Finished buffer overflow subsection

docs/document.aux

@@ -351,22 +351,23 @@
 \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.4}{\ignorespaces Virtual memory architecture of a process\cite {mem_arch_proc}.\relax }}{39}{figure.caption.37}\protected@file@percent }
 \newlabel{fig:mem_proc_arch}{{3.4}{39}{Virtual memory architecture of a process\cite {mem_arch_proc}.\relax }{figure.caption.37}{}}
 \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.3}The process stack}{40}{subsection.3.3.3}\protected@file@percent }
+\newlabel{subsection:stack}{{3.3.3}{40}{The process stack}{subsection.3.3.3}{}}
 \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.5}{\ignorespaces Simplified stack representation showing only stack frames.\relax }}{40}{figure.caption.38}\protected@file@percent }
 \newlabel{fig:stack_pres}{{3.5}{40}{Simplified stack representation showing only stack frames.\relax }{figure.caption.38}{}}
 \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.5}{\ignorespaces Relevant registers in x86\_64 for the stack and control flow and their purpose.\relax }}{40}{table.caption.39}\protected@file@percent }
 \newlabel{table:systemv_abi_other}{{3.5}{40}{Relevant registers in x86\_64 for the stack and control flow and their purpose.\relax }{table.caption.39}{}}
-\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.6}{\ignorespaces Representation of push and pop operations in the stack.\relax }}{41}{figure.caption.40}\protected@file@percent }
-\newlabel{fig:stack_ops}{{3.6}{41}{Representation of push and pop operations in the stack.\relax }{figure.caption.40}{}}
-\abx@aux@cite{8664_params_abi_p18}
-\abx@aux@segm{0}{0}{8664_params_abi_p18}
+\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.6}{\ignorespaces Representation of push and pop operations in the stack.\relax }}{42}{figure.caption.40}\protected@file@percent }
+\newlabel{fig:stack_ops}{{3.6}{42}{Representation of push and pop operations in the stack.\relax }{figure.caption.40}{}}
 \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.7}{\ignorespaces Stack representation right before starting the function call process.\relax }}{42}{figure.caption.41}\protected@file@percent }
 \newlabel{fig:stack_before}{{3.7}{42}{Stack representation right before starting the function call process.\relax }{figure.caption.41}{}}
-\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.8}{\ignorespaces Stack representation right after the function preamble.\relax }}{42}{figure.caption.42}\protected@file@percent }
-\newlabel{fig:stack}{{3.8}{42}{Stack representation right after the function preamble.\relax }{figure.caption.42}{}}
+\abx@aux@cite{8664_params_abi_p18}
+\abx@aux@segm{0}{0}{8664_params_abi_p18}
+\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.8}{\ignorespaces Stack representation right after the function preamble.\relax }}{43}{figure.caption.42}\protected@file@percent }
+\newlabel{fig:stack}{{3.8}{43}{Stack representation right after the function preamble.\relax }{figure.caption.42}{}}
 \abx@aux@cite{write_helper_non_fault}
 \abx@aux@segm{0}{0}{write_helper_non_fault}
-\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.4}Attacks and limitations of bpf\_probe\_write\_user()}{43}{subsection.3.3.4}\protected@file@percent }
-\newlabel{subsection:bpf_probe_write_apps}{{3.3.4}{43}{Attacks and limitations of bpf\_probe\_write\_user()}{subsection.3.3.4}{}}
+\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.4}Attacks and limitations of bpf\_probe\_write\_user()}{44}{subsection.3.3.4}\protected@file@percent }
+\newlabel{subsection:bpf_probe_write_apps}{{3.3.4}{44}{Attacks and limitations of bpf\_probe\_write\_user()}{subsection.3.3.4}{}}
 \abx@aux@cite{code_vfs_read}
 \abx@aux@segm{0}{0}{code_vfs_read}
 \abx@aux@cite{code_vfs_read}
@@ -375,28 +376,28 @@
 \abx@aux@segm{0}{0}{evil_ebpf_p6974}
 \abx@aux@cite{8664_params_abi_p1922}
 \abx@aux@segm{0}{0}{8664_params_abi_p1922}
-\newlabel{code:vfs_read}{{3.9}{44}{Definition of kernel function vfs\_read. \cite {code_vfs_read}}{lstlisting.3.9}{}}
-\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.9}Definition of kernel function vfs\_read. \cite {code_vfs_read}}{44}{lstlisting.3.9}\protected@file@percent }
-\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.9}{\ignorespaces Overview of stack scanning and writing technique.\relax }}{45}{figure.caption.43}\protected@file@percent }
-\newlabel{fig:stack_scan_write_tech}{{3.9}{45}{Overview of stack scanning and writing technique.\relax }{figure.caption.43}{}}
-\newlabel{code:stack_scan_write_tech}{{3.10}{45}{Sample program being executed on figure \ref {fig:stack_scan_write_tech}}{lstlisting.3.10}{}}
-\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.10}Sample program being executed on figure \ref  {fig:stack_scan_write_tech}.}{45}{lstlisting.3.10}\protected@file@percent }
-\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.5}Conclusion}{46}{subsection.3.3.5}\protected@file@percent }
-\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.4}Abusing networking programs}{46}{section.3.4}\protected@file@percent }
-\newlabel{section:abusing_networking}{{3.4}{46}{Abusing networking programs}{section.3.4}{}}
-\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.1}An overview on the network layer}{47}{subsection.3.4.1}\protected@file@percent }
+\newlabel{code:vfs_read}{{3.9}{45}{Definition of kernel function vfs\_read. \cite {code_vfs_read}}{lstlisting.3.9}{}}
+\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.9}Definition of kernel function vfs\_read. \cite {code_vfs_read}}{45}{lstlisting.3.9}\protected@file@percent }
+\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.9}{\ignorespaces Overview of stack scanning and writing technique.\relax }}{46}{figure.caption.43}\protected@file@percent }
+\newlabel{fig:stack_scan_write_tech}{{3.9}{46}{Overview of stack scanning and writing technique.\relax }{figure.caption.43}{}}
+\newlabel{code:stack_scan_write_tech}{{3.10}{46}{Sample program being executed on figure \ref {fig:stack_scan_write_tech}}{lstlisting.3.10}{}}
+\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.10}Sample program being executed on figure \ref  {fig:stack_scan_write_tech}.}{46}{lstlisting.3.10}\protected@file@percent }
+\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.5}Conclusion}{47}{subsection.3.3.5}\protected@file@percent }
+\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.4}Abusing networking programs}{47}{section.3.4}\protected@file@percent }
+\newlabel{section:abusing_networking}{{3.4}{47}{Abusing networking programs}{section.3.4}{}}
 \abx@aux@cite{network_layers}
 \abx@aux@segm{0}{0}{network_layers}
+\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.1}An overview on the network layer}{48}{subsection.3.4.1}\protected@file@percent }
 \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.10}{\ignorespaces Ethernet frame with TCP/IP packet.\relax }}{48}{figure.caption.44}\protected@file@percent }
 \newlabel{fig:frame}{{3.10}{48}{Ethernet frame with TCP/IP packet.\relax }{figure.caption.44}{}}
 \abx@aux@cite{tcp_reliable}
 \abx@aux@segm{0}{0}{tcp_reliable}
-\abx@aux@cite{tcp_handshake}
-\abx@aux@segm{0}{0}{tcp_handshake}
 \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.2}Introduction to the TCP protocol}{49}{subsection.3.4.2}\protected@file@percent }
 \newlabel{subsection:tcp}{{3.4.2}{49}{Introduction to the TCP protocol}{subsection.3.4.2}{}}
-\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.6}{\ignorespaces Relevant TCP flags and their purpose.\relax }}{49}{table.caption.45}\protected@file@percent }
-\newlabel{table:tcp_flags}{{3.6}{49}{Relevant TCP flags and their purpose.\relax }{table.caption.45}{}}
+\abx@aux@cite{tcp_handshake}
+\abx@aux@segm{0}{0}{tcp_handshake}
+\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.6}{\ignorespaces Relevant TCP flags and their purpose.\relax }}{50}{table.caption.45}\protected@file@percent }
+\newlabel{table:tcp_flags}{{3.6}{50}{Relevant TCP flags and their purpose.\relax }{table.caption.45}{}}
 \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.11}{\ignorespaces TCP 3-way handshake.\relax }}{50}{figure.caption.46}\protected@file@percent }
 \newlabel{fig:tcp_conn}{{3.11}{50}{TCP 3-way handshake.\relax }{figure.caption.46}{}}
 \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.12}{\ignorespaces TCP packet retransmission on timeout.\relax }}{51}{figure.caption.47}\protected@file@percent }
@@ -404,20 +405,30 @@
 \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.3}Attacks and limitations of networking programs}{51}{subsection.3.4.3}\protected@file@percent }
 \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.13}{\ignorespaces Technique to duplicate a packet for exfiltrating data.\relax }}{53}{figure.caption.48}\protected@file@percent }
 \newlabel{fig:tcp_exfiltrate_retrans}{{3.13}{53}{Technique to duplicate a packet for exfiltrating data.\relax }{figure.caption.48}{}}
-\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.4}Conclusion}{53}{subsection.3.4.4}\protected@file@percent }
+\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.4}Conclusion}{54}{subsection.3.4.4}\protected@file@percent }
+\abx@aux@cite{evil_ebpf_p6974}
+\abx@aux@segm{0}{0}{evil_ebpf_p6974}
 \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Design of a malicious eBPF rootkit}{55}{chapter.4}\protected@file@percent }
 \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
 \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
 \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.1}Library injection via .GOT hijacking}{55}{section.4.1}\protected@file@percent }
-\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.1}Introduction to attacks in the stack}{56}{subsection.4.1.1}\protected@file@percent }
-\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Results}{57}{chapter.5}\protected@file@percent }
+\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.1}Attacks at the stack: buffer overflow}{56}{subsection.4.1.1}\protected@file@percent }
+\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.1}{\ignorespaces Execution hijack overwriting saved rip value.\relax }}{57}{figure.caption.49}\protected@file@percent }
+\newlabel{fig:stack_ret_hij_simple}{{4.1}{57}{Execution hijack overwriting saved rip value.\relax }{figure.caption.49}{}}
+\newlabel{code:vuln_overflow}{{4.1}{57}{Program vulnerable to buffer overflow}{lstlisting.4.1}{}}
+\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {4.1}Program vulnerable to buffer overflow.}{57}{lstlisting.4.1}\protected@file@percent }
+\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.2}{\ignorespaces Stack buffer overflow overwriting ret value.\relax }}{58}{figure.caption.50}\protected@file@percent }
+\newlabel{fig:buffer_overflow}{{4.2}{58}{Stack buffer overflow overwriting ret value.\relax }{figure.caption.50}{}}
+\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.3}{\ignorespaces Executing arbitrary code exploiting a buffer overflow vulnerability.\relax }}{59}{figure.caption.51}\protected@file@percent }
+\newlabel{fig:buffer_overflow_shellcode}{{4.3}{59}{Executing arbitrary code exploiting a buffer overflow vulnerability.\relax }{figure.caption.51}{}}
+\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Results}{60}{chapter.5}\protected@file@percent }
 \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
 \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
-\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Conclusion and future work}{58}{chapter.6}\protected@file@percent }
+\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Conclusion and future work}{61}{chapter.6}\protected@file@percent }
 \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
 \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
-\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{59}{chapter.6}\protected@file@percent }
-\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.50}{}}
+\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{62}{chapter.6}\protected@file@percent }
+\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.53}{}}
 \abx@aux@read@bbl@mdfivesum{77A5019A60516627679C213125A49687}
 \abx@aux@refcontextdefaultsdone
 \abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
@@ -498,4 +509,4 @@
 \abx@aux@defaultrefcontext{0}{tcp_reliable}{none/global//global/global}
 \abx@aux@defaultrefcontext{0}{tcp_handshake}{none/global//global/global}
 \ttl@finishall
-\gdef \@abspage@last{83}
+\gdef \@abspage@last{86}

