mirror of
https://github.com/h3xduck/TripleCross.git
synced 2025-12-16 23:33:06 +08:00
653 lines
65 KiB
TeX
653 lines
65 KiB
TeX
\relax
|
|
\providecommand\hyper@newdestlabel[2]{}
|
|
\providecommand\HyperFirstAtBeginDocument{\AtBeginDocument}
|
|
\HyperFirstAtBeginDocument{\ifx\hyper@anchor\@undefined
|
|
\global\let\oldcontentsline\contentsline
|
|
\gdef\contentsline#1#2#3#4{\oldcontentsline{#1}{#2}{#3}}
|
|
\global\let\oldnewlabel\newlabel
|
|
\gdef\newlabel#1#2{\newlabelxx{#1}#2}
|
|
\gdef\newlabelxx#1#2#3#4#5#6{\oldnewlabel{#1}{{#2}{#3}}}
|
|
\AtEndDocument{\ifx\hyper@anchor\@undefined
|
|
\let\contentsline\oldcontentsline
|
|
\let\newlabel\oldnewlabel
|
|
\fi}
|
|
\fi}
|
|
\global\let\hyper@last\relax
|
|
\gdef\HyperFirstAtBeginDocument#1{#1}
|
|
\providecommand\HyField@AuxAddToFields[1]{}
|
|
\providecommand\HyField@AuxAddToCoFields[2]{}
|
|
\providecommand\babel@aux[2]{}
|
|
\@nameuse{bbl@beforestart}
|
|
\@writefile{toc}{\boolfalse {citerequest}\boolfalse {citetracker}\boolfalse {pagetracker}\boolfalse {backtracker}\relax }
|
|
\@writefile{lof}{\boolfalse {citerequest}\boolfalse {citetracker}\boolfalse {pagetracker}\boolfalse {backtracker}\relax }
|
|
\@writefile{lot}{\boolfalse {citerequest}\boolfalse {citetracker}\boolfalse {pagetracker}\boolfalse {backtracker}\relax }
|
|
\abx@aux@refcontext{none/global//global/global}
|
|
\babel@aux{english}{}
|
|
\abx@aux@cite{ransomware_pwc}
|
|
\abx@aux@segm{0}{0}{ransomware_pwc}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {1}Introduction}{1}{chapter.1}\protected@file@percent }
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.1}Motivation}{1}{section.1.1}\protected@file@percent }
|
|
\newlabel{section:motivation}{{1.1}{1}{Motivation}{section.1.1}{}}
|
|
\abx@aux@cite{rootkit_ptsecurity}
|
|
\abx@aux@segm{0}{0}{rootkit_ptsecurity}
|
|
\abx@aux@cite{ebpf_linux318}
|
|
\abx@aux@segm{0}{0}{ebpf_linux318}
|
|
\abx@aux@cite{bvp47_report}
|
|
\abx@aux@segm{0}{0}{bvp47_report}
|
|
\abx@aux@cite{bpfdoor_pwc}
|
|
\abx@aux@segm{0}{0}{bpfdoor_pwc}
|
|
\abx@aux@cite{ebpf_windows}
|
|
\abx@aux@segm{0}{0}{ebpf_windows}
|
|
\abx@aux@cite{ebpf_android}
|
|
\abx@aux@segm{0}{0}{ebpf_android}
|
|
\abx@aux@cite{evil_ebpf}
|
|
\abx@aux@segm{0}{0}{evil_ebpf}
|
|
\abx@aux@cite{bad_ebpf}
|
|
\abx@aux@segm{0}{0}{bad_ebpf}
|
|
\abx@aux@cite{ebpf_friends}
|
|
\abx@aux@segm{0}{0}{ebpf_friends}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.2}Project objectives}{3}{section.1.2}\protected@file@percent }
|
|
\newlabel{section:project_objectives}{{1.2}{3}{Project objectives}{section.1.2}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.3}Regulatory framework}{4}{section.1.3}\protected@file@percent }
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {1.3.1}Social and economic environment}{4}{subsection.1.3.1}\protected@file@percent }
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {1.3.2}Budget}{4}{subsection.1.3.2}\protected@file@percent }
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.4}Structure of the document}{4}{section.1.4}\protected@file@percent }
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {1.5}Code availability}{4}{section.1.5}\protected@file@percent }
|
|
\abx@aux@cite{ebpf_io}
|
|
\abx@aux@segm{0}{0}{ebpf_io}
|
|
\abx@aux@cite{bpf_bsd_origin}
|
|
\abx@aux@segm{0}{0}{bpf_bsd_origin}
|
|
\abx@aux@cite{ebpf_history_opensource}
|
|
\abx@aux@segm{0}{0}{ebpf_history_opensource}
|
|
\abx@aux@cite{bpf_bsd_origin_bpf_page2}
|
|
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page2}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {2}Background}{5}{chapter.2}\protected@file@percent }
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.1}BPF}{5}{section.2.1}\protected@file@percent }
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.1}Introduction to the BPF system}{5}{subsection.2.1.1}\protected@file@percent }
|
|
\abx@aux@cite{bpf_bsd_origin_bpf_page1}
|
|
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page1}
|
|
\abx@aux@cite{index_register}
|
|
\abx@aux@segm{0}{0}{index_register}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.1}{\ignorespaces Functionality of classic BPF. Based on the figure at the original paper \cite {bpf_bsd_origin_bpf_page2}.\relax }}{6}{figure.caption.7}\protected@file@percent }
|
|
\providecommand*\caption@xref[2]{\@setref\relax\@undefined{#1}}
|
|
\newlabel{fig:classif_bpf}{{2.1}{6}{Functionality of classic BPF. Based on the figure at the original paper \cite {bpf_bsd_origin_bpf_page2}.\relax }{figure.caption.7}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.2}The BPF virtual machine}{6}{subsection.2.1.2}\protected@file@percent }
|
|
\newlabel{subsection:bpf_vm}{{2.1.2}{6}{The BPF virtual machine}{subsection.2.1.2}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.3}Analysis of a BPF filter program}{6}{subsection.2.1.3}\protected@file@percent }
|
|
\newlabel{subsection:analysis_bpf_filter_prog}{{2.1.3}{6}{Analysis of a BPF filter program}{subsection.2.1.3}{}}
|
|
\abx@aux@cite{bpf_bsd_origin_bpf_page5}
|
|
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page5}
|
|
\abx@aux@cite{bpf_organicprogrammer_analysis}
|
|
\abx@aux@segm{0}{0}{bpf_organicprogrammer_analysis}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.2}{\ignorespaces Execution of a BPF filter.\relax }}{7}{figure.caption.8}\protected@file@percent }
|
|
\newlabel{fig:cbpf_prog}{{2.2}{7}{Execution of a BPF filter.\relax }{figure.caption.8}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.4}BPF bytecode instruction format}{7}{subsection.2.1.4}\protected@file@percent }
|
|
\abx@aux@cite{bpf_bsd_origin_bpf_page8}
|
|
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page8}
|
|
\abx@aux@cite{bpf_bsd_origin_bpf_page7}
|
|
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page7}
|
|
\abx@aux@cite{bpf_bsd_origin_bpf_page8}
|
|
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page8}
|
|
\abx@aux@cite{bpf_bsd_origin_bpf_page1}
|
|
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page1}
|
|
\abx@aux@cite{tcpdump_page}
|
|
\abx@aux@segm{0}{0}{tcpdump_page}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.1}{\ignorespaces BPF instruction format.\relax }}{8}{table.caption.9}\protected@file@percent }
|
|
\newlabel{table:bpf_inst_format}{{2.1}{8}{BPF instruction format.\relax }{table.caption.9}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.5}An example of BPF filter with tcpdump}{8}{subsection.2.1.5}\protected@file@percent }
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.3}{\ignorespaces Supported classic BPF instructions, as shown by McCanne and Jacobson \cite {bpf_bsd_origin_bpf_page7}\relax }}{9}{figure.caption.10}\protected@file@percent }
|
|
\newlabel{fig:bpf_instructions}{{2.3}{9}{Supported classic BPF instructions, as shown by McCanne and Jacobson \cite {bpf_bsd_origin_bpf_page7}\relax }{figure.caption.10}{}}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.4}{\ignorespaces BPF address modes, as shown by McCanne and Jacobson \cite {bpf_bsd_origin_bpf_page8}\relax }}{9}{figure.caption.11}\protected@file@percent }
