mirror of
https://github.com/h3xduck/TripleCross.git
synced 2025-12-24 18:33:08 +08:00
Completed command and control
@@ -1,4 +1,4 @@
|
||||
\chapter{Analysis of offensive capabilities of eBPF} \label{chapter:analysis_offensive_capabilities}
|
||||
\chapter{Analysis of offensive capabilities} \label{chapter:analysis_offensive_capabilities}
|
||||
In the previous chapter, we detailed which functionalities eBPF offers and studied its underlying architecture. As with every technology, a prior deep understanding is fundamental for discussing its security implications.
|
||||
|
||||
Therefore, given the previous background, this chapter is dedicated to an analysis in detail of the security implications of a malicious use of eBPF. For this, we will firstly explore the security features incorporated in the eBPF system. Then, we will identify the fundamental pillars onto which malware can build their functionality. As we mentioned during the project goals, these main topics of research will be the following:
|
||||
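Review bot: the chapter title is shortened from "Analysis of offensive capabilities of eBPF" to "Analysis of offensive capabilities", but the commit message ("Completed command and control") says nothing about a title change; note the rename in the message or move it into its own commit so the history explains it. Keeping `\label{chapter:analysis_offensive_capabilities}` means existing `\ref`s still resolve, which is good, but the unchanged intro sentence right below still scopes the chapter to "a malicious use of eBPF", so either the intro should be widened to match the more general title, or the original, more precise title should stay.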
@@ -317,7 +317,7 @@ Networking eBPF programs not only have read access to the network packets, but a
|
||||
Apart from write access to the packet, the other critical feature of networking programs is their ability to drop packets. As we presented in tables \ref{table:xdp_actions_av} and \ref{table:tc_actions}, this can be achieved by returning specific values.
|
||||
|
||||
|
||||
\subsection{Attacks and limitations of networking programs}
|
||||
\subsection{Attacks and limitations of networking programs} \label{subsection:network_attacks}
|
||||
Based on the previous background, we will now proceed to explore which limitations exist on which actions a network eBPF program can perform:
|
||||
\begin{itemize}
|
||||
\item Read and write access to the packet is heavily controlled by the eBPF verifier. It is not possible to read or write data out of bounds. Extreme care must also be taken before attempting to read any data inside the packet, since the verifier first requires making lots of checks beforehand. For any access to take place, the program must first classify the packet according to the network protocol it belongs, and later check that every header of every layer is well defined (e.g: Ethernet, IP and TCP). Only after that, the headers can be modified.
|
||||
|
||||
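Review bot: `\label{subsection:network_attacks}` is added to the heading, but nothing in this diff uses it; if the new `\ref` lives in the command-and-control text this commit is about, including that text in the same change would make the label's use reviewable, and a clean LaTeX build should confirm the name is not already defined elsewhere. The `subsection:` prefix follows the `chapter:` naming scheme already used in this file, so the label name itself is consistent.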