admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-16 23:33:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

Updated some style aspects, updated positions of tables and figures, other changes.

Browse Source
This commit is contained in:
h3xduck
2022-06-11 16:32:00 -04:00
parent e5bb65925d
commit e697dc867d
16 changed files with 1135 additions and 1099 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
docs/bibliography/bibliography.bib
View File

@@ -91,6 +91,15 @@
pages={1}
},
@article{bpf_bsd_origin_bpf_page2,
title={The BSD Packet Filter: A New Architecture for User-level Packet Capture},
author={Steven McCanne, Van Jacobson},
institution={Lawrence Berkeley Laboratory},
date={1992-12-19},
url={https://www.tcpdump.org/papers/bpf-usenix93.pdf},
pages={1}
},
@article{bpf_bsd_origin_bpf_page5,
title={The BSD Packet Filter: A New Architecture for User-level Packet Capture},
author={Steven McCanne, Van Jacobson},

304
docs/chapters/chapter2.tex
View File

@@ -12,13 +12,13 @@ In this section we will detail the origins of eBPF in the Linux kernel. By offer
\subsection{Introduction to the BPF system}
Nowadays eBPF is not officially considered to be an acronym anymore\cite{ebpf_io}, but it remains largely known as "extended Berkeley Packet Filters", given its roots in the Berkeley Packet Filter (BPF) technology, now known as classic BPF.
BPF was introduced in 1992 by Steven McCanne and Van Jacobson in the paper "The BSD Packet Filter: A New Architecture for User-level Packet Capture"\cite{bpf_bsd_origin}, as a new filtering technology for network packets in the BSD platform. It was first integrated in the Linux kernel on version 2.1.75\cite{ebpf_history_opensource}.
BPF was introduced in 1992 by Steven McCanne and Van Jacobson in the paper "The BSD Packet Filter: A New Architecture for User-level Packet Capture"\cite{bpf_bsd_origin}, as a new filtering technology for network packets in the BSD platform. It was first integrated in the Linux kernel on version 2.1.75 \cite{ebpf_history_opensource}.
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=12cm, keepaspectratio=true]{classic_bpf.jpg}
\caption{Sketch of the functionality of classic BPF}
\caption{Functionality of classic BPF. Based on the figure at the original paper \cite{bpf_bsd_origin_bpf_page2}.}
\label{fig:classif_bpf}
\end{figure}
@@ -26,10 +26,10 @@ Figure \ref{fig:classif_bpf} shows how BPF was integrated in the existing networ
\subsection{The BPF virtual machine} \label{subsection:bpf_vm}
In a technical level, BPF comprises both the BPF filter programs developed by the user and the BPF module included in the kernel which allows for loading and running the BPF filters. This BPF module in the kernel works as a virtual machine\cite{bpf_bsd_origin_bpf_page1}, meaning that it parses and interprets the filter program by providing simulated components needed for its execution, turning into a software-based CPU. Because of this reason, it is usually referred as the BPF Virtual Machine (BPF VM). The BPF VM comprises the following components:
In a technical level, BPF comprises both the BPF filter programs developed by the user and the BPF module included in the kernel which allows for loading and running the BPF filters. This BPF module in the kernel works as a virtual machine \cite{bpf_bsd_origin_bpf_page1}, meaning that it parses and interprets the filter program by providing simulated components needed for its execution, turning into a software-based CPU. Because of this reason, it is usually referred as the BPF Virtual Machine (BPF VM). The BPF VM comprises the following components:
\begin{itemize}
\item \textbf{An accumulator register}, used to store intermediate values of operations.
\item \textbf{An index register}, used to modify operand addresses, it is usually incorporated to optimize vector operations\cite{index_register}.
\item \textbf{An index register}, used to modify operand addresses, it is usually incorporated to optimize vector operations \cite{index_register}.
\item \textbf{An scratch memory store}, a temporary storage.
\item \textbf{A program counter}, used to point to the next machine instruction to execute in a filter program.
\end{itemize}
@@ -42,13 +42,6 @@ As we mentioned in section \ref{subsection:bpf_vm}, the components of the BPF VM
\item If it returns \textit{false}, the packet is not accepted by the filter (and thus the network stack will be the next to operate it).
\end{itemize}
\begin{figure}[H]
\centering
\includegraphics[width=8cm]{cbpf_prog.jpg}
\caption{Execution of a BPF filter.}
\label{fig:cbpf_prog}
\end{figure}
Figure \ref{fig:cbpf_prog} shows an example of a BPF filter upon receiving a packet. In the figure, green lines indicate that the condition is true and red lines that it is evaluated as false. Therefore, the execution works as a control flow graph (CFG) which ends on a boolean value\cite{bpf_bsd_origin_bpf_page5}. The figure presents an example BPF program which accepts the following frames:
\begin{itemize}
\item Frames with an IP packet as a payload directed from IP address X.
@@ -57,12 +50,19 @@ Figure \ref{fig:cbpf_prog} shows an example of a BPF filter upon receiving a pac
\item Frames not from the ARP protocol directed from IP address Y to IP address X.
\end{itemize}
\begin{figure}[ht]
\centering
\includegraphics[width=8cm]{cbpf_prog.jpg}
\caption{Execution of a BPF filter.}
\label{fig:cbpf_prog}
\end{figure}
\subsection{BPF bytecode instruction format}
In order to implement the CFG to be run at the BPF VM, BPF filter programs are made up of BPF bytecode, which is defined by a new BPF instruction set. Therefore, a BPF filter program is an array of BPF bytecode instructions\cite{bpf_organicprogrammer_analysis}.
In order to implement the CFG to be run at the BPF VM, BPF filter programs are made up of BPF bytecode, which is defined by a new BPF instruction set. Therefore, a BPF filter program is an array of BPF bytecode instructions \cite{bpf_organicprogrammer_analysis}.
\begin{table}[H]
\begin{table}[htbp]
\begin{tabular}{|c|c|c|c|c|}
\hline
& OPCODE & JT & JF & K\\
@@ -70,11 +70,11 @@ In order to implement the CFG to be run at the BPF VM, BPF filter programs are m
BITS & 16 & 8 & 8 & 32\\
\hline
\end{tabular}
\caption{Table showing BPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.}
\caption{BPF instruction format.}
\label{table:bpf_inst_format}
\end{table}
Table \ref{table:bpf_inst_format} shows the format of a BPF bytecode instruction. As it can be observed, it is a compound of:
Table \ref{table:bpf_inst_format} shows the format of a BPF bytecode instruction. As it can be observed, it is a fixed-length 64 bit instruction composed of:
\begin{itemize}
\item An \textbf{opcode}, similar to assembly opcode, it indicates the operation to be executed.
\item Field \textbf{jt} indicates the offset to the next instruction to jump in case a condition is evaluated as \textit{true}.
@@ -82,14 +82,7 @@ Table \ref{table:bpf_inst_format} shows the format of a BPF bytecode instruction
\item Field \textbf{k} is miscellaneous and its contents vary depending on the instruction opcode.
\end{itemize}
\begin{figure}[H]
\centering
\includegraphics[width=8cm]{bpf_instructions.png}
\caption{Table of supported classic BPF instructions, as shown by McCanne and Jacobson\cite{bpf_bsd_origin_bpf_page7}}
\label{fig:bpf_instructions}
\end{figure}
Figure \ref{fig:bpf_instructions} shows how BPF instructions are defined according to the BPF instruction set. As we mentioned, similarly to assembly, instructions include an opcode which indicates the operation to execute, and the multiple arguments defining the arguments of the operation. The table shows, in order by rows, the following instruction types\cite{bpf_bsd_origin_bpf_page8}:
Figure \ref{fig:bpf_instructions} shows how BPF instructions are defined according to the BPF instruction set. As we mentioned, similarly to assembly, instructions include an opcode which indicates the operation to execute, and the multiple arguments defining the arguments of the operation. The table shows, in order by rows, the following instruction types \cite{bpf_bsd_origin_bpf_page8}:
\begin{itemize}
\item Rows 1-4 are \textbf{load instructions}, copying the addressed value into the index or accumulator register.
\item Rows 4-6 are \textbf{store instructions}, copying the accumulator or index register into the scratch memory store.
@@ -98,33 +91,39 @@ Figure \ref{fig:bpf_instructions} shows how BPF instructions are defined accordi
\item Row 20 is a \textbf{return instruction}, it is positioned in the final end of the CFG, and indicate whether the filter accepts the packet (returning true) or otherwise rejects it (return false).
\end{itemize}
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=8cm]{bpf_address_mode.png}
\caption{Table explaining the column address modes in Figure\ref{fig:bpf_instructions}, as shown by McCanne and Jacobson\cite{bpf_bsd_origin_bpf_page8}}
\label{fig:bpf_address_mode}
\includegraphics[width=8cm]{bpf_instructions.png}
\caption{Supported classic BPF instructions, as shown by McCanne and Jacobson \cite{bpf_bsd_origin_bpf_page7}}
\label{fig:bpf_instructions}
\end{figure}
The column \textit{addr modes} in figure \ref{fig:bpf_instructions} describes how the parameters of a BPF instruction are referenced depending on the opcode. The address modes are detailed in figure \ref{fig:bpf_address_mode}. As it can be observed, paremeters may consist of immediate values, offsets to memory positions or on the packet, the index register or combinations of the previous.
\begin{figure}[htbp]
\centering
\includegraphics[width=8cm]{bpf_address_mode.png}
\caption{BPF address modes, as shown by McCanne and Jacobson \cite{bpf_bsd_origin_bpf_page8}}
\label{fig:bpf_address_mode}
\end{figure}
\subsection{An example of BPF filter with tcpdump}
At the time, by filtering packets before they are handled by the kernel instead of using an user-level application, BPF offered a performance improvement between 10 and 150 times the state-of-the art technologies of the moment\cite{bpf_bsd_origin_bpf_page1}. Since then, multiple popular tools began to use BPF, such as the network tracing tool \textit{tcpdump}\cite{tcpdump_page}.
At the time, by filtering packets before they are handled by the kernel instead of using an user-level application, BPF offered a performance improvement between 10 and 150 times the state-of-the art technologies of the moment \cite{bpf_bsd_origin_bpf_page1}. Since then, multiple popular tools began to use BPF, such as the network tracing tool \textit{tcpdump} \cite{tcpdump_page}.
\textit{tcpdump} is a command-line tool that enables to capture and analyse the network traffic going through the system. It works by setting filters on a network interface, so that it shows the packets that are accepted by the filter. Still today, \textit{tcpdump} uses BPF for the filter implementation. We will now show an example of BPF code used by \textit{tcpdump} to implement a simple filter:
\textit{tcpdump} is a command-line tool that enables to capture and analyse the network traffic going through the system. It works by setting filters on a network interface, so that it shows the packets that are accepted by the filter. Still today, \textit{tcpdump} uses BPF for the filter implementation. Figure \ref{fig:bpf_tcpdump_example} shows an example of BPF code used by \textit{tcpdump} to implement a simple filter.
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=10cm]{tcpdump_example.png}
\caption{BPF bytecode tcpdump needs to set a filter to display packets directed to port 80.}
\label{fig:bpf_tcpdump_example}
\end{figure}
Figure \ref{fig:bpf_tcpdump_example} shows how tcpdump sets a filter to display traffic directed to all interfaces (\textit{-i any}) directed to port 80. Flag \textit{-d} instructs tcpdump to display BPF bytecode.
In figure \ref{fig:bpf_tcpdump_example} we can see how tcpdump sets a filter to display traffic directed to all interfaces (\textit{-i any}) directed to port 80. Flag \textit{-d} instructs tcpdump to display BPF bytecode.
In the example, using the \textit{jf} and \textit{jt} fields, we can label the nodes of the CFG described by the BPF filter. Figure \ref{fig:tcpdump_ex_sol} describes the shortest graph path that a true comparison will need to follow to be accepted by the filter. Note how instruction 010 is checking the value 80, the one our filter is looking for in the port.
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=6cm]{cBPF_prog_ex_sol.png}
\caption{Shortest path in the CFG described in the example of figure \ref{fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit{tcpdump}.}
@@ -136,7 +135,7 @@ This section discusses the current state of eBPF in the Linux kernel. By buildin
The addition of classic BPF in the Linux kernel set the foundations of eBPF, but nowadays it has already extended its presence to many other components other than traffic filtering. Similarly to how BPF filters were included in the networking module of the Linux kernel, we will now study the necessary changes made in the kernel to support these new program types. Table \ref{table:ebpf_history} shows the main updates that were incorporated and shaped modern eBPF of today.
\begin{table}[H]
\begin{table}[htbp]
\begin{tabular}{|c|c|c|}
\hline
Description & Kernel version & Year\\
@@ -155,25 +154,28 @@ Description & Kernel version & Year\\
\hline
\end{tabular}
\caption{Table showing relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite{ebpf_funcs_by_ver}.}
\caption{Relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite{ebpf_funcs_by_ver}.}
\label{table:ebpf_history}
\end{table}
As it can be observed in the table above, the main breakthrough happened in the 3.15 version, where Alexei Starovoitov, along with Daniel Borkmann, decided to expand the capabilities of BPF by remodelling the BPF instruction set and overall architecture\cite{brendan_gregg_bpf_book}.
As it can be observed in the table above, the main breakthrough happened in the 3.15 version, where Alexei Starovoitov, along with Daniel Borkmann, decided to expand the capabilities of BPF by remodelling the BPF instruction set and overall architecture \cite{brendan_gregg_bpf_book}.
Figure \ref{fig:ebpf_architecture} offers an overview of the current eBPF architecture. During the subsequent subsections, we will proceed to explain its components in detail.
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=15cm]{ebpf_arch.jpg}
\caption{Figure showing overall eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on\cite{brendan_gregg_bpf_book} and \cite{ebpf_io_arch}.}
\caption{eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on \cite{brendan_gregg_bpf_book} and \cite{ebpf_io_arch}.}
\label{fig:ebpf_architecture}
\end{figure}
\subsection{eBPF instruction set} \label{subsection:ebpf_inst_set}
The eBPF update included a complete remodel of the instruction set architecture (ISA) of the BPF VM. Therefore, eBPF programs will need to follow the new architecture in order to be interpreted as valid and executed.
\begin{table}[H]
Table \ref{table:ebpf_inst_format} shows the new instruction format for eBPF programs \cite{ebpf_inst_set}. As it can be observed, it is a fixed-length 64 bit instruction. The new fields are similar to x86\_64 assembly, incorporating the typically found immediate and offset fields, and source and destination registers \cite{8664_inst_set_specs}. Similarly, the instruction set is extended to be similar to the one typically found on x86\_64 systems, the complete list can be consulted in the official documentation \cite{ebpf_inst_set}.
%Should I talk about assembly or this more in detail?
\begin{table}[htbp]
\begin{tabular}{|c|c|c|c|c|c|}
\hline
& IMM & OFF & SRC & DST & OPCODE \\
@@ -181,17 +183,13 @@ The eBPF update included a complete remodel of the instruction set architecture
BITS & 32 & 16 & 4 & 4 & 8\\
\hline
\end{tabular}
\caption{Table showing eBPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.}
\caption{eBPF instruction format.}
\label{table:ebpf_inst_format}
\end{table}
Table \ref{table:ebpf_inst_format} shows the new instruction format for eBPF programs\cite{ebpf_inst_set}. The new fields are similar to x86\_64 assembly, incorporating the typically found immediate and offset fields, and source and destination registers\cite{8664_inst_set_specs}. Similarly, the instruction set is extended to be similar to the one typically found on x86\_64 systems, the complete list can be consulted in the official documentation\cite{ebpf_inst_set}.
%Should I talk about assembly or this more in detail?
With respect to the BPF VM registers, they get extended from 32 to 64 bits of length, and the number of registers is incremented to 10, instead of the original accumulator and index registers. These registers are also adapted to be similar to those in assembly, as it is shown in table \ref{table:ebpf_regs}.
\begin{table}[H]
\begin{table}[htbp]
\begin{tabular}{|c|c|m{21em}|}
\hline
eBPF register & x86\_64 register & Purpose\\
@@ -209,16 +207,16 @@ r9 & r15 & Callee saved register, value preserved between calls\\
r10 & rbp & Frame pointer for stack, read only\\
\hline
\end{tabular}
\caption{Table showing eBPF registers and their purpose in the BPF VM.\cite{ebpf_inst_set}\cite{ebpf_starovo_slides}.}
\caption{eBPF registers and their purpose in the BPF VM. \cite{ebpf_inst_set} \cite{ebpf_starovo_slides}.}
\label{table:ebpf_regs}
\end{table}
\subsection{JIT compilation}
We mentioned in subsection \ref{subsection:ebpf_inst_set} that eBPF registers and instructions describe an almost one-to-one correspondence to those in x86 assembly. This is in fact not a coincidence, but rather it is with the purpose of improving a functionality that was included in Linux kernel 3.0, called Just-in-Time (JIT) compilation\cite{ebpf_JIT}\cite{ebpf_JIT_demystify_page13}.
We mentioned in subsection \ref{subsection:ebpf_inst_set} that eBPF registers and instructions describe an almost one-to-one correspondence to those in x86 assembly. This is in fact not a coincidence, but rather it is with the purpose of improving a functionality that was included in Linux kernel 3.0, called Just-in-Time (JIT) compilation \cite{ebpf_JIT} \cite{ebpf_JIT_demystify_page13}.
JIT compiling is an extra step that optimizes the execution speed of eBPF programs. It consists of translating BPF bytecode into machine-specific instructions, so that they run as fast as native code in the kernel. Machine instructions are generated during runtime, written directly into executable memory and executed there\cite{ebpf_JIT_demystify_page14}.
JIT compiling is an extra step that optimizes the execution speed of eBPF programs. It consists of translating BPF bytecode into machine-specific instructions, so that they run as fast as native code in the kernel. Machine instructions are generated during runtime, written directly into executable memory and executed there \cite{ebpf_JIT_demystify_page14}.
Therefore, when using JIT compiling (a setting defined by the variable \textit{bpf\_jit\_enable}\cite{jit_enable_setting}, BPF registers are translated into machine-specific registers following their one-to-one mapping and bytecode instructions are translated into machine-specific instructions\cite{ebpf_starovo_slides_page23}. There no longer exists an interpretation step by the BPF VM, since we can execute the code directly\cite{brendan_gregg_bpf_book_bpf_vm}.
Therefore, when using JIT compiling (a setting defined by the variable \textit{bpf\_jit\_enable} \cite{jit_enable_setting}, BPF registers are translated into machine-specific registers following their one-to-one mapping and bytecode instructions are translated into machine-specific instructions \cite{ebpf_starovo_slides_page23}. There no longer exists an interpretation step by the BPF VM, since we can execute the code directly \cite{brendan_gregg_bpf_book_bpf_vm}.
The programs developed during this project will always have JIT compiling active.
@@ -228,10 +226,10 @@ We introduced in figure \ref{fig:ebpf_architecture} the presence of the so-calle
The verifier performs a series of tests which every eBPF program must pass in order to be accepted. Otherwise, user programs could leak privileged data, result in kernel memory corruption, or hang the kernel in an infinite loop, between others. Therefore, the verifier limits multiple aspects of eBPF programs so that they are restricted to the intended functionality, whilst at the same time offering a reasonable amount of freedom to the developer.
The following are the most relevant checks that the verifier performs in eBPF programs\cite{ebpf_verifier_kerneldocs}\cite{ebpf_JIT_demystify_page17-22}:
The following are the most relevant checks that the verifier performs in eBPF programs \cite{ebpf_verifier_kerneldocs} \cite{ebpf_JIT_demystify_page17-22}:
\begin{itemize}
\item Tests for ensuring overall control flow safety:
\subitem No loops allowed (bounded loops accepted since kernel version 5.3\cite{ebpf_bounded_loops}.
\subitem No loops allowed (bounded loops accepted since kernel version 5.3 \cite{ebpf_bounded_loops}.
\subitem Function call and jumps safety to known, reachable functions.
\subitem Sleep and blocking operations not allowed (to prevent hanging the kernel).
\item Tests for individual instructions:
@@ -247,13 +245,13 @@ These checks are performed by two main algorithms:
\end{itemize}
\subsection{eBPF maps} \label{subsection:ebpf_maps}
An eBPF map is a generic storage for eBPF programs used to share data between user and kernel space, to maintain persistent data between eBPF calls and to share information between multiple eBPF programs\cite{ebpf_maps_kernel}.
An eBPF map is a generic storage for eBPF programs used to share data between user and kernel space, to maintain persistent data between eBPF calls and to share information between multiple eBPF programs \cite{ebpf_maps_kernel}.
A map consists of a key + value tuple. Both fields can have an arbitrary data type, the map only needs to know the length of the key and the value field at its creation\cite{bpf_syscall}. Programs can open maps by specifying their ID, and lookup or delete elements in the map by specifying its key, also insert new ones by supplying the element value and they key to store it with.
A map consists of a key + value tuple. Both fields can have an arbitrary data type, the map only needs to know the length of the key and the value field at its creation \cite{bpf_syscall}. Programs can open maps by specifying their ID, and lookup or delete elements in the map by specifying its key, also insert new ones by supplying the element value and they key to store it with.
Therefore, creating a map requires a struct with the following fields:
Therefore, creating a map requires a struct with the fields shown in table \ref{table:ebpf_map_struct}.
\begin{table}[H]
\begin{table}[htbp]
\begin{tabular}{|c|c|}
\hline
FIELD & VALUE\\
@@ -264,11 +262,13 @@ value\_size & Size of the data structure to use as value field\\
max\_entries & Maximum number of elements in the map\\
\hline
\end{tabular}
\caption{Table showing common fields for creating an eBPF map.}
\caption{Common fields for creating an eBPF map.}
\label{table:ebpf_map_struct}
\end{table}
\begin{table}[H]
Table \ref{table:ebpf_map_types} describes the main types of eBPF maps that are available for use. During the development of our rootkit, we will mainly focus on hash maps (BPF\_MAP\_TYPE\_HASH), provided that they are simple to use and we do not require of any special storage for our research purposes.
\begin{table}[htbp]
\begin{tabular}{|c|>{\centering\arraybackslash}p{10cm}|}
\hline
TYPE & DESCRIPTION\\
@@ -280,12 +280,10 @@ BPF\_MAP\_TYPE\_PROG\_ARRAY & Stores descriptors of eBPF programs\\
\hline
\hline
\end{tabular}
\caption{Table showing types of eBPF maps. Only those used in our rootkit are displayed, the full list can be consulted in the man page \cite{bpf_syscall}}
\caption{Types of eBPF maps. Only those used in our rootkit are displayed, the full list can be consulted in the man page \cite{bpf_syscall}}
\label{table:ebpf_map_types}
\end{table}
Table \ref{table:ebpf_maps} describes the main types of eBPF maps that are available for use. During the development of our rootkit, we will mainly focus on hash maps (BPF\_MAP\_TYPE\_HASH), provided that they are simple to use and we do not require of any special storage for our research purposes.
\subsection{The eBPF ring buffer} \label{subsection:bpf_ring_buf}
eBPF ring buffers are a special kind of eBPF maps, providing a one-way directional communication system, going from an eBPF program in the kernel to an user space program that subscribes to its events.
@@ -294,9 +292,9 @@ eBPF ring buffers are a special kind of eBPF maps, providing a one-way direction
\subsection{The bpf() syscall} \label{subsection:bpf_syscall}
The bpf() syscall is used to issue commands from user space to kernel space in eBPF programs. This syscall is multiplexor, meaning that it can perform a great range of actions, changing its behaviour depending on the parameters.
The main operations that can be issued are described in table \ref{table:bpf_syscall}:
The main operations that can be issued are described in table \ref{table:ebpf_syscall}:
\begin{table}[H]
\begin{table}[htbp]
\begin{tabular}{|c|>{\centering\arraybackslash}p{5cm}|>{\centering\arraybackslash}p{5cm}|}
\hline
COMMAND & ATTRIBUTES & DESCRIPTION\\
@@ -313,13 +311,13 @@ BPF\_MAP\_DELETE\_ELEM & Map ID and struct with key to search in the map & Delet
BPF\_PROG\_LOAD & Struct describing the type of eBPF program to load & Load an eBPF program in the kernel\\
\hline
\end{tabular}
\caption{Table showing types of syscall actions. Only those relevant to our research are shown the full list and attribute details can be consulted in the man page \cite{bpf_syscall}}
\caption{Types of syscall actions. Only those relevant to our research are shown the full list and attribute details can be consulted in the man page \cite{bpf_syscall}}
\label{table:ebpf_syscall}
\end{table}
With respect to the program type indicated with BPF\_PROG\_LOAD, this parameter indicates the type of eBPF program, setting the context in the kernel in which it will run, and to which modules it will have access to. The types of programs relevant for our research are described in table \ref{table:ebpf_prog_types}.
\begin{table}[H]
\begin{table}[htbp]
\begin{tabular}{|c|>{\centering\arraybackslash}p{5cm}|}
\hline
PROGRAM TYPE & DESCRIPTION\\
@@ -336,20 +334,20 @@ BPF\_PROG\_TYPE\_XDP & Program to filter, redirect and monitor network events fr
BPF\_PROG\_TYPE\_SCHED\_CLS & Program to filter, redirect and monitor events using the Traffic Control classifier\\
\hline
\end{tabular}
\caption{Table showing types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite{bpf_syscall}.}
\caption{Types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite{bpf_syscall}.}
\label{table:ebpf_prog_types}
\end{table}
In section \ref{section:TODO}, we will proceed to analyse in detail the different program types and what capabilities` they offer.
\subsection{eBPF helpers} \label{subsection:ebpf_helpers}
Our last component to cover of the eBPF architecture are the eBPF helpers. Since eBPF programs have limited accessibility to kernel functions (which kernel modules commonly have free access to), the eBPF system offers a set of limited functions called helpers\cite{ebpf_helpers}, which are used by eBPF programs to perform certain actions and interact with the context on which they are run. The list of helpers a program can call varies between eBPF program types, since different programs run in different contexts.
Our last component to cover of the eBPF architecture are the eBPF helpers. Since eBPF programs have limited accessibility to kernel functions (which kernel modules commonly have free access to), the eBPF system offers a set of limited functions called helpers \cite{ebpf_helpers}, which are used by eBPF programs to perform certain actions and interact with the context on which they are run. The list of helpers a program can call varies between eBPF program types, since different programs run in different contexts.
It is important to highlight that, just like commands issued via the bpf() syscall can only be issued from the user space, eBPF helpers correspond to the kernel-side of eBPF program exclusively. Note that we will also find a symmetric correspondence to those functions of the bpf() syscall related to map operations (since these are accessible both from user and kernel space).
Table \ref{table:ebpf_helpers} lists the most relevant general-purpose eBPF helpers we will use during the development of our project. We will later detail those helpers exclusive to an specific eBPF program type in the sections on which they are studied.
\begin{table}[H]
\begin{table}[htbp]
\begin{tabular}{|c|>{\centering\arraybackslash}p{10cm}|}
\hline
eBPF helper & DESCRIPTION\\
@@ -380,7 +378,7 @@ bpf\_ringbuf\_submit() & Submit data to an specific eBPF ring buffer, and notify
bpf\_tail\_call() & Jump to another eBPF program preserving the current stack\\
\hline
\end{tabular}
\caption{Table showing common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite{ebpf_helpers}.}
\caption{Common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite{ebpf_helpers}.}
\label{table:ebpf_helpers}
\end{table}
@@ -392,24 +390,24 @@ In the previous subsection \ref{subsection:bpf_syscall} we introduced the new ty
\subsection{XDP} \label{subsection:xdp}
eXpress Data Path (XDP) programs are a novel type of eBPF program that allows for the lowest-latency traffic filtering and monitoring in the whole Linux kernel. In order to load an XDP program, a bpf() syscall with the command BPF\_PROG\_LOAD and the program type BPF\_PROG\_TYPE\_XDP must be issued.
These programs are directly attached to the Network Interface Controller (NIC) driver, and thus they can process the packet before any other module\cite{xdp_gentle_intro}.
These programs are directly attached to the Network Interface Controller (NIC) driver, and thus they can process the packet before any other module \cite{xdp_gentle_intro}.
\begin{figure}[H]
\centering
\includegraphics[width=15cm]{xdp_diag.jpg}
% Either this caption, or change the text afterwards. I still need to know whether to put the long explanation here or on the paragraph, it gets repetitive.
\caption{Figure showing how the eBPF XDP and TC modules are integrated in the network processing in the Linux kernel.}
\label{fig:xdp_diag}
\end{figure}
Figure \ref{fig:xdp_diag} shows how XDP is integrated in the network processing of the Linux kernel. After receiving a raw packet (in the figure, \textit{xdp\_md}, which consists on the raw bytes plus some very basic metadata about the packet) from the incoming traffic, XDP program can perform the following actions\cite{xdp_manual}:
Figure \ref{fig:xdp_diag} shows how XDP is integrated in the network processing of the Linux kernel. After receiving a raw packet (in the figure, \textit{xdp\_md}, which consists on the raw bytes plus some very basic metadata about the packet) from the incoming traffic, XDP program can perform the following actions \cite{xdp_manual}:
\begin{itemize}
\item Analyse the data between the packet buffer bounds.
\item Modify the packet contents, and modify the packet length.
\item Decide between one of the actions displayed in table \ref{table:xdp_actions_av}.
\end{itemize}
\begin{table}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=15cm]{xdp_diag.jpg}
% Either this caption, or change the text afterwards. I still need to know whether to put the long explanation here or on the paragraph, it gets repetitive.
\caption{XDP and TC modules integration in the network processing module of the Linux kernel.}
\label{fig:xdp_diag}
\end{figure}
\begin{table}[htbp]
\begin{tabular}{|c|>{\centering\arraybackslash}p{10cm}|}
\hline
ACTION & DESCRIPTION\\
@@ -422,12 +420,12 @@ XDP\_TX & Return the packet at the same NIC it was received from. Packet modific
XDP\_DROP & Drops the packet completely, kernel networking will not be notified.\\
\hline
\end{tabular}
\caption{Table showing XDP relevant return values.}
\caption{Relevant XDP return values.}
\label{table:xdp_actions_av}
\end{table}
Some of the XDP-exclusive eBPF helpers we will be discussing in later sections are shown in table \ref{table:xdp_helpers}.
\begin{table}[H]
\begin{table}[htbp]
\begin{tabular}{|c|>{\centering\arraybackslash}p{10cm}|}
\hline
eBPF helper & DESCRIPTION\\
@@ -438,7 +436,7 @@ bpf\_xdp\_adjust\_head() & Enlarges or reduces the extension of a packet, by mov
bpf\_xdp\_adjust\_tail() & Enlarges or reduces the extension of a packet, by moving the address of its last byte.\\
\hline
\end{tabular}
\caption{Table showing relevant XDP-exclusive eBPF helpers.}
\caption{Relevant XDP-exclusive eBPF helpers.}
\label{table:xdp_helpers}
\end{table}
@@ -446,11 +444,11 @@ bpf\_xdp\_adjust\_tail() & Enlarges or reduces the extension of a packet, by mov
\subsection{Traffic Control} \label{subsection:tc}
Traffic Control (TC) programs are also indicated for networking instrumentation. Similarly to XDP, their module is positioned before entering the overall network processing of the kernel. However, as it can be observed in figure \ref{fig:xdp_diag}, they differ in some aspects:
\begin{itemize}
\item TC programs receive a network buffer with metadata (in the figure, \textit{sk\_buff}) about the packet in it. This renders TC programs less ideal than XDP for performing large packet modifications (like new headers), but at the same time the additional metadata fields make it easier to locate and modify specific packet fields\cite{tc_differences}.
\item TC programs receive a network buffer with metadata (in the figure, \textit{sk\_buff}) about the packet in it. This renders TC programs less ideal than XDP for performing large packet modifications (like new headers), but at the same time the additional metadata fields make it easier to locate and modify specific packet fields \cite{tc_differences}.
\item TC programs can be attached to the \textit{ingress} or \textit{egress} points, meaning that an eBPF program can operate not only over incoming traffic, but also over the outgoing packets.
\end{itemize}
With respect to how TC programs operate, the Traffic Control system in Linux is greatly complex and would require a complete section by itself. In fact, it was already a complete system before the appearance of eBPF. Full documentation can be found at \cite{tc_docs_complete}. For this document, we will explain the overall process needed to load a TC program\cite{tc_direct_action}:
With respect to how TC programs operate, the Traffic Control system in Linux is greatly complex and would require a complete section by itself. In fact, it was already a complete system before the appearance of eBPF. Full documentation can be found at \cite{tc_docs_complete}. For this document, we will explain the overall process needed to load a TC program \cite{tc_direct_action}:
\begin{enumerate}
\item The TC program defines a so-called queuing discipline (qdisc), a packet scheduler that issues packets in a First-In-First-Out (FIFO) order as soon as they are received. This qdisc will be attached to an specific network interface (e.g.: wlan0).
\item Our TC eBPF program is attached to the qdisc. It will work as a filter, being run for every of the packets dispatched by the qdisc.
@@ -458,7 +456,7 @@ With respect to how TC programs operate, the Traffic Control system in Linux is
Similarly to XDP, the TC eBPF programs can decide an action to be executed on a packet by specifying a return value. These actions are almost analogous to the ones in XDP, as it can be observed in table \ref{table:tc_actions}.
\begin{table}[H]
\begin{table}[htbp]
\begin{tabular}{|c|>{\centering\arraybackslash}p{10cm}|}
\hline
ACTION & DESCRIPTION\\
@@ -471,12 +469,12 @@ TC\_ACT\_RECLASSIFY & Return the packet to the back of the qdisc scheduling queu
TC\_ACT\_SHOT & Drops the packet completely, kernel networking will not be notified.\\
\hline
\end{tabular}
\caption{Table showing TC relevant return values. Full list can be consulted at \cite{tc_ret_list_complete}.}
\caption{Relevant TC return values. Full list can be consulted at \cite{tc_ret_list_complete}.}
\label{table:tc_actions}
\end{table}
Finally, as in XDP, there exists a list of useful BPF helpers that will be relevant for the creation of our rootkit. They are shown in table \ref{table:tc_helpers}.
\begin{table}[H]
\begin{table}[htbp]
\begin{tabular}{|c|>{\centering\arraybackslash}p{10cm}|}
\hline
eBPF helper & DESCRIPTION\\
@@ -496,14 +494,14 @@ bpf\_skb\_change\_tail() & Enlarges or reduces the extension of a packet, by mov
\hline
\hline
\end{tabular}
\caption{Table showing relevant TC-exclusive eBPF helpers.}
\caption{Relevant TC-exclusive eBPF helpers.}
\label{table:tc_helpers}
\end{table}
%TODO This section might benefit from some diagrams, maybe. It was a bit to extense already, so skipping it from now
\subsection{Tracepoints} \label{subsection:tracepoints}
Tracepoints are a technology in the Linux kernel that allows to hook functions in the kernel, connecting a 'probe': a function that is executed every time the hooked function is called\cite{tp_kernel}. These tracepoints are set statically during kernel development, meaning that for a function to be hooked, it needs to have been previously marked with a tracepoint statement indicating its traceability. At the same time, this limits the number of tracepoints available.
Tracepoints are a technology in the Linux kernel that allows to hook functions in the kernel, connecting a 'probe': a function that is executed every time the hooked function is called \cite{tp_kernel}. These tracepoints are set statically during kernel development, meaning that for a function to be hooked, it needs to have been previously marked with a tracepoint statement indicating its traceability. At the same time, this limits the number of tracepoints available.
The list of tracepoint events available depends on the kernel version and can be visited under the directory \textit{/sys/kernel/debug/tracing/events}.
@@ -514,9 +512,9 @@ Also, note that the probe functions that are called when hitting a tracepoint re
In eBPF, a program can issue a bpf() syscall with the command BPF\_PROG\_LOAD and the program type BPF\_PROG\_TYPE\_TRACEPOINT, specifying which is the function with the tracepoint to attach to and an arbitrary function probe to call when it is hit. This function probe is defined by the user in the eBPF program submitted to the kernel.
\subsection{Kprobes}
Kprobes are another tracing technology of the Linux kernel whose functionality has been become available to eBPF programs. Similarly to tracepoints, kprobes enable to hook functions in the kernel, with the only difference that it is dynamically attached to any arbitrary function, rather than to a set of predefined positions\cite{kprobe_manual}. It does not require that kernel developers specifically mark a function to be probed, but rather kprobes can be attached to any instruction, with a short list of blacklisted exceptions.
Kprobes are another tracing technology of the Linux kernel whose functionality has been become available to eBPF programs. Similarly to tracepoints, kprobes enable to hook functions in the kernel, with the only difference that it is dynamically attached to any arbitrary function, rather than to a set of predefined positions \cite{kprobe_manual}. It does not require that kernel developers specifically mark a function to be probed, but rather kprobes can be attached to any instruction, with a short list of blacklisted exceptions.
As it happened with tracepoints, the probe functions have access to the parameters of the original hooked function. Also, the kernel maintains a list of kernel symbols (addresses) which are relevant for tracing and that offer us insight into which functions we can probe. It can be visited under the file \textit{/proc/kallsyms}, which exports symbols of kernel functions and loaded kernel modules\cite{kallsyms_kernel}.