|
|
\newlabel{fig:bpf_address_mode}{{2.4}{9}{BPF address modes, as shown by McCanne and Jacobson \cite {bpf_bsd_origin_bpf_page8}\relax }{figure.caption.11}{}}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.5}{\ignorespaces BPF bytecode tcpdump needs to set a filter to display packets directed to port 80.\relax }}{10}{figure.caption.12}\protected@file@percent }
|
|
\newlabel{fig:bpf_tcpdump_example}{{2.5}{10}{BPF bytecode tcpdump needs to set a filter to display packets directed to port 80.\relax }{figure.caption.12}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.2}Modern eBPF}{10}{section.2.2}\protected@file@percent }
|
|
\newlabel{section:modern_ebpf}{{2.2}{10}{Modern eBPF}{section.2.2}{}}
|
|
\abx@aux@cite{ebpf_funcs_by_ver}
|
|
\abx@aux@segm{0}{0}{ebpf_funcs_by_ver}
|
|
\abx@aux@cite{ebpf_funcs_by_ver}
|
|
\abx@aux@segm{0}{0}{ebpf_funcs_by_ver}
|
|
\abx@aux@cite{brendan_gregg_bpf_book}
|
|
\abx@aux@segm{0}{0}{brendan_gregg_bpf_book}
|
|
\abx@aux@cite{brendan_gregg_bpf_book}
|
|
\abx@aux@segm{0}{0}{brendan_gregg_bpf_book}
|
|
\abx@aux@cite{ebpf_io_arch}
|
|
\abx@aux@segm{0}{0}{ebpf_io_arch}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.6}{\ignorespaces Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }}{11}{figure.caption.13}\protected@file@percent }
|
|
\newlabel{fig:tcpdump_ex_sol}{{2.6}{11}{Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }{figure.caption.13}{}}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.2}{\ignorespaces Relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }}{11}{table.caption.14}\protected@file@percent }
|
|
\newlabel{table:ebpf_history}{{2.2}{11}{Relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }{table.caption.14}{}}
|
|
\abx@aux@cite{ebpf_inst_set}
|
|
\abx@aux@segm{0}{0}{ebpf_inst_set}
|
|
\abx@aux@cite{8664_inst_set_specs}
|
|
\abx@aux@segm{0}{0}{8664_inst_set_specs}
|
|
\abx@aux@cite{ebpf_inst_set}
|
|
\abx@aux@segm{0}{0}{ebpf_inst_set}
|
|
\abx@aux@cite{ebpf_inst_set}
|
|
\abx@aux@segm{0}{0}{ebpf_inst_set}
|
|
\abx@aux@cite{ebpf_starovo_slides}
|
|
\abx@aux@segm{0}{0}{ebpf_starovo_slides}
|
|
\abx@aux@cite{ebpf_inst_set}
|
|
\abx@aux@segm{0}{0}{ebpf_inst_set}
|
|
\abx@aux@cite{ebpf_starovo_slides}
|
|
\abx@aux@segm{0}{0}{ebpf_starovo_slides}
|
|
\abx@aux@cite{ebpf_JIT}
|
|
\abx@aux@segm{0}{0}{ebpf_JIT}
|
|
\abx@aux@cite{ebpf_JIT_demystify_page13}
|
|
\abx@aux@segm{0}{0}{ebpf_JIT_demystify_page13}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.7}{\ignorespaces eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on \cite {brendan_gregg_bpf_book} and \cite {ebpf_io_arch}.\relax }}{12}{figure.caption.15}\protected@file@percent }
|
|
\newlabel{fig:ebpf_architecture}{{2.7}{12}{eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on \cite {brendan_gregg_bpf_book} and \cite {ebpf_io_arch}.\relax }{figure.caption.15}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.1}eBPF instruction set}{12}{subsection.2.2.1}\protected@file@percent }
|
|
\newlabel{subsection:ebpf_inst_set}{{2.2.1}{12}{eBPF instruction set}{subsection.2.2.1}{}}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.3}{\ignorespaces eBPF instruction format.\relax }}{12}{table.caption.16}\protected@file@percent }
|
|
\newlabel{table:ebpf_inst_format}{{2.3}{12}{eBPF instruction format.\relax }{table.caption.16}{}}
|
|
\abx@aux@cite{ebpf_JIT_demystify_page14}
|
|
\abx@aux@segm{0}{0}{ebpf_JIT_demystify_page14}
|
|
\abx@aux@cite{jit_enable_setting}
|
|
\abx@aux@segm{0}{0}{jit_enable_setting}
|
|
\abx@aux@cite{ebpf_starovo_slides_page23}
|
|
\abx@aux@segm{0}{0}{ebpf_starovo_slides_page23}
|
|
\abx@aux@cite{brendan_gregg_bpf_book_bpf_vm}
|
|
\abx@aux@segm{0}{0}{brendan_gregg_bpf_book_bpf_vm}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.4}{\ignorespaces eBPF registers and their purpose in the BPF VM. \cite {ebpf_inst_set} \cite {ebpf_starovo_slides}.\relax }}{13}{table.caption.17}\protected@file@percent }
|
|
\newlabel{table:ebpf_regs}{{2.4}{13}{eBPF registers and their purpose in the BPF VM. \cite {ebpf_inst_set} \cite {ebpf_starovo_slides}.\relax }{table.caption.17}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.2}JIT compilation}{13}{subsection.2.2.2}\protected@file@percent }
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.3}The eBPF verifier}{13}{subsection.2.2.3}\protected@file@percent }
|
|
\newlabel{subsection:ebpf_verifier}{{2.2.3}{13}{The eBPF verifier}{subsection.2.2.3}{}}
|
|
\abx@aux@cite{ebpf_verifier_kerneldocs}
|
|
\abx@aux@segm{0}{0}{ebpf_verifier_kerneldocs}
|
|
\abx@aux@cite{ebpf_JIT_demystify_page17-22}
|
|
\abx@aux@segm{0}{0}{ebpf_JIT_demystify_page17-22}
|
|
\abx@aux@cite{ebpf_bounded_loops}
|
|
\abx@aux@segm{0}{0}{ebpf_bounded_loops}
|
|
\abx@aux@cite{ebpf_maps_kernel}
|
|
\abx@aux@segm{0}{0}{ebpf_maps_kernel}
|
|
\abx@aux@cite{bpf_syscall}
|
|
\abx@aux@segm{0}{0}{bpf_syscall}
|
|
\abx@aux@cite{bpf_syscall}
|
|
\abx@aux@segm{0}{0}{bpf_syscall}
|
|
\abx@aux@cite{bpf_syscall}
|
|
\abx@aux@segm{0}{0}{bpf_syscall}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.4}eBPF maps}{14}{subsection.2.2.4}\protected@file@percent }
|
|
\newlabel{subsection:ebpf_maps}{{2.2.4}{14}{eBPF maps}{subsection.2.2.4}{}}
|
|
\abx@aux@cite{bpf_syscall}
|
|
\abx@aux@segm{0}{0}{bpf_syscall}
|
|
\abx@aux@cite{bpf_syscall}
|
|
\abx@aux@segm{0}{0}{bpf_syscall}
|
|
\abx@aux@cite{bpf_syscall}
|
|
\abx@aux@segm{0}{0}{bpf_syscall}
|
|
\abx@aux@cite{bpf_syscall}
|
|
\abx@aux@segm{0}{0}{bpf_syscall}
|
|
\abx@aux@cite{ebpf_helpers}
|
|
\abx@aux@segm{0}{0}{ebpf_helpers}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.5}{\ignorespaces Common fields for creating an eBPF map.\relax }}{15}{table.caption.18}\protected@file@percent }
|
|
\newlabel{table:ebpf_map_struct}{{2.5}{15}{Common fields for creating an eBPF map.\relax }{table.caption.18}{}}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.6}{\ignorespaces Types of eBPF maps. Only those used in our rootkit are displayed, the full list can be consulted in the man page \cite {bpf_syscall}\relax }}{15}{table.caption.19}\protected@file@percent }
|
|
\newlabel{table:ebpf_map_types}{{2.6}{15}{Types of eBPF maps. Only those used in our rootkit are displayed, the full list can be consulted in the man page \cite {bpf_syscall}\relax }{table.caption.19}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.5}The eBPF ring buffer}{15}{subsection.2.2.5}\protected@file@percent }
|
|
\newlabel{subsection:bpf_ring_buf}{{2.2.5}{15}{The eBPF ring buffer}{subsection.2.2.5}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.6}The bpf() syscall}{15}{subsection.2.2.6}\protected@file@percent }
|
|
\newlabel{subsection:bpf_syscall}{{2.2.6}{15}{The bpf() syscall}{subsection.2.2.6}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.7}eBPF helpers}{15}{subsection.2.2.7}\protected@file@percent }
|
|
\newlabel{subsection:ebpf_helpers}{{2.2.7}{15}{eBPF helpers}{subsection.2.2.7}{}}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.7}{\ignorespaces Types of syscall actions. Only those relevant to our research are shown the full list and attribute details can be consulted in the man page \cite {bpf_syscall}\relax }}{16}{table.caption.20}\protected@file@percent }
