admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-17 23:53:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

Went on with the objectives section

Browse Source
This commit is contained in:
h3xduck
2022-05-21 16:56:05 -04:00
parent b1933069ae
commit 61d141bbb6
13 changed files with 147 additions and 101 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
docs/bibliography/bibliography.bib
View File

@@ -55,6 +55,13 @@
url = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf} url = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf}
}, },
@online{bad_ebpf,
author = {Pat Hogan},
organization= {DEFCON 27},
eventtitle = {Bad BPF - Warping reality using eBPF},
url = {https://www.youtube.com/watch?v=g6SKWT7sROQ}
},
@online{ebpf_windows, @online{ebpf_windows,
title={eBPF incorporation in the Linux Kernel 3.18}, title={eBPF incorporation in the Linux Kernel 3.18},
date={2014-12-07}, date={2014-12-07},

2
docs/bibliography/texput.log
View File

@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 20 MAY 2022 22:23 This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 21 MAY 2022 16:29
entering extended mode entering extended mode
restricted \write18 enabled. restricted \write18 enabled.
%&-line parsing enabled. %&-line parsing enabled.

19
docs/document.aux
View File

@@ -37,15 +37,17 @@
\abx@aux@segm{0}{0}{bvp47_report} \abx@aux@segm{0}{0}{bvp47_report}
\abx@aux@cite{bpfdoor_pwc} \abx@aux@cite{bpfdoor_pwc}
\abx@aux@segm{0}{0}{bpfdoor_pwc} \abx@aux@segm{0}{0}{bpfdoor_pwc}
\abx@aux@cite{evil_ebpf}
\abx@aux@segm{0}{0}{evil_ebpf}
\abx@aux@cite{ebpf_friends}
\abx@aux@segm{0}{0}{ebpf_friends}
\abx@aux@cite{ebpf_windows} \abx@aux@cite{ebpf_windows}
\abx@aux@segm{0}{0}{ebpf_windows} \abx@aux@segm{0}{0}{ebpf_windows}
\abx@aux@cite{ebpf_android} \abx@aux@cite{ebpf_android}
\abx@aux@segm{0}{0}{ebpf_android} \abx@aux@segm{0}{0}{ebpf_android}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.2}Objectives}{3}{section.1.2}\protected@file@percent } \abx@aux@cite{evil_ebpf}
\abx@aux@segm{0}{0}{evil_ebpf}
\abx@aux@cite{bad_ebpf}
\abx@aux@segm{0}{0}{bad_ebpf}
\abx@aux@cite{ebpf_friends}
\abx@aux@segm{0}{0}{ebpf_friends}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.2}Project objectives}{3}{section.1.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.3}Regulatory framework}{3}{section.1.3}\protected@file@percent } \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.3}Regulatory framework}{3}{section.1.3}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {1.3.1}Social and economic environment}{3}{subsection.1.3.1}\protected@file@percent } \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {1.3.1}Social and economic environment}{3}{subsection.1.3.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {1.3.2}Budget}{3}{subsection.1.3.2}\protected@file@percent } \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {1.3.2}Budget}{3}{subsection.1.3.2}\protected@file@percent }
@@ -62,16 +64,17 @@
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }} \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }} \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{8}{chapter.5}\protected@file@percent } \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{8}{chapter.5}\protected@file@percent }
\abx@aux@read@bbl@mdfivesum{279FACA5324B1AFB51B5FC1A08973172} \abx@aux@read@bbl@mdfivesum{D747C591A940D097CD0716131C9FB28E}
\abx@aux@refcontextdefaultsdone \abx@aux@refcontextdefaultsdone
\abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global} \abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global} \abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_linux318}{none/global//global/global} \abx@aux@defaultrefcontext{0}{ebpf_linux318}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{bvp47_report}{none/global//global/global} \abx@aux@defaultrefcontext{0}{bvp47_report}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{bpfdoor_pwc}{none/global//global/global} \abx@aux@defaultrefcontext{0}{bpfdoor_pwc}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{evil_ebpf}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_friends}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_windows}{none/global//global/global} \abx@aux@defaultrefcontext{0}{ebpf_windows}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_android}{none/global//global/global} \abx@aux@defaultrefcontext{0}{ebpf_android}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{evil_ebpf}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{bad_ebpf}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_friends}{none/global//global/global}
\ttl@finishall \ttl@finishall
\gdef \@abspage@last{24} \gdef \@abspage@last{24}

