Fixed some diagrams

2025-12-16 23:33:06 +08:00 · 2022-05-23 08:47:39 -04:00
parent a27543a7a6
commit 820c9f9401
14 changed files with 165 additions and 119 deletions
--- a/docs/bibliography/bibliography.bib
+++ b/docs/bibliography/bibliography.bib
@@ -138,7 +138,12 @@
 	title={Write a Linux packet sniffer from scratch: part two- BPF},
 	date={2022-03-28},
 	url={https://organicprogrammer.com/2022/03/28/how-to-implement-libpcap-on-linux-with-raw-socket-part2/}
-}
+},
+
+@manual{tcpdump_page,
+	title={Tcpdump & Libpcap},
+	url={https://www.tcpdump.org}
+},



--- a/docs/bibliography/texput.log
+++ b/docs/bibliography/texput.log
@@ -1,4 +1,4 @@
-This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27)  22 MAY 2022 17:16
+This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27)  23 MAY 2022 07:12
 entering extended mode
 restricted \write18 enabled.
 %&-line parsing enabled.
--- a/docs/document.aux
+++ b/docs/document.aux
@@ -91,6 +91,8 @@
 \abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page8}
 \abx@aux@cite{bpf_bsd_origin_bpf_page1}
 \abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page1}
+\abx@aux@cite{tcpdump_page}
+\abx@aux@segm{0}{0}{tcpdump_page}
 \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.4}{\ignorespaces Table explaining the column address modes in Figure\ref  {fig:bpf_instructions}, as shown by McCanne and Jacobson\cite {bpf_bsd_origin_bpf_page8}\relax }}{9}{figure.caption.11}\protected@file@percent }
 \newlabel{fig:bpf_address_mode}{{2.4}{9}{Table explaining the column address modes in Figure\ref {fig:bpf_instructions}, as shown by McCanne and Jacobson\cite {bpf_bsd_origin_bpf_page8}\relax }{figure.caption.11}{}}
 \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.5}An example of BPF filter - \textit  {tcpdump}}{9}{subsection.2.1.5}\protected@file@percent }
@@ -98,17 +100,19 @@
 \newlabel{fig:bpf_tcpdump_example}{{2.5}{10}{BPF bytecode tcpdump needs to set a filter to display packets directed to port 80.\relax }{figure.caption.12}{}}
 \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.6}{\ignorespaces Shortest path in the CFG described in the example of figure \ref  {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit  {tcpdump}.\relax }}{10}{figure.caption.13}\protected@file@percent }
 \newlabel{fig:tcpdump_ex_sol}{{2.6}{10}{Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }{figure.caption.13}{}}
-\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Methods??}{11}{chapter.3}\protected@file@percent }
+\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.2}Analysis of modern eBPF}{11}{section.2.2}\protected@file@percent }
+\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.1}New eBPF infrastructure}{11}{subsection.2.2.1}\protected@file@percent }
+\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Methods??}{12}{chapter.3}\protected@file@percent }
 \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
 \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
-\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{12}{chapter.4}\protected@file@percent }
+\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{13}{chapter.4}\protected@file@percent }
 \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
 \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
-\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{13}{chapter.5}\protected@file@percent }
+\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{14}{chapter.5}\protected@file@percent }
 \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
 \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
-\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{14}{chapter.5}\protected@file@percent }
-\abx@aux@read@bbl@mdfivesum{87C7875B9C878945D5F672C63ACB5E95}
+\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{15}{chapter.5}\protected@file@percent }
+\abx@aux@read@bbl@mdfivesum{B18652840B9A2D8E82575EF61C309813}
 \abx@aux@refcontextdefaultsdone
 \abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
 \abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global}
@@ -129,5 +133,6 @@
 \abx@aux@defaultrefcontext{0}{bpf_organicprogrammer_analysis}{none/global//global/global}
 \abx@aux@defaultrefcontext{0}{bpf_bsd_origin_bpf_page7}{none/global//global/global}
 \abx@aux@defaultrefcontext{0}{bpf_bsd_origin_bpf_page8}{none/global//global/global}
