admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-17 15:43:08 +08:00
Code Issues Packages Projects Releases Wiki Activity

Almost finished with SotA section. libbpf remains too get llvm and some functionality explained.

Browse Source
This commit is contained in:
h3xduck
2022-05-27 20:56:36 -04:00
parent 74e8163791
commit 62e8e68dd5
12 changed files with 353 additions and 137 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
docs/bibliography/bibliography.bib
View File

@@ -310,6 +310,30 @@
title={Linux kernel source tree}, title={Linux kernel source tree},
url={https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/pkt_cls.h}, url={https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/pkt_cls.h},
indextitle={index : kernel/git/torvalds/linux.git} indextitle={index : kernel/git/torvalds/linux.git}
},
@manual{tp_kernel,
title={Using the Linux Kernel Tracepoints},
url={https://www.kernel.org/doc/html/latest/trace/tracepoints.html},
author={Mathieu Desnoyers}
},
@manual{kprobe_manual,
title={Kernel Probes (Kprobes)},
author={Jim Keniston, Prasanna S Panchamukhi, Masami Hiramatsu},
url={https://www.kernel.org/doc/html/latest/trace/kprobes.html}
},
@online{kallsyms_kernel,
title={kallsyms: new /proc/kallmodsyms with builtin modules and symbol sizes},
author={Nick Alcock},
date={2021-06-06},
url={https://lwn.net/Articles/862021/}
},
@online{bcc_github,
title={BPF Compiler Collection (BCC)},
url={https://github.com/iovisor/bcc}
} }
@@ -320,4 +344,3 @@

33
docs/document.aux
View File

@@ -107,6 +107,7 @@
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.6}{\ignorespaces Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }}{11}{figure.caption.13}\protected@file@percent } \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.6}{\ignorespaces Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }}{11}{figure.caption.13}\protected@file@percent }
\newlabel{fig:tcpdump_ex_sol}{{2.6}{11}{Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }{figure.caption.13}{}} \newlabel{fig:tcpdump_ex_sol}{{2.6}{11}{Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }{figure.caption.13}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.2}Analysis of modern eBPF}{11}{section.2.2}\protected@file@percent } \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.2}Analysis of modern eBPF}{11}{section.2.2}\protected@file@percent }
\newlabel{section:modern_ebpf}{{2.2}{11}{Analysis of modern eBPF}{section.2.2}{}}
\abx@aux@cite{brendan_gregg_bpf_book} \abx@aux@cite{brendan_gregg_bpf_book}
\abx@aux@segm{0}{0}{brendan_gregg_bpf_book} \abx@aux@segm{0}{0}{brendan_gregg_bpf_book}
\abx@aux@cite{brendan_gregg_bpf_book} \abx@aux@cite{brendan_gregg_bpf_book}
@@ -218,22 +219,36 @@
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.11}{\ignorespaces Table showing relevant XDP-exclusive eBPF helpers.\relax }}{20}{table.caption.25}\protected@file@percent } \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.11}{\ignorespaces Table showing relevant XDP-exclusive eBPF helpers.\relax }}{20}{table.caption.25}\protected@file@percent }
\newlabel{table:xdp_helpers}{{2.11}{20}{Table showing relevant XDP-exclusive eBPF helpers.\relax }{table.caption.25}{}} \newlabel{table:xdp_helpers}{{2.11}{20}{Table showing relevant XDP-exclusive eBPF helpers.\relax }{table.caption.25}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.2}Traffic Control}{20}{subsection.2.3.2}\protected@file@percent } \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.2}Traffic Control}{20}{subsection.2.3.2}\protected@file@percent }
\abx@aux@cite{tp_kernel}
\abx@aux@segm{0}{0}{tp_kernel}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.12}{\ignorespaces Table showing TC relevant return values. Full list can be consulted at \cite {tc_ret_list_complete}.\relax }}{21}{table.caption.26}\protected@file@percent } \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.12}{\ignorespaces Table showing TC relevant return values. Full list can be consulted at \cite {tc_ret_list_complete}.\relax }}{21}{table.caption.26}\protected@file@percent }
\newlabel{table:tc_actions}{{2.12}{21}{Table showing TC relevant return values. Full list can be consulted at \cite {tc_ret_list_complete}.\relax }{table.caption.26}{}} \newlabel{table:tc_actions}{{2.12}{21}{Table showing TC relevant return values. Full list can be consulted at \cite {tc_ret_list_complete}.\relax }{table.caption.26}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.13}{\ignorespaces Table showing relevant TC-exclusive eBPF helpers.\relax }}{21}{table.caption.27}\protected@file@percent } \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.13}{\ignorespaces Table showing relevant TC-exclusive eBPF helpers.\relax }}{21}{table.caption.27}\protected@file@percent }
\newlabel{table:tc_helpers}{{2.13}{21}{Table showing relevant TC-exclusive eBPF helpers.\relax }{table.caption.27}{}} \newlabel{table:tc_helpers}{{2.13}{21}{Table showing relevant TC-exclusive eBPF helpers.\relax }{table.caption.27}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.4}Developing eBPF programs}{21}{section.2.4}\protected@file@percent } \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.3}Tracepoints}{21}{subsection.2.3.3}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Methods??}{22}{chapter.3}\protected@file@percent } \abx@aux@cite{kprobe_manual}
\abx@aux@segm{0}{0}{kprobe_manual}
\abx@aux@cite{kallsyms_kernel}
\abx@aux@segm{0}{0}{kallsyms_kernel}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.4}Kprobes}{22}{subsection.2.3.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.5}Uprobes}{22}{subsection.2.3.5}\protected@file@percent }
\abx@aux@cite{bcc_github}
\abx@aux@segm{0}{0}{bcc_github}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.4}Developing eBPF programs}{23}{section.2.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.1}BCC}{23}{subsection.2.4.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.2}Bpftool}{23}{subsection.2.4.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.3}Libbpf}{24}{subsection.2.4.3}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Methods??}{25}{chapter.3}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }} \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }} \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{23}{chapter.4}\protected@file@percent } \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{26}{chapter.4}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }} \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }} \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{24}{chapter.5}\protected@file@percent } \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{27}{chapter.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }} \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }} \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{25}{chapter.5}\protected@file@percent } \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{28}{chapter.5}\protected@file@percent }
\abx@aux@read@bbl@mdfivesum{D22502BFD1AA9A775C1BCD405EB9F4D6} \abx@aux@read@bbl@mdfivesum{928E85D2BF178C374F78AAE7687D8F1B}
\abx@aux@refcontextdefaultsdone \abx@aux@refcontextdefaultsdone
\abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global} \abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global} \abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global}
@@ -279,5 +294,9 @@
\abx@aux@defaultrefcontext{0}{tc_docs_complete}{none/global//global/global} \abx@aux@defaultrefcontext{0}{tc_docs_complete}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{tc_direct_action}{none/global//global/global} \abx@aux@defaultrefcontext{0}{tc_direct_action}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{tc_ret_list_complete}{none/global//global/global} \abx@aux@defaultrefcontext{0}{tc_ret_list_complete}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{tp_kernel}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{kprobe_manual}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{kallsyms_kernel}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{bcc_github}{none/global//global/global}
\ttl@finishall \ttl@finishall
\gdef \@abspage@last{45} \gdef \@abspage@last{48}

