Started section about rootkit techniques

docs/document.aux

@@ -49,6 +49,7 @@
 \abx@aux@cite{ebpf_friends}
 \abx@aux@segm{0}{0}{ebpf_friends}
 \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.2}Project objectives}{3}{section.1.2}\protected@file@percent }
+\newlabel{section:project_objectives}{{1.2}{3}{Project objectives}{section.1.2}{}}
 \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.3}Regulatory framework}{4}{section.1.3}\protected@file@percent }
 \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {1.3.1}Social and economic environment}{4}{subsection.1.3.1}\protected@file@percent }
 \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {1.3.2}Budget}{4}{subsection.1.3.2}\protected@file@percent }
@@ -365,7 +366,7 @@
 \abx@aux@cite{write_helper_non_fault}
 \abx@aux@segm{0}{0}{write_helper_non_fault}
 \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.4}Attacks and limitations of bpf\_probe\_write\_user()}{43}{subsection.3.3.4}\protected@file@percent }
-\newlabel{subsection_bpf_probe_write_apps}{{3.3.4}{43}{Attacks and limitations of bpf\_probe\_write\_user()}{subsection.3.3.4}{}}
+\newlabel{subsection:bpf_probe_write_apps}{{3.3.4}{43}{Attacks and limitations of bpf\_probe\_write\_user()}{subsection.3.3.4}{}}
 \abx@aux@cite{code_vfs_read}
 \abx@aux@segm{0}{0}{code_vfs_read}
 \abx@aux@cite{code_vfs_read}
@@ -404,14 +405,19 @@
 \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.13}{\ignorespaces Technique to duplicate a packet for exfiltrating data.\relax }}{53}{figure.caption.48}\protected@file@percent }
 \newlabel{fig:tcp_exfiltrate_retrans}{{3.13}{53}{Technique to duplicate a packet for exfiltrating data.\relax }{figure.caption.48}{}}
 \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.4}Conclusion}{53}{subsection.3.4.4}\protected@file@percent }
-\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{55}{chapter.4}\protected@file@percent }
+\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Design of a malicious eBPF rootkit}{55}{chapter.4}\protected@file@percent }
 \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
 \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
-\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{56}{chapter.5}\protected@file@percent }
+\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.1}Library injection via .GOT hijacking}{55}{section.4.1}\protected@file@percent }
+\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.1}Introduction to attacks in the stack}{56}{subsection.4.1.1}\protected@file@percent }
+\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Results}{57}{chapter.5}\protected@file@percent }
 \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
 \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
-\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{57}{chapter.5}\protected@file@percent }
-\newlabel{annex:bpftool_flags_kernel}{{5}{}{Appendix A - Bpftool commands}{chapter*.50}{}}
+\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Conclusion and future work}{58}{chapter.6}\protected@file@percent }
+\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
+\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
+\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{59}{chapter.6}\protected@file@percent }
+\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.50}{}}
 \abx@aux@read@bbl@mdfivesum{77A5019A60516627679C213125A49687}
 \abx@aux@refcontextdefaultsdone
 \abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
@@ -492,4 +498,4 @@
 \abx@aux@defaultrefcontext{0}{tcp_reliable}{none/global//global/global}
 \abx@aux@defaultrefcontext{0}{tcp_handshake}{none/global//global/global}
 \ttl@finishall
-\gdef \@abspage@last{81}
+\gdef \@abspage@last{83}