|
|
\newlabel{table:ebpf_syscall}{{2.7}{16}{Types of syscall actions. Only those relevant to our research are shown the full list and attribute details can be consulted in the man page \cite {bpf_syscall}\relax }{table.caption.20}{}}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.8}{\ignorespaces Types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite {bpf_syscall}.\relax }}{16}{table.caption.21}\protected@file@percent }
|
|
\newlabel{table:ebpf_prog_types}{{2.8}{16}{Types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite {bpf_syscall}.\relax }{table.caption.21}{}}
|
|
\abx@aux@cite{ebpf_helpers}
|
|
\abx@aux@segm{0}{0}{ebpf_helpers}
|
|
\abx@aux@cite{ebpf_helpers}
|
|
\abx@aux@segm{0}{0}{ebpf_helpers}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.9}{\ignorespaces Common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite {ebpf_helpers}.\relax }}{17}{table.caption.22}\protected@file@percent }
|
|
\newlabel{table:ebpf_helpers}{{2.9}{17}{Common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite {ebpf_helpers}.\relax }{table.caption.22}{}}
|
|
\abx@aux@cite{xdp_gentle_intro}
|
|
\abx@aux@segm{0}{0}{xdp_gentle_intro}
|
|
\abx@aux@cite{xdp_manual}
|
|
\abx@aux@segm{0}{0}{xdp_manual}
|
|
\abx@aux@cite{tc_differences}
|
|
\abx@aux@segm{0}{0}{tc_differences}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.3}eBPF program types}{18}{section.2.3}\protected@file@percent }
|
|
\newlabel{section:ebpf_prog_types}{{2.3}{18}{eBPF program types}{section.2.3}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.1}XDP}{18}{subsection.2.3.1}\protected@file@percent }
|
|
\newlabel{subsection:xdp}{{2.3.1}{18}{XDP}{subsection.2.3.1}{}}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.10}{\ignorespaces Relevant XDP return values.\relax }}{18}{table.caption.24}\protected@file@percent }
|
|
\newlabel{table:xdp_actions_av}{{2.10}{18}{Relevant XDP return values.\relax }{table.caption.24}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.2}Traffic Control}{18}{subsection.2.3.2}\protected@file@percent }
|
|
\newlabel{subsection:tc}{{2.3.2}{18}{Traffic Control}{subsection.2.3.2}{}}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.8}{\ignorespaces XDP and TC modules integration in the network processing module of the Linux kernel.\relax }}{19}{figure.caption.23}\protected@file@percent }
|
|
\newlabel{fig:xdp_diag}{{2.8}{19}{XDP and TC modules integration in the network processing module of the Linux kernel.\relax }{figure.caption.23}{}}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.11}{\ignorespaces Relevant XDP-exclusive eBPF helpers.\relax }}{19}{table.caption.25}\protected@file@percent }
|
|
\newlabel{table:xdp_helpers}{{2.11}{19}{Relevant XDP-exclusive eBPF helpers.\relax }{table.caption.25}{}}
|
|
\abx@aux@cite{tc_docs_complete}
|
|
\abx@aux@segm{0}{0}{tc_docs_complete}
|
|
\abx@aux@cite{tc_direct_action}
|
|
\abx@aux@segm{0}{0}{tc_direct_action}
|
|
\abx@aux@cite{tc_ret_list_complete}
|
|
\abx@aux@segm{0}{0}{tc_ret_list_complete}
|
|
\abx@aux@cite{tc_ret_list_complete}
|
|
\abx@aux@segm{0}{0}{tc_ret_list_complete}
|
|
\abx@aux@cite{tp_kernel}
|
|
\abx@aux@segm{0}{0}{tp_kernel}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.12}{\ignorespaces Relevant TC return values. Full list can be consulted at \cite {tc_ret_list_complete}.\relax }}{20}{table.caption.26}\protected@file@percent }
|
|
\newlabel{table:tc_actions}{{2.12}{20}{Relevant TC return values. Full list can be consulted at \cite {tc_ret_list_complete}.\relax }{table.caption.26}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.3}Tracepoints}{20}{subsection.2.3.3}\protected@file@percent }
|
|
\newlabel{subsection:tracepoints}{{2.3.3}{20}{Tracepoints}{subsection.2.3.3}{}}
|
|
\abx@aux@cite{kprobe_manual}
|
|
\abx@aux@segm{0}{0}{kprobe_manual}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.13}{\ignorespaces Relevant TC-exclusive eBPF helpers.\relax }}{21}{table.caption.27}\protected@file@percent }
|
|
\newlabel{table:tc_helpers}{{2.13}{21}{Relevant TC-exclusive eBPF helpers.\relax }{table.caption.27}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.4}Kprobes}{21}{subsection.2.3.4}\protected@file@percent }
|
|
\abx@aux@cite{kallsyms_kernel}
|
|
\abx@aux@segm{0}{0}{kallsyms_kernel}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.5}Uprobes}{22}{subsection.2.3.5}\protected@file@percent }
|
|
\abx@aux@cite{bcc_github}
|
|
\abx@aux@segm{0}{0}{bcc_github}
|
|
\abx@aux@cite{libbpf_github}
|
|
\abx@aux@segm{0}{0}{libbpf_github}
|
|
\abx@aux@cite{libbpf_upstream}
|
|
\abx@aux@segm{0}{0}{libbpf_upstream}
|
|
\abx@aux@cite{libbpf_core}
|
|
\abx@aux@segm{0}{0}{libbpf_core}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.4}Developing eBPF programs}{23}{section.2.4}\protected@file@percent }
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.1}BCC}{23}{subsection.2.4.1}\protected@file@percent }
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.2}Bpftool}{23}{subsection.2.4.2}\protected@file@percent }
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.3}Libbpf}{24}{subsection.2.4.3}\protected@file@percent }
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.9}{\ignorespaces Compilation and loading process of a program developed with libbpf.\relax }}{25}{figure.caption.28}\protected@file@percent }
|
|
\newlabel{fig:libbpf}{{2.9}{25}{Compilation and loading process of a program developed with libbpf.\relax }{figure.caption.28}{}}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.14}{\ignorespaces BPF skeleton functions.\relax }}{25}{table.caption.29}\protected@file@percent }
|
|
\newlabel{table:libbpf_skel}{{2.14}{25}{BPF skeleton functions.\relax }{table.caption.29}{}}
|
|
\abx@aux@cite{ubuntu_caps}
|
|
\abx@aux@segm{0}{0}{ubuntu_caps}
|
|
\abx@aux@cite{evil_ebpf_p9}
|
|
\abx@aux@segm{0}{0}{evil_ebpf_p9}
|
|
\abx@aux@cite{ebpf_caps_intro}
|
|
\abx@aux@segm{0}{0}{ebpf_caps_intro}
|
|
\abx@aux@cite{ebpf_caps_lwn}
|
|
\abx@aux@segm{0}{0}{ebpf_caps_lwn}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.5}Security features in eBPF}{26}{section.2.5}\protected@file@percent }
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.15}{\ignorespaces Kernel compilation flags for eBPF.\relax }}{26}{table.caption.30}\protected@file@percent }
|
|
\newlabel{table:ebpf_kernel_flags}{{2.15}{26}{Kernel compilation flags for eBPF.\relax }{table.caption.30}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.5.1}Access control}{26}{subsection.2.5.1}\protected@file@percent }
|
|
\newlabel{subsection:access_control}{{2.5.1}{26}{Access control}{subsection.2.5.1}{}}
|
|
\abx@aux@cite{unprivileged_ebpf}
|
|
\abx@aux@segm{0}{0}{unprivileged_ebpf}
|
|
\abx@aux@cite{cve_unpriv_ebpf}
|
|
\abx@aux@segm{0}{0}{cve_unpriv_ebpf}
|
|
\abx@aux@cite{unpriv_ebpf_ubuntu}
|
|
\abx@aux@segm{0}{0}{unpriv_ebpf_ubuntu}
|
|
\abx@aux@cite{unpriv_ebpf_suse}
|
|