92
docs/document.bbl
View File

@@ -104,6 +104,34 @@
\verb https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf \verb https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf
\endverb \endverb
\endentry \endentry
\entry{ebpf_windows}{online}{}
\field{sortinit}{6}
\field{sortinithash}{7851c86048328b027313775d8fbd2131}
\field{labeltitlesource}{title}
\field{day}{7}
\field{month}{12}
\field{title}{eBPF incorporation in the Linux Kernel 3.18}
\field{year}{2014}
\field{dateera}{ce}
\verb{urlraw}
\verb https://kernelnewbies.org/Linux_3.18
\endverb
\verb{url}
\verb https://kernelnewbies.org/Linux_3.18
\endverb
\endentry
\entry{ebpf_android}{online}{}
\field{sortinit}{7}
\field{sortinithash}{f615fb9c6fba11c6f962fb3fd599810e}
\field{labeltitlesource}{title}
\field{title}{eBPF for Windows}
\verb{urlraw}
\verb https://source.android.com/devices/architecture/kernel/bpf
\endverb
\verb{url}
\verb https://source.android.com/devices/architecture/kernel/bpf
\endverb
\endentry
\entry{evil_ebpf}{proceedings}{} \entry{evil_ebpf}{proceedings}{}
\name{author}{1}{}{% \name{author}{1}{}{%
{{hash=5142e68c748eb70cb619b21160eb7f72}{% {{hash=5142e68c748eb70cb619b21160eb7f72}{%
@@ -124,8 +152,8 @@
\strng{authorbibnamehash}{5142e68c748eb70cb619b21160eb7f72} \strng{authorbibnamehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{authornamehash}{5142e68c748eb70cb619b21160eb7f72} \strng{authornamehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{authorfullhash}{5142e68c748eb70cb619b21160eb7f72} \strng{authorfullhash}{5142e68c748eb70cb619b21160eb7f72}
\field{sortinit}{6} \field{sortinit}{8}
\field{sortinithash}{7851c86048328b027313775d8fbd2131} \field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{labelnamesource}{author} \field{labelnamesource}{author}
\field{eventtitle}{Evil eBPF Practical Abuses of an In-Kernel Bytecode Runtime} \field{eventtitle}{Evil eBPF Practical Abuses of an In-Kernel Bytecode Runtime}
\verb{urlraw} \verb{urlraw}
@@ -135,6 +163,34 @@
\verb https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf \verb https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf
\endverb \endverb
\endentry \endentry
\entry{bad_ebpf}{online}{}
\name{author}{1}{}{%
{{hash=53d4d4da0d1a82f58d57d86ba9635f2c}{%
family={Hogan},
familyi={H\bibinitperiod},
given={Pat},
giveni={P\bibinitperiod}}}%
}
\list{organization}{1}{%
{DEFCON 27}%
}
\strng{namehash}{53d4d4da0d1a82f58d57d86ba9635f2c}
\strng{fullhash}{53d4d4da0d1a82f58d57d86ba9635f2c}
\strng{bibnamehash}{53d4d4da0d1a82f58d57d86ba9635f2c}
\strng{authorbibnamehash}{53d4d4da0d1a82f58d57d86ba9635f2c}
\strng{authornamehash}{53d4d4da0d1a82f58d57d86ba9635f2c}
\strng{authorfullhash}{53d4d4da0d1a82f58d57d86ba9635f2c}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{labelnamesource}{author}
\field{eventtitle}{Bad BPF - Warping reality using eBPF}
\verb{urlraw}
\verb https://www.youtube.com/watch?v=g6SKWT7sROQ
\endverb
\verb{url}
\verb https://www.youtube.com/watch?v=g6SKWT7sROQ
\endverb
\endentry
\entry{ebpf_friends}{proceedings}{} \entry{ebpf_friends}{proceedings}{}
\name{author}{1}{}{% \name{author}{1}{}{%
{{hash=2994fc802c0b46f7289cf001e2c26cfe}{% {{hash=2994fc802c0b46f7289cf001e2c26cfe}{%
@@ -155,8 +211,8 @@
\strng{authorbibnamehash}{2994fc802c0b46f7289cf001e2c26cfe} \strng{authorbibnamehash}{2994fc802c0b46f7289cf001e2c26cfe}
\strng{authornamehash}{2994fc802c0b46f7289cf001e2c26cfe} \strng{authornamehash}{2994fc802c0b46f7289cf001e2c26cfe}
\strng{authorfullhash}{2994fc802c0b46f7289cf001e2c26cfe} \strng{authorfullhash}{2994fc802c0b46f7289cf001e2c26cfe}
\field{sortinit}{7} \field{sortinit}{1}
\field{sortinithash}{f615fb9c6fba11c6f962fb3fd599810e} \field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labelnamesource}{author} \field{labelnamesource}{author}
\field{eventtitle}{Cyber Threats 2021: A year in Retrospect} \field{eventtitle}{Cyber Threats 2021: A year in Retrospect}
\verb{urlraw} \verb{urlraw}
@@ -166,34 +222,6 @@
\verb https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf \verb https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf
\endverb \endverb
\endentry \endentry
\entry{ebpf_windows}{online}{}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{labeltitlesource}{title}
\field{day}{7}
\field{month}{12}
\field{title}{eBPF incorporation in the Linux Kernel 3.18}
\field{year}{2014}
\field{dateera}{ce}
\verb{urlraw}
\verb https://kernelnewbies.org/Linux_3.18
\endverb
\verb{url}
\verb https://kernelnewbies.org/Linux_3.18
\endverb
\endentry
\entry{ebpf_android}{online}{}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{labeltitlesource}{title}
\field{title}{eBPF for Windows}
\verb{urlraw}
\verb https://source.android.com/devices/architecture/kernel/bpf
\endverb
\verb{url}
\verb https://source.android.com/devices/architecture/kernel/bpf
\endverb
\endentry
\enddatalist \enddatalist
\endrefsection \endrefsection
\endinput \endinput

