mirror of
https://github.com/h3xduck/TripleCross.git
synced 2025-12-23 09:53:08 +08:00
Updated document structure, reformatted multiple chapters, updated chapter and section intros. Separated hardening features into two. Other changes suggested at the meeting,
This commit is contained in:
h3xduck
@@ -54,16 +54,17 @@
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {1.3.1}Social and economic environment}{4}{subsection.1.3.1}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {1.3.2}Budget}{4}{subsection.1.3.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.4}Structure of the document}{4}{section.1.4}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.5}Code availability}{4}{section.1.5}\protected@file@percent }
|
||||
\abx@aux@cite{ebpf_io}
|
||||
\abx@aux@segm{0}{0}{ebpf_io}
|
||||
\abx@aux@cite{bpf_bsd_origin}
|
||||
\abx@aux@segm{0}{0}{bpf_bsd_origin}
|
||||
\abx@aux@cite{ebpf_history_opensource}
|
||||
\abx@aux@segm{0}{0}{ebpf_history_opensource}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {2}State of the art}{5}{chapter.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {2}Background}{5}{chapter.2}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.1}eBPF history - Classic BPF}{5}{section.2.1}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.1}BPF}{5}{section.2.1}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.1}Introduction to the BPF system}{5}{subsection.2.1.1}\protected@file@percent }
|
||||
\abx@aux@cite{bpf_bsd_origin_bpf_page1}
|
||||
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page1}
|
||||
@@ -108,8 +109,8 @@
|
||||
\abx@aux@segm{0}{0}{ebpf_funcs_by_ver}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.6}{\ignorespaces Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }}{11}{figure.caption.13}\protected@file@percent }
|
||||
\newlabel{fig:tcpdump_ex_sol}{{2.6}{11}{Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }{figure.caption.13}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.2}Analysis of modern eBPF}{11}{section.2.2}\protected@file@percent }
|
||||
\newlabel{section:modern_ebpf}{{2.2}{11}{Analysis of modern eBPF}{section.2.2}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.2}Modern eBPF}{11}{section.2.2}\protected@file@percent }
|
||||
\newlabel{section:modern_ebpf}{{2.2}{11}{Modern eBPF}{section.2.2}{}}
|
||||
\abx@aux@cite{brendan_gregg_bpf_book}
|
||||
\abx@aux@segm{0}{0}{brendan_gregg_bpf_book}
|
||||
\abx@aux@cite{brendan_gregg_bpf_book}
|
||||
@@ -257,11 +258,6 @@
|
||||
\newlabel{fig:libbpf}{{2.9}{25}{Sketch of the compilation and loading process of a program developed with libbpf.\relax }{figure.caption.28}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.14}{\ignorespaces Table showing BPF skeleton functions.\relax }}{25}{table.caption.29}\protected@file@percent }
|
||||
\newlabel{table:libbpf_skel}{{2.14}{25}{Table showing BPF skeleton functions.\relax }{table.caption.29}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Analysis of offensive capabilities}{27}{chapter.3}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
||||
\newlabel{chapter:analysis_offensive_capabilities}{{3}{27}{Analysis of offensive capabilities}{chapter.3}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.1}Security features in eBPF}{27}{section.3.1}\protected@file@percent }
|
||||
\abx@aux@cite{ubuntu_caps}
|
||||
\abx@aux@segm{0}{0}{ubuntu_caps}
|
||||
\abx@aux@cite{evil_ebpf_p9}
|
||||
@@ -270,9 +266,10 @@
|
||||
\abx@aux@segm{0}{0}{ebpf_caps_intro}
|
||||
\abx@aux@cite{ebpf_caps_lwn}
|
||||
\abx@aux@segm{0}{0}{ebpf_caps_lwn}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.1}{\ignorespaces Kernel compilation flags for eBPF.\relax }}{28}{table.caption.30}\protected@file@percent }
|
||||
\newlabel{table:ebpf_kernel_flags}{{3.1}{28}{Kernel compilation flags for eBPF.\relax }{table.caption.30}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.1.1}Access control}{28}{subsection.3.1.1}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.5}Security features in eBPF}{26}{section.2.5}\protected@file@percent }
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.15}{\ignorespaces Kernel compilation flags for eBPF.\relax }}{26}{table.caption.30}\protected@file@percent }
|
||||
\newlabel{table:ebpf_kernel_flags}{{2.15}{26}{Kernel compilation flags for eBPF.\relax }{table.caption.30}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.5.1}Access control}{26}{subsection.2.5.1}\protected@file@percent }
|
||||
\abx@aux@cite{unprivileged_ebpf}
|
||||
\abx@aux@segm{0}{0}{unprivileged_ebpf}
|
||||
\abx@aux@cite{cve_unpriv_ebpf}
|
||||
@@ -283,221 +280,235 @@
|
||||
\abx@aux@segm{0}{0}{unpriv_ebpf_suse}
|
||||
\abx@aux@cite{unpriv_ebpf_redhat}
|
||||
\abx@aux@segm{0}{0}{unpriv_ebpf_redhat}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.2}{\ignorespaces Capabilities needed for eBPF.\relax }}{29}{table.caption.31}\protected@file@percent }
|
||||
\newlabel{table:ebpf_caps_current}{{3.2}{29}{Capabilities needed for eBPF.\relax }{table.caption.31}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.3}{\ignorespaces Values for unprivileged eBPF kernel parameter.\relax }}{29}{table.caption.32}\protected@file@percent }
|
||||
\newlabel{table:unpriv_ebpf_values}{{3.3}{29}{Values for unprivileged eBPF kernel parameter.\relax }{table.caption.32}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.1.2}eBPF maps security}{30}{subsection.3.1.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.2}Abusing tracing programs}{30}{section.3.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.1}Access to function arguments}{30}{subsection.3.2.1}\protected@file@percent }
|
||||
\abx@aux@cite{8664_params_abi}
|
||||
\abx@aux@segm{0}{0}{8664_params_abi}
|
||||
\newlabel{code:format_kprobe}{{3.1}{31}{Probe function for a kprobe on the kernel function vfs\_write}{lstlisting.3.1}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.1}Probe function for a kprobe on the kernel function vfs\_write.}{31}{lstlisting.3.1}\protected@file@percent }
|
||||
\newlabel{code:format_uprobe}{{3.2}{31}{Probe function for an uprobe, execute\_command is defined from user space}{lstlisting.3.2}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.2}Probe function for an uprobe, execute\_command is defined from user space.}{31}{lstlisting.3.2}\protected@file@percent }
|
||||
\newlabel{code:format_tracepoint}{{3.3}{31}{Probe function for a tracepoint on the start of the syscall sys\_read}{lstlisting.3.3}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.3}Probe function for a tracepoint on the start of the syscall sys\_read.}{31}{lstlisting.3.3}\protected@file@percent }