\abx@aux@segm{0}{0}{unpriv_ebpf_suse}
|
|
\abx@aux@cite{unpriv_ebpf_redhat}
|
|
\abx@aux@segm{0}{0}{unpriv_ebpf_redhat}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.16}{\ignorespaces Capabilities needed for eBPF.\relax }}{27}{table.caption.31}\protected@file@percent }
|
|
\newlabel{table:ebpf_caps_current}{{2.16}{27}{Capabilities needed for eBPF.\relax }{table.caption.31}{}}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.17}{\ignorespaces Values for unprivileged eBPF kernel parameter.\relax }}{27}{table.caption.32}\protected@file@percent }
|
|
\newlabel{table:unpriv_ebpf_values}{{2.17}{27}{Values for unprivileged eBPF kernel parameter.\relax }{table.caption.32}{}}
|
|
\abx@aux@cite{mem_page_arch}
|
|
\abx@aux@segm{0}{0}{mem_page_arch}
|
|
\abx@aux@cite{page_faults}
|
|
\abx@aux@segm{0}{0}{page_faults}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.6}Memory management in Linux}{28}{section.2.6}\protected@file@percent }
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.6.1}Memory pages and faults}{28}{subsection.2.6.1}\protected@file@percent }
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.10}{\ignorespaces Memory translation of virtual pages to physical pages.\relax }}{28}{figure.caption.33}\protected@file@percent }
|
|
\newlabel{fig:mem_arch_pages}{{2.10}{28}{Memory translation of virtual pages to physical pages.\relax }{figure.caption.33}{}}
|
|
\abx@aux@cite{mem_arch_proc}
|
|
\abx@aux@segm{0}{0}{mem_arch_proc}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.11}{\ignorespaces Major page fault after a page was removed from RAM.\relax }}{29}{figure.caption.34}\protected@file@percent }
|
|
\newlabel{fig:mem_major_page_fault}{{2.11}{29}{Major page fault after a page was removed from RAM.\relax }{figure.caption.34}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.6.2}Process virtual memory}{29}{subsection.2.6.2}\protected@file@percent }
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.12}{\ignorespaces Minor page fault after a fork() in which the page table was not copied completely.\relax }}{30}{figure.caption.35}\protected@file@percent }
|
|
\newlabel{fig:mem_minor_page_fault}{{2.12}{30}{Minor page fault after a fork() in which the page table was not copied completely.\relax }{figure.caption.35}{}}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.13}{\ignorespaces Virtual memory architecture of a process \cite {mem_arch_proc}.\relax }}{30}{figure.caption.36}\protected@file@percent }
|
|
\newlabel{fig:mem_proc_arch}{{2.13}{30}{Virtual memory architecture of a process \cite {mem_arch_proc}.\relax }{figure.caption.36}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.6.3}The process stack}{31}{subsection.2.6.3}\protected@file@percent }
|
|
\newlabel{subsection:stack}{{2.6.3}{31}{The process stack}{subsection.2.6.3}{}}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.14}{\ignorespaces Simplified stack representation showing only stack frames.\relax }}{31}{figure.caption.37}\protected@file@percent }
|
|
\newlabel{fig:stack_pres}{{2.14}{31}{Simplified stack representation showing only stack frames.\relax }{figure.caption.37}{}}
|
|
\abx@aux@cite{8664_params_abi_p18}
|
|
\abx@aux@segm{0}{0}{8664_params_abi_p18}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.18}{\ignorespaces Relevant registers in x86\_64 for the stack and control flow and their purpose.\relax }}{32}{table.caption.38}\protected@file@percent }
|
|
\newlabel{table:systemv_abi_other}{{2.18}{32}{Relevant registers in x86\_64 for the stack and control flow and their purpose.\relax }{table.caption.38}{}}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.15}{\ignorespaces Representation of push and pop operations in the stack.\relax }}{33}{figure.caption.39}\protected@file@percent }
|
|
\newlabel{fig:stack_ops}{{2.15}{33}{Representation of push and pop operations in the stack.\relax }{figure.caption.39}{}}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.16}{\ignorespaces Stack representation right before starting the function call process.\relax }}{33}{figure.caption.40}\protected@file@percent }
|
|
\newlabel{fig:stack_before}{{2.16}{33}{Stack representation right before starting the function call process.\relax }{figure.caption.40}{}}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.17}{\ignorespaces Stack representation right after the function preamble.\relax }}{34}{figure.caption.41}\protected@file@percent }
|
|
\newlabel{fig:stack}{{2.17}{34}{Stack representation right after the function preamble.\relax }{figure.caption.41}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.7}Attacks at the stack}{35}{section.2.7}\protected@file@percent }
|
|
\newlabel{section:attacks_stack}{{2.7}{35}{Attacks at the stack}{section.2.7}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.7.1}Buffer overflow}{35}{subsection.2.7.1}\protected@file@percent }
|
|
\newlabel{subsection: buf_overflow}{{2.7.1}{35}{Buffer overflow}{subsection.2.7.1}{}}
|
|
\newlabel{code:vuln_overflow}{{2.1}{35}{Program vulnerable to buffer overflow}{lstlisting.2.1}{}}
|
|
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {2.1}Program vulnerable to buffer overflow.}{35}{lstlisting.2.1}\protected@file@percent }
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.18}{\ignorespaces Execution hijack overwriting saved rip value.\relax }}{36}{figure.caption.42}\protected@file@percent }
|
|
\newlabel{fig:stack_ret_hij_simple}{{2.18}{36}{Execution hijack overwriting saved rip value.\relax }{figure.caption.42}{}}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.19}{\ignorespaces Stack buffer overflow overwriting ret value.\relax }}{37}{figure.caption.43}\protected@file@percent }
|
|
\newlabel{fig:buffer_overflow}{{2.19}{37}{Stack buffer overflow overwriting ret value.\relax }{figure.caption.43}{}}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.20}{\ignorespaces Executing arbitrary code exploiting a buffer overflow vulnerability.\relax }}{38}{figure.caption.44}\protected@file@percent }
|
|
\newlabel{fig:buffer_overflow_shellcode}{{2.20}{38}{Executing arbitrary code exploiting a buffer overflow vulnerability.\relax }{figure.caption.44}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.7.2}Return oriented programming attacks}{38}{subsection.2.7.2}\protected@file@percent }
|
|
\newlabel{subsection:rop}{{2.7.2}{38}{Return oriented programming attacks}{subsection.2.7.2}{}}
|
|
\abx@aux@cite{rop_prog_finder}
|
|
\abx@aux@segm{0}{0}{rop_prog_finder}
|
|
\newlabel{code:rop_ex}{{2.2}{39}{Sample program to run using ROP}{lstlisting.2.2}{}}
|
|
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {2.2}Sample program to run using ROP.}{39}{lstlisting.2.2}\protected@file@percent }
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.21}{\ignorespaces Steps for executing code sample using ROP.\relax }}{40}{figure.caption.45}\protected@file@percent }
|
|
\newlabel{fig:rop_compund}{{2.21}{40}{Steps for executing code sample using ROP.\relax }{figure.caption.45}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.8}Networking fundamentals in Linux}{40}{section.2.8}\protected@file@percent }