9
docs/document.bcf
View File

@@ -2353,10 +2353,11 @@
<bcf:citekey order="3">ebpf_linux318</bcf:citekey> <bcf:citekey order="3">ebpf_linux318</bcf:citekey>
<bcf:citekey order="4">bvp47_report</bcf:citekey> <bcf:citekey order="4">bvp47_report</bcf:citekey>
<bcf:citekey order="5">bpfdoor_pwc</bcf:citekey> <bcf:citekey order="5">bpfdoor_pwc</bcf:citekey>
<bcf:citekey order="6">evil_ebpf</bcf:citekey> <bcf:citekey order="6">ebpf_windows</bcf:citekey>
<bcf:citekey order="7">ebpf_friends</bcf:citekey> <bcf:citekey order="7">ebpf_android</bcf:citekey>
<bcf:citekey order="8">ebpf_windows</bcf:citekey> <bcf:citekey order="8">evil_ebpf</bcf:citekey>
<bcf:citekey order="9">ebpf_android</bcf:citekey> <bcf:citekey order="9">bad_ebpf</bcf:citekey>
<bcf:citekey order="10">ebpf_friends</bcf:citekey>
</bcf:section> </bcf:section>
<!-- SORTING TEMPLATES --> <!-- SORTING TEMPLATES -->
<bcf:sortingtemplate name="none"> <bcf:sortingtemplate name="none">

