admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-17 07:33:07 +08:00
Code Issues Packages Projects Releases Wiki Activity

Finished core eBPF section

Browse Source
This commit is contained in:
h3xduck
2022-05-26 15:21:00 -04:00
parent 079601ec22
commit 47be741f04
14 changed files with 492 additions and 187 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
docs/bibliography/bibliography.bib
View File

@@ -251,6 +251,26 @@
url={https://lwn.net/Articles/794934/}, url={https://lwn.net/Articles/794934/},
date={2019-06-31}, date={2019-06-31},
author={Marta Rybczynska} author={Marta Rybczynska}
},
@manual{ebpf_maps_kernel,
title={eBPF maps},
url={https://www.kernel.org/doc/html/latest/bpf/maps.html}
},
@manual{ebpf_maps_rddocs,
title={eBPF maps},
url={https://prototype-kernel.readthedocs.io/en/latest/bpf/ebpf_maps.html}
},
@manual{bpf_syscall,
title={bpf(2)- Linux manual page},
url={https://man7.org/linux/man-pages/man2/bpf.2.html}
},
@manual{ebpf_helpers,
title={bpf-helpers(7)- Linux manual page},
url={https://man7.org/linux/man-pages/man7/bpf-helpers.7.html}
} }

56
docs/document.aux
View File

@@ -71,7 +71,7 @@
\providecommand*\caption@xref[2]{\@setref\relax\@undefined{#1}} \providecommand*\caption@xref[2]{\@setref\relax\@undefined{#1}}
\newlabel{fig:classif_bpf}{{2.1}{6}{Sketch of the functionality of classic BPF\relax }{figure.caption.7}{}} \newlabel{fig:classif_bpf}{{2.1}{6}{Sketch of the functionality of classic BPF\relax }{figure.caption.7}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.2}The BPF virtual machine}{6}{subsection.2.1.2}\protected@file@percent } \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.2}The BPF virtual machine}{6}{subsection.2.1.2}\protected@file@percent }
\newlabel{section:bpf_vm}{{2.1.2}{6}{The BPF virtual machine}{subsection.2.1.2}{}} \newlabel{subsection:bpf_vm}{{2.1.2}{6}{The BPF virtual machine}{subsection.2.1.2}{}}
\abx@aux@cite{bpf_bsd_origin_bpf_page5} \abx@aux@cite{bpf_bsd_origin_bpf_page5}
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page5} \abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page5}
\abx@aux@cite{bpf_organicprogrammer_analysis} \abx@aux@cite{bpf_organicprogrammer_analysis}
@@ -97,7 +97,7 @@
\abx@aux@segm{0}{0}{tcpdump_page} \abx@aux@segm{0}{0}{tcpdump_page}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.4}{\ignorespaces Table explaining the column address modes in Figure\ref {fig:bpf_instructions}, as shown by McCanne and Jacobson\cite {bpf_bsd_origin_bpf_page8}\relax }}{9}{figure.caption.11}\protected@file@percent } \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.4}{\ignorespaces Table explaining the column address modes in Figure\ref {fig:bpf_instructions}, as shown by McCanne and Jacobson\cite {bpf_bsd_origin_bpf_page8}\relax }}{9}{figure.caption.11}\protected@file@percent }
\newlabel{fig:bpf_address_mode}{{2.4}{9}{Table explaining the column address modes in Figure\ref {fig:bpf_instructions}, as shown by McCanne and Jacobson\cite {bpf_bsd_origin_bpf_page8}\relax }{figure.caption.11}{}} \newlabel{fig:bpf_address_mode}{{2.4}{9}{Table explaining the column address modes in Figure\ref {fig:bpf_instructions}, as shown by McCanne and Jacobson\cite {bpf_bsd_origin_bpf_page8}\relax }{figure.caption.11}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.5}An example of BPF filter - \textit {tcpdump}}{10}{subsection.2.1.5}\protected@file@percent } \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.5}An example of BPF filter with tcpdump}{10}{subsection.2.1.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.5}{\ignorespaces BPF bytecode tcpdump needs to set a filter to display packets directed to port 80.\relax }}{10}{figure.caption.12}\protected@file@percent } \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.5}{\ignorespaces BPF bytecode tcpdump needs to set a filter to display packets directed to port 80.\relax }}{10}{figure.caption.12}\protected@file@percent }
\newlabel{fig:bpf_tcpdump_example}{{2.5}{10}{BPF bytecode tcpdump needs to set a filter to display packets directed to port 80.\relax }{figure.caption.12}{}} \newlabel{fig:bpf_tcpdump_example}{{2.5}{10}{BPF bytecode tcpdump needs to set a filter to display packets directed to port 80.\relax }{figure.caption.12}{}}
\abx@aux@cite{ebpf_funcs_by_ver} \abx@aux@cite{ebpf_funcs_by_ver}
@@ -157,17 +157,55 @@
\abx@aux@cite{ebpf_bounded_loops} \abx@aux@cite{ebpf_bounded_loops}
\abx@aux@segm{0}{0}{ebpf_bounded_loops} \abx@aux@segm{0}{0}{ebpf_bounded_loops}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.3}The eBPF verifier}{14}{subsection.2.2.3}\protected@file@percent } \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.3}The eBPF verifier}{14}{subsection.2.2.3}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Methods??}{16}{chapter.3}\protected@file@percent } \abx@aux@cite{ebpf_maps_kernel}
\abx@aux@segm{0}{0}{ebpf_maps_kernel}
\abx@aux@cite{bpf_syscall}
\abx@aux@segm{0}{0}{bpf_syscall}
\abx@aux@cite{bpf_syscall}
\abx@aux@segm{0}{0}{bpf_syscall}
\abx@aux@cite{bpf_syscall}