docs/document.bcf

@@ -2446,6 +2446,7 @@
     <bcf:citekey order="109">network_layers</bcf:citekey>
     <bcf:citekey order="110">tcp_reliable</bcf:citekey>
     <bcf:citekey order="111">tcp_handshake</bcf:citekey>
+    <bcf:citekey order="112">evil_ebpf_p6974</bcf:citekey>
   </bcf:section>
   <!-- SORTING TEMPLATES -->
   <bcf:sortingtemplate name="none">

docs/document.lof

@@ -35,13 +35,13 @@
 \defcounter {refsection}{0}\relax 
 \contentsline {figure}{\numberline {3.5}{\ignorespaces Simplified stack representation showing only stack frames.\relax }}{40}{figure.caption.38}%
 \defcounter {refsection}{0}\relax 
-\contentsline {figure}{\numberline {3.6}{\ignorespaces Representation of push and pop operations in the stack.\relax }}{41}{figure.caption.40}%
+\contentsline {figure}{\numberline {3.6}{\ignorespaces Representation of push and pop operations in the stack.\relax }}{42}{figure.caption.40}%
 \defcounter {refsection}{0}\relax 
 \contentsline {figure}{\numberline {3.7}{\ignorespaces Stack representation right before starting the function call process.\relax }}{42}{figure.caption.41}%
 \defcounter {refsection}{0}\relax 
-\contentsline {figure}{\numberline {3.8}{\ignorespaces Stack representation right after the function preamble.\relax }}{42}{figure.caption.42}%
+\contentsline {figure}{\numberline {3.8}{\ignorespaces Stack representation right after the function preamble.\relax }}{43}{figure.caption.42}%
 \defcounter {refsection}{0}\relax 
-\contentsline {figure}{\numberline {3.9}{\ignorespaces Overview of stack scanning and writing technique.\relax }}{45}{figure.caption.43}%
+\contentsline {figure}{\numberline {3.9}{\ignorespaces Overview of stack scanning and writing technique.\relax }}{46}{figure.caption.43}%
 \defcounter {refsection}{0}\relax 
 \contentsline {figure}{\numberline {3.10}{\ignorespaces Ethernet frame with TCP/IP packet.\relax }}{48}{figure.caption.44}%
 \defcounter {refsection}{0}\relax 
@@ -53,6 +53,12 @@
 \defcounter {refsection}{0}\relax 
 \addvspace {10\p@ }
 \defcounter {refsection}{0}\relax 
+\contentsline {figure}{\numberline {4.1}{\ignorespaces Execution hijack overwriting saved rip value.\relax }}{57}{figure.caption.49}%
+\defcounter {refsection}{0}\relax 
+\contentsline {figure}{\numberline {4.2}{\ignorespaces Stack buffer overflow overwriting ret value.\relax }}{58}{figure.caption.50}%
+\defcounter {refsection}{0}\relax 
+\contentsline {figure}{\numberline {4.3}{\ignorespaces Executing arbitrary code exploiting a buffer overflow vulnerability.\relax }}{59}{figure.caption.51}%
+\defcounter {refsection}{0}\relax 
 \addvspace {10\p@ }
 \defcounter {refsection}{0}\relax 
 \addvspace {10\p@ }

docs/document.log

@@ -1,4 +1,4 @@
-This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27)  6 JUN 2022 21:52
+This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27)  7 JUN 2022 12:45
 entering extended mode
  restricted \write18 enabled.
  %&-line parsing enabled.
@@ -1180,13 +1180,13 @@ LaTeX Font Info:    Trying to load font information for U+txsyc on input line 8
 
 (/usr/share/texlive/texmf-dist/tex/latex/txfonts/utxsyc.fd
 File: utxsyc.fd 2000/12/15 v3.1
-))
+) [10
+
+])
 \tf@lof=\write7
 \openout7 = `document.lof'.
 