|
||||
\newlabel{code:format_ptregs}{{3.4}{31}{Format of struct pt\_regs}{lstlisting.3.4}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.4}Format of struct pt\_regs.}{31}{lstlisting.3.4}\protected@file@percent }
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.4}{\ignorespaces Argument passing convention of registers for function calls in user and kernel space respectively.\relax }}{32}{table.caption.33}\protected@file@percent }
|
||||
\newlabel{table:systemv_abi}{{3.4}{32}{Argument passing convention of registers for function calls in user and kernel space respectively.\relax }{table.caption.33}{}}
|
||||
\newlabel{code:sys_enter_read_tp_format}{{3.5}{32}{Format for parameters in sys\_enter\_read specified at the format file}{lstlisting.3.5}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.5}Format for parameters in sys\_enter\_read specified at the format file.}{32}{lstlisting.3.5}\protected@file@percent }
|
||||
\newlabel{code:sys_enter_read_tp}{{3.6}{32}{Format of custom struct sys\_read\_enter\_ctx}{lstlisting.3.6}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.6}Format of custom struct sys\_read\_enter\_ctx.}{32}{lstlisting.3.6}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{33}{subsection.3.2.2}\protected@file@percent }
|
||||
\newlabel{subsection:out_read_bounds}{{3.2.2}{33}{Reading memory out of bounds}{subsection.3.2.2}{}}
|
||||
\abx@aux@cite{ebpf_friends_p15}
|
||||
\abx@aux@segm{0}{0}{ebpf_friends_p15}
|
||||
\abx@aux@cite{ebpf_override_return}
|
||||
\abx@aux@segm{0}{0}{ebpf_override_return}
|
||||
\abx@aux@cite{code_kernel_open}
|
||||
\abx@aux@segm{0}{0}{code_kernel_open}
|
||||
\abx@aux@cite{code_kernel_open}
|
||||
\abx@aux@segm{0}{0}{code_kernel_open}
|
||||
\abx@aux@cite{code_kernel_syscall}
|
||||
\abx@aux@segm{0}{0}{code_kernel_syscall}
|
||||
\abx@aux@cite{code_kernel_syscall}
|
||||
\abx@aux@segm{0}{0}{code_kernel_syscall}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.3}Overriding function return values}{34}{subsection.3.2.3}\protected@file@percent }
|
||||
\newlabel{code:override_return_1}{{3.7}{34}{Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{lstlisting.3.7}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.7}Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{34}{lstlisting.3.7}\protected@file@percent }
|
||||
\newlabel{code:override_return_2}{{3.8}{34}{Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_syscall}}{lstlisting.3.8}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.8}Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_syscall}}{34}{lstlisting.3.8}\protected@file@percent }
|
||||
\abx@aux@cite{fault_injection}
|
||||
\abx@aux@segm{0}{0}{fault_injection}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.4}Sending signals to user programs}{35}{subsection.3.2.4}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.5}Conclusion}{35}{subsection.3.2.5}\protected@file@percent }
|
||||
\newlabel{subsection:tracing_attacks_conclusion}{{3.2.5}{35}{Conclusion}{subsection.3.2.5}{}}
|
||||
\abx@aux@cite{ebpf_helpers}
|
||||
\abx@aux@segm{0}{0}{ebpf_helpers}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.16}{\ignorespaces Capabilities needed for eBPF.\relax }}{27}{table.caption.31}\protected@file@percent }
|
||||
\newlabel{table:ebpf_caps_current}{{2.16}{27}{Capabilities needed for eBPF.\relax }{table.caption.31}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.17}{\ignorespaces Values for unprivileged eBPF kernel parameter.\relax }}{27}{table.caption.32}\protected@file@percent }
|
||||
\newlabel{table:unpriv_ebpf_values}{{2.17}{27}{Values for unprivileged eBPF kernel parameter.\relax }{table.caption.32}{}}
|
||||
\abx@aux@cite{mem_page_arch}
|
||||
\abx@aux@segm{0}{0}{mem_page_arch}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.3}Memory corruption}{36}{section.3.3}\protected@file@percent }
|
||||
\newlabel{section:mem_corruption}{{3.3}{36}{Memory corruption}{section.3.3}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.1}Memory management in Linux}{36}{subsection.3.3.1}\protected@file@percent }
|
||||
\abx@aux@cite{page_faults}
|
||||
\abx@aux@segm{0}{0}{page_faults}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.1}{\ignorespaces Memory translation of virtual pages to physical pages.\relax }}{37}{figure.caption.34}\protected@file@percent }
|
||||
\newlabel{fig:mem_arch_pages}{{3.1}{37}{Memory translation of virtual pages to physical pages.\relax }{figure.caption.34}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.6}Memory management in Linux}{28}{section.2.6}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.6.1}Memory pages and faults}{28}{subsection.2.6.1}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.10}{\ignorespaces Memory translation of virtual pages to physical pages.\relax }}{28}{figure.caption.33}\protected@file@percent }
|
||||
\newlabel{fig:mem_arch_pages}{{2.10}{28}{Memory translation of virtual pages to physical pages.\relax }{figure.caption.33}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.11}{\ignorespaces Major page fault after a page was removed from RAM.\relax }}{29}{figure.caption.34}\protected@file@percent }
|
||||
\newlabel{fig:mem_major_page_fault}{{2.11}{29}{Major page fault after a page was removed from RAM.\relax }{figure.caption.34}{}}
|
||||
\abx@aux@cite{mem_arch_proc}
|
||||
\abx@aux@segm{0}{0}{mem_arch_proc}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.2}{\ignorespaces Major page fault after a page was removed from RAM.\relax }}{38}{figure.caption.35}\protected@file@percent }
|
||||
\newlabel{fig:mem_major_page_fault}{{3.2}{38}{Major page fault after a page was removed from RAM.\relax }{figure.caption.35}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.3}{\ignorespaces Minor page fault after a fork() in which the page table was not copied completely.\relax }}{38}{figure.caption.36}\protected@file@percent }
|
||||
\newlabel{fig:mem_minor_page_fault}{{3.3}{38}{Minor page fault after a fork() in which the page table was not copied completely.\relax }{figure.caption.36}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.2}Process virtual memory}{39}{subsection.3.3.2}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.4}{\ignorespaces Virtual memory architecture of a process\cite {mem_arch_proc}.\relax }}{39}{figure.caption.37}\protected@file@percent }
