admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-17 15:43:08 +08:00
Code Issues Packages Projects Releases Wiki Activity

Finished tracing programs part

Browse Source
This commit is contained in:
h3xduck
2022-06-03 21:47:00 -04:00
parent 8bc376e734
commit d184893426
12 changed files with 383 additions and 159 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
docs/bibliography/bibliography.bib
View File

@@ -414,6 +414,36 @@ AMD64 Architecture Processor Supplement},
pages={148},
date={2018-01-28},
url={https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf}
},
@proceedings{ebpf_friends_p15,
institution = {Datadog},
author = {Guillaume Fournier, Sylvain Afchainthe},
organization= {DEFCON 29},
eventtitle = {Cyber Threats 2021: A year in Retrospect},
url = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf},
pages={15}
},
@online{ebpf_override_return,
title={BPF-based error injection for the kernel},
url={https://lwn.net/Articles/740146/}
},
@online{code_kernel_open,
indextitle={Linux kernel source code},
url={https://elixir.bootlin.com/linux/v5.11/source/fs/open.c#L1192}
},
@online{code_kernel_open,
indextitle={Linux kernel source code},
url={https://elixir.bootlin.com/linux/v5.11/source/include/linux/syscalls.h#L233}
},
@online{fault_injection,
title={},
url={https://lwn.net/Articles/209257/},
date={2006-11-04}
}
@@ -421,4 +451,3 @@ AMD64 Architecture Processor Supplement},

51
docs/document.aux
View File

@@ -298,24 +298,47 @@
\newlabel{table:systemv_abi}{{3.4}{32}{Argument passing convention of registers for function calls in user and kernel space respectively.\relax }{table.caption.33}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.5}{\ignorespaces Other relevant registers in x86\_64 and their purpose.\relax }}{32}{table.caption.34}\protected@file@percent }
\newlabel{table:systemv_abi_other}{{3.5}{32}{Other relevant registers in x86\_64 and their purpose.\relax }{table.caption.34}{}}
\newlabel{code:sys_enter_read_tp}{{3.5}{32}{Format of custom struct sys\_read\_enter\_ctx}{lstlisting.3.5}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.5}Format of custom struct sys\_read\_enter\_ctx.}{32}{lstlisting.3.5}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{33}{subsection.3.2.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.3}Memory corruption}{34}{section.3.3}\protected@file@percent }
\newlabel{section:mem_corruption}{{3.3}{34}{Memory corruption}{section.3.3}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.1}Accessing user memory}{34}{subsection.3.3.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Methods??}{35}{chapter.4}\protected@file@percent }
\newlabel{code:sys_enter_read_tp_format}{{3.5}{32}{Format for parameters in sys\_enter\_read specified at the format file}{lstlisting.3.5}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.5}Format for parameters in sys\_enter\_read specified at the format file.}{32}{lstlisting.3.5}\protected@file@percent }
\newlabel{code:sys_enter_read_tp}{{3.6}{33}{Format of custom struct sys\_read\_enter\_ctx}{lstlisting.3.6}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.6}Format of custom struct sys\_read\_enter\_ctx.}{33}{lstlisting.3.6}\protected@file@percent }
\abx@aux@cite{ebpf_friends_p15}
\abx@aux@segm{0}{0}{ebpf_friends_p15}
\abx@aux@cite{ebpf_override_return}
\abx@aux@segm{0}{0}{ebpf_override_return}
\abx@aux@cite{code_kernel_open}
\abx@aux@segm{0}{0}{code_kernel_open}
\abx@aux@cite{code_kernel_open}
\abx@aux@segm{0}{0}{code_kernel_open}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{34}{subsection.3.2.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.3}Overriding function return values}{34}{subsection.3.2.3}\protected@file@percent }
\newlabel{code:override_return_1}{{3.7}{34}{Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{lstlisting.3.7}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.7}Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{34}{lstlisting.3.7}\protected@file@percent }
\abx@aux@cite{code_kernel_open}
\abx@aux@segm{0}{0}{code_kernel_open}
\abx@aux@cite{code_kernel_open}
\abx@aux@segm{0}{0}{code_kernel_open}
\abx@aux@cite{fault_injection}
\abx@aux@segm{0}{0}{fault_injection}
\newlabel{code:override_return_2}{{3.8}{35}{Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_open}}{lstlisting.3.8}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.8}Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_open}}{35}{lstlisting.3.8}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.4}Sending signals to user programs}{35}{subsection.3.2.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.5}Conclusion}{36}{subsection.3.2.5}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.3}Memory corruption}{36}{section.3.3}\protected@file@percent }
\newlabel{section:mem_corruption}{{3.3}{36}{Memory corruption}{section.3.3}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.1}Accessing user memory}{36}{subsection.3.3.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Methods??}{37}{chapter.4}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Results}{36}{chapter.5}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Results}{38}{chapter.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Conclusion and future work}{37}{chapter.6}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Conclusion and future work}{39}{chapter.6}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{38}{chapter.6}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{40}{chapter.6}\protected@file@percent }
\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.36}{}}
\abx@aux@read@bbl@mdfivesum{F47E3F72E57DA91BA8A2EEF65A74B9DA}
\abx@aux@read@bbl@mdfivesum{93A081D5B69A2A9782DE1688707BDCA2}
\abx@aux@refcontextdefaultsdone
\abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global}
@@ -378,5 +401,9 @@
\abx@aux@defaultrefcontext{0}{unpriv_ebpf_suse}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{unpriv_ebpf_redhat}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{8664_params_abi}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_friends_p15}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_override_return}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{code_kernel_open}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{fault_injection}{none/global//global/global}
\ttl@finishall
\gdef \@abspage@last{60}
\gdef \@abspage@last{62}

