\BOOKMARK [0][-]{chapter.1}{Introduction}{}% 1
\BOOKMARK [1][-]{section.1.1}{Motivation}{chapter.1}% 2
\BOOKMARK [1][-]{section.1.2}{Project\040objectives}{chapter.1}% 3
\BOOKMARK [1][-]{section.1.3}{Regulatory\040framework}{chapter.1}% 4
\BOOKMARK [2][-]{subsection.1.3.1}{Social\040and\040economic\040environment}{section.1.3}% 5
\BOOKMARK [2][-]{subsection.1.3.2}{Budget}{section.1.3}% 6
\BOOKMARK [1][-]{section.1.4}{Structure\040of\040the\040document}{chapter.1}% 7
\BOOKMARK [1][-]{section.1.5}{Code\040availability}{chapter.1}% 8
\BOOKMARK [0][-]{chapter.2}{Background}{}% 9
\BOOKMARK [1][-]{section.2.1}{BPF}{chapter.2}% 10
\BOOKMARK [2][-]{subsection.2.1.1}{Introduction\040to\040the\040BPF\040system}{section.2.1}% 11
\BOOKMARK [2][-]{subsection.2.1.2}{The\040BPF\040virtual\040machine}{section.2.1}% 12
\BOOKMARK [2][-]{subsection.2.1.3}{Analysis\040of\040a\040BPF\040filter\040program}{section.2.1}% 13
\BOOKMARK [2][-]{subsection.2.1.4}{BPF\040bytecode\040instruction\040format}{section.2.1}% 14
\BOOKMARK [2][-]{subsection.2.1.5}{An\040example\040of\040BPF\040filter\040with\040tcpdump}{section.2.1}% 15
\BOOKMARK [1][-]{section.2.2}{Modern\040eBPF}{chapter.2}% 16
\BOOKMARK [2][-]{subsection.2.2.1}{eBPF\040instruction\040set}{section.2.2}% 17
\BOOKMARK [2][-]{subsection.2.2.2}{JIT\040compilation}{section.2.2}% 18
\BOOKMARK [2][-]{subsection.2.2.3}{The\040eBPF\040verifier}{section.2.2}% 19
\BOOKMARK [2][-]{subsection.2.2.4}{eBPF\040maps}{section.2.2}% 20
\BOOKMARK [2][-]{subsection.2.2.5}{The\040eBPF\040ring\040buffer}{section.2.2}% 21
\BOOKMARK [2][-]{subsection.2.2.6}{The\040bpf\(\)\040syscall}{section.2.2}% 22
\BOOKMARK [2][-]{subsection.2.2.7}{eBPF\040helpers}{section.2.2}% 23
\BOOKMARK [1][-]{section.2.3}{eBPF\040program\040types}{chapter.2}% 24
\BOOKMARK [2][-]{subsection.2.3.1}{XDP}{section.2.3}% 25
\BOOKMARK [2][-]{subsection.2.3.2}{Traffic\040Control}{section.2.3}% 26
\BOOKMARK [2][-]{subsection.2.3.3}{Tracepoints}{section.2.3}% 27
\BOOKMARK [2][-]{subsection.2.3.4}{Kprobes}{section.2.3}% 28
\BOOKMARK [2][-]{subsection.2.3.5}{Uprobes}{section.2.3}% 29
\BOOKMARK [1][-]{section.2.4}{Developing\040eBPF\040programs}{chapter.2}% 30
\BOOKMARK [2][-]{subsection.2.4.1}{BCC}{section.2.4}% 31
\BOOKMARK [2][-]{subsection.2.4.2}{Bpftool}{section.2.4}% 32
\BOOKMARK [2][-]{subsection.2.4.3}{Libbpf}{section.2.4}% 33
\BOOKMARK [1][-]{section.2.5}{Security\040features\040in\040eBPF}{chapter.2}% 34
\BOOKMARK [2][-]{subsection.2.5.1}{Access\040control}{section.2.5}% 35
\BOOKMARK [1][-]{section.2.6}{Memory\040management\040in\040Linux}{chapter.2}% 36
\BOOKMARK [2][-]{subsection.2.6.1}{Memory\040pages\040and\040faults}{section.2.6}% 37
\BOOKMARK [2][-]{subsection.2.6.2}{Process\040virtual\040memory}{section.2.6}% 38
\BOOKMARK [2][-]{subsection.2.6.3}{The\040process\040stack}{section.2.6}% 39
\BOOKMARK [1][-]{section.2.7}{Attacks\040at\040the\040stack}{chapter.2}% 40