|
||||
\newlabel{fig:mem_proc_arch}{{3.4}{39}{Virtual memory architecture of a process\cite {mem_arch_proc}.\relax }{figure.caption.37}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.3}The process stack}{40}{subsection.3.3.3}\protected@file@percent }
|
||||
\newlabel{subsection:stack}{{3.3.3}{40}{The process stack}{subsection.3.3.3}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.5}{\ignorespaces Simplified stack representation showing only stack frames.\relax }}{40}{figure.caption.38}\protected@file@percent }
|
||||
\newlabel{fig:stack_pres}{{3.5}{40}{Simplified stack representation showing only stack frames.\relax }{figure.caption.38}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.5}{\ignorespaces Relevant registers in x86\_64 for the stack and control flow and their purpose.\relax }}{40}{table.caption.39}\protected@file@percent }
|
||||
\newlabel{table:systemv_abi_other}{{3.5}{40}{Relevant registers in x86\_64 for the stack and control flow and their purpose.\relax }{table.caption.39}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.6}{\ignorespaces Representation of push and pop operations in the stack.\relax }}{42}{figure.caption.40}\protected@file@percent }
|
||||
\newlabel{fig:stack_ops}{{3.6}{42}{Representation of push and pop operations in the stack.\relax }{figure.caption.40}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.7}{\ignorespaces Stack representation right before starting the function call process.\relax }}{42}{figure.caption.41}\protected@file@percent }
|
||||
\newlabel{fig:stack_before}{{3.7}{42}{Stack representation right before starting the function call process.\relax }{figure.caption.41}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.12}{\ignorespaces Minor page fault after a fork() in which the page table was not copied completely.\relax }}{30}{figure.caption.35}\protected@file@percent }
|
||||
\newlabel{fig:mem_minor_page_fault}{{2.12}{30}{Minor page fault after a fork() in which the page table was not copied completely.\relax }{figure.caption.35}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.6.2}Process virtual memory}{30}{subsection.2.6.2}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.13}{\ignorespaces Virtual memory architecture of a process\cite {mem_arch_proc}.\relax }}{31}{figure.caption.36}\protected@file@percent }
|
||||
\newlabel{fig:mem_proc_arch}{{2.13}{31}{Virtual memory architecture of a process\cite {mem_arch_proc}.\relax }{figure.caption.36}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.6.3}The process stack}{32}{subsection.2.6.3}\protected@file@percent }
|
||||
\newlabel{subsection:stack}{{2.6.3}{32}{The process stack}{subsection.2.6.3}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.14}{\ignorespaces Simplified stack representation showing only stack frames.\relax }}{32}{figure.caption.37}\protected@file@percent }
|
||||
\newlabel{fig:stack_pres}{{2.14}{32}{Simplified stack representation showing only stack frames.\relax }{figure.caption.37}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.18}{\ignorespaces Relevant registers in x86\_64 for the stack and control flow and their purpose.\relax }}{32}{table.caption.38}\protected@file@percent }
|
||||
\newlabel{table:systemv_abi_other}{{2.18}{32}{Relevant registers in x86\_64 for the stack and control flow and their purpose.\relax }{table.caption.38}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.15}{\ignorespaces Representation of push and pop operations in the stack.\relax }}{33}{figure.caption.39}\protected@file@percent }
|
||||
\newlabel{fig:stack_ops}{{2.15}{33}{Representation of push and pop operations in the stack.\relax }{figure.caption.39}{}}
|
||||
\abx@aux@cite{8664_params_abi_p18}
|
||||
\abx@aux@segm{0}{0}{8664_params_abi_p18}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.8}{\ignorespaces Stack representation right after the function preamble.\relax }}{43}{figure.caption.42}\protected@file@percent }
|
||||
\newlabel{fig:stack}{{3.8}{43}{Stack representation right after the function preamble.\relax }{figure.caption.42}{}}
|
||||
\abx@aux@cite{write_helper_non_fault}
|
||||
\abx@aux@segm{0}{0}{write_helper_non_fault}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.4}Attacks and limitations of bpf\_probe\_write\_user()}{44}{subsection.3.3.4}\protected@file@percent }
|
||||
\newlabel{subsection:bpf_probe_write_apps}{{3.3.4}{44}{Attacks and limitations of bpf\_probe\_write\_user()}{subsection.3.3.4}{}}
|
||||
\abx@aux@cite{code_vfs_read}
|
||||
\abx@aux@segm{0}{0}{code_vfs_read}
|
||||
\abx@aux@cite{code_vfs_read}
|
||||
\abx@aux@segm{0}{0}{code_vfs_read}
|
||||
\abx@aux@cite{evil_ebpf_p6974}
|
||||
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
|
||||
\abx@aux@cite{8664_params_abi_p1922}
|
||||
\abx@aux@segm{0}{0}{8664_params_abi_p1922}
|
||||
\newlabel{code:vfs_read}{{3.9}{45}{Definition of kernel function vfs\_read. \cite {code_vfs_read}}{lstlisting.3.9}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.9}Definition of kernel function vfs\_read. \cite {code_vfs_read}}{45}{lstlisting.3.9}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.9}{\ignorespaces Overview of stack scanning and writing technique.\relax }}{46}{figure.caption.43}\protected@file@percent }
|
||||
\newlabel{fig:stack_scan_write_tech}{{3.9}{46}{Overview of stack scanning and writing technique.\relax }{figure.caption.43}{}}
|
||||
\newlabel{code:stack_scan_write_tech}{{3.10}{46}{Sample program being executed on figure \ref {fig:stack_scan_write_tech}}{lstlisting.3.10}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.10}Sample program being executed on figure \ref {fig:stack_scan_write_tech}.}{46}{lstlisting.3.10}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.5}Conclusion}{47}{subsection.3.3.5}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.4}Abusing networking programs}{47}{section.3.4}\protected@file@percent }
|
||||
\newlabel{section:abusing_networking}{{3.4}{47}{Abusing networking programs}{section.3.4}{}}
|
||||
\abx@aux@cite{network_layers}
|
||||
\abx@aux@segm{0}{0}{network_layers}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.1}An overview on the network layer}{48}{subsection.3.4.1}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.10}{\ignorespaces Ethernet frame with TCP/IP packet.\relax }}{48}{figure.caption.44}\protected@file@percent }
|
||||
\newlabel{fig:frame}{{3.10}{48}{Ethernet frame with TCP/IP packet.\relax }{figure.caption.44}{}}
|
||||
\abx@aux@cite{tcp_reliable}