72
docs/document.bbl
View File

@@ -212,6 +212,7 @@
\strng{authorbibnamehash}{2994fc802c0b46f7289cf001e2c26cfe}
\strng{authornamehash}{2994fc802c0b46f7289cf001e2c26cfe}
\strng{authorfullhash}{2994fc802c0b46f7289cf001e2c26cfe}
\field{extraname}{1}
\field{sortinit}{2}
\field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
\field{labelnamesource}{author}
@@ -1317,6 +1318,77 @@
\verb https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf
\endverb
\endentry
\entry{ebpf_friends_p15}{proceedings}{}
\name{author}{1}{}{%
{{hash=2994fc802c0b46f7289cf001e2c26cfe}{%
family={Guillaume\bibnamedelima Fournier},
familyi={G\bibinitperiod\bibinitdelim F\bibinitperiod},
given={Sylvain\bibnamedelima Afchainthe},
giveni={S\bibinitperiod\bibinitdelim A\bibinitperiod}}}%
}
\list{institution}{1}{%
{Datadog}%
}
\list{organization}{1}{%
{DEFCON 29}%
}
\strng{namehash}{2994fc802c0b46f7289cf001e2c26cfe}
\strng{fullhash}{2994fc802c0b46f7289cf001e2c26cfe}
\strng{bibnamehash}{2994fc802c0b46f7289cf001e2c26cfe}
\strng{authorbibnamehash}{2994fc802c0b46f7289cf001e2c26cfe}
\strng{authornamehash}{2994fc802c0b46f7289cf001e2c26cfe}
\strng{authorfullhash}{2994fc802c0b46f7289cf001e2c26cfe}
\field{extraname}{2}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{labelnamesource}{author}
\field{eventtitle}{Cyber Threats 2021: A year in Retrospect}
\field{pages}{15}
\range{pages}{1}
\verb{urlraw}
\verb https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf
\endverb
\verb{url}
\verb https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf
\endverb
\endentry
\entry{ebpf_override_return}{online}{}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{labeltitlesource}{title}
\field{title}{BPF-based error injection for the kernel}
\verb{urlraw}
\verb https://lwn.net/Articles/740146/
\endverb
\verb{url}
\verb https://lwn.net/Articles/740146/
\endverb
\endentry
\entry{code_kernel_open}{online}{}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{indextitle}{Linux kernel source code}
\verb{urlraw}
\verb https://elixir.bootlin.com/linux/v5.11/source/fs/open.c#L1192
\endverb
\verb{url}
\verb https://elixir.bootlin.com/linux/v5.11/source/fs/open.c#L1192
\endverb
\endentry
\entry{fault_injection}{online}{}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{day}{4}
\field{month}{11}
\field{year}{2006}
\field{dateera}{ce}
\verb{urlraw}
\verb https://lwn.net/Articles/209257/
\endverb
\verb{url}
\verb https://lwn.net/Articles/209257/
\endverb
\endentry
\enddatalist
\endrefsection
\endinput

7
docs/document.bcf
View File

@@ -2426,6 +2426,13 @@
<bcf:citekey order="88">unpriv_ebpf_suse</bcf:citekey>
<bcf:citekey order="89">unpriv_ebpf_redhat</bcf:citekey>
<bcf:citekey order="90">8664_params_abi</bcf:citekey>
<bcf:citekey order="91">ebpf_friends_p15</bcf:citekey>
<bcf:citekey order="92">ebpf_override_return</bcf:citekey>
<bcf:citekey order="93">code_kernel_open</bcf:citekey>
<bcf:citekey order="94">code_kernel_open</bcf:citekey>
<bcf:citekey order="95">code_kernel_open</bcf:citekey>
<bcf:citekey order="96">code_kernel_open</bcf:citekey>
<bcf:citekey order="97">fault_injection</bcf:citekey>
</bcf:section>
<!-- SORTING TEMPLATES -->
<bcf:sortingtemplate name="none">