- [10
-
-] [11] [12]
+ [11] [12]
 (./document.lot [13
 
 ])
@@ -1211,72 +1211,72 @@ Overfull \hbox (0.50073pt too wide) in paragraph at lines 355--356
 [3] [4]
 Chapter 2.
 
-LaTeX Warning: Reference `section:TODO' on page 5 undefined on input line 412.
+LaTeX Warning: Reference `section:TODO' on page 5 undefined on input line 413.
 
-<images//classic_bpf.jpg, id=616, 588.1975pt x 432.61626pt>
+<images//classic_bpf.jpg, id=622, 588.1975pt x 432.61626pt>
 File: images//classic_bpf.jpg Graphic file (type jpg)
 <use images//classic_bpf.jpg>
-Package pdftex.def Info: images//classic_bpf.jpg  used on input line 426.
+Package pdftex.def Info: images//classic_bpf.jpg  used on input line 427.
 (pdftex.def)             Requested size: 341.43306pt x 251.12224pt.
 [5
 
 ] [6 <./images//classic_bpf.jpg>]
-<images//cbpf_prog.jpg, id=634, 403.5075pt x 451.6875pt>
+<images//cbpf_prog.jpg, id=640, 403.5075pt x 451.6875pt>
 File: images//cbpf_prog.jpg Graphic file (type jpg)
 <use images//cbpf_prog.jpg>
-Package pdftex.def Info: images//cbpf_prog.jpg  used on input line 453.
+Package pdftex.def Info: images//cbpf_prog.jpg  used on input line 454.
 (pdftex.def)             Requested size: 227.62204pt x 254.80415pt.
  [7 <./images/cBPF_prog.jpg>]
-<images//bpf_instructions.png, id=644, 380.92313pt x 475.27562pt>
+<images//bpf_instructions.png, id=650, 380.92313pt x 475.27562pt>
 File: images//bpf_instructions.png Graphic file (type png)
 <use images//bpf_instructions.png>
-Package pdftex.def Info: images//bpf_instructions.png  used on input line 493.
+Package pdftex.def Info: images//bpf_instructions.png  used on input line 494.
 (pdftex.def)             Requested size: 227.62204pt x 283.99998pt.
  [8 <./images//bpf_instructions.png>]
-<images//bpf_address_mode.png, id=655, 417.05812pt x 313.67188pt>
+<images//bpf_address_mode.png, id=661, 417.05812pt x 313.67188pt>
 File: images//bpf_address_mode.png Graphic file (type png)
 <use images//bpf_address_mode.png>
-Package pdftex.def Info: images//bpf_address_mode.png  used on input line 509.
+Package pdftex.def Info: images//bpf_address_mode.png  used on input line 510.
 (pdftex.def)             Requested size: 227.62204pt x 171.19905pt.
  [9 <./images//bpf_address_mode.png>]
-<images//tcpdump_example.png, id=667, 534.99875pt x 454.69875pt>
+<images//tcpdump_example.png, id=673, 534.99875pt x 454.69875pt>
 File: images//tcpdump_example.png Graphic file (type png)
 <use images//tcpdump_example.png>
-Package pdftex.def Info: images//tcpdump_example.png  used on input line 524.
+Package pdftex.def Info: images//tcpdump_example.png  used on input line 525.
 (pdftex.def)             Requested size: 284.52756pt x 241.82869pt.
-<images//cBPF_prog_ex_sol.png, id=670, 242.9075pt x 321.2pt>
+<images//cBPF_prog_ex_sol.png, id=676, 242.9075pt x 321.2pt>
 File: images//cBPF_prog_ex_sol.png Graphic file (type png)
 <use images//cBPF_prog_ex_sol.png>
-Package pdftex.def Info: images//cBPF_prog_ex_sol.png  used on input line 535.
+Package pdftex.def Info: images//cBPF_prog_ex_sol.png  used on input line 536.
 (pdftex.def)             Requested size: 170.71652pt x 225.74026pt.
  [10 <./images//tcpdump_example.png>] [11 <./images//cBPF_prog_ex_sol.png>]
-<images//ebpf_arch.jpg, id=688, 739.76375pt x 472.76625pt>
+<images//ebpf_arch.jpg, id=694, 739.76375pt x 472.76625pt>
 File: images//ebpf_arch.jpg Graphic file (type jpg)
 <use images//ebpf_arch.jpg>
-Package pdftex.def Info: images//ebpf_arch.jpg  used on input line 574.
+Package pdftex.def Info: images//ebpf_arch.jpg  used on input line 575.
 (pdftex.def)             Requested size: 426.79134pt x 272.75464pt.
  [12 <./images//ebpf_arch.jpg>]
-Overfull \hbox (3.10062pt too wide) in paragraph at lines 601--618
+Overfull \hbox (3.10062pt too wide) in paragraph at lines 602--619
  [][] 
  []
 
 [13]
-Overfull \hbox (17.02478pt too wide) in paragraph at lines 627--628
+Overfull \hbox (17.02478pt too wide) in paragraph at lines 628--629
 []\T1/txr/m/n/12 Therefore, when us-ing JIT com-pil-ing (a set-ting de-fined by
  the vari-able \T1/txr/m/it/12 bpf_jit_enable\T1/txr/m/n/12 [[][]30[][]],
  []
 
 [14]
-Overfull \hbox (56.55217pt too wide) in paragraph at lines 678--689
+Overfull \hbox (56.55217pt too wide) in paragraph at lines 679--690
  [][] 
  []
 
 
 LaTeX Warning: Reference `table:ebpf_maps' on page 15 undefined on input line 6
-93.
+94.
 
 
-Overfull \hbox (11.26865pt too wide) in paragraph at lines 693--694
+Overfull \hbox (11.26865pt too wide) in paragraph at lines 694--695
 \T1/txr/m/n/12 de-vel-op-ment of our rootkit, we will mainly fo-cus on hash map
 s (BPF_MAP_TYPE_HASH),
  []
@@ -1284,67 +1284,67 @@ s (BPF_MAP_TYPE_HASH),
 [15]
 
 LaTeX Warning: Reference `table:bpf_syscall' on page 16 undefined on input line
- 703.
+ 704.
 
 
-Overfull \hbox (42.01218pt too wide) in paragraph at lines 706--722
+Overfull \hbox (42.01218pt too wide) in paragraph at lines 707--723
  [][] 
  []
 
 [16]
 
-LaTeX Warning: Reference `section:TODO' on page 17 undefined on input line 749.
+LaTeX Warning: Reference `section:TODO' on page 17 undefined on input line 750.
 
 
 
-Overfull \hbox (13.5802pt too wide) in paragraph at lines 759--789
+Overfull \hbox (13.5802pt too wide) in paragraph at lines 760--790
  [][] 
  []
 
 [17]
-<images//xdp_diag.jpg, id=768, 649.42625pt x 472.76625pt>
+<images//xdp_diag.jpg, id=774, 649.42625pt x 472.76625pt>
 File: images//xdp_diag.jpg Graphic file (type jpg)
 <use images//xdp_diag.jpg>
-Package pdftex.def Info: images//xdp_diag.jpg  used on input line 805.
+Package pdftex.def Info: images//xdp_diag.jpg  used on input line 806.
 (pdftex.def)             Requested size: 426.79134pt x 310.69934pt.
  [18] [19 <./images//xdp_diag.jpg>]
-Overfull \hbox (5.80417pt too wide) in paragraph at lines 868--880
+Overfull \hbox (5.80417pt too wide) in paragraph at lines 869--881
  [][] 
  []
 
 [20] [21] [22] [23]
-<images//libbpf_prog.jpg, id=827, 543.02875pt x 502.87875pt>
+<images//libbpf_prog.jpg, id=833, 543.02875pt x 502.87875pt>
 File: images//libbpf_prog.jpg Graphic file (type jpg)
 <use images//libbpf_prog.jpg>
-Package pdftex.def Info: images//libbpf_prog.jpg  used on input line 978.
+Package pdftex.def Info: images//libbpf_prog.jpg  used on input line 979.
 (pdftex.def)             Requested size: 341.43306pt x 316.20142pt.
  [24]
 
-LaTeX Warning: Reference `TODO' on page 25 undefined on input line 1006.
+LaTeX Warning: Reference `TODO' on page 25 undefined on input line 1007.
 
