Elaborated on ebpf architecture. Incoming explanation of JIT compiling

h3xduck
2022-05-24 20:53:00 -04:00
parent 820c9f9401
commit 706198f95b
14 changed files with 423 additions and 150 deletions


@@ -141,10 +141,43 @@
},
@manual{tcpdump_page,
title={Tcpdump & Libpcap},
title={Tcpdump and Libpcap},
url={https://www.tcpdump.org}
},
@manual{ebpf_funcs_by_ver,
title={BPF features by Linux Kernel Version},
organization={iovisor},
url={https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md}
},
@book{brendan_gregg_bpf_book,
title={BPF performance tools},
author={Brendan Gregg},
url={https://www.oreilly.com/library/view/bpf-performance-tools/9780136588870/}
},
@manual{ebpf_inst_set,
title={eBPF instruction set},
url={https://www.kernel.org/doc/html/latest/bpf/instruction-set.html}
}
@manual{8664_inst_set_specs,
title={Intel® 64 and IA-32 Architectures Software Developers Manual Combined Volumes: 1, 2A, 2B, 2C, 2D, 3A, 3B, 3C, 3D, and 4},
author={Intel},
volume={2A},
pages={507},
urldate={2022-05-13},
url={https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html}
}
@proceedings{ebpf_starovo_slides,
title={BPF in-kernel virtual machine},
url={http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf},
date={2015-02-20},
institution={PLUMgrid}
}
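Review bot: The entries in this hunk that close with `},` (after the `tcpdump_page`, `ebpf_funcs_by_ver` and `brendan_gregg_bpf_book` URLs) leave a stray comma between entries, which is most likely what biber reports as `1 characters of junk seen at toplevel`; the .blg section of this same commit shows that warning count rising from 19 to 22. Close each entry with a bare `}`, as the last three entries here already do. `author={Intel}` is parsed as a personal name (the generated .bbl shows `family={Intel}` with initial `I`), so write it as `author={{Intel}}` to mark it as a corporate author. The `ebpf_starovo_slides` reference uses a plain `http://` URL; if the host serves the same PDF over HTTPS, cite that instead so readers fetch the source over an authenticated channel.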


@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 23 MAY 2022 07:12
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 24 MAY 2022 20:47
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.


@@ -100,19 +100,44 @@
\newlabel{fig:bpf_tcpdump_example}{{2.5}{10}{BPF bytecode tcpdump needs to set a filter to display packets directed to port 80.\relax }{figure.caption.12}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.6}{\ignorespaces Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }}{10}{figure.caption.13}\protected@file@percent }
\newlabel{fig:tcpdump_ex_sol}{{2.6}{10}{Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }{figure.caption.13}{}}
\abx@aux@cite{ebpf_funcs_by_ver}
\abx@aux@segm{0}{0}{ebpf_funcs_by_ver}
\abx@aux@cite{ebpf_funcs_by_ver}
\abx@aux@segm{0}{0}{ebpf_funcs_by_ver}
\abx@aux@cite{brendan_gregg_bpf_book}
\abx@aux@segm{0}{0}{brendan_gregg_bpf_book}
\abx@aux@cite{ebpf_inst_set}
\abx@aux@segm{0}{0}{ebpf_inst_set}
\abx@aux@cite{8664_inst_set_specs}
\abx@aux@segm{0}{0}{8664_inst_set_specs}
\abx@aux@cite{ebpf_inst_set}
\abx@aux@segm{0}{0}{ebpf_inst_set}
\abx@aux@cite{ebpf_starovo_slides}
\abx@aux@segm{0}{0}{ebpf_starovo_slides}
\abx@aux@cite{ebpf_inst_set}
\abx@aux@segm{0}{0}{ebpf_inst_set}
\abx@aux@cite{ebpf_starovo_slides}
\abx@aux@segm{0}{0}{ebpf_starovo_slides}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.2}Analysis of modern eBPF}{11}{section.2.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.1}New eBPF infrastructure}{11}{subsection.2.2.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Methods??}{12}{chapter.3}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.1}Architecture of eBPF}{11}{subsection.2.2.1}\protected@file@percent }
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.2}{\ignorespaces Table showing relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }}{11}{table.caption.14}\protected@file@percent }
\newlabel{table:ebpf_history}{{2.2}{11}{Table showing relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }{table.caption.14}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.3}{\ignorespaces Table showing eBPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{11}{table.caption.15}\protected@file@percent }
\newlabel{table:ebpf_inst_format}{{2.3}{11}{Table showing eBPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }{table.caption.15}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.4}{\ignorespaces Table showing eBPF registers and their purpose in the BPF VM.\cite {ebpf_inst_set}\cite {ebpf_starovo_slides}.\relax }}{12}{table.caption.16}\protected@file@percent }
\newlabel{table:ebpf_regs}{{2.4}{12}{Table showing eBPF registers and their purpose in the BPF VM.\cite {ebpf_inst_set}\cite {ebpf_starovo_slides}.\relax }{table.caption.16}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.2}JIT compilation}{12}{subsection.2.2.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Methods??}{13}{chapter.3}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{13}{chapter.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{14}{chapter.4}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{14}{chapter.5}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{15}{chapter.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{15}{chapter.5}\protected@file@percent }
\abx@aux@read@bbl@mdfivesum{B18652840B9A2D8E82575EF61C309813}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{16}{chapter.5}\protected@file@percent }
\abx@aux@read@bbl@mdfivesum{A0263F600A6B69AA4741D30C7A5AD15D}
\abx@aux@refcontextdefaultsdone
\abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global}
@@ -134,5 +159,10 @@
\abx@aux@defaultrefcontext{0}{bpf_bsd_origin_bpf_page7}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{bpf_bsd_origin_bpf_page8}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{tcpdump_page}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_funcs_by_ver}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{brendan_gregg_bpf_book}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_inst_set}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{8664_inst_set_specs}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_starovo_slides}{none/global//global/global}
\ttl@finishall
\gdef \@abspage@last{32}
\gdef \@abspage@last{33}


@@ -23,8 +23,8 @@
\list{institution}{1}{%
{PricewaterhouseCoopers}%
}
\field{sortinit}{3}
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
\field{sortinit}{6}
\field{sortinithash}{7851c86048328b027313775d8fbd2131}
\field{labeltitlesource}{title}
\field{title}{Cyber Threats 2021: A year in Retrospect}
\verb{urlraw}
@@ -38,8 +38,8 @@
\list{institution}{1}{%
{Positive Technologies}%
}
\field{sortinit}{4}
\field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4}
\field{sortinit}{7}
\field{sortinithash}{f615fb9c6fba11c6f962fb3fd599810e}
\field{labeltitlesource}{title}
\field{day}{3}
\field{month}{11}
@@ -54,8 +54,8 @@
\endverb
\endentry
\entry{ebpf_linux318}{online}{}
\field{sortinit}{5}
\field{sortinithash}{5dd416adbafacc8226114bc0202d5fdd}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{day}{7}
\field{indextitle}{eBPF incorporation in the Linux Kernel 3.18}
\field{month}{12}
@@ -72,8 +72,8 @@
\list{institution}{1}{%
{Pangu Lab}%
}
\field{sortinit}{6}
\field{sortinithash}{7851c86048328b027313775d8fbd2131}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{labeltitlesource}{title}
\field{day}{23}
\field{month}{2}
@@ -91,8 +91,8 @@
\list{institution}{1}{%
{PricewaterhouseCoopers}%
}
\field{sortinit}{7}
\field{sortinithash}{f615fb9c6fba11c6f962fb3fd599810e}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{title}{Cyber Threats 2021: A year in Retrospect}
\field{pages}{37}
@@ -105,8 +105,8 @@
\endverb
\endentry
\entry{ebpf_windows}{online}{}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{day}{7}
\field{month}{12}
@@ -121,8 +121,8 @@
\endverb
\endentry
\entry{ebpf_android}{online}{}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{title}{eBPF for Windows}
\verb{urlraw}
@@ -321,8 +321,8 @@
\endverb
\endentry
\entry{index_register}{manual}{}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{sortinit}{2}
\field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
\field{labeltitlesource}{title}
\field{title}{Index register}
\verb{urlraw}
@@ -350,8 +350,8 @@
\strng{authornamehash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{authorfullhash}{b74c2671072cf5a1a1400dc035240dfd}
\field{extraname}{3}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{sortinit}{2}
\field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{19}
@@ -369,8 +369,8 @@
\endverb
\endentry
\entry{bpf_organicprogrammer_analysis}{online}{}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{sortinit}{2}
\field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
\field{labeltitlesource}{title}
\field{day}{28}
\field{month}{3}
@@ -460,7 +460,7 @@
\field{sortinit}{2}
\field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
\field{labeltitlesource}{title}
\field{title}{Tcpdump & Libpcap}
\field{title}{Tcpdump and Libpcap}
\verb{urlraw}
\verb https://www.tcpdump.org
\endverb
@@ -468,6 +468,109 @@
\verb https://www.tcpdump.org
\endverb
\endentry
\entry{ebpf_funcs_by_ver}{manual}{}
\list{organization}{1}{%
{iovisor}%
}
\field{sortinit}{2}
\field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
\field{labeltitlesource}{title}
\field{title}{BPF features by Linux Kernel Version}
\verb{urlraw}
\verb https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md
\endverb
\verb{url}
\verb https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md
\endverb
\endentry
\entry{brendan_gregg_bpf_book}{book}{}
\name{author}{1}{}{%
{{hash=b45aef384111d7e9dd71b74ba427b5f1}{%
family={Gregg},
familyi={G\bibinitperiod},
given={Brendan},
giveni={B\bibinitperiod}}}%
}
\strng{namehash}{b45aef384111d7e9dd71b74ba427b5f1}
\strng{fullhash}{b45aef384111d7e9dd71b74ba427b5f1}
\strng{bibnamehash}{b45aef384111d7e9dd71b74ba427b5f1}
\strng{authorbibnamehash}{b45aef384111d7e9dd71b74ba427b5f1}
\strng{authornamehash}{b45aef384111d7e9dd71b74ba427b5f1}
\strng{authorfullhash}{b45aef384111d7e9dd71b74ba427b5f1}
\field{sortinit}{3}
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{title}{BPF performance tools}
\verb{urlraw}
\verb https://www.oreilly.com/library/view/bpf-performance-tools/9780136588870/
\endverb
\verb{url}
\verb https://www.oreilly.com/library/view/bpf-performance-tools/9780136588870/
\endverb
\endentry
\entry{ebpf_inst_set}{manual}{}
\field{sortinit}{3}
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
\field{labeltitlesource}{title}
\field{title}{eBPF instruction set}
\verb{urlraw}
\verb https://www.kernel.org/doc/html/latest/bpf/instruction-set.html
\endverb
\verb{url}
\verb https://www.kernel.org/doc/html/latest/bpf/instruction-set.html
\endverb
\endentry
\entry{8664_inst_set_specs}{manual}{}
\name{author}{1}{}{%
{{hash=ff97a9fdede09eaf6e1c8ec9f6a61dd5}{%
family={Intel},
familyi={I\bibinitperiod}}}%
}
\strng{namehash}{ff97a9fdede09eaf6e1c8ec9f6a61dd5}
\strng{fullhash}{ff97a9fdede09eaf6e1c8ec9f6a61dd5}
\strng{bibnamehash}{ff97a9fdede09eaf6e1c8ec9f6a61dd5}
\strng{authorbibnamehash}{ff97a9fdede09eaf6e1c8ec9f6a61dd5}
\strng{authornamehash}{ff97a9fdede09eaf6e1c8ec9f6a61dd5}
\strng{authorfullhash}{ff97a9fdede09eaf6e1c8ec9f6a61dd5}
\field{sortinit}{3}
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{title}{Intel® 64 and IA-32 Architectures Software Developers Manual Combined Volumes: 1, 2A, 2B, 2C, 2D, 3A, 3B, 3C, 3D, and 4}
\field{urlday}{13}
\field{urlmonth}{5}
\field{urlyear}{2022}
\field{volume}{2A}
\field{urldateera}{ce}
\field{pages}{507}
\range{pages}{1}
\verb{urlraw}
\verb https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html
\endverb
\verb{url}
\verb https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html
\endverb
\endentry
\entry{ebpf_starovo_slides}{proceedings}{}
\list{institution}{1}{%
{PLUMgrid}%
}
\field{sortinit}{3}
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
\field{labeltitlesource}{title}
\field{day}{20}
\field{month}{2}
\field{title}{BPF in-kernel virtual machine}
\field{year}{2015}
\field{dateera}{ce}
\verb{urlraw}
\verb http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf
\endverb
\verb{url}
\verb http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf
\endverb
\endentry
\enddatalist
\endrefsection
\endinput


@@ -2348,28 +2348,37 @@
<bcf:datasource type="file" datatype="bibtex" glob="false">bibliography/bibliography.bib</bcf:datasource>
</bcf:bibdata>
<bcf:section number="0">
<bcf:citekey order="3">ransomware_pwc</bcf:citekey>
<bcf:citekey order="4">rootkit_ptsecurity</bcf:citekey>
<bcf:citekey order="5">ebpf_linux318</bcf:citekey>
<bcf:citekey order="6">bvp47_report</bcf:citekey>
<bcf:citekey order="7">bpfdoor_pwc</bcf:citekey>
<bcf:citekey order="8">ebpf_windows</bcf:citekey>
<bcf:citekey order="9">ebpf_android</bcf:citekey>
<bcf:citekey order="10">evil_ebpf</bcf:citekey>
<bcf:citekey order="11">bad_ebpf</bcf:citekey>
<bcf:citekey order="12">ebpf_friends</bcf:citekey>
<bcf:citekey order="13">ebpf_io</bcf:citekey>
<bcf:citekey order="14">bpf_bsd_origin</bcf:citekey>
<bcf:citekey order="15">ebpf_history_opensource</bcf:citekey>
<bcf:citekey order="16">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="17">index_register</bcf:citekey>
<bcf:citekey order="18">bpf_bsd_origin_bpf_page5</bcf:citekey>
<bcf:citekey order="19">bpf_organicprogrammer_analysis</bcf:citekey>
<bcf:citekey order="20">bpf_bsd_origin_bpf_page7</bcf:citekey>
<bcf:citekey order="21">bpf_bsd_origin_bpf_page8</bcf:citekey>
<bcf:citekey order="22">bpf_bsd_origin_bpf_page8</bcf:citekey>
<bcf:citekey order="23">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="24">tcpdump_page</bcf:citekey>
<bcf:citekey order="6">ransomware_pwc</bcf:citekey>
<bcf:citekey order="7">rootkit_ptsecurity</bcf:citekey>
<bcf:citekey order="8">ebpf_linux318</bcf:citekey>
<bcf:citekey order="9">bvp47_report</bcf:citekey>
<bcf:citekey order="10">bpfdoor_pwc</bcf:citekey>
<bcf:citekey order="11">ebpf_windows</bcf:citekey>
<bcf:citekey order="12">ebpf_android</bcf:citekey>
<bcf:citekey order="13">evil_ebpf</bcf:citekey>
<bcf:citekey order="14">bad_ebpf</bcf:citekey>
<bcf:citekey order="15">ebpf_friends</bcf:citekey>
<bcf:citekey order="16">ebpf_io</bcf:citekey>
<bcf:citekey order="17">bpf_bsd_origin</bcf:citekey>
<bcf:citekey order="18">ebpf_history_opensource</bcf:citekey>
<bcf:citekey order="19">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="20">index_register</bcf:citekey>
<bcf:citekey order="21">bpf_bsd_origin_bpf_page5</bcf:citekey>
<bcf:citekey order="22">bpf_organicprogrammer_analysis</bcf:citekey>
<bcf:citekey order="23">bpf_bsd_origin_bpf_page7</bcf:citekey>
<bcf:citekey order="24">bpf_bsd_origin_bpf_page8</bcf:citekey>
<bcf:citekey order="25">bpf_bsd_origin_bpf_page8</bcf:citekey>
<bcf:citekey order="26">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="27">tcpdump_page</bcf:citekey>
<bcf:citekey order="28">ebpf_funcs_by_ver</bcf:citekey>
<bcf:citekey order="29">ebpf_funcs_by_ver</bcf:citekey>
<bcf:citekey order="30">brendan_gregg_bpf_book</bcf:citekey>
<bcf:citekey order="31">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="32">8664_inst_set_specs</bcf:citekey>
<bcf:citekey order="33">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="34">ebpf_starovo_slides</bcf:citekey>
<bcf:citekey order="35">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="36">ebpf_starovo_slides</bcf:citekey>
</bcf:section>
<!-- SORTING TEMPLATES -->
<bcf:sortingtemplate name="none">


@@ -1,35 +1,38 @@
[0] Config.pm:311> INFO - This is Biber 2.16
[0] Config.pm:314> INFO - Logfile is 'document.blg'
[60] biber:340> INFO - === Mon May 23, 2022, 08:11:22
[76] Biber.pm:415> INFO - Reading 'document.bcf'
[146] Biber.pm:952> INFO - Found 20 citekeys in bib section 0
[161] Biber.pm:4340> INFO - Processing section 0
[172] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[174] bibtex.pm:1689> INFO - LaTeX decoding ...
[184] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[243] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 9, warning: 1 characters of junk seen at toplevel
[243] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 15, warning: 1 characters of junk seen at toplevel
[243] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 22, warning: 1 characters of junk seen at toplevel
[243] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 28, warning: 1 characters of junk seen at toplevel
[243] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 35, warning: 1 characters of junk seen at toplevel
[243] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 42, warning: 1 characters of junk seen at toplevel
[243] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 50, warning: 1 characters of junk seen at toplevel
[243] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 58, warning: 1 characters of junk seen at toplevel
[243] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 65, warning: 1 characters of junk seen at toplevel
[244] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 70, warning: 1 characters of junk seen at toplevel
[244] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 77, warning: 1 characters of junk seen at toplevel
[244] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 85, warning: 1 characters of junk seen at toplevel
[244] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 94, warning: 1 characters of junk seen at toplevel
[244] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 103, warning: 1 characters of junk seen at toplevel
[244] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 112, warning: 1 characters of junk seen at toplevel
[244] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 121, warning: 1 characters of junk seen at toplevel
[244] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 127, warning: 1 characters of junk seen at toplevel
[244] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 132, warning: 1 characters of junk seen at toplevel
[244] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 143, warning: 1 characters of junk seen at toplevel
[262] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[262] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[262] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[262] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[279] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[284] bbl.pm:757> INFO - Output to document.bbl
[285] Biber.pm:128> INFO - WARNINGS: 19
[59] biber:340> INFO - === Tue May 24, 2022, 20:47:37
[72] Biber.pm:415> INFO - Reading 'document.bcf'
[141] Biber.pm:952> INFO - Found 25 citekeys in bib section 0
[156] Biber.pm:4340> INFO - Processing section 0
[164] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[166] bibtex.pm:1689> INFO - LaTeX decoding ...
[177] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 9, warning: 1 characters of junk seen at toplevel
[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 15, warning: 1 characters of junk seen at toplevel
[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 22, warning: 1 characters of junk seen at toplevel
[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 28, warning: 1 characters of junk seen at toplevel
[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 35, warning: 1 characters of junk seen at toplevel
[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 42, warning: 1 characters of junk seen at toplevel
[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 50, warning: 1 characters of junk seen at toplevel
[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 58, warning: 1 characters of junk seen at toplevel
[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 65, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 70, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 77, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 85, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 94, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 103, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 112, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 121, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 127, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 132, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 143, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 148, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 154, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 160, warning: 1 characters of junk seen at toplevel
[284] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[284] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[284] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[284] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[300] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[306] bbl.pm:757> INFO - Output to document.bbl
[307] Biber.pm:128> INFO - WARNINGS: 22


@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 23 MAY 2022 08:11
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 24 MAY 2022 20:52
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.
@@ -1210,7 +1210,7 @@ Overfull \hbox (0.50073pt too wide) in paragraph at lines 355--356
[3] [4]
Chapter 2.
<images//classic_bpf.jpg, id=263, 588.1975pt x 432.61626pt>
<images//classic_bpf.jpg, id=278, 588.1975pt x 432.61626pt>
File: images//classic_bpf.jpg Graphic file (type jpg)
<use images//classic_bpf.jpg>
Package pdftex.def Info: images//classic_bpf.jpg used on input line 423.
@@ -1218,76 +1218,80 @@ Package pdftex.def Info: images//classic_bpf.jpg used on input line 423.
[5
<./images//classic_bpf.jpg>]
<images//cbpf_prog.jpg, id=275, 403.5075pt x 451.6875pt>
<images//cbpf_prog.jpg, id=290, 403.5075pt x 451.6875pt>
File: images//cbpf_prog.jpg Graphic file (type jpg)
<use images//cbpf_prog.jpg>
Package pdftex.def Info: images//cbpf_prog.jpg used on input line 450.
(pdftex.def) Requested size: 227.62204pt x 254.80415pt.
[6] [7 <./images/cBPF_prog.jpg>]
<images//bpf_instructions.png, id=292, 380.92313pt x 475.27562pt>
<images//bpf_instructions.png, id=307, 380.92313pt x 475.27562pt>
File: images//bpf_instructions.png Graphic file (type png)
<use images//bpf_instructions.png>
Package pdftex.def Info: images//bpf_instructions.png used on input line 490.
(pdftex.def) Requested size: 227.62204pt x 283.99998pt.
[8 <./images//bpf_instructions.png>]
<images//bpf_address_mode.png, id=301, 417.05812pt x 313.67188pt>
<images//bpf_address_mode.png, id=316, 417.05812pt x 313.67188pt>
File: images//bpf_address_mode.png Graphic file (type png)
<use images//bpf_address_mode.png>
Package pdftex.def Info: images//bpf_address_mode.png used on input line 506.
(pdftex.def) Requested size: 227.62204pt x 171.19905pt.
LaTeX Font Info: Font shape `T1/txr/b/it' in size <12> not available
(Font) Font shape `T1/txr/bx/it' tried instead on input line 514.
<images//tcpdump_example.png, id=308, 534.99875pt x 454.69875pt>
<images//tcpdump_example.png, id=323, 534.99875pt x 454.69875pt>
File: images//tcpdump_example.png Graphic file (type png)
<use images//tcpdump_example.png>
Package pdftex.def Info: images//tcpdump_example.png used on input line 521.
(pdftex.def) Requested size: 284.52756pt x 241.82869pt.
[9 <./images//bpf_address_mode.png>]
<images//cBPF_prog_ex_sol.png, id=318, 242.9075pt x 321.2pt>
<images//cBPF_prog_ex_sol.png, id=333, 242.9075pt x 321.2pt>
File: images//cBPF_prog_ex_sol.png Graphic file (type png)
<use images//cBPF_prog_ex_sol.png>
Package pdftex.def Info: images//cBPF_prog_ex_sol.png used on input line 532.
(pdftex.def) Requested size: 170.71652pt x 225.74026pt.
[10 <./images//tcpdump_example.png> <./images//cBPF_prog_ex_sol.png>] [11]
Chapter 3.
[12
[10 <./images//tcpdump_example.png> <./images//cBPF_prog_ex_sol.png>]
Overfull \hbox (3.10062pt too wide) in paragraph at lines 586--603
[][]
[]
]
Chapter 4.
[11] [12]
Chapter 3.
[13
]
Chapter 5.
Chapter 4.
[14
]
LaTeX Font Info: Trying to load font information for T1+txtt on input line 5
73.
Chapter 5.
[15
]
LaTeX Font Info: Trying to load font information for T1+txtt on input line 6
45.
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txtt.fd
File: t1txtt.fd 2000/12/15 v3.1
)
Overfull \hbox (5.34976pt too wide) in paragraph at lines 574--574
Overfull \hbox (5.34976pt too wide) in paragraph at lines 646--646
\T1/txtt/m/n/12 threat -[] intelligence / cyber -[] year -[] in -[] retrospect
/ yir -[] cyber -[] threats -[]
[]
[15
[16
]
! Misplaced alignment tab character &.
<inserted text> Tcpdump &
libpcap
l.574
I can't figure out why you would want to use a tab mark
here. If you just want an ampersand, the remedy is
simple: Just type `I\&' now. But if some right brace
up above has ended a previous alignment prematurely,
you're probably due for more error messages, and you
might try typing `S' now just to see what is salvageable.
Overfull \hbox (6.22696pt too wide) in paragraph at lines 646--646
[]\T1/txr/m/it/12 Bpf fea-tures by linux ker-nel ver-sion\T1/txr/m/n/12 , io-vi
-sor. [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / github .
[]
[16] [1
Overfull \hbox (21.24973pt too wide) in paragraph at lines 646--646
\T1/txtt/m/n/12 vger . kernel . org / netconf2015Starovoitov -[] bpf _ collabsu
mmit _ 2015feb20 .
[]
[17] [1
]
@@ -1298,37 +1302,47 @@ pdfTeX warning (ext4): destination with the same identifier (name{page.}) has b
een already used, duplicate ignored
<to be read again>
\relax
l.590 \end{document}
l.662 \end{document}
[2
] (./document.aux)
Package rerunfilecheck Info: File `document.out' has not changed.
(rerunfilecheck) Checksum: E11F11882B461E0C78448E51C0034A6A;1467.
LaTeX Warning: Label(s) may have changed. Rerun to get cross-references right.
Package rerunfilecheck Warning: File `document.out' has changed.
(rerunfilecheck) Rerun to get outlines right
(rerunfilecheck) or use package `bookmark'.
Package rerunfilecheck Info: Checksums for `document.out':
(rerunfilecheck) Before: 260AE7FF5C653A434FB11872FD491CEC;1464
(rerunfilecheck) After: 78EEF05F3FA16DD01514ABFEEF3266FA;1536.
Package logreq Info: Writing requests to 'document.run.xml'.
\openout1 = `document.run.xml'.
)
Here is how much of TeX's memory you used:
27301 strings out of 481209
433947 string characters out of 5914747
1169742 words of memory out of 5000000
43735 multiletter control sequences out of 15000+600000
456264 words of font info for 101 fonts, out of 8000000 for 9000
27329 strings out of 481209
434770 string characters out of 5914747
1172582 words of memory out of 5000000
43751 multiletter control sequences out of 15000+600000
456974 words of font info for 103 fonts, out of 8000000 for 9000
36 hyphenation exceptions out of 8191
88i,11n,90p,1029b,3093s stack positions out of 5000i,500n,10000p,200000b,80000s
{/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc}</usr/share/texliv
e/texmf-dist/fonts/type1/public/txfonts/rtcxr.pfb></usr/share/texlive/texmf-dis
t/fonts/type1/public/txfonts/rtxr.pfb></usr/share/texlive/texmf-dist/fonts/type
1/public/txfonts/t1xtt.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/helve
tic/uhvb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/helvetic/uhvr8a.p
fb></usr/share/texlive/texmf-dist/fonts/type1/urw/helvetic/uhvr8a.pfb></usr/sha
re/texlive/texmf-dist/fonts/type1/urw/times/utmb8a.pfb></usr/share/texlive/texm
f-dist/fonts/type1/urw/times/utmbi8a.pfb></usr/share/texlive/texmf-dist/fonts/t
ype1/urw/times/utmr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/
utmri8a.pfb>
Output written on document.pdf (32 pages, 473613 bytes).
e/texmf-dist/fonts/type1/public/txfonts/rtcxi.pfb></usr/share/texlive/texmf-dis
t/fonts/type1/public/txfonts/rtcxr.pfb></usr/share/texlive/texmf-dist/fonts/typ
e1/public/txfonts/rtxi.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/tx
fonts/rtxr.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/t1xtt.
pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/helvetic/uhvb8a.pfb></usr/sh
are/texlive/texmf-dist/fonts/type1/urw/helvetic/uhvr8a.pfb></usr/share/texlive/
texmf-dist/fonts/type1/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/f
onts/type1/urw/times/utmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/
times/utmbi8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.p
fb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on document.pdf (33 pages, 495134 bytes).
PDF statistics:
466 PDF objects out of 1000 (max. 8388607)
83 named destinations out of 1000 (max. 500000)
523 PDF objects out of 1000 (max. 8388607)
93 named destinations out of 1000 (max. 500000)
213 words of extra memory for PDF output out of 10000 (max. 10000000)


@@ -7,6 +7,12 @@
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.1}{\ignorespaces Table showing BPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{7}{table.caption.9}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.2}{\ignorespaces Table showing relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }}{11}{table.caption.14}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.3}{\ignorespaces Table showing eBPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{11}{table.caption.15}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.4}{\ignorespaces Table showing eBPF registers and their purpose in the BPF VM.\cite {ebpf_inst_set}\cite {ebpf_starovo_slides}.\relax }}{12}{table.caption.16}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }


@@ -13,8 +13,9 @@
\BOOKMARK [2][-]{subsection.2.1.4}{BPF\040bytecode\040instruction\040format}{section.2.1}% 13
\BOOKMARK [2][-]{subsection.2.1.5}{An\040example\040of\040BPF\040filter\040-\040tcpdump}{section.2.1}% 14
\BOOKMARK [1][-]{section.2.2}{Analysis\040of\040modern\040eBPF}{chapter.2}% 15
\BOOKMARK [2][-]{subsection.2.2.1}{New\040eBPF\040infrastructure}{section.2.2}% 16
\BOOKMARK [0][-]{chapter.3}{Methods??}{}% 17
\BOOKMARK [0][-]{chapter.4}{Results}{}% 18
\BOOKMARK [0][-]{chapter.5}{Conclusion\040and\040future\040work}{}% 19
\BOOKMARK [0][-]{chapter.5}{Bibliography}{}% 20
\BOOKMARK [2][-]{subsection.2.2.1}{Architecture\040of\040eBPF}{section.2.2}% 16
\BOOKMARK [2][-]{subsection.2.2.2}{JIT\040compilation}{section.2.2}% 17
\BOOKMARK [0][-]{chapter.3}{Methods??}{}% 18
\BOOKMARK [0][-]{chapter.4}{Results}{}% 19
\BOOKMARK [0][-]{chapter.5}{Conclusion\040and\040future\040work}{}% 20
\BOOKMARK [0][-]{chapter.5}{Bibliography}{}% 21

Binary file not shown.

Binary file not shown.


@@ -535,8 +535,77 @@ In the example, using the \textit{jf} and \textit{jt} fields, we can label the n
\end{figure}
\section{Analysis of modern eBPF}
\subsection{New eBPF infrastructure}
Since the addition of classic BPF in the Linux kernel, multiple improvements were added. On
\subsection{Architecture of eBPF}
The addition of classic BPF in the Linux kernel set the foundations of eBPF, but nowadays it has already extended its presence to many other components other than traffic filtering. Table \ref{table:ebpf_history} shows the main updates that were incorporated and shaped modern eBPF of today.
\begin{table}[H]
\begin{tabular}{|c|c|c|}
\hline
Description & Kernel version & Year\\
\hline
\hline
\textit{BPF}: First addition in the kernel & 2.1.75 & 1997\\
\textit{BPF+}: New JIT assembler & 3.0 & 2011\\
\textit{eBPF}: Added eBPF support & 3.15 & 2014\\
\textit New bpf() syscall & 3.18 & 2014\\
\textit eBPF for sockets & 3.19 & 2015\\
\textit Introduction of eBPF maps & 3.19 & 2015\\
\textit eBPF attached to kprobes & 4.1 & 2015\\
\textit Introduction of Traffic Control & 4.5 & 2016\\
\textit eBPF attached to tracepoints & 4.7 & 2016\\
\textit Introduction of XDP & 4.8 & 2016\\
\hline
\end{tabular}
\caption{Table showing relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite{ebpf_funcs_by_ver}.}
\label{table:ebpf_history}
\end{table}
As it can be observed in the table above, the main breakthrough happened in the 3.15 version, where Alexei Starovoitov, along with Daniel Borkmann, decided to expand the capabilities of BPF by remodelling the BPF instruction set and overall architecture\cite{brendan_gregg_bpf_book}.
\begin{table}[H]
\begin{tabular}{|c|c|c|c|c|c|}
\hline
& IMM & OFF & SRC & DST & OPCODE \\
\hline
BITS & 32 & 16 & 4 & 4 & 8\\
\hline
\end{tabular}
\caption{Table showing eBPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.}
\label{table:ebpf_inst_format}
\end{table}
Table \ref{table:ebpf_inst_format} shows the new instruction format for eBPF programs\cite{ebpf_inst_set}. The new fields are similar to x86\_64 assembly, incorporating the typically found immediate and offset fields, and source and destination registers\cite{8664_inst_set_specs}.
%Should I talk about assembly or this more in detail?
With respect to the BPF VM registers, they get extended from 32 to 64 bits of length, and the number of registers is incremented to 10, instead of the original accumulator and index registers. These registers are also adapted to be similar to those in assembly, as it is shown in table \ref{table:ebpf_regs}.
\begin{table}[H]
\begin{tabular}{|c|c|m{21em}|}
\hline
eBPF register & x86\_64 register & Purpose\\
\hline
r0 & rax & Return value from functions and exit value of eBPF programs\\
r1 & rdi & Function call argument 1\\
r2 & rsi & Function call argument 2\\
r3 & rdx & Function call argument 3\\
r4 & rcx & Function call argument 4\\
r5 & r8 & Function call argument 5\\
r6 & rbx & Callee saved register, value preserved between calls\\
r7 & r13 & Callee saved register, value preserved between calls\\
r8 & r14 & Callee saved register, value preserved between calls\\
r9 & r15 & Callee saved register, value preserved between calls\\
r10 & rbp & Frame pointer for stack, read only\\
\hline
\end{tabular}
\caption{Table showing eBPF registers and their purpose in the BPF VM.\cite{ebpf_inst_set}\cite{ebpf_starovo_slides}.}
\label{table:ebpf_regs}
\end{table}
\subsection{JIT compilation}
The p
@@ -549,6 +618,9 @@ Since the addition of classic BPF in the Linux kernel, multiple improvements wer
%TODO Talk about the difference between having always on BPF and always on kernel modules
\chapter{Methods??}
%M-> Following the particular TFG we discussed and also others, it looks like the main chapter(s) varies name depending on the TFG topic. Also is there a prefered way to distribute this?
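Review bot: In the eBPF history table, the rows from `\textit New bpf() syscall` through `\textit Introduction of XDP` call `\textit` without a braced argument, so it takes only the next token and italicises just the first letter of each description. Either brace the term as the first three rows do, e.g. `\textit{eBPF} for sockets & 3.19 & 2015\\`, or drop the command where nothing is meant to be emphasised, e.g. `New bpf() syscall & 3.18 & 2014\\`. Separately, the paragraph before the register table says the number of registers is incremented to 10, while the table lists r0 through r10; wording such as `ten general-purpose registers (r0--r9) plus a read-only frame pointer (r10)` would agree with the table and with the cited instruction-set document. The caption of that table also ends in `VM.\cite{ebpf_inst_set}\cite{ebpf_starovo_slides}.`, which prints two full stops around the citations.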


@@ -31,13 +31,15 @@
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {2.2}Analysis of modern eBPF}{11}{section.2.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.2.1}New eBPF infrastructure}{11}{subsection.2.2.1}%
\contentsline {subsection}{\numberline {2.2.1}Architecture of eBPF}{11}{subsection.2.2.1}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {3}Methods??}{12}{chapter.3}%
\contentsline {subsection}{\numberline {2.2.2}JIT compilation}{12}{subsection.2.2.2}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {4}Results}{13}{chapter.4}%
\contentsline {chapter}{\numberline {3}Methods??}{13}{chapter.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Conclusion and future work}{14}{chapter.5}%
\contentsline {chapter}{\numberline {4}Results}{14}{chapter.4}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{15}{chapter.5}%
\contentsline {chapter}{\numberline {5}Conclusion and future work}{15}{chapter.5}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{16}{chapter.5}%
\contentsfinish


@@ -73,15 +73,15 @@
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/">
<xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool>
<xmp:ModifyDate>2022-05-23T08:11:24-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-05-23T08:11:24-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-05-23T08:11:24-04:00</xmp:MetadataDate>
<xmp:ModifyDate>2022-05-24T20:52:21-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-05-24T20:52:21-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-05-24T20:52:21-04:00</xmp:MetadataDate>
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/">
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/">
<xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID>
<xmpMM:InstanceID>uuid:90D3789F-A773-CB9C-625E-C127C19C8414</xmpMM:InstanceID>
<xmpMM:InstanceID>uuid:7FB75CFF-80A8-7F24-B8F1-755FFABF2F4A</xmpMM:InstanceID>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>