49
docs/document.blg
View File

@@ -1,25 +1,26 @@
[0] Config.pm:311> INFO - This is Biber 2.16 [0] Config.pm:311> INFO - This is Biber 2.16
[0] Config.pm:314> INFO - Logfile is 'document.blg' [1] Config.pm:314> INFO - Logfile is 'document.blg'
[57] biber:340> INFO - === Fri May 20, 2022, 22:57:51 [148] biber:340> INFO - === Sat May 21, 2022, 16:49:21
[69] Biber.pm:415> INFO - Reading 'document.bcf' [182] Biber.pm:415> INFO - Reading 'document.bcf'
[136] Biber.pm:952> INFO - Found 9 citekeys in bib section 0 [353] Biber.pm:952> INFO - Found 10 citekeys in bib section 0
[150] Biber.pm:4340> INFO - Processing section 0 [393] Biber.pm:4340> INFO - Processing section 0
[159] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0 [415] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[160] bibtex.pm:1689> INFO - LaTeX decoding ... [418] bibtex.pm:1689> INFO - LaTeX decoding ...
[166] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib' [433] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[199] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_FK6G/f4d088b3f9f145b5c3058da33afd57d4_91789.utf8, line 9, warning: 1 characters of junk seen at toplevel [522] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_s9YY/f4d088b3f9f145b5c3058da33afd57d4_96431.utf8, line 9, warning: 1 characters of junk seen at toplevel
[199] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_FK6G/f4d088b3f9f145b5c3058da33afd57d4_91789.utf8, line 15, warning: 1 characters of junk seen at toplevel [522] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_s9YY/f4d088b3f9f145b5c3058da33afd57d4_96431.utf8, line 15, warning: 1 characters of junk seen at toplevel
[199] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_FK6G/f4d088b3f9f145b5c3058da33afd57d4_91789.utf8, line 22, warning: 1 characters of junk seen at toplevel [523] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_s9YY/f4d088b3f9f145b5c3058da33afd57d4_96431.utf8, line 22, warning: 1 characters of junk seen at toplevel
[199] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_FK6G/f4d088b3f9f145b5c3058da33afd57d4_91789.utf8, line 28, warning: 1 characters of junk seen at toplevel [523] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_s9YY/f4d088b3f9f145b5c3058da33afd57d4_96431.utf8, line 28, warning: 1 characters of junk seen at toplevel
[199] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_FK6G/f4d088b3f9f145b5c3058da33afd57d4_91789.utf8, line 35, warning: 1 characters of junk seen at toplevel [523] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_s9YY/f4d088b3f9f145b5c3058da33afd57d4_96431.utf8, line 35, warning: 1 characters of junk seen at toplevel
[199] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_FK6G/f4d088b3f9f145b5c3058da33afd57d4_91789.utf8, line 42, warning: 1 characters of junk seen at toplevel [523] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_s9YY/f4d088b3f9f145b5c3058da33afd57d4_96431.utf8, line 42, warning: 1 characters of junk seen at toplevel
[199] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_FK6G/f4d088b3f9f145b5c3058da33afd57d4_91789.utf8, line 50, warning: 1 characters of junk seen at toplevel [524] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_s9YY/f4d088b3f9f145b5c3058da33afd57d4_96431.utf8, line 50, warning: 1 characters of junk seen at toplevel
[199] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_FK6G/f4d088b3f9f145b5c3058da33afd57d4_91789.utf8, line 58, warning: 1 characters of junk seen at toplevel [524] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_s9YY/f4d088b3f9f145b5c3058da33afd57d4_96431.utf8, line 58, warning: 1 characters of junk seen at toplevel
[199] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_FK6G/f4d088b3f9f145b5c3058da33afd57d4_91789.utf8, line 63, warning: 1 characters of junk seen at toplevel [524] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_s9YY/f4d088b3f9f145b5c3058da33afd57d4_96431.utf8, line 65, warning: 1 characters of junk seen at toplevel
[211] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable' [524] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_s9YY/f4d088b3f9f145b5c3058da33afd57d4_96431.utf8, line 70, warning: 1 characters of junk seen at toplevel
[211] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized' [553] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[211] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US' [553] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[211] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US' [553] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[220] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8' [554] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[222] bbl.pm:757> INFO - Output to document.bbl [580] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[222] Biber.pm:128> INFO - WARNINGS: 9 [587] bbl.pm:757> INFO - Output to document.bbl
[588] Biber.pm:128> INFO - WARNINGS: 10