\abx@aux@segm{0}{0}{bpf_syscall}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.4}eBPF maps}{15}{subsection.2.2.4}\protected@file@percent }
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.5}{\ignorespaces Table showing common fields for creating an eBPF map.\relax }}{15}{table.caption.18}\protected@file@percent }
\newlabel{table:ebpf_map_struct}{{2.5}{15}{Table showing common fields for creating an eBPF map.\relax }{table.caption.18}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.6}{\ignorespaces Table showing types of eBPF maps. Only those used in our rootkit are displayed, the full list can be consulted in the man page \cite {bpf_syscall}\relax }}{15}{table.caption.19}\protected@file@percent }
\newlabel{table:ebpf_map_types}{{2.6}{15}{Table showing types of eBPF maps. Only those used in our rootkit are displayed, the full list can be consulted in the man page \cite {bpf_syscall}\relax }{table.caption.19}{}}
\abx@aux@cite{bpf_syscall}
\abx@aux@segm{0}{0}{bpf_syscall}
\abx@aux@cite{bpf_syscall}
\abx@aux@segm{0}{0}{bpf_syscall}
\abx@aux@cite{bpf_syscall}
\abx@aux@segm{0}{0}{bpf_syscall}
\abx@aux@cite{bpf_syscall}
\abx@aux@segm{0}{0}{bpf_syscall}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.5}The eBPF ring buffer}{16}{subsection.2.2.5}\protected@file@percent }
\newlabel{subsection:bpf_ring_buf}{{2.2.5}{16}{The eBPF ring buffer}{subsection.2.2.5}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.6}The bpf() syscall}{16}{subsection.2.2.6}\protected@file@percent }
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.7}{\ignorespaces Table showing types of syscall actions. Only those relevant to our research are shown the full list and attribute details can be consulted in the man page \cite {bpf_syscall}\relax }}{16}{table.caption.20}\protected@file@percent }
\newlabel{table:ebpf_syscall}{{2.7}{16}{Table showing types of syscall actions. Only those relevant to our research are shown the full list and attribute details can be consulted in the man page \cite {bpf_syscall}\relax }{table.caption.20}{}}
\abx@aux@cite{ebpf_helpers}
\abx@aux@segm{0}{0}{ebpf_helpers}
\abx@aux@cite{ebpf_helpers}
\abx@aux@segm{0}{0}{ebpf_helpers}
\abx@aux@cite{ebpf_helpers}
\abx@aux@segm{0}{0}{ebpf_helpers}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.8}{\ignorespaces Table showing types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite {bpf_syscall}.\relax }}{17}{table.caption.21}\protected@file@percent }
\newlabel{table:ebpf_prog_types}{{2.8}{17}{Table showing types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite {bpf_syscall}.\relax }{table.caption.21}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.7}eBPF helpers}{17}{subsection.2.2.7}\protected@file@percent }
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.9}{\ignorespaces Table showing common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite {ebpf_helpers}.\relax }}{18}{table.caption.22}\protected@file@percent }
\newlabel{table:ebpf_helpers}{{2.9}{18}{Table showing common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite {ebpf_helpers}.\relax }{table.caption.22}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Methods??}{19}{chapter.3}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }} \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }} \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{17}{chapter.4}\protected@file@percent } \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{20}{chapter.4}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }} \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }} \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{18}{chapter.5}\protected@file@percent } \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{21}{chapter.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }} \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }} \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{19}{chapter.5}\protected@file@percent } \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{22}{chapter.5}\protected@file@percent }
\abx@aux@read@bbl@mdfivesum{B46A2B2BB490570F1A9251B9CDF39B97} \abx@aux@read@bbl@mdfivesum{B0FAA8A56537935B1DC703B06B60D6C1}
\abx@aux@read@bblrerun
\abx@aux@refcontextdefaultsdone \abx@aux@refcontextdefaultsdone
\abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global} \abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global} \abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global}
@@ -204,5 +242,7 @@
\abx@aux@defaultrefcontext{0}{ebpf_verifier_kerneldocs}{none/global//global/global} \abx@aux@defaultrefcontext{0}{ebpf_verifier_kerneldocs}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_JIT_demystify_page17-22}{none/global//global/global} \abx@aux@defaultrefcontext{0}{ebpf_JIT_demystify_page17-22}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_bounded_loops}{none/global//global/global} \abx@aux@defaultrefcontext{0}{ebpf_bounded_loops}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_maps_kernel}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{bpf_syscall}{none/global//global/global}
\ttl@finishall \ttl@finishall
\gdef \@abspage@last{37} \gdef \@abspage@last{40}