|
||||
\abx@aux@segm{0}{0}{tcp_reliable}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.2}Introduction to the TCP protocol}{49}{subsection.3.4.2}\protected@file@percent }
|
||||
\newlabel{subsection:tcp}{{3.4.2}{49}{Introduction to the TCP protocol}{subsection.3.4.2}{}}
|
||||
\abx@aux@cite{tcp_handshake}
|
||||
\abx@aux@segm{0}{0}{tcp_handshake}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.6}{\ignorespaces Relevant TCP flags and their purpose.\relax }}{50}{table.caption.45}\protected@file@percent }
|
||||
\newlabel{table:tcp_flags}{{3.6}{50}{Relevant TCP flags and their purpose.\relax }{table.caption.45}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.11}{\ignorespaces TCP 3-way handshake.\relax }}{50}{figure.caption.46}\protected@file@percent }
|
||||
\newlabel{fig:tcp_conn}{{3.11}{50}{TCP 3-way handshake.\relax }{figure.caption.46}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.12}{\ignorespaces TCP packet retransmission on timeout.\relax }}{51}{figure.caption.47}\protected@file@percent }
|
||||
\newlabel{fig:tcp_retransmission}{{3.12}{51}{TCP packet retransmission on timeout.\relax }{figure.caption.47}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.3}Attacks and limitations of networking programs}{51}{subsection.3.4.3}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.13}{\ignorespaces Technique to duplicate a packet for exfiltrating data.\relax }}{53}{figure.caption.48}\protected@file@percent }
|
||||
\newlabel{fig:tcp_exfiltrate_retrans}{{3.13}{53}{Technique to duplicate a packet for exfiltrating data.\relax }{figure.caption.48}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.4}Conclusion}{54}{subsection.3.4.4}\protected@file@percent }
|
||||
\abx@aux@cite{evil_ebpf_p6974}
|
||||
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Design of a malicious eBPF rootkit}{55}{chapter.4}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.1}Library injection via GOT hijacking}{55}{section.4.1}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.1}Attacks at the stack: buffer overflow}{56}{subsection.4.1.1}\protected@file@percent }
|
||||
\newlabel{subsection: buf_overflow}{{4.1.1}{56}{Attacks at the stack: buffer overflow}{subsection.4.1.1}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.1}{\ignorespaces Execution hijack overwriting saved rip value.\relax }}{57}{figure.caption.49}\protected@file@percent }
|
||||
\newlabel{fig:stack_ret_hij_simple}{{4.1}{57}{Execution hijack overwriting saved rip value.\relax }{figure.caption.49}{}}
|
||||
\newlabel{code:vuln_overflow}{{4.1}{57}{Program vulnerable to buffer overflow}{lstlisting.4.1}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {4.1}Program vulnerable to buffer overflow.}{57}{lstlisting.4.1}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.2}{\ignorespaces Stack buffer overflow overwriting ret value.\relax }}{58}{figure.caption.50}\protected@file@percent }
|
||||
\newlabel{fig:buffer_overflow}{{4.2}{58}{Stack buffer overflow overwriting ret value.\relax }{figure.caption.50}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.3}{\ignorespaces Executing arbitrary code exploiting a buffer overflow vulnerability.\relax }}{59}{figure.caption.51}\protected@file@percent }
|
||||
\newlabel{fig:buffer_overflow_shellcode}{{4.3}{59}{Executing arbitrary code exploiting a buffer overflow vulnerability.\relax }{figure.caption.51}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.16}{\ignorespaces Stack representation right before starting the function call process.\relax }}{34}{figure.caption.40}\protected@file@percent }
|
||||
\newlabel{fig:stack_before}{{2.16}{34}{Stack representation right before starting the function call process.\relax }{figure.caption.40}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.17}{\ignorespaces Stack representation right after the function preamble.\relax }}{34}{figure.caption.41}\protected@file@percent }
|
||||
\newlabel{fig:stack}{{2.17}{34}{Stack representation right after the function preamble.\relax }{figure.caption.41}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.7}Attacks at the stack}{35}{section.2.7}\protected@file@percent }
|
||||
\newlabel{section:attacks_stack}{{2.7}{35}{Attacks at the stack}{section.2.7}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.18}{\ignorespaces Execution hijack overwriting saved rip value.\relax }}{36}{figure.caption.42}\protected@file@percent }
|
||||
\newlabel{fig:stack_ret_hij_simple}{{2.18}{36}{Execution hijack overwriting saved rip value.\relax }{figure.caption.42}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.7.1}Buffer overflow}{36}{subsection.2.7.1}\protected@file@percent }
|
||||
\newlabel{subsection: buf_overflow}{{2.7.1}{36}{Buffer overflow}{subsection.2.7.1}{}}
|
||||
\newlabel{code:vuln_overflow}{{2.1}{37}{Program vulnerable to buffer overflow}{lstlisting.2.1}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {2.1}Program vulnerable to buffer overflow.}{37}{lstlisting.2.1}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.19}{\ignorespaces Stack buffer overflow overwriting ret value.\relax }}{37}{figure.caption.43}\protected@file@percent }
|
||||
\newlabel{fig:buffer_overflow}{{2.19}{37}{Stack buffer overflow overwriting ret value.\relax }{figure.caption.43}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.20}{\ignorespaces Executing arbitrary code exploiting a buffer overflow vulnerability.\relax }}{38}{figure.caption.44}\protected@file@percent }
|
||||
\newlabel{fig:buffer_overflow_shellcode}{{2.20}{38}{Executing arbitrary code exploiting a buffer overflow vulnerability.\relax }{figure.caption.44}{}}
|
||||
\abx@aux@cite{rop_prog_finder}
|
||||
\abx@aux@segm{0}{0}{rop_prog_finder}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.2}Return oriented programming attacks}{60}{subsection.4.1.2}\protected@file@percent }
|
||||
\newlabel{subsection:rop}{{4.1.2}{60}{Return oriented programming attacks}{subsection.4.1.2}{}}
|
||||
\newlabel{code:rop_ex}{{4.2}{60}{Sample program to run using ROP}{lstlisting.4.2}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {4.2}Sample program to run using ROP.}{60}{lstlisting.4.2}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.4}{\ignorespaces Steps for executing code sample using ROP.\relax }}{61}{figure.caption.52}\protected@file@percent }
|
||||
\newlabel{fig:rop_compund}{{4.4}{61}{Steps for executing code sample using ROP.\relax }{figure.caption.52}{}}
|
||||
\abx@aux@cite{evil_ebpf_p6974}
|