38
docs/document.log
View File

@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 20 MAY 2022 22:57 This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 21 MAY 2022 16:55
entering extended mode entering extended mode
restricted \write18 enabled. restricted \write18 enabled.
%&-line parsing enabled. %&-line parsing enabled.
@@ -1190,43 +1190,43 @@ Chapter 5.
] ]
LaTeX Font Info: Trying to load font information for T1+txtt on input line 3 LaTeX Font Info: Trying to load font information for T1+txtt on input line 3
83. 89.
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txtt.fd (/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txtt.fd
File: t1txtt.fd 2000/12/15 v3.1 File: t1txtt.fd 2000/12/15 v3.1
) )
LaTeX Font Info: Trying to load font information for OT1+txr on input line 3 LaTeX Font Info: Trying to load font information for OT1+txr on input line 3
83. 89.
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/ot1txr.fd (/usr/share/texlive/texmf-dist/tex/latex/txfonts/ot1txr.fd
File: ot1txr.fd 2000/12/15 v3.1 File: ot1txr.fd 2000/12/15 v3.1
) )
LaTeX Font Info: Trying to load font information for U+txsya on input line 3 LaTeX Font Info: Trying to load font information for U+txsya on input line 3
83. 89.
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/utxsya.fd (/usr/share/texlive/texmf-dist/tex/latex/txfonts/utxsya.fd
File: utxsya.fd 2000/12/15 v3.1 File: utxsya.fd 2000/12/15 v3.1
) )
LaTeX Font Info: Trying to load font information for U+txsyb on input line 3 LaTeX Font Info: Trying to load font information for U+txsyb on input line 3
83. 89.
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/utxsyb.fd (/usr/share/texlive/texmf-dist/tex/latex/txfonts/utxsyb.fd
File: utxsyb.fd 2000/12/15 v3.1 File: utxsyb.fd 2000/12/15 v3.1
) )
LaTeX Font Info: Trying to load font information for U+txmia on input line 3 LaTeX Font Info: Trying to load font information for U+txmia on input line 3
83. 89.
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/utxmia.fd (/usr/share/texlive/texmf-dist/tex/latex/txfonts/utxmia.fd
File: utxmia.fd 2000/12/15 v3.1 File: utxmia.fd 2000/12/15 v3.1
) )
LaTeX Font Info: Trying to load font information for U+txsyc on input line 3 LaTeX Font Info: Trying to load font information for U+txsyc on input line 3
83. 89.
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/utxsyc.fd (/usr/share/texlive/texmf-dist/tex/latex/txfonts/utxsyc.fd
File: utxsyc.fd 2000/12/15 v3.1 File: utxsyc.fd 2000/12/15 v3.1
) )
Overfull \hbox (2.7712pt too wide) in paragraph at lines 384--384 Overfull \hbox (5.34976pt too wide) in paragraph at lines 390--390
[]\T1/txr/m/n/12 ^^P Cy-ber threats 2021: A year in ret-ro-spect,^^Q Price-wa- \T1/txtt/m/n/12 threat -[] intelligence / cyber -[] year -[] in -[] retrospect
ter-house-C-oop-ers. [On-line]. Avail- / yir -[] cyber -[] threats -[]
[] []
[8 [8
@@ -1247,21 +1247,21 @@ pdfTeX warning (ext4): destination with the same identifier (name{page.}) has b
een already used, duplicate ignored een already used, duplicate ignored
<to be read again> <to be read again>
\relax \relax
l.400 \end{document} l.406 \end{document}
[2 [2
] (./document.aux) ] (./document.aux)
Package rerunfilecheck Info: File `document.out' has not changed. Package rerunfilecheck Info: File `document.out' has not changed.
(rerunfilecheck) Checksum: 22937790BEE0F30769157DC04627A687;645. (rerunfilecheck) Checksum: 029B6DE53007DA8B33AC812D93231EF1;656.
Package logreq Info: Writing requests to 'document.run.xml'. Package logreq Info: Writing requests to 'document.run.xml'.
\openout1 = `document.run.xml'. \openout1 = `document.run.xml'.
) )
Here is how much of TeX's memory you used: Here is how much of TeX's memory you used:
27168 strings out of 481209 27171 strings out of 481209
430663 string characters out of 5914747 430760 string characters out of 5914747
1165085 words of memory out of 5000000 1166131 words of memory out of 5000000
43654 multiletter control sequences out of 15000+600000 43656 multiletter control sequences out of 15000+600000
444100 words of font info for 89 fonts, out of 8000000 for 9000 444100 words of font info for 89 fonts, out of 8000000 for 9000
36 hyphenation exceptions out of 8191 36 hyphenation exceptions out of 8191
88i,11n,90p,1029b,2369s stack positions out of 5000i,500n,10000p,200000b,80000s 88i,11n,90p,1029b,2369s stack positions out of 5000i,500n,10000p,200000b,80000s
@@ -1273,9 +1273,9 @@ tic/uhvb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/helvetic/uhvr8a.p
fb></usr/share/texlive/texmf-dist/fonts/type1/urw/helvetic/uhvr8a.pfb></usr/sha fb></usr/share/texlive/texmf-dist/fonts/type1/urw/helvetic/uhvr8a.pfb></usr/sha
re/texlive/texmf-dist/fonts/type1/urw/times/utmb8a.pfb></usr/share/texlive/texm re/texlive/texmf-dist/fonts/type1/urw/times/utmb8a.pfb></usr/share/texlive/texm
f-dist/fonts/type1/urw/times/utmr8a.pfb> f-dist/fonts/type1/urw/times/utmr8a.pfb>
Output written on document.pdf (24 pages, 157809 bytes). Output written on document.pdf (24 pages, 161550 bytes).
PDF statistics: PDF statistics:
274 PDF objects out of 1000 (max. 8388607) 280 PDF objects out of 1000 (max. 8388607)
48 named destinations out of 1000 (max. 500000) 49 named destinations out of 1000 (max. 500000)
111 words of extra memory for PDF output out of 10000 (max. 10000000) 111 words of extra memory for PDF output out of 10000 (max. 10000000)