docs/document.blg

@@ -1,96 +1,96 @@
 [0] Config.pm:311> INFO - This is Biber 2.16
 [0] Config.pm:314> INFO - Logfile is 'document.blg'
-[59] biber:340> INFO - === Mon Jun  6, 2022, 20:45:55
-[71] Biber.pm:415> INFO - Reading 'document.bcf'
-[149] Biber.pm:952> INFO - Found 77 citekeys in bib section 0
-[163] Biber.pm:4340> INFO - Processing section 0
-[172] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
-[174] bibtex.pm:1689> INFO - LaTeX decoding ...
-[203] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
-[395] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 9, warning: 1 characters of junk seen at toplevel
-[395] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 15, warning: 1 characters of junk seen at toplevel
-[395] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 22, warning: 1 characters of junk seen at toplevel
-[395] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 28, warning: 1 characters of junk seen at toplevel
-[395] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 35, warning: 1 characters of junk seen at toplevel
-[395] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 42, warning: 1 characters of junk seen at toplevel
-[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 50, warning: 1 characters of junk seen at toplevel
-[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 58, warning: 1 characters of junk seen at toplevel
-[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 65, warning: 1 characters of junk seen at toplevel
-[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 70, warning: 1 characters of junk seen at toplevel
-[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 77, warning: 1 characters of junk seen at toplevel
-[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 85, warning: 1 characters of junk seen at toplevel
-[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 94, warning: 1 characters of junk seen at toplevel
-[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 103, warning: 1 characters of junk seen at toplevel
-[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 112, warning: 1 characters of junk seen at toplevel
-[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 121, warning: 1 characters of junk seen at toplevel
-[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 127, warning: 1 characters of junk seen at toplevel
-[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 132, warning: 1 characters of junk seen at toplevel
-[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 137, warning: 1 characters of junk seen at toplevel
-[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 142, warning: 1 characters of junk seen at toplevel
-[396] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 153, warning: 1 characters of junk seen at toplevel
-[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 158, warning: 1 characters of junk seen at toplevel
-[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 164, warning: 1 characters of junk seen at toplevel
-[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 170, warning: 1 characters of junk seen at toplevel
-[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 175, warning: 1 characters of junk seen at toplevel
-[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 184, warning: 1 characters of junk seen at toplevel
-[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 191, warning: 1 characters of junk seen at toplevel
-[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 199, warning: 1 characters of junk seen at toplevel
-[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 206, warning: 1 characters of junk seen at toplevel
-[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 215, warning: 1 characters of junk seen at toplevel
-[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 224, warning: 1 characters of junk seen at toplevel
-[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 233, warning: 1 characters of junk seen at toplevel
-[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 239, warning: 1 characters of junk seen at toplevel
-[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 244, warning: 1 characters of junk seen at toplevel
-[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 249, warning: 1 characters of junk seen at toplevel
-[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 256, warning: 1 characters of junk seen at toplevel
-[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 261, warning: 1 characters of junk seen at toplevel
-[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 266, warning: 1 characters of junk seen at toplevel
-[397] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 271, warning: 1 characters of junk seen at toplevel
-[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 276, warning: 1 characters of junk seen at toplevel
-[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 283, warning: 1 characters of junk seen at toplevel
-[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 288, warning: 1 characters of junk seen at toplevel
-[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 295, warning: 1 characters of junk seen at toplevel
-[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 302, warning: 1 characters of junk seen at toplevel
-[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 309, warning: 1 characters of junk seen at toplevel
-[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 315, warning: 1 characters of junk seen at toplevel
-[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 321, warning: 1 characters of junk seen at toplevel
-[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 327, warning: 1 characters of junk seen at toplevel
-[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 334, warning: 1 characters of junk seen at toplevel
-[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 339, warning: 1 characters of junk seen at toplevel
-[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 344, warning: 1 characters of junk seen at toplevel
-[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 349, warning: 1 characters of junk seen at toplevel
-[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 356, warning: 1 characters of junk seen at toplevel
-[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 361, warning: 1 characters of junk seen at toplevel
-[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 366, warning: 1 characters of junk seen at toplevel
-[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 375, warning: 1 characters of junk seen at toplevel
-[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 380, warning: 1 characters of junk seen at toplevel
-[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 385, warning: 1 characters of junk seen at toplevel
-[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 390, warning: 1 characters of junk seen at toplevel
-[398] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 395, warning: 1 characters of junk seen at toplevel
-[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 400, warning: 1 characters of junk seen at toplevel
-[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 405, warning: 1 characters of junk seen at toplevel
-[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 410, warning: 1 characters of junk seen at toplevel
-[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 419, warning: 1 characters of junk seen at toplevel
-[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 428, warning: 1 characters of junk seen at toplevel
-[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 433, warning: 1 characters of junk seen at toplevel
-[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 438, warning: 1 characters of junk seen at toplevel
-[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 443, warning: 1 characters of junk seen at toplevel
-[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 449, warning: 1 characters of junk seen at toplevel
-[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 459, warning: 1 characters of junk seen at toplevel
-[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 466, warning: 1 characters of junk seen at toplevel
-[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 473, warning: 1 characters of junk seen at toplevel
-[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 482, warning: 1 characters of junk seen at toplevel
-[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 487, warning: 1 characters of junk seen at toplevel
-[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 492, warning: 1 characters of junk seen at toplevel
-[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 501, warning: 1 characters of junk seen at toplevel
-[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 508, warning: 1 characters of junk seen at toplevel
-[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 515, warning: 1 characters of junk seen at toplevel
-[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 520, warning: 1 characters of junk seen at toplevel
-[399] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_HXKO/f4d088b3f9f145b5c3058da33afd57d4_271142.utf8, line 529, warning: 1 characters of junk seen at toplevel
-[448] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
-[449] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
-[449] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
-[449] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
-[490] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
-[507] bbl.pm:757> INFO - Output to document.bbl
-[508] Biber.pm:128> INFO - WARNINGS: 80
+[57] biber:340> INFO - === Mon Jun  6, 2022, 21:52:43
+[70] Biber.pm:415> INFO - Reading 'document.bcf'
+[145] Biber.pm:952> INFO - Found 77 citekeys in bib section 0
+[159] Biber.pm:4340> INFO - Processing section 0
+[168] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
+[171] bibtex.pm:1689> INFO - LaTeX decoding ...
+[200] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
+[376] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 9, warning: 1 characters of junk seen at toplevel
+[376] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 15, warning: 1 characters of junk seen at toplevel
+[376] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 22, warning: 1 characters of junk seen at toplevel
+[376] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 28, warning: 1 characters of junk seen at toplevel
+[377] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 35, warning: 1 characters of junk seen at toplevel
+[377] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 42, warning: 1 characters of junk seen at toplevel
+[377] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 50, warning: 1 characters of junk seen at toplevel
+[377] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 58, warning: 1 characters of junk seen at toplevel
+[377] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 65, warning: 1 characters of junk seen at toplevel
+[377] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 70, warning: 1 characters of junk seen at toplevel
+[377] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 77, warning: 1 characters of junk seen at toplevel
+[377] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 85, warning: 1 characters of junk seen at toplevel
+[377] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 94, warning: 1 characters of junk seen at toplevel
+[377] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 103, warning: 1 characters of junk seen at toplevel
+[377] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 112, warning: 1 characters of junk seen at toplevel
+[377] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 121, warning: 1 characters of junk seen at toplevel
+[377] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 127, warning: 1 characters of junk seen at toplevel
+[377] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 132, warning: 1 characters of junk seen at toplevel
+[377] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 137, warning: 1 characters of junk seen at toplevel
+[377] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 142, warning: 1 characters of junk seen at toplevel
+[377] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 153, warning: 1 characters of junk seen at toplevel
+[377] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 158, warning: 1 characters of junk seen at toplevel
+[377] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 164, warning: 1 characters of junk seen at toplevel
+[377] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 170, warning: 1 characters of junk seen at toplevel
+[378] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 175, warning: 1 characters of junk seen at toplevel
+[378] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 184, warning: 1 characters of junk seen at toplevel
+[378] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 191, warning: 1 characters of junk seen at toplevel
+[378] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 199, warning: 1 characters of junk seen at toplevel
+[378] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 206, warning: 1 characters of junk seen at toplevel
+[378] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 215, warning: 1 characters of junk seen at toplevel
+[378] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 224, warning: 1 characters of junk seen at toplevel
+[378] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 233, warning: 1 characters of junk seen at toplevel
+[378] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 239, warning: 1 characters of junk seen at toplevel
+[378] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 244, warning: 1 characters of junk seen at toplevel
+[378] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 249, warning: 1 characters of junk seen at toplevel
+[378] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 256, warning: 1 characters of junk seen at toplevel
+[378] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 261, warning: 1 characters of junk seen at toplevel
+[378] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 266, warning: 1 characters of junk seen at toplevel
+[378] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 271, warning: 1 characters of junk seen at toplevel
+[378] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 276, warning: 1 characters of junk seen at toplevel
+[378] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 283, warning: 1 characters of junk seen at toplevel
+[378] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 288, warning: 1 characters of junk seen at toplevel
+[378] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 295, warning: 1 characters of junk seen at toplevel
+[378] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 302, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 309, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 315, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 321, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 327, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 334, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 339, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 344, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 349, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 356, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 361, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 366, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 375, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 380, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 385, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 390, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 395, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 400, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 405, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 410, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 419, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 428, warning: 1 characters of junk seen at toplevel
+[379] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 433, warning: 1 characters of junk seen at toplevel
+[380] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 438, warning: 1 characters of junk seen at toplevel
+[380] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 443, warning: 1 characters of junk seen at toplevel
+[380] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 449, warning: 1 characters of junk seen at toplevel
+[380] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 459, warning: 1 characters of junk seen at toplevel
+[380] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 466, warning: 1 characters of junk seen at toplevel
+[380] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 473, warning: 1 characters of junk seen at toplevel
+[380] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 482, warning: 1 characters of junk seen at toplevel
+[380] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 487, warning: 1 characters of junk seen at toplevel
+[380] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 492, warning: 1 characters of junk seen at toplevel
+[380] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 501, warning: 1 characters of junk seen at toplevel
+[380] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 508, warning: 1 characters of junk seen at toplevel
+[380] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 515, warning: 1 characters of junk seen at toplevel
+[380] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 520, warning: 1 characters of junk seen at toplevel
+[380] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_frH7/f4d088b3f9f145b5c3058da33afd57d4_272885.utf8, line 529, warning: 1 characters of junk seen at toplevel
+[427] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
+[427] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
+[427] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
+[427] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
+[467] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
+[485] bbl.pm:757> INFO - Output to document.bbl
+[485] Biber.pm:128> INFO - WARNINGS: 80