As it happened with tracepoints, the probe functions have access to the parameters of the original hooked function. Also, the kernel maintains a list of kernel symbols (addresses) which are relevant for tracing and that offer us insight into which functions we can probe. It can be visited under the file \textit{/proc/kallsyms}, which exports symbols of kernel functions and loaded kernel modules \cite{kallsyms_kernel}.
Also similarly, since tracepoints could be found in their \textit{enter} and \textit{exit} variations, kprobes have their counterpart, name kretprobes, which call the hooked probe once a return instruction is reached after the hooked symbol. This means that a kretprobe hooked to a kernel function will call the probe function once it exits.
@@ -543,7 +541,7 @@ In section \ref{section:modern_ebpf}, we discussed the overall architecture of t
Nowadays, there exist multiple popular alternatives for writing and running eBPF programs. We will overview which they are and proceed to analyse in further detail the option that we will use for the development of our rootkit.
\subsection{BCC}
BPF Compiler Collection (BCC) is one of the first and well-known toolkits for eBPF programming available\cite{bcc_github}. It allows to include eBPF code into user programs. These programs are developed in python, and the eBPF code is embedded as a plain string. An example of a BCC program is included in %TODO ANNEX???
BPF Compiler Collection (BCC) is one of the first and well-known toolkits for eBPF programming available \cite{bcc_github}. It allows to include eBPF code into user programs. These programs are developed in python, and the eBPF code is embedded as a plain string. An example of a BCC program is included in %TODO ANNEX???
Although BCC offers a wide range of tools to easy the development of eBPF programs, we found it not to be the most appropriate for our large-scale eBPF project. This was in particular due to the feature of eBPF programs being stored as a python string, which leads to difficult scalability, poor development experience given that programming errors are detected at runtime (once the python program issues the compilation of the string), and simply better features from competing libraries.
@@ -560,17 +558,17 @@ bpftool is not a development framework like BCC, but one of the most relevant to
Although we will not be covering bpftool during our overview on the constructed eBPF rootkit, it was used extensively during the development and became a key tool for debugging eBPF programs, particularly to peek data at eBPF maps during runtime.
\subsection{Libbpf}
libbpf\cite{libbpf_github} is a library for loading and interacting with eBPF programs, which is currently maintained in the Linux kernel source tree\cite{libbpf_upstream}. It is one of the most popular frameworks to develop eBPF applications, both because it makes eBPF programming similar to common kernel development and because it aims at reducing kernel-version dependencies, thus increasing programs portability between systems\cite{libbpf_core}. During our research, however, we will not make use of this functionalities given that a portable program is not in our research goals.
libbpf \cite{libbpf_github} is a library for loading and interacting with eBPF programs, which is currently maintained in the Linux kernel source tree \cite{libbpf_upstream}. It is one of the most popular frameworks to develop eBPF applications, both because it makes eBPF programming similar to common kernel development and because it aims at reducing kernel-version dependencies, thus increasing programs portability between systems \cite{libbpf_core}. During our research, however, we will not make use of this functionalities given that a portable program is not in our research goals.
As we discussed in section \ref{section:modern_ebpf}, eBPF programs are composed of both the eBPF code in the kernel and a user space program that can interact with it. With libbpf, the eBPF kernel program is developed in C (a real program, not a string later compiled as with BCC), while user programs are usually developed in C, Rust or GO. For our project, we will use the C version of libbpf, so both the user and kernel side of our rootkit will be developed in this language.
% Cites in the following paragraph?
When using libbpf with the C language, both the user-side and kernel eBPF program are compiled together using the Clang/LLVM compiler, translating C instructions into eBPF bytecode. As a clarification, Clang is the front-end of the compiler, translating C instructions into an intermediate form understandable by LLVM, whilst LLVM is the back-end compiling the intermediate code into eBPF bytecode. As it can be observed in figure \ref{fig:libbpf}, the result of the compilation is a single program, comprising the user-side which will launch a user process, the eBPF bytecode to be run in the kernel, and other structures libbpf generates about eBPF maps and other meta data. This program is encapsulated as an ELF file (a common executable format).
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=12cm, keepaspectratio=true]{libbpf_prog.jpg}
\caption{Sketch of the compilation and loading process of a program developed with libbpf.}
\caption{Compilation and loading process of a program developed with libbpf.}
\label{fig:libbpf}
\end{figure}
@@ -578,7 +576,7 @@ Finally, we will overview one of the main functionalities of libbpf to simplify
Table \ref{table:libbpf_skel} describes the API offered by the BPF skeleton. Note that <name> is subtituted by the name of the program being compiled.
\begin{table}[H]
\begin{table}[htbp]
\begin{tabular}{|c|>{\centering\arraybackslash}p{10cm}|}
\hline
Function name & Description\\
@@ -593,7 +591,7 @@ Function name & Description\\
<name>\_\_destroy() & Detach and unload the eBPF programs from the kernel.\\
\hline
\end{tabular}
\caption{Table showing BPF skeleton functions.}
\caption{BPF skeleton functions.}
\label{table:libbpf_skel}
\end{table}
@@ -604,7 +602,7 @@ Note that the BPF skeleton also offers further granularity at the time of dealin
\section{Security features in eBPF}
As we have shown in section \ref{section:modern_ebpf}, eBPF has been an active part of the Linux kernel from its 3.18 version. However, as with many other components of the kernel, its availability to the user depends on the parameters with which the kernel has been compiled. Specifically, eBPF is only available to kernels compiled with the flags specified in table \ref{table:ebpf_kernel_flags}.
\begin{table}[H]
\begin{table}[htbp]
\begin{tabular}{|c|c|>{\centering\arraybackslash}p{8cm}|}
\hline
Flag & Value & Description\\
@@ -637,20 +635,20 @@ CONFIG\_XDP\_SOCKETS & y & Enable XDP\\
\label{table:ebpf_kernel_flags}
\end{table}
The above table is based on BCC's documentation\ref{table:ebpf_kernel_flags}, but the full list of eBPF-related flags can be extracted in a live system via bpftool, as detailed in Annex \ref{annex:bpftool_flags_kernel}. Nowadays, all mainstream Linux distributions include kernels with full support for eBPF.
Table \ref{table:ebpf_kernel_flags} is based on BCC's documentation, but the full list of eBPF-related flags can be extracted in a live system via bpftool, as detailed in Annex \ref{annex:bpftool_flags_kernel}. Nowadays, all mainstream Linux distributions include kernels with full support for eBPF.
\subsection{Access control}
It must be noted that, similarly to kernel modules, loading an eBPF program requires privileged access in the system. In old kernel versions, this means either an user having full root permissions, or having the Linux capability\cite{ubuntu_caps} CAP\_SYS\_ADMIN. Therefore, there existed two main options:
\subsection{Access control} \label{subsection:access_control}
It must be noted that, similarly to kernel modules, loading an eBPF program requires privileged access in the system. In old kernel versions, this means either an user having full root permissions, or having the Linux capability \cite{ubuntu_caps} CAP\_SYS\_ADMIN. Therefore, there existed two main options:
%TODO some words about capabilities
\begin{itemize}
\item \textbf{Privileged users} can load any kind of eBPF program and use any functionality.
\item \textbf{Unprivileged users} can only load and attach eBPF programs of type BPF\_PROG\_TYPE\_SOCKET\_FILTER\cite{evil_ebpf_p9}, offering the very limited functionality of filtering packets received on a socket.
\item \textbf{Unprivileged users} can only load and attach eBPF programs of type BPF\_PROG\_TYPE\_SOCKET\_FILTER \cite{evil_ebpf_p9}, offering the very limited functionality of filtering packets received on a socket.
\end{itemize}
More recently, in an effort to further granulate the permissions needed for loading, attaching and running eBPF programs, CAP\_SYS\_ADMIN has been substituted by more specific capabilities\cite{ebpf_caps_intro}\cite{ebpf_caps_lwn}. The current system is therefore described in table \ref{table:ebpf_caps_current}.
More recently, in an effort to further granulate the permissions needed for loading, attaching and running eBPF programs, CAP\_SYS\_ADMIN has been substituted by more specific capabilities \cite{ebpf_caps_intro} \cite{ebpf_caps_lwn}. The current system is therefore described in table \ref{table:ebpf_caps_current}.
\begin{table}[H]
\begin{table}[htbp]
\begin{tabular}{|>{\centering\arraybackslash}p{4cm}|>{\centering\arraybackslash}p{10cm}|}
\hline
Capabilities & eBPF functionality\\
@@ -673,11 +671,11 @@ CAP\_SYS\_ADMIN & Privileged eBPF. Includes iterating over eBPF maps, and CAP\_B
Therefore, eBPF network programs usually require both CAP\_BPF and CAP\_NET\_ADMIN, whilst tracing programs require CAP\_BPF and CAP\_PERFMON. CAP\_SYS\_ADMIN still remains as the (non-preferred) capability to assign to eBPF programs with complete access in the system.
Although for a long time there have existed efforts towards enhancing unprivileged eBPF, it remains a worrying feature\cite{unprivileged_ebpf}. The main issue is that the verifier must be prepared to detect any attempt to extract kernel memory access or user memory modification by unprivileged eBPF programs, which is a complex task. In fact, there have existed numerous security vulnerabilities which allow for privilege escalation using eBPF, that is, execution of privileged eBPF programs by exploiting vulnerabilities in unprivileged eBPF\cite{cve_unpriv_ebpf}.
Although for a long time there have existed efforts towards enhancing unprivileged eBPF, it remains a worrying feature \cite{unprivileged_ebpf}. The main issue is that the verifier must be prepared to detect any attempt to extract kernel memory access or user memory modification by unprivileged eBPF programs, which is a complex task. In fact, there have existed numerous security vulnerabilities which allow for privilege escalation using eBPF, that is, execution of privileged eBPF programs by exploiting vulnerabilities in unprivileged eBPF \cite{cve_unpriv_ebpf}.
This influx of security vulnerabilities leads to the recent inclusion of an attribute into the kernel which allows for setting whether unprivileged eBPF is allowed in the system or not. This parameter is named \textit{kernel.unprivileged\_bpf\_disabled}, its values can be seen in table \ref{table:unpriv_ebpf_values}.
\begin{table}[H]
\begin{table}[htbp]
\begin{tabular}{|>{\centering\arraybackslash}p{4cm}|>{\centering\arraybackslash}p{10cm}|}
\hline
Value & Meaning\\
@@ -694,7 +692,7 @@ Value & Meaning\\
\label{table:unpriv_ebpf_values}
\end{table}
Nowadays, most Linux distributions have set value 1 to this parameter, therefore disallowing unprivileged eBPF completely. These include Ubuntu\cite{unpriv_ebpf_ubuntu}, Suse Linux\cite{unpriv_ebpf_suse} or Red Hat Linux\cite{unpriv_ebpf_redhat}, between others.
Nowadays, most Linux distributions have set value 1 to this parameter, therefore disallowing unprivileged eBPF completely. These include Ubuntu \cite{unpriv_ebpf_ubuntu}, Suse Linux \cite{unpriv_ebpf_suse} or Red Hat Linux \cite{unpriv_ebpf_redhat}, between others.
@@ -704,19 +702,19 @@ Multiple of the techniques incorporated in our rootkit require a deep understand
\subsection{Memory pages and faults}
Linux systems divide the available random access memory (RAM) into 'pages', subsections of an specific length, usually 4 KB. The collection of all pages is called physical memory.
Likewise, individual memory sections need to be assigned to each running process in the system, but instead of assigning a set of pages from physical memory, a new address space is defined, named virtual memory, which is divided into pages as well. These virtual memory pages are related to physical memory pages via a page table, so that each virtual memory address of a process can be translated into a real, physical memory address in RAM\cite{mem_page_arch}. Figure \ref{fig:mem_arch_pages} shows a diagram of the described architecture.
Likewise, individual memory sections need to be assigned to each running process in the system, but instead of assigning a set of pages from physical memory, a new address space is defined, named virtual memory, which is divided into pages as well. These virtual memory pages are related to physical memory pages via a page table, so that each virtual memory address of a process can be translated into a real, physical memory address in RAM \cite{mem_page_arch}. Figure \ref{fig:mem_arch_pages} shows a diagram of the described architecture.
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=13cm]{mem_arch_pages.jpg}
\caption{Memory translation of virtual pages to physical pages.}
\label{fig:mem_arch_pages}
\end{figure}
As we can observe in the figure, each virtual page is related to one physical page. However, RAM needs to maintain multiple processes and data simultaneously, and therefore sometimes the operating system (OS) will remove them from physical memory when it believes they are no longer being used. This leads to the occurrence of two type of memory events\cite{page_faults}:
As we can observe in the figure, each virtual page is related to one physical page. However, RAM needs to maintain multiple processes and data simultaneously, and therefore sometimes the operating system (OS) will remove them from physical memory when it believes they are no longer being used. This leads to the occurrence of two type of memory events \cite{page_faults}:
\begin{itemize}
\item \textbf{Major page faults} occur when a process tries to access a virtual page, but the related physical page has been removed from RAM. In this case, the OS will need to request a secondary storage (such as a hard disk) for the data removed, and allocate a new physical page for the virtual page. Figure \ref{fig:mem_major_page_fault} illustrates a major page fault.
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=11cm]{mem_major_page_fault.jpg}
\caption{Major page fault after a page was removed from RAM.}
@@ -724,7 +722,7 @@ As we can observe in the figure, each virtual page is related to one physical pa
\end{figure}
\item \textbf{Minor page faults} occur when a process tries to access a virtual page, and although the related physical page exists, the connection in the page table has not been completed. A common event when these fault happen is on fork() calls, since with the purpose of making the call more efficient, the page table of the parent is not always completely copied into the child, leading into multiple minor page faults once the child tries to access the data on them. Figure \ref{fig:mem_minor_page_fault} illustrates a minor page fault after a fork.
\end{itemize}
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=11cm]{mem_minor_page_fault.jpg}
\caption{Minor page fault after a fork() in which the page table was not copied completely.}
@@ -734,14 +732,13 @@ As we can observe in the figure, each virtual page is related to one physical pa
\subsection{Process virtual memory}
In the previous subsection we have studied that each process disposes of a virtual address space. We will now describe how this virtual memory is organized in a Linux system.
\begin{figure}[H]
Figure \ref{fig:mem_proc_arch} describes how virtual memory is distributed within a process in the x86\_64 architecture. As we can observe, it is partitioned into multiple sections:
\begin{figure}[htbp]
\centering
\includegraphics[width=6cm]{memory.jpg}
\caption{Virtual memory architecture of a process\cite{mem_arch_proc}.}
\caption{Virtual memory architecture of a process \cite{mem_arch_proc}.}
\label{fig:mem_proc_arch}
\end{figure}
Figure \ref{fig:mem_proc_arch} describes how virtual memory is distributed within a process in the x86\_64 architecture. As we can observe, it is partitioned into multiple sections:
\begin{itemize}
\item Lower and upper memory addresses are reserved for the kernel.
\item A section where shared libraries code is stored.
@@ -758,14 +755,14 @@ Between all the sections we identified in a process virtual memory, the stack wi
Firstly, we will present how the stack is structured, and which operations can be executed on it. Figure \ref{fig:stack_pres} presents a stack during the execution of a program. Table \ref{table:systemv_abi_other} explains the purpose of the most relevant registers related to the stack and program execution:
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=14cm]{stack_pres.jpg}
\caption{Simplified stack representation showing only stack frames.}
\label{fig:stack_pres}
\end{figure}
\begin{table}[H]
\begin{table}[htbp]
\begin{tabular}{|>{\centering\arraybackslash}p{2cm}|>{\centering\arraybackslash}p{10cm}|}
\hline
Register & Purpose\\
@@ -786,13 +783,13 @@ As it can be observed in figure \ref{fig:stack_pres}, the stack grows towards lo
As table \ref{table:systemv_abi_other} explains, the rbp and rsp registers are used for keeping track of the starting and final position of the current stack frame respectively. We can see in figure \ref{fig:stack_pres} that their value is a memory address pointing to their stack positions. On the other hand, the rip register does not point to the stack, but rather to the .text section (see figure \ref{fig:mem_proc_arch}), where it points to the next instruction to be executed. However, as we will now see, its value must also be stored in the stack frame when a nested function is called, since after the nested function exits we need to restore the execution in the same instruction of the original function.
As with any LIFO structure, the stack supports two main operations: \textit{push} and \textit{pop}. In the x86\_64 architecture, it operates with chunks of data of either 16, 32 or 64 bytes.
As with any LIFO structure, the stack supports two main operations: \textit{push} and \textit{pop}. In the x86\_64 architecture, it operates with chunks of data of either 16, 32 or 64 bytes. Table \ref{fig:stack_ops} shows a representation of these operations in the stack.
\begin{itemize}
\item A \textbf{push} operation writes data in the free memory pointed by register rsp. It then moves the value of rsp to point to the new end of the stack.
\item A \textbf{pop} operation moves the value of rsp by 16, 32 or 64 bytes, and reads the data previously saved in that position.
\end{itemize}
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=10cm]{stack_ops.jpg}
\caption{Representation of push and pop operations in the stack.}
@@ -800,17 +797,16 @@ As with any LIFO structure, the stack supports two main operations: \textit{push
\end{figure}
As we mentioned, the stack stores function parameters, return addresses and local variables inside a stack frame. We will now study how the processor uses the stack in order to call, execute, and exit a function. To illustrate this process, we will simulate the execution of function \lstinline{func(char* a, char* b, char* c)} \lstinline{}. Figures \ref{fig:stack_before} and \ref{fig:stack} show a representation of the stack during these operations.
As we mentioned, the stack stores function parameters, return addresses and local variables inside a stack frame. We will now study how the processor uses the stack in order to call, execute, and exit a function. To illustrate this process, we will simulate the execution of function \lstinline{func(char* a, char* b, char* c)} \lstinline{}:
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=14cm]{stack_before.jpg}
\caption{Stack representation right before starting the function call process.}
\label{fig:stack_before}
\end{figure}
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=14cm]{stack.jpg}
\caption{Stack representation right after the function preamble.}
@@ -818,14 +814,14 @@ As we mentioned, the stack stores function parameters, return addresses and loca
\end{figure}
\begin{enumerate}
\item The function arguments are pushed into the stack. We can see them in the stack in reverse order.
\item The function arguments are pushed into the stack. We can see them in the stack of figure \ref{fig:stack} in reverse order.
\item The function is called:
\begin{enumerate}
\item The value of register rip is pushed into the stack, so that it is saved for when the function exists. We can see it on the figure as 'ret'.
\item The value of register rip is pushed into the stack, so that it is saved for when the function exists. We can see it on figure \ref{fig:stack} as 'ret'.
\item The value of rip changes to point to the first instruction of the called function.
\item We execute what is called as the \textit{function preamble}\cite{8664_params_abi_p18}, which prepares the stack frame for the called function:
\item We execute what is called as the \textit{function preamble} \cite{8664_params_abi_p18}, which prepares the stack frame for the called function:
\begin{enumerate}
\item The value of rbp is pushed into the stack, so that we can restore the previous stack frame when the function exits. We can see it on the figure as the 'saved frame pointer'.
\item The value of rbp is pushed into the stack, so that we can restore the previous stack frame when the function exits. We can see it on figure \ref{fig:stack} as the 'saved frame pointer'.
\item The value of rsp is moved into rbp. Therefore, now rbp points to the end of the previous stack frame.
\item The value of rsp is usually decremented (since the stack needs to go to lower memory addresses) so that we allocate some space for function variables.
\end{enumerate}
@@ -849,8 +845,8 @@ In section \ref{subsection:stack}, we studied how the stack works and which is t
\item The original value of the rbp register (sfp), to restore the frame pointer of the original stack frame.
\end{itemize}
Although this process is simple enough, it opens the possibility for an attacker to easily hijack the flow of execution if it can modify the value of ret, as it is shown in figure \ref{fig:stack_ret_hij_simple}:
\begin{figure}[H]
Although this process is simple enough, it opens the possibility for an attacker to easily hijack the flow of execution if it can modify the value of ret, as it is shown in figure \ref{fig:stack_ret_hij_simple}.
\begin{figure}[htbp]
\centering
\includegraphics[width=15cm]{stack_ret_hij_simple.jpg}
\caption{Execution hijack overwriting saved rip value.}
@@ -878,7 +874,7 @@ int main(int argc, char *argv[]){
During the execution of the above program, since the char array \textit{buffer} is a buffer of length 12 stored in the stack, then if the value of \textit{bar} is larger than 12 bytes it will overflow the allocated space in the stack. This is usually the case of using unsafe functions for processing user input such as strcpy(), which does not check whether the array fits in the buffer. Figure \ref{fig:buffer_overflow} shows how the overflow happens in the stack.
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=15cm]{buffer_overflow.jpg}
\caption{Stack buffer overflow overwriting ret value.}
@@ -889,7 +885,7 @@ As we can observe in the figure, the new data written into the buffer has also o
Usually, an attacker exploiting a program vulnerable to stack buffer overflow is interested in running arbitrary (malicious) code. For this, the attacker follows the process shown in figure \ref{fig:buffer_overflow_shellcode}:
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=15cm]{buffer_overflow_shellcode.jpg}
\caption{Executing arbitrary code exploiting a buffer overflow vulnerability.}
@@ -917,7 +913,7 @@ Return Oriented Programming (ROP) is an exploitation technique that takes advant
ROP tackles this challenge by designing a method of reconstructing malicious code from parts of already-existing code, as in a 'collage'. Assembly instructions are selected from multiple places, so that, when put together and executed sequentially, they recreate the shellcode which the attacker wants to execute. These pieces of code are called ROP gadgets, and consist of a set of arbitrary instructions followed by a final \textit{ret} instruction, which triggers the function exit and pops the value of ret. These gadgets may belong to any code in the process memory, usually selected between the code of the shared libraries (see figure \ref{fig:stack}) to which the process is linked.
Finding ROP gadgets and writing ROP-compatible payloads manually is hard, thus multiple programs exist that automatically scan the system libraries and construct provide the gadgets given the shellcode to execute\cite{rop_prog_finder}.
Finding ROP gadgets and writing ROP-compatible payloads manually is hard, thus multiple programs exist that automatically scan the system libraries and construct provide the gadgets given the shellcode to execute \cite{rop_prog_finder}.
However, we will now illustrate how ROP works with an example. Suppose that an attacker has discovered a buffer overflow vulnerability, but the stack is marked as not executable. The attacker wants to execute the assembly code shown in snippet \ref{code:rop_ex}:
@@ -928,7 +924,7 @@ mov rax, [rsp]
After finding the address of the ROP gadgets manually or using an automated tool, the attacker takes advantage of a buffer overflow (or, in our case, a direct write using eBPF's bpf\_probe\_write\_user()) to overwrite the vale of ret with the address of the first ROP gadget, and also additional data in the stack. Figure \ref{fig:rop_compund} shows how we can execute the original program using ROP:
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=16cm]{ROPcompound.jpg}
\caption{Steps for executing code sample using ROP.}
@@ -953,14 +949,14 @@ This section presents an overview on the most relevant aspects of the network sy
\subsection{An overview on the network layer}
Firstly, we will describe the data structure we will be dealing with in networking programs. This will be Ethernet frames containing TCP/IP packets. Figure \ref{fig:frame} shows the frame in its completeness:
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=14cm]{frame.jpg}
\caption{Ethernet frame with TCP/IP packet.}
\label{fig:frame}
\end{figure}
As we can observe, we can distinguish five different network layers in the frame. This division is made according to the OSI model\cite{network_layers}:
As we can observe, we can distinguish five different network layers in the frame. This division is made according to the OSI model \cite{network_layers}:
\begin{itemize}
\item Layer 1 corresponds to the physical layer, and it is processed by the NIC hardware, even before it reaches the XDP module (see figure \ref{fig:xdp_diag}). Therefore, this layer is discarded and completely invisible to the kernel. Note that it does not only include a header, but also a trailer (a Frame Check Sequence, a redundancy check included to check frame integrity).
\item Layer 2 is the data layer, it is in charge of transporting the frame via physical media, in our case an Ethernet connection. Most relevant fields are the MAC destination and source, used for performing physical addressing.
@@ -973,7 +969,7 @@ As we can observe, we can distinguish five different network layers in the frame
\subsection{Introduction to the TCP protocol} \label{subsection:tcp}
We will now focus our view on the transport layer, specifically on the TCP protocol, since it will be a major concern at the time of designing the network capabilities of our rootkit.
Firstly, since TCP aims to offer a reliable and ordered packet transmission\cite{tcp_reliable}, it includes sequence numbers (see table \ref{fig:frame}) which mark the order in which they are transmitted. However, since the physical medium may corrupt or lose packets during the transmission, TCP must incorporate mechanisms for ensuring the order and delivery of all packets:
Firstly, since TCP aims to offer a reliable and ordered packet transmission \cite{tcp_reliable}, it includes sequence numbers (see table \ref{fig:frame}) which mark the order in which they are transmitted. However, since the physical medium may corrupt or lose packets during the transmission, TCP must incorporate mechanisms for ensuring the order and delivery of all packets:
\begin{itemize}
\item Mechanism for opening and establishing a reliable connection between two parties.
\item Mechanism for ensuring that packets are retransmitted in case of an error during the connection.
@@ -981,7 +977,7 @@ Firstly, since TCP aims to offer a reliable and ordered packet transmission\cite
With respect to the establishment of a reliable connection, this is achieved via a 3-way handshake, in which certain TCP flags will be set in a series of interchanged packets (see in figure \ref{fig:frame} the field TCP flags). Most relevant TCP flags are described in table \ref{table:tcp_flags}.
\begin{table}[H]
\begin{table}[htbp]
\begin{tabular}{|>{\centering\arraybackslash}p{4cm}|>{\centering\arraybackslash}p{10cm}|}
\hline
Flag & Purpose\\
@@ -1000,8 +996,8 @@ RST & Abruptly terminates the connection, usually sent when a host receives an u
\label{table:tcp_flags}
\end{table}
Taking the above into account, figure \ref{fig:tcp_conn} shows a depiction of the 3-way handshake\cite{tcp_handshake}:
\begin{figure}[H]
Taking the above into account, figure \ref{fig:tcp_conn} shows a depiction of the 3-way handshake \cite{tcp_handshake}:
\begin{figure}[htbp]
\centering
\includegraphics[width=12cm]{tcp_conn.jpg}
\caption{TCP 3-way handshake.}
@@ -1017,7 +1013,7 @@ With respect to maintaining the integrity of the connection once it starts, TCP
\item The sender receives the ACK packet and stops the timer. If, for any reason, the ACK packet is not received before the timer ends, then the same packet is retransmitted.
\end{enumerate}
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=12cm]{tcp_retransmission.jpg}
\caption{TCP packet retransmission on timeout.}
@@ -1025,14 +1021,14 @@ With respect to maintaining the integrity of the connection once it starts, TCP
\end{figure}
\section{ELF binaries} \label{section:elf}
This section details the Executable and Linkable Format (ELF)\cite{elf}, the format in which we find executable files (between other file types) in Linux systems. We will perform an analysis from a security standpoint, that is, mainly oriented to describe the most relevant sections and the permissions incorporated into them. We will also focus on several of these sections which will be relevant for designing our attack.
This section details the Executable and Linkable Format (ELF) \cite{elf}, the format in which we find executable files (between other file types) in Linux systems. We will perform an analysis from a security standpoint, that is, mainly oriented to describe the most relevant sections and the permissions incorporated into them. We will also focus on several of these sections which will be relevant for designing our attack.
After that, we will overview the security hardening techniques that have been historically incorporated into Linux to mitigate possible exploitation techniques when running ELF executables (such as the stack buffer overflow we explained in section \ref{subsection: buf_overflow}). During the design of our rootkit, we will attempt to bypass these techniques using multiple workarounds.
\subsection{The ELF format and Lazy Binding} \label{subsection:elf_lazy_binding}
Linux supports multiple tools that enable a deep inspection of ELF binaries and its sections. Table \ref{table:elf_tools} shows the main tools we will use during this analysis:
\begin{table}[H]
\begin{table}[htbp]
\begin{tabular}{|>{\centering\arraybackslash}p{3cm}|>{\centering\arraybackslash}p{10cm}|}
\hline
Tool & Purposes\\
@@ -1055,7 +1051,7 @@ Firstly, we will analyse the main sections we can find in an ELF executable. We
The commands used and complete list of headers can be found in Annex \ref{annexsec:readelf_sec_headers}. The most relevant sections are described in table \ref{table:elf_sec_headers}:
\begin{table}[H]
\begin{table}[htbp]
\begin{tabular}{|>{\centering\arraybackslash}p{1cm}|>{\centering\arraybackslash}p{9cm}|>{\centering\arraybackslash}p{2cm}|}
\hline
Tool & Purpose & Permissions\\
@@ -1084,11 +1080,11 @@ Tool & Purpose & Permissions\\
As it can be observed in table \ref{table:elf_sec_headers}, we can find that all sections have the Alloc flag, meaning they will be loaded into process memory during runtime (see table \ref{TODO}, they have not been shown in previous diagrams for simpleness).
Apart from those we have already discussed previously, we can find the GOT and PLT sections, whose purpose is to support Position Independent Code (PIC), that is, instructions whose address in virtual memory is not hardcoded by the compiler into the executable, but rather they are not known until resolved at runtime. This is usually the case of shared libraries, which can be loaded into virtual memory starting at any address\cite{plt_got_overlord}.
Apart from those we have already discussed previously, we can find the GOT and PLT sections, whose purpose is to support Position Independent Code (PIC), that is, instructions whose address in virtual memory is not hardcoded by the compiler into the executable, but rather they are not known until resolved at runtime. This is usually the case of shared libraries, which can be loaded into virtual memory starting at any address \cite{plt_got_overlord}.
Therefore, in order to call a function of a shared library, the dynamic linker follows a process called 'Lazy binding'\cite{plt_got_technovelty}:
Therefore, in order to call a function of a shared library, the dynamic linker follows a process called 'Lazy binding' \cite{plt_got_technovelty}:
\begin{enumerate}
\item From the .text section, instead of calling a direct absolute address as usual, a PLT stub (in the .plt section) is called. Snippet \ref{code:lazy_bind_1} shows a call to the function timerfd\_settime, implemented by the shared library glibc and thus using a PLT:
\item From the .text section, instead of calling a direct absolute address as usual, a PLT stub (in the .plt section) is called. Snippet \ref{code:lazy_bind_1} shows a call to the function timerfd\_settime, implemented by the shared library glibc and thus using a PLT.
\begin{lstlisting}[language=C, caption={Call to PLT stub seen from objdump.}, label={code:lazy_bind_1}]
$ objdump -d simple_timer
4014cb: b9 00 00 00 00 mov $0x0,%ecx
@@ -1099,14 +1095,14 @@ $ objdump -d simple_timer
\item In the PLT stub, the flow of execution jumps to an address which is stored in the GOT section, which is the absolute address of the function at glibc. This address must be written there by the dynamic linker but, according to lazy binding, the first time to call this function the linker has not calculated that address yet.
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=15.5cm]{sch_gdb_plt.png}
\caption{PLT stub for timerfd\_settime, seen from gdb-peda.}
\label{fig:lazy_bind_2}
\end{figure}
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=15.5cm]{sch_gdb_got_prev.png}
\caption{Inspecting address stored in GOT section before dynamic linking, seen from gdb-peda.}
@@ -1115,14 +1111,14 @@ $ objdump -d simple_timer
\item As we can see in figures \ref{fig:lazy_bind_2} and \ref{fig:lazy_bind_3}, the PLT stub calls address 0x4010a0, which leads to a dynamic linking routine, which proceeds to write the address into the GOT section and jump back to the start of the PLT stub. This time, the memory address at GOT to which the PLT jumps is already loaded with the address to the function at the shared library, as shown by figure \ref{fig:lazy_bind_4}.
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=15.5cm]{sch_gdb_got_after.png}
\caption{Inspecting address stored in GOT section after dynamic linking, seen from gdb-peda.}
\label{fig:lazy_bind_4}
\end{figure}
\begin{figure}[H]
\begin{figure}[htbp]
\centering
\includegraphics[width=15.5cm]{sch_glibc_func.png}
\caption{Glibc function to which PLT jumps using address stored at GOT, seen from gdb-peda.}
@@ -1140,7 +1136,7 @@ During section \ref{section:attacks_stack}, we presented multiple of the classic
Table \ref{table:compilers} shows the compilers that we will be considering during this study. We will be exclusively looking at those security features that are included by default.
\begin{table}[H]
\begin{table}[htbp]
\begin{tabular}{|>{\centering\arraybackslash}p{5cm}|>{\centering\arraybackslash}p{8cm}|}
\hline
Compiler & Security features by default\\
@@ -1166,7 +1162,7 @@ Data Execution Prevention, also known as No Execute, is the option of marking th
The creation of advanced techniques like ROP is one reaction to this mitigation, that circumvents this protection.
\textbf{ASLR}\\
Address Space Layout Randomization is a technique that randomizes the position of memory sections in a process virtual memory, including the heap, stack and libraries, so that an attacker cannot rely on known addresses during exploitation (e.g: libraries are loaded at a different memory address each time the program is run, so ROP gadgets change their position)\cite{aslr_pie_intro}.
Address Space Layout Randomization is a technique that randomizes the position of memory sections in a process virtual memory, including the heap, stack and libraries, so that an attacker cannot rely on known addresses during exploitation (e.g: libraries are loaded at a different memory address each time the program is run, so ROP gadgets change their position) \cite{aslr_pie_intro}.
In the context of a stack buffer overflow attack, the memory position of the stack is random, and therefore even if shellcode is injected into the stack by an attacker, the address at which it resides cannot be written into the saved value of rip in order to hijack the flow of execution.
@@ -1179,7 +1175,7 @@ Relocation Read-Only is a hardening technique that mitigates the possibility of
Two settings for RELRO are the most widespread, either Partial RELRO (which only marks sections of the .got section not related to the PLT as read-only, leaving .got.plt writeable) or Full RELRO (which marks the .got section as read-only completely). Binaries with only Partial RELRO are still non-secure, as the address at which the PLT section jumps can still be overwriten (including from eBPF, as we will explain) \cite{relro_redhat}.
\textbf{Intel CET}\\
Intel Control-flow Enforcement Technology is a hardening feature fully incorporated in Windows 10 systems \cite{cet_windows} and a work in progress in Linux\cite{cet_linux}. Its purpose is to defeat ROP attacks and other derivates (e.g: Jump-oriented programming, JOP), by adding a strict kernel-supported control of the return addresses and strong restrictions over jump and call instructions.
Intel Control-flow Enforcement Technology is a hardening feature fully incorporated in Windows 10 systems \cite{cet_windows} and a work in progress in Linux \cite{cet_linux}. Its purpose is to defeat ROP attacks and other derivates (e.g: Jump-oriented programming, JOP), by adding a strict kernel-supported control of the return addresses and strong restrictions over jump and call instructions.
In Linux, the kernel will support a hidden 'shadow stack' that will save the return addresses for each call. This prevents modifying the saved value of rip in the stack, since the kernel would realise that the flow of execution has been modified. We can also find that modern compilers (such as GCC 10.3.0) already generate Intel CET-related instructions such as \textit{endbr64}, whose purpose is to be placed at the start of functions, marking that as the only address to which an indirect jump can land (otherwise, jumps will be rejected if not landing at \textit{endbr64}).