|
|
\abx@aux@cite{network_layers}
|
|
\abx@aux@segm{0}{0}{network_layers}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.8.1}An overview on the network layer}{41}{subsection.2.8.1}\protected@file@percent }
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.22}{\ignorespaces Ethernet frame with TCP/IP packet.\relax }}{41}{figure.caption.46}\protected@file@percent }
|
|
\newlabel{fig:frame}{{2.22}{41}{Ethernet frame with TCP/IP packet.\relax }{figure.caption.46}{}}
|
|
\abx@aux@cite{tcp_reliable}
|
|
\abx@aux@segm{0}{0}{tcp_reliable}
|
|
\abx@aux@cite{tcp_handshake}
|
|
\abx@aux@segm{0}{0}{tcp_handshake}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.8.2}Introduction to the TCP protocol}{42}{subsection.2.8.2}\protected@file@percent }
|
|
\newlabel{subsection:tcp}{{2.8.2}{42}{Introduction to the TCP protocol}{subsection.2.8.2}{}}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.19}{\ignorespaces Relevant TCP flags and their purpose.\relax }}{43}{table.caption.47}\protected@file@percent }
|
|
\newlabel{table:tcp_flags}{{2.19}{43}{Relevant TCP flags and their purpose.\relax }{table.caption.47}{}}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.23}{\ignorespaces TCP 3-way handshake.\relax }}{43}{figure.caption.48}\protected@file@percent }
|
|
\newlabel{fig:tcp_conn}{{2.23}{43}{TCP 3-way handshake.\relax }{figure.caption.48}{}}
|
|
\abx@aux@cite{elf}
|
|
\abx@aux@segm{0}{0}{elf}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.24}{\ignorespaces TCP packet retransmission on timeout.\relax }}{44}{figure.caption.49}\protected@file@percent }
|
|
\newlabel{fig:tcp_retransmission}{{2.24}{44}{TCP packet retransmission on timeout.\relax }{figure.caption.49}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.9}ELF binaries}{44}{section.2.9}\protected@file@percent }
|
|
\newlabel{section:elf}{{2.9}{44}{ELF binaries}{section.2.9}{}}
|
|
\abx@aux@cite{plt_got_overlord}
|
|
\abx@aux@segm{0}{0}{plt_got_overlord}
|
|
\abx@aux@cite{plt_got_technovelty}
|
|
\abx@aux@segm{0}{0}{plt_got_technovelty}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.9.1}The ELF format and Lazy Binding}{45}{subsection.2.9.1}\protected@file@percent }
|
|
\newlabel{subsection:elf_lazy_binding}{{2.9.1}{45}{The ELF format and Lazy Binding}{subsection.2.9.1}{}}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.20}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{45}{table.caption.50}\protected@file@percent }
|
|
\newlabel{table:elf_tools}{{2.20}{45}{Tools used for analysis of ELF programs.\relax }{table.caption.50}{}}
|
|
\newlabel{code:lazy_bind_1}{{2.3}{45}{Call to PLT stub seen from objdump}{lstlisting.2.3}{}}
|
|
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {2.3}Call to PLT stub seen from objdump.}{45}{lstlisting.2.3}\protected@file@percent }
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.21}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{46}{table.caption.51}\protected@file@percent }
|
|
\newlabel{table:elf_sec_headers}{{2.21}{46}{Tools used for analysis of ELF programs.\relax }{table.caption.51}{}}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.25}{\ignorespaces PLT stub for timerfd\_settime, seen from gdb-peda.\relax }}{47}{figure.caption.52}\protected@file@percent }
|
|
\newlabel{fig:lazy_bind_2}{{2.25}{47}{PLT stub for timerfd\_settime, seen from gdb-peda.\relax }{figure.caption.52}{}}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.26}{\ignorespaces Inspecting address stored in GOT section before dynamic linking, seen from gdb-peda.\relax }}{47}{figure.caption.53}\protected@file@percent }
|
|
\newlabel{fig:lazy_bind_3}{{2.26}{47}{Inspecting address stored in GOT section before dynamic linking, seen from gdb-peda.\relax }{figure.caption.53}{}}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.27}{\ignorespaces Inspecting address stored in GOT section after dynamic linking, seen from gdb-peda.\relax }}{47}{figure.caption.54}\protected@file@percent }
|
|
\newlabel{fig:lazy_bind_4}{{2.27}{47}{Inspecting address stored in GOT section after dynamic linking, seen from gdb-peda.\relax }{figure.caption.54}{}}
|
|
\abx@aux@cite{aslr_pie_intro}
|
|
\abx@aux@segm{0}{0}{aslr_pie_intro}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.28}{\ignorespaces Glibc function to which PLT jumps using address stored at GOT, seen from gdb-peda.\relax }}{48}{figure.caption.55}\protected@file@percent }
|
|
\newlabel{fig:lazy_bind_5}{{2.28}{48}{Glibc function to which PLT jumps using address stored at GOT, seen from gdb-peda.\relax }{figure.caption.55}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.9.2}Hardening ELF binaries}{48}{subsection.2.9.2}\protected@file@percent }
|
|
\newlabel{subsection:hardening_elf}{{2.9.2}{48}{Hardening ELF binaries}{subsection.2.9.2}{}}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.22}{\ignorespaces Security features in C compilers used in the study.\relax }}{48}{table.caption.56}\protected@file@percent }
|
|
\newlabel{table:compilers}{{2.22}{48}{Security features in C compilers used in the study.\relax }{table.caption.56}{}}
|
|
\abx@aux@cite{aslr_pie_intro}
|
|
\abx@aux@segm{0}{0}{aslr_pie_intro}
|
|
\abx@aux@cite{relro_redhat}
|
|
\abx@aux@segm{0}{0}{relro_redhat}
|
|
\abx@aux@cite{cet_windows}
|
|
\abx@aux@segm{0}{0}{cet_windows}
|
|
\abx@aux@cite{cet_linux}
|
|
\abx@aux@segm{0}{0}{cet_linux}
|
|
\abx@aux@cite{proc_fs}
|
|
\abx@aux@segm{0}{0}{proc_fs}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.10}The proc filesystem}{50}{section.2.10}\protected@file@percent }
|
|
\newlabel{section:proc_filesystem}{{2.10}{50}{The proc filesystem}{section.2.10}{}}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.23}{\ignorespaces Values for \textit {/proc/sys/kernel/yama/ptrace\_scope}.\relax }}{50}{table.caption.57}\protected@file@percent }
|
|
\newlabel{table:yama_values}{{2.23}{50}{Values for \textit {/proc/sys/kernel/yama/ptrace\_scope}.\relax }{table.caption.57}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.10.1}/proc/<pid>/maps}{50}{subsection.2.10.1}\protected@file@percent }
|
|
\newlabel{subsection:proc_maps}{{2.10.1}{50}{/proc/<pid>/maps}{subsection.2.10.1}{}}
|
|
\abx@aux@cite{proc_fs}
|
|
\abx@aux@segm{0}{0}{proc_fs}
|
|
\abx@aux@cite{proc_mem_write}
|
|
\abx@aux@segm{0}{0}{proc_mem_write}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.29}{\ignorespaces File /proc/<pid>/maps of a sample program.\relax }}{51}{figure.caption.58}\protected@file@percent }
|
|
\newlabel{fig:proc_maps_sample}{{2.29}{51}{File /proc/<pid>/maps of a sample program.\relax }{figure.caption.58}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.10.2}/proc/<pid>/mem}{51}{subsection.2.10.2}\protected@file@percent }
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Analysis of offensive capabilities}{52}{chapter.3}\protected@file@percent }
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
|