docs/document.lof

@@ -54,4 +54,6 @@
 \addvspace {10\p@ }
 \defcounter {refsection}{0}\relax 
 \addvspace {10\p@ }
+\defcounter {refsection}{0}\relax 
+\addvspace {10\p@ }
 \contentsfinish 

docs/document.log

@@ -1,4 +1,4 @@
-This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27)  6 JUN 2022 20:49
+This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27)  6 JUN 2022 21:52
 entering extended mode
  restricted \write18 enabled.
  %&-line parsing enabled.
@@ -1089,7 +1089,7 @@ File: t1txss.fd 2000/12/15 v3.1
 )
 LaTeX Font Info:    Font shape `T1/txss/m/n' will be
 (Font)              scaled to size 11.39996pt on input line 186.
-<images//Portada_Logo.png, id=229, 456.2865pt x 45.99pt>
+<images//Portada_Logo.png, id=241, 456.2865pt x 45.99pt>
 File: images//Portada_Logo.png Graphic file (type png)
 <use images//Portada_Logo.png>
 Package pdftex.def Info: images//Portada_Logo.png  used on input line 190.
@@ -1102,7 +1102,7 @@ LaTeX Font Info:    Font shape `T1/txss/m/n' will be
 (Font)              scaled to size 23.63593pt on input line 201.
 LaTeX Font Info:    Font shape `T1/txss/m/n' will be
 (Font)              scaled to size 19.70294pt on input line 205.
-<images/creativecommons.png, id=231, 338.76563pt x 118.19156pt>
+<images/creativecommons.png, id=243, 338.76563pt x 118.19156pt>
 File: images/creativecommons.png Graphic file (type png)
 <use images/creativecommons.png>
 Package pdftex.def Info: images/creativecommons.png  used on input line 215.
@@ -1213,7 +1213,7 @@ Chapter 2.
 
 LaTeX Warning: Reference `section:TODO' on page 5 undefined on input line 412.
 
-<images//classic_bpf.jpg, id=598, 588.1975pt x 432.61626pt>
+<images//classic_bpf.jpg, id=616, 588.1975pt x 432.61626pt>
 File: images//classic_bpf.jpg Graphic file (type jpg)
 <use images//classic_bpf.jpg>
 Package pdftex.def Info: images//classic_bpf.jpg  used on input line 426.
@@ -1221,36 +1221,36 @@ Package pdftex.def Info: images//classic_bpf.jpg  used on input line 426.
 [5
 
 ] [6 <./images//classic_bpf.jpg>]
-<images//cbpf_prog.jpg, id=616, 403.5075pt x 451.6875pt>
+<images//cbpf_prog.jpg, id=634, 403.5075pt x 451.6875pt>
 File: images//cbpf_prog.jpg Graphic file (type jpg)
 <use images//cbpf_prog.jpg>
 Package pdftex.def Info: images//cbpf_prog.jpg  used on input line 453.
 (pdftex.def)             Requested size: 227.62204pt x 254.80415pt.
  [7 <./images/cBPF_prog.jpg>]
-<images//bpf_instructions.png, id=626, 380.92313pt x 475.27562pt>
+<images//bpf_instructions.png, id=644, 380.92313pt x 475.27562pt>
 File: images//bpf_instructions.png Graphic file (type png)
 <use images//bpf_instructions.png>
 Package pdftex.def Info: images//bpf_instructions.png  used on input line 493.
 (pdftex.def)             Requested size: 227.62204pt x 283.99998pt.
  [8 <./images//bpf_instructions.png>]
-<images//bpf_address_mode.png, id=637, 417.05812pt x 313.67188pt>
+<images//bpf_address_mode.png, id=655, 417.05812pt x 313.67188pt>
 File: images//bpf_address_mode.png Graphic file (type png)
 <use images//bpf_address_mode.png>
 Package pdftex.def Info: images//bpf_address_mode.png  used on input line 509.
 (pdftex.def)             Requested size: 227.62204pt x 171.19905pt.
  [9 <./images//bpf_address_mode.png>]
-<images//tcpdump_example.png, id=649, 534.99875pt x 454.69875pt>
+<images//tcpdump_example.png, id=667, 534.99875pt x 454.69875pt>
 File: images//tcpdump_example.png Graphic file (type png)
 <use images//tcpdump_example.png>
 Package pdftex.def Info: images//tcpdump_example.png  used on input line 524.
 (pdftex.def)             Requested size: 284.52756pt x 241.82869pt.
-<images//cBPF_prog_ex_sol.png, id=652, 242.9075pt x 321.2pt>
+<images//cBPF_prog_ex_sol.png, id=670, 242.9075pt x 321.2pt>
 File: images//cBPF_prog_ex_sol.png Graphic file (type png)
 <use images//cBPF_prog_ex_sol.png>
 Package pdftex.def Info: images//cBPF_prog_ex_sol.png  used on input line 535.
 (pdftex.def)             Requested size: 170.71652pt x 225.74026pt.
  [10 <./images//tcpdump_example.png>] [11 <./images//cBPF_prog_ex_sol.png>]
-<images//ebpf_arch.jpg, id=670, 739.76375pt x 472.76625pt>
+<images//ebpf_arch.jpg, id=688, 739.76375pt x 472.76625pt>
 File: images//ebpf_arch.jpg Graphic file (type jpg)
 <use images//ebpf_arch.jpg>
 Package pdftex.def Info: images//ebpf_arch.jpg  used on input line 574.
@@ -1302,7 +1302,7 @@ Overfull \hbox (13.5802pt too wide) in paragraph at lines 759--789
  []
 