2
docs/document.out
View File

@@ -1,6 +1,6 @@
\BOOKMARK [0][-]{chapter.1}{Introduction}{}% 1 \BOOKMARK [0][-]{chapter.1}{Introduction}{}% 1
\BOOKMARK [1][-]{section.1.1}{Motivation}{chapter.1}% 2 \BOOKMARK [1][-]{section.1.1}{Motivation}{chapter.1}% 2
\BOOKMARK [1][-]{section.1.2}{Objectives}{chapter.1}% 3 \BOOKMARK [1][-]{section.1.2}{Project\040objectives}{chapter.1}% 3
\BOOKMARK [1][-]{section.1.3}{Regulatory\040framework}{chapter.1}% 4 \BOOKMARK [1][-]{section.1.3}{Regulatory\040framework}{chapter.1}% 4
\BOOKMARK [2][-]{subsection.1.3.1}{Social\040and\040economic\040environment}{section.1.3}% 5 \BOOKMARK [2][-]{subsection.1.3.1}{Social\040and\040economic\040environment}{section.1.3}% 5
\BOOKMARK [2][-]{subsection.1.3.2}{Budget}{section.1.3}% 6 \BOOKMARK [2][-]{subsection.1.3.2}{Budget}{section.1.3}% 6

BIN
docs/document.pdf
View File

Binary file not shown.

BIN
docs/document.synctex.gz
View File

Binary file not shown.

