Completed motivation
@@ -17,5 +17,54 @@
|
||||
title = {Rootkits: evolution and detection methods},
|
||||
date = {2021-11-03},
|
||||
url = {https://www.ptsecurity.com/ww-en/analytics/rootkits-evolution-and-detection-methods/}
|
||||
},
|
||||
|
||||
@online{ebpf_linux318,
|
||||
indextitle={eBPF incorporation in the Linux Kernel 3.18},
|
||||
date={2014-12-07},
|
||||
url={https://kernelnewbies.org/Linux_3.18}
|
||||
},
|
||||
|
||||
@report{bvp47_report,
|
||||
institution = {Pangu Lab},
|
||||
title = {Bvp47 Top-tier Backdoor of US NSA Equation Group},
|
||||
date = {2022-02-23},
|
||||
url = {https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf}
|
||||
},
|
||||
|
||||
@report{bpfdoor_pwc,
|
||||
institution = {PricewaterhouseCoopers},
|
||||
title = {Cyber Threats 2021: A year in Retrospect},
|
||||
url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf},
|
||||
pages = {37}
|
||||
},
|
||||
|
||||
@proceedings{ebpf_friends,
|
||||
institution = {Datadog},
|
||||
author = {Guillaume Fournier, Sylvain Afchainthe},
|
||||
organization= {DEFCON 29},
|
||||
eventtitle = {Cyber Threats 2021: A year in Retrospect},
|
||||
url = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf}
|
||||
},
|
||||
|
||||
@proceedings{evil_ebpf,
|
||||
institution = {NCC Group},
|
||||
author = {Jeff Dileo},
|
||||
organization= {DEFCON 27},
|
||||
eventtitle = {Evil eBPF Practical Abuses of an In-Kernel Bytecode Runtime},
|
||||
url = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf}
|
||||
},
|
||||
|
||||
@online{ebpf_windows,
|
||||
title={eBPF incorporation in the Linux Kernel 3.18},
|
||||
date={2014-12-07},
|
||||
url={https://kernelnewbies.org/Linux_3.18}
|
||||
},
|
||||
@online{ebpf_android,
|
||||
title={eBPF for Windows},
|
||||
url={https://source.android.com/devices/architecture/kernel/bpf}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
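Review bot: Every entry added in this hunk closes with `},` instead of `}`, and that stray comma outside the braces is exactly what the document.blg hunk in the same commit reports as nine `1 characters of junk seen at toplevel` warnings, so drop the comma after each closing brace. Three entries also carry copy-paste mistakes that will surface in the rendered bibliography: `ebpf_windows` repeats the title and kernelnewbies URL of `ebpf_linux318` although the text cites it for eBPF on Windows, `ebpf_android` is titled `eBPF for Windows` while pointing at source.android.com, and `ebpf_friends` reuses the PwC report's `eventtitle` and joins its authors with a comma, which Biber parsed as one person (family `Guillaume Fournier`, given `Sylvain Afchainthe`, per the .bbl hunk) even though the DEF CON URL names Fournier, Afchain and Baubeau. `ebpf_linux318` keeps its title in `indextitle`, so no `title` is emitted for it, and the two talks are typed `@proceedings` with an `institution` field, which describes a whole volume rather than a talk and leaves the talk title in `eventtitle`. The rewritten entries below take the talk title and presenter names from the filename in the DEF CON URL; the eBPF-for-Windows URL and the Android page title still have to be confirmed against the sources, so they are marked TODO in an ignored field rather than guessed.
```bibtex
@online{ebpf_linux318,
  title = {{eBPF} incorporation in the {Linux} Kernel 3.18},
  date  = {2014-12-07},
  url   = {https://kernelnewbies.org/Linux_3.18}
}

% … unchanged: bvp47_report, bpfdoor_pwc (only the trailing comma after each closing brace is dropped) …

@inproceedings{ebpf_friends,
  author    = {Fournier, Guillaume and Afchain, Sylvain and Baubeau, Sylvain},
  title     = {{eBPF}, I thought we were friends},
  booktitle = {DEF CON 29},
  note      = {Datadog},
  url       = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf}
}

@inproceedings{evil_ebpf,
  author    = {Dileo, Jeff},
  title     = {Evil {eBPF}: Practical Abuses of an In-Kernel Bytecode Runtime},
  booktitle = {DEF CON 27},
  note      = {NCC Group},
  url       = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf}
}

@online{ebpf_windows,
  title         = {{eBPF} for {Windows}},
  internal-note = {TODO: add the eBPF-for-Windows project URL; the kernelnewbies link was copied from ebpf_linux318}
}

@online{ebpf_android,
  title         = {{eBPF} on {Android}},
  url           = {https://source.android.com/devices/architecture/kernel/bpf},
  internal-note = {TODO: confirm the page title; the committed one was copied from the Windows entry}
}
```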
@@ -1,4 +1,4 @@
|
||||
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 20 MAY 2022 20:22
|
||||
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 20 MAY 2022 22:23
|
||||
entering extended mode
|
||||
restricted \write18 enabled.
|
||||
%&-line parsing enabled.
|
||||
|
||||
@@ -31,26 +31,47 @@
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.1}Motivation}{1}{section.1.1}\protected@file@percent }
|
||||
\abx@aux@cite{rootkit_ptsecurity}
|
||||
\abx@aux@segm{0}{0}{rootkit_ptsecurity}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.2}Objectives}{2}{section.1.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.3}Regulatory framework}{2}{section.1.3}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {1.3.1}Social and economic environment}{2}{subsection.1.3.1}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {1.3.2}Budget}{2}{subsection.1.3.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {2}State of the Art}{3}{chapter.2}\protected@file@percent }
|
||||
\abx@aux@cite{ebpf_linux318}
|
||||
\abx@aux@segm{0}{0}{ebpf_linux318}
|
||||
\abx@aux@cite{bvp47_report}
|
||||
\abx@aux@segm{0}{0}{bvp47_report}
|
||||
\abx@aux@cite{bpfdoor_pwc}
|
||||
\abx@aux@segm{0}{0}{bpfdoor_pwc}
|
||||
\abx@aux@cite{evil_ebpf}
|
||||
\abx@aux@segm{0}{0}{evil_ebpf}
|
||||
\abx@aux@cite{ebpf_friends}
|
||||
\abx@aux@segm{0}{0}{ebpf_friends}
|
||||
\abx@aux@cite{ebpf_windows}
|
||||
\abx@aux@segm{0}{0}{ebpf_windows}
|
||||
\abx@aux@cite{ebpf_android}
|
||||
\abx@aux@segm{0}{0}{ebpf_android}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.2}Objectives}{3}{section.1.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.3}Regulatory framework}{3}{section.1.3}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {1.3.1}Social and economic environment}{3}{subsection.1.3.1}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {1.3.2}Budget}{3}{subsection.1.3.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {2}State of the Art}{4}{chapter.2}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Methods??}{4}{chapter.3}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Methods??}{5}{chapter.3}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{5}{chapter.4}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{6}{chapter.4}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{6}{chapter.5}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{7}{chapter.5}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{7}{chapter.5}\protected@file@percent }
|
||||
\abx@aux@read@bbl@mdfivesum{06B912EE459FE111D955FBA417607BD1}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{8}{chapter.5}\protected@file@percent }
|
||||
\abx@aux@read@bbl@mdfivesum{279FACA5324B1AFB51B5FC1A08973172}
|
||||
\abx@aux@refcontextdefaultsdone
|
||||
\abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_linux318}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{bvp47_report}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{bpfdoor_pwc}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{evil_ebpf}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_friends}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_windows}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_android}{none/global//global/global}
|
||||
\ttl@finishall
|
||||
\gdef \@abspage@last{23}
|
||||
\gdef \@abspage@last{24}
|
||||
|
||||
@@ -53,6 +53,147 @@
|
||||
\verb https://www.ptsecurity.com/ww-en/analytics/rootkits-evolution-and-detection-methods/
|
||||
\endverb
|
||||
\endentry
|
||||
\entry{ebpf_linux318}{online}{}
|
||||
\field{sortinit}{3}
|
||||
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
|
||||
\field{day}{7}
|
||||
\field{indextitle}{eBPF incorporation in the Linux Kernel 3.18}
|
||||
\field{month}{12}
|
||||
\field{year}{2014}
|
||||
\field{dateera}{ce}
|
||||
\verb{urlraw}
|
||||
\verb https://kernelnewbies.org/Linux_3.18
|
||||
\endverb
|
||||
\verb{url}
|
||||
\verb https://kernelnewbies.org/Linux_3.18
|
||||
\endverb
|
||||
\endentry
|
||||
\entry{bvp47_report}{report}{}
|
||||
\list{institution}{1}{%
|
||||
{Pangu Lab}%
|
||||
}
|
||||
\field{sortinit}{4}
|
||||
\field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4}
|
||||
\field{labeltitlesource}{title}
|
||||
\field{day}{23}
|
||||
\field{month}{2}
|
||||
\field{title}{Bvp47 Top-tier Backdoor of US NSA Equation Group}
|
||||
\field{year}{2022}
|
||||
\field{dateera}{ce}
|
||||
\verb{urlraw}
|
||||
\verb https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf
|
||||
\endverb
|
||||
\verb{url}
|
||||
\verb https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf
|
||||
\endverb
|
||||
\endentry
|
||||
\entry{bpfdoor_pwc}{report}{}
|
||||
\list{institution}{1}{%
|
||||
{PricewaterhouseCoopers}%
|
||||
}
|
||||
\field{sortinit}{5}
|
||||
\field{sortinithash}{5dd416adbafacc8226114bc0202d5fdd}
|
||||
\field{labeltitlesource}{title}
|
||||
\field{title}{Cyber Threats 2021: A year in Retrospect}
|
||||
\field{pages}{37}
|
||||
\range{pages}{1}
|
||||
\verb{urlraw}
|
||||
\verb https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf
|
||||
\endverb
|
||||
\verb{url}
|
||||
\verb https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf
|
||||
\endverb
|
||||
\endentry
|
||||
\entry{evil_ebpf}{proceedings}{}
|
||||
\name{author}{1}{}{%
|
||||
{{hash=5142e68c748eb70cb619b21160eb7f72}{%
|
||||
family={Dileo},
|
||||
familyi={D\bibinitperiod},
|
||||
given={Jeff},
|
||||
giveni={J\bibinitperiod}}}%
|
||||
}
|
||||
\list{institution}{1}{%
|
||||
{NCC Group}%
|
||||
}
|
||||
\list{organization}{1}{%
|
||||
{DEFCON 27}%
|
||||
}
|
||||
\strng{namehash}{5142e68c748eb70cb619b21160eb7f72}
|
||||
\strng{fullhash}{5142e68c748eb70cb619b21160eb7f72}
|
||||
\strng{bibnamehash}{5142e68c748eb70cb619b21160eb7f72}
|
||||
\strng{authorbibnamehash}{5142e68c748eb70cb619b21160eb7f72}
|
||||
\strng{authornamehash}{5142e68c748eb70cb619b21160eb7f72}
|
||||
\strng{authorfullhash}{5142e68c748eb70cb619b21160eb7f72}
|
||||
\field{sortinit}{6}
|
||||
\field{sortinithash}{7851c86048328b027313775d8fbd2131}
|
||||
\field{labelnamesource}{author}
|
||||
\field{eventtitle}{Evil eBPF Practical Abuses of an In-Kernel Bytecode Runtime}
|
||||
\verb{urlraw}
|
||||
\verb https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf
|
||||
\endverb
|
||||
\verb{url}
|
||||
\verb https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf
|
||||
\endverb
|
||||
\endentry
|
||||
\entry{ebpf_friends}{proceedings}{}
|
||||
\name{author}{1}{}{%
|
||||
{{hash=2994fc802c0b46f7289cf001e2c26cfe}{%
|
||||
family={Guillaume\bibnamedelima Fournier},
|
||||
familyi={G\bibinitperiod\bibinitdelim F\bibinitperiod},
|
||||
given={Sylvain\bibnamedelima Afchainthe},
|
||||
giveni={S\bibinitperiod\bibinitdelim A\bibinitperiod}}}%
|
||||
}
|
||||
\list{institution}{1}{%
|
||||
{Datadog}%
|
||||
}
|
||||
\list{organization}{1}{%
|
||||
{DEFCON 29}%
|
||||
}
|
||||
\strng{namehash}{2994fc802c0b46f7289cf001e2c26cfe}
|
||||
\strng{fullhash}{2994fc802c0b46f7289cf001e2c26cfe}
|
||||
\strng{bibnamehash}{2994fc802c0b46f7289cf001e2c26cfe}
|
||||
\strng{authorbibnamehash}{2994fc802c0b46f7289cf001e2c26cfe}
|
||||
\strng{authornamehash}{2994fc802c0b46f7289cf001e2c26cfe}
|
||||
\strng{authorfullhash}{2994fc802c0b46f7289cf001e2c26cfe}
|
||||
\field{sortinit}{7}
|
||||
\field{sortinithash}{f615fb9c6fba11c6f962fb3fd599810e}
|
||||
\field{labelnamesource}{author}
|
||||
\field{eventtitle}{Cyber Threats 2021: A year in Retrospect}
|
||||
\verb{urlraw}
|
||||
\verb https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf
|
||||
\endverb
|
||||
\verb{url}
|
||||
\verb https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf
|
||||
\endverb
|
||||
\endentry
|
||||
\entry{ebpf_windows}{online}{}
|
||||
\field{sortinit}{8}
|
||||
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
|
||||
\field{labeltitlesource}{title}
|
||||
\field{day}{7}
|
||||
\field{month}{12}
|
||||
\field{title}{eBPF incorporation in the Linux Kernel 3.18}
|
||||
\field{year}{2014}
|
||||
\field{dateera}{ce}
|
||||
\verb{urlraw}
|
||||
\verb https://kernelnewbies.org/Linux_3.18
|
||||
\endverb
|
||||
\verb{url}
|
||||
\verb https://kernelnewbies.org/Linux_3.18
|
||||
\endverb
|
||||
\endentry
|
||||
\entry{ebpf_android}{online}{}
|
||||
\field{sortinit}{9}
|
||||
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
|
||||
\field{labeltitlesource}{title}
|
||||
\field{title}{eBPF for Windows}
|
||||
\verb{urlraw}
|
||||
\verb https://source.android.com/devices/architecture/kernel/bpf
|
||||
\endverb
|
||||
\verb{url}
|
||||
\verb https://source.android.com/devices/architecture/kernel/bpf
|
||||
\endverb
|
||||
\endentry
|
||||
\enddatalist
|
||||
\endrefsection
|
||||
\endinput
|
||||
|
||||
@@ -2350,6 +2350,13 @@
|
||||
<bcf:section number="0">
|
||||
<bcf:citekey order="1">ransomware_pwc</bcf:citekey>
|
||||
<bcf:citekey order="2">rootkit_ptsecurity</bcf:citekey>
|
||||
<bcf:citekey order="3">ebpf_linux318</bcf:citekey>
|
||||
<bcf:citekey order="4">bvp47_report</bcf:citekey>
|
||||
<bcf:citekey order="5">bpfdoor_pwc</bcf:citekey>
|
||||
<bcf:citekey order="6">evil_ebpf</bcf:citekey>
|
||||
<bcf:citekey order="7">ebpf_friends</bcf:citekey>
|
||||
<bcf:citekey order="8">ebpf_windows</bcf:citekey>
|
||||
<bcf:citekey order="9">ebpf_android</bcf:citekey>
|
||||
</bcf:section>
|
||||
<!-- SORTING TEMPLATES -->
|
||||
<bcf:sortingtemplate name="none">
|
||||
|
||||
@@ -1,18 +1,25 @@
|
||||
[0] Config.pm:311> INFO - This is Biber 2.16
|
||||
[0] Config.pm:314> INFO - Logfile is 'document.blg'
|
||||
[58] biber:340> INFO - === Fri May 20, 2022, 21:19:02
|
||||
[70] Biber.pm:415> INFO - Reading 'document.bcf'
|
||||
[138] Biber.pm:952> INFO - Found 2 citekeys in bib section 0
|
||||
[152] Biber.pm:4340> INFO - Processing section 0
|
||||
[160] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
|
||||
[161] bibtex.pm:1689> INFO - LaTeX decoding ...
|
||||
[163] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
|
||||
[190] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ziL5/f4d088b3f9f145b5c3058da33afd57d4_89896.utf8, line 9, warning: 1 characters of junk seen at toplevel
|
||||
[191] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ziL5/f4d088b3f9f145b5c3058da33afd57d4_89896.utf8, line 15, warning: 1 characters of junk seen at toplevel
|
||||
[199] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
|
||||
[199] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
|
||||
[199] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
|
||||
[199] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
|
||||
[204] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
|
||||
[205] bbl.pm:757> INFO - Output to document.bbl
|
||||
[205] Biber.pm:128> INFO - WARNINGS: 2
|
||||
[57] biber:340> INFO - === Fri May 20, 2022, 22:57:51
|
||||
[69] Biber.pm:415> INFO - Reading 'document.bcf'
|
||||
[136] Biber.pm:952> INFO - Found 9 citekeys in bib section 0
|
||||
[150] Biber.pm:4340> INFO - Processing section 0
|
||||
[159] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
|
||||
[160] bibtex.pm:1689> INFO - LaTeX decoding ...
|
||||
[166] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
|
||||
[199] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_FK6G/f4d088b3f9f145b5c3058da33afd57d4_91789.utf8, line 9, warning: 1 characters of junk seen at toplevel
|
||||
[199] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_FK6G/f4d088b3f9f145b5c3058da33afd57d4_91789.utf8, line 15, warning: 1 characters of junk seen at toplevel
|
||||
[199] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_FK6G/f4d088b3f9f145b5c3058da33afd57d4_91789.utf8, line 22, warning: 1 characters of junk seen at toplevel
|
||||
[199] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_FK6G/f4d088b3f9f145b5c3058da33afd57d4_91789.utf8, line 28, warning: 1 characters of junk seen at toplevel
|
||||
[199] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_FK6G/f4d088b3f9f145b5c3058da33afd57d4_91789.utf8, line 35, warning: 1 characters of junk seen at toplevel
|
||||
[199] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_FK6G/f4d088b3f9f145b5c3058da33afd57d4_91789.utf8, line 42, warning: 1 characters of junk seen at toplevel
|
||||
[199] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_FK6G/f4d088b3f9f145b5c3058da33afd57d4_91789.utf8, line 50, warning: 1 characters of junk seen at toplevel
|
||||
[199] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_FK6G/f4d088b3f9f145b5c3058da33afd57d4_91789.utf8, line 58, warning: 1 characters of junk seen at toplevel
|
||||
[199] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_FK6G/f4d088b3f9f145b5c3058da33afd57d4_91789.utf8, line 63, warning: 1 characters of junk seen at toplevel
|
||||
[211] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
|
||||
[211] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
|
||||
[211] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
|
||||
[211] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
|
||||
[220] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
|
||||
[222] bbl.pm:757> INFO - Output to document.bbl
|
||||
[222] Biber.pm:128> INFO - WARNINGS: 9
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 20 MAY 2022 21:19
|
||||
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 20 MAY 2022 22:57
|
||||
entering extended mode
|
||||
restricted \write18 enabled.
|
||||
%&-line parsing enabled.
|
||||
@@ -1172,64 +1172,64 @@ File: ts1txr.fd 2000/12/15 v3.1
|
||||
) [1
|
||||
|
||||
|
||||
] [2]
|
||||
] [2] [3]
|
||||
Chapter 2.
|
||||
[3
|
||||
|
||||
]
|
||||
Chapter 3.
|
||||
[4
|
||||
|
||||
]
|
||||
Chapter 4.
|
||||
Chapter 3.
|
||||
[5
|
||||
|
||||
]
|
||||
Chapter 5.
|
||||
Chapter 4.
|
||||
[6
|
||||
|
||||
]
|
||||
Chapter 5.
|
||||
[7
|
||||
|
||||
]
|
||||
LaTeX Font Info: Trying to load font information for T1+txtt on input line 3
|
||||
81.
|
||||
83.
|
||||
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txtt.fd
|
||||
File: t1txtt.fd 2000/12/15 v3.1
|
||||
)
|
||||
LaTeX Font Info: Trying to load font information for OT1+txr on input line 3
|
||||
81.
|
||||
83.
|
||||
|
||||
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/ot1txr.fd
|
||||
File: ot1txr.fd 2000/12/15 v3.1
|
||||
)
|
||||
LaTeX Font Info: Trying to load font information for U+txsya on input line 3
|
||||
81.
|
||||
83.
|
||||
|
||||
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/utxsya.fd
|
||||
File: utxsya.fd 2000/12/15 v3.1
|
||||
)
|
||||
LaTeX Font Info: Trying to load font information for U+txsyb on input line 3
|
||||
81.
|
||||
83.
|
||||
|
||||
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/utxsyb.fd
|
||||
File: utxsyb.fd 2000/12/15 v3.1
|
||||
)
|
||||
LaTeX Font Info: Trying to load font information for U+txmia on input line 3
|
||||
81.
|
||||
83.
|
||||
|
||||
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/utxmia.fd
|
||||
File: utxmia.fd 2000/12/15 v3.1
|
||||
)
|
||||
LaTeX Font Info: Trying to load font information for U+txsyc on input line 3
|
||||
81.
|
||||
83.
|
||||
|
||||
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/utxsyc.fd
|
||||
File: utxsyc.fd 2000/12/15 v3.1
|
||||
)
|
||||
Overfull \hbox (2.7712pt too wide) in paragraph at lines 382--382
|
||||
Overfull \hbox (2.7712pt too wide) in paragraph at lines 384--384
|
||||
[]\T1/txr/m/n/12 ^^P Cy-ber threats 2021: A year in ret-ro-spect,^^Q Price-wa-
|
||||
ter-house-C-oop-ers. [On-line]. Avail-
|
||||
[]
|
||||
|
||||
[7
|
||||
[8
|
||||
|
||||
|
||||
] [1
|
||||
@@ -1247,7 +1247,7 @@ pdfTeX warning (ext4): destination with the same identifier (name{page.}) has b
|
||||
een already used, duplicate ignored
|
||||
<to be read again>
|
||||
\relax
|
||||
l.398 \end{document}
|
||||
l.400 \end{document}
|
||||
[2
|
||||
|
||||
] (./document.aux)
|
||||
@@ -1258,10 +1258,10 @@ Package logreq Info: Writing requests to 'document.run.xml'.
|
||||
|
||||
)
|
||||
Here is how much of TeX's memory you used:
|
||||
27136 strings out of 481209
|
||||
429695 string characters out of 5914747
|
||||
1160713 words of memory out of 5000000
|
||||
43630 multiletter control sequences out of 15000+600000
|
||||
27168 strings out of 481209
|
||||
430663 string characters out of 5914747
|
||||
1165085 words of memory out of 5000000
|
||||
43654 multiletter control sequences out of 15000+600000
|
||||
444100 words of font info for 89 fonts, out of 8000000 for 9000
|
||||
36 hyphenation exceptions out of 8191
|
||||
88i,11n,90p,1029b,2369s stack positions out of 5000i,500n,10000p,200000b,80000s
|
||||
@@ -1273,9 +1273,9 @@ tic/uhvb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/helvetic/uhvr8a.p
|
||||
fb></usr/share/texlive/texmf-dist/fonts/type1/urw/helvetic/uhvr8a.pfb></usr/sha
|
||||
re/texlive/texmf-dist/fonts/type1/urw/times/utmb8a.pfb></usr/share/texlive/texm
|
||||
f-dist/fonts/type1/urw/times/utmr8a.pfb>
|
||||
Output written on document.pdf (23 pages, 144617 bytes).
|
||||
Output written on document.pdf (24 pages, 157809 bytes).
|
||||
PDF statistics:
|
||||
240 PDF objects out of 1000 (max. 8388607)
|
||||
40 named destinations out of 1000 (max. 500000)
|
||||
274 PDF objects out of 1000 (max. 8388607)
|
||||
48 named destinations out of 1000 (max. 500000)
|
||||
111 words of extra memory for PDF output out of 10000 (max. 10000000)
|
||||
|
||||
|
||||
Binary file not shown.
Binary file not shown.
@@ -335,10 +335,12 @@ These rootkits are usually the most attractive (and difficult to build) option f
|
||||
|
||||
Historically, kernel-mode rootkits have been tightly associated with espionage activities on governments and research institutes by Advanced Persistent Threat (APT) groups\cite{rootkit_ptsecurity}, state-sponsored or criminal organizations specialized on long-term operations to gather intelligence and gain unauthorized persistent access to computer systems. Although rootkits' functionality is tailored for each specific attack, a common set of techniques and procedures can be identified being used by these organizations. However, during the last years, a new technology called eBPF has been found to be the target of the latest innovation on the development of rootkits.
|
||||
|
||||
%eBPF is
|
||||
eBPF is a technology incorporated in the 3.18 version of the Linux kernel\cite{ebpf_linux318}, which provides the possibility of running code in the kernel without the need of loading a kernel module. Programs are created in a restrictive version of the C language and compiled into eBPF bytecode, which is loaded into the kernel via a new bpf() system call. After a mandatory step of verification by the kernel in which the code is checked to be safe to run, the bytecode is compiled into native machine instructions. These programs can then get access to kernel-exclusive functionalities including network traffic filtering, system calls hooking or tracing.
|
||||
|
||||
Although eBPF has built an outstanding environment for the creation of networking and tracing tools, its ability to run kernel programs without the need to load a kernel module has attracted the attention of multiple APTs. In fact, on February 2022, the Chinese security team Pangu Lab reported about a NSA backdoor that remained unnoticed from 2013 that uses eBPF for its networking functionality and that infected telecommunications, scientific and military systems worldwide\cite{bvp47_report}. More recently, PwC reports about a China-based threat actor that has targeted telecommunications systems with a eBPF-based backdoor\cite{bpfdoor_pwc}.
|
||||
|
||||
Taking all the previous background into account, and attending to the previous work on this matter by Jeff Dileo from NCC Group at DEFCON 27\cite{evil_ebpf} and by Guillaume Fournier and Sylvain Afchainthe from Datadog at DEFCON 29\cite{ebpf_friends}, we can confidently claim that there is a growing interest on researching the capabilities of eBPF in the context of offensive security, in particular given its potential on becoming a common component of modern rootkits. Additionally, there currently exists official efforts to extend the eBPF technology into Windows\cite{ebpf_windows} and Android systems\cite{ebpf_android}, which extends the mentioned risks to new platforms.
|
||||
|
||||
%On February 2022, the Chinese security team Pangu Lab reported about a NSA backdoor that uses eBPF
|
||||
|
||||
|
||||
|
||||
|
||||
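Review bot: The new eBPF paragraph says that after verification `the bytecode is compiled into native machine instructions`, but the kernel only does that when its JIT compiler is built in and enabled; otherwise the verifier-approved bytecode runs in the in-kernel interpreter, so write `is then either interpreted by the kernel or, when the JIT compiler is enabled, translated into native machine instructions`. The Bvp47 sentence is also at odds with the preceding paragraph: it dates the backdoor to 2013 while eBPF is said to have landed in kernel 3.18 in 2014, so check the Pangu report for whether the backdoor's networking relies on classic BPF socket filtering rather than eBPF (the same question applies to BPFDoor, which public write-ups describe as attaching a classic BPF filter to a raw socket); `uses BPF packet filters` would be the safer wording until that is settled. Minor wording in the added text: `on February 2022` → `in February 2022`, `remained unnoticed from 2013` → `had gone unnoticed since 2013`, `a eBPF-based backdoor` → `an eBPF-based backdoor`, and `there currently exists official efforts` → `there currently exist official efforts`. Note that `\cite{ebpf_windows}` resolves, in this commit's bibliography hunk, to the kernel 3.18 release-notes entry rather than to anything about Windows, so the citation renders wrongly until that entry is fixed.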
@@ -5,21 +5,21 @@
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {1.1}Motivation}{1}{section.1.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {1.2}Objectives}{2}{section.1.2}%
|
||||
\contentsline {section}{\numberline {1.2}Objectives}{3}{section.1.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {section}{\numberline {1.3}Regulatory framework}{2}{section.1.3}%
|
||||
\contentsline {section}{\numberline {1.3}Regulatory framework}{3}{section.1.3}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {1.3.1}Social and economic environment}{2}{subsection.1.3.1}%
|
||||
\contentsline {subsection}{\numberline {1.3.1}Social and economic environment}{3}{subsection.1.3.1}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {subsection}{\numberline {1.3.2}Budget}{2}{subsection.1.3.2}%
|
||||
\contentsline {subsection}{\numberline {1.3.2}Budget}{3}{subsection.1.3.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {chapter}{\numberline {2}State of the Art}{3}{chapter.2}%
|
||||
\contentsline {chapter}{\numberline {2}State of the Art}{4}{chapter.2}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {chapter}{\numberline {3}Methods??}{4}{chapter.3}%
|
||||
\contentsline {chapter}{\numberline {3}Methods??}{5}{chapter.3}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {chapter}{\numberline {4}Results}{5}{chapter.4}%
|
||||
\contentsline {chapter}{\numberline {4}Results}{6}{chapter.4}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {chapter}{\numberline {5}Conclusion and future work}{6}{chapter.5}%
|
||||
\contentsline {chapter}{\numberline {5}Conclusion and future work}{7}{chapter.5}%
|
||||
\defcounter {refsection}{0}\relax
|
||||
\contentsline {chapter}{Bibliography}{7}{chapter.5}%
|
||||
\contentsline {chapter}{Bibliography}{8}{chapter.5}%
|
||||
\contentsfinish
|
||||
|
||||
@@ -73,15 +73,15 @@
|
||||
</rdf:Description>
|
||||
<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/">
|
||||
<xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool>
|
||||
<xmp:ModifyDate>2022-05-20T21:19:14-04:00</xmp:ModifyDate>
|
||||
<xmp:CreateDate>2022-05-20T21:19:14-04:00</xmp:CreateDate>
|
||||
<xmp:MetadataDate>2022-05-20T21:19:14-04:00</xmp:MetadataDate>
|
||||
<xmp:ModifyDate>2022-05-20T22:57:53-04:00</xmp:ModifyDate>
|
||||
<xmp:CreateDate>2022-05-20T22:57:53-04:00</xmp:CreateDate>
|
||||
<xmp:MetadataDate>2022-05-20T22:57:53-04:00</xmp:MetadataDate>
|
||||
</rdf:Description>
|
||||
<rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/">
|
||||
</rdf:Description>
|
||||
<rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/">
|
||||
<xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID>
|
||||
<xmpMM:InstanceID>uuid:0F413EA9-E228-5EFB-10AE-E66876925AB8</xmpMM:InstanceID>
|
||||
<xmpMM:InstanceID>uuid:7FB03FB0-B3AA-C9EA-5AC6-57FBAE6526E0</xmpMM:InstanceID>
|
||||
</rdf:Description>
|
||||
</rdf:RDF>
|
||||
</x:xmpmeta>
|
||||
|
||||