116
docs/document.bbl
View File

@@ -152,8 +152,8 @@
\strng{authorbibnamehash}{5142e68c748eb70cb619b21160eb7f72} \strng{authorbibnamehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{authornamehash}{5142e68c748eb70cb619b21160eb7f72} \strng{authornamehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{authorfullhash}{5142e68c748eb70cb619b21160eb7f72} \strng{authorfullhash}{5142e68c748eb70cb619b21160eb7f72}
\field{sortinit}{1} \field{sortinit}{2}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba} \field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
\field{labelnamesource}{author} \field{labelnamesource}{author}
\field{eventtitle}{Evil eBPF Practical Abuses of an In-Kernel Bytecode Runtime} \field{eventtitle}{Evil eBPF Practical Abuses of an In-Kernel Bytecode Runtime}
\verb{urlraw} \verb{urlraw}
@@ -402,8 +402,8 @@
\strng{authornamehash}{b74c2671072cf5a1a1400dc035240dfd} \strng{authornamehash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{authorfullhash}{b74c2671072cf5a1a1400dc035240dfd} \strng{authorfullhash}{b74c2671072cf5a1a1400dc035240dfd}
\field{extraname}{4} \field{extraname}{4}
\field{sortinit}{2} \field{sortinit}{3}
\field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed} \field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
\field{labelnamesource}{author} \field{labelnamesource}{author}
\field{labeltitlesource}{title} \field{labeltitlesource}{title}
\field{day}{19} \field{day}{19}
@@ -523,8 +523,8 @@
\endverb \endverb
\endentry \endentry
\entry{ebpf_inst_set}{manual}{} \entry{ebpf_inst_set}{manual}{}
\field{sortinit}{3} \field{sortinit}{4}
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9} \field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4}
\field{labeltitlesource}{title} \field{labeltitlesource}{title}
\field{title}{eBPF instruction set} \field{title}{eBPF instruction set}
\verb{urlraw} \verb{urlraw}
@@ -687,8 +687,8 @@
\endverb \endverb
\endentry \endentry
\entry{jit_enable_setting}{manual}{} \entry{jit_enable_setting}{manual}{}
\field{sortinit}{4} \field{sortinit}{5}
\field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4} \field{sortinithash}{5dd416adbafacc8226114bc0202d5fdd}
\field{labeltitlesource}{title} \field{labeltitlesource}{title}
\field{title}{bpf\_jit\_enable} \field{title}{bpf\_jit\_enable}
\verb{urlraw} \verb{urlraw}
@@ -941,8 +941,8 @@
\strng{authorbibnamehash}{6f963077bb5e5f5e471047d2f4a2e4e7} \strng{authorbibnamehash}{6f963077bb5e5f5e471047d2f4a2e4e7}
\strng{authornamehash}{6f963077bb5e5f5e471047d2f4a2e4e7} \strng{authornamehash}{6f963077bb5e5f5e471047d2f4a2e4e7}
\strng{authorfullhash}{6f963077bb5e5f5e471047d2f4a2e4e7} \strng{authorfullhash}{6f963077bb5e5f5e471047d2f4a2e4e7}
\field{sortinit}{6} \field{sortinit}{7}
\field{sortinithash}{7851c86048328b027313775d8fbd2131} \field{sortinithash}{f615fb9c6fba11c6f962fb3fd599810e}
\field{labelnamesource}{author} \field{labelnamesource}{author}
\field{labeltitlesource}{title} \field{labeltitlesource}{title}
\field{day}{1} \field{day}{1}
@@ -1000,6 +1000,102 @@
\verb https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/pkt_cls.h \verb https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/pkt_cls.h
\endverb \endverb
\endentry \endentry
\entry{tp_kernel}{manual}{}
\name{author}{1}{}{%
{{hash=5233bec95aa14fa3942f60f8fc369f5a}{%
family={Desnoyers},
familyi={D\bibinitperiod},
given={Mathieu},
giveni={M\bibinitperiod}}}%
}
\strng{namehash}{5233bec95aa14fa3942f60f8fc369f5a}
\strng{fullhash}{5233bec95aa14fa3942f60f8fc369f5a}
\strng{bibnamehash}{5233bec95aa14fa3942f60f8fc369f5a}
\strng{authorbibnamehash}{5233bec95aa14fa3942f60f8fc369f5a}
\strng{authornamehash}{5233bec95aa14fa3942f60f8fc369f5a}
\strng{authorfullhash}{5233bec95aa14fa3942f60f8fc369f5a}
\field{sortinit}{7}
\field{sortinithash}{f615fb9c6fba11c6f962fb3fd599810e}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{title}{Using the Linux Kernel Tracepoints}
\verb{urlraw}
\verb https://www.kernel.org/doc/html/latest/trace/tracepoints.html
\endverb
\verb{url}
\verb https://www.kernel.org/doc/html/latest/trace/tracepoints.html
\endverb
\endentry
\entry{kprobe_manual}{manual}{}
\name{author}{1}{}{%
{{hash=2cc2b9c9c507513d2985e72f46781aec}{%
family={Jim\bibnamedelima Keniston},
familyi={J\bibinitperiod\bibinitdelim K\bibinitperiod},
given={Masami\bibnamedelima Hiramatsu},
giveni={M\bibinitperiod\bibinitdelim H\bibinitperiod},
suffix={Prasanna\bibnamedelimb S\bibnamedelima Panchamukhi},
suffixi={P\bibinitperiod\bibinitdelim S\bibinitperiod\bibinitdelim P\bibinitperiod}}}%
}
\strng{namehash}{2cc2b9c9c507513d2985e72f46781aec}
\strng{fullhash}{2cc2b9c9c507513d2985e72f46781aec}
\strng{bibnamehash}{2cc2b9c9c507513d2985e72f46781aec}
\strng{authorbibnamehash}{2cc2b9c9c507513d2985e72f46781aec}
\strng{authornamehash}{2cc2b9c9c507513d2985e72f46781aec}
\strng{authorfullhash}{2cc2b9c9c507513d2985e72f46781aec}
\field{sortinit}{7}
\field{sortinithash}{f615fb9c6fba11c6f962fb3fd599810e}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{title}{Kernel Probes (Kprobes)}
\verb{urlraw}
\verb https://www.kernel.org/doc/html/latest/trace/kprobes.html
\endverb
\verb{url}
\verb https://www.kernel.org/doc/html/latest/trace/kprobes.html
\endverb
\endentry
\entry{kallsyms_kernel}{online}{}
\name{author}{1}{}{%
{{hash=d92b805bd53ec71a9ed691daf3c00fcc}{%
family={Alcock},
familyi={A\bibinitperiod},
given={Nick},
giveni={N\bibinitperiod}}}%
}
\strng{namehash}{d92b805bd53ec71a9ed691daf3c00fcc}
\strng{fullhash}{d92b805bd53ec71a9ed691daf3c00fcc}
\strng{bibnamehash}{d92b805bd53ec71a9ed691daf3c00fcc}
\strng{authorbibnamehash}{d92b805bd53ec71a9ed691daf3c00fcc}
\strng{authornamehash}{d92b805bd53ec71a9ed691daf3c00fcc}
\strng{authorfullhash}{d92b805bd53ec71a9ed691daf3c00fcc}
\field{sortinit}{7}
\field{sortinithash}{f615fb9c6fba11c6f962fb3fd599810e}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{6}
\field{month}{6}
\field{title}{kallsyms: new /proc/kallmodsyms with builtin modules and symbol sizes}
\field{year}{2021}
\field{dateera}{ce}
\verb{urlraw}
\verb https://lwn.net/Articles/862021/
\endverb
\verb{url}
\verb https://lwn.net/Articles/862021/
\endverb
\endentry
\entry{bcc_github}{online}{}
\field{sortinit}{7}
\field{sortinithash}{f615fb9c6fba11c6f962fb3fd599810e}
\field{labeltitlesource}{title}
\field{title}{BPF Compiler Collection (BCC)}
\verb{urlraw}
\verb https://github.com/iovisor/bcc
\endverb
\verb{url}
\verb https://github.com/iovisor/bcc
\endverb
\endentry
\enddatalist \enddatalist
\endrefsection \endrefsection
\endinput \endinput