15
docs/chapters/chapter3.tex
View File

@@ -9,14 +9,10 @@ Therefore, given the previous background, this chapter is dedicated to an analys
\end{itemize}
%TODO if this is finally not included, change the intro
Finally, we will study in detail some of the malicious applications that previous researchers have proposed to take advantage of these capabilities of eBPF. In the next chapter, we will proceed to elaborate on these ideas, find new purposes and design our own rootkit.
\section{eBPF maps security}
In table \ref{table:ebpf_caps_current}, we observed that only programs with CAP\_SYS\_ADMIN are allowed to iterate over eBPF maps. The reason why this is restricted to privileged programs is because it is functionality that is a potential security vulnerability, which we will now proceed to analyse.
In section \ref{subsection:access_control}, we explained that only programs with CAP\_SYS\_ADMIN are allowed to iterate over eBPF maps. The reason why this is restricted to privileged programs is because it is functionality that is a potential security vulnerability, which we will now proceed to analyse.
In subsection \ref{subsection:ebpf_maps} we mentioned that eBPF maps are opened by specifying an ID (which works similarly to the typical file descriptors), while in table \ref{table:ebpf_map_types} we showed that, for performing operations over eBPF maps using the bpf() syscall, the map ID must be specified too.
Also, in section \ref{subsection:ebpf_maps}, we mentioned that eBPF maps are opened by specifying an ID (which works similarly to the typical file descriptors), while in table \ref{table:ebpf_map_types} we showed that, for performing operations over eBPF maps using the bpf() syscall, the map ID must be specified too.
Map IDs are known by a program after creating the eBPF map, however, a program can also explore all the available maps in the system by using the BPF\_MAP\_GET\_NEXT\_ID operation in the bpf() syscall, which allows for iterating through a complete hidden list of all the maps created. This means that privileged programs can find and have read and write access to any eBPF map used by any program in the system.
@@ -33,7 +29,6 @@ eBPF tracing programs (kprobes, uprobes and tracepoints) are hooked to specific
\subsection{Access to function arguments}
As we saw in section \ref{section:ebpf_prog_types}, tracing programs receive as a parameter those arguments with which the hooked function originally was called. These parameters are read-only and thus, in principle, they cannot be modified inside the tracing program (we will show this is not entirely true in section \ref{section:mem_corruption}). The next code snippets show the format in which parameters are received when using libbpf (Note that libbpf also includes some macros that offer an alternative format, but the parameters are the same).
\begin{lstlisting}[language=C, caption={Probe function for a kprobe on the kernel function vfs\_write.}, label={code:format_kprobe}]
SEC("kprobe/vfs_write")
int kprobe_vfs_write(struct pt_regs* ctx){
@@ -266,7 +261,7 @@ Then, if we attach a kprobe to vfs\_read, we would be able to modify the value o
\end{enumerate}
\end{itemize}
Figure \ref{fig:stack_scan_write_tech} illustrates a high-level overview of the stack scanning technique previously described:
Figure \ref{fig:stack_scan_write_tech} illustrates a high-level overview of the stack scanning technique previously described.
%TODO i just noticed I included SFP outside the current stack frame, correct it here and everywhere
\begin{figure}[H]
\centering
@@ -275,7 +270,7 @@ Figure \ref{fig:stack_scan_write_tech} illustrates a high-level overview of the
\label{fig:stack_scan_write_tech}
\end{figure}
The above figure shows process memory executing a program similar to the following:
The figure shows process memory executing a program similar to the following:
\begin{lstlisting}[language=C, caption={Sample program being executed on figure \ref{fig:stack_scan_write_tech}.}, label={code:stack_scan_write_tech}]
void func(char* a, char* b, char* c){
int fd = open("FILE", 0);
@@ -370,4 +365,4 @@ Ultimately, the capabilities discussed in this section unlock complete freedom f
\item A \textbf{backdoor}, a stealthy program which listens on the network interface and waits for secret instructions from a remote attacker-controlled client program. This backdoor can have \textbf{Command and Control (C2)} capabilities, meaning that it can process commands sent by the attacker and received at the backdoor, executing a series of actions corresponding to the request received, and (when needed) answering the attacker with the result of the command.
\end{itemize}
%TODO maybe a conclusion for this section?
%TODO maybe a conclusion for this chapter?