64
docs/document.bbl
View File

@@ -23,8 +23,8 @@
\list{institution}{1}{% \list{institution}{1}{%
{PricewaterhouseCoopers}% {PricewaterhouseCoopers}%
} }
\field{sortinit}{8} \field{sortinit}{1}
\field{sortinithash}{1b24cab5087933ef0826a7cd3b99e994} \field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title} \field{labeltitlesource}{title}
\field{title}{Cyber Threats 2021: A year in Retrospect} \field{title}{Cyber Threats 2021: A year in Retrospect}
\verb{urlraw} \verb{urlraw}
@@ -38,8 +38,8 @@
\list{institution}{1}{% \list{institution}{1}{%
{Positive Technologies}% {Positive Technologies}%
} }
\field{sortinit}{9} \field{sortinit}{1}
\field{sortinithash}{54047ffb55bdefa0694bbd554c1b11a0} \field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba}
\field{labeltitlesource}{title} \field{labeltitlesource}{title}
\field{day}{3} \field{day}{3}
\field{month}{11} \field{month}{11}
@@ -211,8 +211,8 @@
\strng{authorbibnamehash}{2994fc802c0b46f7289cf001e2c26cfe} \strng{authorbibnamehash}{2994fc802c0b46f7289cf001e2c26cfe}
\strng{authornamehash}{2994fc802c0b46f7289cf001e2c26cfe} \strng{authornamehash}{2994fc802c0b46f7289cf001e2c26cfe}
\strng{authorfullhash}{2994fc802c0b46f7289cf001e2c26cfe} \strng{authorfullhash}{2994fc802c0b46f7289cf001e2c26cfe}
\field{sortinit}{1} \field{sortinit}{2}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba} \field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
\field{labelnamesource}{author} \field{labelnamesource}{author}
\field{eventtitle}{Cyber Threats 2021: A year in Retrospect} \field{eventtitle}{Cyber Threats 2021: A year in Retrospect}
\verb{urlraw} \verb{urlraw}
@@ -223,8 +223,8 @@
\endverb \endverb
\endentry \endentry
\entry{ebpf_io}{manual}{} \entry{ebpf_io}{manual}{}
\field{sortinit}{1} \field{sortinit}{2}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba} \field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
\field{labeltitlesource}{title} \field{labeltitlesource}{title}
\field{title}{eBPF Documentation} \field{title}{eBPF Documentation}
\verb{urlraw} \verb{urlraw}
@@ -252,8 +252,8 @@
\strng{authornamehash}{b74c2671072cf5a1a1400dc035240dfd} \strng{authornamehash}{b74c2671072cf5a1a1400dc035240dfd}
\strng{authorfullhash}{b74c2671072cf5a1a1400dc035240dfd} \strng{authorfullhash}{b74c2671072cf5a1a1400dc035240dfd}
\field{extraname}{1} \field{extraname}{1}
\field{sortinit}{1} \field{sortinit}{2}
\field{sortinithash}{50c6687d7fc80f50136d75228e3c59ba} \field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed}
\field{labelnamesource}{author} \field{labelnamesource}{author}
\field{labeltitlesource}{title} \field{labeltitlesource}{title}
\field{day}{19} \field{day}{19}
@@ -457,8 +457,8 @@
\endverb \endverb
\endentry \endentry
\entry{tcpdump_page}{manual}{} \entry{tcpdump_page}{manual}{}
\field{sortinit}{2} \field{sortinit}{3}
\field{sortinithash}{ed39bb39cf854d5250e95b1c1f94f4ed} \field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
\field{labeltitlesource}{title} \field{labeltitlesource}{title}
\field{title}{Tcpdump and Libpcap} \field{title}{Tcpdump and Libpcap}
\verb{urlraw} \verb{urlraw}
@@ -569,8 +569,8 @@