+\abx@aux@defaultrefcontext{0}{tcpdump_page}{none/global//global/global}
 \ttl@finishall
-\gdef \@abspage@last{31}
+\gdef \@abspage@last{32}
--- a/docs/document.bbl
+++ b/docs/document.bbl
@@ -23,8 +23,8 @@
      \list{institution}{1}{%
        {PricewaterhouseCoopers}%
      }
-      \field{sortinit}{2}
-      \field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
+      \field{sortinit}{3}
+      \field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
      \field{labeltitlesource}{title}
      \field{title}{Cyber Threats 2021: A year in Retrospect}
      \verb{urlraw}
@@ -38,8 +38,8 @@
      \list{institution}{1}{%
        {Positive Technologies}%
      }
-      \field{sortinit}{3}
-      \field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
+      \field{sortinit}{4}
+      \field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4}
      \field{labeltitlesource}{title}
      \field{day}{3}
      \field{month}{11}
@@ -54,8 +54,8 @@
      \endverb
    \endentry
    \entry{ebpf_linux318}{online}{}
-      \field{sortinit}{4}
-      \field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4}
+      \field{sortinit}{5}
+      \field{sortinithash}{5dd416adbafacc8226114bc0202d5fdd}
      \field{day}{7}
      \field{indextitle}{eBPF incorporation in the Linux Kernel 3.18}
      \field{month}{12}
@@ -72,8 +72,8 @@
      \list{institution}{1}{%
        {Pangu Lab}%
      }
-      \field{sortinit}{5}
-      \field{sortinithash}{5dd416adbafacc8226114bc0202d5fdd}
+      \field{sortinit}{6}
+      \field{sortinithash}{7851c86048328b027313775d8fbd2131}
      \field{labeltitlesource}{title}
      \field{day}{23}
      \field{month}{2}
@@ -91,8 +91,8 @@
      \list{institution}{1}{%
        {PricewaterhouseCoopers}%
      }
-      \field{sortinit}{6}
-      \field{sortinithash}{7851c86048328b027313775d8fbd2131}
+      \field{sortinit}{7}
+      \field{sortinithash}{f615fb9c6fba11c6f962fb3fd599810e}
      \field{labeltitlesource}{title}
      \field{title}{Cyber Threats 2021: A year in Retrospect}
      \field{pages}{37}
@@ -105,8 +105,8 @@
      \endverb
    \endentry
    \entry{ebpf_windows}{online}{}
-      \field{sortinit}{7}
-      \field{sortinithash}{f615fb9c6fba11c6f962fb3fd599810e}
+      \field{sortinit}{8}
+      \field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
      \field{labeltitlesource}{title}
      \field{day}{7}
      \field{month}{12}
@@ -121,8 +121,8 @@
      \endverb
    \endentry
    \entry{ebpf_android}{online}{}
-      \field{sortinit}{8}
-      \field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
+      \field{sortinit}{9}
+      \field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
      \field{labeltitlesource}{title}
      \field{title}{eBPF for Windows}
      \verb{urlraw}
@@ -152,8 +152,8 @@
      \strng{authorbibnamehash}{5142e68c748eb70cb619b21160eb7f72}
      \strng{authornamehash}{5142e68c748eb70cb619b21160eb7f72}
      \strng{authorfullhash}{5142e68c748eb70cb619b21160eb7f72}
-      \field{sortinit}{9}
-      \field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
+      \field{sortinit}{1}
+      \field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
      \field{labelnamesource}{author}
      \field{eventtitle}{Evil eBPF Practical Abuses of an In-Kernel Bytecode Runtime}
      \verb{urlraw}
@@ -402,8 +402,8 @@
      \strng{authornamehash}{b74c2671072cf5a1a1400dc035240dfd}
      \strng{authorfullhash}{b74c2671072cf5a1a1400dc035240dfd}
      \field{extraname}{4}
-      \field{sortinit}{1}
-      \field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
+      \field{sortinit}{2}
+      \field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
      \field{labelnamesource}{author}
      \field{labeltitlesource}{title}
      \field{day}{19}
@@ -456,6 +456,18 @@
      \verb https://www.tcpdump.org/papers/bpf-usenix93.pdf
      \endverb
    \endentry
+    \entry{tcpdump_page}{manual}{}
+      \field{sortinit}{2}
+      \field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
+      \field{labeltitlesource}{title}
+      \field{title}{Tcpdump & Libpcap}
+      \verb{urlraw}
+      \verb https://www.tcpdump.org
+      \endverb
+      \verb{url}
+      \verb https://www.tcpdump.org
+      \endverb
+    \endentry
  \enddatalist
 \endrefsection
 \endinput
--- a/docs/document.bcf