 [17]
-<images//xdp_diag.jpg, id=750, 649.42625pt x 472.76625pt>
+<images//xdp_diag.jpg, id=768, 649.42625pt x 472.76625pt>
 File: images//xdp_diag.jpg Graphic file (type jpg)
 <use images//xdp_diag.jpg>
 Package pdftex.def Info: images//xdp_diag.jpg  used on input line 805.
@@ -1313,7 +1313,7 @@ Overfull \hbox (5.80417pt too wide) in paragraph at lines 868--880
  []
 
 [20] [21] [22] [23]
-<images//libbpf_prog.jpg, id=809, 543.02875pt x 502.87875pt>
+<images//libbpf_prog.jpg, id=827, 543.02875pt x 502.87875pt>
 File: images//libbpf_prog.jpg Graphic file (type jpg)
 <use images//libbpf_prog.jpg>
 Package pdftex.def Info: images//libbpf_prog.jpg  used on input line 978.
@@ -1325,26 +1325,26 @@ LaTeX Warning: Reference `TODO' on page 25 undefined on input line 1006.
 [25 <./images//libbpf_prog.jpg>] [26]
 Chapter 3.
 
-Overfull \hbox (15.27466pt too wide) in paragraph at lines 1027--1055
+Overfull \hbox (15.27466pt too wide) in paragraph at lines 1029--1057
  [][] 
  []
 
 [27
 
 ]
-Overfull \hbox (144.2746pt too wide) in paragraph at lines 1067--1068
+Overfull \hbox (144.2746pt too wide) in paragraph at lines 1069--1070
 []\T1/txr/bx/n/12 Unprivileged users \T1/txr/m/n/12 can only load and at-tach e
 BPF pro-grams of type BPF_PROG_TYPE_SOCKET_FILTER[[][]53[][]],
  []
 
 [28]
-Overfull \hbox (33.33205pt too wide) in paragraph at lines 1093--1094
+Overfull \hbox (33.33205pt too wide) in paragraph at lines 1095--1096
 []\T1/txr/m/n/12 Therefore, eBPF net-work pro-grams usu-ally re-quire both CAP_
 BPF and CAP_NET_ADMIN,
  []
 
 [29]
-Overfull \hbox (18.75664pt too wide) in paragraph at lines 1123--1124
+Overfull \hbox (18.75664pt too wide) in paragraph at lines 1125--1126
 \T1/txr/m/n/12 can also ex-plore all the avail-able maps in the sys-tem by us-i
 ng the BPF_MAP_GET_NEXT_ID
  []
@@ -1356,264 +1356,273 @@ File: lstlang1.sty 2020/03/24 1.8d listings language file
 File: lstmisc.sty 2020/03/24 1.8d (Carsten Heinz)
 )
 Package hyperref Info: bookmark level for unknown lstlisting defaults to 0 on i
-nput line 1139.
+nput line 1141.
  [30]
 LaTeX Font Info:    Trying to load font information for T1+txtt on input line 1
-139.
+141.
 
 (/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txtt.fd
 File: t1txtt.fd 2000/12/15 v3.1
 )
 LaTeX Font Info:    Font shape `T1/txtt/b/n' in size <10> not available
-(Font)              Font shape `T1/txtt/bx/n' tried instead on input line 1141.
+(Font)              Font shape `T1/txtt/bx/n' tried instead on input line 1143.
 
  [31] [32]
-Overfull \hbox (55.2727pt too wide) in paragraph at lines 1283--1284
+Overfull \hbox (55.2727pt too wide) in paragraph at lines 1285--1286
 \T1/txr/m/n/12 As we in-tro-duced in the pre-vi-ous sub-sec-tion, the bpf_probe
 _read_user() and bpf_probe_read_kernel()
  []
 
 [33]
-Overfull \hbox (47.97661pt too wide) in paragraph at lines 1292--1293
+
+LaTeX Warning: Reference `subsection_bpf_probe_write_apps' on page 34 undefined
+ on input line 1289.
+
+
+Overfull \hbox (47.97661pt too wide) in paragraph at lines 1294--1295
 \T1/txr/m/n/12 helper. It will only work if the ker-nel was com-piled with the 
 CON-FIG_BPF_KPROBE_OVERRIDE
  []
 
 [34]
-Overfull \hbox (62.0767pt too wide) in paragraph at lines 1334--1335
+Overfull \hbox (62.0767pt too wide) in paragraph at lines 1336--1337
 \T1/txr/m/n/12 the bounds of func-tion pa-ram-e-ters via the helpers bpf_probe_
 read_user() and bpf_probe_read_kernel().
  []
 
 [35]
-<images//mem_arch_pages.jpg, id=993, 593.21625pt x 434.62375pt>
+<images//mem_arch_pages.jpg, id=1010, 593.21625pt x 434.62375pt>
 File: images//mem_arch_pages.jpg Graphic file (type jpg)
 <use images//mem_arch_pages.jpg>
-Package pdftex.def Info: images//mem_arch_pages.jpg  used on input line 1347.
+Package pdftex.def Info: images//mem_arch_pages.jpg  used on input line 1349.
 (pdftex.def)             Requested size: 369.88582pt x 271.00914pt.
  [36]
-<images//mem_major_page_fault.jpg, id=1001, 639.38875pt x 425.59pt>
+<images//mem_major_page_fault.jpg, id=1018, 639.38875pt x 425.59pt>
 File: images//mem_major_page_fault.jpg Graphic file (type jpg)
 <use images//mem_major_page_fault.jpg>
 Package pdftex.def Info: images//mem_major_page_fault.jpg  used on input line 1
-357.
+359.
 (pdftex.def)             Requested size: 312.9803pt x 208.32661pt.
  [37 <./images//mem_arch_pages.jpg>]
-<images//mem_minor_page_fault.jpg, id=1008, 654.445pt x 555.07375pt>
+<images//mem_minor_page_fault.jpg, id=1025, 654.445pt x 555.07375pt>
 File: images//mem_minor_page_fault.jpg Graphic file (type jpg)
 <use images//mem_minor_page_fault.jpg>
 Package pdftex.def Info: images//mem_minor_page_fault.jpg  used on input line 1
-365.
+367.
 (pdftex.def)             Requested size: 312.9803pt x 265.45834pt.
-<images//memory.jpg, id=1009, 310.15875pt x 519.9425pt>
+<images//memory.jpg, id=1026, 310.15875pt x 519.9425pt>
 File: images//memory.jpg Graphic file (type jpg)
 <use images//memory.jpg>
-Package pdftex.def Info: images//memory.jpg  used on input line 1376.
+Package pdftex.def Info: images//memory.jpg  used on input line 1378.
 (pdftex.def)             Requested size: 170.71652pt x 286.18347pt.
  [38 <./images//mem_major_page_fault.jpg> <./images//mem_minor_page_fault.jpg>]
  [39 <./images//memory.jpg>]
-<images//stack_pres.jpg, id=1023, 707.64375pt x 283.0575pt>
+<images//stack_pres.jpg, id=1040, 707.64375pt x 283.0575pt>
 File: images//stack_pres.jpg Graphic file (type jpg)
 <use images//stack_pres.jpg>
-Package pdftex.def Info: images//stack_pres.jpg  used on input line 1399.
+Package pdftex.def Info: images//stack_pres.jpg  used on input line 1401.
 (pdftex.def)             Requested size: 398.33858pt x 159.33606pt.
 