\list{institution}{1}{% \list{institution}{1}{%
{PLUMgrid}% {PLUMgrid}%
} }
\field{sortinit}{3} \field{sortinit}{4}
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9} \field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4}
\field{labeltitlesource}{title} \field{labeltitlesource}{title}
\field{day}{20} \field{day}{20}
\field{month}{2} \field{month}{2}
@@ -734,8 +734,8 @@
\strng{authornamehash}{b45aef384111d7e9dd71b74ba427b5f1} \strng{authornamehash}{b45aef384111d7e9dd71b74ba427b5f1}
\strng{authorfullhash}{b45aef384111d7e9dd71b74ba427b5f1} \strng{authorfullhash}{b45aef384111d7e9dd71b74ba427b5f1}
\field{extraname}{2} \field{extraname}{2}
\field{sortinit}{4} \field{sortinit}{5}
\field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4} \field{sortinithash}{5dd416adbafacc8226114bc0202d5fdd}
\field{labelnamesource}{author} \field{labelnamesource}{author}
\field{labeltitlesource}{title} \field{labeltitlesource}{title}
\field{title}{BPF performance tools} \field{title}{BPF performance tools}
@@ -747,8 +747,8 @@
\endverb \endverb
\endentry \endentry
\entry{ebpf_verifier_kerneldocs}{manual}{} \entry{ebpf_verifier_kerneldocs}{manual}{}
\field{sortinit}{4} \field{sortinit}{5}
\field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4} \field{sortinithash}{5dd416adbafacc8226114bc0202d5fdd}
\field{labeltitlesource}{title} \field{labeltitlesource}{title}
\field{title}{eBPF verifier} \field{title}{eBPF verifier}
\verb{urlraw} \verb{urlraw}
@@ -776,8 +776,8 @@
\strng{authornamehash}{0fcaa32b080db12cbc8b11b27d05ad61} \strng{authornamehash}{0fcaa32b080db12cbc8b11b27d05ad61}
\strng{authorfullhash}{0fcaa32b080db12cbc8b11b27d05ad61} \strng{authorfullhash}{0fcaa32b080db12cbc8b11b27d05ad61}
\field{extraname}{3} \field{extraname}{3}
\field{sortinit}{4} \field{sortinit}{5}
\field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4} \field{sortinithash}{5dd416adbafacc8226114bc0202d5fdd}
\field{labelnamesource}{author} \field{labelnamesource}{author}
\field{labeltitlesource}{title} \field{labeltitlesource}{title}
\field{day}{11} \field{day}{11}
@@ -821,6 +821,30 @@
\endverb \endverb
\warn{\item Entry 'ebpf_bounded_loops' (bibliography/bibliography.bib): Invalid format '2019-06-31' of date field 'date' - ignoring} \warn{\item Entry 'ebpf_bounded_loops' (bibliography/bibliography.bib): Invalid format '2019-06-31' of date field 'date' - ignoring}
\endentry \endentry
\entry{ebpf_maps_kernel}{manual}{}
\field{sortinit}{5}
\field{sortinithash}{5dd416adbafacc8226114bc0202d5fdd}
\field{labeltitlesource}{title}
\field{title}{eBPF maps}
\verb{urlraw}
\verb https://www.kernel.org/doc/html/latest/bpf/maps.html
\endverb
\verb{url}
\verb https://www.kernel.org/doc/html/latest/bpf/maps.html
\endverb
\endentry
\entry{bpf_syscall}{manual}{}
\field{sortinit}{5}
\field{sortinithash}{5dd416adbafacc8226114bc0202d5fdd}
\field{labeltitlesource}{title}
\field{title}{bpf(2)- Linux manual page}
\verb{urlraw}
\verb https://man7.org/linux/man-pages/man2/bpf.2.html
\endverb
\verb{url}
\verb https://man7.org/linux/man-pages/man2/bpf.2.html
\endverb
\endentry
\enddatalist \enddatalist
\endrefsection \endrefsection
\endinput \endinput