419
docs/document.aux
View File

@@ -61,6 +61,8 @@
\abx@aux@segm{0}{0}{bpf_bsd_origin}
\abx@aux@cite{ebpf_history_opensource}
\abx@aux@segm{0}{0}{ebpf_history_opensource}
\abx@aux@cite{bpf_bsd_origin_bpf_page2}
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page2}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {2}Background}{5}{chapter.2}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
@@ -70,57 +72,55 @@
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page1}
\abx@aux@cite{index_register}
\abx@aux@segm{0}{0}{index_register}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.1}{\ignorespaces Sketch of the functionality of classic BPF\relax }}{6}{figure.caption.7}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.1}{\ignorespaces Functionality of classic BPF. Based on the figure at the original paper \cite {bpf_bsd_origin_bpf_page2}.\relax }}{6}{figure.caption.7}\protected@file@percent }
\providecommand*\caption@xref[2]{\@setref\relax\@undefined{#1}}
\newlabel{fig:classif_bpf}{{2.1}{6}{Sketch of the functionality of classic BPF\relax }{figure.caption.7}{}}
\newlabel{fig:classif_bpf}{{2.1}{6}{Functionality of classic BPF. Based on the figure at the original paper \cite {bpf_bsd_origin_bpf_page2}.\relax }{figure.caption.7}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.2}The BPF virtual machine}{6}{subsection.2.1.2}\protected@file@percent }
\newlabel{subsection:bpf_vm}{{2.1.2}{6}{The BPF virtual machine}{subsection.2.1.2}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.3}Analysis of a BPF filter program}{6}{subsection.2.1.3}\protected@file@percent }
\newlabel{subsection:analysis_bpf_filter_prog}{{2.1.3}{6}{Analysis of a BPF filter program}{subsection.2.1.3}{}}
\abx@aux@cite{bpf_bsd_origin_bpf_page5}
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page5}
\abx@aux@cite{bpf_organicprogrammer_analysis}
\abx@aux@segm{0}{0}{bpf_organicprogrammer_analysis}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.3}Analysis of a BPF filter program}{7}{subsection.2.1.3}\protected@file@percent }
\newlabel{subsection:analysis_bpf_filter_prog}{{2.1.3}{7}{Analysis of a BPF filter program}{subsection.2.1.3}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.2}{\ignorespaces Execution of a BPF filter.\relax }}{7}{figure.caption.8}\protected@file@percent }
\newlabel{fig:cbpf_prog}{{2.2}{7}{Execution of a BPF filter.\relax }{figure.caption.8}{}}
\abx@aux@cite{bpf_bsd_origin_bpf_page7}
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page7}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.4}BPF bytecode instruction format}{7}{subsection.2.1.4}\protected@file@percent }
\abx@aux@cite{bpf_bsd_origin_bpf_page8}
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page8}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.4}BPF bytecode instruction format}{8}{subsection.2.1.4}\protected@file@percent }
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.1}{\ignorespaces Table showing BPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{8}{table.caption.9}\protected@file@percent }
\newlabel{table:bpf_inst_format}{{2.1}{8}{Table showing BPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }{table.caption.9}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.3}{\ignorespaces Table of supported classic BPF instructions, as shown by McCanne and Jacobson\cite {bpf_bsd_origin_bpf_page7}\relax }}{8}{figure.caption.10}\protected@file@percent }
\newlabel{fig:bpf_instructions}{{2.3}{8}{Table of supported classic BPF instructions, as shown by McCanne and Jacobson\cite {bpf_bsd_origin_bpf_page7}\relax }{figure.caption.10}{}}
\abx@aux@cite{bpf_bsd_origin_bpf_page7}
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page7}
\abx@aux@cite{bpf_bsd_origin_bpf_page8}
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page8}
\abx@aux@cite{bpf_bsd_origin_bpf_page1}
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page1}
\abx@aux@cite{tcpdump_page}
\abx@aux@segm{0}{0}{tcpdump_page}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.4}{\ignorespaces Table explaining the column address modes in Figure\ref {fig:bpf_instructions}, as shown by McCanne and Jacobson\cite {bpf_bsd_origin_bpf_page8}\relax }}{9}{figure.caption.11}\protected@file@percent }
\newlabel{fig:bpf_address_mode}{{2.4}{9}{Table explaining the column address modes in Figure\ref {fig:bpf_instructions}, as shown by McCanne and Jacobson\cite {bpf_bsd_origin_bpf_page8}\relax }{figure.caption.11}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.5}An example of BPF filter with tcpdump}{10}{subsection.2.1.5}\protected@file@percent }
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.1}{\ignorespaces BPF instruction format.\relax }}{8}{table.caption.9}\protected@file@percent }
\newlabel{table:bpf_inst_format}{{2.1}{8}{BPF instruction format.\relax }{table.caption.9}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.5}An example of BPF filter with tcpdump}{8}{subsection.2.1.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.3}{\ignorespaces Supported classic BPF instructions, as shown by McCanne and Jacobson \cite {bpf_bsd_origin_bpf_page7}\relax }}{9}{figure.caption.10}\protected@file@percent }
\newlabel{fig:bpf_instructions}{{2.3}{9}{Supported classic BPF instructions, as shown by McCanne and Jacobson \cite {bpf_bsd_origin_bpf_page7}\relax }{figure.caption.10}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.4}{\ignorespaces BPF address modes, as shown by McCanne and Jacobson \cite {bpf_bsd_origin_bpf_page8}\relax }}{9}{figure.caption.11}\protected@file@percent }
\newlabel{fig:bpf_address_mode}{{2.4}{9}{BPF address modes, as shown by McCanne and Jacobson \cite {bpf_bsd_origin_bpf_page8}\relax }{figure.caption.11}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.5}{\ignorespaces BPF bytecode tcpdump needs to set a filter to display packets directed to port 80.\relax }}{10}{figure.caption.12}\protected@file@percent }
\newlabel{fig:bpf_tcpdump_example}{{2.5}{10}{BPF bytecode tcpdump needs to set a filter to display packets directed to port 80.\relax }{figure.caption.12}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.2}Modern eBPF}{10}{section.2.2}\protected@file@percent }
\newlabel{section:modern_ebpf}{{2.2}{10}{Modern eBPF}{section.2.2}{}}
\abx@aux@cite{ebpf_funcs_by_ver}
\abx@aux@segm{0}{0}{ebpf_funcs_by_ver}
\abx@aux@cite{ebpf_funcs_by_ver}
\abx@aux@segm{0}{0}{ebpf_funcs_by_ver}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.6}{\ignorespaces Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }}{11}{figure.caption.13}\protected@file@percent }
\newlabel{fig:tcpdump_ex_sol}{{2.6}{11}{Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }{figure.caption.13}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.2}Modern eBPF}{11}{section.2.2}\protected@file@percent }
\newlabel{section:modern_ebpf}{{2.2}{11}{Modern eBPF}{section.2.2}{}}
\abx@aux@cite{brendan_gregg_bpf_book}
\abx@aux@segm{0}{0}{brendan_gregg_bpf_book}
\abx@aux@cite{brendan_gregg_bpf_book}
\abx@aux@segm{0}{0}{brendan_gregg_bpf_book}
\abx@aux@cite{ebpf_io_arch}
\abx@aux@segm{0}{0}{ebpf_io_arch}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.2}{\ignorespaces Table showing relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }}{12}{table.caption.14}\protected@file@percent }
\newlabel{table:ebpf_history}{{2.2}{12}{Table showing relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }{table.caption.14}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.7}{\ignorespaces Figure showing overall eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on\cite {brendan_gregg_bpf_book} and \cite {ebpf_io_arch}.\relax }}{12}{figure.caption.15}\protected@file@percent }
\newlabel{fig:ebpf_architecture}{{2.7}{12}{Figure showing overall eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on\cite {brendan_gregg_bpf_book} and \cite {ebpf_io_arch}.\relax }{figure.caption.15}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.6}{\ignorespaces Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }}{11}{figure.caption.13}\protected@file@percent }
\newlabel{fig:tcpdump_ex_sol}{{2.6}{11}{Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }{figure.caption.13}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.2}{\ignorespaces Relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }}{11}{table.caption.14}\protected@file@percent }
\newlabel{table:ebpf_history}{{2.2}{11}{Relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }{table.caption.14}{}}
\abx@aux@cite{ebpf_inst_set}
\abx@aux@segm{0}{0}{ebpf_inst_set}
\abx@aux@cite{8664_inst_set_specs}
@@ -139,13 +139,12 @@
\abx@aux@segm{0}{0}{ebpf_JIT}
\abx@aux@cite{ebpf_JIT_demystify_page13}
\abx@aux@segm{0}{0}{ebpf_JIT_demystify_page13}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.1}eBPF instruction set}{13}{subsection.2.2.1}\protected@file@percent }
\newlabel{subsection:ebpf_inst_set}{{2.2.1}{13}{eBPF instruction set}{subsection.2.2.1}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.3}{\ignorespaces Table showing eBPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{13}{table.caption.16}\protected@file@percent }
\newlabel{table:ebpf_inst_format}{{2.3}{13}{Table showing eBPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }{table.caption.16}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.4}{\ignorespaces Table showing eBPF registers and their purpose in the BPF VM.\cite {ebpf_inst_set}\cite {ebpf_starovo_slides}.\relax }}{13}{table.caption.17}\protected@file@percent }
\newlabel{table:ebpf_regs}{{2.4}{13}{Table showing eBPF registers and their purpose in the BPF VM.\cite {ebpf_inst_set}\cite {ebpf_starovo_slides}.\relax }{table.caption.17}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.2}JIT compilation}{13}{subsection.2.2.2}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.7}{\ignorespaces eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on \cite {brendan_gregg_bpf_book} and \cite {ebpf_io_arch}.\relax }}{12}{figure.caption.15}\protected@file@percent }
\newlabel{fig:ebpf_architecture}{{2.7}{12}{eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on \cite {brendan_gregg_bpf_book} and \cite {ebpf_io_arch}.\relax }{figure.caption.15}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.1}eBPF instruction set}{12}{subsection.2.2.1}\protected@file@percent }
\newlabel{subsection:ebpf_inst_set}{{2.2.1}{12}{eBPF instruction set}{subsection.2.2.1}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.3}{\ignorespaces eBPF instruction format.\relax }}{12}{table.caption.16}\protected@file@percent }
\newlabel{table:ebpf_inst_format}{{2.3}{12}{eBPF instruction format.\relax }{table.caption.16}{}}
\abx@aux@cite{ebpf_JIT_demystify_page14}
\abx@aux@segm{0}{0}{ebpf_JIT_demystify_page14}
\abx@aux@cite{jit_enable_setting}
@@ -154,14 +153,17 @@
\abx@aux@segm{0}{0}{ebpf_starovo_slides_page23}
\abx@aux@cite{brendan_gregg_bpf_book_bpf_vm}
\abx@aux@segm{0}{0}{brendan_gregg_bpf_book_bpf_vm}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.4}{\ignorespaces eBPF registers and their purpose in the BPF VM. \cite {ebpf_inst_set} \cite {ebpf_starovo_slides}.\relax }}{13}{table.caption.17}\protected@file@percent }
\newlabel{table:ebpf_regs}{{2.4}{13}{eBPF registers and their purpose in the BPF VM. \cite {ebpf_inst_set} \cite {ebpf_starovo_slides}.\relax }{table.caption.17}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.2}JIT compilation}{13}{subsection.2.2.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.3}The eBPF verifier}{13}{subsection.2.2.3}\protected@file@percent }
\newlabel{subsection:ebpf_verifier}{{2.2.3}{13}{The eBPF verifier}{subsection.2.2.3}{}}
\abx@aux@cite{ebpf_verifier_kerneldocs}
\abx@aux@segm{0}{0}{ebpf_verifier_kerneldocs}
\abx@aux@cite{ebpf_JIT_demystify_page17-22}
\abx@aux@segm{0}{0}{ebpf_JIT_demystify_page17-22}
\abx@aux@cite{ebpf_bounded_loops}
\abx@aux@segm{0}{0}{ebpf_bounded_loops}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.3}The eBPF verifier}{14}{subsection.2.2.3}\protected@file@percent }
\newlabel{subsection:ebpf_verifier}{{2.2.3}{14}{The eBPF verifier}{subsection.2.2.3}{}}
\abx@aux@cite{ebpf_maps_kernel}
\abx@aux@segm{0}{0}{ebpf_maps_kernel}
\abx@aux@cite{bpf_syscall}
@@ -170,12 +172,8 @@
\abx@aux@segm{0}{0}{bpf_syscall}
\abx@aux@cite{bpf_syscall}
\abx@aux@segm{0}{0}{bpf_syscall}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.4}eBPF maps}{15}{subsection.2.2.4}\protected@file@percent }
\newlabel{subsection:ebpf_maps}{{2.2.4}{15}{eBPF maps}{subsection.2.2.4}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.5}{\ignorespaces Table showing common fields for creating an eBPF map.\relax }}{15}{table.caption.18}\protected@file@percent }
\newlabel{table:ebpf_map_struct}{{2.5}{15}{Table showing common fields for creating an eBPF map.\relax }{table.caption.18}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.6}{\ignorespaces Table showing types of eBPF maps. Only those used in our rootkit are displayed, the full list can be consulted in the man page \cite {bpf_syscall}\relax }}{15}{table.caption.19}\protected@file@percent }
\newlabel{table:ebpf_map_types}{{2.6}{15}{Table showing types of eBPF maps. Only those used in our rootkit are displayed, the full list can be consulted in the man page \cite {bpf_syscall}\relax }{table.caption.19}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.4}eBPF maps}{14}{subsection.2.2.4}\protected@file@percent }
\newlabel{subsection:ebpf_maps}{{2.2.4}{14}{eBPF maps}{subsection.2.2.4}{}}
\abx@aux@cite{bpf_syscall}
\abx@aux@segm{0}{0}{bpf_syscall}
\abx@aux@cite{bpf_syscall}
@@ -184,38 +182,46 @@
\abx@aux@segm{0}{0}{bpf_syscall}
\abx@aux@cite{bpf_syscall}
\abx@aux@segm{0}{0}{bpf_syscall}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.5}The eBPF ring buffer}{16}{subsection.2.2.5}\protected@file@percent }
\newlabel{subsection:bpf_ring_buf}{{2.2.5}{16}{The eBPF ring buffer}{subsection.2.2.5}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.6}The bpf() syscall}{16}{subsection.2.2.6}\protected@file@percent }
\newlabel{subsection:bpf_syscall}{{2.2.6}{16}{The bpf() syscall}{subsection.2.2.6}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.7}{\ignorespaces Table showing types of syscall actions. Only those relevant to our research are shown the full list and attribute details can be consulted in the man page \cite {bpf_syscall}\relax }}{16}{table.caption.20}\protected@file@percent }
\newlabel{table:ebpf_syscall}{{2.7}{16}{Table showing types of syscall actions. Only those relevant to our research are shown the full list and attribute details can be consulted in the man page \cite {bpf_syscall}\relax }{table.caption.20}{}}
\abx@aux@cite{ebpf_helpers}
\abx@aux@segm{0}{0}{ebpf_helpers}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.5}{\ignorespaces Common fields for creating an eBPF map.\relax }}{15}{table.caption.18}\protected@file@percent }
\newlabel{table:ebpf_map_struct}{{2.5}{15}{Common fields for creating an eBPF map.\relax }{table.caption.18}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.6}{\ignorespaces Types of eBPF maps. Only those used in our rootkit are displayed, the full list can be consulted in the man page \cite {bpf_syscall}\relax }}{15}{table.caption.19}\protected@file@percent }
\newlabel{table:ebpf_map_types}{{2.6}{15}{Types of eBPF maps. Only those used in our rootkit are displayed, the full list can be consulted in the man page \cite {bpf_syscall}\relax }{table.caption.19}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.5}The eBPF ring buffer}{15}{subsection.2.2.5}\protected@file@percent }
\newlabel{subsection:bpf_ring_buf}{{2.2.5}{15}{The eBPF ring buffer}{subsection.2.2.5}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.6}The bpf() syscall}{15}{subsection.2.2.6}\protected@file@percent }
\newlabel{subsection:bpf_syscall}{{2.2.6}{15}{The bpf() syscall}{subsection.2.2.6}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.7}eBPF helpers}{15}{subsection.2.2.7}\protected@file@percent }
\newlabel{subsection:ebpf_helpers}{{2.2.7}{15}{eBPF helpers}{subsection.2.2.7}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.7}{\ignorespaces Types of syscall actions. Only those relevant to our research are shown the full list and attribute details can be consulted in the man page \cite {bpf_syscall}\relax }}{16}{table.caption.20}\protected@file@percent }
\newlabel{table:ebpf_syscall}{{2.7}{16}{Types of syscall actions. Only those relevant to our research are shown the full list and attribute details can be consulted in the man page \cite {bpf_syscall}\relax }{table.caption.20}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.8}{\ignorespaces Types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite {bpf_syscall}.\relax }}{16}{table.caption.21}\protected@file@percent }
\newlabel{table:ebpf_prog_types}{{2.8}{16}{Types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite {bpf_syscall}.\relax }{table.caption.21}{}}
\abx@aux@cite{ebpf_helpers}
\abx@aux@segm{0}{0}{ebpf_helpers}
\abx@aux@cite{ebpf_helpers}
\abx@aux@segm{0}{0}{ebpf_helpers}
\abx@aux@cite{ebpf_helpers}
\abx@aux@segm{0}{0}{ebpf_helpers}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.8}{\ignorespaces Table showing types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite {bpf_syscall}.\relax }}{17}{table.caption.21}\protected@file@percent }
\newlabel{table:ebpf_prog_types}{{2.8}{17}{Table showing types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite {bpf_syscall}.\relax }{table.caption.21}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.7}eBPF helpers}{17}{subsection.2.2.7}\protected@file@percent }
\newlabel{subsection:ebpf_helpers}{{2.2.7}{17}{eBPF helpers}{subsection.2.2.7}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.9}{\ignorespaces Common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite {ebpf_helpers}.\relax }}{17}{table.caption.22}\protected@file@percent }
\newlabel{table:ebpf_helpers}{{2.9}{17}{Common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite {ebpf_helpers}.\relax }{table.caption.22}{}}
\abx@aux@cite{xdp_gentle_intro}
\abx@aux@segm{0}{0}{xdp_gentle_intro}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.9}{\ignorespaces Table showing common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite {ebpf_helpers}.\relax }}{18}{table.caption.22}\protected@file@percent }
\newlabel{table:ebpf_helpers}{{2.9}{18}{Table showing common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite {ebpf_helpers}.\relax }{table.caption.22}{}}
\abx@aux@cite{xdp_manual}
\abx@aux@segm{0}{0}{xdp_manual}
\abx@aux@cite{tc_differences}
\abx@aux@segm{0}{0}{tc_differences}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.3}eBPF program types}{18}{section.2.3}\protected@file@percent }
\newlabel{section:ebpf_prog_types}{{2.3}{18}{eBPF program types}{section.2.3}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.1}XDP}{18}{subsection.2.3.1}\protected@file@percent }
\newlabel{subsection:xdp}{{2.3.1}{18}{XDP}{subsection.2.3.1}{}}
\abx@aux@cite{xdp_manual}
\abx@aux@segm{0}{0}{xdp_manual}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.8}{\ignorespaces Figure showing how the eBPF XDP and TC modules are integrated in the network processing in the Linux kernel.\relax }}{19}{figure.caption.23}\protected@file@percent }
\newlabel{fig:xdp_diag}{{2.8}{19}{Figure showing how the eBPF XDP and TC modules are integrated in the network processing in the Linux kernel.\relax }{figure.caption.23}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.10}{\ignorespaces Table showing XDP relevant return values.\relax }}{19}{table.caption.24}\protected@file@percent }
\newlabel{table:xdp_actions_av}{{2.10}{19}{Table showing XDP relevant return values.\relax }{table.caption.24}{}}
\abx@aux@cite{tc_differences}
\abx@aux@segm{0}{0}{tc_differences}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.10}{\ignorespaces Relevant XDP return values.\relax }}{18}{table.caption.24}\protected@file@percent }
\newlabel{table:xdp_actions_av}{{2.10}{18}{Relevant XDP return values.\relax }{table.caption.24}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.2}Traffic Control}{18}{subsection.2.3.2}\protected@file@percent }
\newlabel{subsection:tc}{{2.3.2}{18}{Traffic Control}{subsection.2.3.2}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.8}{\ignorespaces XDP and TC modules integration in the network processing module of the Linux kernel.\relax }}{19}{figure.caption.23}\protected@file@percent }
\newlabel{fig:xdp_diag}{{2.8}{19}{XDP and TC modules integration in the network processing module of the Linux kernel.\relax }{figure.caption.23}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.11}{\ignorespaces Relevant XDP-exclusive eBPF helpers.\relax }}{19}{table.caption.25}\protected@file@percent }
\newlabel{table:xdp_helpers}{{2.11}{19}{Relevant XDP-exclusive eBPF helpers.\relax }{table.caption.25}{}}
\abx@aux@cite{tc_docs_complete}
\abx@aux@segm{0}{0}{tc_docs_complete}
\abx@aux@cite{tc_direct_action}
@@ -224,40 +230,36 @@
\abx@aux@segm{0}{0}{tc_ret_list_complete}
\abx@aux@cite{tc_ret_list_complete}
\abx@aux@segm{0}{0}{tc_ret_list_complete}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.11}{\ignorespaces Table showing relevant XDP-exclusive eBPF helpers.\relax }}{20}{table.caption.25}\protected@file@percent }
\newlabel{table:xdp_helpers}{{2.11}{20}{Table showing relevant XDP-exclusive eBPF helpers.\relax }{table.caption.25}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.2}Traffic Control}{20}{subsection.2.3.2}\protected@file@percent }
\newlabel{subsection:tc}{{2.3.2}{20}{Traffic Control}{subsection.2.3.2}{}}
\abx@aux@cite{tp_kernel}
\abx@aux@segm{0}{0}{tp_kernel}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.12}{\ignorespaces Table showing TC relevant return values. Full list can be consulted at \cite {tc_ret_list_complete}.\relax }}{21}{table.caption.26}\protected@file@percent }
\newlabel{table:tc_actions}{{2.12}{21}{Table showing TC relevant return values. Full list can be consulted at \cite {tc_ret_list_complete}.\relax }{table.caption.26}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.13}{\ignorespaces Table showing relevant TC-exclusive eBPF helpers.\relax }}{21}{table.caption.27}\protected@file@percent }
\newlabel{table:tc_helpers}{{2.13}{21}{Table showing relevant TC-exclusive eBPF helpers.\relax }{table.caption.27}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.3}Tracepoints}{21}{subsection.2.3.3}\protected@file@percent }
\newlabel{subsection:tracepoints}{{2.3.3}{21}{Tracepoints}{subsection.2.3.3}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.12}{\ignorespaces Relevant TC return values. Full list can be consulted at \cite {tc_ret_list_complete}.\relax }}{20}{table.caption.26}\protected@file@percent }
\newlabel{table:tc_actions}{{2.12}{20}{Relevant TC return values. Full list can be consulted at \cite {tc_ret_list_complete}.\relax }{table.caption.26}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.3}Tracepoints}{20}{subsection.2.3.3}\protected@file@percent }
\newlabel{subsection:tracepoints}{{2.3.3}{20}{Tracepoints}{subsection.2.3.3}{}}
\abx@aux@cite{kprobe_manual}
\abx@aux@segm{0}{0}{kprobe_manual}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.13}{\ignorespaces Relevant TC-exclusive eBPF helpers.\relax }}{21}{table.caption.27}\protected@file@percent }
\newlabel{table:tc_helpers}{{2.13}{21}{Relevant TC-exclusive eBPF helpers.\relax }{table.caption.27}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.4}Kprobes}{21}{subsection.2.3.4}\protected@file@percent }
\abx@aux@cite{kallsyms_kernel}
\abx@aux@segm{0}{0}{kallsyms_kernel}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.4}Kprobes}{22}{subsection.2.3.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.5}Uprobes}{22}{subsection.2.3.5}\protected@file@percent }
\abx@aux@cite{bcc_github}
\abx@aux@segm{0}{0}{bcc_github}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.4}Developing eBPF programs}{23}{section.2.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.1}BCC}{23}{subsection.2.4.1}\protected@file@percent }
\abx@aux@cite{libbpf_github}
\abx@aux@segm{0}{0}{libbpf_github}
\abx@aux@cite{libbpf_upstream}
\abx@aux@segm{0}{0}{libbpf_upstream}
\abx@aux@cite{libbpf_core}
\abx@aux@segm{0}{0}{libbpf_core}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.2}Bpftool}{24}{subsection.2.4.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.4}Developing eBPF programs}{23}{section.2.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.1}BCC}{23}{subsection.2.4.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.2}Bpftool}{23}{subsection.2.4.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.3}Libbpf}{24}{subsection.2.4.3}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.9}{\ignorespaces Sketch of the compilation and loading process of a program developed with libbpf.\relax }}{25}{figure.caption.28}\protected@file@percent }
\newlabel{fig:libbpf}{{2.9}{25}{Sketch of the compilation and loading process of a program developed with libbpf.\relax }{figure.caption.28}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.14}{\ignorespaces Table showing BPF skeleton functions.\relax }}{25}{table.caption.29}\protected@file@percent }
\newlabel{table:libbpf_skel}{{2.14}{25}{Table showing BPF skeleton functions.\relax }{table.caption.29}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.9}{\ignorespaces Compilation and loading process of a program developed with libbpf.\relax }}{25}{figure.caption.28}\protected@file@percent }
\newlabel{fig:libbpf}{{2.9}{25}{Compilation and loading process of a program developed with libbpf.\relax }{figure.caption.28}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.14}{\ignorespaces BPF skeleton functions.\relax }}{25}{table.caption.29}\protected@file@percent }
\newlabel{table:libbpf_skel}{{2.14}{25}{BPF skeleton functions.\relax }{table.caption.29}{}}
\abx@aux@cite{ubuntu_caps}
\abx@aux@segm{0}{0}{ubuntu_caps}
\abx@aux@cite{evil_ebpf_p9}
@@ -270,6 +272,7 @@
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.15}{\ignorespaces Kernel compilation flags for eBPF.\relax }}{26}{table.caption.30}\protected@file@percent }
\newlabel{table:ebpf_kernel_flags}{{2.15}{26}{Kernel compilation flags for eBPF.\relax }{table.caption.30}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.5.1}Access control}{26}{subsection.2.5.1}\protected@file@percent }
\newlabel{subsection:access_control}{{2.5.1}{26}{Access control}{subsection.2.5.1}{}}
\abx@aux@cite{unprivileged_ebpf}
\abx@aux@segm{0}{0}{unprivileged_ebpf}
\abx@aux@cite{cve_unpriv_ebpf}
@@ -292,97 +295,97 @@
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.6.1}Memory pages and faults}{28}{subsection.2.6.1}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.10}{\ignorespaces Memory translation of virtual pages to physical pages.\relax }}{28}{figure.caption.33}\protected@file@percent }
\newlabel{fig:mem_arch_pages}{{2.10}{28}{Memory translation of virtual pages to physical pages.\relax }{figure.caption.33}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.11}{\ignorespaces Major page fault after a page was removed from RAM.\relax }}{29}{figure.caption.34}\protected@file@percent }
\newlabel{fig:mem_major_page_fault}{{2.11}{29}{Major page fault after a page was removed from RAM.\relax }{figure.caption.34}{}}
\abx@aux@cite{mem_arch_proc}
\abx@aux@segm{0}{0}{mem_arch_proc}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.11}{\ignorespaces Major page fault after a page was removed from RAM.\relax }}{29}{figure.caption.34}\protected@file@percent }
\newlabel{fig:mem_major_page_fault}{{2.11}{29}{Major page fault after a page was removed from RAM.\relax }{figure.caption.34}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.6.2}Process virtual memory}{29}{subsection.2.6.2}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.12}{\ignorespaces Minor page fault after a fork() in which the page table was not copied completely.\relax }}{30}{figure.caption.35}\protected@file@percent }
\newlabel{fig:mem_minor_page_fault}{{2.12}{30}{Minor page fault after a fork() in which the page table was not copied completely.\relax }{figure.caption.35}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.6.2}Process virtual memory}{30}{subsection.2.6.2}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.13}{\ignorespaces Virtual memory architecture of a process\cite {mem_arch_proc}.\relax }}{31}{figure.caption.36}\protected@file@percent }
\newlabel{fig:mem_proc_arch}{{2.13}{31}{Virtual memory architecture of a process\cite {mem_arch_proc}.\relax }{figure.caption.36}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.6.3}The process stack}{32}{subsection.2.6.3}\protected@file@percent }
\newlabel{subsection:stack}{{2.6.3}{32}{The process stack}{subsection.2.6.3}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.14}{\ignorespaces Simplified stack representation showing only stack frames.\relax }}{32}{figure.caption.37}\protected@file@percent }
\newlabel{fig:stack_pres}{{2.14}{32}{Simplified stack representation showing only stack frames.\relax }{figure.caption.37}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.13}{\ignorespaces Virtual memory architecture of a process \cite {mem_arch_proc}.\relax }}{30}{figure.caption.36}\protected@file@percent }
\newlabel{fig:mem_proc_arch}{{2.13}{30}{Virtual memory architecture of a process \cite {mem_arch_proc}.\relax }{figure.caption.36}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.6.3}The process stack}{31}{subsection.2.6.3}\protected@file@percent }
\newlabel{subsection:stack}{{2.6.3}{31}{The process stack}{subsection.2.6.3}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.14}{\ignorespaces Simplified stack representation showing only stack frames.\relax }}{31}{figure.caption.37}\protected@file@percent }
\newlabel{fig:stack_pres}{{2.14}{31}{Simplified stack representation showing only stack frames.\relax }{figure.caption.37}{}}
\abx@aux@cite{8664_params_abi_p18}
\abx@aux@segm{0}{0}{8664_params_abi_p18}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.18}{\ignorespaces Relevant registers in x86\_64 for the stack and control flow and their purpose.\relax }}{32}{table.caption.38}\protected@file@percent }
\newlabel{table:systemv_abi_other}{{2.18}{32}{Relevant registers in x86\_64 for the stack and control flow and their purpose.\relax }{table.caption.38}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.15}{\ignorespaces Representation of push and pop operations in the stack.\relax }}{33}{figure.caption.39}\protected@file@percent }
\newlabel{fig:stack_ops}{{2.15}{33}{Representation of push and pop operations in the stack.\relax }{figure.caption.39}{}}
\abx@aux@cite{8664_params_abi_p18}
\abx@aux@segm{0}{0}{8664_params_abi_p18}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.16}{\ignorespaces Stack representation right before starting the function call process.\relax }}{34}{figure.caption.40}\protected@file@percent }
\newlabel{fig:stack_before}{{2.16}{34}{Stack representation right before starting the function call process.\relax }{figure.caption.40}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.16}{\ignorespaces Stack representation right before starting the function call process.\relax }}{33}{figure.caption.40}\protected@file@percent }
\newlabel{fig:stack_before}{{2.16}{33}{Stack representation right before starting the function call process.\relax }{figure.caption.40}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.17}{\ignorespaces Stack representation right after the function preamble.\relax }}{34}{figure.caption.41}\protected@file@percent }
\newlabel{fig:stack}{{2.17}{34}{Stack representation right after the function preamble.\relax }{figure.caption.41}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.7}Attacks at the stack}{35}{section.2.7}\protected@file@percent }
\newlabel{section:attacks_stack}{{2.7}{35}{Attacks at the stack}{section.2.7}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.7.1}Buffer overflow}{35}{subsection.2.7.1}\protected@file@percent }
\newlabel{subsection: buf_overflow}{{2.7.1}{35}{Buffer overflow}{subsection.2.7.1}{}}
\newlabel{code:vuln_overflow}{{2.1}{35}{Program vulnerable to buffer overflow}{lstlisting.2.1}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {2.1}Program vulnerable to buffer overflow.}{35}{lstlisting.2.1}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.18}{\ignorespaces Execution hijack overwriting saved rip value.\relax }}{36}{figure.caption.42}\protected@file@percent }
\newlabel{fig:stack_ret_hij_simple}{{2.18}{36}{Execution hijack overwriting saved rip value.\relax }{figure.caption.42}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.7.1}Buffer overflow}{36}{subsection.2.7.1}\protected@file@percent }
\newlabel{subsection: buf_overflow}{{2.7.1}{36}{Buffer overflow}{subsection.2.7.1}{}}
\newlabel{code:vuln_overflow}{{2.1}{37}{Program vulnerable to buffer overflow}{lstlisting.2.1}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {2.1}Program vulnerable to buffer overflow.}{37}{lstlisting.2.1}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.19}{\ignorespaces Stack buffer overflow overwriting ret value.\relax }}{37}{figure.caption.43}\protected@file@percent }
\newlabel{fig:buffer_overflow}{{2.19}{37}{Stack buffer overflow overwriting ret value.\relax }{figure.caption.43}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.20}{\ignorespaces Executing arbitrary code exploiting a buffer overflow vulnerability.\relax }}{38}{figure.caption.44}\protected@file@percent }
\newlabel{fig:buffer_overflow_shellcode}{{2.20}{38}{Executing arbitrary code exploiting a buffer overflow vulnerability.\relax }{figure.caption.44}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.7.2}Return oriented programming attacks}{38}{subsection.2.7.2}\protected@file@percent }
\newlabel{subsection:rop}{{2.7.2}{38}{Return oriented programming attacks}{subsection.2.7.2}{}}
\abx@aux@cite{rop_prog_finder}
\abx@aux@segm{0}{0}{rop_prog_finder}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.7.2}Return oriented programming attacks}{39}{subsection.2.7.2}\protected@file@percent }
\newlabel{subsection:rop}{{2.7.2}{39}{Return oriented programming attacks}{subsection.2.7.2}{}}
\newlabel{code:rop_ex}{{2.2}{39}{Sample program to run using ROP}{lstlisting.2.2}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {2.2}Sample program to run using ROP.}{39}{lstlisting.2.2}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.21}{\ignorespaces Steps for executing code sample using ROP.\relax }}{40}{figure.caption.45}\protected@file@percent }
\newlabel{fig:rop_compund}{{2.21}{40}{Steps for executing code sample using ROP.\relax }{figure.caption.45}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.8}Networking fundamentals in Linux}{41}{section.2.8}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.8.1}An overview on the network layer}{41}{subsection.2.8.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.8}Networking fundamentals in Linux}{40}{section.2.8}\protected@file@percent }
\abx@aux@cite{network_layers}
\abx@aux@segm{0}{0}{network_layers}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.22}{\ignorespaces Ethernet frame with TCP/IP packet.\relax }}{42}{figure.caption.46}\protected@file@percent }
\newlabel{fig:frame}{{2.22}{42}{Ethernet frame with TCP/IP packet.\relax }{figure.caption.46}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.8.1}An overview on the network layer}{41}{subsection.2.8.1}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.22}{\ignorespaces Ethernet frame with TCP/IP packet.\relax }}{41}{figure.caption.46}\protected@file@percent }
\newlabel{fig:frame}{{2.22}{41}{Ethernet frame with TCP/IP packet.\relax }{figure.caption.46}{}}
\abx@aux@cite{tcp_reliable}
\abx@aux@segm{0}{0}{tcp_reliable}
\abx@aux@cite{tcp_handshake}
\abx@aux@segm{0}{0}{tcp_handshake}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.8.2}Introduction to the TCP protocol}{43}{subsection.2.8.2}\protected@file@percent }
\newlabel{subsection:tcp}{{2.8.2}{43}{Introduction to the TCP protocol}{subsection.2.8.2}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.8.2}Introduction to the TCP protocol}{42}{subsection.2.8.2}\protected@file@percent }
\newlabel{subsection:tcp}{{2.8.2}{42}{Introduction to the TCP protocol}{subsection.2.8.2}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.19}{\ignorespaces Relevant TCP flags and their purpose.\relax }}{43}{table.caption.47}\protected@file@percent }
\newlabel{table:tcp_flags}{{2.19}{43}{Relevant TCP flags and their purpose.\relax }{table.caption.47}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.23}{\ignorespaces TCP 3-way handshake.\relax }}{44}{figure.caption.48}\protected@file@percent }
\newlabel{fig:tcp_conn}{{2.23}{44}{TCP 3-way handshake.\relax }{figure.caption.48}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.23}{\ignorespaces TCP 3-way handshake.\relax }}{43}{figure.caption.48}\protected@file@percent }
\newlabel{fig:tcp_conn}{{2.23}{43}{TCP 3-way handshake.\relax }{figure.caption.48}{}}
\abx@aux@cite{elf}
\abx@aux@segm{0}{0}{elf}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.24}{\ignorespaces TCP packet retransmission on timeout.\relax }}{45}{figure.caption.49}\protected@file@percent }
\newlabel{fig:tcp_retransmission}{{2.24}{45}{TCP packet retransmission on timeout.\relax }{figure.caption.49}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.9}ELF binaries}{45}{section.2.9}\protected@file@percent }
\newlabel{section:elf}{{2.9}{45}{ELF binaries}{section.2.9}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.9.1}The ELF format and Lazy Binding}{45}{subsection.2.9.1}\protected@file@percent }
\newlabel{subsection:elf_lazy_binding}{{2.9.1}{45}{The ELF format and Lazy Binding}{subsection.2.9.1}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.20}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{46}{table.caption.50}\protected@file@percent }
\newlabel{table:elf_tools}{{2.20}{46}{Tools used for analysis of ELF programs.\relax }{table.caption.50}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.24}{\ignorespaces TCP packet retransmission on timeout.\relax }}{44}{figure.caption.49}\protected@file@percent }
\newlabel{fig:tcp_retransmission}{{2.24}{44}{TCP packet retransmission on timeout.\relax }{figure.caption.49}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.9}ELF binaries}{44}{section.2.9}\protected@file@percent }
\newlabel{section:elf}{{2.9}{44}{ELF binaries}{section.2.9}{}}
\abx@aux@cite{plt_got_overlord}
\abx@aux@segm{0}{0}{plt_got_overlord}
\abx@aux@cite{plt_got_technovelty}
\abx@aux@segm{0}{0}{plt_got_technovelty}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.21}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{47}{table.caption.51}\protected@file@percent }
\newlabel{table:elf_sec_headers}{{2.21}{47}{Tools used for analysis of ELF programs.\relax }{table.caption.51}{}}
\newlabel{code:lazy_bind_1}{{2.3}{47}{Call to PLT stub seen from objdump}{lstlisting.2.3}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {2.3}Call to PLT stub seen from objdump.}{47}{lstlisting.2.3}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.25}{\ignorespaces PLT stub for timerfd\_settime, seen from gdb-peda.\relax }}{48}{figure.caption.52}\protected@file@percent }
\newlabel{fig:lazy_bind_2}{{2.25}{48}{PLT stub for timerfd\_settime, seen from gdb-peda.\relax }{figure.caption.52}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.26}{\ignorespaces Inspecting address stored in GOT section before dynamic linking, seen from gdb-peda.\relax }}{48}{figure.caption.53}\protected@file@percent }
\newlabel{fig:lazy_bind_3}{{2.26}{48}{Inspecting address stored in GOT section before dynamic linking, seen from gdb-peda.\relax }{figure.caption.53}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.27}{\ignorespaces Inspecting address stored in GOT section after dynamic linking, seen from gdb-peda.\relax }}{48}{figure.caption.54}\protected@file@percent }
\newlabel{fig:lazy_bind_4}{{2.27}{48}{Inspecting address stored in GOT section after dynamic linking, seen from gdb-peda.\relax }{figure.caption.54}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.28}{\ignorespaces Glibc function to which PLT jumps using address stored at GOT, seen from gdb-peda.\relax }}{48}{figure.caption.55}\protected@file@percent }
\newlabel{fig:lazy_bind_5}{{2.28}{48}{Glibc function to which PLT jumps using address stored at GOT, seen from gdb-peda.\relax }{figure.caption.55}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.9.1}The ELF format and Lazy Binding}{45}{subsection.2.9.1}\protected@file@percent }
\newlabel{subsection:elf_lazy_binding}{{2.9.1}{45}{The ELF format and Lazy Binding}{subsection.2.9.1}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.20}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{45}{table.caption.50}\protected@file@percent }
\newlabel{table:elf_tools}{{2.20}{45}{Tools used for analysis of ELF programs.\relax }{table.caption.50}{}}
\newlabel{code:lazy_bind_1}{{2.3}{45}{Call to PLT stub seen from objdump}{lstlisting.2.3}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {2.3}Call to PLT stub seen from objdump.}{45}{lstlisting.2.3}\protected@file@percent }
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.21}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{46}{table.caption.51}\protected@file@percent }
\newlabel{table:elf_sec_headers}{{2.21}{46}{Tools used for analysis of ELF programs.\relax }{table.caption.51}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.25}{\ignorespaces PLT stub for timerfd\_settime, seen from gdb-peda.\relax }}{47}{figure.caption.52}\protected@file@percent }
\newlabel{fig:lazy_bind_2}{{2.25}{47}{PLT stub for timerfd\_settime, seen from gdb-peda.\relax }{figure.caption.52}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.26}{\ignorespaces Inspecting address stored in GOT section before dynamic linking, seen from gdb-peda.\relax }}{47}{figure.caption.53}\protected@file@percent }
\newlabel{fig:lazy_bind_3}{{2.26}{47}{Inspecting address stored in GOT section before dynamic linking, seen from gdb-peda.\relax }{figure.caption.53}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.27}{\ignorespaces Inspecting address stored in GOT section after dynamic linking, seen from gdb-peda.\relax }}{47}{figure.caption.54}\protected@file@percent }
\newlabel{fig:lazy_bind_4}{{2.27}{47}{Inspecting address stored in GOT section after dynamic linking, seen from gdb-peda.\relax }{figure.caption.54}{}}
\abx@aux@cite{aslr_pie_intro}
\abx@aux@segm{0}{0}{aslr_pie_intro}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.9.2}Hardening ELF binaries}{49}{subsection.2.9.2}\protected@file@percent }
\newlabel{subsection:hardening_elf}{{2.9.2}{49}{Hardening ELF binaries}{subsection.2.9.2}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.22}{\ignorespaces Security features in C compilers used in the study.\relax }}{49}{table.caption.56}\protected@file@percent }
\newlabel{table:compilers}{{2.22}{49}{Security features in C compilers used in the study.\relax }{table.caption.56}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.28}{\ignorespaces Glibc function to which PLT jumps using address stored at GOT, seen from gdb-peda.\relax }}{48}{figure.caption.55}\protected@file@percent }
\newlabel{fig:lazy_bind_5}{{2.28}{48}{Glibc function to which PLT jumps using address stored at GOT, seen from gdb-peda.\relax }{figure.caption.55}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.9.2}Hardening ELF binaries}{48}{subsection.2.9.2}\protected@file@percent }
\newlabel{subsection:hardening_elf}{{2.9.2}{48}{Hardening ELF binaries}{subsection.2.9.2}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.22}{\ignorespaces Security features in C compilers used in the study.\relax }}{48}{table.caption.56}\protected@file@percent }
\newlabel{table:compilers}{{2.22}{48}{Security features in C compilers used in the study.\relax }{table.caption.56}{}}
\abx@aux@cite{aslr_pie_intro}
\abx@aux@segm{0}{0}{aslr_pie_intro}
\abx@aux@cite{relro_redhat}
@@ -391,35 +394,36 @@
\abx@aux@segm{0}{0}{cet_windows}
\abx@aux@cite{cet_linux}
\abx@aux@segm{0}{0}{cet_linux}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Analysis of offensive capabilities}{52}{chapter.3}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Analysis of offensive capabilities}{50}{chapter.3}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\newlabel{chapter:analysis_offensive_capabilities}{{3}{52}{Analysis of offensive capabilities}{chapter.3}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.1}eBPF maps security}{52}{section.3.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.2}Abusing tracing programs}{53}{section.3.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.1}Access to function arguments}{53}{subsection.3.2.1}\protected@file@percent }
\newlabel{code:format_kprobe}{{3.1}{53}{Probe function for a kprobe on the kernel function vfs\_write}{lstlisting.3.1}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.1}Probe function for a kprobe on the kernel function vfs\_write.}{53}{lstlisting.3.1}\protected@file@percent }
\newlabel{code:format_uprobe}{{3.2}{53}{Probe function for an uprobe, execute\_command is defined from user space}{lstlisting.3.2}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.2}Probe function for an uprobe, execute\_command is defined from user space.}{53}{lstlisting.3.2}\protected@file@percent }
\newlabel{code:format_tracepoint}{{3.3}{53}{Probe function for a tracepoint on the start of the syscall sys\_read}{lstlisting.3.3}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.3}Probe function for a tracepoint on the start of the syscall sys\_read.}{53}{lstlisting.3.3}\protected@file@percent }
\newlabel{chapter:analysis_offensive_capabilities}{{3}{50}{Analysis of offensive capabilities}{chapter.3}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.1}eBPF maps security}{50}{section.3.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.2}Abusing tracing programs}{51}{section.3.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.1}Access to function arguments}{51}{subsection.3.2.1}\protected@file@percent }
\newlabel{code:format_kprobe}{{3.1}{51}{Probe function for a kprobe on the kernel function vfs\_write}{lstlisting.3.1}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.1}Probe function for a kprobe on the kernel function vfs\_write.}{51}{lstlisting.3.1}\protected@file@percent }
\newlabel{code:format_uprobe}{{3.2}{51}{Probe function for an uprobe, execute\_command is defined from user space}{lstlisting.3.2}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.2}Probe function for an uprobe, execute\_command is defined from user space.}{51}{lstlisting.3.2}\protected@file@percent }
\newlabel{code:format_tracepoint}{{3.3}{51}{Probe function for a tracepoint on the start of the syscall sys\_read}{lstlisting.3.3}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.3}Probe function for a tracepoint on the start of the syscall sys\_read.}{51}{lstlisting.3.3}\protected@file@percent }
\newlabel{code:format_ptregs}{{3.4}{51}{Format of struct pt\_regs}{lstlisting.3.4}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.4}Format of struct pt\_regs.}{51}{lstlisting.3.4}\protected@file@percent }
\abx@aux@cite{8664_params_abi}
\abx@aux@segm{0}{0}{8664_params_abi}
\newlabel{code:format_ptregs}{{3.4}{54}{Format of struct pt\_regs}{lstlisting.3.4}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.4}Format of struct pt\_regs.}{54}{lstlisting.3.4}\protected@file@percent }
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.1}{\ignorespaces Argument passing convention of registers for function calls in user and kernel space respectively.\relax }}{54}{table.caption.57}\protected@file@percent }
\newlabel{table:systemv_abi}{{3.1}{54}{Argument passing convention of registers for function calls in user and kernel space respectively.\relax }{table.caption.57}{}}
\newlabel{code:sys_enter_read_tp_format}{{3.5}{55}{Format for parameters in sys\_enter\_read specified at the format file}{lstlisting.3.5}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.5}Format for parameters in sys\_enter\_read specified at the format file.}{55}{lstlisting.3.5}\protected@file@percent }
\newlabel{code:sys_enter_read_tp}{{3.6}{55}{Format of custom struct sys\_read\_enter\_ctx}{lstlisting.3.6}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.6}Format of custom struct sys\_read\_enter\_ctx.}{55}{lstlisting.3.6}\protected@file@percent }
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.1}{\ignorespaces Argument passing convention of registers for function calls in user and kernel space respectively.\relax }}{52}{table.caption.57}\protected@file@percent }
\newlabel{table:systemv_abi}{{3.1}{52}{Argument passing convention of registers for function calls in user and kernel space respectively.\relax }{table.caption.57}{}}
\newlabel{code:sys_enter_read_tp_format}{{3.5}{52}{Format for parameters in sys\_enter\_read specified at the format file}{lstlisting.3.5}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.5}Format for parameters in sys\_enter\_read specified at the format file.}{52}{lstlisting.3.5}\protected@file@percent }
\newlabel{code:sys_enter_read_tp}{{3.6}{53}{Format of custom struct sys\_read\_enter\_ctx}{lstlisting.3.6}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.6}Format of custom struct sys\_read\_enter\_ctx.}{53}{lstlisting.3.6}\protected@file@percent }
\abx@aux@cite{ebpf_friends_p15}
\abx@aux@segm{0}{0}{ebpf_friends_p15}
\abx@aux@cite{ebpf_override_return}
\abx@aux@segm{0}{0}{ebpf_override_return}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{56}{subsection.3.2.2}\protected@file@percent }
\newlabel{subsection:out_read_bounds}{{3.2.2}{56}{Reading memory out of bounds}{subsection.3.2.2}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{54}{subsection.3.2.2}\protected@file@percent }
\newlabel{subsection:out_read_bounds}{{3.2.2}{54}{Reading memory out of bounds}{subsection.3.2.2}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.3}Overriding function return values}{54}{subsection.3.2.3}\protected@file@percent }
\abx@aux@cite{code_kernel_open}
\abx@aux@segm{0}{0}{code_kernel_open}
\abx@aux@cite{code_kernel_open}
@@ -430,86 +434,86 @@
\abx@aux@segm{0}{0}{code_kernel_syscall}
\abx@aux@cite{fault_injection}
\abx@aux@segm{0}{0}{fault_injection}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.3}Overriding function return values}{57}{subsection.3.2.3}\protected@file@percent }
\newlabel{code:override_return_1}{{3.7}{57}{Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{lstlisting.3.7}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.7}Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{57}{lstlisting.3.7}\protected@file@percent }
\newlabel{code:override_return_2}{{3.8}{57}{Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_syscall}}{lstlisting.3.8}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.8}Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_syscall}}{57}{lstlisting.3.8}\protected@file@percent }
\newlabel{code:override_return_1}{{3.7}{55}{Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{lstlisting.3.7}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.7}Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{55}{lstlisting.3.7}\protected@file@percent }
\newlabel{code:override_return_2}{{3.8}{55}{Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_syscall}}{lstlisting.3.8}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.8}Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_syscall}}{55}{lstlisting.3.8}\protected@file@percent }
\abx@aux@cite{ebpf_helpers}
\abx@aux@segm{0}{0}{ebpf_helpers}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.4}Sending signals to user programs}{58}{subsection.3.2.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.5}Conclusion}{58}{subsection.3.2.5}\protected@file@percent }
\newlabel{subsection:tracing_attacks_conclusion}{{3.2.5}{58}{Conclusion}{subsection.3.2.5}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.3}Memory corruption}{58}{section.3.3}\protected@file@percent }
\newlabel{section:mem_corruption}{{3.3}{58}{Memory corruption}{section.3.3}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.4}Sending signals to user programs}{56}{subsection.3.2.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.5}Takeaways}{56}{subsection.3.2.5}\protected@file@percent }
\newlabel{subsection:tracing_attacks_conclusion}{{3.2.5}{56}{Takeaways}{subsection.3.2.5}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.3}Memory corruption}{56}{section.3.3}\protected@file@percent }
\newlabel{section:mem_corruption}{{3.3}{56}{Memory corruption}{section.3.3}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.1}Attacks and limitations of bpf\_probe\_write\_user()}{56}{subsection.3.3.1}\protected@file@percent }
\newlabel{subsection:bpf_probe_write_apps}{{3.3.1}{56}{Attacks and limitations of bpf\_probe\_write\_user()}{subsection.3.3.1}{}}
\abx@aux@cite{write_helper_non_fault}
\abx@aux@segm{0}{0}{write_helper_non_fault}
\abx@aux@cite{code_vfs_read}
\abx@aux@segm{0}{0}{code_vfs_read}
\abx@aux@cite{code_vfs_read}
\abx@aux@segm{0}{0}{code_vfs_read}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.1}Attacks and limitations of bpf\_probe\_write\_user()}{59}{subsection.3.3.1}\protected@file@percent }
\newlabel{subsection:bpf_probe_write_apps}{{3.3.1}{59}{Attacks and limitations of bpf\_probe\_write\_user()}{subsection.3.3.1}{}}
\abx@aux@cite{evil_ebpf_p6974}
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
\newlabel{code:vfs_read}{{3.9}{57}{Definition of kernel function vfs\_read. \cite {code_vfs_read}}{lstlisting.3.9}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.9}Definition of kernel function vfs\_read. \cite {code_vfs_read}}{57}{lstlisting.3.9}\protected@file@percent }
\abx@aux@cite{8664_params_abi_p1922}
\abx@aux@segm{0}{0}{8664_params_abi_p1922}
\newlabel{code:vfs_read}{{3.9}{60}{Definition of kernel function vfs\_read. \cite {code_vfs_read}}{lstlisting.3.9}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.9}Definition of kernel function vfs\_read. \cite {code_vfs_read}}{60}{lstlisting.3.9}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.1}{\ignorespaces Overview of stack scanning and writing technique.\relax }}{60}{figure.caption.58}\protected@file@percent }
\newlabel{fig:stack_scan_write_tech}{{3.1}{60}{Overview of stack scanning and writing technique.\relax }{figure.caption.58}{}}
\newlabel{code:stack_scan_write_tech}{{3.10}{61}{Sample program being executed on figure \ref {fig:stack_scan_write_tech}}{lstlisting.3.10}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.10}Sample program being executed on figure \ref {fig:stack_scan_write_tech}.}{61}{lstlisting.3.10}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.2}Conclusion}{61}{subsection.3.3.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.4}Abusing networking programs}{62}{section.3.4}\protected@file@percent }
\newlabel{section:abusing_networking}{{3.4}{62}{Abusing networking programs}{section.3.4}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.1}Attacks and limitations of networking programs}{62}{subsection.3.4.1}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.2}{\ignorespaces Technique to duplicate a packet for exfiltrating data.\relax }}{64}{figure.caption.59}\protected@file@percent }
\newlabel{fig:tcp_exfiltrate_retrans}{{3.2}{64}{Technique to duplicate a packet for exfiltrating data.\relax }{figure.caption.59}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.2}Conclusion}{65}{subsection.3.4.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Design of a malicious eBPF rootkit}{66}{chapter.4}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.1}{\ignorespaces Overview of stack scanning and writing technique.\relax }}{58}{figure.caption.58}\protected@file@percent }
\newlabel{fig:stack_scan_write_tech}{{3.1}{58}{Overview of stack scanning and writing technique.\relax }{figure.caption.58}{}}
\newlabel{code:stack_scan_write_tech}{{3.10}{58}{Sample program being executed on figure \ref {fig:stack_scan_write_tech}}{lstlisting.3.10}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.10}Sample program being executed on figure \ref {fig:stack_scan_write_tech}.}{58}{lstlisting.3.10}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.2}Takeaways}{59}{subsection.3.3.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.4}Abusing networking programs}{60}{section.3.4}\protected@file@percent }
\newlabel{section:abusing_networking}{{3.4}{60}{Abusing networking programs}{section.3.4}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.1}Attacks and limitations of networking programs}{60}{subsection.3.4.1}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.2}{\ignorespaces Technique to duplicate a packet for exfiltrating data.\relax }}{62}{figure.caption.59}\protected@file@percent }
\newlabel{fig:tcp_exfiltrate_retrans}{{3.2}{62}{Technique to duplicate a packet for exfiltrating data.\relax }{figure.caption.59}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.2}Takeaways}{63}{subsection.3.4.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Design of a malicious eBPF rootkit}{64}{chapter.4}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.1}Library injection attacks}{66}{section.4.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.1}Library injection attacks}{64}{section.4.1}\protected@file@percent }
\abx@aux@cite{evil_ebpf_p6974}
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
\abx@aux@cite{evil_ebpf_p6974}
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
\abx@aux@cite{glibc}
\abx@aux@segm{0}{0}{glibc}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.1}ROP with eBPF}{67}{subsection.4.1.1}\protected@file@percent }
\newlabel{subsection:rop_ebpf}{{4.1.1}{67}{ROP with eBPF}{subsection.4.1.1}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.1}{\ignorespaces Initial setup for the ROP with eBPF technique.\relax }}{67}{figure.caption.60}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_1}{{4.1}{67}{Initial setup for the ROP with eBPF technique.\relax }{figure.caption.60}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.2}{\ignorespaces Process memory after syscall exits and ROP code overwrites the stack.\relax }}{68}{figure.caption.61}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_2}{{4.2}{68}{Process memory after syscall exits and ROP code overwrites the stack.\relax }{figure.caption.61}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.1}ROP with eBPF}{65}{subsection.4.1.1}\protected@file@percent }
\newlabel{subsection:rop_ebpf}{{4.1.1}{65}{ROP with eBPF}{subsection.4.1.1}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.1}{\ignorespaces Initial setup for the ROP with eBPF technique.\relax }}{65}{figure.caption.60}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_1}{{4.1}{65}{Initial setup for the ROP with eBPF technique.\relax }{figure.caption.60}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.2}{\ignorespaces Process memory after syscall exits and ROP code overwrites the stack.\relax }}{66}{figure.caption.61}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_2}{{4.2}{66}{Process memory after syscall exits and ROP code overwrites the stack.\relax }{figure.caption.61}{}}
\abx@aux@cite{canary_exploit}
\abx@aux@segm{0}{0}{canary_exploit}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.3}{\ignorespaces Stack data is restored and program continues its execution.\relax }}{69}{figure.caption.62}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_3}{{4.3}{69}{Stack data is restored and program continues its execution.\relax }{figure.caption.62}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.2}Bypassing hardening features in ELFs}{69}{subsection.4.1.2}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.3}{\ignorespaces Stack data is restored and program continues its execution.\relax }}{67}{figure.caption.62}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_3}{{4.3}{67}{Stack data is restored and program continues its execution.\relax }{figure.caption.62}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.2}Bypassing hardening features in ELFs}{67}{subsection.4.1.2}\protected@file@percent }
\abx@aux@cite{pie_exploit}
\abx@aux@segm{0}{0}{pie_exploit}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.4}{\ignorespaces Two runs of the same executable using ASLR, showing a library and two symbols.\relax }}{70}{figure.caption.63}\protected@file@percent }
\newlabel{fig:alsr_offset}{{4.4}{70}{Two runs of the same executable using ASLR, showing a library and two symbols.\relax }{figure.caption.63}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.3}Library injection via GOT hijacking}{71}{subsection.4.1.3}\protected@file@percent }
\newlabel{subsection:got_attack}{{4.1.3}{71}{Library injection via GOT hijacking}{subsection.4.1.3}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.5}{\ignorespaces Call to the glibc function, using objdump\relax }}{72}{figure.caption.64}\protected@file@percent }
\newlabel{fig:firstcall}{{4.5}{72}{Call to the glibc function, using objdump\relax }{figure.caption.64}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Evaluation}{73}{chapter.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.4}{\ignorespaces Two runs of the same executable using ASLR, showing a library and two symbols.\relax }}{68}{figure.caption.63}\protected@file@percent }
\newlabel{fig:alsr_offset}{{4.4}{68}{Two runs of the same executable using ASLR, showing a library and two symbols.\relax }{figure.caption.63}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.3}Library injection via GOT hijacking}{69}{subsection.4.1.3}\protected@file@percent }
\newlabel{subsection:got_attack}{{4.1.3}{69}{Library injection via GOT hijacking}{subsection.4.1.3}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.5}{\ignorespaces Call to the glibc function, using objdump\relax }}{70}{figure.caption.64}\protected@file@percent }
\newlabel{fig:firstcall}{{4.5}{70}{Call to the glibc function, using objdump\relax }{figure.caption.64}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Evaluation}{71}{chapter.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Related work}{74}{chapter.6}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {5.1}Developed capabilities}{71}{section.5.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {5.2}Rootkit use cases}{71}{section.5.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Related work}{72}{chapter.6}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{75}{chapter.6}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{73}{chapter.6}\protected@file@percent }
\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.66}{}}
\newlabel{annex:readelf_commands}{{6}{}{Appendix B - Readelf commands}{chapter*.67}{}}
\newlabel{annexsec:readelf_sec_headers}{{6}{}{}{chapter*.67}{}}
\newlabel{code:elf_sections}{{6.1}{}{List of ELF section headers with readelf tool of a program compiled with GCC}{lstlisting.6.1}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {6.1}List of ELF section headers with readelf tool of a program compiled with GCC.}{}{lstlisting.6.1}\protected@file@percent }
\abx@aux@read@bbl@mdfivesum{073A2C7C705B80891C5D9DCBDBB01C38}
\abx@aux@read@bblrerun
\abx@aux@read@bbl@mdfivesum{29EDBEBA551C78783A4E376AB79D67BE}
\abx@aux@refcontextdefaultsdone
\abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global}
@@ -524,12 +528,13 @@
\abx@aux@defaultrefcontext{0}{ebpf_io}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{bpf_bsd_origin}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_history_opensource}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{bpf_bsd_origin_bpf_page2}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{bpf_bsd_origin_bpf_page1}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{index_register}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{bpf_bsd_origin_bpf_page5}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{bpf_organicprogrammer_analysis}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{bpf_bsd_origin_bpf_page7}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{bpf_bsd_origin_bpf_page8}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{bpf_bsd_origin_bpf_page7}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{tcpdump_page}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_funcs_by_ver}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{brendan_gregg_bpf_book}{none/global//global/global}
@@ -562,6 +567,15 @@
\abx@aux@defaultrefcontext{0}{libbpf_github}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{libbpf_upstream}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{libbpf_core}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ubuntu_caps}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{evil_ebpf_p9}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_caps_intro}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_caps_lwn}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{unprivileged_ebpf}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{cve_unpriv_ebpf}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{unpriv_ebpf_ubuntu}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{unpriv_ebpf_suse}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{unpriv_ebpf_redhat}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{mem_page_arch}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{page_faults}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{mem_arch_proc}{none/global//global/global}
@@ -577,15 +591,6 @@
\abx@aux@defaultrefcontext{0}{relro_redhat}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{cet_windows}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{cet_linux}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ubuntu_caps}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{evil_ebpf_p9}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_caps_intro}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_caps_lwn}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{unprivileged_ebpf}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{cve_unpriv_ebpf}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{unpriv_ebpf_ubuntu}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{unpriv_ebpf_suse}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{unpriv_ebpf_redhat}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{8664_params_abi}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_friends_p15}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_override_return}{none/global//global/global}
@@ -600,4 +605,4 @@
\abx@aux@defaultrefcontext{0}{canary_exploit}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{pie_exploit}{none/global//global/global}
\ttl@finishall
\gdef \@abspage@last{102}
\gdef \@abspage@last{100}