 [40 <./images//stack_pres.jpg>]
-<images//stack_ops.jpg, id=1032, 524.96124pt x 694.595pt>
+<images//stack_ops.jpg, id=1049, 524.96124pt x 694.595pt>
 File: images//stack_ops.jpg Graphic file (type jpg)
 <use images//stack_ops.jpg>
-Package pdftex.def Info: images//stack_ops.jpg  used on input line 1433.
+Package pdftex.def Info: images//stack_ops.jpg  used on input line 1435.
 (pdftex.def)             Requested size: 284.52756pt x 376.47473pt.
-<images//stack_before.jpg, id=1033, 712.6625pt x 315.1775pt>
+<images//stack_before.jpg, id=1050, 712.6625pt x 315.1775pt>
 File: images//stack_before.jpg Graphic file (type jpg)
 <use images//stack_before.jpg>
-Package pdftex.def Info: images//stack_before.jpg  used on input line 1444.
+Package pdftex.def Info: images//stack_before.jpg  used on input line 1446.
 (pdftex.def)             Requested size: 398.33858pt x 176.16635pt.
  [41 <./images//stack_ops.jpg>]
-<images//stack.jpg, id=1038, 707.64375pt x 381.425pt>
+<images//stack.jpg, id=1055, 707.64375pt x 381.425pt>
 File: images//stack.jpg Graphic file (type jpg)
 <use images//stack.jpg>
-Package pdftex.def Info: images//stack.jpg  used on input line 1451.
+Package pdftex.def Info: images//stack.jpg  used on input line 1453.
 (pdftex.def)             Requested size: 398.33858pt x 214.70816pt.
  [42 <./images//stack_before.jpg> <./images//stack.jpg>] [43]
-Overfull \hbox (3.09538pt too wide) in paragraph at lines 1495--1496
+Overfull \hbox (3.09538pt too wide) in paragraph at lines 1497--1498
 \T1/txr/m/n/12 trac-ing pro-grams can read any user mem-ory lo-ca-tion with the
  bpf_probe_read_user()
  []
 
 [44]
-<images//stack_scan_write_tech.jpg, id=1084, 829.0975pt x 315.1775pt>
+<images//stack_scan_write_tech.jpg, id=1101, 829.0975pt x 315.1775pt>
 File: images//stack_scan_write_tech.jpg Graphic file (type jpg)
 <use images//stack_scan_write_tech.jpg>
 Package pdftex.def Info: images//stack_scan_write_tech.jpg  used on input line 
-1511.
+1513.
 (pdftex.def)             Requested size: 455.24408pt x 173.0548pt.
 
-Overfull \hbox (28.45273pt too wide) in paragraph at lines 1511--1512
+Overfull \hbox (28.45273pt too wide) in paragraph at lines 1513--1514
  [][] 
  []
 
 
-LaTeX Warning: Reference `TODO' on page 45 undefined on input line 1533.
+LaTeX Warning: Reference `TODO' on page 45 undefined on input line 1535.
 
 [45 <./images//stack_scan_write_tech.jpg>] [46]
-<images//frame.jpg, id=1120, 695.59875pt x 705.63625pt>
+<images//frame.jpg, id=1137, 695.59875pt x 705.63625pt>
 File: images//frame.jpg Graphic file (type jpg)
 <use images//frame.jpg>
-Package pdftex.def Info: images//frame.jpg  used on input line 1569.
+Package pdftex.def Info: images//frame.jpg  used on input line 1571.
 (pdftex.def)             Requested size: 398.33858pt x 404.07954pt.
  [47] [48 <./images//frame.jpg>]
-<images//tcp_conn.jpg, id=1139, 452.69125pt x 405.515pt>
+<images//tcp_conn.jpg, id=1156, 452.69125pt x 405.515pt>
 File: images//tcp_conn.jpg Graphic file (type jpg)
 <use images//tcp_conn.jpg>
-Package pdftex.def Info: images//tcp_conn.jpg  used on input line 1617.
+Package pdftex.def Info: images//tcp_conn.jpg  used on input line 1619.
 (pdftex.def)             Requested size: 341.43306pt x 305.84947pt.
 [49]
-Overfull \hbox (30.78944pt too wide) in paragraph at lines 1622--1623
+Overfull \hbox (30.78944pt too wide) in paragraph at lines 1624--1625
 []\T1/txr/m/n/12 As we can ob-serve in the fig-ure, the hosts in-ter-change a s
 e-quence of <SYN>, <SYN+ACK>,
  []
 
-<images//tcp_retransmission.jpg, id=1147, 523.9575pt x 485.815pt>
+<images//tcp_retransmission.jpg, id=1164, 523.9575pt x 485.815pt>
 File: images//tcp_retransmission.jpg Graphic file (type jpg)
 <use images//tcp_retransmission.jpg>
 Package pdftex.def Info: images//tcp_retransmission.jpg  used on input line 163
-3.
+5.
 (pdftex.def)             Requested size: 341.43306pt x 316.58401pt.
 [50 <./images//tcp_conn.jpg>] [51 <./images//tcp_retransmission.jpg>]
-<images//tcp_exfiltrate_retrans.jpg, id=1165, 633.36626pt x 475.7775pt>
+<images//tcp_exfiltrate_retrans.jpg, id=1182, 633.36626pt x 475.7775pt>
 File: images//tcp_exfiltrate_retrans.jpg Graphic file (type jpg)
 <use images//tcp_exfiltrate_retrans.jpg>
 Package pdftex.def Info: images//tcp_exfiltrate_retrans.jpg  used on input line
- 1670.
+ 1672.
 (pdftex.def)             Requested size: 426.79134pt x 320.60597pt.
  [52]
 [53 <./images//tcp_exfiltrate_retrans.jpg>] [54]
 Chapter 4.
 [55
 