+++ b/docs/document.bcf
@@ -2369,6 +2369,7 @@
    <bcf:citekey order="21">bpf_bsd_origin_bpf_page8</bcf:citekey>
    <bcf:citekey order="22">bpf_bsd_origin_bpf_page8</bcf:citekey>
    <bcf:citekey order="23">bpf_bsd_origin_bpf_page1</bcf:citekey>
+    <bcf:citekey order="24">tcpdump_page</bcf:citekey>
  </bcf:section>
  <!-- SORTING TEMPLATES -->
  <bcf:sortingtemplate name="none">
--- a/docs/document.blg
+++ b/docs/document.blg
@@ -1,34 +1,35 @@
 [0] Config.pm:311> INFO - This is Biber 2.16
 [0] Config.pm:314> INFO - Logfile is 'document.blg'
-[57] biber:340> INFO - === Mon May 23, 2022, 05:19:28
-[69] Biber.pm:415> INFO - Reading 'document.bcf'
-[138] Biber.pm:952> INFO - Found 19 citekeys in bib section 0
-[152] Biber.pm:4340> INFO - Processing section 0
-[161] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
-[162] bibtex.pm:1689> INFO - LaTeX decoding ...
-[171] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
-[237] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HDya/f4d088b3f9f145b5c3058da33afd57d4_111283.utf8, line 9, warning: 1 characters of junk seen at toplevel
-[238] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HDya/f4d088b3f9f145b5c3058da33afd57d4_111283.utf8, line 15, warning: 1 characters of junk seen at toplevel
-[238] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HDya/f4d088b3f9f145b5c3058da33afd57d4_111283.utf8, line 22, warning: 1 characters of junk seen at toplevel
-[238] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HDya/f4d088b3f9f145b5c3058da33afd57d4_111283.utf8, line 28, warning: 1 characters of junk seen at toplevel
-[238] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HDya/f4d088b3f9f145b5c3058da33afd57d4_111283.utf8, line 35, warning: 1 characters of junk seen at toplevel
-[238] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HDya/f4d088b3f9f145b5c3058da33afd57d4_111283.utf8, line 42, warning: 1 characters of junk seen at toplevel
-[238] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HDya/f4d088b3f9f145b5c3058da33afd57d4_111283.utf8, line 50, warning: 1 characters of junk seen at toplevel
-[238] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HDya/f4d088b3f9f145b5c3058da33afd57d4_111283.utf8, line 58, warning: 1 characters of junk seen at toplevel
-[238] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HDya/f4d088b3f9f145b5c3058da33afd57d4_111283.utf8, line 65, warning: 1 characters of junk seen at toplevel
-[238] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HDya/f4d088b3f9f145b5c3058da33afd57d4_111283.utf8, line 70, warning: 1 characters of junk seen at toplevel
-[238] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HDya/f4d088b3f9f145b5c3058da33afd57d4_111283.utf8, line 77, warning: 1 characters of junk seen at toplevel
-[238] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HDya/f4d088b3f9f145b5c3058da33afd57d4_111283.utf8, line 85, warning: 1 characters of junk seen at toplevel
-[238] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HDya/f4d088b3f9f145b5c3058da33afd57d4_111283.utf8, line 94, warning: 1 characters of junk seen at toplevel
-[238] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HDya/f4d088b3f9f145b5c3058da33afd57d4_111283.utf8, line 103, warning: 1 characters of junk seen at toplevel
-[239] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HDya/f4d088b3f9f145b5c3058da33afd57d4_111283.utf8, line 112, warning: 1 characters of junk seen at toplevel
-[239] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HDya/f4d088b3f9f145b5c3058da33afd57d4_111283.utf8, line 121, warning: 1 characters of junk seen at toplevel
-[239] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HDya/f4d088b3f9f145b5c3058da33afd57d4_111283.utf8, line 127, warning: 1 characters of junk seen at toplevel
-[239] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HDya/f4d088b3f9f145b5c3058da33afd57d4_111283.utf8, line 132, warning: 1 characters of junk seen at toplevel
-[255] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
-[255] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
-[255] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
-[255] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
-[268] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
-[273] bbl.pm:757> INFO - Output to document.bbl
-[273] Biber.pm:128> INFO - WARNINGS: 18