474
docs/document.bbl
View File

@@ -105,8 +105,8 @@
\endverb
\endentry
\entry{ebpf_windows}{online}{}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{sortinit}{2}
\field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
\field{labeltitlesource}{title}
\field{day}{7}
\field{month}{12}
@@ -286,7 +286,7 @@
\verb https://opensource.com/article/17/9/intro-ebpf
\endverb
\endentry
\entry{bpf_bsd_origin_bpf_page1}{article}{}
\entry{bpf_bsd_origin_bpf_page2}{article}{}
\name{author}{1}{}{%
{{hash=b74c2671072cf5a1a1400dc035240dfd}{%
family={Steven\bibnamedelima McCanne},
@@ -322,9 +322,45 @@
\verb https://www.tcpdump.org/papers/bpf-usenix93.pdf
\endverb
\endentry
\entry{index_register}{manual}{}
\entry{bpf_bsd_origin_bpf_page1}{article}{}
\name{author}{1}{}{%
{{hash=b74c2671072cf5a1a1400dc035240dfd}{%
family={Steven\bibnamedelima McCanne},
familyi={S\bibinitperiod\bibinitdelim M\bibinitperiod},
given={Van\bibnamedelima Jacobson},
giveni={V\bibinitperiod\bibinitdelim J\bibinitperiod}}}%
}
\list{institution}{1}{%
{Lawrence Berkeley Laboratory}%
}
\strng{namehash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{fullhash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{bibnamehash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{authorbibnamehash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{authornamehash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{authorfullhash}{b74c2671072cf5a1a1400dc035240dfd}
\field{extraname}{3}
\field{sortinit}{2}
\field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{19}
\field{month}{12}
\field{title}{The BSD Packet Filter: A New Architecture for User-level Packet Capture}
\field{year}{1992}
\field{dateera}{ce}
\field{pages}{1}
\range{pages}{1}
\verb{urlraw}
\verb https://www.tcpdump.org/papers/bpf-usenix93.pdf
\endverb
\verb{url}
\verb https://www.tcpdump.org/papers/bpf-usenix93.pdf
\endverb
\endentry
\entry{index_register}{manual}{}
\field{sortinit}{3}
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
\field{labeltitlesource}{title}
\field{title}{Index register}
\verb{urlraw}
@@ -351,9 +387,9 @@
\strng{authorbibnamehash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{authornamehash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{authorfullhash}{b74c2671072cf5a1a1400dc035240dfd}
\field{extraname}{3}
\field{sortinit}{2}
\field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
\field{extraname}{4}
\field{sortinit}{3}
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{19}
@@ -386,42 +422,6 @@
\verb https://organicprogrammer.com/2022/03/28/how-to-implement-libpcap-on-linux-with-raw-socket-part2/
\endverb
\endentry
\entry{bpf_bsd_origin_bpf_page7}{article}{}
\name{author}{1}{}{%
{{hash=b74c2671072cf5a1a1400dc035240dfd}{%
family={Steven\bibnamedelima McCanne},
familyi={S\bibinitperiod\bibinitdelim M\bibinitperiod},
given={Van\bibnamedelima Jacobson},
giveni={V\bibinitperiod\bibinitdelim J\bibinitperiod}}}%
}
\list{institution}{1}{%
{Lawrence Berkeley Laboratory}%
}
\strng{namehash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{fullhash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{bibnamehash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{authorbibnamehash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{authornamehash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{authorfullhash}{b74c2671072cf5a1a1400dc035240dfd}
\field{extraname}{4}
\field{sortinit}{3}
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{19}
\field{month}{12}
\field{title}{The BSD Packet Filter: A New Architecture for User-level Packet Capture}
\field{year}{1992}
\field{dateera}{ce}
\field{pages}{7}
\range{pages}{1}
\verb{urlraw}
\verb https://www.tcpdump.org/papers/bpf-usenix93.pdf
\endverb
\verb{url}
\verb https://www.tcpdump.org/papers/bpf-usenix93.pdf
\endverb
\endentry
\entry{bpf_bsd_origin_bpf_page8}{article}{}
\name{author}{1}{}{%
{{hash=b74c2671072cf5a1a1400dc035240dfd}{%
@@ -458,6 +458,42 @@
\verb https://www.tcpdump.org/papers/bpf-usenix93.pdf
\endverb
\endentry
\entry{bpf_bsd_origin_bpf_page7}{article}{}
\name{author}{1}{}{%
{{hash=b74c2671072cf5a1a1400dc035240dfd}{%
family={Steven\bibnamedelima McCanne},
familyi={S\bibinitperiod\bibinitdelim M\bibinitperiod},
given={Van\bibnamedelima Jacobson},
giveni={V\bibinitperiod\bibinitdelim J\bibinitperiod}}}%
}
\list{institution}{1}{%
{Lawrence Berkeley Laboratory}%
}
\strng{namehash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{fullhash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{bibnamehash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{authorbibnamehash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{authornamehash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{authorfullhash}{b74c2671072cf5a1a1400dc035240dfd}
\field{extraname}{6}
\field{sortinit}{3}
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{19}
\field{month}{12}
\field{title}{The BSD Packet Filter: A New Architecture for User-level Packet Capture}
\field{year}{1992}
\field{dateera}{ce}
\field{pages}{7}
\range{pages}{1}
\verb{urlraw}
\verb https://www.tcpdump.org/papers/bpf-usenix93.pdf
\endverb
\verb{url}
\verb https://www.tcpdump.org/papers/bpf-usenix93.pdf
\endverb
\endentry
\entry{tcpdump_page}{manual}{}
\field{sortinit}{3}
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
@@ -500,8 +536,8 @@
\strng{authornamehash}{b45aef384111d7e9dd71b74ba427b5f1}
\strng{authorfullhash}{b45aef384111d7e9dd71b74ba427b5f1}
\field{extraname}{1}
\field{sortinit}{3}
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
\field{sortinit}{4}
\field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{title}{BPF performance tools}
@@ -600,8 +636,8 @@
\strng{authorbibnamehash}{729670cd9d39b9b575390147a29d51d7}
\strng{authornamehash}{729670cd9d39b9b575390147a29d51d7}
\strng{authorfullhash}{729670cd9d39b9b575390147a29d51d7}
\field{sortinit}{4}
\field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4}
\field{sortinit}{5}
\field{sortinithash}{5dd416adbafacc8226114bc0202d5fdd}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{12}
@@ -634,8 +670,8 @@
\strng{authornamehash}{0fcaa32b080db12cbc8b11b27d05ad61}
\strng{authorfullhash}{0fcaa32b080db12cbc8b11b27d05ad61}
\field{extraname}{1}
\field{sortinit}{4}
\field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4}
\field{sortinit}{5}
\field{sortinithash}{5dd416adbafacc8226114bc0202d5fdd}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{11}
@@ -839,8 +875,8 @@
\endverb
\endentry
\entry{bpf_syscall}{manual}{}
\field{sortinit}{5}
\field{sortinithash}{5dd416adbafacc8226114bc0202d5fdd}
\field{sortinit}{6}
\field{sortinithash}{7851c86048328b027313775d8fbd2131}
\field{labeltitlesource}{title}
\field{title}{bpf(2)- Linux manual page}
\verb{urlraw}
@@ -876,8 +912,8 @@
\strng{authorbibnamehash}{78dcb92591468323e355b4f87108649d}
\strng{authornamehash}{78dcb92591468323e355b4f87108649d}
\strng{authorfullhash}{78dcb92591468323e355b4f87108649d}
\field{sortinit}{6}
\field{sortinithash}{7851c86048328b027313775d8fbd2131}
\field{sortinit}{7}
\field{sortinithash}{f615fb9c6fba11c6f962fb3fd599810e}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{3}
@@ -893,8 +929,8 @@
\endverb
\endentry
\entry{xdp_manual}{manual}{}
\field{sortinit}{6}
\field{sortinithash}{7851c86048328b027313775d8fbd2131}
\field{sortinit}{7}
\field{sortinithash}{f615fb9c6fba11c6f962fb3fd599810e}
\field{labeltitlesource}{title}
\field{title}{XDP actions}
\verb{urlraw}
@@ -1090,8 +1126,8 @@
\endverb
\endentry
\entry{bcc_github}{online}{}
\field{sortinit}{7}
\field{sortinithash}{f615fb9c6fba11c6f962fb3fd599810e}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{labeltitlesource}{title}
\field{title}{BPF Compiler Collection (BCC)}
\verb{urlraw}
@@ -1102,8 +1138,8 @@
\endverb
\endentry
\entry{libbpf_github}{online}{}
\field{sortinit}{7}
\field{sortinithash}{f615fb9c6fba11c6f962fb3fd599810e}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{indextitle}{libbpf GitHub}
\verb{urlraw}
\verb https://github.com/libbpf/libbpf
@@ -1154,6 +1190,136 @@
\verb https://facebookmicrosites.github.io/bpf/blog/2020/02/19/bpf-portability-and-co-re.html
\endverb
\endentry
\entry{ubuntu_caps}{manual}{}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{labeltitlesource}{title}
\field{title}{capabilities - overview of Linux capabilities}
\verb{urlraw}
\verb http://manpages.ubuntu.com/manpages/trusty/man7/capabilities.7.html
\endverb
\verb{url}
\verb http://manpages.ubuntu.com/manpages/trusty/man7/capabilities.7.html
\endverb
\endentry
\entry{evil_ebpf_p9}{proceedings}{}
\name{author}{1}{}{%
{{hash=5142e68c748eb70cb619b21160eb7f72}{%
family={Dileo},
familyi={D\bibinitperiod},
given={Jeff},
giveni={J\bibinitperiod}}}%
}
\list{institution}{1}{%
{NCC Group}%
}
\list{organization}{1}{%
{DEFCON 27}%
}
\strng{namehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{fullhash}{5142e68c748eb70cb619b21160eb7f72}
\strng{bibnamehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{authorbibnamehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{authornamehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{authorfullhash}{5142e68c748eb70cb619b21160eb7f72}
\field{extraname}{2}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{labelnamesource}{author}
\field{eventtitle}{Evil eBPF Practical Abuses of an In-Kernel Bytecode Runtime}
\field{pages}{9}
\range{pages}{1}
\verb{urlraw}
\verb https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf
\endverb
\verb{url}
\verb https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf
\endverb
\endentry
\entry{ebpf_caps_intro}{online}{}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{labeltitlesource}{title}
\field{title}{[PATCH v7 bpf-next 1/3] bpf, capability: Introduce CAP\_BPF}
\verb{urlraw}
\verb https://lore.kernel.org/bpf/20200513230355.7858-2-alexei.starovoitov@gmail.com/
\endverb
\verb{url}
\verb https://lore.kernel.org/bpf/20200513230355.7858-2-alexei.starovoitov@gmail.com/
\endverb
\endentry
\entry{ebpf_caps_lwn}{online}{}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{labeltitlesource}{title}
\field{title}{capability: introduce CAP\_BPF and CAP\_TRACING}
\verb{urlraw}
\verb https://lwn.net/Articles/797807/
\endverb
\verb{url}
\verb https://lwn.net/Articles/797807/
\endverb
\endentry
\entry{unprivileged_ebpf}{online}{}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{labeltitlesource}{title}
\field{title}{Reconsidering unprivileged BPF}
\verb{urlraw}
\verb https://lwn.net/Articles/796328/
\endverb
\verb{url}
\verb https://lwn.net/Articles/796328/
\endverb
\endentry
\entry{cve_unpriv_ebpf}{online}{}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{labeltitlesource}{title}
\field{title}{CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability}
\verb{urlraw}
\verb https://www.openwall.com/lists/oss-security/2022/01/11/4
\endverb
\verb{url}
\verb https://www.openwall.com/lists/oss-security/2022/01/11/4
\endverb
\endentry
\entry{unpriv_ebpf_ubuntu}{online}{}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{labeltitlesource}{title}
\field{title}{Unprivileged eBPF disabled by default for Ubuntu 20.04 LTS, 18.04 LTS, 16.04 ESM}
\verb{urlraw}
\verb https://discourse.ubuntu.com/t/unprivileged-ebpf-disabled-by-default-for-ubuntu-20-04-lts-18-04-lts-16-04-esm/27047
\endverb
\verb{url}
\verb https://discourse.ubuntu.com/t/unprivileged-ebpf-disabled-by-default-for-ubuntu-20-04-lts-18-04-lts-16-04-esm/27047
\endverb
\endentry
\entry{unpriv_ebpf_suse}{online}{}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{labeltitlesource}{title}
\field{title}{Security Hardening: Use of eBPF by unprivileged users has been disabled by default}
\verb{urlraw}
\verb https://www.suse.com/support/kb/doc/?id=000020545
\endverb
\verb{url}
\verb https://www.suse.com/support/kb/doc/?id=000020545
\endverb
\endentry
\entry{unpriv_ebpf_redhat}{online}{}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{labeltitlesource}{title}
\field{title}{CVE-2022-0002}
\verb{urlraw}
\verb https://access.redhat.com/security/cve/cve-2021-4001
\endverb
\verb{url}
\verb https://access.redhat.com/security/cve/cve-2021-4001
\endverb
\endentry
\entry{mem_page_arch}{online}{}
\name{author}{1}{}{%
{{hash=47635127541392c1419dbc4a4d3153c6}{%
@@ -1174,8 +1340,8 @@
\strng{authorbibnamehash}{47635127541392c1419dbc4a4d3153c6}
\strng{authornamehash}{47635127541392c1419dbc4a4d3153c6}
\strng{authorfullhash}{47635127541392c1419dbc4a4d3153c6}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{1}
@@ -1204,8 +1370,8 @@
\strng{authorbibnamehash}{28efc25c8eae7f3d05fad64c4679158f}
\strng{authornamehash}{28efc25c8eae7f3d05fad64c4679158f}
\strng{authorfullhash}{28efc25c8eae7f3d05fad64c4679158f}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{19}
@@ -1234,8 +1400,8 @@
\strng{authorbibnamehash}{c6b49e9e6fbe96fdd89720e842dc0b03}
\strng{authornamehash}{c6b49e9e6fbe96fdd89720e842dc0b03}
\strng{authorfullhash}{c6b49e9e6fbe96fdd89720e842dc0b03}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{23}
@@ -1267,8 +1433,8 @@
\strng{authornamehash}{871f02558cb7234c22cde24811cf53a7}
\strng{authorfullhash}{871f02558cb7234c22cde24811cf53a7}
\field{extraname}{1}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{28}
@@ -1286,8 +1452,8 @@
\endverb
\endentry
\entry{rop_prog_finder}{online}{}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{labeltitlesource}{title}
\field{title}{ROPgadget Tool}
\verb{urlraw}
@@ -1309,8 +1475,8 @@
\strng{authorbibnamehash}{ed79ecb3ff4a83522b186b5e3fa37b0d}
\strng{authornamehash}{ed79ecb3ff4a83522b186b5e3fa37b0d}
\strng{authorfullhash}{ed79ecb3ff4a83522b186b5e3fa37b0d}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{28}
@@ -1329,8 +1495,8 @@
\list{organization}{1}{%
{IBM}%
}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{labeltitlesource}{title}
\field{day}{19}
\field{month}{4}
@@ -1345,8 +1511,8 @@
\endverb
\endentry
\entry{tcp_handshake}{online}{}
\field{sortinit}{8}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{title}{Three-Way Handshake}
\verb{urlraw}
@@ -1357,8 +1523,8 @@
\endverb
\endentry
\entry{elf}{manual}{}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{title}{ELF}
\verb{urlraw}
@@ -1382,8 +1548,8 @@
\strng{authorbibnamehash}{9724da855997a02e74ee77d11b4d64e2}
\strng{authornamehash}{9724da855997a02e74ee77d11b4d64e2}
\strng{authorfullhash}{9724da855997a02e74ee77d11b4d64e2}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{19}
@@ -1412,8 +1578,8 @@
\strng{authorbibnamehash}{4e4902d108d0796e7e54d06a47cfe1ee}
\strng{authornamehash}{4e4902d108d0796e7e54d06a47cfe1ee}
\strng{authorfullhash}{4e4902d108d0796e7e54d06a47cfe1ee}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{11}
@@ -1429,8 +1595,8 @@
\endverb
\endentry
\entry{aslr_pie_intro}{online}{}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{title}{aslr/pie intro}
\verb{urlraw}
@@ -1454,8 +1620,8 @@
\strng{authorbibnamehash}{b77619d1671f5a819a9a13e8e0f51723}
\strng{authornamehash}{b77619d1671f5a819a9a13e8e0f51723}
\strng{authorfullhash}{b77619d1671f5a819a9a13e8e0f51723}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{28}
@@ -1484,8 +1650,8 @@
\strng{authorbibnamehash}{3de76fe0797950a06f4be8a7bf380d22}
\strng{authornamehash}{3de76fe0797950a06f4be8a7bf380d22}
\strng{authorfullhash}{3de76fe0797950a06f4be8a7bf380d22}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{1}
@@ -1514,8 +1680,8 @@
\strng{authorbibnamehash}{b51b9464b5589cf5380e3b897d0a43b6}
\strng{authornamehash}{b51b9464b5589cf5380e3b897d0a43b6}
\strng{authorfullhash}{b51b9464b5589cf5380e3b897d0a43b6}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{21}
@@ -1530,136 +1696,6 @@
\verb https://www.phoronix.com/scan.php?page=news_item&px=Intel-CET-v29
\endverb
\endentry
\entry{ubuntu_caps}{manual}{}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{labeltitlesource}{title}
\field{title}{capabilities - overview of Linux capabilities}
\verb{urlraw}
\verb http://manpages.ubuntu.com/manpages/trusty/man7/capabilities.7.html
\endverb
\verb{url}
\verb http://manpages.ubuntu.com/manpages/trusty/man7/capabilities.7.html
\endverb
\endentry
\entry{evil_ebpf_p9}{proceedings}{}
\name{author}{1}{}{%
{{hash=5142e68c748eb70cb619b21160eb7f72}{%
family={Dileo},
familyi={D\bibinitperiod},
given={Jeff},
giveni={J\bibinitperiod}}}%
}
\list{institution}{1}{%
{NCC Group}%
}
\list{organization}{1}{%
{DEFCON 27}%
}
\strng{namehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{fullhash}{5142e68c748eb70cb619b21160eb7f72}
\strng{bibnamehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{authorbibnamehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{authornamehash}{5142e68c748eb70cb619b21160eb7f72}
\strng{authorfullhash}{5142e68c748eb70cb619b21160eb7f72}
\field{extraname}{2}
\field{sortinit}{9}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0}
\field{labelnamesource}{author}
\field{eventtitle}{Evil eBPF Practical Abuses of an In-Kernel Bytecode Runtime}
\field{pages}{9}
\range{pages}{1}
\verb{urlraw}
\verb https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf
\endverb
\verb{url}
\verb https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf
\endverb
\endentry
\entry{ebpf_caps_intro}{online}{}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{title}{[PATCH v7 bpf-next 1/3] bpf, capability: Introduce CAP\_BPF}
\verb{urlraw}
\verb https://lore.kernel.org/bpf/20200513230355.7858-2-alexei.starovoitov@gmail.com/
\endverb
\verb{url}
\verb https://lore.kernel.org/bpf/20200513230355.7858-2-alexei.starovoitov@gmail.com/
\endverb
\endentry
\entry{ebpf_caps_lwn}{online}{}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{title}{capability: introduce CAP\_BPF and CAP\_TRACING}
\verb{urlraw}
\verb https://lwn.net/Articles/797807/
\endverb
\verb{url}
\verb https://lwn.net/Articles/797807/
\endverb
\endentry
\entry{unprivileged_ebpf}{online}{}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{title}{Reconsidering unprivileged BPF}
\verb{urlraw}
\verb https://lwn.net/Articles/796328/
\endverb
\verb{url}
\verb https://lwn.net/Articles/796328/
\endverb
\endentry
\entry{cve_unpriv_ebpf}{online}{}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{title}{CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability}
\verb{urlraw}
\verb https://www.openwall.com/lists/oss-security/2022/01/11/4
\endverb
\verb{url}
\verb https://www.openwall.com/lists/oss-security/2022/01/11/4
\endverb
\endentry
\entry{unpriv_ebpf_ubuntu}{online}{}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{title}{Unprivileged eBPF disabled by default for Ubuntu 20.04 LTS, 18.04 LTS, 16.04 ESM}
\verb{urlraw}
\verb https://discourse.ubuntu.com/t/unprivileged-ebpf-disabled-by-default-for-ubuntu-20-04-lts-18-04-lts-16-04-esm/27047
\endverb
\verb{url}
\verb https://discourse.ubuntu.com/t/unprivileged-ebpf-disabled-by-default-for-ubuntu-20-04-lts-18-04-lts-16-04-esm/27047
\endverb
\endentry
\entry{unpriv_ebpf_suse}{online}{}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{title}{Security Hardening: Use of eBPF by unprivileged users has been disabled by default}
\verb{urlraw}
\verb https://www.suse.com/support/kb/doc/?id=000020545
\endverb
\verb{url}
\verb https://www.suse.com/support/kb/doc/?id=000020545
\endverb
\endentry
\entry{unpriv_ebpf_redhat}{online}{}
\field{sortinit}{1}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title}
\field{title}{CVE-2022-0002}
\verb{urlraw}
\verb https://access.redhat.com/security/cve/cve-2021-4001
\endverb
\verb{url}
\verb https://access.redhat.com/security/cve/cve-2021-4001
\endverb
\endentry
\entry{8664_params_abi}{manual}{}
\name{author}{1}{}{%
{{hash=871f02558cb7234c22cde24811cf53a7}{%