-]
+] [56]
 Chapter 5.
-[56
+[57
 
 ]
-Overfull \hbox (5.34976pt too wide) in paragraph at lines 1713--1713
+Chapter 6.
+[58
+
+]
+Overfull \hbox (5.34976pt too wide) in paragraph at lines 1752--1752
 \T1/txtt/m/n/12 threat -[] intelligence / cyber -[] year -[] in -[] retrospect 
 / yir -[] cyber -[] threats -[]
  []
 
-[57
+[59
 
 
 ]
-Overfull \hbox (6.22696pt too wide) in paragraph at lines 1713--1713
+Overfull \hbox (6.22696pt too wide) in paragraph at lines 1752--1752
 []\T1/txr/m/it/12 Bpf fea-tures by linux ker-nel ver-sion\T1/txr/m/n/12 , io-vi
 -sor. [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / github .
  []
 
 
-Overfull \hbox (7.34976pt too wide) in paragraph at lines 1713--1713
+Overfull \hbox (7.34976pt too wide) in paragraph at lines 1752--1752
 [][]$\T1/txtt/m/n/12 https : / / ebpf . io / what -[] is -[] ebpf / #loader -[]
 -[] verification -[] architecture$[][]\T1/txr/m/n/12 . 
  []
 
 
-Overfull \hbox (21.24973pt too wide) in paragraph at lines 1713--1713
+Overfull \hbox (21.24973pt too wide) in paragraph at lines 1752--1752
 \T1/txtt/m/n/12 vger . kernel . org / netconf2015Starovoitov -[] bpf _ collabsu
 mmit _ 2015feb20 .
  []
 
-[58]
-Overfull \hbox (9.14975pt too wide) in paragraph at lines 1713--1713
+[60]
+Overfull \hbox (9.14975pt too wide) in paragraph at lines 1752--1752
 \T1/txtt/m/n/12 ch02 . xhtml# :-[]: text = With % 20JIT % 20compiled % 20code %
  2C % 20i ,[] %20other %
  []
 
 
-Overfull \hbox (6.49615pt too wide) in paragraph at lines 1713--1713
+Overfull \hbox (6.49615pt too wide) in paragraph at lines 1752--1752
 []\T1/txr/m/n/12 D. Lavie. ^^P  A gen-tle in-tro-duc-tion to xdp.^^Q (Feb. 3, 2
 022), [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https :
  []
 
-[59]
-Overfull \hbox (0.76683pt too wide) in paragraph at lines 1713--1713
+[61]
+Overfull \hbox (0.76683pt too wide) in paragraph at lines 1752--1752
 []\T1/txr/m/n/12 ^^P  Bpf next ker-nel tree.^^Q (), [On-line]. Avail-able: [][]
 $\T1/txtt/m/n/12 https : / / kernel . googlesource .
  []
 
 
-Overfull \hbox (14.49278pt too wide) in paragraph at lines 1713--1713
+Overfull \hbox (14.49278pt too wide) in paragraph at lines 1752--1752
 []\T1/txr/m/it/12 Capabilities - overview of linux ca-pa-bil-i-ties\T1/txr/m/n/
 12 . [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 http : / / manpages .
  []
 
-[60]
-Overfull \hbox (53.32059pt too wide) in paragraph at lines 1713--1713
+[62]
+Overfull \hbox (53.32059pt too wide) in paragraph at lines 1752--1752
 \T1/txr/m/it/12 sup-ple-ment\T1/txr/m/n/12 , Jan. 28, 2018, p. 148. [On-line]. 
 Avail-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
  []
 
 
-Overfull \hbox (33.3497pt too wide) in paragraph at lines 1713--1713
+Overfull \hbox (33.3497pt too wide) in paragraph at lines 1752--1752
 \T1/txtt/m/n/12 20CON % 2029 % 20presentations / Guillaume % 20Fournier % 20Syl
 vain % 20Afchain %
  []
 
 
-Overfull \hbox (9.33742pt too wide) in paragraph at lines 1713--1713
+Overfull \hbox (9.33742pt too wide) in paragraph at lines 1752--1752
 \T1/txr/m/n/12 Avail-able: [][]$\T1/txtt/m/n/12 https : / / events19 . linuxfou
 ndation . org / wp -[] content / uploads /
  []
 
 
-Overfull \hbox (18.44974pt too wide) in paragraph at lines 1713--1713
+Overfull \hbox (18.44974pt too wide) in paragraph at lines 1752--1752
 \T1/txtt/m/n/12 2017 / 12 / MM -[] 101 -[] Introduction -[] to -[] Linux -[] Me
 mory -[] Management -[] Christoph -[]
  []
 
 
-Overfull \hbox (5.92503pt too wide) in paragraph at lines 1713--1713
+Overfull \hbox (5.92503pt too wide) in paragraph at lines 1752--1752
 []\T1/txr/m/n/12 D. Breaker. ^^P  Un-der-stand-ing page faults and mem-ory swap
 -in/outs.^^Q (Aug. 19, 2019),
  []
 
 
-Overfull \hbox (40.56133pt too wide) in paragraph at lines 1713--1713
+Overfull \hbox (40.56133pt too wide) in paragraph at lines 1752--1752
 \T1/txr/m/n/12 able: [][]$\T1/txtt/m/n/12 https : / / h3xduck . github . io / e
 xploit / 2021 / 05 / 23 / stackbufferoverflow -[]
  []
 
 
-Overfull \hbox (47.32059pt too wide) in paragraph at lines 1713--1713
+Overfull \hbox (47.32059pt too wide) in paragraph at lines 1752--1752
 \T1/txr/m/it/12 sup-ple-ment\T1/txr/m/n/12 , Jan. 28, 2018, p. 18. [On-line]. A
 vail-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
  []
 
-[61]
-Overfull \hbox (11.10025pt too wide) in paragraph at lines 1713--1713
+[63]
+Overfull \hbox (11.10025pt too wide) in paragraph at lines 1752--1752
 \T1/txr/m/n/12 DE-F-CON 27, pp. 69^^U74. [On-line]. Avail-able: [][]$\T1/txtt/m
 /n/12 https : / / raw . githubusercontent .
  []
 
 
-Overfull \hbox (39.98859pt too wide) in paragraph at lines 1713--1713
+Overfull \hbox (39.98859pt too wide) in paragraph at lines 1752--1752
 \T1/txr/m/it/12 ment\T1/txr/m/n/12 , Jan. 28, 2018, pp. 19^^U22. [On-line]. Ava
 il-able: [][]$\T1/txtt/m/n/12 https : / / raw . githubusercontent .
  []
 
