packet via the helpers presented on table \ref{table:tc_helpers}. The packet can be expanded or reduced via these eBPF helpers too.
\end{itemize}
Apart from write access to the packet, the other critical feature of networking programs is their ability to drop packets. As we presented in tables \ref{table:xdp_actions_av} and \ref{table:tc_actions}, this can be achieved by returning specific values.
\subsection{Attacks and limitations of networking programs}
Multiple restrictions exist on network eBPF programs:
\begin{itemize}
\item Read and write access to the packet is heavily controlled by the eBPF verifier. It is not possible to read or write data out of bounds. Extreme care must also be taken before attempting to read any data inside the packet, since the verifier first requires making lots of checks beforehand. For any access to take place, the program must first classify the packet according to the network protocol it belongs, and later check that every header of every network layer is well defined (e.g: Ethernet, IP and TCP). Only after that, the headers can be modified.
If the program also wants to modify the packet payload, then it must be checked to be between the bounds of the packet and well defined according to the packet headers. Also, after using any of the helpers that enlarge or reduce the size of the packet, all check operations must be repeated again before any subsequent operation.
Finally, note that after any modification in the packet, some network protocols (such as IP and TCP) require to recalculate their checksum fields.
\item XDP and TC programs are not able to create packets, they can only operate over existing traffic.
\end{itemize}
%TODO talk about TCP connection and its repeating packets.
% Talk about attacks.
% Conclusion of the section.
%TODO Talk about the difference between having always on BPF and always on kernel modules (maybe this is better in the introduction)
\chapter{Methods??}
%M-> Following the particular TFG we discussed and also others, it looks like the main chapter(s) varies name depending on the TFG topic. Also is there a prefered way to distribute this?
\chapter{Results}
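Review bot: The third item of the bpf\_probe\_write\_user() restriction list contradicts itself: it opens with "Each time the helper is called, an alert message is written into the kernel logs" and then states that the message appears when the program is attached rather than per call. As far as I recall, the kernel prints that ratelimited warning once when a program that uses the helper is loaded (the verifier resolves the helper prototype via bpf_get_probe_write_proto() in kernel/trace/bpf_trace.c), neither on attach nor on every call, so both sentences should agree and the triggering event should be checked against the kernel source, e.g. `\item{When an eBPF program using this helper is loaded, a warning is written once into the kernel logs, ...}`. The sentence introducing that list, `the write operation fails has some restrictions:`, is a leftover of the previous wording and should read `the write operation has some restrictions:`. In the stack-scanning enumeration, "this parameter will be stored in the stack" conflicts with the thesis's own table \ref{table:systemv_abi}: on x86\_64 the first six integer/pointer arguments are passed in registers, and the received address is a stack address only because the pointed-to buffer (the local char a[] of the sample program) lives on the stack, so the sentence should draw that distinction. The walkthrough of the sample program still carries `section \ref{TODO}`, which will render as an undefined reference.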


@@ -95,11 +95,15 @@
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.3.4}Attacks and limitations of bpf\_probe\_write\_user()}{43}{subsection.3.3.4}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {4}Methods??}{45}{chapter.4}%
\contentsline {subsection}{\numberline {3.3.5}Conclusion}{46}{subsection.3.3.5}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Results}{46}{chapter.5}%
\contentsline {section}{\numberline {3.4}Abusing networking programs}{46}{section.3.4}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {6}Conclusion and future work}{47}{chapter.6}%
\contentsline {subsection}{\numberline {3.4.1}Attacks and limitations of networking programs}{47}{subsection.3.4.1}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{48}{chapter.6}%
\contentsline {chapter}{\numberline {4}Results}{48}{chapter.4}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Conclusion and future work}{49}{chapter.5}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{50}{chapter.5}%
\contentsfinish

Binary file not shown.



@@ -73,15 +73,15 @@
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/">
<xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool>
<xmp:ModifyDate>2022-06-05T08:58:56-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-06-05T08:58:56-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-06-05T08:58:56-04:00</xmp:MetadataDate>
<xmp:ModifyDate>2022-06-05T21:19:01-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-06-05T21:19:01-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-06-05T21:19:01-04:00</xmp:MetadataDate>
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/">
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/">
<xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID>
<xmpMM:InstanceID>uuid:197F6A4D-9D31-F3B4-AF01-BB1C4A02FCC7</xmpMM:InstanceID>
<xmpMM:InstanceID>uuid:62AED33B-11F7-1F15-2F84-24FCCE82AC8A</xmpMM:InstanceID>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>