\newlabel{chapter:analysis_offensive_capabilities}{{3}{52}{Analysis of offensive capabilities}{chapter.3}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.1}eBPF maps security}{52}{section.3.1}\protected@file@percent }
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.2}Abusing tracing programs}{53}{section.3.2}\protected@file@percent }
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.1}Access to function arguments}{53}{subsection.3.2.1}\protected@file@percent }
|
|
\newlabel{code:format_kprobe}{{3.1}{53}{Probe function for a kprobe on the kernel function vfs\_write}{lstlisting.3.1}{}}
|
|
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.1}Probe function for a kprobe on the kernel function vfs\_write.}{53}{lstlisting.3.1}\protected@file@percent }
|
|
\newlabel{code:format_uprobe}{{3.2}{53}{Probe function for an uprobe, execute\_command is defined from user space}{lstlisting.3.2}{}}
|
|
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.2}Probe function for an uprobe, execute\_command is defined from user space.}{53}{lstlisting.3.2}\protected@file@percent }
|
|
\newlabel{code:format_tracepoint}{{3.3}{53}{Probe function for a tracepoint on the start of the syscall sys\_read}{lstlisting.3.3}{}}
|
|
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.3}Probe function for a tracepoint on the start of the syscall sys\_read.}{53}{lstlisting.3.3}\protected@file@percent }
|
|
\newlabel{code:format_ptregs}{{3.4}{53}{Format of struct pt\_regs}{lstlisting.3.4}{}}
|
|
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.4}Format of struct pt\_regs.}{53}{lstlisting.3.4}\protected@file@percent }
|
|
\abx@aux@cite{8664_params_abi}
|
|
\abx@aux@segm{0}{0}{8664_params_abi}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.1}{\ignorespaces Argument passing convention of registers for function calls in user and kernel space respectively.\relax }}{54}{table.caption.59}\protected@file@percent }
|
|
\newlabel{table:systemv_abi}{{3.1}{54}{Argument passing convention of registers for function calls in user and kernel space respectively.\relax }{table.caption.59}{}}
|
|
\newlabel{code:sys_enter_read_tp_format}{{3.5}{54}{Format for parameters in sys\_enter\_read specified at the format file}{lstlisting.3.5}{}}
|
|
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.5}Format for parameters in sys\_enter\_read specified at the format file.}{54}{lstlisting.3.5}\protected@file@percent }
|
|
\newlabel{code:sys_enter_read_tp}{{3.6}{55}{Format of custom struct sys\_read\_enter\_ctx}{lstlisting.3.6}{}}
|
|
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.6}Format of custom struct sys\_read\_enter\_ctx.}{55}{lstlisting.3.6}\protected@file@percent }
|
|
\abx@aux@cite{ebpf_friends_p15}
|
|
\abx@aux@segm{0}{0}{ebpf_friends_p15}
|
|
\abx@aux@cite{ebpf_override_return}
|
|
\abx@aux@segm{0}{0}{ebpf_override_return}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{56}{subsection.3.2.2}\protected@file@percent }
|
|
\newlabel{subsection:out_read_bounds}{{3.2.2}{56}{Reading memory out of bounds}{subsection.3.2.2}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.3}Overriding function return values}{56}{subsection.3.2.3}\protected@file@percent }
|
|
\abx@aux@cite{code_kernel_open}
|
|
\abx@aux@segm{0}{0}{code_kernel_open}
|
|
\abx@aux@cite{code_kernel_open}
|
|
\abx@aux@segm{0}{0}{code_kernel_open}
|
|
\abx@aux@cite{code_kernel_syscall}
|
|
\abx@aux@segm{0}{0}{code_kernel_syscall}
|
|
\abx@aux@cite{code_kernel_syscall}
|
|
\abx@aux@segm{0}{0}{code_kernel_syscall}
|
|
\abx@aux@cite{fault_injection}
|
|
\abx@aux@segm{0}{0}{fault_injection}
|
|
\newlabel{code:override_return_1}{{3.7}{57}{Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{lstlisting.3.7}{}}
|
|
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.7}Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{57}{lstlisting.3.7}\protected@file@percent }
|
|
\newlabel{code:override_return_2}{{3.8}{57}{Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_syscall}}{lstlisting.3.8}{}}
|
|
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.8}Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_syscall}}{57}{lstlisting.3.8}\protected@file@percent }
|
|
\abx@aux@cite{ebpf_helpers}
|
|
\abx@aux@segm{0}{0}{ebpf_helpers}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.4}Sending signals to user programs}{58}{subsection.3.2.4}\protected@file@percent }
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.5}Takeaways}{58}{subsection.3.2.5}\protected@file@percent }
|
|
\newlabel{subsection:tracing_attacks_conclusion}{{3.2.5}{58}{Takeaways}{subsection.3.2.5}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.3}Memory corruption}{58}{section.3.3}\protected@file@percent }
|
|
\newlabel{section:mem_corruption}{{3.3}{58}{Memory corruption}{section.3.3}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.1}Attacks and limitations of bpf\_probe\_write\_user()}{58}{subsection.3.3.1}\protected@file@percent }
|
|
\newlabel{subsection:bpf_probe_write_apps}{{3.3.1}{58}{Attacks and limitations of bpf\_probe\_write\_user()}{subsection.3.3.1}{}}
|
|
\abx@aux@cite{write_helper_non_fault}
|
|
\abx@aux@segm{0}{0}{write_helper_non_fault}
|
|
\abx@aux@cite{code_vfs_read}
|
|
\abx@aux@segm{0}{0}{code_vfs_read}
|
|
\abx@aux@cite{code_vfs_read}
|
|
\abx@aux@segm{0}{0}{code_vfs_read}
|
|
\abx@aux@cite{evil_ebpf_p6974}
|
|
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
|
|
\newlabel{code:vfs_read}{{3.9}{59}{Definition of kernel function vfs\_read. \cite {code_vfs_read}}{lstlisting.3.9}{}}
|
|
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.9}Definition of kernel function vfs\_read. \cite {code_vfs_read}}{59}{lstlisting.3.9}\protected@file@percent }
|
|
\abx@aux@cite{8664_params_abi_p1922}
|
|
\abx@aux@segm{0}{0}{8664_params_abi_p1922}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.1}{\ignorespaces Overview of stack scanning and writing technique.\relax }}{60}{figure.caption.60}\protected@file@percent }
|
|
\newlabel{fig:stack_scan_write_tech}{{3.1}{60}{Overview of stack scanning and writing technique.\relax }{figure.caption.60}{}}
|
|
\newlabel{code:stack_scan_write_tech}{{3.10}{60}{Sample program being executed on figure \ref {fig:stack_scan_write_tech}}{lstlisting.3.10}{}}
|
|
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.10}Sample program being executed on figure \ref {fig:stack_scan_write_tech}.}{60}{lstlisting.3.10}\protected@file@percent }
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.2}Takeaways}{61}{subsection.3.3.2}\protected@file@percent }
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.4}Abusing networking programs}{62}{section.3.4}\protected@file@percent }
|
|
\newlabel{section:abusing_networking}{{3.4}{62}{Abusing networking programs}{section.3.4}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.1}Attacks and limitations of networking programs}{62}{subsection.3.4.1}\protected@file@percent }
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.2}{\ignorespaces Technique to duplicate a packet for exfiltrating data.\relax }}{64}{figure.caption.61}\protected@file@percent }
|
|