||||
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
|
||||
\abx@aux@cite{glibc}
|
||||
\abx@aux@segm{0}{0}{glibc}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.3}ROP with eBPF}{62}{subsection.4.1.3}\protected@file@percent }
|
||||
\newlabel{subsection:rop_ebpf}{{4.1.3}{62}{ROP with eBPF}{subsection.4.1.3}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.5}{\ignorespaces Initial setup for the ROP with eBPF technique.\relax }}{62}{figure.caption.53}\protected@file@percent }
|
||||
\newlabel{fig:rop_evil_ebpf_1}{{4.5}{62}{Initial setup for the ROP with eBPF technique.\relax }{figure.caption.53}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.6}{\ignorespaces Process memory after syscall exits and ROP code overwrites the stack.\relax }}{63}{figure.caption.54}\protected@file@percent }
|
||||
\newlabel{fig:rop_evil_ebpf_2}{{4.6}{63}{Process memory after syscall exits and ROP code overwrites the stack.\relax }{figure.caption.54}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.7.2}Return oriented programming attacks}{39}{subsection.2.7.2}\protected@file@percent }
|
||||
\newlabel{subsection:rop}{{2.7.2}{39}{Return oriented programming attacks}{subsection.2.7.2}{}}
|
||||
\newlabel{code:rop_ex}{{2.2}{39}{Sample program to run using ROP}{lstlisting.2.2}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {2.2}Sample program to run using ROP.}{39}{lstlisting.2.2}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.21}{\ignorespaces Steps for executing code sample using ROP.\relax }}{40}{figure.caption.45}\protected@file@percent }
|
||||
\newlabel{fig:rop_compund}{{2.21}{40}{Steps for executing code sample using ROP.\relax }{figure.caption.45}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.8}Networking fundamentals in Linux}{41}{section.2.8}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.8.1}An overview on the network layer}{41}{subsection.2.8.1}\protected@file@percent }
|
||||
\abx@aux@cite{network_layers}
|
||||
\abx@aux@segm{0}{0}{network_layers}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.22}{\ignorespaces Ethernet frame with TCP/IP packet.\relax }}{42}{figure.caption.46}\protected@file@percent }
|
||||
\newlabel{fig:frame}{{2.22}{42}{Ethernet frame with TCP/IP packet.\relax }{figure.caption.46}{}}
|
||||
\abx@aux@cite{tcp_reliable}
|
||||
\abx@aux@segm{0}{0}{tcp_reliable}
|
||||
\abx@aux@cite{tcp_handshake}
|
||||
\abx@aux@segm{0}{0}{tcp_handshake}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.8.2}Introduction to the TCP protocol}{43}{subsection.2.8.2}\protected@file@percent }
|
||||
\newlabel{subsection:tcp}{{2.8.2}{43}{Introduction to the TCP protocol}{subsection.2.8.2}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.19}{\ignorespaces Relevant TCP flags and their purpose.\relax }}{43}{table.caption.47}\protected@file@percent }
|
||||
\newlabel{table:tcp_flags}{{2.19}{43}{Relevant TCP flags and their purpose.\relax }{table.caption.47}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.23}{\ignorespaces TCP 3-way handshake.\relax }}{44}{figure.caption.48}\protected@file@percent }
|
||||
\newlabel{fig:tcp_conn}{{2.23}{44}{TCP 3-way handshake.\relax }{figure.caption.48}{}}
|
||||
\abx@aux@cite{elf}
|
||||
\abx@aux@segm{0}{0}{elf}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.7}{\ignorespaces Stack data is restored and program continues its execution.\relax }}{64}{figure.caption.55}\protected@file@percent }
|
||||
\newlabel{fig:rop_evil_ebpf_3}{{4.7}{64}{Stack data is restored and program continues its execution.\relax }{figure.caption.55}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.4}The ELF format and Lazy Binding}{64}{subsection.4.1.4}\protected@file@percent }
|
||||
\newlabel{subsection:elf_lazy_binding}{{4.1.4}{64}{The ELF format and Lazy Binding}{subsection.4.1.4}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {4.1}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{65}{table.caption.56}\protected@file@percent }
|
||||
\newlabel{table:elf_tools}{{4.1}{65}{Tools used for analysis of ELF programs.\relax }{table.caption.56}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {4.2}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{65}{table.caption.57}\protected@file@percent }
|
||||
\newlabel{table:elf_sec_headers}{{4.2}{65}{Tools used for analysis of ELF programs.\relax }{table.caption.57}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.24}{\ignorespaces TCP packet retransmission on timeout.\relax }}{45}{figure.caption.49}\protected@file@percent }
|
||||
\newlabel{fig:tcp_retransmission}{{2.24}{45}{TCP packet retransmission on timeout.\relax }{figure.caption.49}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.9}ELF binaries}{45}{section.2.9}\protected@file@percent }
|
||||
\newlabel{section:elf}{{2.9}{45}{ELF binaries}{section.2.9}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.9.1}The ELF format and Lazy Binding}{45}{subsection.2.9.1}\protected@file@percent }
|
||||
\newlabel{subsection:elf_lazy_binding}{{2.9.1}{45}{The ELF format and Lazy Binding}{subsection.2.9.1}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.20}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{46}{table.caption.50}\protected@file@percent }
|
||||
\newlabel{table:elf_tools}{{2.20}{46}{Tools used for analysis of ELF programs.\relax }{table.caption.50}{}}
|
||||
\abx@aux@cite{plt_got_overlord}
|
||||
\abx@aux@segm{0}{0}{plt_got_overlord}
|
||||
\abx@aux@cite{plt_got_technovelty}
|
||||
\abx@aux@segm{0}{0}{plt_got_technovelty}
|
||||
\newlabel{code:lazy_bind_1}{{4.3}{66}{Call to PLT stub seen from objdump}{lstlisting.4.3}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {4.3}Call to PLT stub seen from objdump.}{66}{lstlisting.4.3}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.8}{\ignorespaces PLT stub for timerfd\_settime, seen from gdb-peda.\relax }}{66}{figure.caption.58}\protected@file@percent }
|
||||
\newlabel{fig:lazy_bind_2}{{4.8}{66}{PLT stub for timerfd\_settime, seen from gdb-peda.\relax }{figure.caption.58}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.9}{\ignorespaces Inspecting address stored in GOT section before dynamic linking, seen from gdb-peda.\relax }}{66}{figure.caption.59}\protected@file@percent }
|
||||
\newlabel{fig:lazy_bind_3}{{4.9}{66}{Inspecting address stored in GOT section before dynamic linking, seen from gdb-peda.\relax }{figure.caption.59}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.10}{\ignorespaces Inspecting address stored in GOT section after dynamic linking, seen from gdb-peda.\relax }}{67}{figure.caption.60}\protected@file@percent }