+[60] biber:340> INFO - === Mon May 23, 2022, 08:11:22
+[76] Biber.pm:415> INFO - Reading 'document.bcf'
+[146] Biber.pm:952> INFO - Found 20 citekeys in bib section 0
+[161] Biber.pm:4340> INFO - Processing section 0
+[172] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
+[174] bibtex.pm:1689> INFO - LaTeX decoding ...
+[184] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
+[243] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 9, warning: 1 characters of junk seen at toplevel
+[243] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 15, warning: 1 characters of junk seen at toplevel
+[243] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 22, warning: 1 characters of junk seen at toplevel
+[243] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 28, warning: 1 characters of junk seen at toplevel
+[243] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 35, warning: 1 characters of junk seen at toplevel
+[243] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 42, warning: 1 characters of junk seen at toplevel
+[243] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 50, warning: 1 characters of junk seen at toplevel
+[243] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 58, warning: 1 characters of junk seen at toplevel
+[243] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 65, warning: 1 characters of junk seen at toplevel
+[244] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 70, warning: 1 characters of junk seen at toplevel
+[244] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 77, warning: 1 characters of junk seen at toplevel
+[244] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 85, warning: 1 characters of junk seen at toplevel
+[244] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 94, warning: 1 characters of junk seen at toplevel
+[244] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 103, warning: 1 characters of junk seen at toplevel
+[244] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 112, warning: 1 characters of junk seen at toplevel
+[244] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 121, warning: 1 characters of junk seen at toplevel
+[244] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 127, warning: 1 characters of junk seen at toplevel
+[244] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 132, warning: 1 characters of junk seen at toplevel
+[244] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Js0w/f4d088b3f9f145b5c3058da33afd57d4_115050.utf8, line 143, warning: 1 characters of junk seen at toplevel
+[262] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
+[262] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
+[262] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
+[262] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
+[279] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
+[284] bbl.pm:757> INFO - Output to document.bbl
+[285] Biber.pm:128> INFO - WARNINGS: 19
--- a/docs/document.log
+++ b/docs/document.log
@@ -1,4 +1,4 @@
-This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27)  23 MAY 2022 07:07
+This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27)  23 MAY 2022 08:11
 entering extended mode
 restricted \write18 enabled.
 %&-line parsing enabled.
@@ -1089,7 +1089,7 @@ File: t1txss.fd 2000/12/15 v3.1
 )
 LaTeX Font Info:    Font shape `T1/txss/m/n' will be
 (Font)              scaled to size 11.39996pt on input line 186.
-<images//Portada_Logo.png, id=73, 456.2865pt x 45.99pt>
+<images//Portada_Logo.png, id=85, 456.2865pt x 45.99pt>
 File: images//Portada_Logo.png Graphic file (type png)
 <use images//Portada_Logo.png>
 Package pdftex.def Info: images//Portada_Logo.png  used on input line 190.
@@ -1102,7 +1102,7 @@ LaTeX Font Info:    Font shape `T1/txss/m/n' will be
 (Font)              scaled to size 23.63593pt on input line 201.
 LaTeX Font Info:    Font shape `T1/txss/m/n' will be
 (Font)              scaled to size 19.70294pt on input line 205.
-<images/creativecommons.png, id=75, 338.76563pt x 118.19156pt>
+<images/creativecommons.png, id=87, 338.76563pt x 118.19156pt>
 File: images/creativecommons.png Graphic file (type png)
 <use images/creativecommons.png>
 Package pdftex.def Info: images/creativecommons.png  used on input line 215.
@@ -1210,71 +1210,84 @@ Overfull \hbox (0.50073pt too wide) in paragraph at lines 355--356