4
docs/document.bcf
View File

@@ -2409,6 +2409,10 @@
<bcf:citekey order="71">tc_direct_action</bcf:citekey> <bcf:citekey order="71">tc_direct_action</bcf:citekey>
<bcf:citekey order="72">tc_ret_list_complete</bcf:citekey> <bcf:citekey order="72">tc_ret_list_complete</bcf:citekey>
<bcf:citekey order="73">tc_ret_list_complete</bcf:citekey> <bcf:citekey order="73">tc_ret_list_complete</bcf:citekey>
<bcf:citekey order="74">tp_kernel</bcf:citekey>
<bcf:citekey order="75">kprobe_manual</bcf:citekey>
<bcf:citekey order="76">kallsyms_kernel</bcf:citekey>
<bcf:citekey order="77">bcc_github</bcf:citekey>
</bcf:section> </bcf:section>
<!-- SORTING TEMPLATES --> <!-- SORTING TEMPLATES -->
<bcf:sortingtemplate name="none"> <bcf:sortingtemplate name="none">

124
docs/document.blg
View File

@@ -1,62 +1,66 @@
[0] Config.pm:311> INFO - This is Biber 2.16 [0] Config.pm:311> INFO - This is Biber 2.16
[0] Config.pm:314> INFO - Logfile is 'document.blg' [0] Config.pm:314> INFO - Logfile is 'document.blg'
[60] biber:340> INFO - === Thu May 26, 2022, 21:27:57 [66] biber:340> INFO - === Fri May 27, 2022, 19:34:53
[75] Biber.pm:415> INFO - Reading 'document.bcf' [82] Biber.pm:415> INFO - Reading 'document.bcf'
[148] Biber.pm:952> INFO - Found 44 citekeys in bib section 0 [155] Biber.pm:952> INFO - Found 48 citekeys in bib section 0
[164] Biber.pm:4340> INFO - Processing section 0 [169] Biber.pm:4340> INFO - Processing section 0
[174] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0 [180] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[176] bibtex.pm:1689> INFO - LaTeX decoding ... [182] bibtex.pm:1689> INFO - LaTeX decoding ...
[194] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib' [202] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[292] Utils.pm:384> WARN - Entry 'ebpf_bounded_loops' (bibliography/bibliography.bib): Invalid format '2019-06-31' of date field 'date' - ignoring [307] Utils.pm:384> WARN - Entry 'ebpf_bounded_loops' (bibliography/bibliography.bib): Invalid format '2019-06-31' of date field 'date' - ignoring
[315] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 9, warning: 1 characters of junk seen at toplevel [339] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 9, warning: 1 characters of junk seen at toplevel
[315] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 15, warning: 1 characters of junk seen at toplevel [339] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 15, warning: 1 characters of junk seen at toplevel
[315] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 22, warning: 1 characters of junk seen at toplevel [339] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 22, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 28, warning: 1 characters of junk seen at toplevel [339] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 28, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 35, warning: 1 characters of junk seen at toplevel [339] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 35, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 42, warning: 1 characters of junk seen at toplevel [339] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 42, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 50, warning: 1 characters of junk seen at toplevel [339] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 50, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 58, warning: 1 characters of junk seen at toplevel [339] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 58, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 65, warning: 1 characters of junk seen at toplevel [339] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 65, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 70, warning: 1 characters of junk seen at toplevel [339] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 70, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 77, warning: 1 characters of junk seen at toplevel [339] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 77, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 85, warning: 1 characters of junk seen at toplevel [339] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 85, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 94, warning: 1 characters of junk seen at toplevel [339] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 94, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 103, warning: 1 characters of junk seen at toplevel [339] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 103, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 112, warning: 1 characters of junk seen at toplevel [340] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 112, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 121, warning: 1 characters of junk seen at toplevel [340] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 121, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 127, warning: 1 characters of junk seen at toplevel [340] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 127, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 132, warning: 1 characters of junk seen at toplevel [340] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 132, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 137, warning: 1 characters of junk seen at toplevel [340] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 137, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 142, warning: 1 characters of junk seen at toplevel [340] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 142, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 153, warning: 1 characters of junk seen at toplevel [340] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 153, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 158, warning: 1 characters of junk seen at toplevel [340] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 158, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 164, warning: 1 characters of junk seen at toplevel [340] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 164, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 170, warning: 1 characters of junk seen at toplevel [340] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 170, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 175, warning: 1 characters of junk seen at toplevel [340] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 175, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 184, warning: 1 characters of junk seen at toplevel [340] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 184, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 191, warning: 1 characters of junk seen at toplevel [340] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 191, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 199, warning: 1 characters of junk seen at toplevel [340] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 199, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 206, warning: 1 characters of junk seen at toplevel [340] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 206, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 215, warning: 1 characters of junk seen at toplevel [340] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 215, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 224, warning: 1 characters of junk seen at toplevel [340] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 224, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 233, warning: 1 characters of junk seen at toplevel [340] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 233, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 239, warning: 1 characters of junk seen at toplevel [340] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 239, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 244, warning: 1 characters of junk seen at toplevel [340] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 244, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 249, warning: 1 characters of junk seen at toplevel [340] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 249, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 256, warning: 1 characters of junk seen at toplevel [341] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 256, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 261, warning: 1 characters of junk seen at toplevel [341] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 261, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 266, warning: 1 characters of junk seen at toplevel [341] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 266, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 271, warning: 1 characters of junk seen at toplevel [341] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 271, warning: 1 characters of junk seen at toplevel
[318] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 276, warning: 1 characters of junk seen at toplevel [341] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 276, warning: 1 characters of junk seen at toplevel
[318] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 283, warning: 1 characters of junk seen at toplevel [341] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 283, warning: 1 characters of junk seen at toplevel
[318] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 288, warning: 1 characters of junk seen at toplevel [341] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 288, warning: 1 characters of junk seen at toplevel
[318] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 295, warning: 1 characters of junk seen at toplevel [341] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 295, warning: 1 characters of junk seen at toplevel
[318] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 302, warning: 1 characters of junk seen at toplevel [341] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 302, warning: 1 characters of junk seen at toplevel
[318] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 309, warning: 1 characters of junk seen at toplevel [341] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 309, warning: 1 characters of junk seen at toplevel
[348] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable' [341] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 315, warning: 1 characters of junk seen at toplevel
[349] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized' [341] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 321, warning: 1 characters of junk seen at toplevel
[349] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US' [341] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 327, warning: 1 characters of junk seen at toplevel
[349] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US' [341] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_pgMm/f4d088b3f9f145b5c3058da33afd57d4_162505.utf8, line 334, warning: 1 characters of junk seen at toplevel
[375] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8' [375] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[385] bbl.pm:757> INFO - Output to document.bbl [375] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[386] Biber.pm:128> INFO - WARNINGS: 46 [376] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[376] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[404] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[416] bbl.pm:757> INFO - Output to document.bbl
[416] Biber.pm:128> INFO - WARNINGS: 50