|
||||
\newlabel{fig:lazy_bind_4}{{4.10}{67}{Inspecting address stored in GOT section after dynamic linking, seen from gdb-peda.\relax }{figure.caption.60}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.11}{\ignorespaces Glibc function to which PLT jumps using address stored at GOT, seen from gdb-peda.\relax }}{67}{figure.caption.61}\protected@file@percent }
|
||||
\newlabel{fig:lazy_bind_5}{{4.11}{67}{Glibc function to which PLT jumps using address stored at GOT, seen from gdb-peda.\relax }{figure.caption.61}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.5}Hardening ELF binaries and possible bypasses}{67}{subsection.4.1.5}\protected@file@percent }
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.21}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{47}{table.caption.51}\protected@file@percent }
|
||||
\newlabel{table:elf_sec_headers}{{2.21}{47}{Tools used for analysis of ELF programs.\relax }{table.caption.51}{}}
|
||||
\newlabel{code:lazy_bind_1}{{2.3}{47}{Call to PLT stub seen from objdump}{lstlisting.2.3}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {2.3}Call to PLT stub seen from objdump.}{47}{lstlisting.2.3}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.25}{\ignorespaces PLT stub for timerfd\_settime, seen from gdb-peda.\relax }}{48}{figure.caption.52}\protected@file@percent }
|
||||
\newlabel{fig:lazy_bind_2}{{2.25}{48}{PLT stub for timerfd\_settime, seen from gdb-peda.\relax }{figure.caption.52}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.26}{\ignorespaces Inspecting address stored in GOT section before dynamic linking, seen from gdb-peda.\relax }}{48}{figure.caption.53}\protected@file@percent }
|
||||
\newlabel{fig:lazy_bind_3}{{2.26}{48}{Inspecting address stored in GOT section before dynamic linking, seen from gdb-peda.\relax }{figure.caption.53}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.27}{\ignorespaces Inspecting address stored in GOT section after dynamic linking, seen from gdb-peda.\relax }}{48}{figure.caption.54}\protected@file@percent }
|
||||
\newlabel{fig:lazy_bind_4}{{2.27}{48}{Inspecting address stored in GOT section after dynamic linking, seen from gdb-peda.\relax }{figure.caption.54}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.28}{\ignorespaces Glibc function to which PLT jumps using address stored at GOT, seen from gdb-peda.\relax }}{48}{figure.caption.55}\protected@file@percent }
|
||||
\newlabel{fig:lazy_bind_5}{{2.28}{48}{Glibc function to which PLT jumps using address stored at GOT, seen from gdb-peda.\relax }{figure.caption.55}{}}
|
||||
\abx@aux@cite{aslr_pie_intro}
|
||||
\abx@aux@segm{0}{0}{aslr_pie_intro}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {4.3}{\ignorespaces Security features in C compilers used in the study.\relax }}{68}{table.caption.62}\protected@file@percent }
|
||||
\newlabel{table:compilers}{{4.3}{68}{Security features in C compilers used in the study.\relax }{table.caption.62}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.9.2}Hardening ELF binaries}{49}{subsection.2.9.2}\protected@file@percent }
|
||||
\newlabel{subsection:hardening_elf}{{2.9.2}{49}{Hardening ELF binaries}{subsection.2.9.2}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.22}{\ignorespaces Security features in C compilers used in the study.\relax }}{49}{table.caption.56}\protected@file@percent }
|
||||
\newlabel{table:compilers}{{2.22}{49}{Security features in C compilers used in the study.\relax }{table.caption.56}{}}
|
||||
\abx@aux@cite{aslr_pie_intro}
|
||||
\abx@aux@segm{0}{0}{aslr_pie_intro}
|
||||
\abx@aux@cite{pie_exploit}
|
||||
\abx@aux@segm{0}{0}{pie_exploit}
|
||||
\abx@aux@cite{relro_redhat}
|
||||
\abx@aux@segm{0}{0}{relro_redhat}
|
||||
\abx@aux@cite{cet_windows}
|
||||
\abx@aux@segm{0}{0}{cet_windows}
|
||||
\abx@aux@cite{cet_linux}
|
||||
\abx@aux@segm{0}{0}{cet_linux}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.12}{\ignorespaces Two runs of the same executable using ASLR, showing a library and two symbols.\relax }}{69}{figure.caption.63}\protected@file@percent }
|
||||
\newlabel{fig:alsr_offset}{{4.12}{69}{Two runs of the same executable using ASLR, showing a library and two symbols.\relax }{figure.caption.63}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.6}Design of our attack}{70}{subsection.4.1.6}\protected@file@percent }
|
||||
\newlabel{subsection:got_attack}{{4.1.6}{70}{Design of our attack}{subsection.4.1.6}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.13}{\ignorespaces Call to the glibc function, using objdump\relax }}{71}{figure.caption.64}\protected@file@percent }
|
||||
\newlabel{fig:firstcall}{{4.13}{71}{Call to the glibc function, using objdump\relax }{figure.caption.64}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Results}{72}{chapter.5}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Analysis of offensive capabilities}{52}{chapter.3}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Conclusion and future work}{73}{chapter.6}\protected@file@percent }
|
||||
\newlabel{chapter:analysis_offensive_capabilities}{{3}{52}{Analysis of offensive capabilities}{chapter.3}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.1}eBPF maps security}{52}{section.3.1}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.2}Abusing tracing programs}{53}{section.3.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.1}Access to function arguments}{53}{subsection.3.2.1}\protected@file@percent }
|
||||
\newlabel{code:format_kprobe}{{3.1}{53}{Probe function for a kprobe on the kernel function vfs\_write}{lstlisting.3.1}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.1}Probe function for a kprobe on the kernel function vfs\_write.}{53}{lstlisting.3.1}\protected@file@percent }
|
||||
\newlabel{code:format_uprobe}{{3.2}{53}{Probe function for an uprobe, execute\_command is defined from user space}{lstlisting.3.2}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.2}Probe function for an uprobe, execute\_command is defined from user space.}{53}{lstlisting.3.2}\protected@file@percent }
|
||||
\newlabel{code:format_tracepoint}{{3.3}{53}{Probe function for a tracepoint on the start of the syscall sys\_read}{lstlisting.3.3}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.3}Probe function for a tracepoint on the start of the syscall sys\_read.}{53}{lstlisting.3.3}\protected@file@percent }
|
||||
