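% List-of-tables data: one \contentsline {table} entry per captioned table
% (number, caption, page, hyperref anchor), grouped by chapter.
% This looks like the auxiliary file LaTeX rewrites on every run, so the caption
% wording fixes below (2.6, 2.7, 2.9) also need to be made where the captions
% are defined in the document source -- TODO confirm against the .tex files.
% The lone `|' lines that separated the entries on the mirrored page were
% rendering residue, not file content, and have been dropped.
%
% biblatex bookkeeping: citation/page/back-reference tracking is switched off
% while this list is typeset.
\boolfalse {citerequest}\boolfalse {citetracker}\boolfalse {pagetracker}\boolfalse {backtracker}\relax
\babel@toc {english}{}
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
% --- Chapter 2: background (BPF/eBPF, XDP, TC, ELF analysis, hardening) ---
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.1}{\ignorespaces BPF instruction format.\relax }}{8}{table.caption.9}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.2}{\ignorespaces Relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }}{11}{table.caption.14}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.3}{\ignorespaces eBPF instruction format.\relax }}{12}{table.caption.16}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.4}{\ignorespaces eBPF registers and their purpose in the BPF VM. \cite {ebpf_inst_set} \cite {ebpf_starovo_slides}.\relax }}{13}{table.caption.17}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.5}{\ignorespaces Common fields for creating an eBPF map.\relax }}{15}{table.caption.18}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.6}{\ignorespaces Types of eBPF maps. Only those used in our rootkit are displayed; the full list can be consulted in the man page \cite {bpf_syscall}.\relax }}{15}{table.caption.19}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.7}{\ignorespaces Types of syscall actions. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite {bpf_syscall}.\relax }}{16}{table.caption.20}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.8}{\ignorespaces Types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite {bpf_syscall}.\relax }}{16}{table.caption.21}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.9}{\ignorespaces Common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to a specific program type are not listed. The full list and attribute details can be consulted in the man page \cite {ebpf_helpers}.\relax }}{17}{table.caption.22}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.10}{\ignorespaces Relevant XDP return values.\relax }}{18}{table.caption.24}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.11}{\ignorespaces Relevant XDP-exclusive eBPF helpers.\relax }}{19}{table.caption.25}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.12}{\ignorespaces Relevant TC return values. Full list can be consulted at \cite {tc_ret_list_complete}.\relax }}{20}{table.caption.26}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.13}{\ignorespaces Relevant TC-exclusive eBPF helpers.\relax }}{21}{table.caption.27}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.14}{\ignorespaces BPF skeleton functions.\relax }}{25}{table.caption.29}%
% Tables 2.15--2.17 (kernel build flags, capabilities, unprivileged-eBPF
% parameter) are the entries a defender reviewing host hardening will want
% first: they describe what a system must allow before eBPF can be used.
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.15}{\ignorespaces Kernel compilation flags for eBPF.\relax }}{26}{table.caption.30}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.16}{\ignorespaces Capabilities needed for eBPF.\relax }}{27}{table.caption.31}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.17}{\ignorespaces Values for unprivileged eBPF kernel parameter.\relax }}{27}{table.caption.32}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.18}{\ignorespaces Relevant registers in x86\_64 for the stack and control flow and their purpose.\relax }}{32}{table.caption.38}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.19}{\ignorespaces Relevant TCP flags and their purpose.\relax }}{43}{table.caption.47}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.20}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{45}{table.caption.50}%
% NOTE(review): 2.21 carries the same caption as 2.20 -- confirm in the source
% whether this is a continued table or a copy-paste caption to be made distinct.
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.21}{\ignorespaces Tools used for analysis of ELF programs.\relax }}{46}{table.caption.51}%
% Tables 2.22--2.23: compiler security features and the Yama ptrace_scope
% setting, i.e. the mitigation-side reference tables of this chapter.
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.22}{\ignorespaces Security features in C compilers used in the study.\relax }}{48}{table.caption.56}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.23}{\ignorespaces Values for \textit {/proc/sys/kernel/yama/ptrace\_scope}.\relax }}{50}{table.caption.57}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
% --- Chapter 3 ---
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {3.1}{\ignorespaces Argument passing convention of registers for function calls in user and kernel space respectively.\relax }}{54}{table.caption.59}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
% --- Chapter 4 ---
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {4.1}{\ignorespaces Arguments and return value of function \_\_libc\_malloc.\relax }}{77}{table.caption.73}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {4.2}{\ignorespaces Arguments of function \_\_libc\_dlopen\_mode.\relax }}{78}{table.caption.74}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\contentsfinish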