Finished analysis of offensive capabilities (techniques from defcon finally not included, at least for now)

h3xduck
2022-06-06 20:50:28 -04:00
parent 55378027ab
commit 92103d234e
18 changed files with 543 additions and 212 deletions


@@ -496,8 +496,44 @@ AMD64 Architecture Processor Supplement},
pages={19-22},
date={2018-01-28},
url={https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf}
}
},
@online{network_layers,
title={The Network Layers Explained [with examples]},
author={Alienor},
date={2018-11-28},
url={https://www.plixer.com/blog/network-layers-explained/}
},
@online{tcp_reliable,
title={Transmission Control Protocol},
date={2022-04-19},
organization={IBM},
url={https://www.ibm.com/docs/en/aix/7.2?topic=protocols-transmission-control-protocol}
},
@online{tcp_handshake,
title={Three-Way Handshake},
url={https://www.sciencedirect.com/topics/computer-science/three-way-handshake}
},
@proceedings{evil_ebpf_p6974,
institution = {NCC Group},
author = {Jeff Dileo},
organization= {DEFCON 27},
eventtitle = {Evil eBPF Practical Abuses of an In-Kernel Bytecode Runtime},
url = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf},
pages={69-74}
},
@proceedings{ebpf_friends_p37,
institution = {Datadog},
author = {Guillaume Fournier, Sylvain Afchainthe},
organization= {DEFCON 29},
eventtitle = {Cyber Threats 2021: A year in Retrospect},
url = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf},
pages={37}
},
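Review bot: The `ebpf_friends_p37` entry's metadata is internally inconsistent: its `eventtitle` reads "Cyber Threats 2021: A year in Retrospect" while the `url` filename names the talk "eBPF, I thought we were friends", and `author` spells the second name "Afchainthe" where that same filename reads "Sylvain Afchain" and lists a third author "Sylvain Baubeau". The author list is also comma-separated; BibTeX/biblatex expect `and` between names, so the current value would be parsed as one name — `author = {Guillaume Fournier and Sylvain Afchain and Sylvain Baubeau}` once confirmed against the slides. Both `@proceedings` entries carry the talk name only in `eventtitle`; the `.bbl` generated in this same commit has no `title` field for `evil_ebpf_p6974`, so that reference will likely print without a title unless a `title = {...}` is added. If the second entry is deliberately left uncited, as the commit message suggests, a short `% not yet cited` comment above it would save the next reader from wondering.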


@@ -29,6 +29,7 @@
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.1}Motivation}{1}{section.1.1}\protected@file@percent }
\newlabel{section:motivation}{{1.1}{1}{Motivation}{section.1.1}{}}
\abx@aux@cite{rootkit_ptsecurity}
\abx@aux@segm{0}{0}{rootkit_ptsecurity}
\abx@aux@cite{ebpf_linux318}
@@ -258,6 +259,7 @@
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Analysis of offensive capabilities}{27}{chapter.3}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\newlabel{chapter:analysis_offensive_capabilities}{{3}{27}{Analysis of offensive capabilities}{chapter.3}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.1}Security features in eBPF}{27}{section.3.1}\protected@file@percent }
\abx@aux@cite{ubuntu_caps}
\abx@aux@segm{0}{0}{ubuntu_caps}
@@ -368,6 +370,8 @@
\abx@aux@segm{0}{0}{code_vfs_read}
\abx@aux@cite{code_vfs_read}
\abx@aux@segm{0}{0}{code_vfs_read}
\abx@aux@cite{evil_ebpf_p6974}
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
\abx@aux@cite{8664_params_abi_p1922}
\abx@aux@segm{0}{0}{8664_params_abi_p1922}
\newlabel{code:vfs_read}{{3.9}{44}{Definition of kernel function vfs\_read. \cite {code_vfs_read}}{lstlisting.3.9}{}}
@@ -378,16 +382,37 @@
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.10}Sample program being executed on figure \ref {fig:stack_scan_write_tech}.}{45}{lstlisting.3.10}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.5}Conclusion}{46}{subsection.3.3.5}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.4}Abusing networking programs}{46}{section.3.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.1}Attacks and limitations of networking programs}{47}{subsection.3.4.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{48}{chapter.4}\protected@file@percent }
\newlabel{section:abusing_networking}{{3.4}{46}{Abusing networking programs}{section.3.4}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.1}An overview on the network layer}{47}{subsection.3.4.1}\protected@file@percent }
\abx@aux@cite{network_layers}
\abx@aux@segm{0}{0}{network_layers}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.10}{\ignorespaces Ethernet frame with TCP/IP packet.\relax }}{48}{figure.caption.44}\protected@file@percent }
\newlabel{fig:frame}{{3.10}{48}{Ethernet frame with TCP/IP packet.\relax }{figure.caption.44}{}}
\abx@aux@cite{tcp_reliable}
\abx@aux@segm{0}{0}{tcp_reliable}
\abx@aux@cite{tcp_handshake}
\abx@aux@segm{0}{0}{tcp_handshake}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.2}Introduction to the TCP protocol}{49}{subsection.3.4.2}\protected@file@percent }
\newlabel{subsection:tcp}{{3.4.2}{49}{Introduction to the TCP protocol}{subsection.3.4.2}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.6}{\ignorespaces Relevant TCP flags and their purpose.\relax }}{49}{table.caption.45}\protected@file@percent }
\newlabel{table:tcp_flags}{{3.6}{49}{Relevant TCP flags and their purpose.\relax }{table.caption.45}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.11}{\ignorespaces TCP 3-way handshake.\relax }}{50}{figure.caption.46}\protected@file@percent }
\newlabel{fig:tcp_conn}{{3.11}{50}{TCP 3-way handshake.\relax }{figure.caption.46}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.12}{\ignorespaces TCP packet retransmission on timeout.\relax }}{51}{figure.caption.47}\protected@file@percent }
\newlabel{fig:tcp_retransmission}{{3.12}{51}{TCP packet retransmission on timeout.\relax }{figure.caption.47}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.3}Attacks and limitations of networking programs}{51}{subsection.3.4.3}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.13}{\ignorespaces Technique to duplicate a packet for exfiltrating data.\relax }}{53}{figure.caption.48}\protected@file@percent }
\newlabel{fig:tcp_exfiltrate_retrans}{{3.13}{53}{Technique to duplicate a packet for exfiltrating data.\relax }{figure.caption.48}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.4}Conclusion}{53}{subsection.3.4.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{55}{chapter.4}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{49}{chapter.5}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{56}{chapter.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{50}{chapter.5}\protected@file@percent }
\newlabel{annex:bpftool_flags_kernel}{{5}{}{Appendix A - Bpftool commands}{chapter*.45}{}}
\abx@aux@read@bbl@mdfivesum{070A0F15FB780499B250A471B22B0670}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{57}{chapter.5}\protected@file@percent }
\newlabel{annex:bpftool_flags_kernel}{{5}{}{Appendix A - Bpftool commands}{chapter*.50}{}}
\abx@aux@read@bbl@mdfivesum{77A5019A60516627679C213125A49687}
\abx@aux@refcontextdefaultsdone
\abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global}
@@ -461,6 +486,10 @@
\abx@aux@defaultrefcontext{0}{8664_params_abi_p18}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{write_helper_non_fault}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{code_vfs_read}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{evil_ebpf_p6974}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{8664_params_abi_p1922}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{network_layers}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{tcp_reliable}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{tcp_handshake}{none/global//global/global}
\ttl@finishall
\gdef \@abspage@last{73}
\gdef \@abspage@last{81}


@@ -1557,6 +1557,40 @@
\verb https://elixir.bootlin.com/linux/v5.11/source/fs/read_write.c#L476
\endverb
\endentry
\entry{evil_ebpf_p6974}{proceedings}{}
\name{author}{1}{}{%
{{hash=5142e68c748eb70cb619b21160eb7f72}{%
family={Dileo},
familyi={D\bibinitperiod},
given={Jeff},
giveni={J\bibinitperiod}}}%
}
\list{institution}{1}{%
{NCC Group}%
}
\list{organization}{1}{%
{DEFCON 27}%
}
\strng{namehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{fullhash}{5142e68c748eb70cb619b21160eb7f72}
\strng{bibnamehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{authorbibnamehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{authornamehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{authorfullhash}{5142e68c748eb70cb619b21160eb7f72}
\field{extraname}{3}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labelnamesource}{author}
\field{eventtitle}{Evil eBPF Practical Abuses of an In-Kernel Bytecode Runtime}
\field{pages}{69\bibrangedash 74}
\range{pages}{6}
\verb{urlraw}
\verb https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf
\endverb
\verb{url}
\verb https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf
\endverb
\endentry
\entry{8664_params_abi_p1922}{manual}{}
\name{author}{1}{}{%
{{hash=871f02558cb7234c22cde24811cf53a7}{%
@@ -1592,6 +1626,65 @@
\verb https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf
\endverb
\endentry
\entry{network_layers}{online}{}
\name{author}{1}{}{%
{{hash=ed79ecb3ff4a83522b186b5e3fa37b0d}{%
family={Alienor},
familyi={A\bibinitperiod}}}%
}
\strng{namehash}{ed79ecb3ff4a83522b186b5e3fa37b0d}
\strng{fullhash}{ed79ecb3ff4a83522b186b5e3fa37b0d}
\strng{bibnamehash}{ed79ecb3ff4a83522b186b5e3fa37b0d}
\strng{authorbibnamehash}{ed79ecb3ff4a83522b186b5e3fa37b0d}
\strng{authornamehash}{ed79ecb3ff4a83522b186b5e3fa37b0d}
\strng{authorfullhash}{ed79ecb3ff4a83522b186b5e3fa37b0d}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{28}
\field{month}{11}
\field{title}{The Network Layers Explained [with examples]}
\field{year}{2018}
\field{dateera}{ce}
\verb{urlraw}
\verb https://www.plixer.com/blog/network-layers-explained/
\endverb
\verb{url}
\verb https://www.plixer.com/blog/network-layers-explained/
\endverb
\endentry
\entry{tcp_reliable}{online}{}
\list{organization}{1}{%
{IBM}%
}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{day}{19}
\field{month}{4}
\field{title}{Transmission Control Protocol}
\field{year}{2022}
\field{dateera}{ce}
\verb{urlraw}
\verb https://www.ibm.com/docs/en/aix/7.2?topic=protocols-transmission-control-protocol
\endverb
\verb{url}
\verb https://www.ibm.com/docs/en/aix/7.2?topic=protocols-transmission-control-protocol
\endverb
\endentry
\entry{tcp_handshake}{online}{}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{title}{Three-Way Handshake}
\verb{urlraw}
\verb https://www.sciencedirect.com/topics/computer-science/three-way-handshake
\endverb
\verb{url}
\verb https://www.sciencedirect.com/topics/computer-science/three-way-handshake
\endverb
\endentry
\enddatalist
\endrefsection
\endinput


@@ -2441,7 +2441,11 @@
<bcf:citekey order="104">write_helper_non_fault</bcf:citekey>
<bcf:citekey order="105">code_vfs_read</bcf:citekey>
<bcf:citekey order="106">code_vfs_read</bcf:citekey>
<bcf:citekey order="107">8664_params_abi_p1922</bcf:citekey>
<bcf:citekey order="107">evil_ebpf_p6974</bcf:citekey>
<bcf:citekey order="108">8664_params_abi_p1922</bcf:citekey>
<bcf:citekey order="109">network_layers</bcf:citekey>
<bcf:citekey order="110">tcp_reliable</bcf:citekey>
<bcf:citekey order="111">tcp_handshake</bcf:citekey>
</bcf:section>
<!-- SORTING TEMPLATES -->
<bcf:sortingtemplate name="none">


@@ -1,91 +1,96 @@
[0] Config.pm:311> INFO - This is Biber 2.16
[0] Config.pm:314> INFO - Logfile is 'document.blg'
[60] biber:340> INFO - === Sun Jun 5, 2022, 18:05:09
[76] Biber.pm:415> INFO - Reading 'document.bcf'
[150] Biber.pm:952> INFO - Found 73 citekeys in bib section 0
[165] Biber.pm:4340> INFO - Processing section 0
[174] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[177] bibtex.pm:1689> INFO - LaTeX decoding ...
[205] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[384] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 9, warning: 1 characters of junk seen at toplevel
[384] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 15, warning: 1 characters of junk seen at toplevel
[384] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 22, warning: 1 characters of junk seen at toplevel
[384] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 28, warning: 1 characters of junk seen at toplevel
[384] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 35, warning: 1 characters of junk seen at toplevel
[384] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 42, warning: 1 characters of junk seen at toplevel
[384] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 50, warning: 1 characters of junk seen at toplevel
[384] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 58, warning: 1 characters of junk seen at toplevel
[384] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 65, warning: 1 characters of junk seen at toplevel
[384] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 70, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 77, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 85, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 94, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 103, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 112, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 121, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 127, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 132, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 137, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 142, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 153, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 158, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 164, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 170, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 175, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 184, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 191, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 199, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 206, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 215, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 224, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 233, warning: 1 characters of junk seen at toplevel
[385] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 239, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 244, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 249, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 256, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 261, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 266, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 271, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 276, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 283, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 288, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 295, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 302, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 309, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 315, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 321, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 327, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 334, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 339, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 344, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 349, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 356, warning: 1 characters of junk seen at toplevel
[386] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 361, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 366, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 375, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 380, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 385, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 390, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 395, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 400, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 405, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 410, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 419, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 428, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 433, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 438, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 443, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 449, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 459, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 466, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 473, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 482, warning: 1 characters of junk seen at toplevel
[387] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 487, warning: 1 characters of junk seen at toplevel
[388] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BrAh/f4d088b3f9f145b5c3058da33afd57d4_244039.utf8, line 492, warning: 1 characters of junk seen at toplevel
[431] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[432] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[432] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[432] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[472] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[489] bbl.pm:757> INFO - Output to document.bbl
[489] Biber.pm:128> INFO - WARNINGS: 75
[59] biber:340> INFO - === Mon Jun 6, 2022, 20:45:55
[71] Biber.pm:415> INFO - Reading 'document.bcf'
[149] Biber.pm:952> INFO - Found 77 citekeys in bib section 0
[163] Biber.pm:4340> INFO - Processing section 0
[172] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[174] bibtex.pm:1689> INFO - LaTeX decoding ...
[203] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[395] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 9, warning: 1 characters of junk seen at toplevel
[395] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 15, warning: 1 characters of junk seen at toplevel
[395] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 22, warning: 1 characters of junk seen at toplevel
[395] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 28, warning: 1 characters of junk seen at toplevel
[395] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 35, warning: 1 characters of junk seen at toplevel
[395] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 42, warning: 1 characters of junk seen at toplevel
[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 50, warning: 1 characters of junk seen at toplevel
[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 58, warning: 1 characters of junk seen at toplevel
[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 65, warning: 1 characters of junk seen at toplevel
[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 70, warning: 1 characters of junk seen at toplevel
[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 77, warning: 1 characters of junk seen at toplevel
[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 85, warning: 1 characters of junk seen at toplevel
[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 94, warning: 1 characters of junk seen at toplevel
[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 103, warning: 1 characters of junk seen at toplevel
[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 112, warning: 1 characters of junk seen at toplevel
[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 121, warning: 1 characters of junk seen at toplevel
[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 127, warning: 1 characters of junk seen at toplevel
[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 132, warning: 1 characters of junk seen at toplevel
[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 137, warning: 1 characters of junk seen at toplevel
[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 142, warning: 1 characters of junk seen at toplevel
[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 153, warning: 1 characters of junk seen at toplevel
[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 158, warning: 1 characters of junk seen at toplevel
[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 164, warning: 1 characters of junk seen at toplevel
[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 170, warning: 1 characters of junk seen at toplevel
[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 175, warning: 1 characters of junk seen at toplevel
[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 184, warning: 1 characters of junk seen at toplevel
[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 191, warning: 1 characters of junk seen at toplevel
[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 199, warning: 1 characters of junk seen at toplevel
[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 206, warning: 1 characters of junk seen at toplevel
[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 215, warning: 1 characters of junk seen at toplevel
[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 224, warning: 1 characters of junk seen at toplevel
[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 233, warning: 1 characters of junk seen at toplevel
[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 239, warning: 1 characters of junk seen at toplevel
[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 244, warning: 1 characters of junk seen at toplevel
[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 249, warning: 1 characters of junk seen at toplevel
[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 256, warning: 1 characters of junk seen at toplevel
[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 261, warning: 1 characters of junk seen at toplevel
[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 266, warning: 1 characters of junk seen at toplevel
[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 271, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 276, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 283, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 288, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 295, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 302, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 309, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 315, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 321, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 327, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 334, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 339, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 344, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 349, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 356, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 361, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 366, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 375, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 380, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 385, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 390, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 395, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 400, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 405, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 410, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 419, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 428, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 433, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 438, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 443, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 449, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 459, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 466, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 473, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 482, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 487, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 492, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 501, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 508, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 515, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 520, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 529, warning: 1 characters of junk seen at toplevel
[448] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[449] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[449] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[449] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[490] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[507] bbl.pm:757> INFO - Output to document.bbl
[508] Biber.pm:128> INFO - WARNINGS: 80


@@ -43,6 +43,14 @@
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {3.9}{\ignorespaces Overview of stack scanning and writing technique.\relax }}{45}{figure.caption.43}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {3.10}{\ignorespaces Ethernet frame with TCP/IP packet.\relax }}{48}{figure.caption.44}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {3.11}{\ignorespaces TCP 3-way handshake.\relax }}{50}{figure.caption.46}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {3.12}{\ignorespaces TCP packet retransmission on timeout.\relax }}{51}{figure.caption.47}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {3.13}{\ignorespaces Technique to duplicate a packet for exfiltrating data.\relax }}{53}{figure.caption.48}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }


@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 5 JUN 2022 21:19
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 6 JUN 2022 20:49
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.
@@ -1089,7 +1089,7 @@ File: t1txss.fd 2000/12/15 v3.1
)
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 11.39996pt on input line 186.
<images//Portada_Logo.png, id=221, 456.2865pt x 45.99pt>
<images//Portada_Logo.png, id=229, 456.2865pt x 45.99pt>
File: images//Portada_Logo.png Graphic file (type png)
<use images//Portada_Logo.png>
Package pdftex.def Info: images//Portada_Logo.png used on input line 190.
@@ -1102,7 +1102,7 @@ LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 23.63593pt on input line 201.
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 19.70294pt on input line 205.
<images/creativecommons.png, id=223, 338.76563pt x 118.19156pt>
<images/creativecommons.png, id=231, 338.76563pt x 118.19156pt>
File: images/creativecommons.png Graphic file (type png)
<use images/creativecommons.png>
Package pdftex.def Info: images/creativecommons.png used on input line 215.
@@ -1186,14 +1186,14 @@ File: utxsyc.fd 2000/12/15 v3.1
[10
] [11]
(./document.lot)
] [11] [12]
(./document.lot [13
])
\tf@lot=\write8
\openout8 = `document.lot'.
[12
] [13] [14]
[14] [15]
Chapter 1.
LaTeX Font Info: Trying to load font information for TS1+txr on input line 3
30.
@@ -1211,10 +1211,9 @@ Overfull \hbox (0.50073pt too wide) in paragraph at lines 355--356
[3] [4]
Chapter 2.
LaTeX Warning: Reference `section:analysis_offensive_capabilities' on page 5 un
defined on input line 412.
LaTeX Warning: Reference `section:TODO' on page 5 undefined on input line 412.
<images//classic_bpf.jpg, id=572, 588.1975pt x 432.61626pt>
<images//classic_bpf.jpg, id=598, 588.1975pt x 432.61626pt>
File: images//classic_bpf.jpg Graphic file (type jpg)
<use images//classic_bpf.jpg>
Package pdftex.def Info: images//classic_bpf.jpg used on input line 426.
@@ -1222,36 +1221,36 @@ Package pdftex.def Info: images//classic_bpf.jpg used on input line 426.
[5
] [6 <./images//classic_bpf.jpg>]
<images//cbpf_prog.jpg, id=590, 403.5075pt x 451.6875pt>
<images//cbpf_prog.jpg, id=616, 403.5075pt x 451.6875pt>
File: images//cbpf_prog.jpg Graphic file (type jpg)
<use images//cbpf_prog.jpg>
Package pdftex.def Info: images//cbpf_prog.jpg used on input line 453.
(pdftex.def) Requested size: 227.62204pt x 254.80415pt.
[7 <./images/cBPF_prog.jpg>]
<images//bpf_instructions.png, id=600, 380.92313pt x 475.27562pt>
<images//bpf_instructions.png, id=626, 380.92313pt x 475.27562pt>
File: images//bpf_instructions.png Graphic file (type png)
<use images//bpf_instructions.png>
Package pdftex.def Info: images//bpf_instructions.png used on input line 493.
(pdftex.def) Requested size: 227.62204pt x 283.99998pt.
[8 <./images//bpf_instructions.png>]
<images//bpf_address_mode.png, id=610, 417.05812pt x 313.67188pt>
<images//bpf_address_mode.png, id=637, 417.05812pt x 313.67188pt>
File: images//bpf_address_mode.png Graphic file (type png)
<use images//bpf_address_mode.png>
Package pdftex.def Info: images//bpf_address_mode.png used on input line 509.
(pdftex.def) Requested size: 227.62204pt x 171.19905pt.
[9 <./images//bpf_address_mode.png>]
<images//tcpdump_example.png, id=623, 534.99875pt x 454.69875pt>
<images//tcpdump_example.png, id=649, 534.99875pt x 454.69875pt>
File: images//tcpdump_example.png Graphic file (type png)
<use images//tcpdump_example.png>
Package pdftex.def Info: images//tcpdump_example.png used on input line 524.
(pdftex.def) Requested size: 284.52756pt x 241.82869pt.
<images//cBPF_prog_ex_sol.png, id=626, 242.9075pt x 321.2pt>
<images//cBPF_prog_ex_sol.png, id=652, 242.9075pt x 321.2pt>
File: images//cBPF_prog_ex_sol.png Graphic file (type png)
<use images//cBPF_prog_ex_sol.png>
Package pdftex.def Info: images//cBPF_prog_ex_sol.png used on input line 535.
(pdftex.def) Requested size: 170.71652pt x 225.74026pt.
[10 <./images//tcpdump_example.png>] [11 <./images//cBPF_prog_ex_sol.png>]
<images//ebpf_arch.jpg, id=644, 739.76375pt x 472.76625pt>
<images//ebpf_arch.jpg, id=670, 739.76375pt x 472.76625pt>
File: images//ebpf_arch.jpg Graphic file (type jpg)
<use images//ebpf_arch.jpg>
Package pdftex.def Info: images//ebpf_arch.jpg used on input line 574.
@@ -1303,7 +1302,7 @@ Overfull \hbox (13.5802pt too wide) in paragraph at lines 759--789
[]
[17]
<images//xdp_diag.jpg, id=724, 649.42625pt x 472.76625pt>
<images//xdp_diag.jpg, id=750, 649.42625pt x 472.76625pt>
File: images//xdp_diag.jpg Graphic file (type jpg)
<use images//xdp_diag.jpg>
Package pdftex.def Info: images//xdp_diag.jpg used on input line 805.
@@ -1314,7 +1313,7 @@ Overfull \hbox (5.80417pt too wide) in paragraph at lines 868--880
[]
[20] [21] [22] [23]
<images//libbpf_prog.jpg, id=783, 543.02875pt x 502.87875pt>
<images//libbpf_prog.jpg, id=809, 543.02875pt x 502.87875pt>
File: images//libbpf_prog.jpg Graphic file (type jpg)
<use images//libbpf_prog.jpg>
Package pdftex.def Info: images//libbpf_prog.jpg used on input line 978.
@@ -1387,51 +1386,51 @@ read_user() and bpf_probe_read_kernel().
[]
[35]
<images//mem_arch_pages.jpg, id=967, 593.21625pt x 434.62375pt>
<images//mem_arch_pages.jpg, id=993, 593.21625pt x 434.62375pt>
File: images//mem_arch_pages.jpg Graphic file (type jpg)
<use images//mem_arch_pages.jpg>
Package pdftex.def Info: images//mem_arch_pages.jpg used on input line 1347.
(pdftex.def) Requested size: 369.88582pt x 271.00914pt.
[36]
<images//mem_major_page_fault.jpg, id=975, 639.38875pt x 425.59pt>
<images//mem_major_page_fault.jpg, id=1001, 639.38875pt x 425.59pt>
File: images//mem_major_page_fault.jpg Graphic file (type jpg)
<use images//mem_major_page_fault.jpg>
Package pdftex.def Info: images//mem_major_page_fault.jpg used on input line 1
357.
(pdftex.def) Requested size: 312.9803pt x 208.32661pt.
[37 <./images//mem_arch_pages.jpg>]
<images//mem_minor_page_fault.jpg, id=982, 654.445pt x 555.07375pt>
<images//mem_minor_page_fault.jpg, id=1008, 654.445pt x 555.07375pt>
File: images//mem_minor_page_fault.jpg Graphic file (type jpg)
<use images//mem_minor_page_fault.jpg>
Package pdftex.def Info: images//mem_minor_page_fault.jpg used on input line 1
365.
(pdftex.def) Requested size: 312.9803pt x 265.45834pt.
<images//memory.jpg, id=983, 310.15875pt x 519.9425pt>
<images//memory.jpg, id=1009, 310.15875pt x 519.9425pt>
File: images//memory.jpg Graphic file (type jpg)
<use images//memory.jpg>
Package pdftex.def Info: images//memory.jpg used on input line 1376.
(pdftex.def) Requested size: 170.71652pt x 286.18347pt.
[38 <./images//mem_major_page_fault.jpg> <./images//mem_minor_page_fault.jpg>]
[39 <./images//memory.jpg>]
<images//stack_pres.jpg, id=997, 707.64375pt x 283.0575pt>
<images//stack_pres.jpg, id=1023, 707.64375pt x 283.0575pt>
File: images//stack_pres.jpg Graphic file (type jpg)
<use images//stack_pres.jpg>
Package pdftex.def Info: images//stack_pres.jpg used on input line 1399.
(pdftex.def) Requested size: 398.33858pt x 159.33606pt.
[40 <./images//stack_pres.jpg>]
<images//stack_ops.jpg, id=1006, 524.96124pt x 694.595pt>
<images//stack_ops.jpg, id=1032, 524.96124pt x 694.595pt>
File: images//stack_ops.jpg Graphic file (type jpg)
<use images//stack_ops.jpg>
Package pdftex.def Info: images//stack_ops.jpg used on input line 1433.
(pdftex.def) Requested size: 284.52756pt x 376.47473pt.
<images//stack_before.jpg, id=1007, 712.6625pt x 315.1775pt>
<images//stack_before.jpg, id=1033, 712.6625pt x 315.1775pt>
File: images//stack_before.jpg Graphic file (type jpg)
<use images//stack_before.jpg>
Package pdftex.def Info: images//stack_before.jpg used on input line 1444.
(pdftex.def) Requested size: 398.33858pt x 176.16635pt.
[41 <./images//stack_ops.jpg>]
<images//stack.jpg, id=1012, 707.64375pt x 381.425pt>
<images//stack.jpg, id=1038, 707.64375pt x 381.425pt>
File: images//stack.jpg Graphic file (type jpg)
<use images//stack.jpg>
Package pdftex.def Info: images//stack.jpg used on input line 1451.
@@ -1443,7 +1442,7 @@ Overfull \hbox (3.09538pt too wide) in paragraph at lines 1495--1496
[]
[44]
<images//stack_scan_write_tech.jpg, id=1055, 829.0975pt x 315.1775pt>
<images//stack_scan_write_tech.jpg, id=1084, 829.0975pt x 315.1775pt>
File: images//stack_scan_write_tech.jpg Graphic file (type jpg)
<use images//stack_scan_write_tech.jpg>
Package pdftex.def Info: images//stack_scan_write_tech.jpg used on input line
@@ -1457,114 +1456,164 @@ Overfull \hbox (28.45273pt too wide) in paragraph at lines 1511--1512
LaTeX Warning: Reference `TODO' on page 45 undefined on input line 1533.
[45 <./images//stack_scan_write_tech.jpg>] [46] [47]
[45 <./images//stack_scan_write_tech.jpg>] [46]
<images//frame.jpg, id=1120, 695.59875pt x 705.63625pt>
File: images//frame.jpg Graphic file (type jpg)
<use images//frame.jpg>
Package pdftex.def Info: images//frame.jpg used on input line 1569.
(pdftex.def) Requested size: 398.33858pt x 404.07954pt.
[47] [48 <./images//frame.jpg>]
<images//tcp_conn.jpg, id=1139, 452.69125pt x 405.515pt>
File: images//tcp_conn.jpg Graphic file (type jpg)
<use images//tcp_conn.jpg>
Package pdftex.def Info: images//tcp_conn.jpg used on input line 1617.
(pdftex.def) Requested size: 341.43306pt x 305.84947pt.
[49]
Overfull \hbox (30.78944pt too wide) in paragraph at lines 1622--1623
[]\T1/txr/m/n/12 As we can ob-serve in the fig-ure, the hosts in-ter-change a s
e-quence of <SYN>, <SYN+ACK>,
[]
<images//tcp_retransmission.jpg, id=1147, 523.9575pt x 485.815pt>
File: images//tcp_retransmission.jpg Graphic file (type jpg)
<use images//tcp_retransmission.jpg>
Package pdftex.def Info: images//tcp_retransmission.jpg used on input line 163
3.
(pdftex.def) Requested size: 341.43306pt x 316.58401pt.
[50 <./images//tcp_conn.jpg>] [51 <./images//tcp_retransmission.jpg>]
<images//tcp_exfiltrate_retrans.jpg, id=1165, 633.36626pt x 475.7775pt>
File: images//tcp_exfiltrate_retrans.jpg Graphic file (type jpg)
<use images//tcp_exfiltrate_retrans.jpg>
Package pdftex.def Info: images//tcp_exfiltrate_retrans.jpg used on input line
1670.
(pdftex.def) Requested size: 426.79134pt x 320.60597pt.
[52]
[53 <./images//tcp_exfiltrate_retrans.jpg>] [54]
Chapter 4.
[48
[55
]
Chapter 5.
[49
[56
]
Overfull \hbox (5.34976pt too wide) in paragraph at lines 1610--1610
Overfull \hbox (5.34976pt too wide) in paragraph at lines 1713--1713
\T1/txtt/m/n/12 threat -[] intelligence / cyber -[] year -[] in -[] retrospect
/ yir -[] cyber -[] threats -[]
[]
[50
[57
]
Overfull \hbox (6.22696pt too wide) in paragraph at lines 1610--1610
Overfull \hbox (6.22696pt too wide) in paragraph at lines 1713--1713
[]\T1/txr/m/it/12 Bpf fea-tures by linux ker-nel ver-sion\T1/txr/m/n/12 , io-vi
-sor. [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / github .
[]
Overfull \hbox (7.34976pt too wide) in paragraph at lines 1610--1610
Overfull \hbox (7.34976pt too wide) in paragraph at lines 1713--1713
[][]$\T1/txtt/m/n/12 https : / / ebpf . io / what -[] is -[] ebpf / #loader -[]
-[] verification -[] architecture$[][]\T1/txr/m/n/12 .
[]
Overfull \hbox (21.24973pt too wide) in paragraph at lines 1610--1610
Overfull \hbox (21.24973pt too wide) in paragraph at lines 1713--1713
\T1/txtt/m/n/12 vger . kernel . org / netconf2015Starovoitov -[] bpf _ collabsu
mmit _ 2015feb20 .
[]
[51]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 1610--1610
[58]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 1713--1713
\T1/txtt/m/n/12 ch02 . xhtml# :-[]: text = With % 20JIT % 20compiled % 20code %
2C % 20i ,[] %20other %
[]
Overfull \hbox (6.49615pt too wide) in paragraph at lines 1610--1610
Overfull \hbox (6.49615pt too wide) in paragraph at lines 1713--1713
[]\T1/txr/m/n/12 D. Lavie. ^^P A gen-tle in-tro-duc-tion to xdp.^^Q (Feb. 3, 2
022), [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https :
[]
[52]
Overfull \hbox (0.76683pt too wide) in paragraph at lines 1610--1610
[59]
Overfull \hbox (0.76683pt too wide) in paragraph at lines 1713--1713
[]\T1/txr/m/n/12 ^^P Bpf next ker-nel tree.^^Q (), [On-line]. Avail-able: [][]
$\T1/txtt/m/n/12 https : / / kernel . googlesource .
[]
Overfull \hbox (14.49278pt too wide) in paragraph at lines 1610--1610
Overfull \hbox (14.49278pt too wide) in paragraph at lines 1713--1713
[]\T1/txr/m/it/12 Capabilities - overview of linux ca-pa-bil-i-ties\T1/txr/m/n/
12 . [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 http : / / manpages .
[]
[53]
Overfull \hbox (53.32059pt too wide) in paragraph at lines 1610--1610
[60]
Overfull \hbox (53.32059pt too wide) in paragraph at lines 1713--1713
\T1/txr/m/it/12 sup-ple-ment\T1/txr/m/n/12 , Jan. 28, 2018, p. 148. [On-line].
Avail-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
[]
Overfull \hbox (33.3497pt too wide) in paragraph at lines 1610--1610
Overfull \hbox (33.3497pt too wide) in paragraph at lines 1713--1713
\T1/txtt/m/n/12 20CON % 2029 % 20presentations / Guillaume % 20Fournier % 20Syl
vain % 20Afchain %
[]
Overfull \hbox (9.33742pt too wide) in paragraph at lines 1610--1610
Overfull \hbox (9.33742pt too wide) in paragraph at lines 1713--1713
\T1/txr/m/n/12 Avail-able: [][]$\T1/txtt/m/n/12 https : / / events19 . linuxfou
ndation . org / wp -[] content / uploads /
[]
Overfull \hbox (18.44974pt too wide) in paragraph at lines 1610--1610
Overfull \hbox (18.44974pt too wide) in paragraph at lines 1713--1713
\T1/txtt/m/n/12 2017 / 12 / MM -[] 101 -[] Introduction -[] to -[] Linux -[] Me
mory -[] Management -[] Christoph -[]
[]
Overfull \hbox (5.92503pt too wide) in paragraph at lines 1610--1610
Overfull \hbox (5.92503pt too wide) in paragraph at lines 1713--1713
[]\T1/txr/m/n/12 D. Breaker. ^^P Un-der-stand-ing page faults and mem-ory swap
-in/outs.^^Q (Aug. 19, 2019),
[]
Overfull \hbox (40.56133pt too wide) in paragraph at lines 1610--1610
Overfull \hbox (40.56133pt too wide) in paragraph at lines 1713--1713
\T1/txr/m/n/12 able: [][]$\T1/txtt/m/n/12 https : / / h3xduck . github . io / e
xploit / 2021 / 05 / 23 / stackbufferoverflow -[]
[]
Overfull \hbox (47.32059pt too wide) in paragraph at lines 1610--1610
Overfull \hbox (47.32059pt too wide) in paragraph at lines 1713--1713
\T1/txr/m/it/12 sup-ple-ment\T1/txr/m/n/12 , Jan. 28, 2018, p. 18. [On-line]. A
vail-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
[]
[54]
Overfull \hbox (39.98859pt too wide) in paragraph at lines 1610--1610
[61]
Overfull \hbox (11.10025pt too wide) in paragraph at lines 1713--1713
\T1/txr/m/n/12 DE-F-CON 27, pp. 69^^U74. [On-line]. Avail-able: [][]$\T1/txtt/m
/n/12 https : / / raw . githubusercontent .
[]
Overfull \hbox (39.98859pt too wide) in paragraph at lines 1713--1713
\T1/txr/m/it/12 ment\T1/txr/m/n/12 , Jan. 28, 2018, pp. 19^^U22. [On-line]. Ava
il-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
[]
[55] (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
Overfull \hbox (21.2149pt too wide) in paragraph at lines 1713--1713
\T1/txr/m/n/12 line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / www . plixer
. com / blog / network -[] layers -[] explained/$[][]\T1/txr/m/n/12 .
[]
Overfull \hbox (4.29944pt too wide) in paragraph at lines 1713--1713
[]\T1/txr/m/n/12 ^^P Trans-mis-sion con-trol pro-to-col,^^Q IBM. (Apr. 19, 202
2), [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https :
[]
[62] (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
File: lstlang1.sty 2020/03/24 1.8d listings language file
)
(/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
@@ -1575,54 +1624,42 @@ File: lstlang1.sty 2020/03/24 1.8d listings language file
been already used, duplicate ignored
<to be read again>
\relax
l.1670 \end{document}
l.1773 \end{document}
[2
] (./document.aux)
LaTeX Warning: There were undefined references.
LaTeX Warning: Label(s) may have changed. Rerun to get cross-references right.
Package rerunfilecheck Warning: File `document.out' has changed.
(rerunfilecheck) Rerun to get outlines right
(rerunfilecheck) or use package `bookmark'.
Package rerunfilecheck Info: Checksums for `document.out':
(rerunfilecheck) Before: D79DA99C79A7C21C04809C7BF087F9C6;4075
(rerunfilecheck) After: 6377ECFD9064550E1372CD631FBAEB79;4030.
Package rerunfilecheck Info: File `document.out' has not changed.
(rerunfilecheck) Checksum: 92AAE055ABF4033A3038C889397F3EC1;4293.
Package logreq Info: Writing requests to 'document.run.xml'.
\openout1 = `document.run.xml'.
)
Here is how much of TeX's memory you used:
28447 strings out of 481209
453201 string characters out of 5914747
1348498 words of memory out of 5000000
44595 multiletter control sequences out of 15000+600000
28510 strings out of 481209
454701 string characters out of 5914747
1353298 words of memory out of 5000000
44633 multiletter control sequences out of 15000+600000
459242 words of font info for 106 fonts, out of 8000000 for 9000
36 hyphenation exceptions out of 8191
88i,12n,90p,1029b,3681s stack positions out of 5000i,500n,10000p,200000b,80000s
pdfTeX warning (dest): name{chapter.6} has been referenced but does not exist
, replaced by a fixed one
{/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc}</usr/share/texlive/
texmf-dist/fonts/type1/public/txfonts/rtcxi.pfb></usr/share/texlive/texmf-dist/
fonts/type1/public/txfonts/rtcxr.pfb></usr/share/texlive/texmf-dist/fonts/type1
/public/txfonts/rtxb.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/txfo
nts/rtxi.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/rtxr.pfb
></usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/t1xbtt.pfb></usr/sha
re/texlive/texmf-dist/fonts/type1/public/txfonts/t1xtt.pfb></usr/share/texlive/
texmf-dist/fonts/type1/urw/helvetic/uhvb8a.pfb></usr/share/texlive/texmf-dist/f
onts/type1/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/u
rw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utm
b8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr/s
hare/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on document.pdf (73 pages, 1195969 bytes).
88i,12n,90p,1029b,3693s stack positions out of 5000i,500n,10000p,200000b,80000s
{/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc}</usr/share/texliv
e/texmf-dist/fonts/type1/public/txfonts/rtcxi.pfb></usr/share/texlive/texmf-dis
t/fonts/type1/public/txfonts/rtcxr.pfb></usr/share/texlive/texmf-dist/fonts/typ
e1/public/txfonts/rtxb.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/tx
fonts/rtxi.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/rtxr.p
fb></usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/t1xbtt.pfb></usr/s
hare/texlive/texmf-dist/fonts/type1/public/txfonts/t1xtt.pfb></usr/share/texliv
e/texmf-dist/fonts/type1/urw/helvetic/uhvb8a.pfb></usr/share/texlive/texmf-dist
/fonts/type1/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1
/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/u
tmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr
/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on document.pdf (81 pages, 1439700 bytes).
PDF statistics:
1426 PDF objects out of 1440 (max. 8388607)
345 named destinations out of 1000 (max. 500000)
545 words of extra memory for PDF output out of 10000 (max. 10000000)
1522 PDF objects out of 1728 (max. 8388607)
367 named destinations out of 1000 (max. 500000)
581 words of extra memory for PDF output out of 10000 (max. 10000000)


@@ -45,6 +45,8 @@
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {3.5}{\ignorespaces Relevant registers in x86\_64 for the stack and control flow and their purpose.\relax }}{40}{table.caption.39}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {3.6}{\ignorespaces Relevant TCP flags and their purpose.\relax }}{49}{table.caption.45}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }


@@ -47,7 +47,10 @@
\BOOKMARK [2][-]{subsection.3.3.4}{Attacks\040and\040limitations\040of\040bpf_probe_write_user\(\)}{section.3.3}% 47
\BOOKMARK [2][-]{subsection.3.3.5}{Conclusion}{section.3.3}% 48
\BOOKMARK [1][-]{section.3.4}{Abusing\040networking\040programs}{chapter.3}% 49
\BOOKMARK [2][-]{subsection.3.4.1}{Attacks\040and\040limitations\040of\040networking\040programs}{section.3.4}% 50
\BOOKMARK [0][-]{chapter.4}{Results}{}% 51
\BOOKMARK [0][-]{chapter.5}{Conclusion\040and\040future\040work}{}% 52
\BOOKMARK [0][-]{chapter.5}{Bibliography}{}% 53
\BOOKMARK [2][-]{subsection.3.4.1}{An\040overview\040on\040the\040network\040layer}{section.3.4}% 50
\BOOKMARK [2][-]{subsection.3.4.2}{Introduction\040to\040the\040TCP\040protocol}{section.3.4}% 51
\BOOKMARK [2][-]{subsection.3.4.3}{Attacks\040and\040limitations\040of\040networking\040programs}{section.3.4}% 52
\BOOKMARK [2][-]{subsection.3.4.4}{Conclusion}{section.3.4}% 53
\BOOKMARK [0][-]{chapter.4}{Results}{}% 54
\BOOKMARK [0][-]{chapter.5}{Conclusion\040and\040future\040work}{}% 55
\BOOKMARK [0][-]{chapter.5}{Bibliography}{}% 56




@@ -311,7 +311,7 @@ hmargin=3cm
\pagenumbering{arabic}
\chapter{Introduction}
\section{Motivation}
\section{Motivation} \label{section:motivation}
%M-> SA bit long, but it summarizes and presents the ideas and background needed to understand the topic in order:
% Main idea: Malware keeps evolving ->
% -> Relevance of innovating and researching on the new techniques ->
@@ -409,7 +409,7 @@ The rootkit will work in a fresh-install of a Linux system with the following ch
% I WILL NOT INCLUDE A ROOTKIT BACKGROUND, considering that a deep study of that is not fully relevant for us. I explained what it is, its two main types (should we include bootkits, maybe?) and its relation with eBPF in the introduction, since it is needed to introduce the overall context. Should we do otherwise?
This chapter is dedicated to an study of the eBPF technology. Firstly, we will analyse its origins, understanding what it is and how it works, and discuss the reasons why it is a necessary component of the Linux kernel today. Afterwards, we will cover the main features of eBPF in detail. Finally, an study of the existing alternatives for developing eBPF applications will be also included.
Although during our discussion of the offensive capabilities of eBPF in section\ref{section:analysis_offensive_capabilities} we will use a library that will provide us with a layer of abstraction over the underlying operations, this background is needed to understand how eBPF is embedded in the kernel and which capabilities and limits we can expect to achieve with it.
Although during our discussion of the offensive capabilities of eBPF in section\ref{section:TODO} we will use a library that will provide us with a layer of abstraction over the underlying operations, this background is needed to understand how eBPF is embedded in the kernel and which capabilities and limits we can expect to achieve with it.
\section{eBPF history - Classic BPF}
% Is it ok to have sections / chapters without individual intros?
@@ -1008,7 +1008,7 @@ Note that the BPF skeleton also offers further granularity at the time of dealin
\chapter{Analysis of offensive capabilities}
\chapter{Analysis of offensive capabilities} \label{chapter:analysis_offensive_capabilities}
In the previous chapter, we detailed which functionalities eBPF offers and studied its underlying architecture. As with every technology, a prior deep understanding is fundamental for discussing its security implications.
Therefore, given the previous background, this chapter is dedicated to an analysis in detail of the security implications of a malicious use of eBPF. For this, we will firstly explore the security features incorporated in the eBPF system. Then, we will identify the fundamental pillars onto which malware can build their functionality. As we mentioned during the project goals, these main topics of research will be the following:
@@ -1492,7 +1492,7 @@ Although we will not be able to modify kernel memory or the instructions of a pr
ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos)
\end{lstlisting}
Then, if we attach a kprobe to vfs\_read, we would be able to modify the value of the buffer.
\item Modify process memory by taking function parameters as a reference and scanning the stack. This technique, first introduced in section \ref{subsection:out_read_bounds} when we mentioned that tracing programs can read any user memory location with the bpf\_probe\_read\_user() helper, consists of:
\item Modify process memory by taking function parameters as a reference and scanning the stack. This technique, first introduced in section \ref{subsection:out_read_bounds} when we mentioned that tracing programs can read any user memory location with the bpf\_probe\_read\_user() helper, and which was publicly first used by Jeff Dileo at his talk in DEFCON 27\cite{evil_ebpf_p6974}, consists of:
\begin{enumerate}
\item Take an user-passed parameter received on a tracing program. The parameter must be a pointer to a memory location (such as a pointer to a buffer), so that we can use that memory address as the reference point in user space. According to the x86\_64 documentation, this parameter will be stored in the stack\cite{8664_params_abi_p1922}, so we will receive an stack address.
\item Locate the target data which we aim to write. There are two main methods for this:
@@ -1544,7 +1544,7 @@ Therefore, if on the conclusion of section \ref{subsection:tracing_attacks_concl
Moreover, in the next sections we will discuss how we can create advanced attacks on the basis of the background and techniques previously discussed. We will research further into which sections of a process memory are writeable and whether they can lead to new attack vectors.
\section{Abusing networking programs}
\section{Abusing networking programs}\label{section:abusing_networking}
The final main piece of a malicious eBPF program comes from taking advantage of the networking capabilities of TC and XDP programs. As we mentioned during sections \ref{subsection:xdp} and \ref{subsection:tc}, these type of programs have access to network traffic:
\begin{itemize}
\item Traffic Control programs can be placed either on egress or ingress traffic, and receive a struct \textit{sk\_buff}, containing the packet bytes and meta data that helps operating on it.
@@ -1553,30 +1553,138 @@ The final main piece of a malicious eBPF program comes from taking advantage of
Networking eBPF programs not only have read access to the network packets, but also write access:
\begin{itemize}
\item XDP programs can directly modify the raw packet via memcpy() operations. They can also increment or reduce the size of the packet by any of its ends (adding bytes before the head or after the packet tail). This is done via the multiple helpers previously presented on table \ref{table:xdp_helpers}.
\item XDP programs can directly modify the raw packet via memcpy() operations. They can also increment or reduce the size of the packet at any of its ends (adding bytes before the head or after the packet tail). This is done via the multiple helpers previously presented on table \ref{table:xdp_helpers}.
\item TC programs can also modify the packet via the helpers presented on table \ref{table:tc_helpers}. The packet can be expanded or reduced via these eBPF helpers too.
\end{itemize}
Apart from write access to the packet, the other critical feature of networking programs is their ability to drop packets. As we presented in tables \ref{table:xdp_actions_av} and \ref{table:tc_actions}, this can be achieved by returning specific values.
\subsection{An overview on the network layer}
In order to tackle multiple techniques we will be using in networking programs, we will offer an overview on the relevant aspects of the Ethernet, IP and TCP protocols, on which we will focus during the later development of our rootkit.
Firstly, we will describe the data structure we will be dealing with in networking programs. This will be Ethernet frames containing TCP/IP packets. Figure \ref{fig:frame} shows the frame in its completeness:
\begin{figure}[H]
\centering
\includegraphics[width=14cm]{frame.jpg}
\caption{Ethernet frame with TCP/IP packet.}
\label{fig:frame}
\end{figure}
As we can observe, we can distinguish five different network layers in the frame. This division is made according to the OSI model\cite{network_layers}:
\begin{itemize}
\item Layer 1 corresponds to the physical layer, and it is processed by the NIC hardware, even before it reaches the XDP module (see figure \ref{fig:xdp_diag}). Therefore, this layer is discarded and completely invisible to the kernel. Note that it does not only include a header, but also a trailer (a Frame Check Sequence, a redundancy check included to check frame integrity).
\item Layer 2 is the data layer, it is in charge of transporting the frame via physical media, in our case an Ethernet connection. Most relevant fields are the MAC destination and source, used for performing physical addressing.
\item Layer 3 is the network layer, in charge of packet forwarding and routing. In our case, packets will be using the IP protocol. Most relevant fields are the source and destination IP, used to indicate the host that sent the packet and who is the receiver.
\item Layer 4 is the transport layer, in charge of providing end-to-end connection services to applications in a host. We will be focusing on TCP during our research. Relevant fields include the source and destination port, which indicate the ports involved in the communication on which the application on each host are listening and sending packets.
\item The last layer is the payload of the TCP packet, which contains, according to the OSI model, all layers belong to application data.
\end{itemize}
\subsection{Introduction to the TCP protocol} \label{subsection:tcp}
We will now focus our view on the transport layer, specifically on the TCP protocol, since it will be a major concern at the time of designing the network capabilities of our rootkit.
Firstly, since TCP aims to offer a reliable and ordered packet transmission\cite{tcp_reliable}, it includes sequence numbers (see table \ref{fig:frame}) which mark the order in which they are transmitted. However, since the physical medium may corrupt or lose packets during the transmission, TCP must incorporate mechanisms for ensuring the order and delivery of all packets:
\begin{itemize}
\item Mechanism for opening and establishing a reliable connection between two parties.
\item Mechanism for ensuring that packets are retransmitted in case of an error during the connection.
\end{itemize}
With respect to the establishment of a reliable connection, this is achieved via a 3-way handshake, in which certain TCP flags will be set in a series of interchanged packets (see in figure \ref{fig:frame} the field TCP flags). Most relevant TCP flags are described in table \ref{table:tcp_flags}.
\begin{table}[H]
\begin{tabular}{|>{\centering\arraybackslash}p{4cm}|>{\centering\arraybackslash}p{10cm}|}
\hline
Flag & Purpose\\
\hline
\hline
ACK & Acknowledges that a packet has been successfully received. In the acknowledgment number (see figure \ref{fig:frame}), it is stored the sequence number of the packet being acknowledged + 1. \\
\hline
SYN & Used during the 3-way handshake, indicates request for establishing a connection.\\
\hline
FIN & Used to request a connection termination.\\
\hline
RST & Abruptly terminates the connection, usually sent when a host receives an unexpected or unrecognized packet.\\
\hline
\end{tabular}
\caption{Relevant TCP flags and their purpose.}
\label{table:tcp_flags}
\end{table}
Taking the above into account, figure \ref{fig:tcp_conn} shows a depiction of the 3-way handshake\cite{tcp_handshake}:
\begin{figure}[H]
\centering
\includegraphics[width=12cm]{tcp_conn.jpg}
\caption{TCP 3-way handshake.}
\label{fig:tcp_conn}
\end{figure}
As we can observe in the figure, the hosts interchange a sequence of <SYN>, <SYN+ACK>, <ACK> packets, after which the communication starts. During this communication, the sender transmits packets with data (and no flags set), to which it expects an <ACK> packet acknowledging having received it.
With respect to maintaining the integrity of the connection once it starts, TCP works using timers, as it is illustrated in figure \ref{fig:tcp_retransmission}:
\begin{enumerate}
\item A data packet with sequence number X is sent. The timer starts.
\item The destination host receives the packet and returns an ACK packet with acknowledgment number X+1.
\item The sender receives the ACK packet and stops the timer. If, for any reason, the ACK packet is not received before the timer ends, then the same packet is retransmitted.
\end{enumerate}
\begin{figure}[H]
\centering
\includegraphics[width=12cm]{tcp_retransmission.jpg}
\caption{TCP packet retransmission on timeout.}
\label{fig:tcp_retransmission}
\end{figure}
\subsection{Attacks and limitations of networking programs}
Multiple restrictions exist on network eBPF programs:
Based on the previous background, we will now proceed to explore which limitations exist on which actions a network eBPF program can perform:
\begin{itemize}
\item Read and write access to the packet is heavily controlled by the eBPF verifier. It is not possible to read or write data out of bounds. Extreme care must also be taken before attempting to read any data inside the packet, since the verifier first requires making lots of checks beforehand. For any access to take place, the program must first classify the packet according to the network protocol it belongs, and later check that every header of every network layer is well defined (e.g: Ethernet, IP and TCP). Only after that, the headers can be modified.
\item Read and write access to the packet is heavily controlled by the eBPF verifier. It is not possible to read or write data out of bounds. Extreme care must also be taken before attempting to read any data inside the packet, since the verifier first requires making lots of checks beforehand. For any access to take place, the program must first classify the packet according to the network protocol it belongs, and later check that every header of every layer is well defined (e.g: Ethernet, IP and TCP). Only after that, the headers can be modified.
If the program also wants to modify the packet payload, then it must be checked to be between the bounds of the packet and well defined according to the packet headers. Also, after using any of the helpers that enlarge or reduce the size of the packet, all check operations must be repeated again before any subsequent operation.
If the program also wants to modify the packet payload, then it must be checked to be between the bounds of the packet and well defined according to the packet headers(using fields IHL, packet length and data offset, in figure \ref{fig:frame}). Also, after using any of the helpers that enlarge or reduce the size of the packet, all check operations must be repeated again before any subsequent operation.
Finally, note that after any modification in the packet, some network protocols (such as IP and TCP) require to recalculate their checksum fields.
\item XDP and TC programs are not able to create packets, they can only operate over existing traffic.
\item If an XDP program modifies an incoming packet, the kernel will not know about the original data, but if an egress TC program modifies a packet being sent, the kernel will be able to notice the modification.
\end{itemize}
Having the previous restrictions in mind, we can find multiple possible malicious uses of an XDP/TC program:
\begin{itemize}
\item \textbf{Spy all network connections} in the system. An XDP or TC ingress program can read any packet from any interface, therefore achieving a comprehensive view on which are the running communications and opened ports (even if protocols with encryption are being used) and gathering transmitted data (if the connection is also in plaintext).
\item \textbf{Hide arbitrary traffic} from the host. If an XDP program drops a packet, the kernel will not be able to know any packet was received in the first place. This can be used to hide malicious incoming traffic. However, as we will mention in section{TODO}, malicious traffic may still be detected by other external devices, such as network-wide firewalls.
\item \textbf{Modify incoming traffic} with XDP programs. Every packet can be modified (as we mentioned at the beginning of section \ref{section:abusing_networking}), and any modification will be unnoticeable to the kernel, meaning that we will have complete, invisible control over the packets received by the kernel.
\item \textbf{Modify outgoing traffic} with TC egress programs. Since every packet can be modified at will, we will therefore have complete control over any packet sent by the host. This can be used to enable a malicious program to communicate over the network and exfiltrate data, since even if we cannot create a new connection from eBPF, we can still modify existing packets, writing any payload and headers on it (thus being able to, for instance, change the destination of the packet).
Notice, however, that these modifications are not transparent to the kernel as with XDP, and thus an internal firewall may detect our malicious traffic.
\end{itemize}
Although we mention the possibility of modifying outgoing traffic as an alternative to the impossibility of sending new packets from eBPF, there exists a major disadvantage by doing this, since the original packet of the application will be lost, and we will thus be disrupting the normal functioning of the system (which in a rootkit is unacceptable, as we mentioned in section \ref{section:motivation}, stealth is a priority).
There exists, however, a simple way of duplicating a packet so that the original packet is not lost but we can still send our overwritten packet. This technique, first presented by Guillaume Fournier and Sylvain Afchainthe in their DEFCON talk, consists of taking advantage of TCP retransmissions we described on section \ref{subsection:tcp}. Figure \ref{fig:tcp_exfiltrate_retrans} shows this process:
\begin{figure}[H]
\centering
\includegraphics[width=15cm]{tcp_exfiltrate_retrans.jpg}
\caption{Technique to duplicate a packet for exfiltrating data.}
\label{fig:tcp_exfiltrate_retrans}
\end{figure}
In the figure, we can observe a host infected by a malicious TC egress program. An user space application at some point needs to send a packet (in this case a simple ping), and the TC program will overwrite it (in this case, it writes a password which it has been able to find, and substitutes the destination IP address with that of a listening attacker.
After the timer runs out, the TCP protocol itself will retransmit the same packet as previously and thus the original data is delivered too.
Using this technique, we will be able to send our own packets every time an application sends outgoing traffic. And, unless the network is being monitored, this attack will go unnoticed, provided that the delay of the original packet is similar to that when a single packet lost.
\subsection{Conclusion}
As a summary, networking eBPF programs offer complete control over incoming and outgoing traffic. If tracing programs and memory corruption techniques served to disrupt the trust in the execution of both any user or kernel program, then a malicious networking program has the potential to do the same with any communication, since any packet is under the control of eBPF.
Ultimately, the capabilities discussed in this section unlock complete freedom for the design of malicious programs. As we will explain in the next chapter, one particularly relevant type of application can be built:
\begin{itemize}
\item A \textbf{backdoor}, a stealthy program which listens on the network interface and waits for secret instructions from a remote attacker-controlled client program. This backdoor can have \textbf{Command and Control (C2)} capabilities, meaning that it can process commands sent by the attacker and received at the backdoor, executing a series of actions corresponding to the request received, and (when needed) answering the attacker with the result of the command.
\end{itemize}
%TODO talk about TCP connection and its repeating packets.
% Talk about attacks.
% Conclusion of the section.
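Review bot: The retransmission-based exfiltration described around `This technique, first presented by Guillaume Fournier and Sylvain Afchainthe in their DEFCON talk` depends on the transport layer resending the hijacked segment, so the example of `a simple ping` only holds if that means a TCP exchange and not an ICMP echo, which has no retransmission timer; I would state the precondition, e.g. `This only applies to TCP segments carrying data: ICMP or UDP traffic overwritten this way is simply lost.` That paragraph should also carry the citation added in this commit (`\cite{ebpf_friends_p37}`), and the second author's surname is Afchain, not `Afchainthe` (the .bib entry has the same typo). In table 3.6 and in the retransmission steps, the acknowledgment number is the next expected sequence number, i.e. `X` plus the length of the data, rather than `X+1`, which is only true for a SYN/FIN or a one-byte segment. The caveat `an internal firewall may detect our malicious traffic` is worth hedging: if I recall the output path correctly, TC egress runs after the netfilter hooks, so an iptables/nftables host firewall would not see the rewritten packet either, whereas AF_PACKET captures (tcpdump) and off-host monitoring would. Finally, `section{TODO}` in the `Hide arbitrary traffic` item is a dangling reference, the parenthesis opened at `(in this case, it writes a password` is never closed, and `see table \ref{fig:frame}` should read figure.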


@@ -99,11 +99,17 @@
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {3.4}Abusing networking programs}{46}{section.3.4}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.4.1}Attacks and limitations of networking programs}{47}{subsection.3.4.1}%
\contentsline {subsection}{\numberline {3.4.1}An overview on the network layer}{47}{subsection.3.4.1}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {4}Results}{48}{chapter.4}%
\contentsline {subsection}{\numberline {3.4.2}Introduction to the TCP protocol}{49}{subsection.3.4.2}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Conclusion and future work}{49}{chapter.5}%
\contentsline {subsection}{\numberline {3.4.3}Attacks and limitations of networking programs}{51}{subsection.3.4.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{50}{chapter.5}%
\contentsline {subsection}{\numberline {3.4.4}Conclusion}{53}{subsection.3.4.4}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {4}Results}{55}{chapter.4}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Conclusion and future work}{56}{chapter.5}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{57}{chapter.5}%
\contentsfinish

docs/images/frame.jpg Normal file




docs/images/tcp_conn.jpg Normal file











@@ -73,15 +73,15 @@
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/">
<xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool>
<xmp:ModifyDate>2022-06-05T21:19:01-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-06-05T21:19:01-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-06-05T21:19:01-04:00</xmp:MetadataDate>
<xmp:ModifyDate>2022-06-06T20:49:24-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-06-06T20:49:24-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-06-06T20:49:24-04:00</xmp:MetadataDate>
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/">
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/">
<xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID>
<xmpMM:InstanceID>uuid:62AED33B-11F7-1F15-2F84-24FCCE82AC8A</xmpMM:InstanceID>
<xmpMM:InstanceID>uuid:26A5E47A-114F-F7CD-5787-82CC4D0D8429</xmpMM:InstanceID>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>