160
docs/document.blg
View File

@@ -1,79 +1,85 @@
[0] Config.pm:311> INFO - This is Biber 2.16
[0] Config.pm:314> INFO - Logfile is 'document.blg'
[61] biber:340> INFO - === Thu Jun 2, 2022, 19:20:02
[74] Biber.pm:415> INFO - Reading 'document.bcf'
[149] Biber.pm:952> INFO - Found 61 citekeys in bib section 0
[164] Biber.pm:4340> INFO - Processing section 0
[173] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[175] bibtex.pm:1689> INFO - LaTeX decoding ...
[198] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 9, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 15, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 22, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 28, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 35, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 42, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 50, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 58, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 65, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 70, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 77, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 85, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 94, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 103, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 112, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 121, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 127, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 132, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 137, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 142, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 153, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 158, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 164, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 170, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 175, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 184, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 191, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 199, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 206, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 215, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 224, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 233, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 239, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 244, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 249, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 256, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 261, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 266, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 271, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 276, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 283, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 288, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 295, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 302, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 309, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 315, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 321, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 327, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 334, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 339, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 344, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 349, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 356, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 361, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 366, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 375, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 380, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 385, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 390, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 395, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 400, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 405, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_A9qZ/f4d088b3f9f145b5c3058da33afd57d4_204259.utf8, line 410, warning: 1 characters of junk seen at toplevel
[411] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[411] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[411] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[411] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[445] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[459] bbl.pm:757> INFO - Output to document.bbl
[459] Biber.pm:128> INFO - WARNINGS: 63
[57] biber:340> INFO - === Fri Jun 3, 2022, 19:08:32
[69] Biber.pm:415> INFO - Reading 'document.bcf'
[143] Biber.pm:952> INFO - Found 65 citekeys in bib section 0
[158] Biber.pm:4340> INFO - Processing section 0
[167] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[169] bibtex.pm:1689> INFO - LaTeX decoding ...
[194] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[198] Utils.pm:384> WARN - Duplicate entry key: 'code_kernel_open' in file 'bibliography/bibliography.bib', skipping ...
[346] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 9, warning: 1 characters of junk seen at toplevel
[346] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 15, warning: 1 characters of junk seen at toplevel
[346] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 22, warning: 1 characters of junk seen at toplevel
[346] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 28, warning: 1 characters of junk seen at toplevel
[346] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 35, warning: 1 characters of junk seen at toplevel
[346] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 42, warning: 1 characters of junk seen at toplevel
[346] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 50, warning: 1 characters of junk seen at toplevel
[346] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 58, warning: 1 characters of junk seen at toplevel
[346] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 65, warning: 1 characters of junk seen at toplevel
[346] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 70, warning: 1 characters of junk seen at toplevel
[346] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 77, warning: 1 characters of junk seen at toplevel
[346] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 85, warning: 1 characters of junk seen at toplevel
[346] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 94, warning: 1 characters of junk seen at toplevel
[346] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 103, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 112, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 121, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 127, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 132, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 137, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 142, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 153, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 158, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 164, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 170, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 175, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 184, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 191, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 199, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 206, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 215, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 224, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 233, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 239, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 244, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 249, warning: 1 characters of junk seen at toplevel
[347] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 256, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 261, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 266, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 271, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 276, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 283, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 288, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 295, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 302, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 309, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 315, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 321, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 327, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 334, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 339, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 344, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 349, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 356, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 361, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 366, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 375, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 380, warning: 1 characters of junk seen at toplevel
[348] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 385, warning: 1 characters of junk seen at toplevel
[349] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 390, warning: 1 characters of junk seen at toplevel
[349] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 395, warning: 1 characters of junk seen at toplevel
[349] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 400, warning: 1 characters of junk seen at toplevel
[349] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 405, warning: 1 characters of junk seen at toplevel
[349] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 410, warning: 1 characters of junk seen at toplevel
[349] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 419, warning: 1 characters of junk seen at toplevel
[349] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 428, warning: 1 characters of junk seen at toplevel
[349] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 433, warning: 1 characters of junk seen at toplevel
[349] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 438, warning: 1 characters of junk seen at toplevel
[349] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_B_Hb/f4d088b3f9f145b5c3058da33afd57d4_214634.utf8, line 443, warning: 1 characters of junk seen at toplevel
[390] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[390] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[390] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[390] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[426] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[441] bbl.pm:757> INFO - Output to document.bbl
[442] Biber.pm:128> INFO - WARNINGS: 69