\BOOKMARK [2][-]{subsection.2.7.1}{Buffer\040overflow}{section.2.7}% 41
\BOOKMARK [2][-]{subsection.2.7.2}{Return\040oriented\040programming\040attacks}{section.2.7}% 42
\BOOKMARK [1][-]{section.2.8}{Networking\040fundamentals\040in\040Linux}{chapter.2}% 43
\BOOKMARK [2][-]{subsection.2.8.1}{An\040overview\040on\040the\040network\040layer}{section.2.8}% 44
\BOOKMARK [2][-]{subsection.2.8.2}{Introduction\040to\040the\040TCP\040protocol}{section.2.8}% 45
\BOOKMARK [1][-]{section.2.9}{ELF\040binaries}{chapter.2}% 46
\BOOKMARK [2][-]{subsection.2.9.1}{The\040ELF\040format\040and\040Lazy\040Binding}{section.2.9}% 47
\BOOKMARK [2][-]{subsection.2.9.2}{Hardening\040ELF\040binaries}{section.2.9}% 48
\BOOKMARK [1][-]{section.2.10}{The\040proc\040filesystem}{chapter.2}% 49
\BOOKMARK [2][-]{subsection.2.10.1}{/proc/<pid>/maps}{section.2.10}% 50
\BOOKMARK [2][-]{subsection.2.10.2}{/proc/<pid>/mem}{section.2.10}% 51
\BOOKMARK [0][-]{chapter.3}{Analysis\040of\040offensive\040capabilities}{}% 52
\BOOKMARK [1][-]{section.3.1}{eBPF\040maps\040security}{chapter.3}% 53
\BOOKMARK [1][-]{section.3.2}{Abusing\040tracing\040programs}{chapter.3}% 54
\BOOKMARK [2][-]{subsection.3.2.1}{Access\040to\040function\040arguments}{section.3.2}% 55
\BOOKMARK [2][-]{subsection.3.2.2}{Reading\040memory\040out\040of\040bounds}{section.3.2}% 56
\BOOKMARK [2][-]{subsection.3.2.3}{Overriding\040function\040return\040values}{section.3.2}% 57
\BOOKMARK [2][-]{subsection.3.2.4}{Sending\040signals\040to\040user\040programs}{section.3.2}% 58
\BOOKMARK [2][-]{subsection.3.2.5}{Takeaways}{section.3.2}% 59
\BOOKMARK [1][-]{section.3.3}{Memory\040corruption}{chapter.3}% 60
\BOOKMARK [2][-]{subsection.3.3.1}{Attacks\040and\040limitations\040of\040bpf_probe_write_user\(\)}{section.3.3}% 61
\BOOKMARK [2][-]{subsection.3.3.2}{Takeaways}{section.3.3}% 62
\BOOKMARK [1][-]{section.3.4}{Abusing\040networking\040programs}{chapter.3}% 63
\BOOKMARK [2][-]{subsection.3.4.1}{Attacks\040and\040limitations\040of\040networking\040programs}{section.3.4}% 64
\BOOKMARK [2][-]{subsection.3.4.2}{Takeaways}{section.3.4}% 65
\BOOKMARK [0][-]{chapter.4}{Design\040of\040a\040malicious\040eBPF\040rootkit}{}% 66
\BOOKMARK [1][-]{section.4.1}{Rootkit\040architecture}{chapter.4}% 67
\BOOKMARK [1][-]{section.4.2}{Library\040injection\040module}{chapter.4}% 68
\BOOKMARK [2][-]{subsection.4.2.1}{ROP\040with\040eBPF}{section.4.2}% 69
\BOOKMARK [2][-]{subsection.4.2.2}{Bypassing\040hardening\040features\040in\040ELFs}{section.4.2}% 70
\BOOKMARK [2][-]{subsection.4.2.3}{Library\040injection\040via\040GOT\040hijacking}{section.4.2}% 71
\BOOKMARK [0][-]{chapter.5}{Evaluation}{}% 72
\BOOKMARK [1][-]{section.5.1}{Developed\040capabilities}{chapter.5}% 73
\BOOKMARK [1][-]{section.5.2}{Rootkit\040use\040cases}{chapter.5}% 74
\BOOKMARK [0][-]{chapter.6}{Related\040work}{}% 75
\BOOKMARK [0][-]{chapter.6}{Bibliography}{}% 76