Continued with offensive tracing capabilities

This commit is contained in:
h3xduck
2022-06-02 21:07:42 -04:00
parent 2c3648a18a
commit 8bc376e734
9 changed files with 209 additions and 155 deletions


@@ -229,6 +229,7 @@
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.13}{\ignorespaces Table showing relevant TC-exclusive eBPF helpers.\relax }}{21}{table.caption.27}\protected@file@percent }
\newlabel{table:tc_helpers}{{2.13}{21}{Table showing relevant TC-exclusive eBPF helpers.\relax }{table.caption.27}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.3}Tracepoints}{21}{subsection.2.3.3}\protected@file@percent }
\newlabel{subsection:tracepoints}{{2.3.3}{21}{Tracepoints}{subsection.2.3.3}{}}
\abx@aux@cite{kprobe_manual}
\abx@aux@segm{0}{0}{kprobe_manual}
\abx@aux@cite{kallsyms_kernel}
@@ -283,10 +284,10 @@
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.1.2}eBPF maps security}{30}{subsection.3.1.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.2}Abusing tracing programs}{30}{section.3.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.1}Access to function arguments}{30}{subsection.3.2.1}\protected@file@percent }
\newlabel{code:format_kprobe}{{3.1}{30}{Probe function for a kprobe on the kernel function vfs\_write}{lstlisting.3.1}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.1}Probe function for a kprobe on the kernel function vfs\_write.}{30}{lstlisting.3.1}\protected@file@percent }
\abx@aux@cite{8664_params_abi}
\abx@aux@segm{0}{0}{8664_params_abi}
\newlabel{code:format_kprobe}{{3.1}{31}{Probe function for a kprobe on the kernel function vfs\_write}{lstlisting.3.1}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.1}Probe function for a kprobe on the kernel function vfs\_write.}{31}{lstlisting.3.1}\protected@file@percent }
\newlabel{code:format_uprobe}{{3.2}{31}{Probe function for an uprobe, execute\_command is defined from user space}{lstlisting.3.2}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.2}Probe function for an uprobe, execute\_command is defined from user space.}{31}{lstlisting.3.2}\protected@file@percent }
\newlabel{code:format_tracepoint}{{3.3}{31}{Probe function for a tracepoint on the start of the syscall sys\_read}{lstlisting.3.3}{}}
@@ -297,18 +298,22 @@
\newlabel{table:systemv_abi}{{3.4}{32}{Argument passing convention of registers for function calls in user and kernel space respectively.\relax }{table.caption.33}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.5}{\ignorespaces Other relevant registers in x86\_64 and their purpose.\relax }}{32}{table.caption.34}\protected@file@percent }
\newlabel{table:systemv_abi_other}{{3.5}{32}{Other relevant registers in x86\_64 and their purpose.\relax }{table.caption.34}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.3}Memory corruption}{32}{section.3.3}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.1}Accessing user memory}{32}{subsection.3.3.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Methods??}{33}{chapter.4}\protected@file@percent }
\newlabel{code:sys_enter_read_tp}{{3.5}{32}{Format of custom struct sys\_read\_enter\_ctx}{lstlisting.3.5}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.5}Format of custom struct sys\_read\_enter\_ctx.}{32}{lstlisting.3.5}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{33}{subsection.3.2.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.3}Memory corruption}{34}{section.3.3}\protected@file@percent }
\newlabel{section:mem_corruption}{{3.3}{34}{Memory corruption}{section.3.3}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.1}Accessing user memory}{34}{subsection.3.3.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Methods??}{35}{chapter.4}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Results}{34}{chapter.5}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Results}{36}{chapter.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Conclusion and future work}{35}{chapter.6}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Conclusion and future work}{37}{chapter.6}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{36}{chapter.6}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{38}{chapter.6}\protected@file@percent }
\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.36}{}}
\abx@aux@read@bbl@mdfivesum{F47E3F72E57DA91BA8A2EEF65A74B9DA}
\abx@aux@refcontextdefaultsdone
@@ -374,4 +379,4 @@
\abx@aux@defaultrefcontext{0}{unpriv_ebpf_redhat}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{8664_params_abi}{none/global//global/global}
\ttl@finishall
\gdef \@abspage@last{58}
\gdef \@abspage@last{60}


@@ -1,79 +1,79 @@
[0] Config.pm:311> INFO - This is Biber 2.16
[0] Config.pm:314> INFO - Logfile is 'document.blg'
[75] biber:340> INFO - === Thu Jun 2, 2022, 18:58:57
[92] Biber.pm:415> INFO - Reading 'document.bcf'
[173] Biber.pm:952> INFO - Found 61 citekeys in bib section 0
[188] Biber.pm:4340> INFO - Processing section 0
[198] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[202] bibtex.pm:1689> INFO - LaTeX decoding ...
[225] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 9, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 15, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 22, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 28, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 35, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 42, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 50, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 58, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 65, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 70, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 77, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 85, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 94, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 103, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 112, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 121, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 127, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 132, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 137, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 142, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 153, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 158, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 164, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 170, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 175, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 184, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 191, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 199, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 206, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 215, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 224, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 233, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 239, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 244, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 249, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 256, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 261, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 266, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 271, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 276, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 283, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 288, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 295, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 302, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 309, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 315, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 321, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 327, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 334, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 339, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 344, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 349, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 356, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 361, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 366, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 375, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 380, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 385, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 390, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 395, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 400, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 405, warning: 1 characters of junk seen at toplevel
[370] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_mMuB/f4d088b3f9f145b5c3058da33afd57d4_203373.utf8, line 410, warning: 1 characters of junk seen at toplevel
[411] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[61] biber:340> INFO - === Thu Jun 2, 2022, 19:20:02
[74] Biber.pm:415> INFO - Reading 'document.bcf'
[149] Biber.pm:952> INFO - Found 61 citekeys in bib section 0
[164] Biber.pm:4340> INFO - Processing section 0
[173] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[175] bibtex.pm:1689> INFO - LaTeX decoding ...
[198] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 9, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 15, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 22, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 28, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 35, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 42, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 50, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 58, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 65, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 70, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 77, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 85, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 94, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 103, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 112, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 121, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 127, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 132, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 137, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 142, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 153, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 158, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 164, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 170, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 175, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 184, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 191, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 199, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 206, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 215, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 224, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 233, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 239, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 244, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 249, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 256, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 261, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 266, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 271, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 276, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 283, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 288, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 295, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 302, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 309, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 315, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 321, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 327, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 334, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 339, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 344, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 349, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 356, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 361, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 366, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 375, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 380, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 385, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 390, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 395, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 400, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 405, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 410, warning: 1 characters of junk seen at toplevel
[411] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[412] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[412] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[460] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[474] bbl.pm:757> INFO - Output to document.bbl
[475] Biber.pm:128> INFO - WARNINGS: 63
[411] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[411] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[411] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[445] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[459] bbl.pm:757> INFO - Output to document.bbl
[459] Biber.pm:128> INFO - WARNINGS: 63


@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 2 JUN 2022 18:58
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 2 JUN 2022 21:07
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.
@@ -1089,7 +1089,7 @@ File: t1txss.fd 2000/12/15 v3.1
)
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 11.39996pt on input line 186.
<images//Portada_Logo.png, id=181, 456.2865pt x 45.99pt>
<images//Portada_Logo.png, id=185, 456.2865pt x 45.99pt>
File: images//Portada_Logo.png Graphic file (type png)
<use images//Portada_Logo.png>
Package pdftex.def Info: images//Portada_Logo.png used on input line 190.
@@ -1102,7 +1102,7 @@ LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 23.63593pt on input line 201.
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 19.70294pt on input line 205.
<images/creativecommons.png, id=183, 338.76563pt x 118.19156pt>
<images/creativecommons.png, id=187, 338.76563pt x 118.19156pt>
File: images/creativecommons.png Graphic file (type png)
<use images/creativecommons.png>
Package pdftex.def Info: images/creativecommons.png used on input line 215.
@@ -1214,7 +1214,7 @@ Chapter 2.
LaTeX Warning: Reference `section:analysis_offensive_capabilities' on page 5 un
defined on input line 412.
<images//classic_bpf.jpg, id=491, 588.1975pt x 432.61626pt>
<images//classic_bpf.jpg, id=497, 588.1975pt x 432.61626pt>
File: images//classic_bpf.jpg Graphic file (type jpg)
<use images//classic_bpf.jpg>
Package pdftex.def Info: images//classic_bpf.jpg used on input line 426.
@@ -1222,36 +1222,36 @@ Package pdftex.def Info: images//classic_bpf.jpg used on input line 426.
[5
] [6 <./images//classic_bpf.jpg>]
<images//cbpf_prog.jpg, id=509, 403.5075pt x 451.6875pt>
<images//cbpf_prog.jpg, id=515, 403.5075pt x 451.6875pt>
File: images//cbpf_prog.jpg Graphic file (type jpg)
<use images//cbpf_prog.jpg>
Package pdftex.def Info: images//cbpf_prog.jpg used on input line 453.
(pdftex.def) Requested size: 227.62204pt x 254.80415pt.
[7 <./images/cBPF_prog.jpg>]
<images//bpf_instructions.png, id=519, 380.92313pt x 475.27562pt>
<images//bpf_instructions.png, id=525, 380.92313pt x 475.27562pt>
File: images//bpf_instructions.png Graphic file (type png)
<use images//bpf_instructions.png>
Package pdftex.def Info: images//bpf_instructions.png used on input line 493.
(pdftex.def) Requested size: 227.62204pt x 283.99998pt.
[8 <./images//bpf_instructions.png>]
<images//bpf_address_mode.png, id=529, 417.05812pt x 313.67188pt>
<images//bpf_address_mode.png, id=535, 417.05812pt x 313.67188pt>
File: images//bpf_address_mode.png Graphic file (type png)
<use images//bpf_address_mode.png>
Package pdftex.def Info: images//bpf_address_mode.png used on input line 509.
(pdftex.def) Requested size: 227.62204pt x 171.19905pt.
[9 <./images//bpf_address_mode.png>]
<images//tcpdump_example.png, id=542, 534.99875pt x 454.69875pt>
<images//tcpdump_example.png, id=548, 534.99875pt x 454.69875pt>
File: images//tcpdump_example.png Graphic file (type png)
<use images//tcpdump_example.png>
Package pdftex.def Info: images//tcpdump_example.png used on input line 524.
(pdftex.def) Requested size: 284.52756pt x 241.82869pt.
<images//cBPF_prog_ex_sol.png, id=545, 242.9075pt x 321.2pt>
<images//cBPF_prog_ex_sol.png, id=551, 242.9075pt x 321.2pt>
File: images//cBPF_prog_ex_sol.png Graphic file (type png)
<use images//cBPF_prog_ex_sol.png>
Package pdftex.def Info: images//cBPF_prog_ex_sol.png used on input line 535.
(pdftex.def) Requested size: 170.71652pt x 225.74026pt.
[10 <./images//tcpdump_example.png>] [11 <./images//cBPF_prog_ex_sol.png>]
<images//ebpf_arch.jpg, id=563, 739.76375pt x 472.76625pt>
<images//ebpf_arch.jpg, id=569, 739.76375pt x 472.76625pt>
File: images//ebpf_arch.jpg Graphic file (type jpg)
<use images//ebpf_arch.jpg>
Package pdftex.def Info: images//ebpf_arch.jpg used on input line 574.
@@ -1303,7 +1303,7 @@ Overfull \hbox (13.5802pt too wide) in paragraph at lines 758--788
[]
[17]
<images//xdp_diag.jpg, id=643, 649.42625pt x 472.76625pt>
<images//xdp_diag.jpg, id=649, 649.42625pt x 472.76625pt>
File: images//xdp_diag.jpg Graphic file (type jpg)
<use images//xdp_diag.jpg>
Package pdftex.def Info: images//xdp_diag.jpg used on input line 804.
@@ -1314,7 +1314,7 @@ Overfull \hbox (5.80417pt too wide) in paragraph at lines 867--879
[]
[20] [21] [22] [23]
<images//libbpf_prog.jpg, id=702, 543.02875pt x 502.87875pt>
<images//libbpf_prog.jpg, id=708, 543.02875pt x 502.87875pt>
File: images//libbpf_prog.jpg Graphic file (type jpg)
<use images//libbpf_prog.jpg>
Package pdftex.def Info: images//libbpf_prog.jpg used on input line 977.
@@ -1358,85 +1358,92 @@ File: lstmisc.sty 2020/03/24 1.8d (Carsten Heinz)
)
Package hyperref Info: bookmark level for unknown lstlisting defaults to 0 on i
nput line 1141.
[30]
LaTeX Font Info: Trying to load font information for T1+txtt on input line 1
141.
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txtt.fd
File: t1txtt.fd 2000/12/15 v3.1
) [30]
)
LaTeX Font Info: Font shape `T1/txtt/b/n' in size <10> not available
(Font) Font shape `T1/txtt/bx/n' tried instead on input line 1143.
[31] [32]
Overfull \hbox (55.2727pt too wide) in paragraph at lines 1286--1287
\T1/txr/m/n/12 As we in-tro-duced in the pre-vi-ous sub-sec-tion, the bpf_probe
_read_user() and bpf_probe_read_kernel()
[]
[33] [34]
Chapter 4.
[33
]
Chapter 5.
[34
]
Chapter 6.
[35
]
Overfull \hbox (5.34976pt too wide) in paragraph at lines 1291--1291
Chapter 5.
[36
]
Chapter 6.
[37
]
Overfull \hbox (5.34976pt too wide) in paragraph at lines 1330--1330
\T1/txtt/m/n/12 threat -[] intelligence / cyber -[] year -[] in -[] retrospect
/ yir -[] cyber -[] threats -[]
[]
[36
[38
]
Overfull \hbox (6.22696pt too wide) in paragraph at lines 1291--1291
Overfull \hbox (6.22696pt too wide) in paragraph at lines 1330--1330
[]\T1/txr/m/it/12 Bpf fea-tures by linux ker-nel ver-sion\T1/txr/m/n/12 , io-vi
-sor. [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / github .
[]
Overfull \hbox (7.34976pt too wide) in paragraph at lines 1291--1291
Overfull \hbox (7.34976pt too wide) in paragraph at lines 1330--1330
[][]$\T1/txtt/m/n/12 https : / / ebpf . io / what -[] is -[] ebpf / #loader -[]
-[] verification -[] architecture$[][]\T1/txr/m/n/12 .
[]
Overfull \hbox (21.24973pt too wide) in paragraph at lines 1291--1291
Overfull \hbox (21.24973pt too wide) in paragraph at lines 1330--1330
\T1/txtt/m/n/12 vger . kernel . org / netconf2015Starovoitov -[] bpf _ collabsu
mmit _ 2015feb20 .
[]
[37]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 1291--1291
[39]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 1330--1330
\T1/txtt/m/n/12 ch02 . xhtml# :-[]: text = With % 20JIT % 20compiled % 20code %
2C % 20i ,[] %20other %
[]
Overfull \hbox (6.49615pt too wide) in paragraph at lines 1291--1291
Overfull \hbox (6.49615pt too wide) in paragraph at lines 1330--1330
[]\T1/txr/m/n/12 D. Lavie. ^^P A gen-tle in-tro-duc-tion to xdp.^^Q (Feb. 3, 2
022), [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https :
[]
[38]
Overfull \hbox (0.76683pt too wide) in paragraph at lines 1291--1291
[40]
Overfull \hbox (0.76683pt too wide) in paragraph at lines 1330--1330
[]\T1/txr/m/n/12 ^^P Bpf next ker-nel tree.^^Q (), [On-line]. Avail-able: [][]
$\T1/txtt/m/n/12 https : / / kernel . googlesource .
[]
Overfull \hbox (14.49278pt too wide) in paragraph at lines 1291--1291
Overfull \hbox (14.49278pt too wide) in paragraph at lines 1330--1330
[]\T1/txr/m/it/12 Capabilities - overview of linux ca-pa-bil-i-ties\T1/txr/m/n/
12 . [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 http : / / manpages .
[]
[39]
Overfull \hbox (53.32059pt too wide) in paragraph at lines 1291--1291
[41]
Overfull \hbox (53.32059pt too wide) in paragraph at lines 1330--1330
\T1/txr/m/it/12 sup-ple-ment\T1/txr/m/n/12 , Jan. 28, 2018, p. 148. [On-line].
Avail-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
[]
[40] (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
[42] (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
File: lstlang1.sty 2020/03/24 1.8d listings language file
)
(/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
@@ -1447,7 +1454,7 @@ File: lstlang1.sty 2020/03/24 1.8d listings language file
been already used, duplicate ignored
<to be read again>
\relax
l.1351 \end{document}
l.1390 \end{document}
[2
] (./document.aux)
@@ -1455,19 +1462,19 @@ l.1351 \end{document}
LaTeX Warning: There were undefined references.
Package rerunfilecheck Info: File `document.out' has not changed.
(rerunfilecheck) Checksum: 986F56F3947BD730EBF6BFF75F31FFDD;3180.
(rerunfilecheck) Checksum: 20DB7CB323EAFF43AD98146C3A150506;3274.
Package logreq Info: Writing requests to 'document.run.xml'.
\openout1 = `document.run.xml'.
)
Here is how much of TeX's memory you used:
28129 strings out of 481209
447183 string characters out of 5914747
1335757 words of memory out of 5000000
44399 multiletter control sequences out of 15000+600000
28158 strings out of 481209
447576 string characters out of 5914747
1336920 words of memory out of 5000000
44416 multiletter control sequences out of 15000+600000
459242 words of font info for 106 fonts, out of 8000000 for 9000
36 hyphenation exceptions out of 8191
88i,12n,90p,1029b,3702s stack positions out of 5000i,500n,10000p,200000b,80000s
88i,12n,90p,1029b,3681s stack positions out of 5000i,500n,10000p,200000b,80000s
{/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc}</usr/share/texliv
e/texmf-dist/fonts/type1/public/txfonts/rtcxi.pfb></usr/share/texlive/texmf-dis
t/fonts/type1/public/txfonts/rtcxr.pfb></usr/share/texlive/texmf-dist/fonts/typ
@@ -1480,9 +1487,9 @@ e/texmf-dist/fonts/type1/urw/helvetic/uhvb8a.pfb></usr/share/texlive/texmf-dist
/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/u
tmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr
/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on document.pdf (58 pages, 775719 bytes).
Output written on document.pdf (60 pages, 784308 bytes).
PDF statistics:
1098 PDF objects out of 1200 (max. 8388607)
232 named destinations out of 1000 (max. 500000)
420 words of extra memory for PDF output out of 10000 (max. 10000000)
1130 PDF objects out of 1200 (max. 8388607)
244 named destinations out of 1000 (max. 500000)
428 words of extra memory for PDF output out of 10000 (max. 10000000)


@@ -36,9 +36,10 @@
\BOOKMARK [2][-]{subsection.3.1.2}{eBPF\040maps\040security}{section.3.1}% 36
\BOOKMARK [1][-]{section.3.2}{Abusing\040tracing\040programs}{chapter.3}% 37
\BOOKMARK [2][-]{subsection.3.2.1}{Access\040to\040function\040arguments}{section.3.2}% 38
\BOOKMARK [1][-]{section.3.3}{Memory\040corruption}{chapter.3}% 39
\BOOKMARK [2][-]{subsection.3.3.1}{Accessing\040user\040memory}{section.3.3}% 40
\BOOKMARK [0][-]{chapter.4}{Methods??}{}% 41
\BOOKMARK [0][-]{chapter.5}{Results}{}% 42
\BOOKMARK [0][-]{chapter.6}{Conclusion\040and\040future\040work}{}% 43
\BOOKMARK [0][-]{chapter.6}{Bibliography}{}% 44
\BOOKMARK [2][-]{subsection.3.2.2}{Reading\040memory\040out\040of\040bounds}{section.3.2}% 39
\BOOKMARK [1][-]{section.3.3}{Memory\040corruption}{chapter.3}% 40
\BOOKMARK [2][-]{subsection.3.3.1}{Accessing\040user\040memory}{section.3.3}% 41
\BOOKMARK [0][-]{chapter.4}{Methods??}{}% 42
\BOOKMARK [0][-]{chapter.5}{Results}{}% 43
\BOOKMARK [0][-]{chapter.6}{Conclusion\040and\040future\040work}{}% 44
\BOOKMARK [0][-]{chapter.6}{Bibliography}{}% 45

Binary file not shown.

Binary file not shown.


@@ -907,7 +907,7 @@ bpf\_skb\_change\_tail() & Enlarges or reduces the extension of a packet, by mov
%TODO This section might benefit from some diagrams, maybe. It was a bit to extense already, so skipping it from now
\subsection{Tracepoints}
\subsection{Tracepoints} \label{subsection:tracepoints}
Tracepoints are a technology in the Linux kernel that allows to hook functions in the kernel, connecting a 'probe': a function that is executed every time the hooked function is called\cite{tp_kernel}. These tracepoints are set statically during kernel development, meaning that for a function to be hooked, it needs to have been previously marked with a tracepoint statement indicating its traceability. At the same time, this limits the number of tracepoints available.
The list of tracepoint events available depends on the kernel version and can be visited under the directory \textit{/sys/kernel/debug/tracing/events}.
@@ -1013,7 +1013,7 @@ Note that the BPF skeleton also offers further granularity at the time of dealin
\chapter{Analysis of offensive capabilities}
In the previous chapter, we detailed which functionalities eBPF offers and studied its underlying architecture. As with every technology, a prior deep understanding is fundamental for discussing its security implications.
Therefore, given the previous background, this chapter is dedicated to an analysis in detail of the security implications of a malicious use of eBPF. For this, we will firstly explore the security features incorporated in the eBPF system. Then, we will revise previous research to identify the fundamental pillars onto which malware can build their functionality. As we mentioned during the project goals, these main topics of research will be the following:
Therefore, given the previous background, this chapter is dedicated to an analysis in detail of the security implications of a malicious use of eBPF. For this, we will firstly explore the security features incorporated in the eBPF system. Then, we will identify the fundamental pillars onto which malware can build their functionality. As we mentioned during the project goals, these main topics of research will be the following:
\begin{itemize}
\item Analysing eBPF's possibilities when hooking system calls and kernel functions.
\item Learning eBPF's potential to read/write arbitrary memory.
@@ -1135,7 +1135,7 @@ Therefore, a malicious privileged eBPF program can access and modify other progr
eBPF tracing programs (kprobes, uprobes and tracepoints) are hooked to specific points in the kernel or in the user space, and call probe functions once the flow of execution reaches the instruction to which they are attached. This section details the main security concerns regarding this type of programs.
\subsection{Access to function arguments}
As we saw in section \ref{section:ebpf_prog_types}, tracing programs receive as a parameter those arguments with which the hooked function originally was called. The next code snippets show the format in which they are received when using libbpf (Note that libbpf also included macros that offer an alternative format, but the parameters are the same).
As we saw in section \ref{section:ebpf_prog_types}, tracing programs receive as a parameter those arguments with which the hooked function originally was called. These parameters are read-only and thus, in principle, they cannot be modified inside the tracing program (we will show this is not entirely true in section \ref{section:mem_corruption}). The next code snippets show the format in which parameters are received when using libbpf (Note that libbpf also includes some macros that offer an alternative format, but the parameters are the same).
\begin{lstlisting}[language=C, caption={Probe function for a kprobe on the kernel function vfs\_write.}, label={code:format_kprobe}]
@@ -1247,13 +1247,52 @@ rbp & Base/Frame Pointer - Memory address of the start of the stack frame\\
\label{table:systemv_abi_other}
\end{table}
In the case of tracepoints, we can see in code snippet \ref{code:format_tracepoint} that it receives a \textit{struct sys\_read\_enter\_ctx*}. This struct must be manually defined, as explained in \ref{subsection:tracepoints}, by looking at the file \textit{/sys/kernel/debug/tracing/events/syscalls/sys\_enter\_read/format}. Code snippet \ref{code:sys_enter_read_tp} shows the format of the struct.
\begin{lstlisting}[language=C, caption={Format of custom struct sys\_read\_enter\_ctx.}, label={code:sys_enter_read_tp}]
struct sys_read_enter_ctx {
unsigned long long pt_regs;
int __syscall_nr;
unsigned int padding;
unsigned long fd;
char* buf;
size_t count;
};
\end{lstlisting}
As we can observe, we are given a set of attributes which include the parameters with which the syscall was called, and a first attribute containing the address pointing to another \textit{struct pt\_regs} as in kprobes and uprobes, so that we will be able to extract the value of the rest of the registers too. It must be noted that, in syscalls, in addition to use the kernel parameter passing convention specified in table \ref{table:systemv_abi}, the number specifying the syscall must be passed in register rax too.
On a final note, as we mentioned in section \ref{section:ebpf_prog_types}, there exist differences in the parameters received in probe functions depending on the two variations of tracing programs. Therefore:
\begin{itemize}
\item kprobe, uprobe and \textit{enter} tracepoints will receive the full parameters as we specified before, but not the return value of the function (since it is not executed yet).
\item kretprobes, uretprobes and \textit{exit} tracepoints will still receive the \textit{struct pt\_regs}, but without any of the parameters and with only the return value of the function.
\end{itemize}
Taking into account all the previous, the fact that tracing programs have read-only access to function arguments can be considered an useful and needed feature for tracing applications, but malicious eBPF can use this for purposes such as:
\begin{itemize}
\item Gather kernel and user data passed to a function as a parameter. In many cases this information can be potentially interesting for an attacker, such as passwords.
\item Store in eBPF maps information about system activities, to be used by other malicious eBPF programs.
\end{itemize}
Usually, since many function arguments are pointers to user or kernel addresses (such as buffers where a string or a struct with data is located), eBPF tracing programs can use two eBPF helpers that enable to read large byte arrays from both kernel and user space:
\begin{itemize}
\item bpf\_probe\_read\_user()
\item bpf\_probe\_read\_kernel()
\end{itemize}
These helpers, previously introduced in table \ref{table:ebpf_helpers}, enable to read an arbitrary number of bytes from an user or kernel address respectively, allowing us to extract the information pointed by the parameters received by eBPF programs.
\subsection{Reading memory out of bounds}
As we introduced in the previous subsection, the bpf\_probe\_read\_user() and bpf\_probe\_read\_kernel() helpers can be used to access memory of pointers received as parameters in the hooked functions.
In general, the eBPF verifier attempts to reject illegal memory accesses, however it does not prevent a malicious program from passing an arbitrary memory address (in kernel or user space) to the above helpers. This means that an eBPF program can read any address in user or kernel space. Furthermore, an attacker can locate specific data structures and memory sections by taking the function parameter as a reference point in memory.
A particularly relevant case (which we will later use for our rootkit) involves accessing user memory via the parameters of tracepoints attached at system calls. Provided the nature of syscalls, whose purpose is to communicate user and kernel space, all parameters received will belong to the user space, and therefore any pointer passed will be an address in user memory.
%TODO continue here, next is explaining stack scanning technique
\section{Memory corruption}
\section{Memory corruption} \label{section:mem_corruption}
Privileged malicious eBPF programs (or those with the CAP\_BPF + CAP\_PERFMON capabilities) have the potential to get:
\begin{itemize}
\item Read and write access in user memory.
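Review bot: The `sys_read_enter_ctx` listing declares its first field as `unsigned long long pt_regs;` and the paragraph below it describes that field as the address of a `struct pt_regs` "as in kprobes and uprobes", but the `format` file that same paragraph tells the reader to consult lists the 8-byte common trace header (`common_type`, `common_flags`, `common_preempt_count`, `common_pid`) at offset 0, not a register pointer, so a syscall tracepoint context does not give the probe the remaining registers the way a kprobe's `struct pt_regs` does. I would rename the field to match the header it actually covers (for example `unsigned long long common_header; // common_type/flags/preempt_count/pid`) and drop or rework the sentence that derives register access from it. In the out-of-bounds subsection, the statement that "an eBPF program can read any address in user or kernel space" would be more precise with the two bounds the helpers impose: bpf\_probe\_read\_kernel() requires the loader to hold CAP\_PERFMON (or CAP\_SYS\_ADMIN), and both helpers fail with an error and zero the destination for unmapped or otherwise inaccessible addresses rather than returning data. The `%TODO continue here` marker and the unexplained "stack scanning technique" reference should be resolved or removed before the chapter is considered complete.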


@@ -77,15 +77,17 @@
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.2.1}Access to function arguments}{30}{subsection.3.2.1}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {3.3}Memory corruption}{32}{section.3.3}%
\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{33}{subsection.3.2.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.3.1}Accessing user memory}{32}{subsection.3.3.1}%
\contentsline {section}{\numberline {3.3}Memory corruption}{34}{section.3.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {4}Methods??}{33}{chapter.4}%
\contentsline {subsection}{\numberline {3.3.1}Accessing user memory}{34}{subsection.3.3.1}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Results}{34}{chapter.5}%
\contentsline {chapter}{\numberline {4}Methods??}{35}{chapter.4}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {6}Conclusion and future work}{35}{chapter.6}%
\contentsline {chapter}{\numberline {5}Results}{36}{chapter.5}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{36}{chapter.6}%
\contentsline {chapter}{\numberline {6}Conclusion and future work}{37}{chapter.6}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{38}{chapter.6}%
\contentsfinish


@@ -73,15 +73,15 @@
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/">
<xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool>
<xmp:ModifyDate>2022-06-02T18:58:59-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-06-02T18:58:59-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-06-02T18:58:59-04:00</xmp:MetadataDate>
<xmp:ModifyDate>2022-06-02T21:07:01-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-06-02T21:07:01-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-06-02T21:07:01-04:00</xmp:MetadataDate>
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/">
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/">
<xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID>
<xmpMM:InstanceID>uuid:3F9C98B7-9F3F-22FB-04E4-95C2B6B88512</xmpMM:InstanceID>
<xmpMM:InstanceID>uuid:6D3E5CED-EA6F-CB21-6268-B6ABB3457825</xmpMM:InstanceID>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>