 [3] [4]
 Chapter 2.
-<images//classic_bpf.jpg, id=245, 588.1975pt x 432.61626pt>
+<images//classic_bpf.jpg, id=263, 588.1975pt x 432.61626pt>
 File: images//classic_bpf.jpg Graphic file (type jpg)
 <use images//classic_bpf.jpg>
-Package pdftex.def Info: images//classic_bpf.jpg  used on input line 416.
+Package pdftex.def Info: images//classic_bpf.jpg  used on input line 423.
 (pdftex.def)             Requested size: 341.43306pt x 251.12224pt.
 [5

 <./images//classic_bpf.jpg>]
-<images//cbpf_prog.jpg, id=257, 403.5075pt x 451.6875pt>
+<images//cbpf_prog.jpg, id=275, 403.5075pt x 451.6875pt>
 File: images//cbpf_prog.jpg Graphic file (type jpg)
 <use images//cbpf_prog.jpg>
-Package pdftex.def Info: images//cbpf_prog.jpg  used on input line 443.
+Package pdftex.def Info: images//cbpf_prog.jpg  used on input line 450.
 (pdftex.def)             Requested size: 227.62204pt x 254.80415pt.
 [6] [7 <./images/cBPF_prog.jpg>]
-<images//bpf_instructions.png, id=274, 380.92313pt x 475.27562pt>
+<images//bpf_instructions.png, id=292, 380.92313pt x 475.27562pt>
 File: images//bpf_instructions.png Graphic file (type png)
 <use images//bpf_instructions.png>
-Package pdftex.def Info: images//bpf_instructions.png  used on input line 483.
+Package pdftex.def Info: images//bpf_instructions.png  used on input line 490.
 (pdftex.def)             Requested size: 227.62204pt x 283.99998pt.
 [8 <./images//bpf_instructions.png>]
-<images//bpf_address_mode.png, id=283, 417.05812pt x 313.67188pt>
+<images//bpf_address_mode.png, id=301, 417.05812pt x 313.67188pt>
 File: images//bpf_address_mode.png Graphic file (type png)
 <use images//bpf_address_mode.png>
-Package pdftex.def Info: images//bpf_address_mode.png  used on input line 499.
+Package pdftex.def Info: images//bpf_address_mode.png  used on input line 506.
 (pdftex.def)             Requested size: 227.62204pt x 171.19905pt.
 LaTeX Font Info:    Font shape `T1/txr/b/it' in size <12> not available
-(Font)              Font shape `T1/txr/bx/it' tried instead on input line 507.
-<images//tcpdump_example.png, id=289, 534.99875pt x 454.69875pt>
+(Font)              Font shape `T1/txr/bx/it' tried instead on input line 514.
+<images//tcpdump_example.png, id=308, 534.99875pt x 454.69875pt>
 File: images//tcpdump_example.png Graphic file (type png)
 <use images//tcpdump_example.png>
-Package pdftex.def Info: images//tcpdump_example.png  used on input line 514.
+Package pdftex.def Info: images//tcpdump_example.png  used on input line 521.
 (pdftex.def)             Requested size: 284.52756pt x 241.82869pt.
 [9 <./images//bpf_address_mode.png>]
-<images//cBPF_prog_ex_sol.png, id=299, 320.19624pt x 321.2pt>
+<images//cBPF_prog_ex_sol.png, id=318, 242.9075pt x 321.2pt>
 File: images//cBPF_prog_ex_sol.png Graphic file (type png)
 <use images//cBPF_prog_ex_sol.png>
-Package pdftex.def Info: images//cBPF_prog_ex_sol.png  used on input line 525.
-(pdftex.def)             Requested size: 227.62204pt x 228.33786pt.
- [10 <./images//tcpdump_example.png> <./images//cBPF_prog_ex_sol.png>]
+Package pdftex.def Info: images//cBPF_prog_ex_sol.png  used on input line 532.
+(pdftex.def)             Requested size: 170.71652pt x 225.74026pt.
+ [10 <./images//tcpdump_example.png> <./images//cBPF_prog_ex_sol.png>] [11]
 Chapter 3.
-[11
-
-]
-Chapter 4.
 [12