 [25 <./images//libbpf_prog.jpg>] [26]
 Chapter 3.
 
-Overfull \hbox (15.27466pt too wide) in paragraph at lines 1029--1057
+Overfull \hbox (15.27466pt too wide) in paragraph at lines 1030--1058
  [][] 
  []
 
 [27
 
 ]
-Overfull \hbox (144.2746pt too wide) in paragraph at lines 1069--1070
+Overfull \hbox (144.2746pt too wide) in paragraph at lines 1070--1071
 []\T1/txr/bx/n/12 Unprivileged users \T1/txr/m/n/12 can only load and at-tach e
 BPF pro-grams of type BPF_PROG_TYPE_SOCKET_FILTER[[][]53[][]],
  []
 
 [28]
-Overfull \hbox (33.33205pt too wide) in paragraph at lines 1095--1096
+Overfull \hbox (33.33205pt too wide) in paragraph at lines 1096--1097
 []\T1/txr/m/n/12 Therefore, eBPF net-work pro-grams usu-ally re-quire both CAP_
 BPF and CAP_NET_ADMIN,
  []
 
 [29]
-Overfull \hbox (18.75664pt too wide) in paragraph at lines 1125--1126
+Overfull \hbox (18.75664pt too wide) in paragraph at lines 1126--1127
 \T1/txr/m/n/12 can also ex-plore all the avail-able maps in the sys-tem by us-i
 ng the BPF_MAP_GET_NEXT_ID
  []
@@ -1356,19 +1356,19 @@ File: lstlang1.sty 2020/03/24 1.8d listings language file
 File: lstmisc.sty 2020/03/24 1.8d (Carsten Heinz)
 )
 Package hyperref Info: bookmark level for unknown lstlisting defaults to 0 on i
-nput line 1141.
+nput line 1142.
  [30]
 LaTeX Font Info:    Trying to load font information for T1+txtt on input line 1
-141.
+142.
 
 (/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txtt.fd
 File: t1txtt.fd 2000/12/15 v3.1
 )
 LaTeX Font Info:    Font shape `T1/txtt/b/n' in size <10> not available
-(Font)              Font shape `T1/txtt/bx/n' tried instead on input line 1143.
+(Font)              Font shape `T1/txtt/bx/n' tried instead on input line 1144.
 
  [31] [32]
-Overfull \hbox (55.2727pt too wide) in paragraph at lines 1285--1286
+Overfull \hbox (55.2727pt too wide) in paragraph at lines 1286--1287
 \T1/txr/m/n/12 As we in-tro-duced in the pre-vi-ous sub-sec-tion, the bpf_probe
 _read_user() and bpf_probe_read_kernel()
  []
@@ -1376,253 +1376,283 @@ _read_user() and bpf_probe_read_kernel()
 [33]
 
 LaTeX Warning: Reference `subsection_bpf_probe_write_apps' on page 34 undefined
- on input line 1289.
+ on input line 1290.
 
 
-Overfull \hbox (47.97661pt too wide) in paragraph at lines 1294--1295
+Overfull \hbox (47.97661pt too wide) in paragraph at lines 1295--1296
 \T1/txr/m/n/12 helper. It will only work if the ker-nel was com-piled with the 
 CON-FIG_BPF_KPROBE_OVERRIDE
  []
 
 [34]
-Overfull \hbox (62.0767pt too wide) in paragraph at lines 1336--1337
+Overfull \hbox (62.0767pt too wide) in paragraph at lines 1337--1338
 \T1/txr/m/n/12 the bounds of func-tion pa-ram-e-ters via the helpers bpf_probe_
 read_user() and bpf_probe_read_kernel().
  []
 
 [35]
-<images//mem_arch_pages.jpg, id=1010, 593.21625pt x 434.62375pt>
+<images//mem_arch_pages.jpg, id=1016, 593.21625pt x 434.62375pt>
 File: images//mem_arch_pages.jpg Graphic file (type jpg)
 <use images//mem_arch_pages.jpg>
-Package pdftex.def Info: images//mem_arch_pages.jpg  used on input line 1349.
+Package pdftex.def Info: images//mem_arch_pages.jpg  used on input line 1350.
 (pdftex.def)             Requested size: 369.88582pt x 271.00914pt.
  [36]
-<images//mem_major_page_fault.jpg, id=1018, 639.38875pt x 425.59pt>
+<images//mem_major_page_fault.jpg, id=1024, 639.38875pt x 425.59pt>
 File: images//mem_major_page_fault.jpg Graphic file (type jpg)
 <use images//mem_major_page_fault.jpg>
 Package pdftex.def Info: images//mem_major_page_fault.jpg  used on input line 1
-359.
+360.
 (pdftex.def)             Requested size: 312.9803pt x 208.32661pt.
  [37 <./images//mem_arch_pages.jpg>]
-<images//mem_minor_page_fault.jpg, id=1025, 654.445pt x 555.07375pt>
+<images//mem_minor_page_fault.jpg, id=1031, 654.445pt x 555.07375pt>
 File: images//mem_minor_page_fault.jpg Graphic file (type jpg)
 <use images//mem_minor_page_fault.jpg>
 Package pdftex.def Info: images//mem_minor_page_fault.jpg  used on input line 1
-367.
+368.
 (pdftex.def)             Requested size: 312.9803pt x 265.45834pt.
-<images//memory.jpg, id=1026, 310.15875pt x 519.9425pt>
+<images//memory.jpg, id=1032, 310.15875pt x 569.12625pt>
 File: images//memory.jpg Graphic file (type jpg)
 <use images//memory.jpg>
-Package pdftex.def Info: images//memory.jpg  used on input line 1378.
-(pdftex.def)             Requested size: 170.71652pt x 286.18347pt.
+Package pdftex.def Info: images//memory.jpg  used on input line 1379.
+(pdftex.def)             Requested size: 170.71652pt x 313.25488pt.
  [38 <./images//mem_major_page_fault.jpg> <./images//mem_minor_page_fault.jpg>]
  [39 <./images//memory.jpg>]
-<images//stack_pres.jpg, id=1040, 707.64375pt x 283.0575pt>
+<images//stack_pres.jpg, id=1046, 707.64375pt x 283.0575pt>
 File: images//stack_pres.jpg Graphic file (type jpg)
 <use images//stack_pres.jpg>
-Package pdftex.def Info: images//stack_pres.jpg  used on input line 1401.
+Package pdftex.def Info: images//stack_pres.jpg  used on input line 1403.
 (pdftex.def)             Requested size: 398.33858pt x 159.33606pt.
 