\abx@aux@cite{8664_params_abi}
|
||||
\abx@aux@segm{0}{0}{8664_params_abi}
|
||||
\newlabel{code:format_ptregs}{{3.4}{54}{Format of struct pt\_regs}{lstlisting.3.4}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.4}Format of struct pt\_regs.}{54}{lstlisting.3.4}\protected@file@percent }
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.1}{\ignorespaces Argument passing convention of registers for function calls in user and kernel space respectively.\relax }}{54}{table.caption.57}\protected@file@percent }
|
||||
\newlabel{table:systemv_abi}{{3.1}{54}{Argument passing convention of registers for function calls in user and kernel space respectively.\relax }{table.caption.57}{}}
|
||||
\newlabel{code:sys_enter_read_tp_format}{{3.5}{55}{Format for parameters in sys\_enter\_read specified at the format file}{lstlisting.3.5}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.5}Format for parameters in sys\_enter\_read specified at the format file.}{55}{lstlisting.3.5}\protected@file@percent }
|
||||
\newlabel{code:sys_enter_read_tp}{{3.6}{55}{Format of custom struct sys\_read\_enter\_ctx}{lstlisting.3.6}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.6}Format of custom struct sys\_read\_enter\_ctx.}{55}{lstlisting.3.6}\protected@file@percent }
|
||||
\abx@aux@cite{ebpf_friends_p15}
|
||||
\abx@aux@segm{0}{0}{ebpf_friends_p15}
|
||||
\abx@aux@cite{ebpf_override_return}
|
||||
\abx@aux@segm{0}{0}{ebpf_override_return}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{56}{subsection.3.2.2}\protected@file@percent }
|
||||
\newlabel{subsection:out_read_bounds}{{3.2.2}{56}{Reading memory out of bounds}{subsection.3.2.2}{}}
|
||||
\abx@aux@cite{code_kernel_open}
|
||||
\abx@aux@segm{0}{0}{code_kernel_open}
|
||||
\abx@aux@cite{code_kernel_open}
|
||||
\abx@aux@segm{0}{0}{code_kernel_open}
|
||||
\abx@aux@cite{code_kernel_syscall}
|
||||
\abx@aux@segm{0}{0}{code_kernel_syscall}
|
||||
\abx@aux@cite{code_kernel_syscall}
|
||||
\abx@aux@segm{0}{0}{code_kernel_syscall}
|
||||
\abx@aux@cite{fault_injection}
|
||||
\abx@aux@segm{0}{0}{fault_injection}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.3}Overriding function return values}{57}{subsection.3.2.3}\protected@file@percent }
|
||||
\newlabel{code:override_return_1}{{3.7}{57}{Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{lstlisting.3.7}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.7}Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{57}{lstlisting.3.7}\protected@file@percent }
|
||||
\newlabel{code:override_return_2}{{3.8}{57}{Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_syscall}}{lstlisting.3.8}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.8}Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_syscall}}{57}{lstlisting.3.8}\protected@file@percent }
|
||||
\abx@aux@cite{ebpf_helpers}
|
||||
\abx@aux@segm{0}{0}{ebpf_helpers}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.4}Sending signals to user programs}{58}{subsection.3.2.4}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.5}Conclusion}{58}{subsection.3.2.5}\protected@file@percent }
|
||||
\newlabel{subsection:tracing_attacks_conclusion}{{3.2.5}{58}{Conclusion}{subsection.3.2.5}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.3}Memory corruption}{58}{section.3.3}\protected@file@percent }
|
||||
\newlabel{section:mem_corruption}{{3.3}{58}{Memory corruption}{section.3.3}{}}
|
||||
\abx@aux@cite{write_helper_non_fault}
|
||||
\abx@aux@segm{0}{0}{write_helper_non_fault}
|
||||
\abx@aux@cite{code_vfs_read}
|
||||
\abx@aux@segm{0}{0}{code_vfs_read}
|
||||
\abx@aux@cite{code_vfs_read}
|
||||
\abx@aux@segm{0}{0}{code_vfs_read}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.1}Attacks and limitations of bpf\_probe\_write\_user()}{59}{subsection.3.3.1}\protected@file@percent }
|
||||
\newlabel{subsection:bpf_probe_write_apps}{{3.3.1}{59}{Attacks and limitations of bpf\_probe\_write\_user()}{subsection.3.3.1}{}}
|
||||
\abx@aux@cite{evil_ebpf_p6974}
|
||||
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
|
||||
\abx@aux@cite{8664_params_abi_p1922}
|
||||
\abx@aux@segm{0}{0}{8664_params_abi_p1922}
|
||||
\newlabel{code:vfs_read}{{3.9}{60}{Definition of kernel function vfs\_read. \cite {code_vfs_read}}{lstlisting.3.9}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.9}Definition of kernel function vfs\_read. \cite {code_vfs_read}}{60}{lstlisting.3.9}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.1}{\ignorespaces Overview of stack scanning and writing technique.\relax }}{60}{figure.caption.58}\protected@file@percent }
|
||||
\newlabel{fig:stack_scan_write_tech}{{3.1}{60}{Overview of stack scanning and writing technique.\relax }{figure.caption.58}{}}
|
||||
\newlabel{code:stack_scan_write_tech}{{3.10}{61}{Sample program being executed on figure \ref {fig:stack_scan_write_tech}}{lstlisting.3.10}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.10}Sample program being executed on figure \ref {fig:stack_scan_write_tech}.}{61}{lstlisting.3.10}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.2}Conclusion}{61}{subsection.3.3.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.4}Abusing networking programs}{62}{section.3.4}\protected@file@percent }
|
||||
\newlabel{section:abusing_networking}{{3.4}{62}{Abusing networking programs}{section.3.4}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.1}Attacks and limitations of networking programs}{62}{subsection.3.4.1}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.2}{\ignorespaces Technique to duplicate a packet for exfiltrating data.\relax }}{64}{figure.caption.59}\protected@file@percent }
|
||||
\newlabel{fig:tcp_exfiltrate_retrans}{{3.2}{64}{Technique to duplicate a packet for exfiltrating data.\relax }{figure.caption.59}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.2}Conclusion}{65}{subsection.3.4.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Design of a malicious eBPF rootkit}{66}{chapter.4}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{74}{chapter.6}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.1}Library injection attacks}{66}{section.4.1}\protected@file@percent }
|
||||
\abx@aux@cite{evil_ebpf_p6974}
|
||||
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
|
||||
\abx@aux@cite{evil_ebpf_p6974}
|
||||
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
|
||||
\abx@aux@cite{glibc}
|
||||
\abx@aux@segm{0}{0}{glibc}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.1}ROP with eBPF}{67}{subsection.4.1.1}\protected@file@percent }