109
docs/document.log
View File

@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 2 JUN 2022 21:07
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 3 JUN 2022 20:57
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.
@@ -1089,7 +1089,7 @@ File: t1txss.fd 2000/12/15 v3.1
)
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 11.39996pt on input line 186.
<images//Portada_Logo.png, id=185, 456.2865pt x 45.99pt>
<images//Portada_Logo.png, id=197, 456.2865pt x 45.99pt>
File: images//Portada_Logo.png Graphic file (type png)
<use images//Portada_Logo.png>
Package pdftex.def Info: images//Portada_Logo.png used on input line 190.
@@ -1102,7 +1102,7 @@ LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 23.63593pt on input line 201.
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 19.70294pt on input line 205.
<images/creativecommons.png, id=187, 338.76563pt x 118.19156pt>
<images/creativecommons.png, id=199, 338.76563pt x 118.19156pt>
File: images/creativecommons.png Graphic file (type png)
<use images/creativecommons.png>
Package pdftex.def Info: images/creativecommons.png used on input line 215.
@@ -1214,7 +1214,7 @@ Chapter 2.
LaTeX Warning: Reference `section:analysis_offensive_capabilities' on page 5 un
defined on input line 412.
<images//classic_bpf.jpg, id=497, 588.1975pt x 432.61626pt>
<images//classic_bpf.jpg, id=515, 588.1975pt x 432.61626pt>
File: images//classic_bpf.jpg Graphic file (type jpg)
<use images//classic_bpf.jpg>
Package pdftex.def Info: images//classic_bpf.jpg used on input line 426.
@@ -1222,36 +1222,36 @@ Package pdftex.def Info: images//classic_bpf.jpg used on input line 426.
[5
] [6 <./images//classic_bpf.jpg>]
<images//cbpf_prog.jpg, id=515, 403.5075pt x 451.6875pt>
<images//cbpf_prog.jpg, id=533, 403.5075pt x 451.6875pt>
File: images//cbpf_prog.jpg Graphic file (type jpg)
<use images//cbpf_prog.jpg>
Package pdftex.def Info: images//cbpf_prog.jpg used on input line 453.
(pdftex.def) Requested size: 227.62204pt x 254.80415pt.
[7 <./images/cBPF_prog.jpg>]
<images//bpf_instructions.png, id=525, 380.92313pt x 475.27562pt>
<images//bpf_instructions.png, id=543, 380.92313pt x 475.27562pt>
File: images//bpf_instructions.png Graphic file (type png)
<use images//bpf_instructions.png>
Package pdftex.def Info: images//bpf_instructions.png used on input line 493.
(pdftex.def) Requested size: 227.62204pt x 283.99998pt.
[8 <./images//bpf_instructions.png>]
<images//bpf_address_mode.png, id=535, 417.05812pt x 313.67188pt>
<images//bpf_address_mode.png, id=553, 417.05812pt x 313.67188pt>
File: images//bpf_address_mode.png Graphic file (type png)
<use images//bpf_address_mode.png>
Package pdftex.def Info: images//bpf_address_mode.png used on input line 509.
(pdftex.def) Requested size: 227.62204pt x 171.19905pt.
[9 <./images//bpf_address_mode.png>]
<images//tcpdump_example.png, id=548, 534.99875pt x 454.69875pt>
<images//tcpdump_example.png, id=566, 534.99875pt x 454.69875pt>
File: images//tcpdump_example.png Graphic file (type png)
<use images//tcpdump_example.png>
Package pdftex.def Info: images//tcpdump_example.png used on input line 524.
(pdftex.def) Requested size: 284.52756pt x 241.82869pt.
<images//cBPF_prog_ex_sol.png, id=551, 242.9075pt x 321.2pt>
<images//cBPF_prog_ex_sol.png, id=569, 242.9075pt x 321.2pt>
File: images//cBPF_prog_ex_sol.png Graphic file (type png)
<use images//cBPF_prog_ex_sol.png>
Package pdftex.def Info: images//cBPF_prog_ex_sol.png used on input line 535.
(pdftex.def) Requested size: 170.71652pt x 225.74026pt.
[10 <./images//tcpdump_example.png>] [11 <./images//cBPF_prog_ex_sol.png>]
<images//ebpf_arch.jpg, id=569, 739.76375pt x 472.76625pt>
<images//ebpf_arch.jpg, id=587, 739.76375pt x 472.76625pt>
File: images//ebpf_arch.jpg Graphic file (type jpg)
<use images//ebpf_arch.jpg>
Package pdftex.def Info: images//ebpf_arch.jpg used on input line 574.
@@ -1303,7 +1303,7 @@ Overfull \hbox (13.5802pt too wide) in paragraph at lines 758--788
[]
[17]
<images//xdp_diag.jpg, id=649, 649.42625pt x 472.76625pt>
<images//xdp_diag.jpg, id=667, 649.42625pt x 472.76625pt>
File: images//xdp_diag.jpg Graphic file (type jpg)
<use images//xdp_diag.jpg>
Package pdftex.def Info: images//xdp_diag.jpg used on input line 804.
@@ -1314,7 +1314,7 @@ Overfull \hbox (5.80417pt too wide) in paragraph at lines 867--879
[]
[20] [21] [22] [23]
<images//libbpf_prog.jpg, id=708, 543.02875pt x 502.87875pt>
<images//libbpf_prog.jpg, id=726, 543.02875pt x 502.87875pt>
File: images//libbpf_prog.jpg Graphic file (type jpg)
<use images//libbpf_prog.jpg>
Package pdftex.def Info: images//libbpf_prog.jpg used on input line 977.
@@ -1368,82 +1368,97 @@ File: t1txtt.fd 2000/12/15 v3.1
LaTeX Font Info: Font shape `T1/txtt/b/n' in size <10> not available
(Font) Font shape `T1/txtt/bx/n' tried instead on input line 1143.
[31] [32]
Overfull \hbox (55.2727pt too wide) in paragraph at lines 1286--1287
[31] [32] [33]
Overfull \hbox (55.2727pt too wide) in paragraph at lines 1303--1304
\T1/txr/m/n/12 As we in-tro-duced in the pre-vi-ous sub-sec-tion, the bpf_probe
_read_user() and bpf_probe_read_kernel()
[]