 [40 <./images//stack_pres.jpg>]
-<images//stack_ops.jpg, id=1049, 524.96124pt x 694.595pt>
+<images//stack_ops.jpg, id=1055, 524.96124pt x 694.595pt>
 File: images//stack_ops.jpg Graphic file (type jpg)
 <use images//stack_ops.jpg>
-Package pdftex.def Info: images//stack_ops.jpg  used on input line 1435.
+Package pdftex.def Info: images//stack_ops.jpg  used on input line 1437.
 (pdftex.def)             Requested size: 284.52756pt x 376.47473pt.
-<images//stack_before.jpg, id=1050, 712.6625pt x 315.1775pt>
+ [41]
+<images//stack_before.jpg, id=1060, 712.6625pt x 315.1775pt>
 File: images//stack_before.jpg Graphic file (type jpg)
 <use images//stack_before.jpg>
-Package pdftex.def Info: images//stack_before.jpg  used on input line 1446.
+Package pdftex.def Info: images//stack_before.jpg  used on input line 1448.
 (pdftex.def)             Requested size: 398.33858pt x 176.16635pt.
- [41 <./images//stack_ops.jpg>]
-<images//stack.jpg, id=1055, 707.64375pt x 381.425pt>
+<images//stack.jpg, id=1061, 707.64375pt x 381.425pt>
 File: images//stack.jpg Graphic file (type jpg)
 <use images//stack.jpg>
-Package pdftex.def Info: images//stack.jpg  used on input line 1453.
+Package pdftex.def Info: images//stack.jpg  used on input line 1455.
 (pdftex.def)             Requested size: 398.33858pt x 214.70816pt.
- [42 <./images//stack_before.jpg> <./images//stack.jpg>] [43]
-Overfull \hbox (3.09538pt too wide) in paragraph at lines 1497--1498
+ [42 <./images//stack_ops.jpg> <./images//stack_before.jpg>] [43 <./images//sta
+ck.jpg>] [44]
+Overfull \hbox (3.09538pt too wide) in paragraph at lines 1499--1500
 \T1/txr/m/n/12 trac-ing pro-grams can read any user mem-ory lo-ca-tion with the
  bpf_probe_read_user()
  []
 
-[44]
-<images//stack_scan_write_tech.jpg, id=1101, 829.0975pt x 315.1775pt>
+<images//stack_scan_write_tech.jpg, id=1100, 829.0975pt x 315.1775pt>
 File: images//stack_scan_write_tech.jpg Graphic file (type jpg)
 <use images//stack_scan_write_tech.jpg>
 Package pdftex.def Info: images//stack_scan_write_tech.jpg  used on input line 
-1513.
+1515.
 (pdftex.def)             Requested size: 455.24408pt x 173.0548pt.
 
-Overfull \hbox (28.45273pt too wide) in paragraph at lines 1513--1514
+Overfull \hbox (28.45273pt too wide) in paragraph at lines 1515--1516
  [][] 
  []
 
+[45]
 
-LaTeX Warning: Reference `TODO' on page 45 undefined on input line 1535.
+LaTeX Warning: Reference `TODO' on page 46 undefined on input line 1537.
 
-[45 <./images//stack_scan_write_tech.jpg>] [46]
-<images//frame.jpg, id=1137, 695.59875pt x 705.63625pt>
+[46 <./images//stack_scan_write_tech.jpg>] [47]
+<images//frame.jpg, id=1147, 695.59875pt x 705.63625pt>
 File: images//frame.jpg Graphic file (type jpg)
 <use images//frame.jpg>
-Package pdftex.def Info: images//frame.jpg  used on input line 1571.
+Package pdftex.def Info: images//frame.jpg  used on input line 1573.
 (pdftex.def)             Requested size: 398.33858pt x 404.07954pt.
- [47] [48 <./images//frame.jpg>]
-<images//tcp_conn.jpg, id=1156, 452.69125pt x 405.515pt>
+ [48 <./images//frame.jpg>]
+[49]
+<images//tcp_conn.jpg, id=1167, 452.69125pt x 405.515pt>
 File: images//tcp_conn.jpg Graphic file (type jpg)
 <use images//tcp_conn.jpg>
-Package pdftex.def Info: images//tcp_conn.jpg  used on input line 1619.
+Package pdftex.def Info: images//tcp_conn.jpg  used on input line 1621.
 (pdftex.def)             Requested size: 341.43306pt x 305.84947pt.
-[49]
-Overfull \hbox (30.78944pt too wide) in paragraph at lines 1624--1625
+
+Overfull \hbox (30.78944pt too wide) in paragraph at lines 1626--1627
 []\T1/txr/m/n/12 As we can ob-serve in the fig-ure, the hosts in-ter-change a s
 e-quence of <SYN>, <SYN+ACK>,
  []
 
-<images//tcp_retransmission.jpg, id=1164, 523.9575pt x 485.815pt>
+[50 <./images//tcp_conn.jpg>]
+<images//tcp_retransmission.jpg, id=1175, 523.9575pt x 485.815pt>
 File: images//tcp_retransmission.jpg Graphic file (type jpg)
 <use images//tcp_retransmission.jpg>
 Package pdftex.def Info: images//tcp_retransmission.jpg  used on input line 163
-5.
+7.
 (pdftex.def)             Requested size: 341.43306pt x 316.58401pt.
-[50 <./images//tcp_conn.jpg>] [51 <./images//tcp_retransmission.jpg>]
-<images//tcp_exfiltrate_retrans.jpg, id=1182, 633.36626pt x 475.7775pt>
+ [51 <./images//tcp_retransmission.jpg>] [52]
+<images//tcp_exfiltrate_retrans.jpg, id=1192, 633.36626pt x 475.7775pt>
 File: images//tcp_exfiltrate_retrans.jpg Graphic file (type jpg)
 <use images//tcp_exfiltrate_retrans.jpg>
 Package pdftex.def Info: images//tcp_exfiltrate_retrans.jpg  used on input line
- 1672.
+ 1674.
 (pdftex.def)             Requested size: 426.79134pt x 320.60597pt.
- [52]
+
 [53 <./images//tcp_exfiltrate_retrans.jpg>] [54]
 Chapter 4.
 [55
 
-] [56]
+]
+<images//stack_ret_hij_simple.jpg, id=1210, 774.895pt x 674.52pt>
+File: images//stack_ret_hij_simple.jpg Graphic file (type jpg)
+<use images//stack_ret_hij_simple.jpg>
+Package pdftex.def Info: images//stack_ret_hij_simple.jpg  used on input line 1
+730.
+(pdftex.def)             Requested size: 426.79134pt x 371.51205pt.
+ [56] [57 <./images//stack_ret_hij_simple.jpg>]
+<images//buffer_overflow.jpg, id=1229, 707.64375pt x 343.2825pt>
+File: images//buffer_overflow.jpg Graphic file (type jpg)
+<use images//buffer_overflow.jpg>
+Package pdftex.def Info: images//buffer_overflow.jpg  used on input line 1756.
+(pdftex.def)             Requested size: 426.79134pt x 207.03964pt.
+<images//buffer_overflow_shellcode.jpg, id=1231, 707.64375pt x 379.4175pt>
+File: images//buffer_overflow_shellcode.jpg Graphic file (type jpg)
+<use images//buffer_overflow_shellcode.jpg>
+Package pdftex.def Info: images//buffer_overflow_shellcode.jpg  used on input l
+ine 1767.
+(pdftex.def)             Requested size: 426.79134pt x 228.8333pt.
+ [58 <./images//buffer_overflow.jpg>]
+
+LaTeX Warning: Reference `TODO probably an Annex' on page 59 undefined on input
+ line 1772.
+
+
+LaTeX Warning: Reference `TODO' on page 59 undefined on input line 1782.
+
+[59 <./images//buffer_overflow_shellcode.jpg>]
 Chapter 5.
-[57
+[60
 
 ]
 Chapter 6.
-[58
+[61
 
 ]
-Overfull \hbox (5.34976pt too wide) in paragraph at lines 1752--1752
+Overfull \hbox (5.34976pt too wide) in paragraph at lines 1817--1817
 \T1/txtt/m/n/12 threat -[] intelligence / cyber -[] year -[] in -[] retrospect 
 / yir -[] cyber -[] threats -[]
  []
 
-[59
+[62
 
 
 ]
-Overfull \hbox (6.22696pt too wide) in paragraph at lines 1752--1752
+Overfull \hbox (6.22696pt too wide) in paragraph at lines 1817--1817
 []\T1/txr/m/it/12 Bpf fea-tures by linux ker-nel ver-sion\T1/txr/m/n/12 , io-vi
 -sor. [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / github .
  []
 
