admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-19 00:03:08 +08:00
Code Issues Packages Projects Releases Wiki Activity

Updated document structure, reformatted multiple chapters, updated chapter and section intros. Separated hardening features into two. Other changes suggested at the meeting,

Browse Source
This commit is contained in:
h3xduck
2022-06-11 13:07:10 -04:00
parent 1595caa8d0
commit e5bb65925d
24 changed files with 3650 additions and 3127 deletions
Download Patch File Download Diff File Expand all files Collapse all files

82
docs/document.toc
View File

@@ -15,9 +15,11 @@
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {1.4}Structure of the document}{4}{section.1.4}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {2}State of the art}{5}{chapter.2}%
\contentsline {section}{\numberline {1.5}Code availability}{4}{section.1.5}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {2.1}eBPF history - Classic BPF}{5}{section.2.1}%
\contentsline {chapter}{\numberline {2}Background}{5}{chapter.2}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {2.1}BPF}{5}{section.2.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.1.1}Introduction to the BPF system}{5}{subsection.2.1.1}%
\defcounter {refsection}{0}\relax
@@ -29,7 +31,7 @@
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.1.5}An example of BPF filter with tcpdump}{10}{subsection.2.1.5}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {2.2}Analysis of modern eBPF}{11}{section.2.2}%
\contentsline {section}{\numberline {2.2}Modern eBPF}{11}{section.2.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.2.1}eBPF instruction set}{13}{subsection.2.2.1}%
\defcounter {refsection}{0}\relax
@@ -65,67 +67,77 @@
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.4.3}Libbpf}{24}{subsection.2.4.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {3}Analysis of offensive capabilities}{27}{chapter.3}%
\contentsline {section}{\numberline {2.5}Security features in eBPF}{26}{section.2.5}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {3.1}Security features in eBPF}{27}{section.3.1}%
\contentsline {subsection}{\numberline {2.5.1}Access control}{26}{subsection.2.5.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.1.1}Access control}{28}{subsection.3.1.1}%
\contentsline {section}{\numberline {2.6}Memory management in Linux}{28}{section.2.6}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.1.2}eBPF maps security}{30}{subsection.3.1.2}%
\contentsline {subsection}{\numberline {2.6.1}Memory pages and faults}{28}{subsection.2.6.1}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {3.2}Abusing tracing programs}{30}{section.3.2}%
\contentsline {subsection}{\numberline {2.6.2}Process virtual memory}{30}{subsection.2.6.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.2.1}Access to function arguments}{30}{subsection.3.2.1}%
\contentsline {subsection}{\numberline {2.6.3}The process stack}{32}{subsection.2.6.3}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{33}{subsection.3.2.2}%
\contentsline {section}{\numberline {2.7}Attacks at the stack}{35}{section.2.7}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.2.3}Overriding function return values}{34}{subsection.3.2.3}%
\contentsline {subsection}{\numberline {2.7.1}Buffer overflow}{36}{subsection.2.7.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.2.4}Sending signals to user programs}{35}{subsection.3.2.4}%
\contentsline {subsection}{\numberline {2.7.2}Return oriented programming attacks}{39}{subsection.2.7.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.2.5}Conclusion}{35}{subsection.3.2.5}%
\contentsline {section}{\numberline {2.8}Networking fundamentals in Linux}{41}{section.2.8}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {3.3}Memory corruption}{36}{section.3.3}%
\contentsline {subsection}{\numberline {2.8.1}An overview on the network layer}{41}{subsection.2.8.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.3.1}Memory management in Linux}{36}{subsection.3.3.1}%
\contentsline {subsection}{\numberline {2.8.2}Introduction to the TCP protocol}{43}{subsection.2.8.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.3.2}Process virtual memory}{39}{subsection.3.3.2}%
\contentsline {section}{\numberline {2.9}ELF binaries}{45}{section.2.9}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.3.3}The process stack}{40}{subsection.3.3.3}%
\contentsline {subsection}{\numberline {2.9.1}The ELF format and Lazy Binding}{45}{subsection.2.9.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.3.4}Attacks and limitations of bpf\_probe\_write\_user()}{44}{subsection.3.3.4}%
\contentsline {subsection}{\numberline {2.9.2}Hardening ELF binaries}{49}{subsection.2.9.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.3.5}Conclusion}{47}{subsection.3.3.5}%
\contentsline {chapter}{\numberline {3}Analysis of offensive capabilities}{52}{chapter.3}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {3.4}Abusing networking programs}{47}{section.3.4}%
\contentsline {section}{\numberline {3.1}eBPF maps security}{52}{section.3.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.4.1}An overview on the network layer}{48}{subsection.3.4.1}%
\contentsline {section}{\numberline {3.2}Abusing tracing programs}{53}{section.3.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.4.2}Introduction to the TCP protocol}{49}{subsection.3.4.2}%
\contentsline {subsection}{\numberline {3.2.1}Access to function arguments}{53}{subsection.3.2.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.4.3}Attacks and limitations of networking programs}{51}{subsection.3.4.3}%
\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{56}{subsection.3.2.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.4.4}Conclusion}{54}{subsection.3.4.4}%
\contentsline {subsection}{\numberline {3.2.3}Overriding function return values}{57}{subsection.3.2.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {4}Design of a malicious eBPF rootkit}{55}{chapter.4}%
\contentsline {subsection}{\numberline {3.2.4}Sending signals to user programs}{58}{subsection.3.2.4}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {4.1}Library injection via GOT hijacking}{55}{section.4.1}%
\contentsline {subsection}{\numberline {3.2.5}Conclusion}{58}{subsection.3.2.5}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {4.1.1}Attacks at the stack: buffer overflow}{56}{subsection.4.1.1}%
\contentsline {section}{\numberline {3.3}Memory corruption}{58}{section.3.3}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {4.1.2}Return oriented programming attacks}{60}{subsection.4.1.2}%
\contentsline {subsection}{\numberline {3.3.1}Attacks and limitations of bpf\_probe\_write\_user()}{59}{subsection.3.3.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {4.1.3}ROP with eBPF}{62}{subsection.4.1.3}%
\contentsline {subsection}{\numberline {3.3.2}Conclusion}{61}{subsection.3.3.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {4.1.4}The ELF format and Lazy Binding}{64}{subsection.4.1.4}%
\contentsline {section}{\numberline {3.4}Abusing networking programs}{62}{section.3.4}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {4.1.5}Hardening ELF binaries and possible bypasses}{67}{subsection.4.1.5}%
\contentsline {subsection}{\numberline {3.4.1}Attacks and limitations of networking programs}{62}{subsection.3.4.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {4.1.6}Design of our attack}{70}{subsection.4.1.6}%
\contentsline {subsection}{\numberline {3.4.2}Conclusion}{65}{subsection.3.4.2}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Results}{72}{chapter.5}%
\contentsline {chapter}{\numberline {4}Design of a malicious eBPF rootkit}{66}{chapter.4}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {6}Conclusion and future work}{73}{chapter.6}%
\contentsline {section}{\numberline {4.1}Library injection attacks}{66}{section.4.1}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{74}{chapter.6}%
\contentsline {subsection}{\numberline {4.1.1}ROP with eBPF}{67}{subsection.4.1.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {4.1.2}Bypassing hardening features in ELFs}{69}{subsection.4.1.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {4.1.3}Library injection via GOT hijacking}{71}{subsection.4.1.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Evaluation}{73}{chapter.5}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {6}Related work}{74}{chapter.6}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{75}{chapter.6}%
\contentsfinish