[33] [34]
LaTeX Warning: Reference `TODO' on page 34 undefined on input line 1307.
Overfull \hbox (47.97661pt too wide) in paragraph at lines 1312--1313
\T1/txr/m/n/12 helper. It will only work if the ker-nel was com-piled with the
CON-FIG_BPF_KPROBE_OVERRIDE
[]
[34] [35] [36]
Chapter 4.
[35
]
Chapter 5.
[36
]
Chapter 6.
[37
]
Overfull \hbox (5.34976pt too wide) in paragraph at lines 1330--1330
Chapter 5.
[38
]
Chapter 6.
[39
]
Overfull \hbox (5.34976pt too wide) in paragraph at lines 1389--1389
\T1/txtt/m/n/12 threat -[] intelligence / cyber -[] year -[] in -[] retrospect
/ yir -[] cyber -[] threats -[]
[]
[38
[40
]
Overfull \hbox (6.22696pt too wide) in paragraph at lines 1330--1330
Overfull \hbox (6.22696pt too wide) in paragraph at lines 1389--1389
[]\T1/txr/m/it/12 Bpf fea-tures by linux ker-nel ver-sion\T1/txr/m/n/12 , io-vi
-sor. [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / github .
[]
Overfull \hbox (7.34976pt too wide) in paragraph at lines 1330--1330
Overfull \hbox (7.34976pt too wide) in paragraph at lines 1389--1389
[][]$\T1/txtt/m/n/12 https : / / ebpf . io / what -[] is -[] ebpf / #loader -[]
-[] verification -[] architecture$[][]\T1/txr/m/n/12 .
[]
Overfull \hbox (21.24973pt too wide) in paragraph at lines 1330--1330
Overfull \hbox (21.24973pt too wide) in paragraph at lines 1389--1389
\T1/txtt/m/n/12 vger . kernel . org / netconf2015Starovoitov -[] bpf _ collabsu
mmit _ 2015feb20 .
[]
[39]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 1330--1330
[41]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 1389--1389
\T1/txtt/m/n/12 ch02 . xhtml# :-[]: text = With % 20JIT % 20compiled % 20code %
2C % 20i ,[] %20other %
[]
Overfull \hbox (6.49615pt too wide) in paragraph at lines 1330--1330
Overfull \hbox (6.49615pt too wide) in paragraph at lines 1389--1389
[]\T1/txr/m/n/12 D. Lavie. ^^P A gen-tle in-tro-duc-tion to xdp.^^Q (Feb. 3, 2
022), [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https :
[]
[40]
Overfull \hbox (0.76683pt too wide) in paragraph at lines 1330--1330
[42]
Overfull \hbox (0.76683pt too wide) in paragraph at lines 1389--1389
[]\T1/txr/m/n/12 ^^P Bpf next ker-nel tree.^^Q (), [On-line]. Avail-able: [][]
$\T1/txtt/m/n/12 https : / / kernel . googlesource .
[]
Overfull \hbox (14.49278pt too wide) in paragraph at lines 1330--1330
Overfull \hbox (14.49278pt too wide) in paragraph at lines 1389--1389
[]\T1/txr/m/it/12 Capabilities - overview of linux ca-pa-bil-i-ties\T1/txr/m/n/
12 . [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 http : / / manpages .
[]
[41]
Overfull \hbox (53.32059pt too wide) in paragraph at lines 1330--1330
[43]
Overfull \hbox (53.32059pt too wide) in paragraph at lines 1389--1389
\T1/txr/m/it/12 sup-ple-ment\T1/txr/m/n/12 , Jan. 28, 2018, p. 148. [On-line].
Avail-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
[]
[42] (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
Overfull \hbox (33.3497pt too wide) in paragraph at lines 1389--1389
\T1/txtt/m/n/12 20CON % 2029 % 20presentations / Guillaume % 20Fournier % 20Syl
vain % 20Afchain %
[]
[44] (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
File: lstlang1.sty 2020/03/24 1.8d listings language file
)
(/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
@@ -1454,7 +1469,7 @@ File: lstlang1.sty 2020/03/24 1.8d listings language file
been already used, duplicate ignored
<to be read again>
\relax
l.1390 \end{document}
l.1449 \end{document}
[2
] (./document.aux)
@@ -1462,16 +1477,16 @@ l.1390 \end{document}
LaTeX Warning: There were undefined references.
Package rerunfilecheck Info: File `document.out' has not changed.
(rerunfilecheck) Checksum: 20DB7CB323EAFF43AD98146C3A150506;3274.
(rerunfilecheck) Checksum: AF3CC8DCAEA55305B734C2E6C108DD02;3532.
Package logreq Info: Writing requests to 'document.run.xml'.
\openout1 = `document.run.xml'.
)
Here is how much of TeX's memory you used:
28158 strings out of 481209
447576 string characters out of 5914747
1336920 words of memory out of 5000000
44416 multiletter control sequences out of 15000+600000
28262 strings out of 481209
449404 string characters out of 5914747
1340026 words of memory out of 5000000
44488 multiletter control sequences out of 15000+600000
459242 words of font info for 106 fonts, out of 8000000 for 9000
36 hyphenation exceptions out of 8191
88i,12n,90p,1029b,3681s stack positions out of 5000i,500n,10000p,200000b,80000s
@@ -1487,9 +1502,9 @@ e/texmf-dist/fonts/type1/urw/helvetic/uhvb8a.pfb></usr/share/texlive/texmf-dist
/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/u
tmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr
/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on document.pdf (60 pages, 784308 bytes).
Output written on document.pdf (62 pages, 802511 bytes).
PDF statistics:
1130 PDF objects out of 1200 (max. 8388607)
244 named destinations out of 1000 (max. 500000)
428 words of extra memory for PDF output out of 10000 (max. 10000000)
1208 PDF objects out of 1440 (max. 8388607)
276 named destinations out of 1000 (max. 500000)
452 words of extra memory for PDF output out of 10000 (max. 10000000)