 
-Overfull \hbox (7.34976pt too wide) in paragraph at lines 1752--1752
+Overfull \hbox (7.34976pt too wide) in paragraph at lines 1817--1817
 [][]$\T1/txtt/m/n/12 https : / / ebpf . io / what -[] is -[] ebpf / #loader -[]
 -[] verification -[] architecture$[][]\T1/txr/m/n/12 . 
  []
 
 
-Overfull \hbox (21.24973pt too wide) in paragraph at lines 1752--1752
+Overfull \hbox (21.24973pt too wide) in paragraph at lines 1817--1817
 \T1/txtt/m/n/12 vger . kernel . org / netconf2015Starovoitov -[] bpf _ collabsu
 mmit _ 2015feb20 .
  []
 
-[60]
-Overfull \hbox (9.14975pt too wide) in paragraph at lines 1752--1752
+[63]
+Overfull \hbox (9.14975pt too wide) in paragraph at lines 1817--1817
 \T1/txtt/m/n/12 ch02 . xhtml# :-[]: text = With % 20JIT % 20compiled % 20code %
  2C % 20i ,[] %20other %
  []
 
 
-Overfull \hbox (6.49615pt too wide) in paragraph at lines 1752--1752
+Overfull \hbox (6.49615pt too wide) in paragraph at lines 1817--1817
 []\T1/txr/m/n/12 D. Lavie. ^^P  A gen-tle in-tro-duc-tion to xdp.^^Q (Feb. 3, 2
 022), [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https :
  []
 
-[61]
-Overfull \hbox (0.76683pt too wide) in paragraph at lines 1752--1752
+[64]
+Overfull \hbox (0.76683pt too wide) in paragraph at lines 1817--1817
 []\T1/txr/m/n/12 ^^P  Bpf next ker-nel tree.^^Q (), [On-line]. Avail-able: [][]
 $\T1/txtt/m/n/12 https : / / kernel . googlesource .
  []
 
 
-Overfull \hbox (14.49278pt too wide) in paragraph at lines 1752--1752
+Overfull \hbox (14.49278pt too wide) in paragraph at lines 1817--1817
 []\T1/txr/m/it/12 Capabilities - overview of linux ca-pa-bil-i-ties\T1/txr/m/n/
 12 . [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 http : / / manpages .
  []
 
-[62]
-Overfull \hbox (53.32059pt too wide) in paragraph at lines 1752--1752
+[65]
+Overfull \hbox (53.32059pt too wide) in paragraph at lines 1817--1817
 \T1/txr/m/it/12 sup-ple-ment\T1/txr/m/n/12 , Jan. 28, 2018, p. 148. [On-line]. 
 Avail-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
  []
 
 
-Overfull \hbox (33.3497pt too wide) in paragraph at lines 1752--1752
+Overfull \hbox (33.3497pt too wide) in paragraph at lines 1817--1817
 \T1/txtt/m/n/12 20CON % 2029 % 20presentations / Guillaume % 20Fournier % 20Syl
 vain % 20Afchain %
  []
 
 
-Overfull \hbox (9.33742pt too wide) in paragraph at lines 1752--1752
+Overfull \hbox (9.33742pt too wide) in paragraph at lines 1817--1817
 \T1/txr/m/n/12 Avail-able: [][]$\T1/txtt/m/n/12 https : / / events19 . linuxfou
 ndation . org / wp -[] content / uploads /
  []
 
 
-Overfull \hbox (18.44974pt too wide) in paragraph at lines 1752--1752
+Overfull \hbox (18.44974pt too wide) in paragraph at lines 1817--1817
 \T1/txtt/m/n/12 2017 / 12 / MM -[] 101 -[] Introduction -[] to -[] Linux -[] Me
 mory -[] Management -[] Christoph -[]
  []
 
 
-Overfull \hbox (5.92503pt too wide) in paragraph at lines 1752--1752
+Overfull \hbox (5.92503pt too wide) in paragraph at lines 1817--1817
 []\T1/txr/m/n/12 D. Breaker. ^^P  Un-der-stand-ing page faults and mem-ory swap
 -in/outs.^^Q (Aug. 19, 2019),
  []
 
 
-Overfull \hbox (40.56133pt too wide) in paragraph at lines 1752--1752
+Overfull \hbox (40.56133pt too wide) in paragraph at lines 1817--1817
 \T1/txr/m/n/12 able: [][]$\T1/txtt/m/n/12 https : / / h3xduck . github . io / e
 xploit / 2021 / 05 / 23 / stackbufferoverflow -[]
  []
 
 
-Overfull \hbox (47.32059pt too wide) in paragraph at lines 1752--1752
+Overfull \hbox (47.32059pt too wide) in paragraph at lines 1817--1817
 \T1/txr/m/it/12 sup-ple-ment\T1/txr/m/n/12 , Jan. 28, 2018, p. 18. [On-line]. A
 vail-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
  []
 
-[63]
-Overfull \hbox (11.10025pt too wide) in paragraph at lines 1752--1752
+[66]
+Overfull \hbox (11.10025pt too wide) in paragraph at lines 1817--1817
 \T1/txr/m/n/12 DE-F-CON 27, pp. 69^^U74. [On-line]. Avail-able: [][]$\T1/txtt/m
 /n/12 https : / / raw . githubusercontent .
  []
 
 
-Overfull \hbox (39.98859pt too wide) in paragraph at lines 1752--1752
+Overfull \hbox (39.98859pt too wide) in paragraph at lines 1817--1817
 \T1/txr/m/it/12 ment\T1/txr/m/n/12 , Jan. 28, 2018, pp. 19^^U22. [On-line]. Ava
 il-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
  []
 
 
-Overfull \hbox (21.2149pt too wide) in paragraph at lines 1752--1752
+Overfull \hbox (21.2149pt too wide) in paragraph at lines 1817--1817
 \T1/txr/m/n/12 line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / www . plixer
  . com / blog / network -[] layers -[] explained/$[][]\T1/txr/m/n/12 . 
  []
 
 
-Overfull \hbox (4.29944pt too wide) in paragraph at lines 1752--1752
+Overfull \hbox (4.29944pt too wide) in paragraph at lines 1817--1817
 []\T1/txr/m/n/12 ^^P  Trans-mis-sion con-trol pro-to-col,^^Q IBM. (Apr. 19, 202
 2), [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https :
  []
 
-[64] (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
+[67] (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
 File: lstlang1.sty 2020/03/24 1.8d listings language file
 )
 (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
@@ -1633,24 +1663,30 @@ File: lstlang1.sty 2020/03/24 1.8d listings language file
 been already used, duplicate ignored
 <to be read again> 
                    \relax 
-l.1812 \end{document}
+l.1877 \end{document}
                       [2
 
 ] (./document.aux)
 
 LaTeX Warning: There were undefined references.
 
-Package rerunfilecheck Info: File `document.out' has not changed.
-(rerunfilecheck)             Checksum: 0534197E5E0256674903E8AAF25F54B0;4578.
+
+Package rerunfilecheck Warning: File `document.out' has changed.
+(rerunfilecheck)                Rerun to get outlines right
+(rerunfilecheck)                or use package `bookmark'.
+
+Package rerunfilecheck Info: Checksums for `document.out':
+(rerunfilecheck)             Before: 5294F3D5A17A6EC3C46845D3EEAB2EF6;4593
+(rerunfilecheck)             After:  7F97C08A6EE704EC164C376D592ADDCD;4579.
 Package logreq Info: Writing requests to 'document.run.xml'.
 \openout1 = `document.run.xml'.
 