203
docs/document.bcf
View File

@@ -2348,118 +2348,119 @@
<bcf:datasource type="file" datatype="bibtex" glob="false">bibliography/bibliography.bib</bcf:datasource>
</bcf:bibdata>
<bcf:section number="0">
<bcf:citekey order="14">ransomware_pwc</bcf:citekey>
<bcf:citekey order="15">rootkit_ptsecurity</bcf:citekey>
<bcf:citekey order="16">ebpf_linux318</bcf:citekey>
<bcf:citekey order="17">bvp47_report</bcf:citekey>
<bcf:citekey order="18">bpfdoor_pwc</bcf:citekey>
<bcf:citekey order="19">ebpf_windows</bcf:citekey>
<bcf:citekey order="20">ebpf_android</bcf:citekey>
<bcf:citekey order="21">evil_ebpf</bcf:citekey>
<bcf:citekey order="22">bad_ebpf</bcf:citekey>
<bcf:citekey order="23">ebpf_friends</bcf:citekey>
<bcf:citekey order="24">ebpf_io</bcf:citekey>
<bcf:citekey order="25">bpf_bsd_origin</bcf:citekey>
<bcf:citekey order="26">ebpf_history_opensource</bcf:citekey>
<bcf:citekey order="27">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="28">index_register</bcf:citekey>
<bcf:citekey order="29">bpf_bsd_origin_bpf_page5</bcf:citekey>
<bcf:citekey order="30">bpf_organicprogrammer_analysis</bcf:citekey>
<bcf:citekey order="31">bpf_bsd_origin_bpf_page7</bcf:citekey>
<bcf:citekey order="32">bpf_bsd_origin_bpf_page8</bcf:citekey>
<bcf:citekey order="15">ransomware_pwc</bcf:citekey>
<bcf:citekey order="16">rootkit_ptsecurity</bcf:citekey>
<bcf:citekey order="17">ebpf_linux318</bcf:citekey>
<bcf:citekey order="18">bvp47_report</bcf:citekey>
<bcf:citekey order="19">bpfdoor_pwc</bcf:citekey>
<bcf:citekey order="20">ebpf_windows</bcf:citekey>
<bcf:citekey order="21">ebpf_android</bcf:citekey>
<bcf:citekey order="22">evil_ebpf</bcf:citekey>
<bcf:citekey order="23">bad_ebpf</bcf:citekey>
<bcf:citekey order="24">ebpf_friends</bcf:citekey>
<bcf:citekey order="25">ebpf_io</bcf:citekey>
<bcf:citekey order="26">bpf_bsd_origin</bcf:citekey>
<bcf:citekey order="27">ebpf_history_opensource</bcf:citekey>
<bcf:citekey order="28">bpf_bsd_origin_bpf_page2</bcf:citekey>
<bcf:citekey order="29">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="30">index_register</bcf:citekey>
<bcf:citekey order="31">bpf_bsd_origin_bpf_page5</bcf:citekey>
<bcf:citekey order="32">bpf_organicprogrammer_analysis</bcf:citekey>
<bcf:citekey order="33">bpf_bsd_origin_bpf_page8</bcf:citekey>
<bcf:citekey order="34">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="35">tcpdump_page</bcf:citekey>
<bcf:citekey order="36">ebpf_funcs_by_ver</bcf:citekey>
<bcf:citekey order="37">ebpf_funcs_by_ver</bcf:citekey>
<bcf:citekey order="38">brendan_gregg_bpf_book</bcf:citekey>
<bcf:citekey order="39">brendan_gregg_bpf_book</bcf:citekey>
<bcf:citekey order="40">ebpf_io_arch</bcf:citekey>
<bcf:citekey order="41">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="42">8664_inst_set_specs</bcf:citekey>
<bcf:citekey order="34">bpf_bsd_origin_bpf_page7</bcf:citekey>
<bcf:citekey order="35">bpf_bsd_origin_bpf_page8</bcf:citekey>
<bcf:citekey order="36">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="37">tcpdump_page</bcf:citekey>
<bcf:citekey order="38">ebpf_funcs_by_ver</bcf:citekey>
<bcf:citekey order="39">ebpf_funcs_by_ver</bcf:citekey>
<bcf:citekey order="40">brendan_gregg_bpf_book</bcf:citekey>
<bcf:citekey order="41">brendan_gregg_bpf_book</bcf:citekey>
<bcf:citekey order="42">ebpf_io_arch</bcf:citekey>
<bcf:citekey order="43">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="44">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="45">ebpf_starovo_slides</bcf:citekey>
<bcf:citekey order="44">8664_inst_set_specs</bcf:citekey>
<bcf:citekey order="45">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="46">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="47">ebpf_starovo_slides</bcf:citekey>
<bcf:citekey order="48">ebpf_JIT</bcf:citekey>
<bcf:citekey order="49">ebpf_JIT_demystify_page13</bcf:citekey>
<bcf:citekey order="50">ebpf_JIT_demystify_page14</bcf:citekey>
<bcf:citekey order="51">jit_enable_setting</bcf:citekey>
<bcf:citekey order="52">ebpf_starovo_slides_page23</bcf:citekey>
<bcf:citekey order="53">brendan_gregg_bpf_book_bpf_vm</bcf:citekey>
<bcf:citekey order="54">ebpf_verifier_kerneldocs</bcf:citekey>
<bcf:citekey order="55">ebpf_JIT_demystify_page17-22</bcf:citekey>
<bcf:citekey order="56">ebpf_bounded_loops</bcf:citekey>
<bcf:citekey order="57">ebpf_maps_kernel</bcf:citekey>
<bcf:citekey order="58">bpf_syscall</bcf:citekey>
<bcf:citekey order="59">bpf_syscall</bcf:citekey>
<bcf:citekey order="48">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="49">ebpf_starovo_slides</bcf:citekey>
<bcf:citekey order="50">ebpf_JIT</bcf:citekey>
<bcf:citekey order="51">ebpf_JIT_demystify_page13</bcf:citekey>
<bcf:citekey order="52">ebpf_JIT_demystify_page14</bcf:citekey>
<bcf:citekey order="53">jit_enable_setting</bcf:citekey>
<bcf:citekey order="54">ebpf_starovo_slides_page23</bcf:citekey>
<bcf:citekey order="55">brendan_gregg_bpf_book_bpf_vm</bcf:citekey>
<bcf:citekey order="56">ebpf_verifier_kerneldocs</bcf:citekey>
<bcf:citekey order="57">ebpf_JIT_demystify_page17-22</bcf:citekey>
<bcf:citekey order="58">ebpf_bounded_loops</bcf:citekey>
<bcf:citekey order="59">ebpf_maps_kernel</bcf:citekey>
<bcf:citekey order="60">bpf_syscall</bcf:citekey>
<bcf:citekey order="61">bpf_syscall</bcf:citekey>
<bcf:citekey order="62">bpf_syscall</bcf:citekey>
<bcf:citekey order="63">bpf_syscall</bcf:citekey>
<bcf:citekey order="64">bpf_syscall</bcf:citekey>
<bcf:citekey order="65">ebpf_helpers</bcf:citekey>
<bcf:citekey order="66">ebpf_helpers</bcf:citekey>
<bcf:citekey order="65">bpf_syscall</bcf:citekey>
<bcf:citekey order="66">bpf_syscall</bcf:citekey>
<bcf:citekey order="67">ebpf_helpers</bcf:citekey>
<bcf:citekey order="68">xdp_gentle_intro</bcf:citekey>
<bcf:citekey order="69">xdp_manual</bcf:citekey>
<bcf:citekey order="70">tc_differences</bcf:citekey>
<bcf:citekey order="71">tc_docs_complete</bcf:citekey>
<bcf:citekey order="72">tc_direct_action</bcf:citekey>
<bcf:citekey order="73">tc_ret_list_complete</bcf:citekey>
<bcf:citekey order="74">tc_ret_list_complete</bcf:citekey>
<bcf:citekey order="75">tp_kernel</bcf:citekey>
<bcf:citekey order="76">kprobe_manual</bcf:citekey>
<bcf:citekey order="77">kallsyms_kernel</bcf:citekey>
<bcf:citekey order="78">bcc_github</bcf:citekey>
<bcf:citekey order="79">libbpf_github</bcf:citekey>
<bcf:citekey order="80">libbpf_upstream</bcf:citekey>
<bcf:citekey order="81">libbpf_core</bcf:citekey>
<bcf:citekey order="82">ubuntu_caps</bcf:citekey>
<bcf:citekey order="83">evil_ebpf_p9</bcf:citekey>
<bcf:citekey order="84">ebpf_caps_intro</bcf:citekey>
<bcf:citekey order="85">ebpf_caps_lwn</bcf:citekey>
<bcf:citekey order="86">unprivileged_ebpf</bcf:citekey>
<bcf:citekey order="87">cve_unpriv_ebpf</bcf:citekey>
<bcf:citekey order="88">unpriv_ebpf_ubuntu</bcf:citekey>
<bcf:citekey order="89">unpriv_ebpf_suse</bcf:citekey>
<bcf:citekey order="90">unpriv_ebpf_redhat</bcf:citekey>
<bcf:citekey order="91">mem_page_arch</bcf:citekey>
<bcf:citekey order="92">page_faults</bcf:citekey>
<bcf:citekey order="93">mem_arch_proc</bcf:citekey>
<bcf:citekey order="94">8664_params_abi_p18</bcf:citekey>
<bcf:citekey order="95">rop_prog_finder</bcf:citekey>
<bcf:citekey order="96">network_layers</bcf:citekey>
<bcf:citekey order="97">tcp_reliable</bcf:citekey>
<bcf:citekey order="98">tcp_handshake</bcf:citekey>
<bcf:citekey order="99">elf</bcf:citekey>
<bcf:citekey order="100">plt_got_overlord</bcf:citekey>
<bcf:citekey order="101">plt_got_technovelty</bcf:citekey>
<bcf:citekey order="102">aslr_pie_intro</bcf:citekey>
<bcf:citekey order="103">aslr_pie_intro</bcf:citekey>
<bcf:citekey order="104">relro_redhat</bcf:citekey>
<bcf:citekey order="105">cet_windows</bcf:citekey>
<bcf:citekey order="106">cet_linux</bcf:citekey>
<bcf:citekey order="107">8664_params_abi</bcf:citekey>
<bcf:citekey order="108">ebpf_friends_p15</bcf:citekey>
<bcf:citekey order="109">ebpf_override_return</bcf:citekey>
<bcf:citekey order="110">code_kernel_open</bcf:citekey>
<bcf:citekey order="111">code_kernel_open</bcf:citekey>
<bcf:citekey order="112">code_kernel_syscall</bcf:citekey>
<bcf:citekey order="113">code_kernel_syscall</bcf:citekey>
<bcf:citekey order="114">fault_injection</bcf:citekey>
<bcf:citekey order="115">ebpf_helpers</bcf:citekey>
<bcf:citekey order="116">write_helper_non_fault</bcf:citekey>
<bcf:citekey order="117">code_vfs_read</bcf:citekey>
<bcf:citekey order="118">code_vfs_read</bcf:citekey>
<bcf:citekey order="119">evil_ebpf_p6974</bcf:citekey>
<bcf:citekey order="120">8664_params_abi_p1922</bcf:citekey>
<bcf:citekey order="68">ebpf_helpers</bcf:citekey>
<bcf:citekey order="69">ebpf_helpers</bcf:citekey>
<bcf:citekey order="70">xdp_gentle_intro</bcf:citekey>
<bcf:citekey order="71">xdp_manual</bcf:citekey>
<bcf:citekey order="72">tc_differences</bcf:citekey>
<bcf:citekey order="73">tc_docs_complete</bcf:citekey>
<bcf:citekey order="74">tc_direct_action</bcf:citekey>
<bcf:citekey order="75">tc_ret_list_complete</bcf:citekey>
<bcf:citekey order="76">tc_ret_list_complete</bcf:citekey>
<bcf:citekey order="77">tp_kernel</bcf:citekey>
<bcf:citekey order="78">kprobe_manual</bcf:citekey>
<bcf:citekey order="79">kallsyms_kernel</bcf:citekey>
<bcf:citekey order="80">bcc_github</bcf:citekey>
<bcf:citekey order="81">libbpf_github</bcf:citekey>
<bcf:citekey order="82">libbpf_upstream</bcf:citekey>
<bcf:citekey order="83">libbpf_core</bcf:citekey>
<bcf:citekey order="84">ubuntu_caps</bcf:citekey>
<bcf:citekey order="85">evil_ebpf_p9</bcf:citekey>
<bcf:citekey order="86">ebpf_caps_intro</bcf:citekey>
<bcf:citekey order="87">ebpf_caps_lwn</bcf:citekey>
<bcf:citekey order="88">unprivileged_ebpf</bcf:citekey>
<bcf:citekey order="89">cve_unpriv_ebpf</bcf:citekey>
<bcf:citekey order="90">unpriv_ebpf_ubuntu</bcf:citekey>
<bcf:citekey order="91">unpriv_ebpf_suse</bcf:citekey>
<bcf:citekey order="92">unpriv_ebpf_redhat</bcf:citekey>
<bcf:citekey order="93">mem_page_arch</bcf:citekey>
<bcf:citekey order="94">page_faults</bcf:citekey>
<bcf:citekey order="95">mem_arch_proc</bcf:citekey>
<bcf:citekey order="96">8664_params_abi_p18</bcf:citekey>
<bcf:citekey order="97">rop_prog_finder</bcf:citekey>
<bcf:citekey order="98">network_layers</bcf:citekey>
<bcf:citekey order="99">tcp_reliable</bcf:citekey>
<bcf:citekey order="100">tcp_handshake</bcf:citekey>
<bcf:citekey order="101">elf</bcf:citekey>
<bcf:citekey order="102">plt_got_overlord</bcf:citekey>
<bcf:citekey order="103">plt_got_technovelty</bcf:citekey>
<bcf:citekey order="104">aslr_pie_intro</bcf:citekey>
<bcf:citekey order="105">aslr_pie_intro</bcf:citekey>
<bcf:citekey order="106">relro_redhat</bcf:citekey>
<bcf:citekey order="107">cet_windows</bcf:citekey>
<bcf:citekey order="108">cet_linux</bcf:citekey>
<bcf:citekey order="109">8664_params_abi</bcf:citekey>
<bcf:citekey order="110">ebpf_friends_p15</bcf:citekey>
<bcf:citekey order="111">ebpf_override_return</bcf:citekey>
<bcf:citekey order="112">code_kernel_open</bcf:citekey>
<bcf:citekey order="113">code_kernel_open</bcf:citekey>
<bcf:citekey order="114">code_kernel_syscall</bcf:citekey>
<bcf:citekey order="115">code_kernel_syscall</bcf:citekey>
<bcf:citekey order="116">fault_injection</bcf:citekey>
<bcf:citekey order="117">ebpf_helpers</bcf:citekey>
<bcf:citekey order="118">write_helper_non_fault</bcf:citekey>
<bcf:citekey order="119">code_vfs_read</bcf:citekey>
<bcf:citekey order="120">code_vfs_read</bcf:citekey>
<bcf:citekey order="121">evil_ebpf_p6974</bcf:citekey>
<bcf:citekey order="122">evil_ebpf_p6974</bcf:citekey>
<bcf:citekey order="123">glibc</bcf:citekey>
<bcf:citekey order="124">canary_exploit</bcf:citekey>
<bcf:citekey order="125">pie_exploit</bcf:citekey>
<bcf:citekey order="122">8664_params_abi_p1922</bcf:citekey>
<bcf:citekey order="123">evil_ebpf_p6974</bcf:citekey>
<bcf:citekey order="124">evil_ebpf_p6974</bcf:citekey>
<bcf:citekey order="125">glibc</bcf:citekey>
<bcf:citekey order="126">canary_exploit</bcf:citekey>
<bcf:citekey order="127">pie_exploit</bcf:citekey>
</bcf:section>
<!-- SORTING TEMPLATES -->
<bcf:sortingtemplate name="none">

211
docs/document.blg
View File

@@ -1,107 +1,108 @@
[0] Config.pm:311> INFO - This is Biber 2.16
[0] Config.pm:314> INFO - Logfile is 'document.blg'
[59] biber:340> INFO - === Sat Jun 11, 2022, 12:41:51
[75] Biber.pm:415> INFO - Reading 'document.bcf'
[153] Biber.pm:952> INFO - Found 88 citekeys in bib section 0
[171] Biber.pm:4340> INFO - Processing section 0
[180] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[183] bibtex.pm:1689> INFO - LaTeX decoding ...
[216] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 9, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 15, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 22, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 28, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 35, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 42, warning: 1 characters of junk seen at toplevel
[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 50, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 58, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 65, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 70, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 77, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 85, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 94, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 103, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 112, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 121, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 127, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 132, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 137, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 142, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 153, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 158, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 164, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 170, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 175, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 184, warning: 1 characters of junk seen at toplevel
[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 191, warning: 1 characters of junk seen at toplevel
[400] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 199, warning: 1 characters of junk seen at toplevel
[400] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 206, warning: 1 characters of junk seen at toplevel
[400] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 215, warning: 1 characters of junk seen at toplevel
[400] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 224, warning: 1 characters of junk seen at toplevel
[400] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 233, warning: 1 characters of junk seen at toplevel
[400] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 239, warning: 1 characters of junk seen at toplevel
[400] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 244, warning: 1 characters of junk seen at toplevel
[400] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 249, warning: 1 characters of junk seen at toplevel
[400] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 256, warning: 1 characters of junk seen at toplevel
[400] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 261, warning: 1 characters of junk seen at toplevel
[400] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 266, warning: 1 characters of junk seen at toplevel
[400] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 271, warning: 1 characters of junk seen at toplevel
[400] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 276, warning: 1 characters of junk seen at toplevel
[400] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 283, warning: 1 characters of junk seen at toplevel
[400] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 288, warning: 1 characters of junk seen at toplevel
[400] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 295, warning: 1 characters of junk seen at toplevel
[400] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 302, warning: 1 characters of junk seen at toplevel
[400] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 309, warning: 1 characters of junk seen at toplevel
[400] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 315, warning: 1 characters of junk seen at toplevel
[400] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 321, warning: 1 characters of junk seen at toplevel
[400] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 327, warning: 1 characters of junk seen at toplevel
[401] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 334, warning: 1 characters of junk seen at toplevel
[401] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 339, warning: 1 characters of junk seen at toplevel
[401] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 344, warning: 1 characters of junk seen at toplevel
[401] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 349, warning: 1 characters of junk seen at toplevel
[401] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 356, warning: 1 characters of junk seen at toplevel
[401] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 361, warning: 1 characters of junk seen at toplevel
[401] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 366, warning: 1 characters of junk seen at toplevel
[401] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 375, warning: 1 characters of junk seen at toplevel
[401] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 380, warning: 1 characters of junk seen at toplevel
[401] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 385, warning: 1 characters of junk seen at toplevel
[401] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 390, warning: 1 characters of junk seen at toplevel
[401] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 395, warning: 1 characters of junk seen at toplevel
[401] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 400, warning: 1 characters of junk seen at toplevel
[401] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 405, warning: 1 characters of junk seen at toplevel
[401] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 410, warning: 1 characters of junk seen at toplevel
[401] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 419, warning: 1 characters of junk seen at toplevel
[401] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 428, warning: 1 characters of junk seen at toplevel
[401] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 433, warning: 1 characters of junk seen at toplevel
[401] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 438, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 443, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 449, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 459, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 466, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 473, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 482, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 487, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 492, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 501, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 508, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 515, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 520, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 529, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 538, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 543, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 548, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 555, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 562, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 567, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 572, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 577, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 584, warning: 1 characters of junk seen at toplevel
[402] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 591, warning: 1 characters of junk seen at toplevel
[403] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_l5xw/f4d088b3f9f145b5c3058da33afd57d4_19342.utf8, line 598, warning: 1 characters of junk seen at toplevel
[455] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[456] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[456] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[456] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[503] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[523] bbl.pm:757> INFO - Output to document.bbl
[524] Biber.pm:128> INFO - WARNINGS: 91
[59] biber:340> INFO - === Sat Jun 11, 2022, 13:49:30
[71] Biber.pm:415> INFO - Reading 'document.bcf'
[148] Biber.pm:952> INFO - Found 89 citekeys in bib section 0
[163] Biber.pm:4340> INFO - Processing section 0
[171] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[173] bibtex.pm:1689> INFO - LaTeX decoding ...
[206] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[364] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 9, warning: 1 characters of junk seen at toplevel
[364] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 15, warning: 1 characters of junk seen at toplevel
[364] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 22, warning: 1 characters of junk seen at toplevel
[364] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 28, warning: 1 characters of junk seen at toplevel
[365] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 35, warning: 1 characters of junk seen at toplevel
[365] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 42, warning: 1 characters of junk seen at toplevel
[365] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 50, warning: 1 characters of junk seen at toplevel
[365] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 58, warning: 1 characters of junk seen at toplevel
[365] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 65, warning: 1 characters of junk seen at toplevel
[365] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 70, warning: 1 characters of junk seen at toplevel
[365] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 77, warning: 1 characters of junk seen at toplevel
[365] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 85, warning: 1 characters of junk seen at toplevel
[365] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 94, warning: 1 characters of junk seen at toplevel
[365] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 103, warning: 1 characters of junk seen at toplevel
[365] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 112, warning: 1 characters of junk seen at toplevel
[365] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 121, warning: 1 characters of junk seen at toplevel
[365] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 130, warning: 1 characters of junk seen at toplevel
[365] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 136, warning: 1 characters of junk seen at toplevel
[365] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 141, warning: 1 characters of junk seen at toplevel
[365] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 146, warning: 1 characters of junk seen at toplevel
[365] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 151, warning: 1 characters of junk seen at toplevel
[365] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 162, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 167, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 173, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 179, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 184, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 193, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 200, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 208, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 215, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 224, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 233, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 242, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 248, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 253, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 258, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 265, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 270, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 275, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 280, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 285, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 292, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 297, warning: 1 characters of junk seen at toplevel
[366] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 304, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 311, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 318, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 324, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 330, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 336, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 343, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 348, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 353, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 358, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 365, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 370, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 375, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 384, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 389, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 394, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 399, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 404, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 409, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 414, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 419, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 428, warning: 1 characters of junk seen at toplevel
[367] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 437, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 442, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 447, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 452, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 458, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 468, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 475, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 482, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 491, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 496, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 501, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 510, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 517, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 524, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 529, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 538, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 547, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 552, warning: 1 characters of junk seen at toplevel
[368] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 557, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 564, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 571, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 576, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 581, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 586, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 593, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 600, warning: 1 characters of junk seen at toplevel
[369] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_xRwn/f4d088b3f9f145b5c3058da33afd57d4_21103.utf8, line 607, warning: 1 characters of junk seen at toplevel
[423] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[423] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[423] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[423] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[470] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[490] bbl.pm:757> INFO - Output to document.bbl
[490] Biber.pm:128> INFO - WARNINGS: 92