80
docs/document.log
View File

@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 26 MAY 2022 21:44 This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 27 MAY 2022 20:55
entering extended mode entering extended mode
restricted \write18 enabled. restricted \write18 enabled.
%&-line parsing enabled. %&-line parsing enabled.
@@ -1096,7 +1096,7 @@ File: t1txss.fd 2000/12/15 v3.1
) )
LaTeX Font Info: Font shape `T1/txss/m/n' will be LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 11.39996pt on input line 186. (Font) scaled to size 11.39996pt on input line 186.
<images//Portada_Logo.png, id=125, 456.2865pt x 45.99pt> <images//Portada_Logo.png, id=149, 456.2865pt x 45.99pt>
File: images//Portada_Logo.png Graphic file (type png) File: images//Portada_Logo.png Graphic file (type png)
<use images//Portada_Logo.png> <use images//Portada_Logo.png>
Package pdftex.def Info: images//Portada_Logo.png used on input line 190. Package pdftex.def Info: images//Portada_Logo.png used on input line 190.
@@ -1109,7 +1109,7 @@ LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 23.63593pt on input line 201. (Font) scaled to size 23.63593pt on input line 201.
LaTeX Font Info: Font shape `T1/txss/m/n' will be LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 19.70294pt on input line 205. (Font) scaled to size 19.70294pt on input line 205.
<images/creativecommons.png, id=127, 338.76563pt x 118.19156pt> <images/creativecommons.png, id=151, 338.76563pt x 118.19156pt>
File: images/creativecommons.png Graphic file (type png) File: images/creativecommons.png Graphic file (type png)
<use images/creativecommons.png> <use images/creativecommons.png>
Package pdftex.def Info: images/creativecommons.png used on input line 215. Package pdftex.def Info: images/creativecommons.png used on input line 215.
@@ -1220,7 +1220,7 @@ Chapter 2.
LaTeX Warning: Reference `section:analysis_offensive_capabilities' on page 5 un LaTeX Warning: Reference `section:analysis_offensive_capabilities' on page 5 un
defined on input line 412. defined on input line 412.
<images//classic_bpf.jpg, id=387, 588.1975pt x 432.61626pt> <images//classic_bpf.jpg, id=423, 588.1975pt x 432.61626pt>
File: images//classic_bpf.jpg Graphic file (type jpg) File: images//classic_bpf.jpg Graphic file (type jpg)
<use images//classic_bpf.jpg> <use images//classic_bpf.jpg>
Package pdftex.def Info: images//classic_bpf.jpg used on input line 426. Package pdftex.def Info: images//classic_bpf.jpg used on input line 426.
@@ -1228,36 +1228,36 @@ Package pdftex.def Info: images//classic_bpf.jpg used on input line 426.
[5 [5
] [6 <./images//classic_bpf.jpg>] ] [6 <./images//classic_bpf.jpg>]
<images//cbpf_prog.jpg, id=405, 403.5075pt x 451.6875pt> <images//cbpf_prog.jpg, id=441, 403.5075pt x 451.6875pt>
File: images//cbpf_prog.jpg Graphic file (type jpg) File: images//cbpf_prog.jpg Graphic file (type jpg)
<use images//cbpf_prog.jpg> <use images//cbpf_prog.jpg>
Package pdftex.def Info: images//cbpf_prog.jpg used on input line 453. Package pdftex.def Info: images//cbpf_prog.jpg used on input line 453.
(pdftex.def) Requested size: 227.62204pt x 254.80415pt. (pdftex.def) Requested size: 227.62204pt x 254.80415pt.
[7 <./images/cBPF_prog.jpg>] [7 <./images/cBPF_prog.jpg>]
<images//bpf_instructions.png, id=415, 380.92313pt x 475.27562pt> <images//bpf_instructions.png, id=451, 380.92313pt x 475.27562pt>
File: images//bpf_instructions.png Graphic file (type png) File: images//bpf_instructions.png Graphic file (type png)
<use images//bpf_instructions.png> <use images//bpf_instructions.png>
Package pdftex.def Info: images//bpf_instructions.png used on input line 493. Package pdftex.def Info: images//bpf_instructions.png used on input line 493.
(pdftex.def) Requested size: 227.62204pt x 283.99998pt. (pdftex.def) Requested size: 227.62204pt x 283.99998pt.
[8 <./images//bpf_instructions.png>] [8 <./images//bpf_instructions.png>]
<images//bpf_address_mode.png, id=425, 417.05812pt x 313.67188pt> <images//bpf_address_mode.png, id=461, 417.05812pt x 313.67188pt>
File: images//bpf_address_mode.png Graphic file (type png) File: images//bpf_address_mode.png Graphic file (type png)
<use images//bpf_address_mode.png> <use images//bpf_address_mode.png>
Package pdftex.def Info: images//bpf_address_mode.png used on input line 509. Package pdftex.def Info: images//bpf_address_mode.png used on input line 509.
(pdftex.def) Requested size: 227.62204pt x 171.19905pt. (pdftex.def) Requested size: 227.62204pt x 171.19905pt.
[9 <./images//bpf_address_mode.png>] [9 <./images//bpf_address_mode.png>]
<images//tcpdump_example.png, id=437, 534.99875pt x 454.69875pt> <images//tcpdump_example.png, id=473, 534.99875pt x 454.69875pt>
File: images//tcpdump_example.png Graphic file (type png) File: images//tcpdump_example.png Graphic file (type png)
<use images//tcpdump_example.png> <use images//tcpdump_example.png>
Package pdftex.def Info: images//tcpdump_example.png used on input line 524. Package pdftex.def Info: images//tcpdump_example.png used on input line 524.
(pdftex.def) Requested size: 284.52756pt x 241.82869pt. (pdftex.def) Requested size: 284.52756pt x 241.82869pt.
<images//cBPF_prog_ex_sol.png, id=440, 242.9075pt x 321.2pt> <images//cBPF_prog_ex_sol.png, id=476, 242.9075pt x 321.2pt>
File: images//cBPF_prog_ex_sol.png Graphic file (type png) File: images//cBPF_prog_ex_sol.png Graphic file (type png)
<use images//cBPF_prog_ex_sol.png> <use images//cBPF_prog_ex_sol.png>
Package pdftex.def Info: images//cBPF_prog_ex_sol.png used on input line 535. Package pdftex.def Info: images//cBPF_prog_ex_sol.png used on input line 535.
(pdftex.def) Requested size: 170.71652pt x 225.74026pt. (pdftex.def) Requested size: 170.71652pt x 225.74026pt.
[10 <./images//tcpdump_example.png>] [11 <./images//cBPF_prog_ex_sol.png>] [10 <./images//tcpdump_example.png>] [11 <./images//cBPF_prog_ex_sol.png>]
<images//ebpf_arch.jpg, id=459, 739.76375pt x 472.76625pt> <images//ebpf_arch.jpg, id=495, 739.76375pt x 472.76625pt>
File: images//ebpf_arch.jpg Graphic file (type jpg) File: images//ebpf_arch.jpg Graphic file (type jpg)
<use images//ebpf_arch.jpg> <use images//ebpf_arch.jpg>
Package pdftex.def Info: images//ebpf_arch.jpg used on input line 574. Package pdftex.def Info: images//ebpf_arch.jpg used on input line 574.