 ]
-Chapter 5.
+Chapter 4.
 [13

+]
+Chapter 5.
+[14
+
 ]
 LaTeX Font Info:    Trying to load font information for T1+txtt on input line 5
-64.
+73.
 (/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txtt.fd
 File: t1txtt.fd 2000/12/15 v3.1
 )
-Overfull \hbox (5.34976pt too wide) in paragraph at lines 565--565
+Overfull \hbox (5.34976pt too wide) in paragraph at lines 574--574
 \T1/txtt/m/n/12 threat -[] intelligence / cyber -[] year -[] in -[] retrospect 
 / yir -[] cyber -[] threats -[]
 []

-[14
+[15


-] [15] [1
+]
+! Misplaced alignment tab character &.
+<inserted text> Tcpdump &
+                          libpcap
+l.574 
+      
+I can't figure out why you would want to use a tab mark
+here. If you just want an ampersand, the remedy is
+simple: Just type `I\&' now. But if some right brace
+up above has ended a previous alignment prematurely,
+you're probably due for more error messages, and you
+might try typing `S' now just to see what is salvageable.
+
+[16] [1

 ]

@@ -1285,30 +1298,24 @@ pdfTeX warning (ext4): destination with the same identifier (name{page.}) has b
 een already used, duplicate ignored
 <to be read again> 
                   \relax 
-l.581 \end{document}
+l.590 \end{document}
                     [2

 ] (./document.aux)
-
-Package rerunfilecheck Warning: File `document.out' has changed.
-(rerunfilecheck)                Rerun to get outlines right
-(rerunfilecheck)                or use package `bookmark'.
-
-Package rerunfilecheck Info: Checksums for `document.out':
-(rerunfilecheck)             Before: A6577BD8B13F5EB107CFC8B7036FD0A0;1199
-(rerunfilecheck)             After:  527B694ACE0F160609707BF4E9568D31;1305.
+Package rerunfilecheck Info: File `document.out' has not changed.
+(rerunfilecheck)             Checksum: E11F11882B461E0C78448E51C0034A6A;1467.
 Package logreq Info: Writing requests to 'document.run.xml'.
 \openout1 = `document.run.xml'.

 ) 
 Here is how much of TeX's memory you used:
- 27292 strings out of 481209
- 433755 string characters out of 5914747
- 1169713 words of memory out of 5000000
- 43730 multiletter control sequences out of 15000+600000
+ 27301 strings out of 481209
+ 433947 string characters out of 5914747
+ 1169742 words of memory out of 5000000
+ 43735 multiletter control sequences out of 15000+600000
 456264 words of font info for 101 fonts, out of 8000000 for 9000
 36 hyphenation exceptions out of 8191
- 88i,11n,90p,1029b,3095s stack positions out of 5000i,500n,10000p,200000b,80000s
+ 88i,11n,90p,1029b,3093s stack positions out of 5000i,500n,10000p,200000b,80000s
 {/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc}</usr/share/texliv
 e/texmf-dist/fonts/type1/public/txfonts/rtcxr.pfb></usr/share/texlive/texmf-dis
 t/fonts/type1/public/txfonts/rtxr.pfb></usr/share/texlive/texmf-dist/fonts/type
@@ -1319,9 +1326,9 @@ re/texlive/texmf-dist/fonts/type1/urw/times/utmb8a.pfb></usr/share/texlive/texm
 f-dist/fonts/type1/urw/times/utmbi8a.pfb></usr/share/texlive/texmf-dist/fonts/t
 ype1/urw/times/utmr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/
 utmri8a.pfb>
-Output written on document.pdf (31 pages, 470997 bytes).
+Output written on document.pdf (32 pages, 473613 bytes).
 PDF statistics:
- 442 PDF objects out of 1000 (max. 8388607)
- 79 named destinations out of 1000 (max. 500000)
- 189 words of extra memory for PDF output out of 10000 (max. 10000000)
+ 466 PDF objects out of 1000 (max. 8388607)
+ 83 named destinations out of 1000 (max. 500000)
+ 213 words of extra memory for PDF output out of 10000 (max. 10000000)