  ) 
 Here is how much of TeX's memory you used:
- 28520 strings out of 481209
- 454854 string characters out of 5914747
- 1353349 words of memory out of 5000000
- 44638 multiletter control sequences out of 15000+600000
+ 28578 strings out of 481209
+ 455998 string characters out of 5914747
+ 1354008 words of memory out of 5000000
+ 44676 multiletter control sequences out of 15000+600000
  459242 words of font info for 106 fonts, out of 8000000 for 9000
  36 hyphenation exceptions out of 8191
  88i,12n,90p,1029b,3693s stack positions out of 5000i,500n,10000p,200000b,80000s
@@ -1666,9 +1702,9 @@ e/texmf-dist/fonts/type1/urw/helvetic/uhvb8a.pfb></usr/share/texlive/texmf-dist
 /urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/u
 tmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr
 /share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
-Output written on document.pdf (83 pages, 1445236 bytes).
+Output written on document.pdf (86 pages, 1639730 bytes).
 PDF statistics:
- 1548 PDF objects out of 1728 (max. 8388607)
- 372 named destinations out of 1000 (max. 500000)
- 605 words of extra memory for PDF output out of 10000 (max. 10000000)
+ 1592 PDF objects out of 1728 (max. 8388607)
+ 389 named destinations out of 1000 (max. 500000)
+ 620 words of extra memory for PDF output out of 10000 (max. 10000000)
 

docs/document.lot

@@ -45,7 +45,7 @@
 \defcounter {refsection}{0}\relax 
 \contentsline {table}{\numberline {3.5}{\ignorespaces Relevant registers in x86\_64 for the stack and control flow and their purpose.\relax }}{40}{table.caption.39}%
 \defcounter {refsection}{0}\relax 
-\contentsline {table}{\numberline {3.6}{\ignorespaces Relevant TCP flags and their purpose.\relax }}{49}{table.caption.45}%
+\contentsline {table}{\numberline {3.6}{\ignorespaces Relevant TCP flags and their purpose.\relax }}{50}{table.caption.45}%
 \defcounter {refsection}{0}\relax 
 \addvspace {10\p@ }
 \defcounter {refsection}{0}\relax 

docs/document.out

@@ -53,7 +53,7 @@
 \BOOKMARK [2][-]{subsection.3.4.4}{Conclusion}{section.3.4}% 53
 \BOOKMARK [0][-]{chapter.4}{Design\040of\040a\040malicious\040eBPF\040rootkit}{}% 54
 \BOOKMARK [1][-]{section.4.1}{Library\040injection\040via\040.GOT\040hijacking}{chapter.4}% 55
-\BOOKMARK [2][-]{subsection.4.1.1}{Introduction\040to\040attacks\040in\040the\040stack}{section.4.1}% 56
+\BOOKMARK [2][-]{subsection.4.1.1}{Attacks\040at\040the\040stack:\040buffer\040overflow}{section.4.1}% 56
 \BOOKMARK [0][-]{chapter.5}{Results}{}% 57
 \BOOKMARK [0][-]{chapter.6}{Conclusion\040and\040future\040work}{}% 58
 \BOOKMARK [0][-]{chapter.6}{Bibliography}{}% 59

docs/document.tex

@@ -385,6 +385,7 @@ The rootkit will work in a fresh-install of a Linux system with the following ch
 
 \subsection{Social and economic environment}
 %M-> Mentioned talking about community outreach and its role under pentesting
+%TODO Talk about the difference between having always on BPF and always on kernel modules, BPF is consider "safe" in production while it's almost as dangerous (I think this might fit here)
 
 %TODO - Leaving this for the end
 
@@ -1385,13 +1386,14 @@ Figure \ref{fig:mem_proc_arch} describes how virtual memory is distributed withi
 \item Lower and upper memory addresses are reserved for the kernel.
 \item A section where shared libraries code is stored.
 \item A .text section, which contains the code of the program being run.
-\item A .bss section, which contains global static variables.
+\item A .data section, containing initialized static and global variables.
+\item A .bss section, which contains global and static variables which are unitialized or initialized to zero.
 \item The heap, a section which grows from lower to higher memory addresses, and which contains memory dynamically allocated by the program.
 \item The stack, a section which grows from higher to lower memory addresses, towards the heap. It is a Last In First Out (LIFO) structure used to store local variables, function parameters and return addresses.
 \item Right at the start of the stack we can find the arguments with which the programs has been executed.
 \end{itemize}
 
-\subsection{The process stack}
+\subsection{The process stack} \label{subsection:stack}
 Between all the sections we identified in a process virtual memory, the stack will be particularly relevant during our research. We will therefore study it now in detail. 
 
 Firstly, we will present how the stack is structured, and which operations can be executed on it. Figure \ref{fig:stack_pres} presents a stack during the execution of a program. Table \ref{table:systemv_abi_other} explains the purpose of the most relevant registers related to the stack and program execution:
@@ -1708,13 +1710,77 @@ Taking as a basis these capabilities, this chapter is now dedicated to a compreh
 We will be exploring each functionality individually, presenting the necessary background on each of them, and offering a final comprehensive view on how each of the systems work.
 
 \section{Library injection via .GOT hijacking}
-In this section, we will discuss how to hijack an user process running in the system so that it executes arbitrary code instructed from an eBPF program. For this, we will be injecting a library which will be executed by taking advantage of the architecture of an executable program (the .GOT section in ELFs) and using the stack scanning technique covered in section \ref{subsection:bpf_probe_write_apps}. This injection will be stealthy(it must not crash the process), and will be able to hijack privileged programs such as systemd, so that the code is executed as root.
+In this section, we will discuss how to hijack an user process running in the system so that it executes arbitrary code instructed from an eBPF program. For this, we will be injecting a library which will be executed by taking advantage of the architecture of an executable program (the .GOT section in ELFs) and using the stack scanning technique covered in section \ref{subsection:bpf_probe_write_apps}. This injection will be stealthy (it must not crash the process), and will be able to hijack privileged programs such as systemd, so that the code is executed as root.
 
 We will also research how to circumvent the protections which modern compilers have set in order to prevent similar attacks (when performed without eBPF).
 