@@ -1309,7 +1309,7 @@ Overfull \hbox (13.5802pt too wide) in paragraph at lines 756--784
[] []
[17] [17]
<images//xdp_diag.jpg, id=539, 649.42625pt x 472.76625pt> <images//xdp_diag.jpg, id=575, 649.42625pt x 472.76625pt>
File: images//xdp_diag.jpg Graphic file (type jpg) File: images//xdp_diag.jpg Graphic file (type jpg)
<use images//xdp_diag.jpg> <use images//xdp_diag.jpg>
Package pdftex.def Info: images//xdp_diag.jpg used on input line 800. Package pdftex.def Info: images//xdp_diag.jpg used on input line 800.
@@ -1319,63 +1319,63 @@ Overfull \hbox (5.80417pt too wide) in paragraph at lines 863--875
[][] [][]
[] []
[20] [21] [20] [21] [22] [23] [24]
Chapter 3. Chapter 3.
[22 [25
] ]
Chapter 4. Chapter 4.
[23 [26
] ]
Chapter 5. Chapter 5.
[24 [27
] ]
LaTeX Font Info: Trying to load font information for T1+txtt on input line 9 LaTeX Font Info: Trying to load font information for T1+txtt on input line 1
57. 001.
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txtt.fd (/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txtt.fd
File: t1txtt.fd 2000/12/15 v3.1 File: t1txtt.fd 2000/12/15 v3.1
) )
Overfull \hbox (5.34976pt too wide) in paragraph at lines 958--958 Overfull \hbox (5.34976pt too wide) in paragraph at lines 1002--1002
\T1/txtt/m/n/12 threat -[] intelligence / cyber -[] year -[] in -[] retrospect \T1/txtt/m/n/12 threat -[] intelligence / cyber -[] year -[] in -[] retrospect
/ yir -[] cyber -[] threats -[] / yir -[] cyber -[] threats -[]
[] []
[25 [28
] ]
Overfull \hbox (6.22696pt too wide) in paragraph at lines 958--958 Overfull \hbox (6.22696pt too wide) in paragraph at lines 1002--1002
[]\T1/txr/m/it/12 Bpf fea-tures by linux ker-nel ver-sion\T1/txr/m/n/12 , io-vi []\T1/txr/m/it/12 Bpf fea-tures by linux ker-nel ver-sion\T1/txr/m/n/12 , io-vi
-sor. [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / github . -sor. [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / github .
[] []
Overfull \hbox (7.34976pt too wide) in paragraph at lines 958--958 Overfull \hbox (7.34976pt too wide) in paragraph at lines 1002--1002
[][]$\T1/txtt/m/n/12 https : / / ebpf . io / what -[] is -[] ebpf / #loader -[] [][]$\T1/txtt/m/n/12 https : / / ebpf . io / what -[] is -[] ebpf / #loader -[]
-[] verification -[] architecture$[][]\T1/txr/m/n/12 . -[] verification -[] architecture$[][]\T1/txr/m/n/12 .
[] []
Overfull \hbox (21.24973pt too wide) in paragraph at lines 958--958 Overfull \hbox (21.24973pt too wide) in paragraph at lines 1002--1002
\T1/txtt/m/n/12 vger . kernel . org / netconf2015Starovoitov -[] bpf _ collabsu \T1/txtt/m/n/12 vger . kernel . org / netconf2015Starovoitov -[] bpf _ collabsu
mmit _ 2015feb20 . mmit _ 2015feb20 .
[] []
[26] [29]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 958--958 Overfull \hbox (9.14975pt too wide) in paragraph at lines 1002--1002
\T1/txtt/m/n/12 ch02 . xhtml# :-[]: text = With % 20JIT % 20compiled % 20code % \T1/txtt/m/n/12 ch02 . xhtml# :-[]: text = With % 20JIT % 20compiled % 20code %
2C % 20i ,[] %20other % 2C % 20i ,[] %20other %
[] []
Overfull \hbox (6.49615pt too wide) in paragraph at lines 958--958 Overfull \hbox (6.49615pt too wide) in paragraph at lines 1002--1002
[]\T1/txr/m/n/12 D. Lavie. ^^P A gen-tle in-tro-duc-tion to xdp.^^Q (Feb. 3, 2 []\T1/txr/m/n/12 D. Lavie. ^^P A gen-tle in-tro-duc-tion to xdp.^^Q (Feb. 3, 2
022), [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https : 022), [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https :
[] []
[27] [28] [1 [30] [31] [1
] ]
@@ -1386,24 +1386,30 @@ pdfTeX warning (ext4): destination with the same identifier (name{page.}) has b
een already used, duplicate ignored een already used, duplicate ignored
<to be read again> <to be read again>
\relax \relax
l.974 \end{document} l.1018 \end{document}
[2 [2
] (./document.aux) ] (./document.aux)
LaTeX Warning: There were undefined references. LaTeX Warning: There were undefined references.
Package rerunfilecheck Info: File `document.out' has not changed.
(rerunfilecheck) Checksum: E5138CE4A4FC0333EA6AC0A0168DC432;2190. Package rerunfilecheck Warning: File `document.out' has changed.
(rerunfilecheck) Rerun to get outlines right
(rerunfilecheck) or use package `bookmark'.
Package rerunfilecheck Info: Checksums for `document.out':
(rerunfilecheck) Before: 76D08850B9857529ABB9875381AE8D26;2555
(rerunfilecheck) After: DDEC2EA0BA9DDEC568FE05D8A7BB7EC7;2555.
Package logreq Info: Writing requests to 'document.run.xml'. Package logreq Info: Writing requests to 'document.run.xml'.
\openout1 = `document.run.xml'. \openout1 = `document.run.xml'.
) )
Here is how much of TeX's memory you used: Here is how much of TeX's memory you used:
27457 strings out of 481209 27485 strings out of 481209
438434 string characters out of 5914747 439113 string characters out of 5914747
1180810 words of memory out of 5000000 1181078 words of memory out of 5000000
43827 multiletter control sequences out of 15000+600000 43842 multiletter control sequences out of 15000+600000
453959 words of font info for 100 fonts, out of 8000000 for 9000 453959 words of font info for 100 fonts, out of 8000000 for 9000
36 hyphenation exceptions out of 8191 36 hyphenation exceptions out of 8191
88i,12n,90p,1029b,3681s stack positions out of 5000i,500n,10000p,200000b,80000s 88i,12n,90p,1029b,3681s stack positions out of 5000i,500n,10000p,200000b,80000s
@@ -1418,9 +1424,9 @@ texmf-dist/fonts/type1/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/f
onts/type1/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/u onts/type1/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/u
rw/times/utmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a rw/times/utmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a
.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb> .pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on document.pdf (45 pages, 661173 bytes). Output written on document.pdf (48 pages, 676250 bytes).
PDF statistics: PDF statistics:
796 PDF objects out of 1000 (max. 8388607) 863 PDF objects out of 1000 (max. 8388607)
146 named destinations out of 1000 (max. 500000) 159 named destinations out of 1000 (max. 500000)
303 words of extra memory for PDF output out of 10000 (max. 10000000) 351 words of extra memory for PDF output out of 10000 (max. 10000000)

