Finished ROP by jeff dileo

h3xduck
2022-06-08 08:59:32 -04:00
parent 5d67eddfd7
commit a46339e912
16 changed files with 320 additions and 189 deletions


@@ -538,6 +538,11 @@ AMD64 Architecture Processor Supplement},
@online{rop_prog_finder,
title={ROPgadget Tool},
url={https://github.com/JonathanSalwan/ROPgadget}
},
@online{glibc,
title={The GNU C library},
url={https://www.gnu.org/software/libc/}
}
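Review bot: The `},` that now closes the `rop_prog_finder` entry puts a comma between two entries, and BibTeX has no such separator. This is very likely what Biber reports as "1 characters of junk seen at toplevel": the log in this same commit gains one such warning (line 538) and its total goes from 80 to 81. Close the entry with a bare `}` and start `@online{glibc,` on the next line; doing the same for the existing entries would clear the log so that a real parse problem is not buried under identical warnings. The new `glibc` entry cites a live web page, so a `urldate = {YYYY-MM-DD}` field would also help if the style prints access dates.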


@@ -423,20 +423,32 @@
\newlabel{fig:buffer_overflow_shellcode}{{4.3}{59}{Executing arbitrary code exploiting a buffer overflow vulnerability.\relax }{figure.caption.51}{}}
\abx@aux@cite{rop_prog_finder}
\abx@aux@segm{0}{0}{rop_prog_finder}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.2}Return oriented programming with eBPF}{60}{subsection.4.1.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.2}Return oriented programming attacks}{60}{subsection.4.1.2}\protected@file@percent }
\newlabel{subsection:rop}{{4.1.2}{60}{Return oriented programming attacks}{subsection.4.1.2}{}}
\newlabel{code:rop_ex}{{4.2}{60}{Sample program to run using ROP}{lstlisting.4.2}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {4.2}Sample program to run using ROP.}{60}{lstlisting.4.2}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.4}{\ignorespaces Steps for executing code sample using ROP.\relax }}{61}{figure.caption.52}\protected@file@percent }
\newlabel{fig:rop_compund}{{4.4}{61}{Steps for executing code sample using ROP.\relax }{figure.caption.52}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Results}{63}{chapter.5}\protected@file@percent }
\abx@aux@cite{evil_ebpf_p6974}
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
\abx@aux@cite{glibc}
\abx@aux@segm{0}{0}{glibc}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.3}ROP with eBPF}{62}{subsection.4.1.3}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.5}{\ignorespaces Initial setup for the ROP with eBPF technique.\relax }}{62}{figure.caption.53}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_1}{{4.5}{62}{Initial setup for the ROP with eBPF technique.\relax }{figure.caption.53}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.6}{\ignorespaces Process memory after syscall exits and ROP code overwrites the stack.\relax }}{63}{figure.caption.54}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_2}{{4.6}{63}{Process memory after syscall exits and ROP code overwrites the stack.\relax }{figure.caption.54}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.7}{\ignorespaces Stack data is restored and program continues its execution.\relax }}{64}{figure.caption.55}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_3}{{4.7}{64}{Stack data is restored and program continues its execution.\relax }{figure.caption.55}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Results}{65}{chapter.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Conclusion and future work}{64}{chapter.6}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Conclusion and future work}{66}{chapter.6}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{65}{chapter.6}\protected@file@percent }
\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.54}{}}
\abx@aux@read@bbl@mdfivesum{77A5019A60516627679C213125A49687}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{67}{chapter.6}\protected@file@percent }
\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.57}{}}
\abx@aux@read@bbl@mdfivesum{ED0DCDE6F36062F4590E740430BED62B}
\abx@aux@read@bblrerun
\abx@aux@refcontextdefaultsdone
\abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
@@ -516,5 +528,6 @@
\abx@aux@defaultrefcontext{0}{network_layers}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{tcp_reliable}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{tcp_handshake}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{rop_prog_finder}{none/global//global/global}
\ttl@finishall
\gdef \@abspage@last{90}
\gdef \@abspage@last{92}


@@ -1685,6 +1685,18 @@
\verb https://www.sciencedirect.com/topics/computer-science/three-way-handshake
\endverb
\endentry
\entry{rop_prog_finder}{online}{}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{title}{ROPgadget Tool}
\verb{urlraw}
\verb https://github.com/JonathanSalwan/ROPgadget
\endverb
\verb{url}
\verb https://github.com/JonathanSalwan/ROPgadget
\endverb
\endentry
\enddatalist
\endrefsection
\endinput


@@ -2448,6 +2448,8 @@
<bcf:citekey order="111">tcp_handshake</bcf:citekey>
<bcf:citekey order="112">evil_ebpf_p6974</bcf:citekey>
<bcf:citekey order="113">rop_prog_finder</bcf:citekey>
<bcf:citekey order="114">evil_ebpf_p6974</bcf:citekey>
<bcf:citekey order="115">glibc</bcf:citekey>
</bcf:section>
<!-- SORTING TEMPLATES -->
<bcf:sortingtemplate name="none">


@@ -1,96 +1,97 @@
[0] Config.pm:311> INFO - This is Biber 2.16
[0] Config.pm:314> INFO - Logfile is 'document.blg'
[60] biber:340> INFO - === Tue Jun 7, 2022, 14:31:23
[76] Biber.pm:415> INFO - Reading 'document.bcf'
[153] Biber.pm:952> INFO - Found 77 citekeys in bib section 0
[168] Biber.pm:4340> INFO - Processing section 0
[179] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[182] bibtex.pm:1689> INFO - LaTeX decoding ...
[211] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 9, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 15, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 22, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 28, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 35, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 42, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 50, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 58, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 65, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 70, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 77, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 85, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 94, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 103, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 112, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 121, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 127, warning: 1 characters of junk seen at toplevel
[406] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 132, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 137, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 142, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 153, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 158, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 164, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 170, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 175, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 184, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 191, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 199, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 206, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 215, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 224, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 233, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 239, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 244, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 249, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 256, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 261, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 266, warning: 1 characters of junk seen at toplevel
[407] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 271, warning: 1 characters of junk seen at toplevel
[408] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 276, warning: 1 characters of junk seen at toplevel
[408] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 283, warning: 1 characters of junk seen at toplevel
[408] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 288, warning: 1 characters of junk seen at toplevel
[408] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 295, warning: 1 characters of junk seen at toplevel
[408] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 302, warning: 1 characters of junk seen at toplevel
[408] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 309, warning: 1 characters of junk seen at toplevel
[408] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 315, warning: 1 characters of junk seen at toplevel
[408] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 321, warning: 1 characters of junk seen at toplevel
[408] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 327, warning: 1 characters of junk seen at toplevel
[408] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 334, warning: 1 characters of junk seen at toplevel
[408] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 339, warning: 1 characters of junk seen at toplevel
[408] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 344, warning: 1 characters of junk seen at toplevel
[408] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 349, warning: 1 characters of junk seen at toplevel
[408] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 356, warning: 1 characters of junk seen at toplevel
[408] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 361, warning: 1 characters of junk seen at toplevel
[408] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 366, warning: 1 characters of junk seen at toplevel
[408] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 375, warning: 1 characters of junk seen at toplevel
[408] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 380, warning: 1 characters of junk seen at toplevel
[408] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 385, warning: 1 characters of junk seen at toplevel
[408] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 390, warning: 1 characters of junk seen at toplevel
[409] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 395, warning: 1 characters of junk seen at toplevel
[409] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 400, warning: 1 characters of junk seen at toplevel
[409] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 405, warning: 1 characters of junk seen at toplevel
[409] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 410, warning: 1 characters of junk seen at toplevel
[409] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 419, warning: 1 characters of junk seen at toplevel
[409] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 428, warning: 1 characters of junk seen at toplevel
[409] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 433, warning: 1 characters of junk seen at toplevel
[409] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 438, warning: 1 characters of junk seen at toplevel
[409] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 443, warning: 1 characters of junk seen at toplevel
[409] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 449, warning: 1 characters of junk seen at toplevel
[409] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 459, warning: 1 characters of junk seen at toplevel
[409] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 466, warning: 1 characters of junk seen at toplevel
[409] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 473, warning: 1 characters of junk seen at toplevel
[409] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 482, warning: 1 characters of junk seen at toplevel
[410] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 487, warning: 1 characters of junk seen at toplevel
[410] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 492, warning: 1 characters of junk seen at toplevel
[410] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 501, warning: 1 characters of junk seen at toplevel
[410] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 508, warning: 1 characters of junk seen at toplevel
[410] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 515, warning: 1 characters of junk seen at toplevel
[410] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 520, warning: 1 characters of junk seen at toplevel
[410] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_Iaax/f4d088b3f9f145b5c3058da33afd57d4_281978.utf8, line 529, warning: 1 characters of junk seen at toplevel
[458] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[458] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[458] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[458] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[500] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[518] bbl.pm:757> INFO - Output to document.bbl
[518] Biber.pm:128> INFO - WARNINGS: 80
[1] Config.pm:311> INFO - This is Biber 2.16
[1] Config.pm:314> INFO - Logfile is 'document.blg'
[155] biber:340> INFO - === Wed Jun 8, 2022, 07:27:20
[189] Biber.pm:415> INFO - Reading 'document.bcf'
[389] Biber.pm:952> INFO - Found 78 citekeys in bib section 0
[427] Biber.pm:4340> INFO - Processing section 0
[452] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[458] bibtex.pm:1689> INFO - LaTeX decoding ...
[537] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[880] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 9, warning: 1 characters of junk seen at toplevel
[880] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 15, warning: 1 characters of junk seen at toplevel
[880] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 22, warning: 1 characters of junk seen at toplevel
[880] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 28, warning: 1 characters of junk seen at toplevel
[881] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 35, warning: 1 characters of junk seen at toplevel
[881] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 42, warning: 1 characters of junk seen at toplevel
[881] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 50, warning: 1 characters of junk seen at toplevel
[881] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 58, warning: 1 characters of junk seen at toplevel
[882] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 65, warning: 1 characters of junk seen at toplevel
[882] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 70, warning: 1 characters of junk seen at toplevel
[882] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 77, warning: 1 characters of junk seen at toplevel
[882] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 85, warning: 1 characters of junk seen at toplevel
[882] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 94, warning: 1 characters of junk seen at toplevel
[883] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 103, warning: 1 characters of junk seen at toplevel
[883] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 112, warning: 1 characters of junk seen at toplevel
[883] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 121, warning: 1 characters of junk seen at toplevel
[883] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 127, warning: 1 characters of junk seen at toplevel
[883] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 132, warning: 1 characters of junk seen at toplevel
[884] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 137, warning: 1 characters of junk seen at toplevel
[884] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 142, warning: 1 characters of junk seen at toplevel
[884] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 153, warning: 1 characters of junk seen at toplevel
[884] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 158, warning: 1 characters of junk seen at toplevel
[884] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 164, warning: 1 characters of junk seen at toplevel
[885] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 170, warning: 1 characters of junk seen at toplevel
[885] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 175, warning: 1 characters of junk seen at toplevel
[885] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 184, warning: 1 characters of junk seen at toplevel
[885] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 191, warning: 1 characters of junk seen at toplevel
[886] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 199, warning: 1 characters of junk seen at toplevel
[886] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 206, warning: 1 characters of junk seen at toplevel
[886] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 215, warning: 1 characters of junk seen at toplevel
[886] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 224, warning: 1 characters of junk seen at toplevel
[886] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 233, warning: 1 characters of junk seen at toplevel
[887] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 239, warning: 1 characters of junk seen at toplevel
[887] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 244, warning: 1 characters of junk seen at toplevel
[887] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 249, warning: 1 characters of junk seen at toplevel
[887] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 256, warning: 1 characters of junk seen at toplevel
[887] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 261, warning: 1 characters of junk seen at toplevel
[888] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 266, warning: 1 characters of junk seen at toplevel
[888] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 271, warning: 1 characters of junk seen at toplevel
[889] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 276, warning: 1 characters of junk seen at toplevel
[889] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 283, warning: 1 characters of junk seen at toplevel
[889] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 288, warning: 1 characters of junk seen at toplevel
[889] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 295, warning: 1 characters of junk seen at toplevel
[889] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 302, warning: 1 characters of junk seen at toplevel
[890] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 309, warning: 1 characters of junk seen at toplevel
[890] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 315, warning: 1 characters of junk seen at toplevel
[890] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 321, warning: 1 characters of junk seen at toplevel
[890] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 327, warning: 1 characters of junk seen at toplevel
[890] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 334, warning: 1 characters of junk seen at toplevel
[891] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 339, warning: 1 characters of junk seen at toplevel
[891] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 344, warning: 1 characters of junk seen at toplevel
[891] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 349, warning: 1 characters of junk seen at toplevel
[891] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 356, warning: 1 characters of junk seen at toplevel
[891] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 361, warning: 1 characters of junk seen at toplevel
[891] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 366, warning: 1 characters of junk seen at toplevel
[892] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 375, warning: 1 characters of junk seen at toplevel
[892] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 380, warning: 1 characters of junk seen at toplevel
[892] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 385, warning: 1 characters of junk seen at toplevel
[892] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 390, warning: 1 characters of junk seen at toplevel
[892] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 395, warning: 1 characters of junk seen at toplevel
[892] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 400, warning: 1 characters of junk seen at toplevel
[892] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 405, warning: 1 characters of junk seen at toplevel
[893] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 410, warning: 1 characters of junk seen at toplevel
[893] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 419, warning: 1 characters of junk seen at toplevel
[893] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 428, warning: 1 characters of junk seen at toplevel
[893] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 433, warning: 1 characters of junk seen at toplevel
[893] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 438, warning: 1 characters of junk seen at toplevel
[894] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 443, warning: 1 characters of junk seen at toplevel
[894] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 449, warning: 1 characters of junk seen at toplevel
[894] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 459, warning: 1 characters of junk seen at toplevel
[894] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 466, warning: 1 characters of junk seen at toplevel
[894] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 473, warning: 1 characters of junk seen at toplevel
[895] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 482, warning: 1 characters of junk seen at toplevel
[895] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 487, warning: 1 characters of junk seen at toplevel
[895] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 492, warning: 1 characters of junk seen at toplevel
[895] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 501, warning: 1 characters of junk seen at toplevel
[896] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 508, warning: 1 characters of junk seen at toplevel
[897] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 515, warning: 1 characters of junk seen at toplevel
[897] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 520, warning: 1 characters of junk seen at toplevel
[897] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 529, warning: 1 characters of junk seen at toplevel
[897] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_BzTn/f4d088b3f9f145b5c3058da33afd57d4_286598.utf8, line 538, warning: 1 characters of junk seen at toplevel
[1031] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[1032] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[1032] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[1032] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[1143] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[1197] bbl.pm:757> INFO - Output to document.bbl
[1198] Biber.pm:128> INFO - WARNINGS: 81


@@ -61,6 +61,12 @@
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {4.4}{\ignorespaces Steps for executing code sample using ROP.\relax }}{61}{figure.caption.52}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {4.5}{\ignorespaces Initial setup for the ROP with eBPF technique.\relax }}{62}{figure.caption.53}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {4.6}{\ignorespaces Process memory after syscall exits and ROP code overwrites the stack.\relax }}{63}{figure.caption.54}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {4.7}{\ignorespaces Stack data is restored and program continues its execution.\relax }}{64}{figure.caption.55}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }


@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 7 JUN 2022 15:38
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 8 JUN 2022 08:51
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.
@@ -1089,7 +1089,7 @@ File: t1txss.fd 2000/12/15 v3.1
)
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 11.39996pt on input line 186.
<images//Portada_Logo.png, id=245, 456.2865pt x 45.99pt>
<images//Portada_Logo.png, id=249, 456.2865pt x 45.99pt>
File: images//Portada_Logo.png Graphic file (type png)
<use images//Portada_Logo.png>
Package pdftex.def Info: images//Portada_Logo.png used on input line 190.
@@ -1102,7 +1102,7 @@ LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 23.63593pt on input line 201.
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 19.70294pt on input line 205.
<images/creativecommons.png, id=247, 338.76563pt x 118.19156pt>
<images/creativecommons.png, id=251, 338.76563pt x 118.19156pt>
File: images/creativecommons.png Graphic file (type png)
<use images/creativecommons.png>
Package pdftex.def Info: images/creativecommons.png used on input line 215.
@@ -1146,11 +1146,11 @@ s been already used, duplicate ignored
l.279 \tableofcontents
[6] (./document.toc [7
])
] [8])
\tf@toc=\write6
\openout6 = `document.toc'.
[8] [9] [10] (./document.lof
[9] [10] (./document.lof
LaTeX Font Info: Trying to load font information for OT1+txr on input line 8
.
@@ -1213,7 +1213,7 @@ Chapter 2.
LaTeX Warning: Reference `section:TODO' on page 5 undefined on input line 413.
<images//classic_bpf.jpg, id=634, 588.1975pt x 432.61626pt>
<images//classic_bpf.jpg, id=644, 588.1975pt x 432.61626pt>
File: images//classic_bpf.jpg Graphic file (type jpg)
<use images//classic_bpf.jpg>
Package pdftex.def Info: images//classic_bpf.jpg used on input line 427.
@@ -1221,36 +1221,36 @@ Package pdftex.def Info: images//classic_bpf.jpg used on input line 427.
[5
] [6 <./images//classic_bpf.jpg>]
<images//cbpf_prog.jpg, id=652, 403.5075pt x 451.6875pt>
<images//cbpf_prog.jpg, id=662, 403.5075pt x 451.6875pt>
File: images//cbpf_prog.jpg Graphic file (type jpg)
<use images//cbpf_prog.jpg>
Package pdftex.def Info: images//cbpf_prog.jpg used on input line 454.
(pdftex.def) Requested size: 227.62204pt x 254.80415pt.
[7 <./images/cBPF_prog.jpg>]
<images//bpf_instructions.png, id=663, 380.92313pt x 475.27562pt>
<images//bpf_instructions.png, id=673, 380.92313pt x 475.27562pt>
File: images//bpf_instructions.png Graphic file (type png)
<use images//bpf_instructions.png>
Package pdftex.def Info: images//bpf_instructions.png used on input line 494.
(pdftex.def) Requested size: 227.62204pt x 283.99998pt.
[8 <./images//bpf_instructions.png>]
<images//bpf_address_mode.png, id=673, 417.05812pt x 313.67188pt>
<images//bpf_address_mode.png, id=683, 417.05812pt x 313.67188pt>
File: images//bpf_address_mode.png Graphic file (type png)
<use images//bpf_address_mode.png>
Package pdftex.def Info: images//bpf_address_mode.png used on input line 510.
(pdftex.def) Requested size: 227.62204pt x 171.19905pt.
[9 <./images//bpf_address_mode.png>]
<images//tcpdump_example.png, id=685, 534.99875pt x 454.69875pt>
<images//tcpdump_example.png, id=695, 534.99875pt x 454.69875pt>
File: images//tcpdump_example.png Graphic file (type png)
<use images//tcpdump_example.png>
Package pdftex.def Info: images//tcpdump_example.png used on input line 525.
(pdftex.def) Requested size: 284.52756pt x 241.82869pt.
<images//cBPF_prog_ex_sol.png, id=688, 242.9075pt x 321.2pt>
<images//cBPF_prog_ex_sol.png, id=698, 242.9075pt x 321.2pt>
File: images//cBPF_prog_ex_sol.png Graphic file (type png)
<use images//cBPF_prog_ex_sol.png>
Package pdftex.def Info: images//cBPF_prog_ex_sol.png used on input line 536.
(pdftex.def) Requested size: 170.71652pt x 225.74026pt.
[10 <./images//tcpdump_example.png>] [11 <./images//cBPF_prog_ex_sol.png>]
<images//ebpf_arch.jpg, id=706, 739.76375pt x 472.76625pt>
<images//ebpf_arch.jpg, id=716, 739.76375pt x 472.76625pt>
File: images//ebpf_arch.jpg Graphic file (type jpg)
<use images//ebpf_arch.jpg>
Package pdftex.def Info: images//ebpf_arch.jpg used on input line 575.
@@ -1302,7 +1302,7 @@ Overfull \hbox (13.5802pt too wide) in paragraph at lines 760--790
[]
[17]
<images//xdp_diag.jpg, id=786, 649.42625pt x 472.76625pt>
<images//xdp_diag.jpg, id=796, 649.42625pt x 472.76625pt>
File: images//xdp_diag.jpg Graphic file (type jpg)
<use images//xdp_diag.jpg>
Package pdftex.def Info: images//xdp_diag.jpg used on input line 806.
@@ -1313,7 +1313,7 @@ Overfull \hbox (5.80417pt too wide) in paragraph at lines 869--881
[]
[20] [21] [22] [23]
<images//libbpf_prog.jpg, id=845, 543.02875pt x 502.87875pt>
<images//libbpf_prog.jpg, id=855, 543.02875pt x 502.87875pt>
File: images//libbpf_prog.jpg Graphic file (type jpg)
<use images//libbpf_prog.jpg>
Package pdftex.def Info: images//libbpf_prog.jpg used on input line 979.
@@ -1391,51 +1391,51 @@ read_user() and bpf_probe_read_kernel().
[]
[35]
<images//mem_arch_pages.jpg, id=1028, 593.21625pt x 434.62375pt>
<images//mem_arch_pages.jpg, id=1038, 593.21625pt x 434.62375pt>
File: images//mem_arch_pages.jpg Graphic file (type jpg)
<use images//mem_arch_pages.jpg>
Package pdftex.def Info: images//mem_arch_pages.jpg used on input line 1350.
(pdftex.def) Requested size: 369.88582pt x 271.00914pt.
[36]
<images//mem_major_page_fault.jpg, id=1036, 639.38875pt x 425.59pt>
<images//mem_major_page_fault.jpg, id=1046, 639.38875pt x 425.59pt>
File: images//mem_major_page_fault.jpg Graphic file (type jpg)
<use images//mem_major_page_fault.jpg>
Package pdftex.def Info: images//mem_major_page_fault.jpg used on input line 1
360.
(pdftex.def) Requested size: 312.9803pt x 208.32661pt.
[37 <./images//mem_arch_pages.jpg>]
<images//mem_minor_page_fault.jpg, id=1044, 654.445pt x 555.07375pt>
<images//mem_minor_page_fault.jpg, id=1054, 654.445pt x 555.07375pt>
File: images//mem_minor_page_fault.jpg Graphic file (type jpg)
<use images//mem_minor_page_fault.jpg>
Package pdftex.def Info: images//mem_minor_page_fault.jpg used on input line 1
368.
(pdftex.def) Requested size: 312.9803pt x 265.45834pt.
<images//memory.jpg, id=1045, 310.15875pt x 569.12625pt>
<images//memory.jpg, id=1055, 310.15875pt x 569.12625pt>
File: images//memory.jpg Graphic file (type jpg)
<use images//memory.jpg>
Package pdftex.def Info: images//memory.jpg used on input line 1379.
(pdftex.def) Requested size: 170.71652pt x 313.25488pt.
[38 <./images//mem_major_page_fault.jpg> <./images//mem_minor_page_fault.jpg>]
[39 <./images//memory.jpg>]
<images//stack_pres.jpg, id=1058, 707.64375pt x 283.0575pt>
<images//stack_pres.jpg, id=1068, 707.64375pt x 283.0575pt>
File: images//stack_pres.jpg Graphic file (type jpg)
<use images//stack_pres.jpg>
Package pdftex.def Info: images//stack_pres.jpg used on input line 1403.
(pdftex.def) Requested size: 398.33858pt x 159.33606pt.
[40 <./images//stack_pres.jpg>]
<images//stack_ops.jpg, id=1067, 524.96124pt x 694.595pt>
<images//stack_ops.jpg, id=1077, 524.96124pt x 694.595pt>
File: images//stack_ops.jpg Graphic file (type jpg)
<use images//stack_ops.jpg>
Package pdftex.def Info: images//stack_ops.jpg used on input line 1437.
(pdftex.def) Requested size: 284.52756pt x 376.47473pt.
[41]
<images//stack_before.jpg, id=1072, 712.6625pt x 315.1775pt>
<images//stack_before.jpg, id=1082, 712.6625pt x 315.1775pt>
File: images//stack_before.jpg Graphic file (type jpg)
<use images//stack_before.jpg>
Package pdftex.def Info: images//stack_before.jpg used on input line 1448.
(pdftex.def) Requested size: 398.33858pt x 176.16635pt.
<images//stack.jpg, id=1073, 707.64375pt x 381.425pt>
<images//stack.jpg, id=1083, 707.64375pt x 381.425pt>
File: images//stack.jpg Graphic file (type jpg)
<use images//stack.jpg>
Package pdftex.def Info: images//stack.jpg used on input line 1455.
@@ -1447,7 +1447,7 @@ Overfull \hbox (3.09538pt too wide) in paragraph at lines 1499--1500
bpf_probe_read_user()
[]
<images//stack_scan_write_tech.jpg, id=1112, 829.0975pt x 315.1775pt>
<images//stack_scan_write_tech.jpg, id=1122, 829.0975pt x 315.1775pt>
File: images//stack_scan_write_tech.jpg Graphic file (type jpg)
<use images//stack_scan_write_tech.jpg>
Package pdftex.def Info: images//stack_scan_write_tech.jpg used on input line
@@ -1463,14 +1463,14 @@ Overfull \hbox (28.45273pt too wide) in paragraph at lines 1515--1516
LaTeX Warning: Reference `TODO' on page 46 undefined on input line 1537.
[46 <./images//stack_scan_write_tech.jpg>] [47]
<images//frame.jpg, id=1159, 695.59875pt x 705.63625pt>
<images//frame.jpg, id=1169, 695.59875pt x 705.63625pt>
File: images//frame.jpg Graphic file (type jpg)
<use images//frame.jpg>
Package pdftex.def Info: images//frame.jpg used on input line 1573.
(pdftex.def) Requested size: 398.33858pt x 404.07954pt.
[48 <./images//frame.jpg>]
[49]
<images//tcp_conn.jpg, id=1180, 452.69125pt x 405.515pt>
<images//tcp_conn.jpg, id=1190, 452.69125pt x 405.515pt>
File: images//tcp_conn.jpg Graphic file (type jpg)
<use images//tcp_conn.jpg>
Package pdftex.def Info: images//tcp_conn.jpg used on input line 1621.
@@ -1482,14 +1482,14 @@ e-quence of <SYN>, <SYN+ACK>,
[]
[50 <./images//tcp_conn.jpg>]
<images//tcp_retransmission.jpg, id=1187, 523.9575pt x 485.815pt>
<images//tcp_retransmission.jpg, id=1197, 523.9575pt x 485.815pt>
File: images//tcp_retransmission.jpg Graphic file (type jpg)
<use images//tcp_retransmission.jpg>
Package pdftex.def Info: images//tcp_retransmission.jpg used on input line 163
7.
(pdftex.def) Requested size: 341.43306pt x 316.58401pt.
[51 <./images//tcp_retransmission.jpg>] [52]
<images//tcp_exfiltrate_retrans.jpg, id=1204, 633.36626pt x 475.7775pt>
<images//tcp_exfiltrate_retrans.jpg, id=1214, 633.36626pt x 475.7775pt>
File: images//tcp_exfiltrate_retrans.jpg Graphic file (type jpg)
<use images//tcp_exfiltrate_retrans.jpg>
Package pdftex.def Info: images//tcp_exfiltrate_retrans.jpg used on input line
@@ -1501,19 +1501,19 @@ Chapter 4.
[55
]
<images//stack_ret_hij_simple.jpg, id=1223, 774.895pt x 674.52pt>
<images//stack_ret_hij_simple.jpg, id=1233, 774.895pt x 674.52pt>
File: images//stack_ret_hij_simple.jpg Graphic file (type jpg)
<use images//stack_ret_hij_simple.jpg>
Package pdftex.def Info: images//stack_ret_hij_simple.jpg used on input line 1
730.
(pdftex.def) Requested size: 426.79134pt x 371.51205pt.
[56] [57 <./images//stack_ret_hij_simple.jpg>]
<images//buffer_overflow.jpg, id=1241, 707.64375pt x 343.2825pt>
<images//buffer_overflow.jpg, id=1251, 707.64375pt x 343.2825pt>
File: images//buffer_overflow.jpg Graphic file (type jpg)
<use images//buffer_overflow.jpg>
Package pdftex.def Info: images//buffer_overflow.jpg used on input line 1755.
(pdftex.def) Requested size: 426.79134pt x 207.03964pt.
<images//buffer_overflow_shellcode.jpg, id=1243, 707.64375pt x 379.4175pt>
<images//buffer_overflow_shellcode.jpg, id=1253, 707.64375pt x 379.4175pt>
File: images//buffer_overflow_shellcode.jpg Graphic file (type jpg)
<use images//buffer_overflow_shellcode.jpg>
Package pdftex.def Info: images//buffer_overflow_shellcode.jpg used on input l
@@ -1528,11 +1528,7 @@ LaTeX Warning: Reference `TODO probably an Annex' on page 59 undefined on input
LaTeX Warning: Reference `TODO' on page 59 undefined on input line 1781.
[59 <./images//buffer_overflow_shellcode.jpg>]
LaTeX Warning: Citation 'rop_prog_finder' on page 60 undefined on input line 17
90.
<images//ROPcompound.jpg, id=1259, 1296.845pt x 790.955pt>
<images//ROPcompound.jpg, id=1270, 1296.845pt x 790.955pt>
File: images//ROPcompound.jpg Graphic file (type jpg)
<use images//ROPcompound.jpg>
Package pdftex.def Info: images//ROPcompound.jpg used on input line 1803.
@@ -1546,132 +1542,176 @@ Overfull \hbox (28.45273pt too wide) in paragraph at lines 1803--1804
LaTeX Warning: Reference `TODO' on page 61 undefined on input line 1815.
[61 <./images//ROPcompound.jpg>] [62]
[61 <./images//ROPcompound.jpg>]
<images//rop_evil_ebpf_1.jpg, id=1291, 789.95125pt x 395.4775pt>
File: images//rop_evil_ebpf_1.jpg Graphic file (type jpg)
<use images//rop_evil_ebpf_1.jpg>
Package pdftex.def Info: images//rop_evil_ebpf_1.jpg used on input line 1824.
(pdftex.def) Requested size: 426.79134pt x 213.66933pt.
LaTeX Warning: Reference `TODO' on page 62 undefined on input line 1831.
LaTeX Warning: Citation 'glibc' on page 62 undefined on input line 1831.
[62 <./images//rop_evil_ebpf_1.jpg>]
Overfull \hbox (4.42868pt too wide) in paragraph at lines 1840--1841
\T1/txr/m/n/12 the orig-i-nal data later) and we pro-ceed to over-write the sta
ck us-ing bpf_probe_write_user(),
[]
<images//rop_evil_ebpf_2.jpg, id=1299, 789.95125pt x 395.4775pt>
File: images//rop_evil_ebpf_2.jpg Graphic file (type jpg)
<use images//rop_evil_ebpf_2.jpg>
Package pdftex.def Info: images//rop_evil_ebpf_2.jpg used on input line 1844.
(pdftex.def) Requested size: 426.79134pt x 213.66933pt.
LaTeX Warning: Reference `subsection:rop' on page 63 undefined on input line 18
49.
[63 <./images//rop_evil_ebpf_2.jpg>]
LaTeX Warning: Reference `fig:rop_evil_ebpf_3' on page 64 undefined on input li
ne 1851.
<images//rop_evil_ebpf_3.jpg, id=1307, 789.95125pt x 369.38pt>
File: images//rop_evil_ebpf_3.jpg Graphic file (type jpg)
<use images//rop_evil_ebpf_3.jpg>
Package pdftex.def Info: images//rop_evil_ebpf_3.jpg used on input line 1855.
(pdftex.def) Requested size: 426.79134pt x 199.5693pt.
[64 <./images//rop_evil_ebpf_3.jpg>]
Chapter 5.
[63
[65
]
Chapter 6.
[64
[66
]
Overfull \hbox (5.34976pt too wide) in paragraph at lines 1852--1852
Overfull \hbox (5.34976pt too wide) in paragraph at lines 1898--1898
\T1/txtt/m/n/12 threat -[] intelligence / cyber -[] year -[] in -[] retrospect
/ yir -[] cyber -[] threats -[]
[]
[65
[67
]
Overfull \hbox (6.22696pt too wide) in paragraph at lines 1852--1852
Overfull \hbox (6.22696pt too wide) in paragraph at lines 1898--1898
[]\T1/txr/m/it/12 Bpf fea-tures by linux ker-nel ver-sion\T1/txr/m/n/12 , io-vi
-sor. [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / github .
[]
Overfull \hbox (7.34976pt too wide) in paragraph at lines 1852--1852
Overfull \hbox (7.34976pt too wide) in paragraph at lines 1898--1898
[][]$\T1/txtt/m/n/12 https : / / ebpf . io / what -[] is -[] ebpf / #loader -[]
-[] verification -[] architecture$[][]\T1/txr/m/n/12 .
[]
Overfull \hbox (21.24973pt too wide) in paragraph at lines 1852--1852
Overfull \hbox (21.24973pt too wide) in paragraph at lines 1898--1898
\T1/txtt/m/n/12 vger . kernel . org / netconf2015Starovoitov -[] bpf _ collabsu
mmit _ 2015feb20 .
[]
[66]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 1852--1852
[68]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 1898--1898
\T1/txtt/m/n/12 ch02 . xhtml# :-[]: text = With % 20JIT % 20compiled % 20code %
2C % 20i ,[] %20other %
[]
Overfull \hbox (6.49615pt too wide) in paragraph at lines 1852--1852
Overfull \hbox (6.49615pt too wide) in paragraph at lines 1898--1898
[]\T1/txr/m/n/12 D. Lavie. ^^P A gen-tle in-tro-duc-tion to xdp.^^Q (Feb. 3, 2
022), [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https :
[]
[67]
Overfull \hbox (0.76683pt too wide) in paragraph at lines 1852--1852
[69]
Overfull \hbox (0.76683pt too wide) in paragraph at lines 1898--1898
[]\T1/txr/m/n/12 ^^P Bpf next ker-nel tree.^^Q (), [On-line]. Avail-able: [][]
$\T1/txtt/m/n/12 https : / / kernel . googlesource .
[]
Overfull \hbox (14.49278pt too wide) in paragraph at lines 1852--1852
Overfull \hbox (14.49278pt too wide) in paragraph at lines 1898--1898
[]\T1/txr/m/it/12 Capabilities - overview of linux ca-pa-bil-i-ties\T1/txr/m/n/
12 . [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 http : / / manpages .
[]
[68]
Overfull \hbox (53.32059pt too wide) in paragraph at lines 1852--1852
[70]
Overfull \hbox (53.32059pt too wide) in paragraph at lines 1898--1898
\T1/txr/m/it/12 sup-ple-ment\T1/txr/m/n/12 , Jan. 28, 2018, p. 148. [On-line].
Avail-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
[]
Overfull \hbox (33.3497pt too wide) in paragraph at lines 1852--1852
Overfull \hbox (33.3497pt too wide) in paragraph at lines 1898--1898
\T1/txtt/m/n/12 20CON % 2029 % 20presentations / Guillaume % 20Fournier % 20Syl
vain % 20Afchain %
[]
Overfull \hbox (9.33742pt too wide) in paragraph at lines 1852--1852
Overfull \hbox (9.33742pt too wide) in paragraph at lines 1898--1898
\T1/txr/m/n/12 Avail-able: [][]$\T1/txtt/m/n/12 https : / / events19 . linuxfou
ndation . org / wp -[] content / uploads /
[]
Overfull \hbox (18.44974pt too wide) in paragraph at lines 1852--1852
Overfull \hbox (18.44974pt too wide) in paragraph at lines 1898--1898
\T1/txtt/m/n/12 2017 / 12 / MM -[] 101 -[] Introduction -[] to -[] Linux -[] Me
mory -[] Management -[] Christoph -[]
[]
Overfull \hbox (5.92503pt too wide) in paragraph at lines 1852--1852
Overfull \hbox (5.92503pt too wide) in paragraph at lines 1898--1898
[]\T1/txr/m/n/12 D. Breaker. ^^P Un-der-stand-ing page faults and mem-ory swap
-in/outs.^^Q (Aug. 19, 2019),
[]
Overfull \hbox (40.56133pt too wide) in paragraph at lines 1852--1852
Overfull \hbox (40.56133pt too wide) in paragraph at lines 1898--1898
\T1/txr/m/n/12 able: [][]$\T1/txtt/m/n/12 https : / / h3xduck . github . io / e
xploit / 2021 / 05 / 23 / stackbufferoverflow -[]
[]
Overfull \hbox (47.32059pt too wide) in paragraph at lines 1852--1852
Overfull \hbox (47.32059pt too wide) in paragraph at lines 1898--1898
\T1/txr/m/it/12 sup-ple-ment\T1/txr/m/n/12 , Jan. 28, 2018, p. 18. [On-line]. A
vail-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
[]
[69]
Overfull \hbox (11.10025pt too wide) in paragraph at lines 1852--1852
[71]
Overfull \hbox (11.10025pt too wide) in paragraph at lines 1898--1898
\T1/txr/m/n/12 DE-F-CON 27, pp. 69^^U74. [On-line]. Avail-able: [][]$\T1/txtt/m
/n/12 https : / / raw . githubusercontent .
[]
Overfull \hbox (39.98859pt too wide) in paragraph at lines 1852--1852
Overfull \hbox (39.98859pt too wide) in paragraph at lines 1898--1898
\T1/txr/m/it/12 ment\T1/txr/m/n/12 , Jan. 28, 2018, pp. 19^^U22. [On-line]. Ava
il-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
[]
Overfull \hbox (21.2149pt too wide) in paragraph at lines 1852--1852
Overfull \hbox (21.2149pt too wide) in paragraph at lines 1898--1898
\T1/txr/m/n/12 line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / www . plixer
. com / blog / network -[] layers -[] explained/$[][]\T1/txr/m/n/12 .
[]
Overfull \hbox (4.29944pt too wide) in paragraph at lines 1852--1852
Overfull \hbox (4.29944pt too wide) in paragraph at lines 1898--1898
[]\T1/txr/m/n/12 ^^P Trans-mis-sion con-trol pro-to-col,^^Q IBM. (Apr. 19, 202
2), [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https :
[]
[70] (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
Overfull \hbox (18.27475pt too wide) in paragraph at lines 1898--1898
[]\T1/txr/m/n/12 ^^P Rop-gad-get tool.^^Q (), [On-line]. Avail-able: [][]$\T1/
txtt/m/n/12 https : / / github . com / JonathanSalwan /
[]
[72] (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
File: lstlang1.sty 2020/03/24 1.8d listings language file
)
(/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
@@ -1682,15 +1722,18 @@ File: lstlang1.sty 2020/03/24 1.8d listings language file
been already used, duplicate ignored
<to be read again>
\relax
l.1912 \end{document}
l.1958 \end{document}
[2
] (./document.aux)
LaTeX Warning: There were undefined references.
LaTeX Warning: Label(s) may have changed. Rerun to get cross-references right.
Package rerunfilecheck Info: File `document.out' has not changed.
(rerunfilecheck) Checksum: A0D9888CF217B41DB9D86D22513DB939;4682.
(rerunfilecheck) Checksum: 542EF2AE9E1F050EEFB8CF77859493DE;4750.
Package biblatex Warning: Please (re)run Biber on the file:
(biblatex) document
@@ -1701,10 +1744,10 @@ Package logreq Info: Writing requests to 'document.run.xml'.
)
Here is how much of TeX's memory you used:
28602 strings out of 481209
456331 string characters out of 5914747
1353969 words of memory out of 5000000
44687 multiletter control sequences out of 15000+600000
28637 strings out of 481209
457167 string characters out of 5914747
1354862 words of memory out of 5000000
44709 multiletter control sequences out of 15000+600000
459242 words of font info for 106 fonts, out of 8000000 for 9000
36 hyphenation exceptions out of 8191
88i,12n,90p,1029b,3693s stack positions out of 5000i,500n,10000p,200000b,80000s
@@ -1720,9 +1763,9 @@ e/texmf-dist/fonts/type1/urw/helvetic/uhvb8a.pfb></usr/share/texlive/texmf-dist
/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/u
tmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr
/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on document.pdf (90 pages, 1838612 bytes).
Output written on document.pdf (92 pages, 2058830 bytes).
PDF statistics:
1631 PDF objects out of 1728 (max. 8388607)
401 named destinations out of 1000 (max. 500000)
633 words of extra memory for PDF output out of 10000 (max. 10000000)
1667 PDF objects out of 1728 (max. 8388607)
411 named destinations out of 1000 (max. 500000)
656 words of extra memory for PDF output out of 10000 (max. 10000000)


@@ -54,7 +54,8 @@
\BOOKMARK [0][-]{chapter.4}{Design\040of\040a\040malicious\040eBPF\040rootkit}{}% 54
\BOOKMARK [1][-]{section.4.1}{Library\040injection\040via\040.GOT\040hijacking}{chapter.4}% 55
\BOOKMARK [2][-]{subsection.4.1.1}{Attacks\040at\040the\040stack:\040buffer\040overflow}{section.4.1}% 56
\BOOKMARK [2][-]{subsection.4.1.2}{Return\040oriented\040programming\040with\040eBPF}{section.4.1}% 57
\BOOKMARK [0][-]{chapter.5}{Results}{}% 58
\BOOKMARK [0][-]{chapter.6}{Conclusion\040and\040future\040work}{}% 59
\BOOKMARK [0][-]{chapter.6}{Bibliography}{}% 60
\BOOKMARK [2][-]{subsection.4.1.2}{Return\040oriented\040programming\040attacks}{section.4.1}% 57
\BOOKMARK [2][-]{subsection.4.1.3}{ROP\040with\040eBPF}{section.4.1}% 58
\BOOKMARK [0][-]{chapter.5}{Results}{}% 59
\BOOKMARK [0][-]{chapter.6}{Conclusion\040and\040future\040work}{}% 60
\BOOKMARK [0][-]{chapter.6}{Bibliography}{}% 61

Binary file not shown.

Binary file not shown.


@@ -1780,7 +1780,7 @@ As we can observe in the figure, the attacker will take advantage of the buffer
By using eBPF, we should in principle be able to overwrite the stack, inject shellcode, overwrite ret and then execute our malicious code. However, the classic buffer overflow is one of the oldest techniques in binary exploitation, and thus numerous protections have historically been incorporated and thus the attack presented here does not work work in modern systems any more. One of the protections is the prohibition of executing code from the stack. By marking the stack as non-executable, in the case of rip pointing to an address in the stack any malicious code will not be ran, even if an application was vulnerable to a buffer overflow. We will explain more in detail the main protections that nowadays are incorporated in modern systems in section \ref{TODO}.
\subsection{Return oriented programming with eBPF}
\subsection{Return oriented programming attacks} \label{subsection:rop}
After the stack was marked non-executable, a new refined technique was invented to circumvent this restriction and adapt the classic buffer overflow to modern systems. In the end, attackers still maintained the ability to overflow the buffer in the stack of vulnerable applications, writing shellcode and overwriting ret, the only issue was that the shellcode could not be executed.
Return Oriented Programming (ROP) is an exploitation technique that takes advantage of the fact that, even if malicious code in the stack cannot be executed, the attacker can still redirect the flow of execution by modifying ret to any other piece of executable code. The challenge for the attacker is executing malicious code, since any available executable instructions are either at the .text section (which will correspond to the normal functioning of the program) or at shared libraries, but none are useful for malware.
@@ -1816,6 +1816,52 @@ After this step, the return instruction will be executed. Note that, at this poi
\end{enumerate}
\subsection{ROP with eBPF}
In 2019, Jeff Dileo presented in DEFCON 27 the first technique to achieve arbitrary code execution using eBPF\cite{evil_ebpf_p6974}. For this, he used the ROP technique we have described previously to inject malicious code into a process. We will present an overview on his technique, in order to later compare it to ours and find advantages and disadvantages. Note that this is a summary and some aspects have been simplified, however we will present the whole process during the explanation of our own technique.
\begin{figure}[H]
\centering
\includegraphics[width=15cm]{rop_evil_ebpf_1.jpg}
\caption{Initial setup for the ROP with eBPF technique.}
\label{fig:rop_evil_ebpf_1}
\end{figure}
Figure \ref{fig:rop_evil_ebpf_1} shows an overview on the process memory and the eBPF programs loaded. For this injection, we will use the stack scanning technique (section \ref{subsection:bpf_probe_write_apps}) using the arguments of a system call whose arguments are passed using the stack (sys\_timerfd\_settime, which receives two structs utmr and otmr). Therefore, a kprobe is attached to the system call, so that it can start to scan for the return address of the system call, which we know is the original value of register rip which was pushed into the stack (ret).
An additional aspect must be introduced now (we will cover it more in detail in section \ref{TODO}): system calls are not directly called by the instructions in the .text section, but rather user programs in C make use of the C Standard Library to delegate the actual syscall, which in this case is the GNU Standard Library (glibc)\cite{glibc}. Therefore, a program calls a function in glibc (in this case timerfd\_settime) in which the syscall is performed, and the kernel executes it.
This means that, during the stack scanning technique, if we start from struct utmr and scan forward in the stack, what we will find in ret is the return address of the function of glibc, and not directly that of the syscall to the kernel. Therefore, our goal is, for every data in the stack while scanning forward, check whether it is the real return address of glibc. For an address to be the real return address, we will follow the next steps:
\begin{enumerate}
\item Take an address from the stack. If that is the return address (the old rip), then the instruction that called the function in glibc must be the previous instruction (rip - 1).
\item We now have a \textit{call} instruction, that directs us to the function at glibc. We check in the instruction to which address it moves the flow of execution, that is the address of timerfd\_settime in glibc.
\item We scan forward, inside timerfd\_settime of glibc, until we find a \textit{syscall} instruction. That is the point where the flow of execution moves to the kernel, so we have checked that the return address we found in the stack truly is the one we are looking for.
\end{enumerate}
Now that we have found the return address, we save a backup of the stack (to recover the original data later) and we proceed to overwrite the stack using bpf\_probe\_write\_user(), setting it for the ROP technique. For this, some gadgets (G0, G1 ... GN) have been previously discovered in the glibc library. Figure \ref{fig:rop_evil_ebpf_2} shows process memory after this overwrite:
\begin{figure}[H]
\centering
\includegraphics[width=15cm]{rop_evil_ebpf_2.jpg}
\caption{Process memory after syscall exits and ROP code overwrites the stack.}
\label{fig:rop_evil_ebpf_2}
\end{figure}
As we can see in the figure, the function has already exited, and ret has been popped into register rip. As we explained in section \ref{subsection:rop}, the attacker places in that position the address of the first ROP gadget. After that, the attacker can execute arbitrary code. Jeff Dileo, for instance, loads a malicious library into the process (we will do the same and explain this process in the next sections).
Once the attacker has finished executing the injected code, the stack must be restored to the original position so that the program can continue without crashing. A simplified view of this procedure consists of attaching a kprobe to a random system call (in this case, sys\_close()) so that, from the ROP code, we can alert the eBPF program when it is time to remove the ROP code and restore the original stack. Figure \ref{fig:rop_evil_ebpf_3} shows this final step:
\begin{figure}[H]
\centering
\includegraphics[width=15cm]{rop_evil_ebpf_3.jpg}
\caption{Stack data is restored and program continues its execution.}
\label{fig:rop_evil_ebpf_3}
\end{figure}
As we can see, eBPF writes back the original stack and thus the execution can continue. Note that, in practice, some final gadgets must also be executed in order to restore the state of rip and rsp, the stack data for this is written in the free memory zone, so that it does not need to be removed.
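Review bot: Step 1 of the new enumerate places the calling instruction at `rip - 1`, which reads as one byte before the return address. An x86-64 call instruction is several bytes long, so the item would be more accurate as "the instruction that ends immediately before that address". The glibc paragraph also still points at `\ref{TODO}`, and the build log in this commit reports it as undefined on input line 1831, so it needs a real label before the section is final. Since the section is framed as background for a later comparison, it would help to add one sentence noting that `bpf_probe_write_user()` can only be used by a privileged loader and that the kernel logs a warning when a program using it is installed, which gives readers a detection point.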


@@ -113,11 +113,13 @@
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {4.1.1}Attacks at the stack: buffer overflow}{56}{subsection.4.1.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {4.1.2}Return oriented programming with eBPF}{60}{subsection.4.1.2}%
\contentsline {subsection}{\numberline {4.1.2}Return oriented programming attacks}{60}{subsection.4.1.2}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Results}{63}{chapter.5}%
\contentsline {subsection}{\numberline {4.1.3}ROP with eBPF}{62}{subsection.4.1.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {6}Conclusion and future work}{64}{chapter.6}%
\contentsline {chapter}{\numberline {5}Results}{65}{chapter.5}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{65}{chapter.6}%
\contentsline {chapter}{\numberline {6}Conclusion and future work}{66}{chapter.6}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{67}{chapter.6}%
\contentsfinish

Binary file not shown.


Binary file not shown.


Binary file not shown.



@@ -73,15 +73,15 @@
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/">
<xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool>
<xmp:ModifyDate>2022-06-07T15:38:18-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-06-07T15:38:18-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-06-07T15:38:18-04:00</xmp:MetadataDate>
<xmp:ModifyDate>2022-06-08T08:51:58-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-06-08T08:51:58-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-06-08T08:51:58-04:00</xmp:MetadataDate>
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/">
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/">
<xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID>
<xmpMM:InstanceID>uuid:FFC22840-A5D2-811D-B4DC-552224123B21</xmpMM:InstanceID>
<xmpMM:InstanceID>uuid:67E0605E-9AD5-2C9E-F626-78177DE1F15D</xmpMM:InstanceID>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>