97
docs/document.bcf
View File

@@ -2348,49 +2348,60 @@
<bcf:datasource type="file" datatype="bibtex" glob="false">bibliography/bibliography.bib</bcf:datasource> <bcf:datasource type="file" datatype="bibtex" glob="false">bibliography/bibliography.bib</bcf:datasource>
</bcf:bibdata> </bcf:bibdata>
<bcf:section number="0"> <bcf:section number="0">
<bcf:citekey order="8">ransomware_pwc</bcf:citekey> <bcf:citekey order="12">ransomware_pwc</bcf:citekey>
<bcf:citekey order="9">rootkit_ptsecurity</bcf:citekey> <bcf:citekey order="13">rootkit_ptsecurity</bcf:citekey>
<bcf:citekey order="10">ebpf_linux318</bcf:citekey> <bcf:citekey order="14">ebpf_linux318</bcf:citekey>
<bcf:citekey order="11">bvp47_report</bcf:citekey> <bcf:citekey order="15">bvp47_report</bcf:citekey>
<bcf:citekey order="12">bpfdoor_pwc</bcf:citekey> <bcf:citekey order="16">bpfdoor_pwc</bcf:citekey>
<bcf:citekey order="13">ebpf_windows</bcf:citekey> <bcf:citekey order="17">ebpf_windows</bcf:citekey>
<bcf:citekey order="14">ebpf_android</bcf:citekey> <bcf:citekey order="18">ebpf_android</bcf:citekey>
<bcf:citekey order="15">evil_ebpf</bcf:citekey> <bcf:citekey order="19">evil_ebpf</bcf:citekey>
<bcf:citekey order="16">bad_ebpf</bcf:citekey> <bcf:citekey order="20">bad_ebpf</bcf:citekey>
<bcf:citekey order="17">ebpf_friends</bcf:citekey> <bcf:citekey order="21">ebpf_friends</bcf:citekey>
<bcf:citekey order="18">ebpf_io</bcf:citekey> <bcf:citekey order="22">ebpf_io</bcf:citekey>
<bcf:citekey order="19">bpf_bsd_origin</bcf:citekey> <bcf:citekey order="23">bpf_bsd_origin</bcf:citekey>
<bcf:citekey order="20">ebpf_history_opensource</bcf:citekey> <bcf:citekey order="24">ebpf_history_opensource</bcf:citekey>
<bcf:citekey order="21">bpf_bsd_origin_bpf_page1</bcf:citekey> <bcf:citekey order="25">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="22">index_register</bcf:citekey> <bcf:citekey order="26">index_register</bcf:citekey>
<bcf:citekey order="23">bpf_bsd_origin_bpf_page5</bcf:citekey> <bcf:citekey order="27">bpf_bsd_origin_bpf_page5</bcf:citekey>
<bcf:citekey order="24">bpf_organicprogrammer_analysis</bcf:citekey> <bcf:citekey order="28">bpf_organicprogrammer_analysis</bcf:citekey>
<bcf:citekey order="25">bpf_bsd_origin_bpf_page7</bcf:citekey> <bcf:citekey order="29">bpf_bsd_origin_bpf_page7</bcf:citekey>
<bcf:citekey order="26">bpf_bsd_origin_bpf_page8</bcf:citekey> <bcf:citekey order="30">bpf_bsd_origin_bpf_page8</bcf:citekey>
<bcf:citekey order="27">bpf_bsd_origin_bpf_page8</bcf:citekey> <bcf:citekey order="31">bpf_bsd_origin_bpf_page8</bcf:citekey>
<bcf:citekey order="28">bpf_bsd_origin_bpf_page1</bcf:citekey> <bcf:citekey order="32">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="29">tcpdump_page</bcf:citekey> <bcf:citekey order="33">tcpdump_page</bcf:citekey>
<bcf:citekey order="30">ebpf_funcs_by_ver</bcf:citekey> <bcf:citekey order="34">ebpf_funcs_by_ver</bcf:citekey>
<bcf:citekey order="31">ebpf_funcs_by_ver</bcf:citekey> <bcf:citekey order="35">ebpf_funcs_by_ver</bcf:citekey>
<bcf:citekey order="32">brendan_gregg_bpf_book</bcf:citekey> <bcf:citekey order="36">brendan_gregg_bpf_book</bcf:citekey>