16
docs/document.out
View File

@@ -23,8 +23,14 @@
\BOOKMARK [1][-]{section.2.3}{eBPF\040program\040types}{chapter.2}% 23 \BOOKMARK [1][-]{section.2.3}{eBPF\040program\040types}{chapter.2}% 23
\BOOKMARK [2][-]{subsection.2.3.1}{XDP}{section.2.3}% 24 \BOOKMARK [2][-]{subsection.2.3.1}{XDP}{section.2.3}% 24
\BOOKMARK [2][-]{subsection.2.3.2}{Traffic\040Control}{section.2.3}% 25 \BOOKMARK [2][-]{subsection.2.3.2}{Traffic\040Control}{section.2.3}% 25
\BOOKMARK [1][-]{section.2.4}{Developing\040eBPF\040programs}{chapter.2}% 26 \BOOKMARK [2][-]{subsection.2.3.3}{Tracepoints}{section.2.3}% 26
\BOOKMARK [0][-]{chapter.3}{Methods??}{}% 27 \BOOKMARK [2][-]{subsection.2.3.4}{Kprobes}{section.2.3}% 27
\BOOKMARK [0][-]{chapter.4}{Results}{}% 28 \BOOKMARK [2][-]{subsection.2.3.5}{Uprobes}{section.2.3}% 28
\BOOKMARK [0][-]{chapter.5}{Conclusion\040and\040future\040work}{}% 29 \BOOKMARK [1][-]{section.2.4}{Developing\040eBPF\040programs}{chapter.2}% 29
\BOOKMARK [0][-]{chapter.5}{Bibliography}{}% 30 \BOOKMARK [2][-]{subsection.2.4.1}{BCC}{section.2.4}% 30
\BOOKMARK [2][-]{subsection.2.4.2}{Bpftool}{section.2.4}% 31
\BOOKMARK [2][-]{subsection.2.4.3}{Libbpf}{section.2.4}% 32
\BOOKMARK [0][-]{chapter.3}{Methods??}{}% 33
\BOOKMARK [0][-]{chapter.4}{Results}{}% 34
\BOOKMARK [0][-]{chapter.5}{Conclusion\040and\040future\040work}{}% 35
\BOOKMARK [0][-]{chapter.5}{Bibliography}{}% 36

BIN
docs/document.pdf
View File

Binary file not shown.