 
-Overfull \hbox (21.2149pt too wide) in paragraph at lines 1713--1713
+Overfull \hbox (21.2149pt too wide) in paragraph at lines 1752--1752
 \T1/txr/m/n/12 line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / www . plixer
  . com / blog / network -[] layers -[] explained/$[][]\T1/txr/m/n/12 . 
  []
 
 
-Overfull \hbox (4.29944pt too wide) in paragraph at lines 1713--1713
+Overfull \hbox (4.29944pt too wide) in paragraph at lines 1752--1752
 []\T1/txr/m/n/12 ^^P  Trans-mis-sion con-trol pro-to-col,^^Q IBM. (Apr. 19, 202
 2), [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https :
  []
 
-[62] (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
+[64] (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
 File: lstlang1.sty 2020/03/24 1.8d listings language file
 )
 (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
@@ -1624,7 +1633,7 @@ File: lstlang1.sty 2020/03/24 1.8d listings language file
 been already used, duplicate ignored
 <to be read again> 
                    \relax 
-l.1773 \end{document}
+l.1812 \end{document}
                       [2
 
 ] (./document.aux)
@@ -1632,16 +1641,16 @@ l.1773 \end{document}
 LaTeX Warning: There were undefined references.
 
 Package rerunfilecheck Info: File `document.out' has not changed.
-(rerunfilecheck)             Checksum: 92AAE055ABF4033A3038C889397F3EC1;4293.
+(rerunfilecheck)             Checksum: 0534197E5E0256674903E8AAF25F54B0;4578.
 Package logreq Info: Writing requests to 'document.run.xml'.
 \openout1 = `document.run.xml'.
 
  ) 
 Here is how much of TeX's memory you used:
- 28510 strings out of 481209
- 454701 string characters out of 5914747
- 1353298 words of memory out of 5000000
- 44633 multiletter control sequences out of 15000+600000
+ 28520 strings out of 481209
+ 454854 string characters out of 5914747
+ 1353349 words of memory out of 5000000
+ 44638 multiletter control sequences out of 15000+600000
  459242 words of font info for 106 fonts, out of 8000000 for 9000
  36 hyphenation exceptions out of 8191
  88i,12n,90p,1029b,3693s stack positions out of 5000i,500n,10000p,200000b,80000s
@@ -1657,9 +1666,9 @@ e/texmf-dist/fonts/type1/urw/helvetic/uhvb8a.pfb></usr/share/texlive/texmf-dist
 /urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/u
 tmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr
 /share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
-Output written on document.pdf (81 pages, 1439700 bytes).
+Output written on document.pdf (83 pages, 1445236 bytes).
 PDF statistics:
- 1522 PDF objects out of 1728 (max. 8388607)
- 367 named destinations out of 1000 (max. 500000)
- 581 words of extra memory for PDF output out of 10000 (max. 10000000)
+ 1548 PDF objects out of 1728 (max. 8388607)
+ 372 named destinations out of 1000 (max. 500000)
+ 605 words of extra memory for PDF output out of 10000 (max. 10000000)
 

docs/document.lot

@@ -50,4 +50,6 @@
 \addvspace {10\p@ }
 \defcounter {refsection}{0}\relax 
 \addvspace {10\p@ }
+\defcounter {refsection}{0}\relax 
+\addvspace {10\p@ }
 \contentsfinish 

docs/document.out

@@ -51,6 +51,9 @@
 \BOOKMARK [2][-]{subsection.3.4.2}{Introduction\040to\040the\040TCP\040protocol}{section.3.4}% 51
 \BOOKMARK [2][-]{subsection.3.4.3}{Attacks\040and\040limitations\040of\040networking\040programs}{section.3.4}% 52
 \BOOKMARK [2][-]{subsection.3.4.4}{Conclusion}{section.3.4}% 53
-\BOOKMARK [0][-]{chapter.4}{Results}{}% 54
-\BOOKMARK [0][-]{chapter.5}{Conclusion\040and\040future\040work}{}% 55
-\BOOKMARK [0][-]{chapter.5}{Bibliography}{}% 56
+\BOOKMARK [0][-]{chapter.4}{Design\040of\040a\040malicious\040eBPF\040rootkit}{}% 54
+\BOOKMARK [1][-]{section.4.1}{Library\040injection\040via\040.GOT\040hijacking}{chapter.4}% 55
+\BOOKMARK [2][-]{subsection.4.1.1}{Introduction\040to\040attacks\040in\040the\040stack}{section.4.1}% 56
+\BOOKMARK [0][-]{chapter.5}{Results}{}% 57
+\BOOKMARK [0][-]{chapter.6}{Conclusion\040and\040future\040work}{}% 58
+\BOOKMARK [0][-]{chapter.6}{Bibliography}{}% 59

docs/document.tex

@@ -346,7 +346,7 @@ Although eBPF has built an outstanding environment for the creation of networkin
 Moreover, there currently exists official efforts to extend the eBPF technology into Windows\cite{ebpf_windows} and Android systems\cite{ebpf_android}, which spreads the mentioned risks to new platforms. Therefore, we can confidently claim that there is a growing interest on researching the capabilities of eBPF in the context of offensive security, in particular given its potential on becoming a common component found of modern rootkits. This knowledge would be valuable to the computer security community, both in the context of pen-testing and for analysts which need to know about the latest trends in malware to prepare their defences.
 
 
-\section{Project objectives}
+\section{Project objectives} \label{section:project_objectives}
 The main objective of this project is to compile a comprehensive report of the capabilities in the eBPF technology that could be weaponized by a malicious actor. In particular, we will be focusing on functionalities present in the Linux platform, given the maturity of eBPF on these environments and which therefore offers a wider range of possibilities. We will be approaching this study from the perspective of a threat actor, meaning that we will develop an eBPF-based rootkit which shows these capabilities live in a current Linux system, including proof of concepts (PoC) showing an specific feature, and also by building a realistic rootkit system which weaponizes these PoCs and operates malicious activities. 
 
 %According to the library guide, previous research should be around here. %Is it the best place tho?
@@ -1018,6 +1018,8 @@ Therefore, given the previous background, this chapter is dedicated to an analys
 \item Exploring networking capabilities with eBPF packet filters.
 \end{itemize}
 
+
+%TODO if this is finally not included, change the intro
 Finally, we will study in detail some of the malicious applications that previous researchers have proposed to take advantage of these capabilities of eBPF. In the next chapter, we will proceed to elaborate on these ideas, find new purposes and design our own rootkit.
 
