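@comment{INTRODUCTION}

@comment{REVIEW: this file is consumed by biblatex/Biber (it uses date, eventtitle,
  urldate, @report and @online), so UTF-8 and the biblatex field names are kept.
  Talk slide decks and videos were previously typed @proceedings (an edited volume,
  which expects editor and title) and carried only eventtitle, so no title was
  printed; they are now @inproceedings (conference talks) or @online (slides, videos)
  with a title. Author lists were rewritten in "Last, First and Last, First" form.}

@comment{REVIEW: several keys (ransomware_pwc/bpfdoor_pwc, bpf_bsd_origin_bpf_pageN,
  ebpf_starovo_slides_page23, ebpf_JIT_demystify_pageN, evil_ebpf_p9, ebpf_friends_p15,
  brendan_gregg_bpf_book_bpf_vm) duplicate one work only to carry a pages or chapter
  field. biblatex's postnote argument, e.g. \cite[p.~37]{ransomware_pwc}, does this
  without repeating the bibliography entry. The duplicates are kept so that existing
  citation keys still resolve.}

@report{ransomware_paloalto,
  institution = {Palo Alto Networks},
  title       = {Ransomware Threat Report 2022},
  url         = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/2022-unit42-ransomware-threat-report-final.pdf},
}

@report{ransomware_pwc,
  institution = {PricewaterhouseCoopers},
  title       = {Cyber Threats 2021: A Year in Retrospect},
  url         = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf},
}

@report{rootkit_ptsecurity,
  institution = {Positive Technologies},
  title       = {Rootkits: Evolution and Detection Methods},
  date        = {2021-11-03},
  url         = {https://www.ptsecurity.com/ww-en/analytics/rootkits-evolution-and-detection-methods/},
}

@online{ebpf_linux318,
  title = {{eBPF} Incorporation in the {Linux} Kernel 3.18},
  date  = {2014-12-07},
  url   = {https://kernelnewbies.org/Linux_3.18},
}

@report{bvp47_report,
  institution = {Pangu Lab},
  title       = {{Bvp47} Top-tier Backdoor of {US} {NSA} {Equation Group}},
  date        = {2022-02-23},
  url         = {https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf},
}

@report{bpfdoor_pwc,
  institution = {PricewaterhouseCoopers},
  title       = {Cyber Threats 2021: A Year in Retrospect},
  url         = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf},
  pages       = {37},
}

@comment{REVIEW: ebpf_friends and ebpf_friends_p15 had the PwC report title pasted into
  eventtitle; the talk title, the third author and the spelling "Afchain" are taken from
  the slide-deck URL itself.}
@inproceedings{ebpf_friends,
  author      = {Fournier, Guillaume and Afchain, Sylvain and Baubeau, Sylvain},
  title       = {{eBPF}, {I} Thought We Were Friends},
  booktitle   = {{DEF CON} 29},
  institution = {Datadog},
  url         = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf},
}

@inproceedings{evil_ebpf,
  author      = {Dileo, Jeff},
  title       = {Evil {eBPF}: Practical Abuses of an In-Kernel Bytecode Runtime},
  booktitle   = {{DEF CON} 27},
  institution = {NCC Group},
  url         = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf},
}

@online{bad_ebpf,
  author       = {Hogan, Pat},
  title        = {Bad {BPF} -- Warping Reality Using {eBPF}},
  organization = {{DEF CON} 27},
  url          = {https://www.youtube.com/watch?v=g6SKWT7sROQ},
}

@comment{REVIEW: ebpf_windows and ebpf_android arrived with shifted fields: ebpf_windows
  repeated the kernel 3.18 title and URL of ebpf_linux318, and ebpf_android carried the
  title "eBPF for Windows" over an Android (AOSP) URL. The Windows URL below is the
  project's public repository and was not present in the original file, and the Android
  title is the name of the page its URL points to - verify both against the intended
  sources before publication.}
@online{ebpf_windows,
  title = {{eBPF} for {Windows}},
  url   = {https://github.com/microsoft/ebpf-for-windows},
}

@online{ebpf_android,
  title = {Extending the Kernel with {eBPF}},
  url   = {https://source.android.com/devices/architecture/kernel/bpf},
}

@comment{REVIEW: the McCanne/Jacobson paper entries are typed @report because the fields
  given (institution Lawrence Berkeley Laboratory, date 1992-12-19) describe the LBL
  technical-report version; @article would require a journaltitle and drop institution.}
@report{bpf_bsd_origin,
  author      = {McCanne, Steven and Jacobson, Van},
  title       = {The {BSD} Packet Filter: A New Architecture for User-level Packet Capture},
  institution = {Lawrence Berkeley Laboratory},
  date        = {1992-12-19},
  url         = {https://www.tcpdump.org/papers/bpf-usenix93.pdf},
}

@report{bpf_bsd_origin_bpf_page1,
  author      = {McCanne, Steven and Jacobson, Van},
  title       = {The {BSD} Packet Filter: A New Architecture for User-level Packet Capture},
  institution = {Lawrence Berkeley Laboratory},
  date        = {1992-12-19},
  url         = {https://www.tcpdump.org/papers/bpf-usenix93.pdf},
  pages       = {1},
}

@report{bpf_bsd_origin_bpf_page5,
  author      = {McCanne, Steven and Jacobson, Van},
  title       = {The {BSD} Packet Filter: A New Architecture for User-level Packet Capture},
  institution = {Lawrence Berkeley Laboratory},
  date        = {1992-12-19},
  url         = {https://www.tcpdump.org/papers/bpf-usenix93.pdf},
  pages       = {5},
}

@report{bpf_bsd_origin_bpf_page7,
  author      = {McCanne, Steven and Jacobson, Van},
  title       = {The {BSD} Packet Filter: A New Architecture for User-level Packet Capture},
  institution = {Lawrence Berkeley Laboratory},
  date        = {1992-12-19},
  url         = {https://www.tcpdump.org/papers/bpf-usenix93.pdf},
  pages       = {7},
}

@report{bpf_bsd_origin_bpf_page8,
  author      = {McCanne, Steven and Jacobson, Van},
  title       = {The {BSD} Packet Filter: A New Architecture for User-level Packet Capture},
  institution = {Lawrence Berkeley Laboratory},
  date        = {1992-12-19},
  url         = {https://www.tcpdump.org/papers/bpf-usenix93.pdf},
  pages       = {8},
}

@online{ebpf_history_opensource,
  title = {An Intro to Using {eBPF} to Filter Packets in the {Linux} Kernel},
  date  = {2017-08-11},
  url   = {https://opensource.com/article/17/9/intro-ebpf},
}

@manual{ebpf_io,
  title = {{eBPF} Documentation},
  url   = {https://ebpf.io/what-is-ebpf/},
}

@manual{ebpf_io_arch,
  title = {{eBPF} Documentation: Loader and Verification Architecture},
  url   = {https://ebpf.io/what-is-ebpf/#loader--verification-architecture},
}

@manual{ebpf_io_verification,
  title = {{eBPF} Documentation: Verification},
  url   = {https://ebpf.io/what-is-ebpf/#verification},
}

@online{index_register,
  title = {Index Register},
  url   = {https://gunkies.org/wiki/Index_register},
}

@online{bpf_organicprogrammer_analysis,
  title = {Write a {Linux} Packet Sniffer from Scratch: Part Two -- {BPF}},
  date  = {2022-03-28},
  url   = {https://organicprogrammer.com/2022/03/28/how-to-implement-libpcap-on-linux-with-raw-socket-part2/},
}

@manual{tcpdump_page,
  title = {Tcpdump and Libpcap},
  url   = {https://www.tcpdump.org},
}

@manual{ebpf_funcs_by_ver,
  title        = {{BPF} Features by {Linux} Kernel Version},
  organization = {iovisor},
  url          = {https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md},
}

@book{brendan_gregg_bpf_book,
  author = {Gregg, Brendan},
  title  = {{BPF} Performance Tools},
  isbn   = {9780136588870},
  url    = {https://www.oreilly.com/library/view/bpf-performance-tools/9780136588870/},
}

@manual{ebpf_inst_set,
  title = {{eBPF} Instruction Set},
  url   = {https://www.kernel.org/doc/html/latest/bpf/instruction-set.html},
}

@manual{8664_inst_set_specs,
  author  = {{Intel}},
  title   = {Intel® 64 and {IA-32} Architectures Software Developer's Manual Combined Volumes: 1, 2A, 2B, 2C, 2D, 3A, 3B, 3C, 3D, and 4},
  volume  = {2A},
  pages   = {507},
  urldate = {2022-05-13},
  url     = {https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html},
}

@online{ebpf_starovo_slides,
  author       = {Starovoitov, Alexei},
  title        = {{BPF} -- In-kernel Virtual Machine},
  organization = {PLUMgrid},
  date         = {2015-02-20},
  url          = {http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf},
}

@online{ebpf_starovo_slides_page23,
  author       = {Starovoitov, Alexei},
  title        = {{BPF} -- In-kernel Virtual Machine},
  organization = {PLUMgrid},
  date         = {2015-02-20},
  url          = {http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf},
  pages        = {23},
}

@online{ebpf_JIT,
  author = {Corbet, Jonathan},
  title  = {A {JIT} for Packet Filters},
  date   = {2011-04-12},
  url    = {https://lwn.net/Articles/437981/},
}

@online{ebpf_JIT_demystify_page13,
  author       = {Wang, Jiong},
  title        = {Demystify {eBPF} {JIT} Compiler},
  organization = {Netronome},
  date         = {2018-09-11},
  url          = {https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf},
  pages        = {13},
}

@online{ebpf_JIT_demystify_page14,
  author       = {Wang, Jiong},
  title        = {Demystify {eBPF} {JIT} Compiler},
  organization = {Netronome},
  date         = {2018-09-11},
  url          = {https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf},
  pages        = {14},
}

@online{ebpf_JIT_demystify_page17-22,
  author       = {Wang, Jiong},
  title        = {Demystify {eBPF} {JIT} Compiler},
  organization = {Netronome},
  date         = {2018-09-11},
  url          = {https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf},
  pages        = {17--22},
}

@book{brendan_gregg_bpf_book_bpf_vm,
  author  = {Gregg, Brendan},
  title   = {{BPF} Performance Tools},
  isbn    = {9780136588870},
  chapter = {2},
  url     = {https://learning.oreilly.com/library/view/bpf-performance-tools/9780136588870/ch02.xhtml#:-:text=With%20JIT%20compiled%20code%2C%20i,%20other%20native%20kernel%20code},
}

@online{jit_enable_setting,
  title = {bpf\_jit\_enable},
  url   = {https://sysctl-explorer.net/net/core/bpf_jit_enable/},
}

@manual{ebpf_verifier_kerneldocs,
  title = {{eBPF} Verifier},
  url   = {https://kernel.org/doc/html/latest/bpf/verifier.html},
}

@online{ebpf_bounded_loops,
  author = {Rybczynska, Marta},
  title  = {Bounded Loops in {BPF} for the 5.3 Kernel},
  date   = {2019-06-30},
  url    = {https://lwn.net/Articles/794934/},
}

@manual{ebpf_maps_kernel,
  title = {{eBPF} Maps},
  url   = {https://www.kernel.org/doc/html/latest/bpf/maps.html},
}

@manual{ebpf_maps_rddocs,
  title = {{eBPF} Maps},
  url   = {https://prototype-kernel.readthedocs.io/en/latest/bpf/ebpf_maps.html},
}

@manual{bpf_syscall,
  title = {bpf(2) -- {Linux} Manual Page},
  url   = {https://man7.org/linux/man-pages/man2/bpf.2.html},
}

@manual{ebpf_helpers,
  title = {bpf-helpers(7) -- {Linux} Manual Page},
  url   = {https://man7.org/linux/man-pages/man7/bpf-helpers.7.html},
}

@online{xdp_gentle_intro,
  author = {Lavie, Daniel},
  title  = {A Gentle Introduction to {XDP}},
  date   = {2022-02-03},
  url    = {https://www.seekret.io/blog/a-gentle-introduction-to-xdp/},
}

@manual{xdp_manual,
  title = {{XDP} Actions},
  url   = {https://prototype-kernel.readthedocs.io/en/latest/networking/XDP/implementation/xdp_actions.html},
}

@online{tc_differences,
  author = {Liu, Hangbin},
  title  = {{tc/BPF} and {XDP/BPF}},
  date   = {2019-03-13},
  url    = {https://liuhangbin.netlify.app/post/ebpf-and-xdp/},
}

@online{tc_direct_action,
  author = {Monnet, Quentin},
  title  = {Understanding {tc} ``Direct Action'' Mode for {BPF}},
  date   = {2020-04-11},
  url    = {https://qmonnet.github.io/whirl-offload/2020/04/11/tc-bpf-direct-action/},
}

@online{tc_docs_complete,
  author = {Brown, Martin A.},
  title  = {Traffic Control {HOWTO}},
  date   = {2006-10-01},
  url    = {http://linux-ip.net/articles/Traffic-Control-HOWTO/},
}

@online{tc_ret_list_complete,
  title = {{Linux} Kernel Source Tree: include/uapi/linux/pkt\_cls.h},
  url   = {https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/pkt_cls.h},
}

@manual{tp_kernel,
  author = {Desnoyers, Mathieu},
  title  = {Using the {Linux} Kernel Tracepoints},
  url    = {https://www.kernel.org/doc/html/latest/trace/tracepoints.html},
}

@manual{kprobe_manual,
  author = {Keniston, Jim and Panchamukhi, Prasanna S. and Hiramatsu, Masami},
  title  = {Kernel Probes ({Kprobes})},
  url    = {https://www.kernel.org/doc/html/latest/trace/kprobes.html},
}

@online{kallsyms_kernel,
  author = {Alcock, Nick},
  title  = {kallsyms: New /proc/kallmodsyms with Builtin Modules and Symbol Sizes},
  date   = {2021-06-06},
  url    = {https://lwn.net/Articles/862021/},
}

@online{bcc_github,
  title = {{BPF} Compiler Collection ({BCC})},
  url   = {https://github.com/iovisor/bcc},
}

@online{libbpf_upstream,
  title = {{BPF} Next Kernel Tree},
  url   = {https://kernel.googlesource.com/pub/scm/linux/kernel/git/bpf/bpf-next},
}

@online{libbpf_github,
  title = {libbpf},
  url   = {https://github.com/libbpf/libbpf},
}

@online{libbpf_core,
  author = {Nakryiko, Andrii},
  title  = {{BPF} Portability and {CO-RE}},
  date   = {2020-02-19},
  url    = {https://facebookmicrosites.github.io/bpf/blog/2020/02/19/bpf-portability-and-co-re.html},
}

@manual{ebpf_kernel_flags,
  title = {Installing {BCC}: Kernel Configuration},
  url   = {https://github.com/iovisor/bcc/blob/master/INSTALL.md},
}

@manual{ubuntu_caps,
  title = {capabilities(7) -- Overview of {Linux} Capabilities},
  url   = {http://manpages.ubuntu.com/manpages/trusty/man7/capabilities.7.html},
}

@inproceedings{evil_ebpf_p9,
  author      = {Dileo, Jeff},
  title       = {Evil {eBPF}: Practical Abuses of an In-Kernel Bytecode Runtime},
  booktitle   = {{DEF CON} 27},
  institution = {NCC Group},
  url         = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf},
  pages       = {9},
}

@online{ebpf_caps_intro,
  author = {Starovoitov, Alexei},
  title  = {[{PATCH} v7 bpf-next 1/3] bpf, capability: Introduce {CAP\_BPF}},
  url    = {https://lore.kernel.org/bpf/20200513230355.7858-2-alexei.starovoitov@gmail.com/},
}

@online{ebpf_caps_lwn,
  title = {capability: Introduce {CAP\_BPF} and {CAP\_TRACING}},
  url   = {https://lwn.net/Articles/797807/},
}

@online{unprivileged_ebpf,
  title = {Reconsidering Unprivileged {BPF}},
  url   = {https://lwn.net/Articles/796328/},
}

@online{cve_unpriv_ebpf,
  title = {{CVE-2021-4204}: {Linux} Kernel {eBPF} Improper Input Validation Vulnerability},
  url   = {https://www.openwall.com/lists/oss-security/2022/01/11/4},
}

@online{unpriv_ebpf_ubuntu,
  title        = {Unprivileged {eBPF} Disabled by Default for {Ubuntu} 20.04 {LTS}, 18.04 {LTS}, 16.04 {ESM}},
  organization = {Ubuntu},
  url          = {https://discourse.ubuntu.com/t/unprivileged-ebpf-disabled-by-default-for-ubuntu-20-04-lts-18-04-lts-16-04-esm/27047},
}

@comment{REVIEW: unpriv_ebpf_redhat's title names CVE-2022-0002 while its URL resolves
  CVE-2021-4001; these are two different advisories. Both values are left exactly as
  found - confirm which one the text means to cite and align the other field.}
@online{unpriv_ebpf_redhat,
  title        = {{CVE-2022-0002}},
  organization = {Red Hat},
  url          = {https://access.redhat.com/security/cve/cve-2021-4001},
}

@online{unpriv_ebpf_suse,
  title        = {Security Hardening: Use of {eBPF} by Unprivileged Users Has Been Disabled by Default},
  organization = {{SUSE}},
  url          = {https://www.suse.com/support/kb/doc/?id=000020545},
}

@manual{8664_params_abi,
  author  = {Lu, H. J. and others},
  title   = {System {V} Application Binary Interface: {AMD64} Architecture Processor Supplement},
  version = {1.0},
  date    = {2018-01-28},
  pages   = {148},
  url     = {https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf},
}

@inproceedings{ebpf_friends_p15,
  author      = {Fournier, Guillaume and Afchain, Sylvain and Baubeau, Sylvain},
  title       = {{eBPF}, {I} Thought We Were Friends},
  booktitle   = {{DEF CON} 29},
  institution = {Datadog},
  url         = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf},
  pages       = {15},
}

@online{ebpf_override_return,
  title = {{BPF}-based Error Injection for the Kernel},
  url   = {https://lwn.net/Articles/740146/},
}

@comment{REVIEW: the two entries below both used the key code_kernel_open, which Biber and
  BibTeX report as a repeated entry and resolve to the first one only. The syscalls.h
  entry is renamed code_kernel_open_syscalls_h so it becomes citable; update the
  corresponding \cite if that link was the one intended.}
@online{code_kernel_open,
  title = {{Linux} Kernel Source Code: fs/open.c (v5.11)},
  url   = {https://elixir.bootlin.com/linux/v5.11/source/fs/open.c#L1192},
}

@online{code_kernel_open_syscalls_h,
  title = {{Linux} Kernel Source Code: include/linux/syscalls.h (v5.11)},
  url   = {https://elixir.bootlin.com/linux/v5.11/source/include/linux/syscalls.h#L233},
}

@online{fault_injection,
  title = {Injecting Faults into the Kernel},
  date  = {2006-11-04},
  url   = {https://lwn.net/Articles/209257/},
}

@online{mem_page_arch,
  author       = {Lameter, Christoph},
  title        = {Memory Management 101: Introduction to Memory Management in {Linux}},
  organization = {The Linux Foundation Open Source Summit},
  institution  = {Jump Trading LLC},
  date         = {2017-12-01},
  url          = {https://events19.linuxfoundation.org/wp-content/uploads/2017/12/MM-101-Introduction-to-Linux-Memory-Management-Christoph-Lameter-Jump-Trading-LLC-1.pdf},
}

@online{page_faults,
  author = {Breaker, Doug},
  title  = {Understanding Page Faults and Memory Swap-in/outs},
  date   = {2019-08-19},
  url    = {https://scoutapm.com/blog/understanding-page-faults-and-memory-swap-in-outs-when-should-you-worry},
}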