--- a/docs/document.out
+++ b/docs/document.out
@@ -12,7 +12,9 @@
 \BOOKMARK [2][-]{subsection.2.1.3}{Analysis\040of\040a\040BPF\040filter\040program}{section.2.1}% 12
 \BOOKMARK [2][-]{subsection.2.1.4}{BPF\040bytecode\040instruction\040format}{section.2.1}% 13
 \BOOKMARK [2][-]{subsection.2.1.5}{An\040example\040of\040BPF\040filter\040-\040tcpdump}{section.2.1}% 14
-\BOOKMARK [0][-]{chapter.3}{Methods??}{}% 15
-\BOOKMARK [0][-]{chapter.4}{Results}{}% 16
-\BOOKMARK [0][-]{chapter.5}{Conclusion\040and\040future\040work}{}% 17
-\BOOKMARK [0][-]{chapter.5}{Bibliography}{}% 18
+\BOOKMARK [1][-]{section.2.2}{Analysis\040of\040modern\040eBPF}{chapter.2}% 15
+\BOOKMARK [2][-]{subsection.2.2.1}{New\040eBPF\040infrastructure}{section.2.2}% 16
+\BOOKMARK [0][-]{chapter.3}{Methods??}{}% 17
+\BOOKMARK [0][-]{chapter.4}{Results}{}% 18
+\BOOKMARK [0][-]{chapter.5}{Conclusion\040and\040future\040work}{}% 19
+\BOOKMARK [0][-]{chapter.5}{Bibliography}{}% 20
--- a/docs/document.pdf
+++ b/docs/document.pdf
--- a/docs/document.synctex.gz
+++ b/docs/document.synctex.gz
--- a/docs/document.tex
+++ b/docs/document.tex
@@ -371,6 +371,13 @@ The knowledge gathered by the previous three pillars will be then used as a basi
 \
 \end{itemize}

+The rootkit will work in a fresh-install of a Linux system with the following characteristics:
+\begin{itemize}
+%Maybe a table for this?
+\item Distribution: Ubuntu 21.04.
+\item Kernel version: 5.11.0-49.
+\end{itemize} 
+
 \section{Regulatory framework}
 %MARCOS-> Is this the appropiate place? Looking at other TFGs it is sometimes here and others in a final chapter

@@ -505,7 +512,7 @@ The column \textit{addr modes} in figure \ref{fig:bpf_instructions} describes ho


 \subsection{An example of BPF filter - \textit{tcpdump}}
-At the time, by filtering packets before they are handled by the kernel instead of using an user-level application, BPF offered a performance improvement between 10 and 150 times the state-of-the art technologies of the moment\cite{bpf_bsd_origin_bpf_page1}. Since then, multiple popular tools began to use BPF, such as the network tracing tool \textit{tcpdump}.
+At the time, by filtering packets before they are handled by the kernel instead of using an user-level application, BPF offered a performance improvement between 10 and 150 times the state-of-the art technologies of the moment\cite{bpf_bsd_origin_bpf_page1}. Since then, multiple popular tools began to use BPF, such as the network tracing tool \textit{tcpdump}\cite{tcpdump_page}.

 \textit{tcpdump} is a command-line tool that enables to capture and analyse the network traffic going through the system. It works by setting filters on a network interface, so that it shows the packets that are accepted by the filter. Still today, \textit{tcpdump} uses BPF for the filter implementation. We will now show an example of BPF code used by \textit{tcpdump} to implement a simple filter:

@@ -518,16 +525,18 @@ At the time, by filtering packets before they are handled by the kernel instead

 Figure \ref{fig:bpf_tcpdump_example} shows how tcpdump sets a filter to display traffic directed to all interfaces (\textit{-i any}) directed to port 80. Flag \textit{-d} instructs tcpdump to display BPF bytecode.