\newlabel{fig:tcp_exfiltrate_retrans}{{3.2}{64}{Technique to duplicate a packet for exfiltrating data.\relax }{figure.caption.61}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.2}Takeaways}{65}{subsection.3.4.2}\protected@file@percent }
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Design of a malicious eBPF rootkit}{66}{chapter.4}\protected@file@percent }
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.1}Rootkit architecture}{66}{section.4.1}\protected@file@percent }
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.1}{\ignorespaces Overview of the rootkit subsystems and components.\relax }}{67}{figure.caption.62}\protected@file@percent }
|
|
\newlabel{fig:rootkit}{{4.1}{67}{Overview of the rootkit subsystems and components.\relax }{figure.caption.62}{}}
|
|
\abx@aux@cite{rawtcp_lib}
|
|
\abx@aux@segm{0}{0}{rawtcp_lib}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.2}{\ignorespaces Rootkit programs and scripts.\relax }}{69}{figure.caption.63}\protected@file@percent }
|
|
\newlabel{fig:rootkit_files}{{4.2}{69}{Rootkit programs and scripts.\relax }{figure.caption.63}{}}
|
|
\abx@aux@cite{evil_ebpf_p6974}
|
|
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
|
|
\abx@aux@cite{evil_ebpf_p6974}
|
|
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.2}Library injection module}{70}{section.4.2}\protected@file@percent }
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.1}ROP with eBPF}{70}{subsection.4.2.1}\protected@file@percent }
|
|
\newlabel{subsection:rop_ebpf}{{4.2.1}{70}{ROP with eBPF}{subsection.4.2.1}{}}
|
|
\abx@aux@cite{glibc}
|
|
\abx@aux@segm{0}{0}{glibc}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.3}{\ignorespaces Initial setup for the ROP with eBPF technique.\relax }}{71}{figure.caption.64}\protected@file@percent }
|
|
\newlabel{fig:rop_evil_ebpf_1}{{4.3}{71}{Initial setup for the ROP with eBPF technique.\relax }{figure.caption.64}{}}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.4}{\ignorespaces Process memory after syscall exits and ROP code overwrites the stack.\relax }}{72}{figure.caption.65}\protected@file@percent }
|
|
\newlabel{fig:rop_evil_ebpf_2}{{4.4}{72}{Process memory after syscall exits and ROP code overwrites the stack.\relax }{figure.caption.65}{}}
|
|
\abx@aux@cite{canary_exploit}
|
|
\abx@aux@segm{0}{0}{canary_exploit}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.5}{\ignorespaces Stack data is restored and program continues its execution.\relax }}{73}{figure.caption.66}\protected@file@percent }
|
|
\newlabel{fig:rop_evil_ebpf_3}{{4.5}{73}{Stack data is restored and program continues its execution.\relax }{figure.caption.66}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.2}Bypassing hardening features in ELFs}{73}{subsection.4.2.2}\protected@file@percent }
|
|
\newlabel{subsection:hardening_bypass}{{4.2.2}{73}{Bypassing hardening features in ELFs}{subsection.4.2.2}{}}
|
|
\abx@aux@cite{pie_exploit}
|
|
\abx@aux@segm{0}{0}{pie_exploit}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.6}{\ignorespaces Two runs of the same executable using ASLR, showing a library and two symbols.\relax }}{74}{figure.caption.67}\protected@file@percent }
|
|
\newlabel{fig:alsr_offset}{{4.6}{74}{Two runs of the same executable using ASLR, showing a library and two symbols.\relax }{figure.caption.67}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.3}Library injection via GOT hijacking}{75}{subsection.4.2.3}\protected@file@percent }
|
|
\newlabel{subsection:got_attack}{{4.2.3}{75}{Library injection via GOT hijacking}{subsection.4.2.3}{}}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.7}{\ignorespaces Overview of jump and return instructions from the program instructions to the syscall at the kernel.\relax }}{76}{figure.caption.68}\protected@file@percent }
|
|
\newlabel{fig:lib_stage1}{{4.7}{76}{Overview of jump and return instructions from the program instructions to the syscall at the kernel.\relax }{figure.caption.68}{}}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.8}{\ignorespaces Call to the glibc function, using objdump.\relax }}{76}{figure.caption.69}\protected@file@percent }
|
|
\newlabel{fig:firstcall}{{4.8}{76}{Call to the glibc function, using objdump.\relax }{figure.caption.69}{}}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.9}{\ignorespaces PLT stub generated with gcc compiler, using objdump.\relax }}{76}{figure.caption.70}\protected@file@percent }
|
|
\newlabel{fig:plt_gcc}{{4.9}{76}{PLT stub generated with gcc compiler, using objdump.\relax }{figure.caption.70}{}}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.10}{\ignorespaces PLT stub generated with clang compiler, using objdump.\relax }}{77}{figure.caption.71}\protected@file@percent }
|
|
\newlabel{fig:plt_clang}{{4.10}{77}{PLT stub generated with clang compiler, using objdump.\relax }{figure.caption.71}{}}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.11}{\ignorespaces Timerfd\_settime function at glibc, using objdump.\relax }}{77}{figure.caption.72}\protected@file@percent }
|
|
\newlabel{fig:settime_glibc}{{4.11}{77}{Timerfd\_settime function at glibc, using objdump.\relax }{figure.caption.72}{}}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {4.1}{\ignorespaces Arguments and return value of function \_\_libc\_malloc.\relax }}{77}{table.caption.73}\protected@file@percent }
|
|
\newlabel{table:libc_malloc}{{4.1}{77}{Arguments and return value of function \_\_libc\_malloc.\relax }{table.caption.73}{}}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {4.2}{\ignorespaces Arguments of function \_\_libc\_dlopen\_mode.\relax }}{78}{table.caption.74}\protected@file@percent }
|
|
\newlabel{table:libc_dlopen_mode}{{4.2}{78}{Arguments of function \_\_libc\_dlopen\_mode.\relax }{table.caption.74}{}}
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.12}{\ignorespaces Functions at glibc with ASLR active.\relax }}{78}{figure.caption.75}\protected@file@percent }
|
|
\newlabel{fig:aslr_bypass_example}{{4.12}{78}{Functions at glibc with ASLR active.\relax }{figure.caption.75}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Evaluation}{81}{chapter.5}\protected@file@percent }
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {5.1}Developed capabilities}{81}{section.5.1}\protected@file@percent }
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {5.2}Rootkit use cases}{81}{section.5.2}\protected@file@percent }
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Related work}{82}{chapter.6}\protected@file@percent }
|
|
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
|
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
|
\newlabel{chapter:related_work}{{6}{82}{Related work}{chapter.6}{}}
|
|
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{83}{chapter.6}\protected@file@percent }
|
|
\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.77}{}}
|
|
\newlabel{annex:readelf_commands}{{6}{}{Appendix B - Readelf commands}{chapter*.78}{}}
|
|
\newlabel{annexsec:readelf_sec_headers}{{6}{}{}{chapter*.78}{}}
|
|