18
docs/document.tex
View File

@@ -310,7 +310,7 @@ hmargin=3cm
\chapter{Introduction} \chapter{Introduction}
\section{Motivation} \section{Motivation}
%M-> Slightly long, but it summarizes and presents the ideas in order: %M-> SA bit long, but it summarizes and presents the ideas and background needed to understand the topic in order:
% Main idea: Malware keeps evolving -> % Main idea: Malware keeps evolving ->
% -> Relevance of innovating and researching on the new techniques -> % -> Relevance of innovating and researching on the new techniques ->
% -> Relevance of stealth software in targeted attacks-> % -> Relevance of stealth software in targeted attacks->
@@ -321,7 +321,7 @@ As the efforts of the computer security community grow to protect increasingly c
In contrast with ransomware incidents, which remained the most significant and common cyber threat faced by organizations on 2021\cite{ransomware_pwc}, another powerful class of malware called rootkits is found considerably more infrequently, yet it is usually associated to high-profile targeted attacks that lead to greatly impactful consequences. In contrast with ransomware incidents, which remained the most significant and common cyber threat faced by organizations on 2021\cite{ransomware_pwc}, another powerful class of malware called rootkits is found considerably more infrequently, yet it is usually associated to high-profile targeted attacks that lead to greatly impactful consequences.
A rootkit is a piece of computer software characterized for its advanced stealth capabilities. Once it is installed on a system it remains invisible to the host, usually hiding its related processes and files from the user, while at the same time performing the malicious operations for which it was designed. Most common operations include storing keystrokes, sniffing network traffic, exfiltrating sensible data from the user or the system, or actively modifying the data at the infected device. The other characteristic functionality is that rootkits seek to achieve persistence on the infected hosts, with the purpose of being launched again after a system reboot, without further user interaction. A rootkit is a piece of computer software characterized for its advanced stealth capabilities. Once it is installed on a system it remains invisible to the host, usually hiding its related processes and files from the user, while at the same time performing the malicious operations for which it was designed. Common operations include storing keystrokes, sniffing network traffic, exfiltrating sensitive information from the user or the system, or actively modifying critical data at the infected device. The other characteristic functionality is that rootkits seek to achieve persistence on the infected hosts, meaning that they keep running on the system even after a system reboot, without further user interaction or the need of a new compromise.
The techniques used for achieving both of these functionalities depend on the type of rootkit developed, a classification usually made depending on the level of privileges on which the rootkit operates in the system. The techniques used for achieving both of these functionalities depend on the type of rootkit developed, a classification usually made depending on the level of privileges on which the rootkit operates in the system.
\begin{itemize} \begin{itemize}
@@ -333,19 +333,25 @@ Common techniques used for the development of their malicious activities include
These rootkits are usually the most attractive (and difficult to build) option for a malicious actor, but the installation of a kernel rootkit requires of a complete previous compromise of the system, meaning that administrator or root privileges must have been already achieved by the attacker, commonly by the execution of an exploit or a local installation of a privileged user. These rootkits are usually the most attractive (and difficult to build) option for a malicious actor, but the installation of a kernel rootkit requires of a complete previous compromise of the system, meaning that administrator or root privileges must have been already achieved by the attacker, commonly by the execution of an exploit or a local installation of a privileged user.
\end{itemize} \end{itemize}
Historically, kernel-mode rootkits have been tightly associated with espionage activities on governments and research institutes by Advanced Persistent Threat (APT) groups\cite{rootkit_ptsecurity}, state-sponsored or criminal organizations specialized on long-term operations to gather intelligence and gain unauthorized persistent access to computer systems. Although rootkits' functionality is tailored for each specific attack, a common set of techniques and procedures can be identified being used by these organizations. However, during the last years, a new technology called eBPF has been found to be the target of the latest innovation on the development of rootkits. Historically, kernel-mode rootkits have been tightly associated with espionage activities on governments and research institutes by Advanced Persistent Threat (APT) groups\cite{rootkit_ptsecurity}, state-sponsored or criminal organizations specialized on long-term operations to gather intelligence and gain unauthorized persistent access to computer systems. Although rootkits' functionality is tailored for each specific attack, a common set of techniques and procedures can be identified being used by these organizations. However, during the last years, a new technology called eBPF has been found to be the heart of the latest innovation on the development of rootkits.
%Yes, I am not mentioning that eBPF comes from "Extended Berkeley Packet %Filters here since apparently it is no longer considered an acronym, we'll %tackle that on the history section
eBPF is a technology incorporated in the 3.18 version of the Linux kernel\cite{ebpf_linux318}, which provides the possibility of running code in the kernel without the need of loading a kernel module. Programs are created in a restrictive version of the C language and compiled into eBPF bytecode, which is loaded into the kernel via a new bpf() system call. After a mandatory step of verification by the kernel in which the code is checked to be safe to run, the bytecode is compiled into native machine instructions. These programs can then get access to kernel-exclusive functionalities including network traffic filtering, system calls hooking or tracing. eBPF is a technology incorporated in the 3.18 version of the Linux kernel\cite{ebpf_linux318}, which provides the possibility of running code in the kernel without the need of loading a kernel module. Programs are created in a restrictive version of the C language and compiled into eBPF bytecode, which is loaded into the kernel via a new bpf() system call. After a mandatory step of verification by the kernel in which the code is checked to be safe to run, the bytecode is compiled into native machine instructions. These programs can then get access to kernel-exclusive functionalities including network traffic filtering, system calls hooking or tracing.
Although eBPF has built an outstanding environment for the creation of networking and tracing tools, its ability to run kernel programs without the need to load a kernel module has attracted the attention of multiple APTs. In fact, on February 2022, the Chinese security team Pangu Lab reported about a NSA backdoor that remained unnoticed from 2013 that uses eBPF for its networking functionality and that infected telecommunications, scientific and military systems worldwide\cite{bvp47_report}. More recently, PwC reports about a China-based threat actor that has targeted telecommunications systems with a eBPF-based backdoor\cite{bpfdoor_pwc}. Although eBPF has built an outstanding environment for the creation of networking and tracing tools, its ability to run kernel programs without the need to load a kernel module has attracted the attention of multiple APTs. On February 2022, the Chinese security team Pangu Lab reported about a NSA backdoor that remained unnoticed since 2013 that uses eBPF for its networking functionality and that infected military and telecommunications systems worldwide\cite{bvp47_report}. Also on 2022, PwC reports about a China-based threat actor that has targeted telecommunications systems with a eBPF-based backdoor\cite{bpfdoor_pwc}.
Taking all the previous background into account, and attending to the previous work on this matter by Jeff Dileo from NCC Group at DEFCON 27\cite{evil_ebpf} and by Guillaume Fournier and Sylvain Afchainthe from Datadog at DEFCON 29\cite{ebpf_friends}, we can confidently claim that there is a growing interest on researching the capabilities of eBPF in the context of offensive security, in particular given its potential on becoming a common component of modern rootkits. Additionally, there currently exists official efforts to extend the eBPF technology into Windows\cite{ebpf_windows} and Android systems\cite{ebpf_android}, which extends the mentioned risks to new platforms. Moreover, there currently exists official efforts to extend the eBPF technology into Windows\cite{ebpf_windows} and Android systems\cite{ebpf_android}, which spreads the mentioned risks to new platforms. Therefore, we can confidently claim that there is a growing interest on researching the capabilities of eBPF in the context of offensive security, in particular given its potential on becoming a common component found of modern rootkits. This knowledge would be valuable to the computer security community, both in the context of pen-testing and for analysts which need to know about the latest trends in malware to prepare their defences.
\section{Project objectives}
The main objective of this project is to compile a comprehensive report of the capabilities in the eBPF technology that could be weaponized by a malicious actor. In particular, we will be focusing on functionalities present in the Linux platform, given the maturity of eBPF on these environments and which therefore offers a wider range of possibilities. We will be approaching this study from a threat actor perspective, meaning that we will develop an eBPF-based rootkit which shows these capabilities live in a current Linux system, including simple proof of concepts (PoC) showing an specific feature, but also by building a realistic rootkit system which weaponizes these PoCs and operates malicious activities.
%According to the library guide, previous research should be around here. %Is it the best place tho?
Before narrowing down our objectives and selecting an specific list of rootkit capabilities to emulate using eBPF, we need to take into account previous research. The work on this matter by Jeff Dileo from NCC Group at DEFCON 27\cite{evil_ebpf} is particularly relevant, setting the first basis of eBPF ability to overwrite userland data, highlighting the possibility of overwriting the memory of a running process and executing arbitrary code on it.
Subsequent talks on 2021 by Pat Hogan at DEFCON 29\cite{bad_ebpf} and by Guillaume Fournier and Sylvain Afchainthe from Datadog at DEFCON 29\cite{ebpf_friends} research deeper on eBPF's ability to behave like a rootkit. In particular, Hogan shows how eBPF can be used to hide the rootkit's presence from the user and to modify data at system calls, whilst Fournier and Afchainthe built the first instance of a backdoor with command-and-control(C2) capabilities, enabling to communicate with the malicious eBPF program by sending network packets to the compromised machine.
\section{Objectives} Taking the previous research into account, and on the basis of common functionality usually we described to be usually incorporated at rootkits, the objectives of our research on eBPF is set to be on the following topics:
\section{Regulatory framework} \section{Regulatory framework}
%MARCOS-> Is this the appropiate place? Looking at other TFGs it is sometimes here and others in a final chapter %MARCOS-> Is this the appropiate place? Looking at other TFGs it is sometimes here and others in a final chapter