|
||||
\newlabel{subsection:rop_ebpf}{{4.1.1}{67}{ROP with eBPF}{subsection.4.1.1}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.1}{\ignorespaces Initial setup for the ROP with eBPF technique.\relax }}{67}{figure.caption.60}\protected@file@percent }
|
||||
\newlabel{fig:rop_evil_ebpf_1}{{4.1}{67}{Initial setup for the ROP with eBPF technique.\relax }{figure.caption.60}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.2}{\ignorespaces Process memory after syscall exits and ROP code overwrites the stack.\relax }}{68}{figure.caption.61}\protected@file@percent }
|
||||
\newlabel{fig:rop_evil_ebpf_2}{{4.2}{68}{Process memory after syscall exits and ROP code overwrites the stack.\relax }{figure.caption.61}{}}
|
||||
\abx@aux@cite{canary_exploit}
|
||||
\abx@aux@segm{0}{0}{canary_exploit}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.3}{\ignorespaces Stack data is restored and program continues its execution.\relax }}{69}{figure.caption.62}\protected@file@percent }
|
||||
\newlabel{fig:rop_evil_ebpf_3}{{4.3}{69}{Stack data is restored and program continues its execution.\relax }{figure.caption.62}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.2}Bypassing hardening features in ELFs}{69}{subsection.4.1.2}\protected@file@percent }
|
||||
\abx@aux@cite{pie_exploit}
|
||||
\abx@aux@segm{0}{0}{pie_exploit}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.4}{\ignorespaces Two runs of the same executable using ASLR, showing a library and two symbols.\relax }}{70}{figure.caption.63}\protected@file@percent }
|
||||
\newlabel{fig:alsr_offset}{{4.4}{70}{Two runs of the same executable using ASLR, showing a library and two symbols.\relax }{figure.caption.63}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.3}Library injection via GOT hijacking}{71}{subsection.4.1.3}\protected@file@percent }
|
||||
\newlabel{subsection:got_attack}{{4.1.3}{71}{Library injection via GOT hijacking}{subsection.4.1.3}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.5}{\ignorespaces Call to the glibc function, using objdump\relax }}{72}{figure.caption.64}\protected@file@percent }
|
||||
\newlabel{fig:firstcall}{{4.5}{72}{Call to the glibc function, using objdump\relax }{figure.caption.64}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Evaluation}{73}{chapter.5}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Related work}{74}{chapter.6}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{75}{chapter.6}\protected@file@percent }
|
||||
\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.66}{}}
|
||||
\newlabel{annex:readelf_commands}{{6}{}{Appendix B - Readelf commands}{chapter*.67}{}}
|
||||
\newlabel{annexsec:readelf_sec_headers}{{6}{}{}{chapter*.67}{}}
|
||||
\newlabel{code:elf_sections}{{6.1}{}{List of ELF section headers with readelf tool of a program compiled with GCC}{lstlisting.6.1}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {6.1}List of ELF section headers with readelf tool of a program compiled with GCC.}{}{lstlisting.6.1}\protected@file@percent }
|
||||
\abx@aux@read@bbl@mdfivesum{DAEC68472698FE766A5D65F3ABD46C28}
|
||||
\abx@aux@read@bbl@mdfivesum{073A2C7C705B80891C5D9DCBDBB01C38}
|
||||
\abx@aux@read@bblrerun
|
||||
\abx@aux@refcontextdefaultsdone
|
||||
\abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
|
||||
@@ -551,6 +562,21 @@
|
||||
\abx@aux@defaultrefcontext{0}{libbpf_github}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{libbpf_upstream}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{libbpf_core}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{mem_page_arch}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{page_faults}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{mem_arch_proc}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{8664_params_abi_p18}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{rop_prog_finder}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{network_layers}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{tcp_reliable}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{tcp_handshake}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{elf}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{plt_got_overlord}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{plt_got_technovelty}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{aslr_pie_intro}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{relro_redhat}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{cet_windows}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{cet_linux}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ubuntu_caps}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{evil_ebpf_p9}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_caps_intro}{none/global//global/global}
|
||||
@@ -566,23 +592,12 @@
|
||||
\abx@aux@defaultrefcontext{0}{code_kernel_open}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{code_kernel_syscall}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{fault_injection}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{mem_page_arch}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{page_faults}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{mem_arch_proc}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{8664_params_abi_p18}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{write_helper_non_fault}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{code_vfs_read}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{evil_ebpf_p6974}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{8664_params_abi_p1922}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{network_layers}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{tcp_reliable}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{tcp_handshake}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{rop_prog_finder}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{glibc}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{elf}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{plt_got_overlord}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{plt_got_technovelty}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{aslr_pie_intro}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{canary_exploit}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{pie_exploit}{none/global//global/global}
|
||||
\ttl@finishall
|
||||
\gdef \@abspage@last{100}
|
||||
\gdef \@abspage@last{102}
|
||||
|
||||
Reference in New Issue
Block a user