\newlabel{code:elf_sections}{{6.1}{}{List of ELF section headers with readelf tool of a program compiled with GCC}{lstlisting.6.1}{}}
|
|
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {6.1}List of ELF section headers with readelf tool of a program compiled with GCC.}{}{lstlisting.6.1}\protected@file@percent }
|
|
\newlabel{annex:shellcode}{{6}{}{Appendix C - Library injection shellcode}{chapter*.79}{}}
|
|
\newlabel{code:shellcode}{{6.2}{}{Shellcode for library injection and its opcodes}{lstlisting.6.2}{}}
|
|
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {6.2}Shellcode for library injection and its opcodes.}{}{lstlisting.6.2}\protected@file@percent }
|
|
\abx@aux@read@bbl@mdfivesum{C88931983EB38C795A3D36AB8548A2C9}
|
|
\abx@aux@refcontextdefaultsdone
|
|
\abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_linux318}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{bvp47_report}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{bpfdoor_pwc}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_windows}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_android}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{evil_ebpf}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{bad_ebpf}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_friends}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_io}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{bpf_bsd_origin}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_history_opensource}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{bpf_bsd_origin_bpf_page2}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{bpf_bsd_origin_bpf_page1}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{index_register}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{bpf_bsd_origin_bpf_page5}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{bpf_organicprogrammer_analysis}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{bpf_bsd_origin_bpf_page8}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{bpf_bsd_origin_bpf_page7}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{tcpdump_page}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_funcs_by_ver}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{brendan_gregg_bpf_book}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_io_arch}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_inst_set}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{8664_inst_set_specs}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_starovo_slides}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_JIT}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_JIT_demystify_page13}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_JIT_demystify_page14}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{jit_enable_setting}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_starovo_slides_page23}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{brendan_gregg_bpf_book_bpf_vm}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_verifier_kerneldocs}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_JIT_demystify_page17-22}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_bounded_loops}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_maps_kernel}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{bpf_syscall}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_helpers}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{xdp_gentle_intro}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{xdp_manual}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{tc_differences}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{tc_docs_complete}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{tc_direct_action}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{tc_ret_list_complete}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{tp_kernel}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{kprobe_manual}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{kallsyms_kernel}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{bcc_github}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{libbpf_github}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{libbpf_upstream}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{libbpf_core}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ubuntu_caps}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{evil_ebpf_p9}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_caps_intro}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_caps_lwn}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{unprivileged_ebpf}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{cve_unpriv_ebpf}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{unpriv_ebpf_ubuntu}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{unpriv_ebpf_suse}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{unpriv_ebpf_redhat}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{mem_page_arch}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{page_faults}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{mem_arch_proc}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{8664_params_abi_p18}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{rop_prog_finder}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{network_layers}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{tcp_reliable}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{tcp_handshake}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{elf}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{plt_got_overlord}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{plt_got_technovelty}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{aslr_pie_intro}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{relro_redhat}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{cet_windows}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{cet_linux}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{proc_fs}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{proc_mem_write}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{8664_params_abi}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_friends_p15}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{ebpf_override_return}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{code_kernel_open}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{code_kernel_syscall}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{fault_injection}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{write_helper_non_fault}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{code_vfs_read}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{evil_ebpf_p6974}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{8664_params_abi_p1922}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{rawtcp_lib}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{glibc}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{canary_exploit}{none/global//global/global}
|
|
\abx@aux@defaultrefcontext{0}{pie_exploit}{none/global//global/global}
|
|
\ttl@finishall
|
|
\gdef \@abspage@last{112}
|