BIN
docs/document.synctex.gz
View File

Binary file not shown.

60
docs/document.tex
View File

@@ -537,7 +537,7 @@ In the example, using the \textit{jf} and \textit{jt} fields, we can label the n
\label{fig:tcpdump_ex_sol} \label{fig:tcpdump_ex_sol}
\end{figure} \end{figure}
\section{Analysis of modern eBPF} \section{Analysis of modern eBPF} \label{section:modern_ebpf}
This section discusses the current state of modern eBPF in the Linux kernel. By building on the previous architecture described in classic BPF, we will be able to provide a comprehensive picture of the underlying infrastructure in which eBPF relies today. This section discusses the current state of modern eBPF in the Linux kernel. By building on the previous architecture described in classic BPF, we will be able to provide a comprehensive picture of the underlying infrastructure in which eBPF relies today.
The addition of classic BPF in the Linux kernel set the foundations of eBPF, but nowadays it has already extended its presence to many other components other than traffic filtering. Similarly to how BPF filters were included in the networking module of the Linux kernel, we will now study the necessary changes made in the kernel to support these new program types. Table \ref{table:ebpf_history} shows the main updates that were incorporated and shaped modern eBPF of today. The addition of classic BPF in the Linux kernel set the foundations of eBPF, but nowadays it has already extended its presence to many other components other than traffic filtering. Similarly to how BPF filters were included in the networking module of the Linux kernel, we will now study the necessary changes made in the kernel to support these new program types. Table \ref{table:ebpf_history} shows the main updates that were incorporated and shaped modern eBPF of today.
@@ -853,7 +853,7 @@ Traffic Control (TC) programs are also indicated for networking instrumentation.
With respect to how TC programs operate, the Traffic Control system in Linux is greatly complex and would require a complete section by itself. In fact, it was already a complete system before the appearance of eBPF. Full documentation can be found at \cite{tc_docs_complete}. For this document, we will explain the overall process needed to load a TC program\cite{tc_direct_action}: With respect to how TC programs operate, the Traffic Control system in Linux is greatly complex and would require a complete section by itself. In fact, it was already a complete system before the appearance of eBPF. Full documentation can be found at \cite{tc_docs_complete}. For this document, we will explain the overall process needed to load a TC program\cite{tc_direct_action}:
\begin{enumerate} \begin{enumerate}
\item The TC program defines a so-called queuing discipline (qdisc), a packet scheduler that issues packets in a FIFO order as soon as they are received. This qdisc will be attached to an specific network interface (e.g.: wlan0). \item The TC program defines a so-called queuing discipline (qdisc), a packet scheduler that issues packets in a First-In-First-Out (FIFO) order as soon as they are received. This qdisc will be attached to an specific network interface (e.g.: wlan0).
\item Our TC eBPF program is attached to the qdisc. It will work as a filter, being run for every of the packets dispatched by the qdisc. \item Our TC eBPF program is attached to the qdisc. It will work as a filter, being run for every of the packets dispatched by the qdisc.
\end{enumerate} \end{enumerate}
@@ -876,7 +876,7 @@ TC\_ACT\_SHOT & Drops the packet completely, kernel networking will not be notif
\label{table:tc_actions} \label{table:tc_actions}
\end{table} \end{table}
Finally, as in XDP, there exist a list of useful BPF helpers that will be relevant for the creation of our rootkit. They are shown in table \ref{table:tc_helpers}. Finally, as in XDP, there exists a list of useful BPF helpers that will be relevant for the creation of our rootkit. They are shown in table \ref{table:tc_helpers}.
\begin{table}[H] \begin{table}[H]
\begin{tabular}{|c|>{\centering\arraybackslash}p{10cm}|} \begin{tabular}{|c|>{\centering\arraybackslash}p{10cm}|}
\hline \hline
@@ -901,16 +901,62 @@ bpf\_skb\_change\_tail() & Enlarges or reduces the extension of a packet, by mov
\label{table:tc_helpers} \label{table:tc_helpers}
\end{table} \end{table}
%ADD HOOKING SUBSECTION
%TODO This section might benefit from some diagrams, maybe. It was a bit to extense already, so skipping it from now
\subsection{Tracepoints}
Tracepoints are a technology in the Linux kernel that allows to hook functions in the kernel, connecting a 'probe': a function that is executed every time the hooked function is called\cite{tp_kernel}. These tracepoints are set statically during kernel development, meaning that for a function to be hooked, it needs to have been previously marked with a tracepoint statement indicating its traceability. At the same time, this limits the number of tracepoints available.
The list of tracepoint events available depends on the kernel version and can be visited under the directory \textit{/sys/kernel/debug/tracing/events}.
It is particularly relevant for our later research that most of the system calls incorporate a tracepoint, both when they are called (\textit{enter} tracepoint) and when they are exited (\textit{exit} tracepoints). This means that, for a system call sys\_open, both the tracepoint sys\_enter\_open and sys\_exit\_open are available.
Also, note that the probe functions that are called when hitting a tracepoint receive some parameters related to the context on which the tracepoint is located. In the case of syscalls, these include the parameters with which the syscall was called (only for \textit{enter} syscalls, \textit{exit} ones will only have access to the return value). The exact parameters and their format which a probe function receives can be visited in the file \textit{/sys/kernel/debug/tracing/events/<subsystem>/<tracepoint>/format}. In the previous example with sys\_enter\_open, this is \textit{/sys/kernel/debug/tracing/events/syscalls/sys\_enter\_open/format}.
In eBPF, a program can issue a bpf() syscall with the command BPF\_PROG\_LOAD and the program type BPF\_PROG\_TYPE\_TRACEPOINT, specifying which is the function with the tracepoint to attach to and an arbitrary function probe to call when it is hit. This function probe is defined by the user in the eBPF program submitted to the kernel.
\subsection{Kprobes}
Kprobes are another tracing technology of the Linux kernel whose functionality has been become available to eBPF programs. Similarly to tracepoints, kprobes enable to hook a probe function, with the only difference that it is attached to an arbitrary instruction in the kernel, rather than to a function\cite{kprobe_manual}. It does not require that kernel developers specifically mark a function to be probed, but rather kprobes can be attached to any instruction, with a short list of blacklisted exceptions.
As it happened with tracepoints, the probed functions have access to the parameters received by the function at which the instructions is attached to. Also, the kernel maintains a list of kernel symbols (addresses) which are relevant for tracing and that offer us insight into which functions we can probe. It can be visited under the file \textit{/proc/kallsyms}, which exports symbols of kernel functions and loaded kernel modules\cite{kallsyms_kernel}.
Also similarly, since tracepoints could be found in their \textit{enter} and \textit{exit} variations, kprobes have their counterpart, name kretprobes, which call the hooked probe once a return instruction is reached after the hooked symbol. This means that a kretprobe hooked to a kernel function will call the probe function once it exits.
In eBPF, a program can issue a bpf() syscall with the command BPF\_PROG\_LOAD and the program type BPF\_PROG\_TYPE\_KPROBE, specifying which is the function with the kprobe to attach to and an arbitrary function probe to call when it is hit. This function probe is defined by the user in the eBPF program submitted to the kernel.
\subsection{Uprobes}
Uprobes is the last of the main tracing technologies which has been become accessible to eBPF programs. They are the counterparts of Kprobes, allowing for tracing the execution of an specific instruction in the user space, instead of in the kernel. When the exeuction flow reaches a hooked instruction, a probe function is run.
Similarly to kprobes, uprobes have access to the parameters received by the hooked function. Also, the complementary uretprobes also exist, running the probe function once the hooked function returns.
In eBPF, programs can issue a bpf() syscall with the command BPF\_PROG\_LOAD and the program type BPF\_PROG\_TYPE\_UPROBE, specifying the function with the uprobe to attach to and an arbitrary function probe to call when it is hit. This function probe is also defined by the user in the eBPF program submitted to the kernel.
% Is this the best title? % Is this the best title?
\section{Developing eBPF programs} \section{Developing eBPF programs}
In the previous sections, we discussed the overall architecture of the eBPF system which is now an integral part of the Linux kernel. We also studied the process which a piece of eBPF bytecode follows in order to be accepted in the kernel. However, for an eBPF developer, programming bytecode is not an easy task, therefore an additional layer of abstraction was needed. In section \ref{section:modern_ebpf}, we discussed the overall architecture of the eBPF system which is now an integral part of the Linux kernel. We also studied the process which a piece of eBPF bytecode follows in order to be accepted in the kernel. However, for an eBPF developer, programming bytecode and working with bpf() calls natively is not an easy task, therefore an additional layer of abstraction was needed.
Nowadays, there exist multiple popular alternatives for writing eBPF programs. We will overview which they are and proceed to analyse in further detail the option that we will use for the development of our rootkit. Nowadays, there exist multiple popular alternatives for writing and running eBPF programs. We will overview which they are and proceed to analyse in further detail the option that we will use for the development of our rootkit.
%TODO Continue, I decided to keep this separate for now
\subsection{BCC}
BPF Compiler Collection (BCC) is one of the first and well-known toolkits for eBPF programming available\cite{bcc_github}. It allows to include eBPF code into user programs. These programs are developed in python, and the eBPF code is embedded as a plain string. An example of a BCC program is included in %TODO ANNEX???
Although BCC offers a wide range of tools to easy the development of eBPF programs, we found it not to be the most appropriate for our large-scale eBPF project. This was in particular due to the feature of eBPF programs being stored as a python string, which leads to difficult scalability, poor development experience given that programming errors are detected at runtime (once the python program issues the compilation of the string), and simply better features from competing libraries.
\subsection{Bpftool}
bpftool is not a development framework like BCC, but one of the most relevant tools for eBPF program development. Some of its functionalities include:
\begin{itemize}
\item Loading eBPF programs.
\item List running eBPF programs.
\item Dumping bytecode from live eBPF programs.
\item Extract program statistics and data from programs.
\item List and operate over eBPF maps.
\end{itemize}
Although we will not be covering bpftool during our overview on the constructed eBPF rootkit, it was used extensively during the development and became a key tool for debugging eBPF programs, particularly to peek data at eBPF maps during runtime.
\subsection{Libbpf}
libbpf is a library for loading and interacting with eBPF programs.
%TALK ABOUT LLVM