44
docs/document.lof
View File

@@ -5,23 +5,23 @@
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.1}{\ignorespaces Sketch of the functionality of classic BPF\relax }}{6}{figure.caption.7}%
\contentsline {figure}{\numberline {2.1}{\ignorespaces Functionality of classic BPF. Based on the figure at the original paper \cite {bpf_bsd_origin_bpf_page2}.\relax }}{6}{figure.caption.7}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.2}{\ignorespaces Execution of a BPF filter.\relax }}{7}{figure.caption.8}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.3}{\ignorespaces Table of supported classic BPF instructions, as shown by McCanne and Jacobson\cite {bpf_bsd_origin_bpf_page7}\relax }}{8}{figure.caption.10}%
\contentsline {figure}{\numberline {2.3}{\ignorespaces Supported classic BPF instructions, as shown by McCanne and Jacobson \cite {bpf_bsd_origin_bpf_page7}\relax }}{9}{figure.caption.10}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.4}{\ignorespaces Table explaining the column address modes in Figure\ref {fig:bpf_instructions}, as shown by McCanne and Jacobson\cite {bpf_bsd_origin_bpf_page8}\relax }}{9}{figure.caption.11}%
\contentsline {figure}{\numberline {2.4}{\ignorespaces BPF address modes, as shown by McCanne and Jacobson \cite {bpf_bsd_origin_bpf_page8}\relax }}{9}{figure.caption.11}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.5}{\ignorespaces BPF bytecode tcpdump needs to set a filter to display packets directed to port 80.\relax }}{10}{figure.caption.12}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.6}{\ignorespaces Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }}{11}{figure.caption.13}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.7}{\ignorespaces Figure showing overall eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on\cite {brendan_gregg_bpf_book} and \cite {ebpf_io_arch}.\relax }}{12}{figure.caption.15}%
\contentsline {figure}{\numberline {2.7}{\ignorespaces eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on \cite {brendan_gregg_bpf_book} and \cite {ebpf_io_arch}.\relax }}{12}{figure.caption.15}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.8}{\ignorespaces Figure showing how the eBPF XDP and TC modules are integrated in the network processing in the Linux kernel.\relax }}{19}{figure.caption.23}%
\contentsline {figure}{\numberline {2.8}{\ignorespaces XDP and TC modules integration in the network processing module of the Linux kernel.\relax }}{19}{figure.caption.23}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.9}{\ignorespaces Sketch of the compilation and loading process of a program developed with libbpf.\relax }}{25}{figure.caption.28}%
\contentsline {figure}{\numberline {2.9}{\ignorespaces Compilation and loading process of a program developed with libbpf.\relax }}{25}{figure.caption.28}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.10}{\ignorespaces Memory translation of virtual pages to physical pages.\relax }}{28}{figure.caption.33}%
\defcounter {refsection}{0}\relax
@@ -29,13 +29,13 @@
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.12}{\ignorespaces Minor page fault after a fork() in which the page table was not copied completely.\relax }}{30}{figure.caption.35}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.13}{\ignorespaces Virtual memory architecture of a process\cite {mem_arch_proc}.\relax }}{31}{figure.caption.36}%
\contentsline {figure}{\numberline {2.13}{\ignorespaces Virtual memory architecture of a process \cite {mem_arch_proc}.\relax }}{30}{figure.caption.36}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.14}{\ignorespaces Simplified stack representation showing only stack frames.\relax }}{32}{figure.caption.37}%
\contentsline {figure}{\numberline {2.14}{\ignorespaces Simplified stack representation showing only stack frames.\relax }}{31}{figure.caption.37}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.15}{\ignorespaces Representation of push and pop operations in the stack.\relax }}{33}{figure.caption.39}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.16}{\ignorespaces Stack representation right before starting the function call process.\relax }}{34}{figure.caption.40}%
\contentsline {figure}{\numberline {2.16}{\ignorespaces Stack representation right before starting the function call process.\relax }}{33}{figure.caption.40}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.17}{\ignorespaces Stack representation right after the function preamble.\relax }}{34}{figure.caption.41}%
\defcounter {refsection}{0}\relax
@@ -47,37 +47,37 @@
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.21}{\ignorespaces Steps for executing code sample using ROP.\relax }}{40}{figure.caption.45}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.22}{\ignorespaces Ethernet frame with TCP/IP packet.\relax }}{42}{figure.caption.46}%
\contentsline {figure}{\numberline {2.22}{\ignorespaces Ethernet frame with TCP/IP packet.\relax }}{41}{figure.caption.46}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.23}{\ignorespaces TCP 3-way handshake.\relax }}{44}{figure.caption.48}%
\contentsline {figure}{\numberline {2.23}{\ignorespaces TCP 3-way handshake.\relax }}{43}{figure.caption.48}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.24}{\ignorespaces TCP packet retransmission on timeout.\relax }}{45}{figure.caption.49}%
\contentsline {figure}{\numberline {2.24}{\ignorespaces TCP packet retransmission on timeout.\relax }}{44}{figure.caption.49}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.25}{\ignorespaces PLT stub for timerfd\_settime, seen from gdb-peda.\relax }}{48}{figure.caption.52}%
\contentsline {figure}{\numberline {2.25}{\ignorespaces PLT stub for timerfd\_settime, seen from gdb-peda.\relax }}{47}{figure.caption.52}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.26}{\ignorespaces Inspecting address stored in GOT section before dynamic linking, seen from gdb-peda.\relax }}{48}{figure.caption.53}%
\contentsline {figure}{\numberline {2.26}{\ignorespaces Inspecting address stored in GOT section before dynamic linking, seen from gdb-peda.\relax }}{47}{figure.caption.53}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.27}{\ignorespaces Inspecting address stored in GOT section after dynamic linking, seen from gdb-peda.\relax }}{48}{figure.caption.54}%
\contentsline {figure}{\numberline {2.27}{\ignorespaces Inspecting address stored in GOT section after dynamic linking, seen from gdb-peda.\relax }}{47}{figure.caption.54}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.28}{\ignorespaces Glibc function to which PLT jumps using address stored at GOT, seen from gdb-peda.\relax }}{48}{figure.caption.55}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {3.1}{\ignorespaces Overview of stack scanning and writing technique.\relax }}{60}{figure.caption.58}%
\contentsline {figure}{\numberline {3.1}{\ignorespaces Overview of stack scanning and writing technique.\relax }}{58}{figure.caption.58}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {3.2}{\ignorespaces Technique to duplicate a packet for exfiltrating data.\relax }}{64}{figure.caption.59}%
\contentsline {figure}{\numberline {3.2}{\ignorespaces Technique to duplicate a packet for exfiltrating data.\relax }}{62}{figure.caption.59}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {4.1}{\ignorespaces Initial setup for the ROP with eBPF technique.\relax }}{67}{figure.caption.60}%
\contentsline {figure}{\numberline {4.1}{\ignorespaces Initial setup for the ROP with eBPF technique.\relax }}{65}{figure.caption.60}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {4.2}{\ignorespaces Process memory after syscall exits and ROP code overwrites the stack.\relax }}{68}{figure.caption.61}%
\contentsline {figure}{\numberline {4.2}{\ignorespaces Process memory after syscall exits and ROP code overwrites the stack.\relax }}{66}{figure.caption.61}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {4.3}{\ignorespaces Stack data is restored and program continues its execution.\relax }}{69}{figure.caption.62}%
\contentsline {figure}{\numberline {4.3}{\ignorespaces Stack data is restored and program continues its execution.\relax }}{67}{figure.caption.62}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {4.4}{\ignorespaces Two runs of the same executable using ASLR, showing a library and two symbols.\relax }}{70}{figure.caption.63}%
\contentsline {figure}{\numberline {4.4}{\ignorespaces Two runs of the same executable using ASLR, showing a library and two symbols.\relax }}{68}{figure.caption.63}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {4.5}{\ignorespaces Call to the glibc function, using objdump\relax }}{72}{figure.caption.64}%
\contentsline {figure}{\numberline {4.5}{\ignorespaces Call to the glibc function, using objdump\relax }}{70}{figure.caption.64}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax

403
docs/document.log
View File

@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 11 JUN 2022 12:59
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 11 JUN 2022 16:30
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.
@@ -1089,7 +1089,7 @@ File: t1txss.fd 2000/12/15 v3.1
)
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 11.39996pt on input line 186.
<images//Portada_Logo.png, id=285, 456.2865pt x 45.99pt>
<images//Portada_Logo.png, id=293, 456.2865pt x 45.99pt>
File: images//Portada_Logo.png Graphic file (type png)
<use images//Portada_Logo.png>
Package pdftex.def Info: images//Portada_Logo.png used on input line 190.
@@ -1102,7 +1102,7 @@ LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 23.63593pt on input line 201.
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 19.70294pt on input line 205.
<images/creativecommons.png, id=287, 338.76563pt x 118.19156pt>
<images/creativecommons.png, id=295, 338.76563pt x 118.19156pt>
File: images/creativecommons.png Graphic file (type png)
<use images/creativecommons.png>
Package pdftex.def Info: images/creativecommons.png used on input line 215.
@@ -1187,13 +1187,13 @@ File: utxsyc.fd 2000/12/15 v3.1
\openout7 = `document.lof'.
[12] [13]
(./document.lot [14
])
(./document.lot)
\tf@lot=\write8
\openout8 = `document.lot'.
[15] [16] (./chapters/chapter1.tex
[14
] [15] [16] (./chapters/chapter1.tex
Chapter 1.
LaTeX Font Info: Trying to load font information for TS1+txr on input line 1
8.
@@ -1210,7 +1210,7 @@ Overfull \hbox (0.50073pt too wide) in paragraph at lines 43--44
[3]) (./chapters/chapter2.tex [4]
Chapter 2.
<images//classic_bpf.jpg, id=722, 588.1975pt x 432.61626pt>
<images//classic_bpf.jpg, id=728, 588.1975pt x 432.61626pt>
File: images//classic_bpf.jpg Graphic file (type jpg)
<use images//classic_bpf.jpg>
Package pdftex.def Info: images//classic_bpf.jpg used on input line 20.
@@ -1218,193 +1218,175 @@ Package pdftex.def Info: images//classic_bpf.jpg used on input line 20.
[5
] [6 <./images//classic_bpf.jpg>]
<images//cbpf_prog.jpg, id=740, 403.5075pt x 451.6875pt>
<images//cbpf_prog.jpg, id=749, 403.5075pt x 451.6875pt>
File: images//cbpf_prog.jpg Graphic file (type jpg)
<use images//cbpf_prog.jpg>
Package pdftex.def Info: images//cbpf_prog.jpg used on input line 47.
Package pdftex.def Info: images//cbpf_prog.jpg used on input line 55.
(pdftex.def) Requested size: 227.62204pt x 254.80415pt.
[7 <./images/cBPF_prog.jpg>]
<images//bpf_instructions.png, id=751, 380.92313pt x 475.27562pt>
<images//bpf_instructions.png, id=761, 380.92313pt x 475.27562pt>
File: images//bpf_instructions.png Graphic file (type png)
<use images//bpf_instructions.png>
Package pdftex.def Info: images//bpf_instructions.png used on input line 87.
Package pdftex.def Info: images//bpf_instructions.png used on input line 96.
(pdftex.def) Requested size: 227.62204pt x 283.99998pt.
[8 <./images//bpf_instructions.png>]
<images//bpf_address_mode.png, id=761, 417.05812pt x 313.67188pt>
<images//bpf_address_mode.png, id=765, 417.05812pt x 313.67188pt>
File: images//bpf_address_mode.png Graphic file (type png)
<use images//bpf_address_mode.png>
Package pdftex.def Info: images//bpf_address_mode.png used on input line 103.
Package pdftex.def Info: images//bpf_address_mode.png used on input line 105.
(pdftex.def) Requested size: 227.62204pt x 171.19905pt.
[9 <./images//bpf_address_mode.png>]
<images//tcpdump_example.png, id=773, 534.99875pt x 454.69875pt>
[8] [9 <./images//bpf_instructions.png> <./images//bpf_address_mode.png>]
<images//tcpdump_example.png, id=780, 534.99875pt x 454.69875pt>
File: images//tcpdump_example.png Graphic file (type png)
<use images//tcpdump_example.png>
Package pdftex.def Info: images//tcpdump_example.png used on input line 118.
Package pdftex.def Info: images//tcpdump_example.png used on input line 117.
(pdftex.def) Requested size: 284.52756pt x 241.82869pt.
<images//cBPF_prog_ex_sol.png, id=776, 242.9075pt x 321.2pt>
<images//cBPF_prog_ex_sol.png, id=783, 242.9075pt x 321.2pt>
File: images//cBPF_prog_ex_sol.png Graphic file (type png)
<use images//cBPF_prog_ex_sol.png>
Package pdftex.def Info: images//cBPF_prog_ex_sol.png used on input line 129.
Package pdftex.def Info: images//cBPF_prog_ex_sol.png used on input line 128.
(pdftex.def) Requested size: 170.71652pt x 225.74026pt.
[10 <./images//tcpdump_example.png>] [11 <./images//cBPF_prog_ex_sol.png>]
<images//ebpf_arch.jpg, id=794, 739.76375pt x 472.76625pt>
[10 <./images//tcpdump_example.png>]
<images//ebpf_arch.jpg, id=796, 739.76375pt x 472.76625pt>
File: images//ebpf_arch.jpg Graphic file (type jpg)
<use images//ebpf_arch.jpg>
Package pdftex.def Info: images//ebpf_arch.jpg used on input line 168.
Package pdftex.def Info: images//ebpf_arch.jpg used on input line 167.
(pdftex.def) Requested size: 426.79134pt x 272.75464pt.
[12 <./images//ebpf_arch.jpg>]
Overfull \hbox (3.10062pt too wide) in paragraph at lines 195--212
[11 <./images//cBPF_prog_ex_sol.png>]
Overfull \hbox (3.10062pt too wide) in paragraph at lines 193--210
[][]
[]
[13]
Overfull \hbox (17.02478pt too wide) in paragraph at lines 221--222
[]\T1/txr/m/n/12 Therefore, when us-ing JIT com-pil-ing (a set-ting de-fined by
the vari-able \T1/txr/m/it/12 bpf_jit_enable\T1/txr/m/n/12 [[][]30[][]],
[]
[14]
Overfull \hbox (56.55217pt too wide) in paragraph at lines 272--283
[][]
[]
LaTeX Warning: Reference `table:ebpf_maps' on page 15 undefined on input line 2
87.
Overfull \hbox (11.26865pt too wide) in paragraph at lines 287--288
[12 <./images//ebpf_arch.jpg>] [13]
Overfull \hbox (11.26865pt too wide) in paragraph at lines 269--270
\T1/txr/m/n/12 de-vel-op-ment of our rootkit, we will mainly fo-cus on hash map
s (BPF_MAP_TYPE_HASH),
[]
[15]
LaTeX Warning: Reference `table:bpf_syscall' on page 16 undefined on input line
297.
Overfull \hbox (42.01218pt too wide) in paragraph at lines 300--316
Overfull \hbox (56.55217pt too wide) in paragraph at lines 272--283
[][]
[]
[16]
LaTeX Warning: Reference `section:TODO' on page 17 undefined on input line 343.
[14]
Overfull \hbox (42.01218pt too wide) in paragraph at lines 298--314
[][]
[]
LaTeX Warning: Reference `section:TODO' on page 15 undefined on input line 341.
Overfull \hbox (13.5802pt too wide) in paragraph at lines 353--383
[15] [16]
Overfull \hbox (13.5802pt too wide) in paragraph at lines 351--381
[][]
[]
[17]
<images//xdp_diag.jpg, id=874, 649.42625pt x 472.76625pt>
<images//xdp_diag.jpg, id=887, 649.42625pt x 472.76625pt>
File: images//xdp_diag.jpg Graphic file (type jpg)
<use images//xdp_diag.jpg>
Package pdftex.def Info: images//xdp_diag.jpg used on input line 399.
Package pdftex.def Info: images//xdp_diag.jpg used on input line 404.
(pdftex.def) Requested size: 426.79134pt x 310.69934pt.
[18] [19 <./images//xdp_diag.jpg>]
Overfull \hbox (5.80417pt too wide) in paragraph at lines 462--474
Overfull \hbox (5.80417pt too wide) in paragraph at lines 460--472
[][]
[]
[20] [21] [22] [23]
<images//libbpf_prog.jpg, id=933, 543.02875pt x 502.87875pt>
<images//libbpf_prog.jpg, id=943, 543.02875pt x 502.87875pt>
File: images//libbpf_prog.jpg Graphic file (type jpg)
<use images//libbpf_prog.jpg>
Package pdftex.def Info: images//libbpf_prog.jpg used on input line 572.
Package pdftex.def Info: images//libbpf_prog.jpg used on input line 570.
(pdftex.def) Requested size: 341.43306pt x 316.20142pt.
[24]
LaTeX Warning: Reference `TODO' on page 25 undefined on input line 600.
[25 <./images//libbpf_prog.jpg>]
Overfull \hbox (15.27466pt too wide) in paragraph at lines 608--636
LaTeX Warning: Reference `TODO' on page 24 undefined on input line 598.
[24] [25 <./images//libbpf_prog.jpg>]
Overfull \hbox (15.27466pt too wide) in paragraph at lines 606--634
[][]
[]
Overfull \hbox (144.2746pt too wide) in paragraph at lines 648--649
Overfull \hbox (121.2826pt too wide) in paragraph at lines 646--647
[]\T1/txr/bx/n/12 Unprivileged users \T1/txr/m/n/12 can only load and at-tach e
BPF pro-grams of type BPF_PROG_TYPE_SOCKET_FILTER[[][]68[][]],
BPF pro-grams of type BPF_PROG_TYPE_SOCKET_FILTER
[]
[26]
Overfull \hbox (33.33205pt too wide) in paragraph at lines 674--675
Overfull \hbox (33.33205pt too wide) in paragraph at lines 672--673
[]\T1/txr/m/n/12 Therefore, eBPF net-work pro-grams usu-ally re-quire both CAP_
BPF and CAP_NET_ADMIN,
[]
[27]
<images//mem_arch_pages.jpg, id=979, 593.21625pt x 434.62375pt>
[26] [27]
<images//mem_arch_pages.jpg, id=992, 593.21625pt x 434.62375pt>
File: images//mem_arch_pages.jpg Graphic file (type jpg)
<use images//mem_arch_pages.jpg>
Package pdftex.def Info: images//mem_arch_pages.jpg used on input line 711.
Package pdftex.def Info: images//mem_arch_pages.jpg used on input line 709.
(pdftex.def) Requested size: 369.88582pt x 271.00914pt.
[28 <./images//mem_arch_pages.jpg>]
<images//mem_major_page_fault.jpg, id=990, 639.38875pt x 425.59pt>
<images//mem_major_page_fault.jpg, id=1000, 639.38875pt x 425.59pt>
File: images//mem_major_page_fault.jpg Graphic file (type jpg)
<use images//mem_major_page_fault.jpg>
Package pdftex.def Info: images//mem_major_page_fault.jpg used on input line 7
21.
19.
(pdftex.def) Requested size: 312.9803pt x 208.32661pt.
<images//mem_minor_page_fault.jpg, id=992, 654.445pt x 555.07375pt>
<images//mem_minor_page_fault.jpg, id=1002, 654.445pt x 555.07375pt>
File: images//mem_minor_page_fault.jpg Graphic file (type jpg)
<use images//mem_minor_page_fault.jpg>
Package pdftex.def Info: images//mem_minor_page_fault.jpg used on input line 7
29.
27.
(pdftex.def) Requested size: 312.9803pt x 265.45834pt.
[29 <./images//mem_major_page_fault.jpg>]
<images//memory.jpg, id=998, 310.15875pt x 569.12625pt>
<images//memory.jpg, id=1004, 310.15875pt x 569.12625pt>
File: images//memory.jpg Graphic file (type jpg)
<use images//memory.jpg>
Package pdftex.def Info: images//memory.jpg used on input line 739.
Package pdftex.def Info: images//memory.jpg used on input line 738.
(pdftex.def) Requested size: 170.71652pt x 313.25488pt.
[30 <./images//mem_minor_page_fault.jpg>]
Overfull \hbox (0.23746pt too wide) in paragraph at lines 744--745
Overfull \hbox (0.23746pt too wide) in paragraph at lines 735--742
[]\T1/txr/m/n/12 Figure [][]2.13[][] de-scribes how vir-tual mem-ory is dis-tri
buted within a pro-cess in the x86_64
[]
[31 <./images//memory.jpg>]
<images//stack_pres.jpg, id=1012, 707.64375pt x 283.0575pt>
[29 <./images//mem_major_page_fault.jpg>] [30 <./images//mem_minor_page_fault.j
pg> <./images//memory.jpg>]
<images//stack_pres.jpg, id=1017, 707.64375pt x 283.0575pt>
File: images//stack_pres.jpg Graphic file (type jpg)
<use images//stack_pres.jpg>
Package pdftex.def Info: images//stack_pres.jpg used on input line 763.
Package pdftex.def Info: images//stack_pres.jpg used on input line 760.
(pdftex.def) Requested size: 398.33858pt x 159.33606pt.
[32 <./images//stack_pres.jpg>]
<images//stack_ops.jpg, id=1021, 524.96124pt x 694.595pt>
[31 <./images//stack_pres.jpg>]
<images//stack_ops.jpg, id=1028, 524.96124pt x 694.595pt>
File: images//stack_ops.jpg Graphic file (type jpg)
<use images//stack_ops.jpg>
Package pdftex.def Info: images//stack_ops.jpg used on input line 797.
Package pdftex.def Info: images//stack_ops.jpg used on input line 794.
(pdftex.def) Requested size: 284.52756pt x 376.47473pt.
LaTeX Font Info: Trying to load font information for T1+txtt on input line 8
04.
00.
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txtt.fd
File: t1txtt.fd 2000/12/15 v3.1
)
<images//stack_before.jpg, id=1022, 712.6625pt x 315.1775pt>
<images//stack_before.jpg, id=1031, 712.6625pt x 315.1775pt>
File: images//stack_before.jpg Graphic file (type jpg)
<use images//stack_before.jpg>
Package pdftex.def Info: images//stack_before.jpg used on input line 808.
Package pdftex.def Info: images//stack_before.jpg used on input line 804.
(pdftex.def) Requested size: 398.33858pt x 176.16635pt.
[33 <./images//stack_ops.jpg>]
<images//stack.jpg, id=1027, 707.64375pt x 381.425pt>
<images//stack.jpg, id=1032, 707.64375pt x 381.425pt>
File: images//stack.jpg Graphic file (type jpg)
<use images//stack.jpg>
Package pdftex.def Info: images//stack.jpg used on input line 815.
Package pdftex.def Info: images//stack.jpg used on input line 811.
(pdftex.def) Requested size: 398.33858pt x 214.70816pt.
[34 <./images//stack_before.jpg> <./images//stack.jpg>]
<images//stack_ret_hij_simple.jpg, id=1043, 774.895pt x 674.52pt>
[32] [33 <./images//stack_ops.jpg> <./images//stack_before.jpg>] [34 <./images
//stack.jpg>]
<images//stack_ret_hij_simple.jpg, id=1068, 774.895pt x 674.52pt>
File: images//stack_ret_hij_simple.jpg Graphic file (type jpg)
<use images//stack_ret_hij_simple.jpg>
Package pdftex.def Info: images//stack_ret_hij_simple.jpg used on input line 8
55.
51.
(pdftex.def) Requested size: 426.79134pt x 371.51205pt.
[35]
[36 <./images//stack_ret_hij_simple.jpg>]
(/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
File: lstlang1.sty 2020/03/24 1.8d listings language file
)
@@ -1412,243 +1394,250 @@ File: lstlang1.sty 2020/03/24 1.8d listings language file
File: lstmisc.sty 2020/03/24 1.8d (Carsten Heinz)
)
Package hyperref Info: bookmark level for unknown lstlisting defaults to 0 on i
nput line 867.
nput line 863.
LaTeX Font Info: Font shape `T1/txtt/b/n' in size <10> not available
(Font) Font shape `T1/txtt/bx/n' tried instead on input line 868.
<images//buffer_overflow.jpg, id=1064, 707.64375pt x 343.2825pt>
(Font) Font shape `T1/txtt/bx/n' tried instead on input line 864.
[35] [36 <./images//stack_ret_hij_simple.jpg>]
<images//buffer_overflow.jpg, id=1089, 707.64375pt x 343.2825pt>
File: images//buffer_overflow.jpg Graphic file (type jpg)
<use images//buffer_overflow.jpg>
Package pdftex.def Info: images//buffer_overflow.jpg used on input line 883.
Package pdftex.def Info: images//buffer_overflow.jpg used on input line 879.
(pdftex.def) Requested size: 426.79134pt x 207.03964pt.
<images//buffer_overflow_shellcode.jpg, id=1066, 707.64375pt x 379.4175pt>
<images//buffer_overflow_shellcode.jpg, id=1091, 707.64375pt x 379.4175pt>
File: images//buffer_overflow_shellcode.jpg Graphic file (type jpg)
<use images//buffer_overflow_shellcode.jpg>
Package pdftex.def Info: images//buffer_overflow_shellcode.jpg used on input l
ine 894.
ine 890.
(pdftex.def) Requested size: 426.79134pt x 228.8333pt.
[37 <./images//buffer_overflow.jpg>]
LaTeX Warning: Reference `TODO probably an Annex' on page 38 undefined on input
line 899.
LaTeX Warning: Reference `TODO' on page 38 undefined on input line 911.
LaTeX Warning: Reference `TODO probably an Annex' on page 37 undefined on input
line 895.
[37 <./images//buffer_overflow.jpg>]
LaTeX Warning: Reference `TODO' on page 38 undefined on input line 907.
[38 <./images//buffer_overflow_shellcode.jpg>]
<images//ROPcompound.jpg, id=1091, 1296.845pt x 790.955pt>
<images//ROPcompound.jpg, id=1107, 1296.845pt x 790.955pt>
File: images//ROPcompound.jpg Graphic file (type jpg)
<use images//ROPcompound.jpg>
Package pdftex.def Info: images//ROPcompound.jpg used on input line 933.
Package pdftex.def Info: images//ROPcompound.jpg used on input line 929.
(pdftex.def) Requested size: 455.24408pt x 277.65909pt.
Overfull \hbox (28.45273pt too wide) in paragraph at lines 933--934
Overfull \hbox (28.45273pt too wide) in paragraph at lines 929--930
[][]
[]
[39]
LaTeX Warning: Reference `TODO' on page 40 undefined on input line 945.
LaTeX Warning: Reference `TODO' on page 40 undefined on input line 941.
[40 <./images//ROPcompound.jpg>]
<images//frame.jpg, id=1111, 695.59875pt x 705.63625pt>
<images//frame.jpg, id=1127, 695.59875pt x 705.63625pt>
File: images//frame.jpg Graphic file (type jpg)
<use images//frame.jpg>
Package pdftex.def Info: images//frame.jpg used on input line 958.
Package pdftex.def Info: images//frame.jpg used on input line 954.
(pdftex.def) Requested size: 398.33858pt x 404.07954pt.
[41] [42 <./images//frame.jpg>]
<images//tcp_conn.jpg, id=1130, 452.69125pt x 405.515pt>
[41 <./images//frame.jpg>]
<images//tcp_conn.jpg, id=1142, 452.69125pt x 405.515pt>
File: images//tcp_conn.jpg Graphic file (type jpg)
<use images//tcp_conn.jpg>
Package pdftex.def Info: images//tcp_conn.jpg used on input line 1006.
Package pdftex.def Info: images//tcp_conn.jpg used on input line 1002.
(pdftex.def) Requested size: 341.43306pt x 305.84947pt.
[43]
Overfull \hbox (0.11748pt too wide) in paragraph at lines 1011--1012
Overfull \hbox (0.11748pt too wide) in paragraph at lines 1007--1008
[]\T1/txr/m/n/12 As we can ob-serve in the fig-ure, the hosts in-ter-change a s
e-quence of SYN, SYN+ACK,
[]
<images//tcp_retransmission.jpg, id=1139, 523.9575pt x 485.815pt>
[42] [43 <./images//tcp_conn.jpg>]
<images//tcp_retransmission.jpg, id=1156, 523.9575pt x 485.815pt>
File: images//tcp_retransmission.jpg Graphic file (type jpg)
<use images//tcp_retransmission.jpg>
Package pdftex.def Info: images//tcp_retransmission.jpg used on input line 102
2.
Package pdftex.def Info: images//tcp_retransmission.jpg used on input line 101
8.
(pdftex.def) Requested size: 341.43306pt x 316.58401pt.
[44 <./images//tcp_conn.jpg>] [45 <./images//tcp_retransmission.jpg>]
Overfull \hbox (1.1025pt too wide) in paragraph at lines 1061--1062
[44 <./images//tcp_retransmission.jpg>]
Overfull \hbox (1.1025pt too wide) in paragraph at lines 1057--1058
[]|\T1/txr/m/n/12 Permissions|
[]
Overfull \hbox (5.55525pt too wide) in paragraph at lines 1070--1070
Overfull \hbox (5.55525pt too wide) in paragraph at lines 1066--1066
[]|\T1/txr/m/n/12 .got.plt|
[]
Overfull \hbox (5.55525pt too wide) in paragraph at lines 1072--1072
Overfull \hbox (5.55525pt too wide) in paragraph at lines 1068--1068
[]|\T1/txr/m/n/12 .plt.got|
[]
[46]
LaTeX Warning: Reference `TODO' on page 47 undefined on input line 1085.
LaTeX Warning: Reference `TODO' on page 45 undefined on input line 1081.
Overfull \hbox (26.32735pt too wide) in paragraph at lines 1091--1092
Overfull \hbox (26.32735pt too wide) in paragraph at lines 1087--1088
\T1/txr/m/n/12 stub (in the .plt sec-tion) is called. Snip-pet [][]2.3[][] show
s a call to the func-tion timerfd_settime,
[]
[47]
<images//sch_gdb_plt.png, id=1175, 1040.88875pt x 146.5475pt>
[45] [46]
<images//sch_gdb_plt.png, id=1186, 1040.88875pt x 146.5475pt>
File: images//sch_gdb_plt.png Graphic file (type png)
<use images//sch_gdb_plt.png>
Package pdftex.def Info: images//sch_gdb_plt.png used on input line 1104.
Package pdftex.def Info: images//sch_gdb_plt.png used on input line 1100.
(pdftex.def) Requested size: 441.01772pt x 62.09065pt.
Overfull \hbox (14.22636pt too wide) in paragraph at lines 1104--1105
Overfull \hbox (14.22636pt too wide) in paragraph at lines 1100--1101
[][]
[]
<images//sch_gdb_got_prev.png, id=1176, 529.98pt x 39.14626pt>
<images//sch_gdb_got_prev.png, id=1187, 529.98pt x 39.14626pt>
File: images//sch_gdb_got_prev.png Graphic file (type png)
<use images//sch_gdb_got_prev.png>
Package pdftex.def Info: images//sch_gdb_got_prev.png used on input line 1111.
Package pdftex.def Info: images//sch_gdb_got_prev.png used on input line 1107.
(pdftex.def) Requested size: 441.01772pt x 32.57559pt.
Overfull \hbox (14.22636pt too wide) in paragraph at lines 1111--1112
Overfull \hbox (14.22636pt too wide) in paragraph at lines 1107--1108
[][]
[]
<images//sch_gdb_got_after.png, id=1180, 532.99126pt x 41.15375pt>
<images//sch_gdb_got_after.png, id=1191, 532.99126pt x 41.15375pt>
File: images//sch_gdb_got_after.png Graphic file (type png)
<use images//sch_gdb_got_after.png>
Package pdftex.def Info: images//sch_gdb_got_after.png used on input line 1120
Package pdftex.def Info: images//sch_gdb_got_after.png used on input line 1116
.
(pdftex.def) Requested size: 441.01772pt x 34.05334pt.
Overfull \hbox (14.22636pt too wide) in paragraph at lines 1120--1121
Overfull \hbox (14.22636pt too wide) in paragraph at lines 1116--1117
[][]
[]
<images//sch_glibc_func.png, id=1181, 585.18625pt x 89.33376pt>
<images//sch_glibc_func.png, id=1192, 585.18625pt x 89.33376pt>
File: images//sch_glibc_func.png Graphic file (type png)
<use images//sch_glibc_func.png>
Package pdftex.def Info: images//sch_glibc_func.png used on input line 1127.
Package pdftex.def Info: images//sch_glibc_func.png used on input line 1123.
(pdftex.def) Requested size: 441.01772pt x 67.32729pt.
Overfull \hbox (14.22636pt too wide) in paragraph at lines 1127--1128
Overfull \hbox (14.22636pt too wide) in paragraph at lines 1123--1124
[][]
[]
[48 <./images//sch_gdb_plt.png> <./images//sch_gdb_got_prev.png> <./images//sch
_gdb_got_after.png> <./images//sch_glibc_func.png>] [49] [50])
(./chapters/chapter3.tex [51]
[47 <./images//sch_gdb_plt.png> <./images//sch_gdb_got_prev.png> <./images//sch
_gdb_got_after.png>] [48 <./images//sch_glibc_func.png>])
(./chapters/chapter3.tex [49]
Chapter 3.
Overfull \hbox (18.75664pt too wide) in paragraph at lines 21--22
LaTeX Warning: Reference `subsection:access_control' on page 50 undefined on in
put line 13.
Overfull \hbox (18.75664pt too wide) in paragraph at lines 17--18
\T1/txr/m/n/12 can also ex-plore all the avail-able maps in the sys-tem by us-i
ng the BPF_MAP_GET_NEXT_ID
[]
[52
[50
] [53] [54] [55]
Overfull \hbox (55.2727pt too wide) in paragraph at lines 181--182
] [51] [52] [53]
Overfull \hbox (55.2727pt too wide) in paragraph at lines 176--177
\T1/txr/m/n/12 As we in-tro-duced in the pre-vi-ous sub-sec-tion, the bpf_probe
_read_user() and bpf_probe_read_kernel()
[]
LaTeX Warning: Reference `subsection_bpf_probe_write_apps' on page 56 undefined
on input line 185.
LaTeX Warning: Reference `subsection_bpf_probe_write_apps' on page 54 undefined
on input line 180.
[56]
Overfull \hbox (47.97661pt too wide) in paragraph at lines 190--191
Overfull \hbox (47.97661pt too wide) in paragraph at lines 185--186
\T1/txr/m/n/12 helper. It will only work if the ker-nel was com-piled with the
CON-FIG_BPF_KPROBE_OVERRIDE
[]
[57]
Overfull \hbox (62.0767pt too wide) in paragraph at lines 232--233
[54] [55]
Overfull \hbox (62.0767pt too wide) in paragraph at lines 227--228
\T1/txr/m/n/12 the bounds of func-tion pa-ram-e-ters via the helpers bpf_probe_
read_user() and bpf_probe_read_kernel().
[]
[58] [59]
Overfull \hbox (3.09538pt too wide) in paragraph at lines 257--258
[56]
Overfull \hbox (3.09538pt too wide) in paragraph at lines 252--253
\T1/txr/m/n/12 trac-ing pro-grams can read any user mem-ory lo-ca-tion with the
bpf_probe_read_user()
[]
<images//stack_scan_write_tech.jpg, id=1364, 829.0975pt x 315.1775pt>
[57]
<images//stack_scan_write_tech.jpg, id=1374, 829.0975pt x 315.1775pt>
File: images//stack_scan_write_tech.jpg Graphic file (type jpg)
<use images//stack_scan_write_tech.jpg>
Package pdftex.def Info: images//stack_scan_write_tech.jpg used on input line
273.
268.
(pdftex.def) Requested size: 455.24408pt x 173.0548pt.
Overfull \hbox (28.45273pt too wide) in paragraph at lines 273--274
Overfull \hbox (28.45273pt too wide) in paragraph at lines 268--269
[][]
[]
[60 <./images//stack_scan_write_tech.jpg>]
[58 <./images//stack_scan_write_tech.jpg>]
LaTeX Warning: Reference `TODO' on page 61 undefined on input line 295.
LaTeX Warning: Reference `TODO' on page 59 undefined on input line 290.
[61] [62] [63]
<images//tcp_exfiltrate_retrans.jpg, id=1420, 633.36626pt x 475.7775pt>
[59] [60] [61]
<images//tcp_exfiltrate_retrans.jpg, id=1427, 633.36626pt x 475.7775pt>
File: images//tcp_exfiltrate_retrans.jpg Graphic file (type jpg)
<use images//tcp_exfiltrate_retrans.jpg>
Package pdftex.def Info: images//tcp_exfiltrate_retrans.jpg used on input line
355.
350.
(pdftex.def) Requested size: 426.79134pt x 320.60597pt.
[64 <./images//tcp_exfiltrate_retrans.jpg>])
(./chapters/chapter4.tex [65]
[62 <./images//tcp_exfiltrate_retrans.jpg>])
(./chapters/chapter4.tex [63]
Chapter 4.
[66
[64
]
LaTeX Warning: Reference `TODO EVALUATION' on page 67 undefined on input line 2
LaTeX Warning: Reference `TODO EVALUATION' on page 65 undefined on input line 2
2.
<images//rop_evil_ebpf_1.jpg, id=1438, 789.95125pt x 395.4775pt>
<images//rop_evil_ebpf_1.jpg, id=1445, 789.95125pt x 395.4775pt>
File: images//rop_evil_ebpf_1.jpg Graphic file (type jpg)
<use images//rop_evil_ebpf_1.jpg>
Package pdftex.def Info: images//rop_evil_ebpf_1.jpg used on input line 30.
(pdftex.def) Requested size: 426.79134pt x 213.66933pt.
LaTeX Warning: Reference `TODO' on page 67 undefined on input line 38.
LaTeX Warning: Reference `TODO' on page 65 undefined on input line 38.
[67 <./images//rop_evil_ebpf_1.jpg>]
[65 <./images//rop_evil_ebpf_1.jpg>]
Overfull \hbox (4.42868pt too wide) in paragraph at lines 47--48
\T1/txr/m/n/12 the orig-i-nal data later) and we pro-ceed to over-write the sta
ck us-ing bpf_probe_write_user(),
[]
<images//rop_evil_ebpf_2.jpg, id=1449, 789.95125pt x 395.4775pt>
<images//rop_evil_ebpf_2.jpg, id=1455, 789.95125pt x 395.4775pt>
File: images//rop_evil_ebpf_2.jpg Graphic file (type jpg)
<use images//rop_evil_ebpf_2.jpg>
Package pdftex.def Info: images//rop_evil_ebpf_2.jpg used on input line 51.
(pdftex.def) Requested size: 426.79134pt x 213.66933pt.
[68 <./images//rop_evil_ebpf_2.jpg>]
<images//rop_evil_ebpf_3.jpg, id=1459, 789.95125pt x 369.38pt>
[66 <./images//rop_evil_ebpf_2.jpg>]
<images//rop_evil_ebpf_3.jpg, id=1465, 789.95125pt x 369.38pt>
File: images//rop_evil_ebpf_3.jpg Graphic file (type jpg)
<use images//rop_evil_ebpf_3.jpg>
Package pdftex.def Info: images//rop_evil_ebpf_3.jpg used on input line 62.
(pdftex.def) Requested size: 426.79134pt x 199.5693pt.
[69 <./images//rop_evil_ebpf_3.jpg>]
[67 <./images//rop_evil_ebpf_3.jpg>]
LaTeX Warning: Reference `table:aslr_offset' on page 70 undefined on input line
LaTeX Warning: Reference `table:aslr_offset' on page 68 undefined on input line
85.
<images//aslr_offset.jpg, id=1467, 597.23125pt x 273.02pt>
<images//aslr_offset.jpg, id=1474, 597.23125pt x 273.02pt>
File: images//aslr_offset.jpg Graphic file (type jpg)
<use images//aslr_offset.jpg>
Package pdftex.def Info: images//aslr_offset.jpg used on input line 90.
(pdftex.def) Requested size: 369.88582pt x 169.0915pt.
[70 <./images//aslr_offset.jpg>]
[68 <./images//aslr_offset.jpg>]
Overfull \hbox (0.26146pt too wide) in paragraph at lines 113--114
[]\T1/txr/m/n/12 This tech-nique works both in com-pil-ers with low hard-en-ing
fe-tau-res by de-fault (Clang)
@@ -1660,19 +1649,19 @@ Overfull \hbox (38.05193pt too wide) in paragraph at lines 117--119
m/it/12 en-ter \T1/txr/m/n/12 po-si-tion of syscall sys_timerfd_settime.
[]
[71]
<images//sch_firstcall.png, id=1484, 643.40375pt x 91.34125pt>
[69]
<images//sch_firstcall.png, id=1491, 643.40375pt x 91.34125pt>
File: images//sch_firstcall.png Graphic file (type png)
<use images//sch_firstcall.png>
Package pdftex.def Info: images//sch_firstcall.png used on input line 127.
(pdftex.def) Requested size: 369.88582pt x 52.51244pt.
) (./chapters/chapter5.tex [72 <./images//sch_firstcall.png>]
) (./chapters/chapter5.tex [70 <./images//sch_firstcall.png>]
Chapter 5.
) (./chapters/chapter6.tex [73
) (./chapters/chapter6.tex [71
]
Chapter 6.
) [74
) [72
]
Overfull \hbox (5.34976pt too wide) in paragraph at lines 338--338
@@ -1680,7 +1669,7 @@ Overfull \hbox (5.34976pt too wide) in paragraph at lines 338--338
/ yir -[] cyber -[] threats -[]
[]
[75
[73
]
@@ -1701,7 +1690,7 @@ Overfull \hbox (21.24973pt too wide) in paragraph at lines 338--338
mmit _ 2015feb20 .
[]
[76]
[74]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 338--338
\T1/txtt/m/n/12 ch02 . xhtml# :-[]: text = With % 20JIT % 20compiled % 20code %
2C % 20i ,[] %20other %
@@ -1713,13 +1702,19 @@ Overfull \hbox (6.49615pt too wide) in paragraph at lines 338--338
022), [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https :
[]
[77]
[75]
Overfull \hbox (0.76683pt too wide) in paragraph at lines 338--338
[]\T1/txr/m/n/12 ^^P Bpf next ker-nel tree.^^Q (), [On-line]. Avail-able: [][]
$\T1/txtt/m/n/12 https : / / kernel . googlesource .
[]
Overfull \hbox (14.49278pt too wide) in paragraph at lines 338--338
[]\T1/txr/m/it/12 Capabilities - overview of linux ca-pa-bil-i-ties\T1/txr/m/n/
12 . [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 http : / / manpages .
[]
[76]
Overfull \hbox (9.33742pt too wide) in paragraph at lines 338--338
\T1/txr/m/n/12 Avail-able: [][]$\T1/txtt/m/n/12 https : / / events19 . linuxfou
ndation . org / wp -[] content / uploads /
@@ -1761,25 +1756,19 @@ Overfull \hbox (21.2149pt too wide) in paragraph at lines 338--338
. com / blog / network -[] layers -[] explained/$[][]\T1/txr/m/n/12 .
[]
[78]
Overfull \hbox (4.29944pt too wide) in paragraph at lines 338--338
[]\T1/txr/m/n/12 ^^P Trans-mis-sion con-trol pro-to-col,^^Q IBM. (Apr. 19, 202
2), [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https :
[]
[77]
Overfull \hbox (6.53491pt too wide) in paragraph at lines 338--338
[]\T1/txr/m/n/12 H. Sidh-pur-wala. ^^P Hard-en-ing elf bi-na-ries us-ing re-lo
-ca-tion read-only (relro).^^Q (Jan. 28,
[]
Overfull \hbox (14.49278pt too wide) in paragraph at lines 338--338
[]\T1/txr/m/it/12 Capabilities - overview of linux ca-pa-bil-i-ties\T1/txr/m/n/
12 . [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 http : / / manpages .
[]
[79]
Overfull \hbox (53.32059pt too wide) in paragraph at lines 338--338
\T1/txr/m/it/12 sup-ple-ment\T1/txr/m/n/12 , Jan. 28, 2018, p. 148. [On-line].
Avail-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
@@ -1803,7 +1792,7 @@ Overfull \hbox (39.98859pt too wide) in paragraph at lines 338--338
il-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
[]
[80] (./chapters/annex.tex [81]
[78] (./chapters/annex.tex [79]
(/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
File: lstlang1.sty 2020/03/24 1.8d listings language file
)
@@ -1828,25 +1817,23 @@ l.346 \end{document}
LaTeX Warning: There were undefined references.
LaTeX Warning: Label(s) may have changed. Rerun to get cross-references right.
Package rerunfilecheck Info: File `document.out' has not changed.
(rerunfilecheck) Checksum: 73080A21CC6BDDF13751F7DFC4130C5D;5364.
Package biblatex Warning: Please (re)run Biber on the file:
(biblatex) document
(biblatex) and rerun LaTeX afterwards.
(rerunfilecheck) Checksum: 7A34DDECD47F12129DDDCF15A57C6F25;5503.
Package logreq Info: Writing requests to 'document.run.xml'.
\openout1 = `document.run.xml'.
)
Here is how much of TeX's memory you used:
29191 strings out of 481209
465022 string characters out of 5914747
1628963 words of memory out of 5000000
45101 multiletter control sequences out of 15000+600000
29195 strings out of 481209
465192 string characters out of 5914747
1628061 words of memory out of 5000000
45104 multiletter control sequences out of 15000+600000
459242 words of font info for 106 fonts, out of 8000000 for 9000
36 hyphenation exceptions out of 8191
88i,12n,90p,1029b,3715s stack positions out of 5000i,500n,10000p,200000b,80000s
88i,12n,90p,1029b,3721s stack positions out of 5000i,500n,10000p,200000b,80000s
{/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc}</usr/share/texliv
e/texmf-dist/fonts/type1/public/txfonts/rtcxi.pfb></usr/share/texlive/texmf-dis
t/fonts/type1/public/txfonts/rtcxr.pfb></usr/share/texlive/texmf-dist/fonts/typ
@@ -1859,9 +1846,9 @@ e/texmf-dist/fonts/type1/urw/helvetic/uhvb8a.pfb></usr/share/texlive/texmf-dist
/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/u
tmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr
/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on document.pdf (102 pages, 2221224 bytes).
Output written on document.pdf (100 pages, 2220915 bytes).
PDF statistics:
1984 PDF objects out of 2073 (max. 8388607)
545 named destinations out of 1000 (max. 500000)
758 words of extra memory for PDF output out of 10000 (max. 10000000)
1993 PDF objects out of 2073 (max. 8388607)
546 named destinations out of 1000 (max. 500000)
774 words of extra memory for PDF output out of 10000 (max. 10000000)