-This technique has some advantages and disadvantages to the one described by Jeff Dileo at DEFCON 27, which we will briefly cover before presenting ours. A comparison between them will also be offered.
+This technique has some advantages and disadvantages to the one described by Jeff Dileo at DEFCON 27\cite{evil_ebpf_p6974}, which we will briefly cover before presenting ours. A comparison between them will also be offered.
+
+\subsection{Attacks at the stack: buffer overflow}
+In section \ref{subsection:stack}, we studied how the stack works and which is the process that a program follows in order to call a function. As we saw in figure \ref{fig:stack}, the processor pushes into the stack several data which is used to restore the context of the original function once the called function exits. These pushed arguments included:
+\begin{itemize}
+\item The arguments with which the function is being called (if they need to be passed in the stack, such as byte arrays).
+\item The original value of the rip register (ret), to restore the execution on the original function.
+\item The original value of the rbp register (sfp), to restore the frame pointer of the original stack frame.
+\end{itemize}
+
+Although this process is simple enough, it opens the possibility for an attacker to easily hijack the flow of execution if it can modify the value of ret, as it is shown in figure \ref{fig:stack_ret_hij_simple}:
+\begin{figure}[H]
+	\centering
+	\includegraphics[width=15cm]{stack_ret_hij_simple.jpg}
+	\caption{Execution hijack overwriting saved rip value.}
+	\label{fig:stack_ret_hij_simple}
+\end{figure}
+
+In the figure, we can observe how, during the execution of the called function, the attacker overwrites the value of ret in the stack. Once the function exists, as we explained in section \ref{subsection:stack}, during the function epilogue the value of ret will be popped and moved into rip, so that the execution is directed to the original next instruction. However, because the value was modified, the attacker controls which instructions are executed next.
+
+Attackers have historically used multiple techniques to overwrite the ret value in the stack, being the stack buffer overflow one of the most popular. In this technique, an attacker takes advantage of a program receiving an user value stored in a buffer whose capacity is smaller of that of the supplied value. Code snippet \ref{code:vuln_overflow} shows an example of a vulnerable program:
+
+\begin{lstlisting}[language=C, caption={Program vulnerable to buffer overflow.}, label={code:vuln_overflow}]
+#include <string.h>
+void foo(char *bar){ // bar may be larger than 12 characters
+   char buffer[12];
+   strcpy(buffer, bar); //no bounds checking 
+}
+
+int main(int argc, char *argv[]){
+   foo(argv[1]);
+   return 0;
+}
+\end{lstlisting}
+
+During the execution of the above program, since the char array \textit{buffer} is a buffer of length 12 stored in the stack, then if the value of \textit{bar} is larger than 12 bytes it will overflow the allocated space in the stack. This is usually the case of using unsafe functions for processing user input such as strcpy(), which does not check whether the array fits in the buffer. Figure \ref{fig:buffer_overflow} shows how the overflow happens in the stack.
+
+\begin{figure}[H]
+	\centering
+	\includegraphics[width=15cm]{buffer_overflow.jpg}
+	\caption{Stack buffer overflow overwriting ret value.}
+	\label{fig:buffer_overflow}
+\end{figure}
+
+As we can observe in the figure, the new data written into the buffer has also overwritten other fields which were pushed into the stack, such as sfp and ret, resulting in changing the flow of execution once the function exists.
+
+Usually, an attacker exploiting a program vulnerable to stack buffer overflow is interested in running arbitrary (malicious) code. For this, the attacker follows the process shown in figure \ref{fig:buffer_overflow_shellcode}:
+
+\begin{figure}[H]
+	\centering
+	\includegraphics[width=15cm]{buffer_overflow_shellcode.jpg}
+	\caption{Executing arbitrary code exploiting a buffer overflow vulnerability.}
+	\label{fig:buffer_overflow_shellcode}
+\end{figure}
+
+As we can observe in the figure, the attacker will take advantage of the buffer overflow to overwrite not only ret, but also the rest of the current stack frame and sfp with malicious code. This code is known as shellcode, consisting on instruction opcodes (machine assembly instructions translated to their representation in hexadecimal values) which the processor will execute. We will briefly explain how to write shellcode in section \ref{TODO probably an Annex}. Therefore, in this technique the attacker will:
+\begin{itemize}
+\item Introduce a byte array that overflows the buffer, consisting on SHELLCODE + the address of the buffer.
+\begin{itemize}
+	\item The shellcode overwrites the buffer and all data until ret.
+	\item ret is overwritten by the value of the address where the buffer starts.
+\end{itemize}
+\item When the function exits and ret is popped from the stack, the register rip will now point to the address of the buffer at the stack, processing the stack data as instructions part of a program. The malicious code will be executed.
+\end{itemize}
+
+By using eBPF, we should in principle be able to overwrite the stack, inject shellcode, overwrite ret and then execute our malicious code. However, the classic buffer overflow is one of the oldest techniques in binary exploitation, and thus numerous protections have historically been incorporated and thus the attack presented here does not work work in modern systems any more. One of the protections is  the prohibition of executing code from the stack. By marking the stack as non-executable, in the case of rip pointing to an address in the stack any malicious code will not be ran, even if an application was vulnerable to a buffer overflow. We will explain more in detail the main protections that nowadays are incorporated in modern systems in section \ref{TODO}.
 
-\subsection{Introduction to attacks in the stack}
 
 
 
@@ -1727,7 +1793,6 @@ This technique has some advantages and disadvantages to the one described by Jef
 
 
 
-%TODO Talk about the difference between having always on BPF and always on kernel modules (maybe this is better in the introduction)
 
 
 

docs/document.toc

@@ -93,29 +93,29 @@
 \defcounter {refsection}{0}\relax 
 \contentsline {subsection}{\numberline {3.3.3}The process stack}{40}{subsection.3.3.3}%
 \defcounter {refsection}{0}\relax 
-\contentsline {subsection}{\numberline {3.3.4}Attacks and limitations of bpf\_probe\_write\_user()}{43}{subsection.3.3.4}%
+\contentsline {subsection}{\numberline {3.3.4}Attacks and limitations of bpf\_probe\_write\_user()}{44}{subsection.3.3.4}%
 \defcounter {refsection}{0}\relax 
-\contentsline {subsection}{\numberline {3.3.5}Conclusion}{46}{subsection.3.3.5}%
+\contentsline {subsection}{\numberline {3.3.5}Conclusion}{47}{subsection.3.3.5}%
 \defcounter {refsection}{0}\relax 
-\contentsline {section}{\numberline {3.4}Abusing networking programs}{46}{section.3.4}%
+\contentsline {section}{\numberline {3.4}Abusing networking programs}{47}{section.3.4}%
 \defcounter {refsection}{0}\relax 
-\contentsline {subsection}{\numberline {3.4.1}An overview on the network layer}{47}{subsection.3.4.1}%
+\contentsline {subsection}{\numberline {3.4.1}An overview on the network layer}{48}{subsection.3.4.1}%
 \defcounter {refsection}{0}\relax 
 \contentsline {subsection}{\numberline {3.4.2}Introduction to the TCP protocol}{49}{subsection.3.4.2}%
 \defcounter {refsection}{0}\relax 
 \contentsline {subsection}{\numberline {3.4.3}Attacks and limitations of networking programs}{51}{subsection.3.4.3}%
 \defcounter {refsection}{0}\relax 
-\contentsline {subsection}{\numberline {3.4.4}Conclusion}{53}{subsection.3.4.4}%
+\contentsline {subsection}{\numberline {3.4.4}Conclusion}{54}{subsection.3.4.4}%
 \defcounter {refsection}{0}\relax 
 \contentsline {chapter}{\numberline {4}Design of a malicious eBPF rootkit}{55}{chapter.4}%
 \defcounter {refsection}{0}\relax 
 \contentsline {section}{\numberline {4.1}Library injection via .GOT hijacking}{55}{section.4.1}%
 \defcounter {refsection}{0}\relax 
-\contentsline {subsection}{\numberline {4.1.1}Introduction to attacks in the stack}{56}{subsection.4.1.1}%
+\contentsline {subsection}{\numberline {4.1.1}Attacks at the stack: buffer overflow}{56}{subsection.4.1.1}%
 \defcounter {refsection}{0}\relax 
-\contentsline {chapter}{\numberline {5}Results}{57}{chapter.5}%
+\contentsline {chapter}{\numberline {5}Results}{60}{chapter.5}%
 \defcounter {refsection}{0}\relax 
-\contentsline {chapter}{\numberline {6}Conclusion and future work}{58}{chapter.6}%
+\contentsline {chapter}{\numberline {6}Conclusion and future work}{61}{chapter.6}%
 \defcounter {refsection}{0}\relax 
-\contentsline {chapter}{Bibliography}{59}{chapter.6}%
+\contentsline {chapter}{Bibliography}{62}{chapter.6}%
 \contentsfinish 

docs/pdfa.xmpi

@@ -73,15 +73,15 @@
   </rdf:Description> 
   <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/"> 
    <xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool> 
-   <xmp:ModifyDate>2022-06-06T21:52:46-04:00</xmp:ModifyDate> 
-   <xmp:CreateDate>2022-06-06T21:52:46-04:00</xmp:CreateDate> 
-   <xmp:MetadataDate>2022-06-06T21:52:46-04:00</xmp:MetadataDate> 
+   <xmp:ModifyDate>2022-06-07T12:45:09-04:00</xmp:ModifyDate> 
+   <xmp:CreateDate>2022-06-07T12:45:09-04:00</xmp:CreateDate> 
+   <xmp:MetadataDate>2022-06-07T12:45:09-04:00</xmp:MetadataDate> 
   </rdf:Description> 
   <rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/"> 
   </rdf:Description> 
   <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/"> 
    <xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID> 
-   <xmpMM:InstanceID>uuid:94CDBB45-6A30-6CCE-B5DD-1D475DAA515D</xmpMM:InstanceID> 
+   <xmpMM:InstanceID>uuid:F42E26B8-7248-CA5C-5651-8E1F5F7A10AB</xmpMM:InstanceID> 
   </rdf:Description> 
  </rdf:RDF> 
 </x:xmpmeta>