22
docs/document.toc
View File

@@ -51,13 +51,25 @@
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.3.2}Traffic Control}{20}{subsection.2.3.2}% \contentsline {subsection}{\numberline {2.3.2}Traffic Control}{20}{subsection.2.3.2}%
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {2.4}Developing eBPF programs}{21}{section.2.4}% \contentsline {subsection}{\numberline {2.3.3}Tracepoints}{21}{subsection.2.3.3}%
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {3}Methods??}{22}{chapter.3}% \contentsline {subsection}{\numberline {2.3.4}Kprobes}{22}{subsection.2.3.4}%
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {4}Results}{23}{chapter.4}% \contentsline {subsection}{\numberline {2.3.5}Uprobes}{22}{subsection.2.3.5}%
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Conclusion and future work}{24}{chapter.5}% \contentsline {section}{\numberline {2.4}Developing eBPF programs}{23}{section.2.4}%
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{25}{chapter.5}% \contentsline {subsection}{\numberline {2.4.1}BCC}{23}{subsection.2.4.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.4.2}Bpftool}{23}{subsection.2.4.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.4.3}Libbpf}{24}{subsection.2.4.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {3}Methods??}{25}{chapter.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {4}Results}{26}{chapter.4}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Conclusion and future work}{27}{chapter.5}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{28}{chapter.5}%
\contentsfinish \contentsfinish

8
docs/pdfa.xmpi
View File

@@ -73,15 +73,15 @@
</rdf:Description> </rdf:Description>
<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/">
<xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool> <xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool>
<xmp:ModifyDate>2022-05-26T21:44:53-04:00</xmp:ModifyDate> <xmp:ModifyDate>2022-05-27T20:55:19-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-05-26T21:44:53-04:00</xmp:CreateDate> <xmp:CreateDate>2022-05-27T20:55:19-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-05-26T21:44:53-04:00</xmp:MetadataDate> <xmp:MetadataDate>2022-05-27T20:55:19-04:00</xmp:MetadataDate>
</rdf:Description> </rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/"> <rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/">
</rdf:Description> </rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/">
<xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID> <xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID>
<xmpMM:InstanceID>uuid:391EE317-632F-F294-EDDB-9501854E37E5</xmpMM:InstanceID> <xmpMM:InstanceID>uuid:CC8B3B7C-9432-4546-CAC0-7B6658EFD634</xmpMM:InstanceID>
</rdf:Description> </rdf:Description>
</rdf:RDF> </rdf:RDF>
</x:xmpmeta> </x:xmpmeta>