2
docs/document.toc
View File

@@ -5,7 +5,7 @@
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {1.1}Motivation}{1}{section.1.1}% \contentsline {section}{\numberline {1.1}Motivation}{1}{section.1.1}%
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {1.2}Objectives}{3}{section.1.2}% \contentsline {section}{\numberline {1.2}Project objectives}{3}{section.1.2}%
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {1.3}Regulatory framework}{3}{section.1.3}% \contentsline {section}{\numberline {1.3}Regulatory framework}{3}{section.1.3}%
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax

8
docs/pdfa.xmpi
View File

@@ -73,15 +73,15 @@
</rdf:Description> </rdf:Description>
<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/">
<xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool> <xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool>
<xmp:ModifyDate>2022-05-20T22:57:53-04:00</xmp:ModifyDate> <xmp:ModifyDate>2022-05-21T16:55:20-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-05-20T22:57:53-04:00</xmp:CreateDate> <xmp:CreateDate>2022-05-21T16:55:20-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-05-20T22:57:53-04:00</xmp:MetadataDate> <xmp:MetadataDate>2022-05-21T16:55:20-04:00</xmp:MetadataDate>
</rdf:Description> </rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/"> <rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/">
</rdf:Description> </rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/">
<xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID> <xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID>
<xmpMM:InstanceID>uuid:7FB03FB0-B3AA-C9EA-5AC6-57FBAE6526E0</xmpMM:InstanceID> <xmpMM:InstanceID>uuid:359875B8-13BC-D4EA-AE90-1C5D9D70EC50</xmpMM:InstanceID>
</rdf:Description> </rdf:Description>
</rdf:RDF> </rdf:RDF>
</x:xmpmeta> </x:xmpmeta>