15
docs/document.out
View File

@@ -37,9 +37,12 @@
\BOOKMARK [1][-]{section.3.2}{Abusing\040tracing\040programs}{chapter.3}% 37
\BOOKMARK [2][-]{subsection.3.2.1}{Access\040to\040function\040arguments}{section.3.2}% 38
\BOOKMARK [2][-]{subsection.3.2.2}{Reading\040memory\040out\040of\040bounds}{section.3.2}% 39
\BOOKMARK [1][-]{section.3.3}{Memory\040corruption}{chapter.3}% 40
\BOOKMARK [2][-]{subsection.3.3.1}{Accessing\040user\040memory}{section.3.3}% 41
\BOOKMARK [0][-]{chapter.4}{Methods??}{}% 42
\BOOKMARK [0][-]{chapter.5}{Results}{}% 43
\BOOKMARK [0][-]{chapter.6}{Conclusion\040and\040future\040work}{}% 44
\BOOKMARK [0][-]{chapter.6}{Bibliography}{}% 45
\BOOKMARK [2][-]{subsection.3.2.3}{Overriding\040function\040return\040values}{section.3.2}% 40
\BOOKMARK [2][-]{subsection.3.2.4}{Sending\040signals\040to\040user\040programs}{section.3.2}% 41
\BOOKMARK [2][-]{subsection.3.2.5}{Conclusion}{section.3.2}% 42
\BOOKMARK [1][-]{section.3.3}{Memory\040corruption}{chapter.3}% 43
\BOOKMARK [2][-]{subsection.3.3.1}{Accessing\040user\040memory}{section.3.3}% 44
\BOOKMARK [0][-]{chapter.4}{Methods??}{}% 45
\BOOKMARK [0][-]{chapter.5}{Results}{}% 46
\BOOKMARK [0][-]{chapter.6}{Conclusion\040and\040future\040work}{}% 47
\BOOKMARK [0][-]{chapter.6}{Bibliography}{}% 48

BIN
docs/document.pdf
View File

Binary file not shown.

BIN
docs/document.synctex.gz
View File

Binary file not shown.

