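@comment{ Bibliography database in biblatex/Biber form (date, url, urldate, eventtitle, @online, @report).
          One entry per source; page-specific variants inherit the parent via crossref and only add pages.
          Entries whose fields could not be verified from the cited source are flagged with a REVIEW comment. }

@comment{ INTRODUCTION }

@report{ransomware_paloalto,
  institution = {Palo Alto Networks},
  title       = {Ransomware Threat Report 2022},
  type        = {techreport},
  url         = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/2022-unit42-ransomware-threat-report-final.pdf},
}

@report{ransomware_pwc,
  institution = {PricewaterhouseCoopers},
  title       = {Cyber Threats 2021: A Year in Retrospect},
  type        = {techreport},
  url         = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf},
}

@comment{ bpfdoor_pwc is the same PwC report cited at a specific page; the usual form is \cite[p.~37]{ransomware_pwc}.
          The key is kept so existing citations still resolve. }
@report{bpfdoor_pwc,
  crossref = {ransomware_pwc},
  pages    = {37},
}

@report{rootkit_ptsecurity,
  institution = {Positive Technologies},
  title       = {Rootkits: Evolution and Detection Methods},
  type        = {techreport},
  date        = {2021-11-03},
  url         = {https://www.ptsecurity.com/ww-en/analytics/rootkits-evolution-and-detection-methods/},
}

@online{ebpf_linux318,
  title = {{eBPF} Incorporation in the {Linux} Kernel 3.18},
  date  = {2014-12-07},
  url   = {https://kernelnewbies.org/Linux_3.18},
}

@report{bvp47_report,
  institution = {Pangu Lab},
  title       = {{Bvp47}: Top-tier Backdoor of {US} {NSA} Equation Group},
  type        = {techreport},
  date        = {2022-02-23},
  url         = {https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf},
}

@comment{ Conference talks are recorded as @online (slides or video with a URL); @proceedings does not accept an author field,
          so the speakers were silently dropped from the rendered bibliography. The talk title and speaker names below are
          taken from the file name in the url field; the original eventtitle was a copy of the PwC report title. }
@online{ebpf_friends,
  author       = {Fournier, Guillaume and Afchain, Sylvain and Baubeau, Sylvain},
  title        = {{eBPF}, I Thought We Were Friends},
  organization = {Datadog},
  eventtitle   = {{DEF CON} 29},
  url          = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf},
}

@online{evil_ebpf,
  author       = {Dileo, Jeff},
  title        = {Evil {eBPF}: Practical Abuses of an In-Kernel Bytecode Runtime},
  organization = {NCC Group},
  eventtitle   = {{DEF CON} 27},
  url          = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf},
}

@comment{ REVIEW: the event for bad_ebpf is given as DEF CON 27 in the source file; verify against the video page. }
@online{bad_ebpf,
  author     = {Hogan, Pat},
  title      = {Bad {BPF} -- Warping Reality Using {eBPF}},
  eventtitle = {{DEF CON} 27},
  url        = {https://www.youtube.com/watch?v=g6SKWT7sROQ},
}

@comment{ REVIEW: ebpf_windows repeats the title, date and url of ebpf_linux318, and ebpf_android pairs the title
          "eBPF for Windows" with an Android URL. This looks like a copy-paste mix-up between the two entries;
          the values are kept unchanged here and must be checked against the intended sources before citing. }
@online{ebpf_windows,
  title = {{eBPF} Incorporation in the {Linux} Kernel 3.18},
  date  = {2014-12-07},
  url   = {https://kernelnewbies.org/Linux_3.18},
}

@online{ebpf_android,
  title = {{eBPF} for {Windows}},
  url   = {https://source.android.com/devices/architecture/kernel/bpf},
}

@comment{ The BPF paper is an LBL report (institution and date were already given); @article was wrong because there is
          no journal. The _pageN keys are kept for existing citations; prefer \cite[p.~5]{bpf_bsd_origin}. }
@report{bpf_bsd_origin,
  author      = {McCanne, Steven and Jacobson, Van},
  title       = {The {BSD} Packet Filter: A New Architecture for User-level Packet Capture},
  institution = {Lawrence Berkeley Laboratory},
  type        = {techreport},
  date        = {1992-12-19},
  url         = {https://www.tcpdump.org/papers/bpf-usenix93.pdf},
}

@report{bpf_bsd_origin_bpf_page1,
  crossref = {bpf_bsd_origin},
  pages    = {1},
}

@report{bpf_bsd_origin_bpf_page5,
  crossref = {bpf_bsd_origin},
  pages    = {5},
}

@report{bpf_bsd_origin_bpf_page7,
  crossref = {bpf_bsd_origin},
  pages    = {7},
}

@report{bpf_bsd_origin_bpf_page8,
  crossref = {bpf_bsd_origin},
  pages    = {8},
}

@comment{ REVIEW: the url path of ebpf_history_opensource says 17/9 while date says August; verify the publication date. }
@online{ebpf_history_opensource,
  title = {An Intro to Using {eBPF} to Filter Packets in the {Linux} Kernel},
  date  = {2017-08-11},
  url   = {https://opensource.com/article/17/9/intro-ebpf},
}

@manual{ebpf_io,
  title = {{eBPF} Documentation},
  url   = {https://ebpf.io/what-is-ebpf/},
}

@manual{ebpf_io_arch,
  title = {{eBPF} Documentation: Loader and Verification Architecture},
  url   = {https://ebpf.io/what-is-ebpf/#loader--verification-architecture},
}

@manual{ebpf_io_verification,
  title = {{eBPF} Documentation: Verification},
  url   = {https://ebpf.io/what-is-ebpf/#verification},
}

@online{index_register,
  title = {Index Register},
  url   = {https://gunkies.org/wiki/Index_register},
}

@online{bpf_organicprogrammer_analysis,
  title = {Write a {Linux} Packet Sniffer from Scratch: Part Two -- {BPF}},
  date  = {2022-03-28},
  url   = {https://organicprogrammer.com/2022/03/28/how-to-implement-libpcap-on-linux-with-raw-socket-part2/},
}

@manual{tcpdump_page,
  title = {Tcpdump and Libpcap},
  url   = {https://www.tcpdump.org},
}

@manual{ebpf_funcs_by_ver,
  title        = {{BPF} Features by {Linux} Kernel Version},
  organization = {{iovisor}},
  url          = {https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md},
}

@comment{ ISBN taken from the O'Reilly url; brendan_gregg_bpf_book_bpf_vm is chapter 2 of the same book. }
@book{brendan_gregg_bpf_book,
  author    = {Gregg, Brendan},
  title     = {{BPF} Performance Tools},
  publisher = {Addison-Wesley},
  date      = {2019},
  isbn      = {9780136588870},
  url       = {https://www.oreilly.com/library/view/bpf-performance-tools/9780136588870/},
}

@book{brendan_gregg_bpf_book_bpf_vm,
  crossref = {brendan_gregg_bpf_book},
  chapter  = {2},
  url      = {https://learning.oreilly.com/library/view/bpf-performance-tools/9780136588870/ch02.xhtml#:~:text=With%20JIT%20compiled%20code%2C%20i,%20other%20native%20kernel%20code},
}

@manual{ebpf_inst_set,
  title = {{eBPF} Instruction Set},
  url   = {https://www.kernel.org/doc/html/latest/bpf/instruction-set.html},
}

@manual{8664_inst_set_specs,
  author  = {{Intel}},
  title   = {Intel® 64 and {IA-32} Architectures Software Developer's Manual Combined Volumes: 1, 2A, 2B, 2C, 2D, 3A, 3B, 3C, 3D, and 4},
  volume  = {2A},
  pages   = {507},
  url     = {https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html},
  urldate = {2022-05-13},
}

@online{ebpf_starovo_slides,
  author       = {Starovoitov, Alexei},
  title        = {{BPF} -- In-kernel Virtual Machine},
  organization = {PLUMgrid},
  date         = {2015-02-20},
  url          = {http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf},
}

@online{ebpf_starovo_slides_page23,
  crossref = {ebpf_starovo_slides},
  pages    = {23},
}

@online{ebpf_JIT,
  author = {Corbet, Jonathan},
  title  = {A {JIT} for Packet Filters},
  date   = {2011-04-12},
  url    = {https://lwn.net/Articles/437981/},
}

@online{ebpf_JIT_demystify,
  author       = {Wang, Jiong},
  title        = {Demystify {eBPF} {JIT} Compiler},
  organization = {Netronome},
  date         = {2018-09-11},
  url          = {https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf},
}

@online{ebpf_JIT_demystify_page13,
  crossref = {ebpf_JIT_demystify},
  pages    = {13},
}

@online{ebpf_JIT_demystify_page14,
  crossref = {ebpf_JIT_demystify},
  pages    = {14},
}

@online{ebpf_JIT_demystify_page17-22,
  crossref = {ebpf_JIT_demystify},
  pages    = {17--22},
}

@manual{jit_enable_setting,
  title = {bpf\_jit\_enable},
  url   = {https://sysctl-explorer.net/net/core/bpf_jit_enable/},
}

@manual{ebpf_verifier_kerneldocs,
  title = {{eBPF} Verifier},
  url   = {https://kernel.org/doc/html/latest/bpf/verifier.html},
}

@comment{ REVIEW: 2019-06-31 is not a valid calendar date and Biber will reject it; the value is kept as given
          so the intended date can be checked against the LWN article rather than guessed. }
@online{ebpf_bounded_loops,
  author = {Rybczynska, Marta},
  title  = {Bounded Loops in {BPF} for the 5.3 Kernel},
  date   = {2019-06-31},
  url    = {https://lwn.net/Articles/794934/},
}

@manual{ebpf_maps_kernel,
  title = {{eBPF} Maps},
  url   = {https://www.kernel.org/doc/html/latest/bpf/maps.html},
}

@manual{ebpf_maps_rddocs,
  title = {{eBPF} Maps},
  url   = {https://prototype-kernel.readthedocs.io/en/latest/bpf/ebpf_maps.html},
}

@manual{bpf_syscall,
  title = {bpf(2) -- {Linux} Manual Page},
  url   = {https://man7.org/linux/man-pages/man2/bpf.2.html},
}

@manual{ebpf_helpers,
  title = {bpf-helpers(7) -- {Linux} Manual Page},
  url   = {https://man7.org/linux/man-pages/man7/bpf-helpers.7.html},
}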