diff --git a/docs/bibliography/bibliography.bib b/docs/bibliography/bibliography.bib index 54fc93f..d3359d3 100644 --- a/docs/bibliography/bibliography.bib +++ b/docs/bibliography/bibliography.bib @@ -133,7 +133,7 @@ urldate={2022-05-22}, url={https://kernelnewbies.org/Linux_3.18} }, -@online{ebpf_android, +@misc{ebpf_android, title={eBPF for Windows}, urldate={2022-05-22}, url={https://source.android.com/devices/architecture/kernel/bpf} @@ -447,19 +447,19 @@ url={https://lwn.net/Articles/862021/} }, -@online{bcc_github, +@misc{bcc_github, title={BPF Compiler Collection (BCC)}, urldate={2022-06-01}, url={https://github.com/iovisor/bcc} }, -@online{libbpf_upstream, +@misc{libbpf_upstream, title={BPF next kernel tree}, urldate={2022-06-01}, url={https://kernel.googlesource.com/pub/scm/linux/kernel/git/bpf/bpf-next} }, -@online{libbpf_github, +@misc{libbpf_github, title={libbpf GitHub}, urldate={2022-06-01}, url={https://github.com/libbpf/libbpf} @@ -495,7 +495,7 @@ pages={9} }, -@online{ebpf_caps_intro, +@misc{ebpf_caps_intro, title={[PATCH v7 bpf-next 1/3] bpf, capability: Introduce CAP\_BPF}, urldate={2022-06-02}, url={https://lore.kernel.org/bpf/20200513230355.7858-2-alexei.starovoitov@gmail.com/} 
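Review bot: The `@online`→`@misc` retype in this hunk (and in every hunk below) is lossless under biblatex, but if the motive is to build with classic BibTeX it is not: `urldate` and `date` are biblatex-only fields that classic BibTeX ignores, so every entry that carries `date` without `year` (e.g. `hive_implant`, `tcp_syn_payload`, `cron` further down) would print with no year at all. The commit message should state which backend is targeted; if it is classic BibTeX, each `date={YYYY-MM-DD}` needs a companion `year={YYYY}`. Separately, the retyped `ebpf_android` entry still has `title={eBPF for Windows}` while its URL is the Android kernel BPF page; the title looks pasted from a different entry and should be taken from the cited page.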
@@ -507,25 +507,25 @@ url={https://lwn.net/Articles/797807/} }, -@online{unprivileged_ebpf, +@misc{unprivileged_ebpf, title={Reconsidering unprivileged BPF}, urldate={2022-06-03}, url={https://lwn.net/Articles/796328/} }, -@online{cve_unpriv_ebpf, +@misc{cve_unpriv_ebpf, title={CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability}, urldate={2022-06-03}, url={https://www.openwall.com/lists/oss-security/2022/01/11/4} }, -@online{unpriv_ebpf_ubuntu, +@misc{unpriv_ebpf_ubuntu, title={Unprivileged eBPF disabled by default for Ubuntu 20.04 LTS, 18.04 LTS, 16.04 ESM}, urldate={2022-06-03}, url={https://discourse.ubuntu.com/t/unprivileged-ebpf-disabled-by-default-for-ubuntu-20-04-lts-18-04-lts-16-04-esm/27047} }, -@online{unpriv_ebpf_redhat, +@misc{unpriv_ebpf_redhat, title={CVE-2022-0002}, urldate={2022-06-03}, url={https://access.redhat.com/security/cve/cve-2021-4001} @@ -557,19 +557,19 @@ AMD64 Architecture Processor Supplement}, pages={15} }, -@online{ebpf_override_return, +@misc{ebpf_override_return, title={BPF-based error injection for the kernel}, urldate={2022-06-06}, url={https://lwn.net/Articles/740146/} }, -@online{code_kernel_open, +@misc{code_kernel_open, title={Linux kernel source code}, urldate={2022-06-06}, url={https://elixir.bootlin.com/linux/v5.11/source/fs/open.c#L1192} }, -@online{code_kernel_syscall, +@misc{code_kernel_syscall, title={Linux kernel source code}, urldate={2022-06-06}, url={https://elixir.bootlin.com/linux/v5.11/source/include/linux/syscalls.h#L233} 
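Review bot: In the retyped `unpriv_ebpf_redhat` entry the title and the URL name two different CVEs, `title={CVE-2022-0002}` versus `url={https://access.redhat.com/security/cve/cve-2021-4001}`, so a reader following the citation lands on a different advisory than the one the text names; one of the two must be corrected to the advisory actually cited. A bare CVE number is also a weak title: the advisory's own headline, as `cve_unpriv_ebpf` just above does, makes the bibliography self-explanatory. None of the four entries in this hunk identifies a publisher; `organization={Red Hat}` on the Red Hat advisory and the equivalent on the Ubuntu and LWN entries would help.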
@@ -619,13 +619,13 @@ AMD64 Architecture Processor Supplement}, url={https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf} }, -@online{write_helper_non_fault, +@misc{write_helper_non_fault, title={probe\_write\_common\_error}, urldate={2022-06-06}, url={https://www.spinics.net/lists/bpf/msg16795.html} }, -@online{code_vfs_read, +@misc{code_vfs_read, title={Linux kernel source code}, urldate={2022-06-07}, url={https://elixir.bootlin.com/linux/v5.11/source/fs/read_write.c#L476} @@ -657,7 +657,7 @@ AMD64 Architecture Processor Supplement}, url={https://www.ibm.com/docs/en/aix/7.2?topic=protocols-transmission-control-protocol} }, -@online{tcp_handshake, +@misc{tcp_handshake, title={Three-Way Handshake}, urldate={2022-06-08}, url={https://www.sciencedirect.com/topics/computer-science/three-way-handshake} @@ -683,13 +683,13 @@ AMD64 Architecture Processor Supplement}, pages={37} }, -@online{rop_prog_finder, +@misc{rop_prog_finder, title={ROPgadget Tool}, urldate={2022-06-08}, url={https://github.com/JonathanSalwan/ROPgadget} }, -@online{glibc, +@misc{glibc, title={The GNU C library}, urldate={2022-06-08}, url={https://www.gnu.org/software/libc/} @@ -717,13 +717,13 @@ AMD64 Architecture Processor Supplement}, url={https://wiki.osdev.org/ELF} }, -@online{pie_exploit, +@misc{pie_exploit, title={Position Independent Code}, urldate={2022-06-08}, url={https://ir0nstone.gitbook.io/notes/types/stack/pie} }, -@online{aslr_pie_intro, +@misc{aslr_pie_intro, title={aslr/pie intro}, urldate={2022-06-08}, url={https://guyinatuxedo.github.io/5.1-mitigation_aslr_pie/index.html#aslrpie-intro} 
@@ -753,13 +753,13 @@ AMD64 Architecture Processor Supplement}, url={https://www.phoronix.com/scan.php?page=news_item&px=Intel-CET-v29} }, -@online{canary_exploit, +@misc{canary_exploit, title={Stack Canaries}, urldate={2022-06-08}, url={https://ir0nstone.gitbook.io/notes/types/stack/canaries} }, -@online{rawtcp_lib, +@misc{rawtcp_lib, title={RawTCP\_Lib}, author={Marcos Sánchez Bajo}, urldate={2022-06-10}, @@ -772,7 +772,7 @@ AMD64 Architecture Processor Supplement}, url={https://man7.org/linux/man-pages/man5/proc.5.html} }, -@online{proc_mem_write, +@misc{proc_mem_write, title={enable writing to /proc/pid/mem}, urldate={2022-06-12}, url={https://lwn.net/Articles/433326/} @@ -784,13 +784,13 @@ AMD64 Architecture Processor Supplement}, url={https://www.imperva.com/learn/application-security/reverse-shell/} }, -@online{sudoers_man, +@misc{sudoers_man, title={die.net sudoers(5) - Linux man page}, urldate={2022-06-13}, url={https://linux.die.net/man/5/sudoers} }, -@online{syscall_reference, +@misc{syscall_reference, title={Linux Syscall Reference (64bit)}, urldate={2022-06-13}, url={https://syscalls64.paolostivanin.com/} @@ -808,7 +808,7 @@ AMD64 Architecture Processor Supplement}, url={https://linuxize.com/post/how-to-set-and-list-environment-variables-in-linux/} }, -@online{execve_man, +@misc{execve_man, title={execve(2) — Linux manual page}, urldate={2022-06-13}, url={https://man7.org/linux/man-pages/man2/execve.2.html} 
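Review bot: In the retyped `rawtcp_lib` entry `author={Marcos Sánchez Bajo}` is in `First Last` form, so BibTeX/Biber parses the surname as `Bajo` and the given names as `Marcos Sánchez`, mis-sorting and mis-labelling the entry; write it as `author={Sánchez Bajo, Marcos}` (the same fix applies to `triplecross_github` later in the file). If the `@misc` retype is meant to allow classic BibTeX rather than Biber, the non-ASCII `á` would additionally need the `{\'a}` escape to sort correctly.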
@@ -821,26 +821,26 @@ AMD64 Architecture Processor Supplement}, url={https://lists.linuxfoundation.org/pipermail/iovisor-dev/2017-September/001035.html} }, -@online{c_standard_main, +@misc{c_standard_main, title={Main function}, urldate={2022-06-15}, url={https://en.cppreference.com/w/c/language/main_function} }, -@online{busybox_argv, +@misc{busybox_argv, title={BusyBox Examples}, urldate={2022-06-15}, url={https://en.wikipedia.org/wiki/BusyBox#Examples} }, -@online{ips, +@misc{ips, title={What is an intrusion prevention system?}, organization={VMware}, urldate={2022-06-16}, url={https://www.vmware.com/topics/glossary/content/intrusion-prevention-system.html} }, -@online{port_knocking, +@misc{port_knocking, title={Port Knocking -- Network Authentication Across Closed Ports}, author={Martin Krzywinski}, urldate={2022-06-16}, @@ -856,13 +856,13 @@ AMD64 Architecture Processor Supplement}, url = {https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf} }, -@online{pangu_lab, +@misc{pangu_lab, title={Welcome to Pangu Research Lab}, urldate={2022-06-16}, url={https://pangukaitian.github.io/pangu/?lg=en} }, -@online{rfc_tcp4, +@misc{rfc_tcp4, title={TFC 793}, institution={Information Sciences Institute, University of Southern California}, date={1981-09-01}, @@ -870,7 +870,7 @@ AMD64 Architecture Processor Supplement}, url={https://datatracker.ietf.org/doc/html/rfc793} }, -@online{tcp_syn_payload, +@misc{tcp_syn_payload, title={TCP Fast Open: expediting web services}, date={2012-08-01}, urldate={2022-06-16}, 
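Review bot: The retyped `rfc_tcp4` entry has a typo in its title, `title={TFC 793}` should be `title={RFC 793}`, and uses `institution=...`, which is not a field of `@misc` in either BibTeX or biblatex and will simply be dropped from the output. Either change the field to `organization={Information Sciences Institute, University of Southern California}` (as the `ips` entry earlier in this hunk does) or, since an RFC is a numbered technical report, make the entry `@techreport`/`@report` with `number={793}`, where `institution` is valid.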
@@ -887,33 +887,33 @@ AMD64 Architecture Processor Supplement}, url={https://books.google.es/books?id=-lvwaqFbIS8C&dq=syn+packet+firewall+ignore+payload} }, -@online{hive_implant, +@misc{hive_implant, title={(U) Hive Engineering Development Guide}, date = {2014-10-15}, urldate={2022-06-17}, url={https://wikileaks.org/vault7/document/hive-DevelopersGuide/hive-DevelopersGuide.pdf} }, -@online{crc, +@misc{crc, title={Cyclic redundancy check}, organization={Wikipedia}, urldate={2022-06-17}, url={https://en.wikipedia.org/wiki/Cyclic_redundancy_check} }, -@online{file_descriptors, +@misc{file_descriptors, title={File Descriptor}, urldate={2022-06-17}, url={http://www.cse.cuhk.edu.hk/~ericlo/teaching/os/lab/11-FS/fd.html} }, -@online{raw_sockets, +@misc{raw_sockets, title={raw(7) — Linux manual page}, urldate={2022-06-18}, urlhttps://man7.org/linux/man-pages/man7/raw.7.html={} }, -@online{cron, +@misc{cron, title={How To Add Jobs To cron Under Linux or UNIX}, date={2022-06-02}, author={Vivek Gite}, @@ -921,7 +921,7 @@ AMD64 Architecture Processor Supplement}, url={https://www.cyberciti.biz/faq/how-do-i-add-jobs-to-cron-under-linux-or-unix-oses/} }, -@online{linux_daemons, +@misc{linux_daemons, title={Linux Jargon Buster: What are Daemons in Linux?}, date={2021-06-05}, author={Bill Dyer}, 
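Review bot: The retyped `raw_sockets` entry is broken: its last field reads `urlhttps://man7.org/linux/man-pages/man7/raw.7.html={}`, i.e. the `=` was typed after the URL instead of after `url`, so the URL became part of a field name and the value is empty, which Biber will reject or silently drop, leaving the citation with no link. It should be `url={https://man7.org/linux/man-pages/man7/raw.7.html},`. This is a context line the commit did not touch, but since the entry is being edited anyway it is the place to fix it.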
@@ -929,31 +929,31 @@ AMD64 Architecture Processor Supplement}, url={https://itsfoss.com/linux-daemons/} }, -@online{code_kernel_getdents64, +@misc{code_kernel_getdents64, title={Linux kernel source code}, urldate={2022-06-19}, url={https://elixir.bootlin.com/linux/v5.11/source/fs/readdir.c#L351} }, -@online{getdents_man, +@misc{getdents_man, title={getdents(2) — Linux manual page}, urldate={2022-06-19}, url={https://man7.org/linux/man-pages/man2/getdents.2.html} }, -@online{code_kernel_linux_dirent64, +@misc{code_kernel_linux_dirent64, title={Linux kernel source code}, urldate={2022-06-19}, url={https://elixir.bootlin.com/linux/v5.11/source/include/linux/dirent.h#L5} }, -@online{code_kerel_getdents_buffer_alignation, +@misc{code_kerel_getdents_buffer_alignation, title={Linux kernel source code}, urldate={2022-06-19}, url={https://elixir.bootlin.com/linux/v5.11/source/fs/readdir.c#L313} }, -@online{xcellerator_getdents, +@misc{xcellerator_getdents, title={Linux Rootkits Part 6: Hiding Directories}, date={2020-09-19}, urldate={2022-06-19}, @@ -961,7 +961,7 @@ AMD64 Architecture Processor Supplement}, url={https://xcellerator.github.io/posts/linux_rootkits_06/} }, -@online{embracethered_getdents, +@misc{embracethered_getdents, title={Offensive BPF: Understanding and using bpf\_probe\_write\_user}, date={2021-10-20}, urldate={2022-06-19}, 
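Review bot: Three entries in this hunk (`code_kernel_getdents64`, `code_kernel_linux_dirent64`, `code_kerel_getdents_buffer_alignation`) all carry `title={Linux kernel source code}` and differ only in URL, so they are indistinguishable in the rendered bibliography. Naming the cited path in each title, e.g. `title={Linux kernel source code: fs/readdir.c (v5.11)}` and `title={Linux kernel source code: include/linux/dirent.h (v5.11)}`, keeps them apart, and the `v5.11` pin in the URLs is good and should stay. The key `code_kerel_getdents_buffer_alignation` is misspelled (`kerel`, `alignation`); renaming it is cosmetic and requires updating its `\cite`, so only do it if that is easy to find.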
@@ -969,32 +969,32 @@ AMD64 Architecture Processor Supplement}, url={https://embracethered.com/blog/posts/2021/offensive-bpf-libbpf-bpf_probe_write_user/} }, -@online{dtype_dirent, +@misc{dtype_dirent, title={Format of a Directory Entry}, urldate={2022-06-19}, url={https://www.gnu.org/software/libc/manual/html_node/Directory-Entries.html} }, -@online{virtualbox_page, +@misc{virtualbox_page, title={VirtualBox}, urldate={2022-06-21}, url={https://www.virtualbox.org/} }, -@online{bridged_networking, +@misc{bridged_networking, title={Bridgeg Networking}, urldate={2022-06-21}, url={https://docs.oracle.com/en/virtualization/virtualbox/6.0/user/network_bridged.html} }, -@online{nat_comptia, +@misc{nat_comptia, title={What Is NAT?}, institution={CompTIA}, urldate={2022-06-21}, url={https://www.comptia.org/content/guides/what-is-network-address-translation} }, -@online{kernel_modules_restrict, +@misc{kernel_modules_restrict, title={Increasing Linux kernel integrity}, author={Michael Boelen}, date={2015-05-12}, @@ -1002,7 +1002,7 @@ AMD64 Architecture Processor Supplement}, url={https://linux-audit.com/increase-kernel-integrity-with-disabled-linux-kernel-modules-loading/} }, -@online{jynx2_infosecinstitute, +@misc{jynx2_infosecinstitute, title={Blackhat Academy}, author={Blackhat Academy}, date={2012-03-15}, 
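Review bot: The retyped `bridged_networking` entry has a typo in its title, `title={Bridgeg Networking}` should be `title={Bridged Networking}`, and `nat_comptia` uses `institution={CompTIA}`, which is not a `@misc` field and will be dropped; `organization={CompTIA}` keeps it. `virtualbox_page` and `bridged_networking` identify no publisher at all; `organization={Oracle}` (the docs.oracle.com host) would.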
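Review bot: In the retyped `jynx2_infosecinstitute` entry the title duplicates the author, `title={Blackhat Academy}` beside `author={Blackhat Academy}`, which reads like a placeholder; the key suggests an InfoSec Institute article, so the title should be that article's headline. The entry's `url` lies outside this hunk, so I cannot check the target here.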
@@ -1037,75 +1037,75 @@ Userland Linux Rootkits}, url={https://www.bsidesdub.ie/past/media/2022/darren_martyn_userland_linux_rootkits.pdf} }, -@online{jynx_github, +@misc{jynx_github, title={Jynx-kit}, author={BlackHatAcademy.org}, urldate={2022-06-22}, url={https://github.com/chokepoint/jynxkit} }, -@online{jynx2_github, +@misc{jynx2_github, title={Jynx-kit (2)}, author={BlackHatAcademy.org}, urldate={2022-06-22}, url={https://github.com/chokepoint/Jynx2} }, -@online{azazel_github, +@misc{azazel_github, title={Azazel}, urldate={2022-06-22}, url={https://github.com/chokepoint/azazel} }, -@online{azazel_wiki, +@misc{azazel_wiki, title={Azazel}, urldate={2022-06-22}, url={https://web.archive.org/web/20141102234744/http://blackhatlibrary.net/Azazel#Hooking_Methods} }, -@online{ld_preload_detect, +@misc{ld_preload_detect, title={Linux Attack Techniques: Dynamic Linker Hijacking with LD Preload}, date={2022-05-18}, urldate={2022-06-22}, url={https://www.cadosecurity.com/linux-attack-techniques-dynamic-linker-hijacking-with-ld-preload/} }, -@online{suckit_rootkit, +@misc{suckit_rootkit, title={SucKIT rootkit}, urldate={2022-06-22}, url={https://github.com/CSLDepend/exploits/blob/master/Rootkit_tools/suckit2priv.tar.gz} }, -@online{suckit_lasamhna, +@misc{suckit_lasamhna, title={Linux Kernel Rootkits}, urldate={2022-06-22}, url={https://www.la-samhna.de/library/rootkits/basics.html#FLOW} }, -@online{dev_kmem, +@misc{dev_kmem, title={kmem(4) - Linux man page}, urldate={2022-06-22}, url={https://linux.die.net/man/4/kmem} }, -@online{dev_kmem_debian, +@misc{dev_kmem_debian, title={mem(4)}, urldate={2022-06-22}, url={https://manpages.debian.org/buster-backports/manpages/port.4.en.html} }, -@online{dev_kmem_off_default, +@misc{dev_kmem_off_default, title={Change CONFIG\_DEVKMEM default value to n}, urldate={2022-06-22}, url={https://lore.kernel.org/all/20161007035719.GB17183@kroah.com/T/} }, -@online{diamorphine_github, +@misc{diamorphine_github, title={Diamorphine}, 
url={https://github.com/m0nad/Diamorphine} }, -@online{incibe_rootkit_lkm, +@misc{incibe_rootkit_lkm, title={Malware in Linux: Kernel-mode-rootkits}, author={Antonio López}, urldate={2022-06-22}, @@ -1113,19 +1113,19 @@ Userland Linux Rootkits}, url={https://www.incibe-cert.es/en/blog/kernel-rootkits-en} }, -@online{reptile_github, +@misc{reptile_github, title={Reptile}, urldate={2022-06-22}, url={https://github.com/f0rb1dd3n/Reptile} }, -@online{usermode_helper_lkm, +@misc{usermode_helper_lkm, title={call\_usermodehelper, Module Loading}, urldate={2022-06-22}, url={https://www.kernel.org/doc/htmldocs/kernel-api/API-call-usermodehelper.html} }, -@online{rasps, +@misc{rasps, title={RASP rings in a new Java application security paradigm}, author={Hussein Badakhchani}, date={2016-10-20}, @@ -1133,20 +1133,20 @@ Userland Linux Rootkits}, url={https://www.infoworld.com/article/3125515/rasp-rings-in-a-new-java-application-security-paradigm.html} }, -@online{sql_injection, +@misc{sql_injection, title={SQL Injection}, urldate={2022-06-22}, url={https://www.w3schools.com/sql/sql_injection.asp} }, -@online{boopkit, +@misc{boopkit, title={Boopkit}, author={Kris Nóva}, urldate={2022-06-22}, url={https://github.com/kris-nova/boopkit} }, -@online{symbiote, +@misc{symbiote, title={Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat}, institution={The BlackBerry Research & Intelligence Team}, date={2022-06-09}, @@ -1154,7 +1154,7 @@ Userland Linux Rootkits}, url={https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat} }, -@online{pentest_redteam, +@misc{pentest_redteam, title={Penetration Test vs. Red Team Assessment: The Age Old Debate of Pirates vs. Ninjas Continues}, date={2016-06-23}, urldate={2022-06-22}, 
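Review bot: The retyped `suckit_rootkit` entry cites a binary tarball through a mutable branch, `url={https://github.com/CSLDepend/exploits/blob/master/Rootkit_tools/suckit2priv.tar.gz}`; anything under `blob/master` can be rewritten or removed, so the artifact a reader downloads may not be the one analysed. Pin it to a commit (`/blob/<sha>/...`) or cite an archived copy, as `azazel_wiki` in this hunk already does via web.archive.org. Also, `dev_kmem_debian` is titled `mem(4)` but links to `.../port.4.en.html`; presumably the same manual page under an alias name, but worth confirming the two agree.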
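Review bot: The retyped `symbiote` entry has `institution={The BlackBerry Research & Intelligence Team}`: `institution` is not a `@misc` field so it is dropped, and the bare `&` would raise a LaTeX "Misplaced alignment tab" error the moment the field does get printed. Use `organization={The BlackBerry Research \& Intelligence Team}`, or `author={{The BlackBerry Research \& Intelligence Team}}` with double braces so the team is treated as one corporate name.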
@@ -1162,7 +1162,7 @@ Userland Linux Rootkits}, url={https://www.rapid7.com/blog/post/2016/06/23/penetration-testing-vs-red-teaming-the-age-old-debate-of-pirates-vs-ninja-continues/} }, -@online{nist_cyber, +@misc{nist_cyber, title={Framework for Improving Critical Infrastructure Cybersecurity}, date={2018-04-16}, urldate={2022-06-22}, @@ -1170,7 +1170,7 @@ Userland Linux Rootkits}, url={https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf} }, -@online{mitre_blog, +@misc{mitre_blog, title={ATT\&CK 101}, author={Blake Strom}, urldate={2022-06-22}, 
@@ -1178,50 +1178,50 @@ Userland Linux Rootkits}, url={https://medium.com/mitre-attack/att-ck-101-17074d3bc62} }, -@online{mitre_blog_2, +@misc{mitre_blog_2, title={What Is the MITRE ATT\&CK Framework?}, urldate={2022-06-22}, url={https://www.trellix.com/en-us/security-awareness/cybersecurity/what-is-mitre-attack-framework.html} }, -@online{mitre_matrix_linux, +@misc{mitre_matrix_linux, title={ATT\&CK Matrix for Enterprise}, urldate={2022-06-22}, url={https://attack.mitre.org/matrices/enterprise/linux/} }, -@online{glass_analyst, +@misc{glass_analyst, title={Cyber Security Analist salary in Madrid}, urldate={2022-06-22}, url={https://www.glassdoor.es/Sueldos/madrid-cyber-security-analyst-sueldo-SRCH_IL.0,6_IM1030_KO7,29.htm} }, -@online{glass_manager, +@misc{glass_manager, title={Project Manager salary in Madrid}, urldate={2022-06-22}, url={https://www.glassdoor.es/Sueldos/madrid-project-manager-sueldo-SRCH_IL.0,6_IM1030_KO7,22.htm?clickSource=searchBtn} }, -@online{glass_programmer, +@misc{glass_programmer, title={Programmer salary in Madrid}, urldate={2022-06-22}, url={https://www.glassdoor.es/Sueldos/madrid-programmer-sueldo-SRCH_IL.0,6_IM1030_KO7,17.htm?clickSource=searchBtn} }, -@online{ebpfkit_monitor_github, +@misc{ebpfkit_monitor_github, title={ebpfkit-monitor}, author = {Guillaume Fournier, Sylvain Afchain}, urldate={2022-06-22}, url={https://github.com/Gui774ume/ebpfkit-monitor} }, -@online{lkm_signing, +@misc{lkm_signing, title={Kernel module signing facility}, urldate={2022-06-22}, url={https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html} }, -@online{bpf_signing, +@misc{bpf_signing, title={Toward signed BPF programs}, author={Jonathan Corbet}, urldate={2022-06-22}, 
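Review bot: In the retyped `ebpfkit_monitor_github` entry `author = {Guillaume Fournier, Sylvain Afchain}` is parsed as a single person (surname `Guillaume Fournier`, given names `Sylvain Afchain`), because BibTeX separates authors with ` and `, never with commas; write `author={Fournier, Guillaume and Afchain, Sylvain}`. Less important: `lkm_signing` pins the v4.15 admin guide while the kernel-source citations elsewhere in the file pin v5.11, so the v5.11 page would be the consistent choice if its content is equivalent.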
@@ -1229,32 +1229,32 @@ Userland Linux Rootkits}, url={https://lwn.net/Articles/853489/} }, -@online{arch_linux_sign, +@misc{arch_linux_sign, title={Signed kernel modules}, urldate={2022-06-22}, url={https://wiki.archlinux.org/title/Signed_kernel_modules} }, -@online{triplecross_github, +@misc{triplecross_github, title={TripleCross}, urldate={2022-06-23}, author={Marcos Sánchez Bajo}, url={https://github.com/h3xduck/TripleCross} }, -@online{repo_simple_timer, +@misc{repo_simple_timer, title={simple\_timer.c}, urldate={2022-06-23}, url={https://github.com/h3xduck/TripleCross/blob/master/src/helpers/simple_timer.c} }, -@online{repo_execve_hijack, +@misc{repo_execve_hijack, title={simple\_timer.c}, urldate={2022-06-23}, url={https://github.com/h3xduck/TripleCross/blob/master/src/helpers/execve_hijack.c} }, -@online{downgrade_attack, +@misc{downgrade_attack, title={What is a downgrade attack and how to prevent it}, author={Borislav Kiprin}, date={2022-04-18}, diff --git a/docs/ebpf_offensive_rootkit_tfg.pdf b/docs/ebpf_offensive_rootkit_tfg.pdf index dbff08d..a447834 100644 Binary files a/docs/ebpf_offensive_rootkit_tfg.pdf and b/docs/ebpf_offensive_rootkit_tfg.pdf differ
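Review bot: In the retyped `repo_execve_hijack` entry the title is copy-pasted from the previous entry, `title={simple\_timer.c}` while the URL ends in `execve_hijack.c`, so it should read `title={execve\_hijack.c}`. Both `repo_*` entries point at `blob/master`, a moving target: the cited source can change after the thesis is submitted, so pin them to a commit SHA or tag (`.../blob/<sha>/src/helpers/execve_hijack.c`) to keep the reference reproducible. `triplecross_github`'s `author={Marcos Sánchez Bajo}` should also be `author={Sánchez Bajo, Marcos}` so the compound surname is not split by the name parser.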