Continued with eBPF program types

h3xduck
2022-05-26 21:47:28 -04:00
parent 47be741f04
commit 74e8163791
16 changed files with 576 additions and 190 deletions


@@ -271,6 +271,45 @@
@manual{ebpf_helpers,
title={bpf-helpers(7)- Linux manual page},
url={https://man7.org/linux/man-pages/man7/bpf-helpers.7.html}
},
@online{xdp_gentle_intro,
title={A Gentle Introduction to XDP},
date={2022-02-03},
url={https://www.seekret.io/blog/a-gentle-introduction-to-xdp/},
author={Daniel Lavie}
},
@manual{xdp_manual,
title={XDP actions},
url={https://prototype-kernel.readthedocs.io/en/latest/networking/XDP/implementation/xdp_actions.html}
},
@online{tc_differences,
title={tc/BPF and XDP/BPF},
url={https://liuhangbin.netlify.app/post/ebpf-and-xdp/},
date={2019-03-13},
author={Hangbin}
},
@online{tc_direct_action,
title={Understanding tc “direct action” mode for BPF},
url={https://qmonnet.github.io/whirl-offload/2020/04/11/tc-bpf-direct-action/},
date={2020-04-11},
author={Quentin Monnet}
},
@online{tc_docs_complete,
title={Traffic Control HOWTO},
url={http://linux-ip.net/articles/Traffic-Control-HOWTO/},
author={Martin A. Brown},
date={2006-10-01}
},
@online{tc_ret_list_complete,
title={Linux kernel source tree},
url={https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/pkt_cls.h},
indextitle={index : kernel/git/torvalds/linux.git}
}
@@ -281,3 +320,4 @@
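Review bot: The entries in the hunk at `@@ -271,6 +271,45 @@` (`xdp_gentle_intro`, `xdp_manual`, `tc_differences`, `tc_direct_action`, `tc_docs_complete`) each close with `},`, and that comma sits outside any entry. It appears to be what the Biber log in this same commit reports as "1 characters of junk seen at toplevel", so each entry should end with a bare `}`, as `tc_ret_list_complete` already does. `tc_ret_list_complete` cites `pkt_cls.h` at the moving head of the kernel tree, so the list of TC return values behind the citation can change after the thesis is written; add `urldate={YYYY-MM-DD}` (placeholder for the access date) or link a tagged revision. `tc_docs_complete` uses a plain `http://` URL; prefer the `https://` form if the site serves it.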


@@ -181,6 +181,7 @@
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.5}The eBPF ring buffer}{16}{subsection.2.2.5}\protected@file@percent }
\newlabel{subsection:bpf_ring_buf}{{2.2.5}{16}{The eBPF ring buffer}{subsection.2.2.5}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.6}The bpf() syscall}{16}{subsection.2.2.6}\protected@file@percent }
\newlabel{subsection:bpf_syscall}{{2.2.6}{16}{The bpf() syscall}{subsection.2.2.6}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.7}{\ignorespaces Table showing types of syscall actions. Only those relevant to our research are shown the full list and attribute details can be consulted in the man page \cite {bpf_syscall}\relax }}{16}{table.caption.20}\protected@file@percent }
\newlabel{table:ebpf_syscall}{{2.7}{16}{Table showing types of syscall actions. Only those relevant to our research are shown the full list and attribute details can be consulted in the man page \cite {bpf_syscall}\relax }{table.caption.20}{}}
\abx@aux@cite{ebpf_helpers}
@@ -192,20 +193,47 @@
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.8}{\ignorespaces Table showing types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite {bpf_syscall}.\relax }}{17}{table.caption.21}\protected@file@percent }
\newlabel{table:ebpf_prog_types}{{2.8}{17}{Table showing types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite {bpf_syscall}.\relax }{table.caption.21}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.7}eBPF helpers}{17}{subsection.2.2.7}\protected@file@percent }
\abx@aux@cite{xdp_gentle_intro}
\abx@aux@segm{0}{0}{xdp_gentle_intro}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.9}{\ignorespaces Table showing common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite {ebpf_helpers}.\relax }}{18}{table.caption.22}\protected@file@percent }
\newlabel{table:ebpf_helpers}{{2.9}{18}{Table showing common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite {ebpf_helpers}.\relax }{table.caption.22}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Methods??}{19}{chapter.3}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.3}eBPF program types}{18}{section.2.3}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.1}XDP}{18}{subsection.2.3.1}\protected@file@percent }
\abx@aux@cite{xdp_manual}
\abx@aux@segm{0}{0}{xdp_manual}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.8}{\ignorespaces Figure showing how the eBPF XDP and TC modules are integrated in the network processing in the Linux kernel.\relax }}{19}{figure.caption.23}\protected@file@percent }
\newlabel{fig:xdp_diag}{{2.8}{19}{Figure showing how the eBPF XDP and TC modules are integrated in the network processing in the Linux kernel.\relax }{figure.caption.23}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.10}{\ignorespaces Table showing XDP relevant return values.\relax }}{19}{table.caption.24}\protected@file@percent }
\newlabel{table:xdp_actions_av}{{2.10}{19}{Table showing XDP relevant return values.\relax }{table.caption.24}{}}
\abx@aux@cite{tc_differences}
\abx@aux@segm{0}{0}{tc_differences}
\abx@aux@cite{tc_docs_complete}
\abx@aux@segm{0}{0}{tc_docs_complete}
\abx@aux@cite{tc_direct_action}
\abx@aux@segm{0}{0}{tc_direct_action}
\abx@aux@cite{tc_ret_list_complete}
\abx@aux@segm{0}{0}{tc_ret_list_complete}
\abx@aux@cite{tc_ret_list_complete}
\abx@aux@segm{0}{0}{tc_ret_list_complete}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.11}{\ignorespaces Table showing relevant XDP-exclusive eBPF helpers.\relax }}{20}{table.caption.25}\protected@file@percent }
\newlabel{table:xdp_helpers}{{2.11}{20}{Table showing relevant XDP-exclusive eBPF helpers.\relax }{table.caption.25}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.2}Traffic Control}{20}{subsection.2.3.2}\protected@file@percent }
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.12}{\ignorespaces Table showing TC relevant return values. Full list can be consulted at \cite {tc_ret_list_complete}.\relax }}{21}{table.caption.26}\protected@file@percent }
\newlabel{table:tc_actions}{{2.12}{21}{Table showing TC relevant return values. Full list can be consulted at \cite {tc_ret_list_complete}.\relax }{table.caption.26}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.13}{\ignorespaces Table showing relevant TC-exclusive eBPF helpers.\relax }}{21}{table.caption.27}\protected@file@percent }
\newlabel{table:tc_helpers}{{2.13}{21}{Table showing relevant TC-exclusive eBPF helpers.\relax }{table.caption.27}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.4}Developing eBPF programs}{21}{section.2.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Methods??}{22}{chapter.3}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{20}{chapter.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{23}{chapter.4}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{21}{chapter.5}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{24}{chapter.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{22}{chapter.5}\protected@file@percent }
\abx@aux@read@bbl@mdfivesum{B0FAA8A56537935B1DC703B06B60D6C1}
\abx@aux@read@bblrerun
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{25}{chapter.5}\protected@file@percent }
\abx@aux@read@bbl@mdfivesum{D22502BFD1AA9A775C1BCD405EB9F4D6}
\abx@aux@refcontextdefaultsdone
\abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global}
@@ -244,5 +272,12 @@
\abx@aux@defaultrefcontext{0}{ebpf_bounded_loops}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_maps_kernel}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{bpf_syscall}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_helpers}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{xdp_gentle_intro}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{xdp_manual}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{tc_differences}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{tc_docs_complete}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{tc_direct_action}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{tc_ret_list_complete}{none/global//global/global}
\ttl@finishall
\gdef \@abspage@last{40}
\gdef \@abspage@last{45}


@@ -180,8 +180,8 @@
\strng{authorbibnamehash}{53d4d4da0d1a82f58d57d86ba9635f2c}
\strng{authornamehash}{53d4d4da0d1a82f58d57d86ba9635f2c}
\strng{authorfullhash}{53d4d4da0d1a82f58d57d86ba9635f2c}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{sortinit}{2}
\field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
\field{labelnamesource}{author}
\field{eventtitle}{Bad BPF - Warping reality using eBPF}
\verb{urlraw}
@@ -438,8 +438,8 @@
\strng{authornamehash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{authorfullhash}{b74c2671072cf5a1a1400dc035240dfd}
\field{extraname}{5}
\field{sortinit}{2}
\field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
\field{sortinit}{3}
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{19}
@@ -546,8 +546,8 @@
\strng{authorbibnamehash}{ff97a9fdede09eaf6e1c8ec9f6a61dd5}
\strng{authornamehash}{ff97a9fdede09eaf6e1c8ec9f6a61dd5}
\strng{authorfullhash}{ff97a9fdede09eaf6e1c8ec9f6a61dd5}
\field{sortinit}{3}
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
\field{sortinit}{4}
\field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{title}{Intel® 64 and IA-32 Architectures Software Developers Manual Combined Volumes: 1, 2A, 2B, 2C, 2D, 3A, 3B, 3C, 3D, and 4}
@@ -702,8 +702,8 @@
\list{institution}{1}{%
{PLUMgrid}%
}
\field{sortinit}{4}
\field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4}
\field{sortinit}{5}
\field{sortinithash}{5dd416adbafacc8226114bc0202d5fdd}
\field{labeltitlesource}{title}
\field{day}{20}
\field{month}{2}
@@ -845,6 +845,161 @@
\verb https://man7.org/linux/man-pages/man2/bpf.2.html
\endverb
\endentry
\entry{ebpf_helpers}{manual}{}
\field{sortinit}{6}
\field{sortinithash}{7851c86048328b027313775d8fbd2131}
\field{labeltitlesource}{title}
\field{title}{bpf-helpers(7)- Linux manual page}
\verb{urlraw}
\verb https://man7.org/linux/man-pages/man7/bpf-helpers.7.html
\endverb
\verb{url}
\verb https://man7.org/linux/man-pages/man7/bpf-helpers.7.html
\endverb
\endentry
\entry{xdp_gentle_intro}{online}{}
\name{author}{1}{}{%
{{hash=78dcb92591468323e355b4f87108649d}{%
family={Lavie},
familyi={L\bibinitperiod},
given={Daniel},
giveni={D\bibinitperiod}}}%
}
\strng{namehash}{78dcb92591468323e355b4f87108649d}
\strng{fullhash}{78dcb92591468323e355b4f87108649d}
\strng{bibnamehash}{78dcb92591468323e355b4f87108649d}
\strng{authorbibnamehash}{78dcb92591468323e355b4f87108649d}
\strng{authornamehash}{78dcb92591468323e355b4f87108649d}
\strng{authorfullhash}{78dcb92591468323e355b4f87108649d}
\field{sortinit}{6}
\field{sortinithash}{7851c86048328b027313775d8fbd2131}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{3}
\field{month}{2}
\field{title}{A Gentle Introduction to XDP}
\field{year}{2022}
\field{dateera}{ce}
\verb{urlraw}
\verb https://www.seekret.io/blog/a-gentle-introduction-to-xdp/
\endverb
\verb{url}
\verb https://www.seekret.io/blog/a-gentle-introduction-to-xdp/
\endverb
\endentry
\entry{xdp_manual}{manual}{}
\field{sortinit}{6}
\field{sortinithash}{7851c86048328b027313775d8fbd2131}
\field{labeltitlesource}{title}
\field{title}{XDP actions}
\verb{urlraw}
\verb https://prototype-kernel.readthedocs.io/en/latest/networking/XDP/implementation/xdp_actions.html
\endverb
\verb{url}
\verb https://prototype-kernel.readthedocs.io/en/latest/networking/XDP/implementation/xdp_actions.html
\endverb
\endentry
\entry{tc_differences}{online}{}
\name{author}{1}{}{%
{{hash=5442e761747b6fce78f695385639556e}{%
family={Hangbin},
familyi={H\bibinitperiod}}}%
}
\strng{namehash}{5442e761747b6fce78f695385639556e}
\strng{fullhash}{5442e761747b6fce78f695385639556e}
\strng{bibnamehash}{5442e761747b6fce78f695385639556e}
\strng{authorbibnamehash}{5442e761747b6fce78f695385639556e}
\strng{authornamehash}{5442e761747b6fce78f695385639556e}
\strng{authorfullhash}{5442e761747b6fce78f695385639556e}
\field{sortinit}{6}
\field{sortinithash}{7851c86048328b027313775d8fbd2131}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{13}
\field{month}{3}
\field{title}{tc/BPF and XDP/BPF}
\field{year}{2019}
\field{dateera}{ce}
\verb{urlraw}
\verb https://liuhangbin.netlify.app/post/ebpf-and-xdp/
\endverb
\verb{url}
\verb https://liuhangbin.netlify.app/post/ebpf-and-xdp/
\endverb
\endentry
\entry{tc_docs_complete}{online}{}
\name{author}{1}{}{%
{{hash=6f963077bb5e5f5e471047d2f4a2e4e7}{%
family={Brown},
familyi={B\bibinitperiod},
given={Martin\bibnamedelima A.},
giveni={M\bibinitperiod\bibinitdelim A\bibinitperiod}}}%
}
\strng{namehash}{6f963077bb5e5f5e471047d2f4a2e4e7}
\strng{fullhash}{6f963077bb5e5f5e471047d2f4a2e4e7}
\strng{bibnamehash}{6f963077bb5e5f5e471047d2f4a2e4e7}
\strng{authorbibnamehash}{6f963077bb5e5f5e471047d2f4a2e4e7}
\strng{authornamehash}{6f963077bb5e5f5e471047d2f4a2e4e7}
\strng{authorfullhash}{6f963077bb5e5f5e471047d2f4a2e4e7}
\field{sortinit}{6}
\field{sortinithash}{7851c86048328b027313775d8fbd2131}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{1}
\field{month}{10}
\field{title}{Traffic Control HOWTO}
\field{year}{2006}
\field{dateera}{ce}
\verb{urlraw}
\verb http://linux-ip.net/articles/Traffic-Control-HOWTO/
\endverb
\verb{url}
\verb http://linux-ip.net/articles/Traffic-Control-HOWTO/
\endverb
\endentry
\entry{tc_direct_action}{online}{}
\name{author}{1}{}{%
{{hash=d3c24514dc6326a55dee93eaf9976d63}{%
family={Monnet},
familyi={M\bibinitperiod},
given={Quentin},
giveni={Q\bibinitperiod}}}%
}
\strng{namehash}{d3c24514dc6326a55dee93eaf9976d63}
\strng{fullhash}{d3c24514dc6326a55dee93eaf9976d63}
\strng{bibnamehash}{d3c24514dc6326a55dee93eaf9976d63}
\strng{authorbibnamehash}{d3c24514dc6326a55dee93eaf9976d63}
\strng{authornamehash}{d3c24514dc6326a55dee93eaf9976d63}
\strng{authorfullhash}{d3c24514dc6326a55dee93eaf9976d63}
\field{sortinit}{7}
\field{sortinithash}{f615fb9c6fba11c6f962fb3fd599810e}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{11}
\field{month}{4}
\field{title}{Understanding tc “direct action” mode for BPF}
\field{year}{2020}
\field{dateera}{ce}
\verb{urlraw}
\verb https://qmonnet.github.io/whirl-offload/2020/04/11/tc-bpf-direct-action/
\endverb
\verb{url}
\verb https://qmonnet.github.io/whirl-offload/2020/04/11/tc-bpf-direct-action/
\endverb
\endentry
\entry{tc_ret_list_complete}{online}{}
\field{sortinit}{7}
\field{sortinithash}{f615fb9c6fba11c6f962fb3fd599810e}
\field{labeltitlesource}{title}
\field{indextitle}{index : kernel/git/torvalds/linux.git}
\field{title}{Linux kernel source tree}
\verb{urlraw}
\verb https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/pkt_cls.h
\endverb
\verb{url}
\verb https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/pkt_cls.h
\endverb
\endentry
\enddatalist
\endrefsection
\endinput


@@ -2348,60 +2348,67 @@
<bcf:datasource type="file" datatype="bibtex" glob="false">bibliography/bibliography.bib</bcf:datasource>
</bcf:bibdata>
<bcf:section number="0">
<bcf:citekey order="12">ransomware_pwc</bcf:citekey>
<bcf:citekey order="13">rootkit_ptsecurity</bcf:citekey>
<bcf:citekey order="14">ebpf_linux318</bcf:citekey>
<bcf:citekey order="15">bvp47_report</bcf:citekey>
<bcf:citekey order="16">bpfdoor_pwc</bcf:citekey>
<bcf:citekey order="17">ebpf_windows</bcf:citekey>
<bcf:citekey order="18">ebpf_android</bcf:citekey>
<bcf:citekey order="19">evil_ebpf</bcf:citekey>
<bcf:citekey order="20">bad_ebpf</bcf:citekey>
<bcf:citekey order="21">ebpf_friends</bcf:citekey>
<bcf:citekey order="22">ebpf_io</bcf:citekey>
<bcf:citekey order="23">bpf_bsd_origin</bcf:citekey>
<bcf:citekey order="24">ebpf_history_opensource</bcf:citekey>
<bcf:citekey order="25">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="26">index_register</bcf:citekey>
<bcf:citekey order="27">bpf_bsd_origin_bpf_page5</bcf:citekey>
<bcf:citekey order="28">bpf_organicprogrammer_analysis</bcf:citekey>
<bcf:citekey order="29">bpf_bsd_origin_bpf_page7</bcf:citekey>
<bcf:citekey order="30">bpf_bsd_origin_bpf_page8</bcf:citekey>
<bcf:citekey order="13">ransomware_pwc</bcf:citekey>
<bcf:citekey order="14">rootkit_ptsecurity</bcf:citekey>
<bcf:citekey order="15">ebpf_linux318</bcf:citekey>
<bcf:citekey order="16">bvp47_report</bcf:citekey>
<bcf:citekey order="17">bpfdoor_pwc</bcf:citekey>
<bcf:citekey order="18">ebpf_windows</bcf:citekey>
<bcf:citekey order="19">ebpf_android</bcf:citekey>
<bcf:citekey order="20">evil_ebpf</bcf:citekey>
<bcf:citekey order="21">bad_ebpf</bcf:citekey>
<bcf:citekey order="22">ebpf_friends</bcf:citekey>
<bcf:citekey order="23">ebpf_io</bcf:citekey>
<bcf:citekey order="24">bpf_bsd_origin</bcf:citekey>
<bcf:citekey order="25">ebpf_history_opensource</bcf:citekey>
<bcf:citekey order="26">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="27">index_register</bcf:citekey>
<bcf:citekey order="28">bpf_bsd_origin_bpf_page5</bcf:citekey>
<bcf:citekey order="29">bpf_organicprogrammer_analysis</bcf:citekey>
<bcf:citekey order="30">bpf_bsd_origin_bpf_page7</bcf:citekey>
<bcf:citekey order="31">bpf_bsd_origin_bpf_page8</bcf:citekey>
<bcf:citekey order="32">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="33">tcpdump_page</bcf:citekey>
<bcf:citekey order="34">ebpf_funcs_by_ver</bcf:citekey>
<bcf:citekey order="32">bpf_bsd_origin_bpf_page8</bcf:citekey>
<bcf:citekey order="33">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="34">tcpdump_page</bcf:citekey>
<bcf:citekey order="35">ebpf_funcs_by_ver</bcf:citekey>
<bcf:citekey order="36">brendan_gregg_bpf_book</bcf:citekey>
<bcf:citekey order="36">ebpf_funcs_by_ver</bcf:citekey>
<bcf:citekey order="37">brendan_gregg_bpf_book</bcf:citekey>
<bcf:citekey order="38">ebpf_io_arch</bcf:citekey>
<bcf:citekey order="39">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="40">8664_inst_set_specs</bcf:citekey>
<bcf:citekey order="41">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="38">brendan_gregg_bpf_book</bcf:citekey>
<bcf:citekey order="39">ebpf_io_arch</bcf:citekey>
<bcf:citekey order="40">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="41">8664_inst_set_specs</bcf:citekey>
<bcf:citekey order="42">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="43">ebpf_starovo_slides</bcf:citekey>
<bcf:citekey order="44">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="45">ebpf_starovo_slides</bcf:citekey>
<bcf:citekey order="46">ebpf_JIT</bcf:citekey>
<bcf:citekey order="47">ebpf_JIT_demystify_page13</bcf:citekey>
<bcf:citekey order="48">ebpf_JIT_demystify_page14</bcf:citekey>
<bcf:citekey order="49">jit_enable_setting</bcf:citekey>
<bcf:citekey order="50">ebpf_starovo_slides_page23</bcf:citekey>
<bcf:citekey order="51">brendan_gregg_bpf_book_bpf_vm</bcf:citekey>
<bcf:citekey order="52">ebpf_verifier_kerneldocs</bcf:citekey>
<bcf:citekey order="53">ebpf_JIT_demystify_page17-22</bcf:citekey>
<bcf:citekey order="54">ebpf_bounded_loops</bcf:citekey>
<bcf:citekey order="55">ebpf_maps_kernel</bcf:citekey>
<bcf:citekey order="56">bpf_syscall</bcf:citekey>
<bcf:citekey order="43">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="44">ebpf_starovo_slides</bcf:citekey>
<bcf:citekey order="45">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="46">ebpf_starovo_slides</bcf:citekey>
<bcf:citekey order="47">ebpf_JIT</bcf:citekey>
<bcf:citekey order="48">ebpf_JIT_demystify_page13</bcf:citekey>
<bcf:citekey order="49">ebpf_JIT_demystify_page14</bcf:citekey>
<bcf:citekey order="50">jit_enable_setting</bcf:citekey>
<bcf:citekey order="51">ebpf_starovo_slides_page23</bcf:citekey>
<bcf:citekey order="52">brendan_gregg_bpf_book_bpf_vm</bcf:citekey>
<bcf:citekey order="53">ebpf_verifier_kerneldocs</bcf:citekey>
<bcf:citekey order="54">ebpf_JIT_demystify_page17-22</bcf:citekey>
<bcf:citekey order="55">ebpf_bounded_loops</bcf:citekey>
<bcf:citekey order="56">ebpf_maps_kernel</bcf:citekey>
<bcf:citekey order="57">bpf_syscall</bcf:citekey>
<bcf:citekey order="58">bpf_syscall</bcf:citekey>
<bcf:citekey order="59">bpf_syscall</bcf:citekey>
<bcf:citekey order="60">bpf_syscall</bcf:citekey>
<bcf:citekey order="61">bpf_syscall</bcf:citekey>
<bcf:citekey order="62">bpf_syscall</bcf:citekey>
<bcf:citekey order="63">ebpf_helpers</bcf:citekey>
<bcf:citekey order="63">bpf_syscall</bcf:citekey>
<bcf:citekey order="64">ebpf_helpers</bcf:citekey>
<bcf:citekey order="65">ebpf_helpers</bcf:citekey>
<bcf:citekey order="66">ebpf_helpers</bcf:citekey>
<bcf:citekey order="67">xdp_gentle_intro</bcf:citekey>
<bcf:citekey order="68">xdp_manual</bcf:citekey>
<bcf:citekey order="69">tc_differences</bcf:citekey>
<bcf:citekey order="70">tc_docs_complete</bcf:citekey>
<bcf:citekey order="71">tc_direct_action</bcf:citekey>
<bcf:citekey order="72">tc_ret_list_complete</bcf:citekey>
<bcf:citekey order="73">tc_ret_list_complete</bcf:citekey>
</bcf:section>
<!-- SORTING TEMPLATES -->
<bcf:sortingtemplate name="none">


@@ -1,55 +1,62 @@
[0] Config.pm:311> INFO - This is Biber 2.16
[0] Config.pm:314> INFO - Logfile is 'document.blg'
[58] biber:340> INFO - === Thu May 26, 2022, 14:35:25
[72] Biber.pm:415> INFO - Reading 'document.bcf'
[142] Biber.pm:952> INFO - Found 37 citekeys in bib section 0
[157] Biber.pm:4340> INFO - Processing section 0
[166] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[167] bibtex.pm:1689> INFO - LaTeX decoding ...
[183] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[278] Utils.pm:384> WARN - Entry 'ebpf_bounded_loops' (bibliography/bibliography.bib): Invalid format '2019-06-31' of date field 'date' - ignoring
[281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 9, warning: 1 characters of junk seen at toplevel
[281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 15, warning: 1 characters of junk seen at toplevel
[281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 22, warning: 1 characters of junk seen at toplevel
[281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 28, warning: 1 characters of junk seen at toplevel
[281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 35, warning: 1 characters of junk seen at toplevel
[281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 42, warning: 1 characters of junk seen at toplevel
[281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 50, warning: 1 characters of junk seen at toplevel
[281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 58, warning: 1 characters of junk seen at toplevel
[281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 65, warning: 1 characters of junk seen at toplevel
[281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 70, warning: 1 characters of junk seen at toplevel
[281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 77, warning: 1 characters of junk seen at toplevel
[281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 85, warning: 1 characters of junk seen at toplevel
[281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 94, warning: 1 characters of junk seen at toplevel
[281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 103, warning: 1 characters of junk seen at toplevel
[282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 112, warning: 1 characters of junk seen at toplevel
[282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 121, warning: 1 characters of junk seen at toplevel
[282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 127, warning: 1 characters of junk seen at toplevel
[282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 132, warning: 1 characters of junk seen at toplevel
[282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 137, warning: 1 characters of junk seen at toplevel
[282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 142, warning: 1 characters of junk seen at toplevel
[282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 153, warning: 1 characters of junk seen at toplevel
[282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 158, warning: 1 characters of junk seen at toplevel
[282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 164, warning: 1 characters of junk seen at toplevel
[282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 170, warning: 1 characters of junk seen at toplevel
[282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 175, warning: 1 characters of junk seen at toplevel
[282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 184, warning: 1 characters of junk seen at toplevel
[282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 191, warning: 1 characters of junk seen at toplevel
[282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 199, warning: 1 characters of junk seen at toplevel
[282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 206, warning: 1 characters of junk seen at toplevel
[282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 215, warning: 1 characters of junk seen at toplevel
[282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 224, warning: 1 characters of junk seen at toplevel
[282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 233, warning: 1 characters of junk seen at toplevel
[282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 239, warning: 1 characters of junk seen at toplevel
[282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 244, warning: 1 characters of junk seen at toplevel
[283] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 249, warning: 1 characters of junk seen at toplevel
[283] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 256, warning: 1 characters of junk seen at toplevel
[283] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 261, warning: 1 characters of junk seen at toplevel
[283] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 266, warning: 1 characters of junk seen at toplevel
[308] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[309] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[309] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[309] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[332] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[341] bbl.pm:757> INFO - Output to document.bbl
[341] Biber.pm:128> INFO - WARNINGS: 39
[60] biber:340> INFO - === Thu May 26, 2022, 21:27:57
[75] Biber.pm:415> INFO - Reading 'document.bcf'
[148] Biber.pm:952> INFO - Found 44 citekeys in bib section 0
[164] Biber.pm:4340> INFO - Processing section 0
[174] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[176] bibtex.pm:1689> INFO - LaTeX decoding ...
[194] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[292] Utils.pm:384> WARN - Entry 'ebpf_bounded_loops' (bibliography/bibliography.bib): Invalid format '2019-06-31' of date field 'date' - ignoring
[315] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 9, warning: 1 characters of junk seen at toplevel
[315] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 15, warning: 1 characters of junk seen at toplevel
[315] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 22, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 28, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 35, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 42, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 50, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 58, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 65, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 70, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 77, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 85, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 94, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 103, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 112, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 121, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 127, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 132, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 137, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 142, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 153, warning: 1 characters of junk seen at toplevel
[316] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 158, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 164, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 170, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 175, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 184, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 191, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 199, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 206, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 215, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 224, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 233, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 239, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 244, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 249, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 256, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 261, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 266, warning: 1 characters of junk seen at toplevel
[317] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 271, warning: 1 characters of junk seen at toplevel
[318] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 276, warning: 1 characters of junk seen at toplevel
[318] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 283, warning: 1 characters of junk seen at toplevel
[318] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 288, warning: 1 characters of junk seen at toplevel
[318] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 295, warning: 1 characters of junk seen at toplevel
[318] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 302, warning: 1 characters of junk seen at toplevel
[318] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_04am/f4d088b3f9f145b5c3058da33afd57d4_151633.utf8, line 309, warning: 1 characters of junk seen at toplevel
[348] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[349] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[349] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[349] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[375] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[385] bbl.pm:757> INFO - Output to document.bbl
[386] Biber.pm:128> INFO - WARNINGS: 46


@@ -19,6 +19,8 @@
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.7}{\ignorespaces Figure showing overall eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on\cite {brendan_gregg_bpf_book} and \cite {ebpf_io_arch}.\relax }}{12}{figure.caption.15}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.8}{\ignorespaces Figure showing how the eBPF XDP and TC modules are integrated in the network processing in the Linux kernel.\relax }}{19}{figure.caption.23}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }


@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 26 MAY 2022 15:20
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 26 MAY 2022 21:44
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.
@@ -1096,7 +1096,7 @@ File: t1txss.fd 2000/12/15 v3.1
)
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 11.39996pt on input line 186.
<images//Portada_Logo.png, id=109, 456.2865pt x 45.99pt>
<images//Portada_Logo.png, id=125, 456.2865pt x 45.99pt>
File: images//Portada_Logo.png Graphic file (type png)
<use images//Portada_Logo.png>
Package pdftex.def Info: images//Portada_Logo.png used on input line 190.
@@ -1109,7 +1109,7 @@ LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 23.63593pt on input line 201.
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 19.70294pt on input line 205.
<images/creativecommons.png, id=111, 338.76563pt x 118.19156pt>
<images/creativecommons.png, id=127, 338.76563pt x 118.19156pt>
File: images/creativecommons.png Graphic file (type png)
<use images/creativecommons.png>
Package pdftex.def Info: images/creativecommons.png used on input line 215.
@@ -1150,13 +1150,13 @@ s been already used, duplicate ignored
<to be read again>
\relax
l.279 \tableofcontents
[6] (./document.toc)
[6] (./document.toc [7
])
\tf@toc=\write6
\openout6 = `document.toc'.
[7
] [8] (./document.lof
[8] [9] (./document.lof
LaTeX Font Info: Trying to load font information for OT1+txr on input line 8
.
@@ -1190,16 +1190,16 @@ File: utxsyc.fd 2000/12/15 v3.1
\tf@lof=\write7
\openout7 = `document.lof'.
[9
[10
] [10]
] [11]
(./document.lot)
\tf@lot=\write8
\openout8 = `document.lot'.
[11
[12
] [12]
] [13]
Chapter 1.
LaTeX Font Info: Trying to load font information for TS1+txr on input line 3
30.
@@ -1220,7 +1220,7 @@ Chapter 2.
LaTeX Warning: Reference `section:analysis_offensive_capabilities' on page 5 un
defined on input line 412.
<images//classic_bpf.jpg, id=343, 588.1975pt x 432.61626pt>
<images//classic_bpf.jpg, id=387, 588.1975pt x 432.61626pt>
File: images//classic_bpf.jpg Graphic file (type jpg)
<use images//classic_bpf.jpg>
Package pdftex.def Info: images//classic_bpf.jpg used on input line 426.
@@ -1228,36 +1228,36 @@ Package pdftex.def Info: images//classic_bpf.jpg used on input line 426.
[5
] [6 <./images//classic_bpf.jpg>]
<images//cbpf_prog.jpg, id=362, 403.5075pt x 451.6875pt>
<images//cbpf_prog.jpg, id=405, 403.5075pt x 451.6875pt>
File: images//cbpf_prog.jpg Graphic file (type jpg)
<use images//cbpf_prog.jpg>
Package pdftex.def Info: images//cbpf_prog.jpg used on input line 453.
(pdftex.def) Requested size: 227.62204pt x 254.80415pt.
[7 <./images/cBPF_prog.jpg>]
<images//bpf_instructions.png, id=372, 380.92313pt x 475.27562pt>
<images//bpf_instructions.png, id=415, 380.92313pt x 475.27562pt>
File: images//bpf_instructions.png Graphic file (type png)
<use images//bpf_instructions.png>
Package pdftex.def Info: images//bpf_instructions.png used on input line 493.
(pdftex.def) Requested size: 227.62204pt x 283.99998pt.
[8 <./images//bpf_instructions.png>]
<images//bpf_address_mode.png, id=382, 417.05812pt x 313.67188pt>
<images//bpf_address_mode.png, id=425, 417.05812pt x 313.67188pt>
File: images//bpf_address_mode.png Graphic file (type png)
<use images//bpf_address_mode.png>
Package pdftex.def Info: images//bpf_address_mode.png used on input line 509.
(pdftex.def) Requested size: 227.62204pt x 171.19905pt.
[9 <./images//bpf_address_mode.png>]
<images//tcpdump_example.png, id=394, 534.99875pt x 454.69875pt>
<images//tcpdump_example.png, id=437, 534.99875pt x 454.69875pt>
File: images//tcpdump_example.png Graphic file (type png)
<use images//tcpdump_example.png>
Package pdftex.def Info: images//tcpdump_example.png used on input line 524.
(pdftex.def) Requested size: 284.52756pt x 241.82869pt.
<images//cBPF_prog_ex_sol.png, id=397, 242.9075pt x 321.2pt>
<images//cBPF_prog_ex_sol.png, id=440, 242.9075pt x 321.2pt>
File: images//cBPF_prog_ex_sol.png Graphic file (type png)
<use images//cBPF_prog_ex_sol.png>
Package pdftex.def Info: images//cBPF_prog_ex_sol.png used on input line 535.
(pdftex.def) Requested size: 170.71652pt x 225.74026pt.
[10 <./images//tcpdump_example.png>] [11 <./images//cBPF_prog_ex_sol.png>]
<images//ebpf_arch.jpg, id=416, 739.76375pt x 472.76625pt>
<images//ebpf_arch.jpg, id=459, 739.76375pt x 472.76625pt>
File: images//ebpf_arch.jpg Graphic file (type jpg)
<use images//ebpf_arch.jpg>
Package pdftex.def Info: images//ebpf_arch.jpg used on input line 574.
@@ -1304,78 +1304,78 @@ LaTeX Warning: Reference `section:TODO' on page 17 undefined on input line 746.
LaTeX Warning: Citation 'ebpf_helpers' on page 17 undefined on input line 749.
Overfull \hbox (34.64395pt too wide) in paragraph at lines 749--750
\T1/txr/m/n/12 have free ac-cess to), the eBPF sys-tem of-fers a set of lim-ite
d func-tions called helpers[],
[]
Overfull \hbox (13.5802pt too wide) in paragraph at lines 756--784
[][]
[]
[17]
<images//xdp_diag.jpg, id=539, 649.42625pt x 472.76625pt>
File: images//xdp_diag.jpg Graphic file (type jpg)
<use images//xdp_diag.jpg>
Package pdftex.def Info: images//xdp_diag.jpg used on input line 800.
(pdftex.def) Requested size: 426.79134pt x 310.69934pt.
[18] [19 <./images//xdp_diag.jpg>]
Overfull \hbox (5.80417pt too wide) in paragraph at lines 863--875
[][]
[]
LaTeX Warning: Citation 'ebpf_helpers' on page 17 undefined on input line 784.
LaTeX Font Info: Font shape `T1/txr/b/n' in size <10.95> not available
(Font) Font shape `T1/txr/bx/n' tried instead on input line 784.
LaTeX Warning: Citation 'ebpf_helpers' on page 17 undefined on input line 784.
[17] [18]
[20] [21]
Chapter 3.
[19
[22
]
Chapter 4.
[20
[23
]
Chapter 5.
[21
[24
]
LaTeX Font Info: Trying to load font information for T1+txtt on input line 8
30.
LaTeX Font Info: Trying to load font information for T1+txtt on input line 9
57.
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txtt.fd
File: t1txtt.fd 2000/12/15 v3.1
)
Overfull \hbox (5.34976pt too wide) in paragraph at lines 831--831
Overfull \hbox (5.34976pt too wide) in paragraph at lines 958--958
\T1/txtt/m/n/12 threat -[] intelligence / cyber -[] year -[] in -[] retrospect
/ yir -[] cyber -[] threats -[]
[]
[22
[25
]
Overfull \hbox (6.22696pt too wide) in paragraph at lines 831--831
Overfull \hbox (6.22696pt too wide) in paragraph at lines 958--958
[]\T1/txr/m/it/12 Bpf fea-tures by linux ker-nel ver-sion\T1/txr/m/n/12 , io-vi
-sor. [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / github .
[]
Overfull \hbox (7.34976pt too wide) in paragraph at lines 831--831
Overfull \hbox (7.34976pt too wide) in paragraph at lines 958--958
[][]$\T1/txtt/m/n/12 https : / / ebpf . io / what -[] is -[] ebpf / #loader -[]
-[] verification -[] architecture$[][]\T1/txr/m/n/12 .
[]
Overfull \hbox (21.24973pt too wide) in paragraph at lines 831--831
Overfull \hbox (21.24973pt too wide) in paragraph at lines 958--958
\T1/txtt/m/n/12 vger . kernel . org / netconf2015Starovoitov -[] bpf _ collabsu
mmit _ 2015feb20 .
[]
[23]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 831--831
[26]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 958--958
\T1/txtt/m/n/12 ch02 . xhtml# :-[]: text = With % 20JIT % 20compiled % 20code %
2C % 20i ,[] %20other %
[]
[24] [1
Overfull \hbox (6.49615pt too wide) in paragraph at lines 958--958
[]\T1/txr/m/n/12 D. Lavie. ^^P A gen-tle in-tro-duc-tion to xdp.^^Q (Feb. 3, 2
022), [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https :
[]
[27] [28] [1
]
@@ -1386,7 +1386,7 @@ pdfTeX warning (ext4): destination with the same identifier (name{page.}) has b
een already used, duplicate ignored
<to be read again>
\relax
l.847 \end{document}
l.974 \end{document}
[2
] (./document.aux)
@@ -1394,24 +1394,19 @@ l.847 \end{document}
LaTeX Warning: There were undefined references.
Package rerunfilecheck Info: File `document.out' has not changed.
(rerunfilecheck) Checksum: 64ACDA339F3877D1BEB5B5524019D5C5;1913.
Package biblatex Warning: Please (re)run Biber on the file:
(biblatex) document
(biblatex) and rerun LaTeX afterwards.
(rerunfilecheck) Checksum: E5138CE4A4FC0333EA6AC0A0168DC432;2190.
Package logreq Info: Writing requests to 'document.run.xml'.
\openout1 = `document.run.xml'.
)
Here is how much of TeX's memory you used:
27408 strings out of 481209
437163 string characters out of 5914747
1177845 words of memory out of 5000000
43800 multiletter control sequences out of 15000+600000
457008 words of font info for 103 fonts, out of 8000000 for 9000
27457 strings out of 481209
438434 string characters out of 5914747
1180810 words of memory out of 5000000
43827 multiletter control sequences out of 15000+600000
453959 words of font info for 100 fonts, out of 8000000 for 9000
36 hyphenation exceptions out of 8191
88i,11n,90p,1029b,3095s stack positions out of 5000i,500n,10000p,200000b,80000s
88i,12n,90p,1029b,3681s stack positions out of 5000i,500n,10000p,200000b,80000s
{/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc}</usr/share/texliv
e/texmf-dist/fonts/type1/public/txfonts/rtcxi.pfb></usr/share/texlive/texmf-dis
t/fonts/type1/public/txfonts/rtcxr.pfb></usr/share/texlive/texmf-dist/fonts/typ
@@ -1423,9 +1418,9 @@ texmf-dist/fonts/type1/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/f
onts/type1/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/u
rw/times/utmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a
.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on document.pdf (40 pages, 593575 bytes).
Output written on document.pdf (45 pages, 661173 bytes).
PDF statistics:
691 PDF objects out of 1000 (max. 8388607)
123 named destinations out of 1000 (max. 500000)
266 words of extra memory for PDF output out of 10000 (max. 10000000)
796 PDF objects out of 1000 (max. 8388607)
146 named destinations out of 1000 (max. 500000)
303 words of extra memory for PDF output out of 10000 (max. 10000000)


@@ -23,6 +23,14 @@
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.9}{\ignorespaces Table showing common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite {ebpf_helpers}.\relax }}{18}{table.caption.22}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.10}{\ignorespaces Table showing XDP relevant return values.\relax }}{19}{table.caption.24}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.11}{\ignorespaces Table showing relevant XDP-exclusive eBPF helpers.\relax }}{20}{table.caption.25}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.12}{\ignorespaces Table showing TC relevant return values. Full list can be consulted at \cite {tc_ret_list_complete}.\relax }}{21}{table.caption.26}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.13}{\ignorespaces Table showing relevant TC-exclusive eBPF helpers.\relax }}{21}{table.caption.27}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }


@@ -20,7 +20,11 @@
\BOOKMARK [2][-]{subsection.2.2.5}{The\040eBPF\040ring\040buffer}{section.2.2}% 20
\BOOKMARK [2][-]{subsection.2.2.6}{The\040bpf\(\)\040syscall}{section.2.2}% 21
\BOOKMARK [2][-]{subsection.2.2.7}{eBPF\040helpers}{section.2.2}% 22
\BOOKMARK [0][-]{chapter.3}{Methods??}{}% 23
\BOOKMARK [0][-]{chapter.4}{Results}{}% 24
\BOOKMARK [0][-]{chapter.5}{Conclusion\040and\040future\040work}{}% 25
\BOOKMARK [0][-]{chapter.5}{Bibliography}{}% 26
\BOOKMARK [1][-]{section.2.3}{eBPF\040program\040types}{chapter.2}% 23
\BOOKMARK [2][-]{subsection.2.3.1}{XDP}{section.2.3}% 24
\BOOKMARK [2][-]{subsection.2.3.2}{Traffic\040Control}{section.2.3}% 25
\BOOKMARK [1][-]{section.2.4}{Developing\040eBPF\040programs}{chapter.2}% 26
\BOOKMARK [0][-]{chapter.3}{Methods??}{}% 27
\BOOKMARK [0][-]{chapter.4}{Results}{}% 28
\BOOKMARK [0][-]{chapter.5}{Conclusion\040and\040future\040work}{}% 29
\BOOKMARK [0][-]{chapter.5}{Bibliography}{}% 30

Binary file not shown.


@@ -41,7 +41,7 @@
>
]>
<requests version="1.0">
<internal package="biblatex" priority="9" active="1">
<internal package="biblatex" priority="9" active="0">
<generic>latex</generic>
<provides type="dynamic">
<file>document.bcf</file>
@@ -63,7 +63,7 @@
<file>english.lbx</file>
</requires>
</internal>
<external package="biblatex" priority="5" active="1">
<external package="biblatex" priority="5" active="0">
<generic>biber</generic>
<cmdline>
<binary>biber</binary>

Binary file not shown.


@@ -694,7 +694,7 @@ eBPF ring buffers are a special kind of eBPF maps, providing a one-way direction
%TODO DIAGRAM OF A TYPICAL RING BUFFER
\subsection{The bpf() syscall}
\subsection{The bpf() syscall} \label{subsection:bpf_syscall}
The bpf() syscall is used to issue commands from user space to kernel space in eBPF programs. This syscall is multiplexor, meaning that it can perform a great range of actions, changing its behaviour depending on the parameters.
The main operations that can be issued are described in table \ref{table:bpf_syscall}:
@@ -786,6 +786,131 @@ bpf\_ringbuf\_submit() & Submit data to an specific eBPF ring buffer, and notify
\end{table}
% Is this the best title?
\section{eBPF program types}
In the previous subsection \ref{subsection:bpf_syscall} we introduced the new types of eBPF programs that are supported and that we will be developing for our offensive analysis. In this section, we will analyse in greater detail how eBPF is integrated in the Linux kernel in order to support these new functionalities.
\subsection{XDP}
eXpress Data Path (XDP) programs are a novel type of eBPF program that allows for the lowest-latency traffic filtering and monitoring in the whole Linux kernel. In order to load an XDP program, a bpf() syscall with the command BPF\_PROG\_LOAD and the program type BPF\_PROG\_TYPE\_XDP must be issued.
These programs are directly attached to the Network Interface Controller (NIC) driver, and thus they can process the packet before any other module\cite{xdp_gentle_intro}.
\begin{figure}[H]
\centering
\includegraphics[width=15cm]{xdp_diag.jpg}
% Either this caption, or change the text afterwards. I still need to know whether to put the long explanation here or on the paragraph, it gets repetitive.
\caption{Figure showing how the eBPF XDP and TC modules are integrated in the network processing in the Linux kernel.}
\label{fig:xdp_diag}
\end{figure}
Figure \ref{fig:xdp_diag} shows how XDP is integrated in the network processing of the Linux kernel. After receiving a raw packet (in the figure, \textit{xdp\_md}, which consists on the raw bytes plus some very basic metadata about the packet) from the incoming traffic, XDP program can perform the following actions\cite{xdp_manual}:
\begin{itemize}
\item Analyse the data between the packet buffer bounds.
\item Modify the packet contents, and modify the packet length.
\item Decide between one of the actions displayed in table \ref{table:xdp_actions_av}.
\end{itemize}
\begin{table}[H]
\begin{tabular}{|c|>{\centering\arraybackslash}p{10cm}|}
\hline
ACTION & DESCRIPTION\\
\hline
\hline
XDP\_PASS & Let packet proceed with operated modifications on it.\\
\hline
XDP\_TX & Return the packet at the same NIC it was received from. Packet modifications are kept.\\
\hline
XDP\_DROP & Drops the packet completely, kernel networking will not be notified.\\
\hline
\end{tabular}
\caption{Table showing XDP relevant return values.}
\label{table:xdp_actions_av}
\end{table}
Some of the XDP-exclusive eBPF helpers we will be discussing in later sections are shown in table \ref{table:xdp_helpers}.
\begin{table}[H]
\begin{tabular}{|c|>{\centering\arraybackslash}p{10cm}|}
\hline
eBPF helper & DESCRIPTION\\
\hline
\hline
bpf\_xdp\_adjust\_head() & Enlarges or reduces the extension of a packet, by moving the address of its first byte.\\
\hline
bpf\_xdp\_adjust\_tail() & Enlarges or reduces the extension of a packet, by moving the address of its last byte.\\
\hline
\end{tabular}
\caption{Table showing relevant XDP-exclusive eBPF helpers.}
\label{table:xdp_helpers}
\end{table}
\subsection{Traffic Control}
Traffic Control (TC) programs are also indicated for networking instrumentation. Similarly to XDP, their module is positioned before entering the overall network processing of the kernel. However, as it can be observed in figure \ref{fig:xdp_diag}, they differ in some aspects:
\begin{itemize}
\item TC programs receive a network buffer with metadata (in the figure, \textit{sk\_buff}) about the packet in it. This renders TC programs less ideal than XDP for performing large packet modifications (like new headers), but at the same time the additional metadata fields make it easier to locate and modify specific packet fields\cite{tc_differences}.
\item TC programs can be attached to the \textit{ingress} or \textit{egress} points, meaning that an eBPF program can operate not only over incoming traffic, but also over the outgoing packets.
\end{itemize}
With respect to how TC programs operate, the Traffic Control system in Linux is greatly complex and would require a complete section by itself. In fact, it was already a complete system before the appearance of eBPF. Full documentation can be found at \cite{tc_docs_complete}. For this document, we will explain the overall process needed to load a TC program\cite{tc_direct_action}:
\begin{enumerate}
\item The TC program defines a so-called queuing discipline (qdisc), a packet scheduler that issues packets in a FIFO order as soon as they are received. This qdisc will be attached to an specific network interface (e.g.: wlan0).
\item Our TC eBPF program is attached to the qdisc. It will work as a filter, being run for every of the packets dispatched by the qdisc.
\end{enumerate}
Similarly to XDP, the TC eBPF programs can decide an action to be executed on a packet by specifying a return value. These actions are almost analogous to the ones in XDP, as it can be observed in table \ref{table:tc_actions}.
\begin{table}[H]
\begin{tabular}{|c|>{\centering\arraybackslash}p{10cm}|}
\hline
ACTION & DESCRIPTION\\
\hline
\hline
TC\_ACT\_OK & Let packet proceed with operated modifications on it.\\
\hline
TC\_ACT\_RECLASSIFY & Return the packet to the back of the qdisc scheduling queue.\\
\hline
TC\_ACT\_SHOT & Drops the packet completely, kernel networking will not be notified.\\
\hline
\end{tabular}
\caption{Table showing TC relevant return values. Full list can be consulted at \cite{tc_ret_list_complete}.}
\label{table:tc_actions}
\end{table}
Finally, as in XDP, there exist a list of useful BPF helpers that will be relevant for the creation of our rootkit. They are shown in table \ref{table:tc_helpers}.
\begin{table}[H]
\begin{tabular}{|c|>{\centering\arraybackslash}p{10cm}|}
\hline
eBPF helper & DESCRIPTION\\
\hline
\hline
bpf\_l3\_csum\_replace() & Recomputes the network layer 3 (e.g.: IP) checksum of the packet.\\
\hline
bpf\_l4\_csum\_replace() & Recomputes the network layer 4 (e.g: TCP) checksum of the packet.\\
\hline
bpf\_skb\_store\_bytes() & Write a data buffer into the packet.\\
\hline
bpf\_skb\_pull\_data() & Reads a sequence of packet bytes into a buffer.\\
\hline
bpf\_skb\_change\_head() & (Only) enlarges the extension of a packet, by moving the address of its first byte.\\
\hline
bpf\_skb\_change\_tail() & Enlarges or reduces the extension of a packet, by moving the address of its last byte.\\
\hline
\hline
\end{tabular}
\caption{Table showing relevant TC-exclusive eBPF helpers.}
\label{table:tc_helpers}
\end{table}
%ADD HOOKING SUBSECTION
% Is this the best title?
\section{Developing eBPF programs}
In the previous sections, we discussed the overall architecture of the eBPF system which is now an integral part of the Linux kernel. We also studied the process which a piece of eBPF bytecode follows in order to be accepted in the kernel. However, for an eBPF developer, programming bytecode is not an easy task, therefore an additional layer of abstraction was needed.
Nowadays, there exist multiple popular alternatives for writing eBPF programs. We will overview which they are and proceed to analyse in further detail the option that we will use for the development of our rootkit.
%TODO Continue, I decided to keep this separate for now
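Review bot: In the TC helpers table, the `bpf\_skb\_pull\_data()` row describes a different helper: per bpf-helpers(7), which the thesis already cites as `ebpf_helpers`, it pulls non-linear skb data into the linear area so the requested bytes become directly readable and writable, whereas copying packet bytes into a buffer is what `bpf_skb_load_bytes()` does. I would change the row to `bpf\_skb\_pull\_data() & Pulls in non-linear packet data so that the requested bytes can be accessed directly.\\` and, if the buffer read is what later chapters rely on, give `bpf\_skb\_load\_bytes()` its own row. The `TC\_ACT\_RECLASSIFY` description also looks off to me; as far as I know it restarts classification rather than re-queueing the packet, so it is worth checking against the cited `pkt_cls.h`. Two smaller points in the same hunk: the opening sentence of the new section calls `\ref{subsection:bpf_syscall}` "the previous subsection" although the eBPF helpers subsection sits in between, and the TC helpers table ends with a doubled `\hline` that the other three new tables do not have.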


@@ -45,11 +45,19 @@
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.2.7}eBPF helpers}{17}{subsection.2.2.7}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {3}Methods??}{19}{chapter.3}%
\contentsline {section}{\numberline {2.3}eBPF program types}{18}{section.2.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {4}Results}{20}{chapter.4}%
\contentsline {subsection}{\numberline {2.3.1}XDP}{18}{subsection.2.3.1}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Conclusion and future work}{21}{chapter.5}%
\contentsline {subsection}{\numberline {2.3.2}Traffic Control}{20}{subsection.2.3.2}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{22}{chapter.5}%
\contentsline {section}{\numberline {2.4}Developing eBPF programs}{21}{section.2.4}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {3}Methods??}{22}{chapter.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {4}Results}{23}{chapter.4}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Conclusion and future work}{24}{chapter.5}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{25}{chapter.5}%
\contentsfinish

BIN
docs/images/xdp_diag.jpg Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 42 KiB


@@ -73,15 +73,15 @@
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/">
<xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool>
<xmp:ModifyDate>2022-05-26T15:20:31-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-05-26T15:20:31-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-05-26T15:20:31-04:00</xmp:MetadataDate>
<xmp:ModifyDate>2022-05-26T21:44:53-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-05-26T21:44:53-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-05-26T21:44:53-04:00</xmp:MetadataDate>
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/">
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/">
<xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID>
<xmpMM:InstanceID>uuid:63BE8BF9-C164-486C-D049-AC9DA0AFDF0D</xmpMM:InstanceID>
<xmpMM:InstanceID>uuid:391EE317-632F-F294-EDDB-9501854E37E5</xmpMM:InstanceID>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>