36
docs/document.lot
View File

@@ -5,33 +5,33 @@
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.1}{\ignorespaces Table showing BPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{8}{table.caption.9}%
\contentsline {table}{\numberline {2.1}{\ignorespaces BPF instruction format.\relax }}{8}{table.caption.9}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.2}{\ignorespaces Table showing relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }}{12}{table.caption.14}%
\contentsline {table}{\numberline {2.2}{\ignorespaces Relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }}{11}{table.caption.14}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.3}{\ignorespaces Table showing eBPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{13}{table.caption.16}%
\contentsline {table}{\numberline {2.3}{\ignorespaces eBPF instruction format.\relax }}{12}{table.caption.16}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.4}{\ignorespaces Table showing eBPF registers and their purpose in the BPF VM.\cite {ebpf_inst_set}\cite {ebpf_starovo_slides}.\relax }}{13}{table.caption.17}%
\contentsline {table}{\numberline {2.4}{\ignorespaces eBPF registers and their purpose in the BPF VM. \cite {ebpf_inst_set} \cite {ebpf_starovo_slides}.\relax }}{13}{table.caption.17}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.5}{\ignorespaces Table showing common fields for creating an eBPF map.\relax }}{15}{table.caption.18}%
\contentsline {table}{\numberline {2.5}{\ignorespaces Common fields for creating an eBPF map.\relax }}{15}{table.caption.18}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.6}{\ignorespaces Table showing types of eBPF maps. Only those used in our rootkit are displayed, the full list can be consulted in the man page \cite {bpf_syscall}\relax }}{15}{table.caption.19}%
\contentsline {table}{\numberline {2.6}{\ignorespaces Types of eBPF maps. Only those used in our rootkit are displayed, the full list can be consulted in the man page \cite {bpf_syscall}\relax }}{15}{table.caption.19}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.7}{\ignorespaces Table showing types of syscall actions. Only those relevant to our research are shown the full list and attribute details can be consulted in the man page \cite {bpf_syscall}\relax }}{16}{table.caption.20}%
\contentsline {table}{\numberline {2.7}{\ignorespaces Types of syscall actions. Only those relevant to our research are shown the full list and attribute details can be consulted in the man page \cite {bpf_syscall}\relax }}{16}{table.caption.20}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.8}{\ignorespaces Table showing types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite {bpf_syscall}.\relax }}{17}{table.caption.21}%
\contentsline {table}{\numberline {2.8}{\ignorespaces Types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite {bpf_syscall}.\relax }}{16}{table.caption.21}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.9}{\ignorespaces Table showing common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite {ebpf_helpers}.\relax }}{18}{table.caption.22}%
\contentsline {table}{\numberline {2.9}{\ignorespaces Common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite {ebpf_helpers}.\relax }}{17}{table.caption.22}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.10}{\ignorespaces Table showing XDP relevant return values.\relax }}{19}{table.caption.24}%
\contentsline {table}{\numberline {2.10}{\ignorespaces Relevant XDP return values.\relax }}{18}{table.caption.24}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.11}{\ignorespaces Table showing relevant XDP-exclusive eBPF helpers.\relax }}{20}{table.caption.25}%
\contentsline {table}{\numberline {2.11}{\ignorespaces Relevant XDP-exclusive eBPF helpers.\relax }}{19}{table.caption.25}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.12}{\ignorespaces Table showing TC relevant return values. Full list can be consulted at \cite {tc_ret_list_complete}.\relax }}{21}{table.caption.26}%
\contentsline {table}{\numberline {2.12}{\ignorespaces Relevant TC return values. Full list can be consulted at \cite {tc_ret_list_complete}.\relax }}{20}{table.caption.26}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.13}{\ignorespaces Table showing relevant TC-exclusive eBPF helpers.\relax }}{21}{table.caption.27}%
\contentsline {table}{\numberline {2.13}{\ignorespaces Relevant TC-exclusive eBPF helpers.\relax }}{21}{table.caption.27}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.14}{\ignorespaces Table showing BPF skeleton functions.\relax }}{25}{table.caption.29}%
\contentsline {table}{\numberline {2.14}{\ignorespaces BPF skeleton functions.\relax }}{25}{table.caption.29}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.15}{\ignorespaces Kernel compilation flags for eBPF.\relax }}{26}{table.caption.30}%
\defcounter {refsection}{0}\relax
@@ -43,15 +43,15 @@
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.19}{\ignorespaces Relevant TCP flags and their purpose.\relax }}{43}{table.caption.47}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.20}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{46}{table.caption.50}%
\contentsline {table}{\numberline {2.20}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{45}{table.caption.50}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.21}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{47}{table.caption.51}%
\contentsline {table}{\numberline {2.21}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{46}{table.caption.51}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.22}{\ignorespaces Security features in C compilers used in the study.\relax }}{49}{table.caption.56}%
\contentsline {table}{\numberline {2.22}{\ignorespaces Security features in C compilers used in the study.\relax }}{48}{table.caption.56}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {3.1}{\ignorespaces Argument passing convention of registers for function calls in user and kernel space respectively.\relax }}{54}{table.caption.57}%
\contentsline {table}{\numberline {3.1}{\ignorespaces Argument passing convention of registers for function calls in user and kernel space respectively.\relax }}{52}{table.caption.57}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax

12
docs/document.out
View File

@@ -53,18 +53,20 @@
\BOOKMARK [2][-]{subsection.3.2.2}{Reading\040memory\040out\040of\040bounds}{section.3.2}% 53
\BOOKMARK [2][-]{subsection.3.2.3}{Overriding\040function\040return\040values}{section.3.2}% 54
\BOOKMARK [2][-]{subsection.3.2.4}{Sending\040signals\040to\040user\040programs}{section.3.2}% 55
\BOOKMARK [2][-]{subsection.3.2.5}{Conclusion}{section.3.2}% 56
\BOOKMARK [2][-]{subsection.3.2.5}{Takeaways}{section.3.2}% 56
\BOOKMARK [1][-]{section.3.3}{Memory\040corruption}{chapter.3}% 57
\BOOKMARK [2][-]{subsection.3.3.1}{Attacks\040and\040limitations\040of\040bpf_probe_write_user\(\)}{section.3.3}% 58
\BOOKMARK [2][-]{subsection.3.3.2}{Conclusion}{section.3.3}% 59
\BOOKMARK [2][-]{subsection.3.3.2}{Takeaways}{section.3.3}% 59
\BOOKMARK [1][-]{section.3.4}{Abusing\040networking\040programs}{chapter.3}% 60
\BOOKMARK [2][-]{subsection.3.4.1}{Attacks\040and\040limitations\040of\040networking\040programs}{section.3.4}% 61
\BOOKMARK [2][-]{subsection.3.4.2}{Conclusion}{section.3.4}% 62
\BOOKMARK [2][-]{subsection.3.4.2}{Takeaways}{section.3.4}% 62
\BOOKMARK [0][-]{chapter.4}{Design\040of\040a\040malicious\040eBPF\040rootkit}{}% 63
\BOOKMARK [1][-]{section.4.1}{Library\040injection\040attacks}{chapter.4}% 64
\BOOKMARK [2][-]{subsection.4.1.1}{ROP\040with\040eBPF}{section.4.1}% 65
\BOOKMARK [2][-]{subsection.4.1.2}{Bypassing\040hardening\040features\040in\040ELFs}{section.4.1}% 66
\BOOKMARK [2][-]{subsection.4.1.3}{Library\040injection\040via\040GOT\040hijacking}{section.4.1}% 67
\BOOKMARK [0][-]{chapter.5}{Evaluation}{}% 68
\BOOKMARK [0][-]{chapter.6}{Related\040work}{}% 69
\BOOKMARK [0][-]{chapter.6}{Bibliography}{}% 70
\BOOKMARK [1][-]{section.5.1}{Developed\040capabilities}{chapter.5}% 69
\BOOKMARK [1][-]{section.5.2}{Rootkit\040use\040cases}{chapter.5}% 70
\BOOKMARK [0][-]{chapter.6}{Related\040work}{}% 71
\BOOKMARK [0][-]{chapter.6}{Bibliography}{}% 72

BIN
docs/document.pdf
View File

Binary file not shown.

4
docs/document.run.xml
View File

@@ -41,7 +41,7 @@
>
]>
<requests version="1.0">
<internal package="biblatex" priority="9" active="1">
<internal package="biblatex" priority="9" active="0">
<generic>latex</generic>
<provides type="dynamic">
<file>document.bcf</file>
@@ -63,7 +63,7 @@
<file>english.lbx</file>
</requires>
</internal>
<external package="biblatex" priority="5" active="1">
<external package="biblatex" priority="5" active="0">
<generic>biber</generic>
<cmdline>
<binary>biber</binary>

BIN
docs/document.synctex.gz
View File

Binary file not shown.

92
docs/document.toc
View File

@@ -25,37 +25,37 @@
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.1.2}The BPF virtual machine}{6}{subsection.2.1.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.1.3}Analysis of a BPF filter program}{7}{subsection.2.1.3}%
\contentsline {subsection}{\numberline {2.1.3}Analysis of a BPF filter program}{6}{subsection.2.1.3}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.1.4}BPF bytecode instruction format}{8}{subsection.2.1.4}%
\contentsline {subsection}{\numberline {2.1.4}BPF bytecode instruction format}{7}{subsection.2.1.4}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.1.5}An example of BPF filter with tcpdump}{10}{subsection.2.1.5}%
\contentsline {subsection}{\numberline {2.1.5}An example of BPF filter with tcpdump}{8}{subsection.2.1.5}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {2.2}Modern eBPF}{11}{section.2.2}%
\contentsline {section}{\numberline {2.2}Modern eBPF}{10}{section.2.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.2.1}eBPF instruction set}{13}{subsection.2.2.1}%
\contentsline {subsection}{\numberline {2.2.1}eBPF instruction set}{12}{subsection.2.2.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.2.2}JIT compilation}{13}{subsection.2.2.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.2.3}The eBPF verifier}{14}{subsection.2.2.3}%
\contentsline {subsection}{\numberline {2.2.3}The eBPF verifier}{13}{subsection.2.2.3}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.2.4}eBPF maps}{15}{subsection.2.2.4}%
\contentsline {subsection}{\numberline {2.2.4}eBPF maps}{14}{subsection.2.2.4}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.2.5}The eBPF ring buffer}{16}{subsection.2.2.5}%
\contentsline {subsection}{\numberline {2.2.5}The eBPF ring buffer}{15}{subsection.2.2.5}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.2.6}The bpf() syscall}{16}{subsection.2.2.6}%
\contentsline {subsection}{\numberline {2.2.6}The bpf() syscall}{15}{subsection.2.2.6}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.2.7}eBPF helpers}{17}{subsection.2.2.7}%
\contentsline {subsection}{\numberline {2.2.7}eBPF helpers}{15}{subsection.2.2.7}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {2.3}eBPF program types}{18}{section.2.3}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.3.1}XDP}{18}{subsection.2.3.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.3.2}Traffic Control}{20}{subsection.2.3.2}%
\contentsline {subsection}{\numberline {2.3.2}Traffic Control}{18}{subsection.2.3.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.3.3}Tracepoints}{21}{subsection.2.3.3}%
\contentsline {subsection}{\numberline {2.3.3}Tracepoints}{20}{subsection.2.3.3}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.3.4}Kprobes}{22}{subsection.2.3.4}%
\contentsline {subsection}{\numberline {2.3.4}Kprobes}{21}{subsection.2.3.4}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.3.5}Uprobes}{22}{subsection.2.3.5}%
\defcounter {refsection}{0}\relax
@@ -63,7 +63,7 @@
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.4.1}BCC}{23}{subsection.2.4.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.4.2}Bpftool}{24}{subsection.2.4.2}%
\contentsline {subsection}{\numberline {2.4.2}Bpftool}{23}{subsection.2.4.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.4.3}Libbpf}{24}{subsection.2.4.3}%
\defcounter {refsection}{0}\relax
@@ -75,69 +75,73 @@
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.6.1}Memory pages and faults}{28}{subsection.2.6.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.6.2}Process virtual memory}{30}{subsection.2.6.2}%
\contentsline {subsection}{\numberline {2.6.2}Process virtual memory}{29}{subsection.2.6.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.6.3}The process stack}{32}{subsection.2.6.3}%
\contentsline {subsection}{\numberline {2.6.3}The process stack}{31}{subsection.2.6.3}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {2.7}Attacks at the stack}{35}{section.2.7}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.7.1}Buffer overflow}{36}{subsection.2.7.1}%
\contentsline {subsection}{\numberline {2.7.1}Buffer overflow}{35}{subsection.2.7.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.7.2}Return oriented programming attacks}{39}{subsection.2.7.2}%
\contentsline {subsection}{\numberline {2.7.2}Return oriented programming attacks}{38}{subsection.2.7.2}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {2.8}Networking fundamentals in Linux}{41}{section.2.8}%
\contentsline {section}{\numberline {2.8}Networking fundamentals in Linux}{40}{section.2.8}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.8.1}An overview on the network layer}{41}{subsection.2.8.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.8.2}Introduction to the TCP protocol}{43}{subsection.2.8.2}%
\contentsline {subsection}{\numberline {2.8.2}Introduction to the TCP protocol}{42}{subsection.2.8.2}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {2.9}ELF binaries}{45}{section.2.9}%
\contentsline {section}{\numberline {2.9}ELF binaries}{44}{section.2.9}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.9.1}The ELF format and Lazy Binding}{45}{subsection.2.9.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.9.2}Hardening ELF binaries}{49}{subsection.2.9.2}%
\contentsline {subsection}{\numberline {2.9.2}Hardening ELF binaries}{48}{subsection.2.9.2}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {3}Analysis of offensive capabilities}{52}{chapter.3}%
\contentsline {chapter}{\numberline {3}Analysis of offensive capabilities}{50}{chapter.3}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {3.1}eBPF maps security}{52}{section.3.1}%
\contentsline {section}{\numberline {3.1}eBPF maps security}{50}{section.3.1}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {3.2}Abusing tracing programs}{53}{section.3.2}%
\contentsline {section}{\numberline {3.2}Abusing tracing programs}{51}{section.3.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.2.1}Access to function arguments}{53}{subsection.3.2.1}%
\contentsline {subsection}{\numberline {3.2.1}Access to function arguments}{51}{subsection.3.2.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{56}{subsection.3.2.2}%
\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{54}{subsection.3.2.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.2.3}Overriding function return values}{57}{subsection.3.2.3}%
\contentsline {subsection}{\numberline {3.2.3}Overriding function return values}{54}{subsection.3.2.3}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.2.4}Sending signals to user programs}{58}{subsection.3.2.4}%
\contentsline {subsection}{\numberline {3.2.4}Sending signals to user programs}{56}{subsection.3.2.4}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.2.5}Conclusion}{58}{subsection.3.2.5}%
\contentsline {subsection}{\numberline {3.2.5}Takeaways}{56}{subsection.3.2.5}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {3.3}Memory corruption}{58}{section.3.3}%
\contentsline {section}{\numberline {3.3}Memory corruption}{56}{section.3.3}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.3.1}Attacks and limitations of bpf\_probe\_write\_user()}{59}{subsection.3.3.1}%
\contentsline {subsection}{\numberline {3.3.1}Attacks and limitations of bpf\_probe\_write\_user()}{56}{subsection.3.3.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.3.2}Conclusion}{61}{subsection.3.3.2}%
\contentsline {subsection}{\numberline {3.3.2}Takeaways}{59}{subsection.3.3.2}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {3.4}Abusing networking programs}{62}{section.3.4}%
\contentsline {section}{\numberline {3.4}Abusing networking programs}{60}{section.3.4}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.4.1}Attacks and limitations of networking programs}{62}{subsection.3.4.1}%
\contentsline {subsection}{\numberline {3.4.1}Attacks and limitations of networking programs}{60}{subsection.3.4.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {3.4.2}Conclusion}{65}{subsection.3.4.2}%
\contentsline {subsection}{\numberline {3.4.2}Takeaways}{63}{subsection.3.4.2}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {4}Design of a malicious eBPF rootkit}{66}{chapter.4}%
\contentsline {chapter}{\numberline {4}Design of a malicious eBPF rootkit}{64}{chapter.4}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {4.1}Library injection attacks}{66}{section.4.1}%
\contentsline {section}{\numberline {4.1}Library injection attacks}{64}{section.4.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {4.1.1}ROP with eBPF}{67}{subsection.4.1.1}%
\contentsline {subsection}{\numberline {4.1.1}ROP with eBPF}{65}{subsection.4.1.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {4.1.2}Bypassing hardening features in ELFs}{69}{subsection.4.1.2}%
\contentsline {subsection}{\numberline {4.1.2}Bypassing hardening features in ELFs}{67}{subsection.4.1.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {4.1.3}Library injection via GOT hijacking}{71}{subsection.4.1.3}%
\contentsline {subsection}{\numberline {4.1.3}Library injection via GOT hijacking}{69}{subsection.4.1.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Evaluation}{73}{chapter.5}%
\contentsline {chapter}{\numberline {5}Evaluation}{71}{chapter.5}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {6}Related work}{74}{chapter.6}%
\contentsline {section}{\numberline {5.1}Developed capabilities}{71}{section.5.1}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{75}{chapter.6}%
\contentsline {section}{\numberline {5.2}Rootkit use cases}{71}{section.5.2}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {6}Related work}{72}{chapter.6}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{73}{chapter.6}%
\contentsfinish

8
docs/pdfa.xmpi
View File

@@ -73,15 +73,15 @@
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/">
<xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool>
<xmp:ModifyDate>2022-06-11T12:59:35-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-06-11T12:59:35-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-06-11T12:59:35-04:00</xmp:MetadataDate>
<xmp:ModifyDate>2022-06-11T16:30:44-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-06-11T16:30:44-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-06-11T16:30:44-04:00</xmp:MetadataDate>
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/">
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/">
<xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID>
<xmpMM:InstanceID>uuid:252C0EB8-B2F4-7FB8-D36F-54C42CCB7207</xmpMM:InstanceID>
<xmpMM:InstanceID>uuid:A911227A-C454-1FF8-C50A-E41F8F5F8B00</xmpMM:InstanceID>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>