 \section{Security features in eBPF}
@@ -1474,7 +1476,7 @@ As we mentioned, the stack stores function parameters, return addresses and loca
 \item Since the function arguments where pushed into the stack, they are popped now.
 \end{enumerate}
 
-\subsection{Attacks and limitations of bpf\_probe\_write\_user()} \label{subsection_bpf_probe_write_apps}
+\subsection{Attacks and limitations of bpf\_probe\_write\_user()} \label{subsection:bpf_probe_write_apps}
 Provided the background into memory architecture and the stack operation, we will now study the offensive capabilities of the bpf\_probe\_write\_user() helper and which restrictions are imposed into its use by eBPF programs.
 
 The bpf\_probe\_write\_user() helper, when used from a tracing eBPF program, can write into any memory address in the user space of the process responsible from calling the hooked function. However, the write operation fails has some restrictions:
@@ -1685,6 +1687,38 @@ Ultimately, the capabilities discussed in this section unlock complete freedom f
 \item A \textbf{backdoor}, a stealthy program which listens on the network interface and waits for secret instructions from a remote attacker-controlled client program. This backdoor can have \textbf{Command and Control (C2)} capabilities, meaning that it can process commands sent by the attacker and received at the backdoor, executing a series of actions corresponding to the request received, and (when needed) answering the attacker with the result of the command.
 \end{itemize}
 
+%TODO maybe a conclusion for this section?
+
+
+%Maybe not the best title
+\chapter{Design of a malicious eBPF rootkit}
+In the previous chapter, we discussed the functionality of eBPF programs from a security standpoint, detailing which helpers and program types are particularly useful for developing malicious programs, and analysing some techniques (stack scanning, overwriting packets together with TCP retransmissions) which helps us circumvent some of the restrictions of eBPF and find new attack vectors.
+
+Taking as a basis these capabilities, this chapter is now dedicated to a comprehensive description of the advanced techniques and functionalities implemented in our eBPF rootkit, which show how these capabilities can lead to the creation of a real malicious application. As we mentioned during the project objectives, our goals for our rootkit include the following:
+\begin{itemize}
+\item Hijacking the execution of user programs while they are running, injecting libraries and executing malicious code, without impacting their normal execution.
+\item Featuring a command-and-control module powered by a network backdoor, which can be operated from a remote client. This backdoor should be controlled with stealth in mind, featuring similar mechanisms to those present in rootkits found in the wild.
+\item Tampering with user data at system calls, resulting in running malware-like programs and for other malicious purposes.
+\item Achieving stealth, hiding rootkit-related files from the user.
+\item Achieving rootkit persistence, the rootkit should run after a complete system reboot.
+\
+\end{itemize}
+%TODO maybe this is the place to mention that, on top of those, explaining some of the DEFCON techniques will be done too. Im particular interested on the one of hiding the kernel log message of bpf_probe_write_user and on ROP.
+
+We will be exploring each functionality individually, presenting the necessary background on each of them, and offering a final comprehensive view on how each of the systems work.
+
+\section{Library injection via .GOT hijacking}
+In this section, we will discuss how to hijack an user process running in the system so that it executes arbitrary code instructed from an eBPF program. For this, we will be injecting a library which will be executed by taking advantage of the architecture of an executable program (the .GOT section in ELFs) and using the stack scanning technique covered in section \ref{subsection:bpf_probe_write_apps}. This injection will be stealthy(it must not crash the process), and will be able to hijack privileged programs such as systemd, so that the code is executed as root.
+
+We will also research how to circumvent the protections which modern compilers have set in order to prevent similar attacks (when performed without eBPF).
+
+This technique has some advantages and disadvantages to the one described by Jeff Dileo at DEFCON 27, which we will briefly cover before presenting ours. A comparison between them will also be offered.
+
+\subsection{Introduction to attacks in the stack}
+
+
+
+
 
 
 

docs/document.toc

@@ -107,9 +107,15 @@
 \defcounter {refsection}{0}\relax 
 \contentsline {subsection}{\numberline {3.4.4}Conclusion}{53}{subsection.3.4.4}%
 \defcounter {refsection}{0}\relax 
-\contentsline {chapter}{\numberline {4}Results}{55}{chapter.4}%
+\contentsline {chapter}{\numberline {4}Design of a malicious eBPF rootkit}{55}{chapter.4}%
 \defcounter {refsection}{0}\relax 
-\contentsline {chapter}{\numberline {5}Conclusion and future work}{56}{chapter.5}%
+\contentsline {section}{\numberline {4.1}Library injection via .GOT hijacking}{55}{section.4.1}%
 \defcounter {refsection}{0}\relax 
-\contentsline {chapter}{Bibliography}{57}{chapter.5}%
+\contentsline {subsection}{\numberline {4.1.1}Introduction to attacks in the stack}{56}{subsection.4.1.1}%
+\defcounter {refsection}{0}\relax 
+\contentsline {chapter}{\numberline {5}Results}{57}{chapter.5}%
+\defcounter {refsection}{0}\relax 
+\contentsline {chapter}{\numberline {6}Conclusion and future work}{58}{chapter.6}%
+\defcounter {refsection}{0}\relax 
+\contentsline {chapter}{Bibliography}{59}{chapter.6}%
 \contentsfinish 

docs/pdfa.xmpi

@@ -73,15 +73,15 @@
   </rdf:Description> 
   <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/"> 
    <xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool> 
-   <xmp:ModifyDate>2022-06-06T20:49:24-04:00</xmp:ModifyDate> 
-   <xmp:CreateDate>2022-06-06T20:49:24-04:00</xmp:CreateDate> 
-   <xmp:MetadataDate>2022-06-06T20:49:24-04:00</xmp:MetadataDate> 
+   <xmp:ModifyDate>2022-06-06T21:52:46-04:00</xmp:ModifyDate> 
+   <xmp:CreateDate>2022-06-06T21:52:46-04:00</xmp:CreateDate> 
+   <xmp:MetadataDate>2022-06-06T21:52:46-04:00</xmp:MetadataDate> 
   </rdf:Description> 
   <rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/"> 
   </rdf:Description> 
   <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/"> 
    <xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID> 
-   <xmpMM:InstanceID>uuid:26A5E47A-114F-F7CD-5787-82CC4D0D8429</xmpMM:InstanceID> 
+   <xmpMM:InstanceID>uuid:94CDBB45-6A30-6CCE-B5DD-1D475DAA515D</xmpMM:InstanceID> 
   </rdf:Description> 
  </rdf:RDF> 
 </x:xmpmeta>