-In the example, we can clearly label the nodes of the CFG. Figure \ref{fig:tcpdump_ex_sol} is the shortest graph path that a true comparison will need to follow to be accepted by the filter. Note how instruction 010 is checking the value 80, the one our filter is looking for.
+In the example, using the \textit{jf} and \textit{jt} fields, we can label the nodes of the CFG described by the BPF filter. Figure \ref{fig:tcpdump_ex_sol} is the shortest graph path that a true comparison will need to follow to be accepted by the filter. Note how instruction 010 is checking the value 80, the one our filter is looking for in the port.

 \begin{figure}[H]
 	\centering
-	\includegraphics[width=8cm]{cBPF_prog_ex_sol.png}
+	\includegraphics[width=6cm]{cBPF_prog_ex_sol.png}
 	\caption{Shortest path in the CFG described in the example of figure \ref{fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit{tcpdump}.}
 	\label{fig:tcpdump_ex_sol}
 \end{figure}

-
+\section{Analysis of modern eBPF}
+\subsection{New eBPF infrastructure}
+Since the addition of classic BPF in the Linux kernel, multiple improvements were added. On 



--- a/docs/document.toc
+++ b/docs/document.toc
@@ -29,11 +29,15 @@
 \defcounter {refsection}{0}\relax 
 \contentsline {subsection}{\numberline {2.1.5}An example of BPF filter - \textit {tcpdump}}{9}{subsection.2.1.5}%
 \defcounter {refsection}{0}\relax 
-\contentsline {chapter}{\numberline {3}Methods??}{11}{chapter.3}%
+\contentsline {section}{\numberline {2.2}Analysis of modern eBPF}{11}{section.2.2}%
 \defcounter {refsection}{0}\relax 
-\contentsline {chapter}{\numberline {4}Results}{12}{chapter.4}%
+\contentsline {subsection}{\numberline {2.2.1}New eBPF infrastructure}{11}{subsection.2.2.1}%
 \defcounter {refsection}{0}\relax 
-\contentsline {chapter}{\numberline {5}Conclusion and future work}{13}{chapter.5}%
+\contentsline {chapter}{\numberline {3}Methods??}{12}{chapter.3}%
 \defcounter {refsection}{0}\relax 
-\contentsline {chapter}{Bibliography}{14}{chapter.5}%
+\contentsline {chapter}{\numberline {4}Results}{13}{chapter.4}%
+\defcounter {refsection}{0}\relax 
+\contentsline {chapter}{\numberline {5}Conclusion and future work}{14}{chapter.5}%
+\defcounter {refsection}{0}\relax 
+\contentsline {chapter}{Bibliography}{15}{chapter.5}%
 \contentsfinish 
--- a/docs/images/cBPF_prog_ex_sol.png
+++ b/docs/images/cBPF_prog_ex_sol.png
--- a/docs/pdfa.xmpi
+++ b/docs/pdfa.xmpi
@@ -73,15 +73,15 @@
  </rdf:Description> 
  <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/"> 
   <xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool> 
-   <xmp:ModifyDate>2022-05-23T07:07:52-04:00</xmp:ModifyDate> 
-   <xmp:CreateDate>2022-05-23T07:07:52-04:00</xmp:CreateDate> 
-   <xmp:MetadataDate>2022-05-23T07:07:52-04:00</xmp:MetadataDate> 
+   <xmp:ModifyDate>2022-05-23T08:11:24-04:00</xmp:ModifyDate> 
+   <xmp:CreateDate>2022-05-23T08:11:24-04:00</xmp:CreateDate> 
+   <xmp:MetadataDate>2022-05-23T08:11:24-04:00</xmp:MetadataDate> 
  </rdf:Description> 
  <rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/"> 
  </rdf:Description> 
  <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/"> 
   <xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID> 
-   <xmpMM:InstanceID>uuid:7B0B695B-CB9B-8938-A7F7-E39ED4157985</xmpMM:InstanceID> 
+   <xmpMM:InstanceID>uuid:90D3789F-A773-CB9C-625E-C127C19C8414</xmpMM:InstanceID> 
  </rdf:Description> 
 </rdf:RDF> 
 </x:xmpmeta>