69
docs/document.tex
View File

@@ -1181,11 +1181,13 @@ struct pt_regs {
};
\end{lstlisting}
By observing the value of the registers, we are able to extract the parameters of the original hooked function. This can be done by using the System V AMD64 ABI\cite{8664_params_abi}, the calling convention used in Linux. Depending on whether we are in the kernel or in user space, the registers used are different to store the values of the function arguments. Table \ref{table:systemv_abi} summarizes these two interfaces. Some other relevant registers are also displayed as a reference in table \ref{table:systemv_abi_other}.
By observing the value of the registers, we are able to extract the parameters of the original hooked function. This can be done by using the System V AMD64 ABI\cite{8664_params_abi}, the calling convention used in Linux. Depending on whether we are in the kernel or in user space, the registers used to store the values of the function arguments are different. Table \ref{table:systemv_abi} summarizes these two interfaces. Some other relevant registers are also displayed as a reference in table \ref{table:systemv_abi_other}.
\begin{table}[H]
\begin{tabular}{|>{\centering\arraybackslash}p{2cm}|>{\centering\arraybackslash}p{3cm}|}
\hline
\multicolumn{2}{|c|}{User interface}\\
\hline
Register & Purpose\\
\hline
\hline
@@ -1207,6 +1209,8 @@ rax & Return value\\
\quad
\begin{tabular}{|>{\centering\arraybackslash}p{2cm}|>{\centering\arraybackslash}p{3cm}|}
\hline
\multicolumn{2}{|c|}{Kernel interface}\\
\hline
Register & Purpose\\
\hline
\hline
@@ -1249,6 +1253,17 @@ rbp & Base/Frame Pointer - Memory address of the start of the stack frame\\
In the case of tracepoints, we can see in code snippet \ref{code:format_tracepoint} that it receives a \textit{struct sys\_read\_enter\_ctx*}. This struct must be manually defined, as explained in \ref{subsection:tracepoints}, by looking at the file \textit{/sys/kernel/debug/tracing/events/syscalls/sys\_enter\_read/format}. Code snippet \ref{code:sys_enter_read_tp} shows the format of the struct.
\begin{lstlisting}[language=C, caption={Format for parameters in sys\_enter\_read specified at the format file.}, label={code:sys_enter_read_tp_format}]
field:unsigned short common_type; offset:0; size:2; signed:0;
field:unsigned char common_flags; offset:2; size:1; signed:0;
field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
field:int common_pid; offset:4; size:4; signed:1;
field:int __syscall_nr; offset:8; size:4; signed:1;
field:unsigned int fd; offset:16; size:8; signed:0;
field:char * buf; offset:24; size:8; signed:0;
field:size_t count; offset:32; size:8; signed:0;
\end{lstlisting}
\begin{lstlisting}[language=C, caption={Format of custom struct sys\_read\_enter\_ctx.}, label={code:sys_enter_read_tp}]
struct sys_read_enter_ctx {
unsigned long long pt_regs;
@@ -1260,7 +1275,9 @@ struct sys_read_enter_ctx {
};
\end{lstlisting}
As we can observe, we are given a set of attributes which include the parameters with which the syscall was called, and a first attribute containing the address pointing to another \textit{struct pt\_regs} as in kprobes and uprobes, so that we will be able to extract the value of the rest of the registers too. It must be noted that, in syscalls, in addition to use the kernel parameter passing convention specified in table \ref{table:systemv_abi}, the number specifying the syscall must be passed in register rax too.
As we can observe, we are given a set of attributes which include the parameters with which the syscall was called. Moreover, we can still obtain an address pointing to another \textit{struct pt\_regs}, as in kprobes and uprobes, by combining the first four fields and considering it as a 32-bit long address. This means we will still be able to extract the value of the rest of the registers too.
It must be noted that, in syscalls, in addition to use the kernel parameter passing convention specified in table \ref{table:systemv_abi}, the number specifying the syscall must be passed in register rax too.
On a final note, as we mentioned in section \ref{section:ebpf_prog_types}, there exist differences in the parameters received in probe functions depending on the two variations of tracing programs. Therefore:
\begin{itemize}
@@ -1285,12 +1302,53 @@ These helpers, previously introduced in table \ref{table:ebpf_helpers}, enable t
\subsection{Reading memory out of bounds}
As we introduced in the previous subsection, the bpf\_probe\_read\_user() and bpf\_probe\_read\_kernel() helpers can be used to access memory of pointers received as parameters in the hooked functions.
In general, the eBPF verifier attempts to reject illegal memory accesses, however it does not prevent a malicious program from passing an arbitrary memory address (in kernel or user space) to the above helpers. This means that an eBPF program can read any address in user or kernel space. Furthermore, an attacker can locate specific data structures and memory sections by taking the function parameter as a reference point in memory.
However, although in general the eBPF verifier attempts to reject illegal memory accesses, it does not prevent a malicious program from passing an arbitrary memory address (in kernel or user space) to the above helpers. This means that an eBPF program can potentially read any address in user or kernel space, (as long as it is marked as readable in the corresponding memory pages). Furthermore, an attacker can locate specific data structures and memory sections by taking the function parameter as a reference point in memory.
A particularly relevant case (which we will later use for our rootkit) involves accessing user memory via the parameters of tracepoints attached at system calls. Provided the nature of syscalls, whose purpose is to communicate user and kernel space, all parameters received will belong to the user space, and therefore any pointer passed will be an address in user memory.
A particularly relevant case (which we will later use for our rootkit) involves accessing user memory via the parameters of tracepoints attached at system calls. Provided the nature of syscalls, whose purpose is to communicate user and kernel space, all parameters received will belong to the user space, and therefore any pointer passed will be an address in user memory. This enables an eBPF program to get a foothold into the virtual address space of the process calling the syscall, which it can proceed to scan looking for data or specific instructions. This technique will be further elaborated in section \ref{TODO}.
%TODO continue here, next is explaining stack scanning technique
\subsection{Overriding function return values}
A potentially dangerous functionality in eBPF tracing programs is the ability to modify the return value of kernel functions\cite{ebpf_friends_p15}\cite{ebpf_override_return}. This can be done via the eBPF helper bpf\_override\_return, and it works exclusively from kretprobes.
Apart from only working on kretprobes, additional restrictions are applied to this helper. It will only work if the kernel was compiled with the CONFIG\_BPF\_KPROBE\_OVERRIDE flag, and only if the kretprobe is attached to a function to which, during the kernel development, the macro ALLOW\_ERROR\_INJECTION() has been indicated. Currently, only a small selection of functions include this macro, but most system calls can be found to implement it. The following code snippets show how a system call like sys\_open is defined in kernel v5.11:
\begin{lstlisting}[language=C, caption={Definition of the syscall sys\_open in the kernel \cite{code_kernel_open}}, label={code:override_return_1}]
SYSCALL_DEFINE3(open, const char __user *, filename, int, flags, umode_t, mode)
{
if (force_o_largefile())
flags |= O_LARGEFILE;
return do_sys_open(AT_FDCWD, filename, flags, mode);
}
\end{lstlisting}
\begin{lstlisting}[language=C, caption={Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite{code_kernel_open}}, label={code:override_return_2}]
#define SYSCALL_DEFINE3(name, ...) SYSCALL_DEFINEx(3, _##name, __VA_ARGS__)
#ifndef __SYSCALL_DEFINEx
#define __SYSCALL_DEFINEx(x, name, ...)\
[...]
ALLOW_ERROR_INJECTION(sys##name, ERRNO);\
[...]
\end{lstlisting}
By looking at snippets \ref{code:override_return_1} and \ref{code:override_return_2}, we can observe that the system call sys\_open involves the inclusion of the ALLOW\_ERROR\_INJECTION macro. Therefore, any kretprobe attached to a system call function will be able to modify its return value.
In order to be able to modify the return value of functions, the aforementioned eBPF helper makes use of the fault injection framework of the Linux kernel\cite{fault_injection}, which was created before eBPF itself, and whose original purpose is to allow for generating errors in kernel programs for debugging purposes.
Taking the previous information into account, we can find that a malicious eBPF program, by tampering with the kernel-user space interface which are system calls, can mislead user programs, which trust the output of kernel code. This can lead to:
\begin{itemize}
\item A program believes a system call exited with an error, while in reality the kernel completed the operation with success, or viceversa. For instance, the result of a call to sys\_open can mislead a user program into thinking that a file does not exist.
\item A program receives incorrect data on purpose. For instance, a buffer may look empty or of a reduced size upon a sys\_read call, while in reality more data is available to be read.
\end{itemize}
\subsection{Sending signals to user programs}
Another eBPF helper that is subject to malicious purposes is bpf\_send\_signal. This helper enables to send an arbitrary signal to the thread of the process running a hooked function.
Therefore, this helper can be used to forcefully terminate running user processes, by sending the SIGKILL signal. In this way, combined with the observability into the parameters received at a call, a malicious eBPF can kill and deactivate processes to favour its malicious purposes.
\subsection{Conclusion}
As a summary, a malicious eBPF program loaded and attached as a tracing program undermines the existing trust between user programs and the kernel space.
Its ability to access sensitive data in function parameters and reading arbitrary memory can lead to gathering extensive information on the running processes of a system, whilst the malicious use of eBPF helpers means the modification of the data passed to the user space, and the control over which programs are allowed to be running on the system.
\section{Memory corruption} \label{section:mem_corruption}
Privileged malicious eBPF programs (or those with the CAP\_BPF + CAP\_PERFMON capabilities) have the potential to get:
@@ -1299,6 +1357,7 @@ Privileged malicious eBPF programs (or those with the CAP\_BPF + CAP\_PERFMON ca
\item Read-only access in kernel memory.
\end{itemize}
\subsection{Accessing user memory}

20
docs/document.toc
View File

@@ -77,17 +77,23 @@
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.2.1}Access to function arguments}{30}{subsection.3.2.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{33}{subsection.3.2.2}%
\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{34}{subsection.3.2.2}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {3.3}Memory corruption}{34}{section.3.3}%
\contentsline {subsection}{\numberline {3.2.3}Overriding function return values}{34}{subsection.3.2.3}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.3.1}Accessing user memory}{34}{subsection.3.3.1}%
\contentsline {subsection}{\numberline {3.2.4}Sending signals to user programs}{35}{subsection.3.2.4}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {4}Methods??}{35}{chapter.4}%
\contentsline {subsection}{\numberline {3.2.5}Conclusion}{36}{subsection.3.2.5}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Results}{36}{chapter.5}%
\contentsline {section}{\numberline {3.3}Memory corruption}{36}{section.3.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {6}Conclusion and future work}{37}{chapter.6}%
\contentsline {subsection}{\numberline {3.3.1}Accessing user memory}{36}{subsection.3.3.1}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{38}{chapter.6}%
\contentsline {chapter}{\numberline {4}Methods??}{37}{chapter.4}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Results}{38}{chapter.5}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {6}Conclusion and future work}{39}{chapter.6}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{40}{chapter.6}%
\contentsfinish

8
docs/pdfa.xmpi
View File

@@ -73,15 +73,15 @@
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/">
<xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool>
<xmp:ModifyDate>2022-06-02T21:07:01-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-06-02T21:07:01-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-06-02T21:07:01-04:00</xmp:MetadataDate>
<xmp:ModifyDate>2022-06-03T20:57:18-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-06-03T20:57:18-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-06-03T20:57:18-04:00</xmp:MetadataDate>
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/">
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/">
<xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID>
<xmpMM:InstanceID>uuid:6D3E5CED-EA6F-CB21-6268-B6ABB3457825</xmpMM:InstanceID>
<xmpMM:InstanceID>uuid:FB8776F5-6FD5-6DDD-3EB3-BAB953432AB7</xmpMM:InstanceID>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>