<bcf:citekey order="33">brendan_gregg_bpf_book</bcf:citekey> <bcf:citekey order="37">brendan_gregg_bpf_book</bcf:citekey>
<bcf:citekey order="34">ebpf_io_arch</bcf:citekey> <bcf:citekey order="38">ebpf_io_arch</bcf:citekey>
<bcf:citekey order="35">ebpf_inst_set</bcf:citekey> <bcf:citekey order="39">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="36">8664_inst_set_specs</bcf:citekey> <bcf:citekey order="40">8664_inst_set_specs</bcf:citekey>
<bcf:citekey order="37">ebpf_inst_set</bcf:citekey> <bcf:citekey order="41">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="38">ebpf_inst_set</bcf:citekey> <bcf:citekey order="42">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="39">ebpf_starovo_slides</bcf:citekey> <bcf:citekey order="43">ebpf_starovo_slides</bcf:citekey>
<bcf:citekey order="40">ebpf_inst_set</bcf:citekey> <bcf:citekey order="44">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="41">ebpf_starovo_slides</bcf:citekey> <bcf:citekey order="45">ebpf_starovo_slides</bcf:citekey>
<bcf:citekey order="42">ebpf_JIT</bcf:citekey> <bcf:citekey order="46">ebpf_JIT</bcf:citekey>
<bcf:citekey order="43">ebpf_JIT_demystify_page13</bcf:citekey> <bcf:citekey order="47">ebpf_JIT_demystify_page13</bcf:citekey>
<bcf:citekey order="44">ebpf_JIT_demystify_page14</bcf:citekey> <bcf:citekey order="48">ebpf_JIT_demystify_page14</bcf:citekey>
<bcf:citekey order="45">jit_enable_setting</bcf:citekey> <bcf:citekey order="49">jit_enable_setting</bcf:citekey>
<bcf:citekey order="46">ebpf_starovo_slides_page23</bcf:citekey> <bcf:citekey order="50">ebpf_starovo_slides_page23</bcf:citekey>
<bcf:citekey order="47">brendan_gregg_bpf_book_bpf_vm</bcf:citekey> <bcf:citekey order="51">brendan_gregg_bpf_book_bpf_vm</bcf:citekey>
<bcf:citekey order="48">ebpf_verifier_kerneldocs</bcf:citekey> <bcf:citekey order="52">ebpf_verifier_kerneldocs</bcf:citekey>
<bcf:citekey order="49">ebpf_JIT_demystify_page17-22</bcf:citekey> <bcf:citekey order="53">ebpf_JIT_demystify_page17-22</bcf:citekey>
<bcf:citekey order="50">ebpf_bounded_loops</bcf:citekey> <bcf:citekey order="54">ebpf_bounded_loops</bcf:citekey>
<bcf:citekey order="55">ebpf_maps_kernel</bcf:citekey>
<bcf:citekey order="56">bpf_syscall</bcf:citekey>
<bcf:citekey order="57">bpf_syscall</bcf:citekey>
<bcf:citekey order="58">bpf_syscall</bcf:citekey>
<bcf:citekey order="59">bpf_syscall</bcf:citekey>
<bcf:citekey order="60">bpf_syscall</bcf:citekey>
<bcf:citekey order="61">bpf_syscall</bcf:citekey>
<bcf:citekey order="62">bpf_syscall</bcf:citekey>
<bcf:citekey order="63">ebpf_helpers</bcf:citekey>
<bcf:citekey order="64">ebpf_helpers</bcf:citekey>
<bcf:citekey order="65">ebpf_helpers</bcf:citekey>
</bcf:section> </bcf:section>
<!-- SORTING TEMPLATES --> <!-- SORTING TEMPLATES -->
<bcf:sortingtemplate name="none"> <bcf:sortingtemplate name="none">

107
docs/document.blg
View File

@@ -1,52 +1,55 @@
[1] Config.pm:311> INFO - This is Biber 2.16 [0] Config.pm:311> INFO - This is Biber 2.16
[1] Config.pm:314> INFO - Logfile is 'document.blg' [0] Config.pm:314> INFO - Logfile is 'document.blg'
[158] biber:340> INFO - === Thu May 26, 2022, 08:37:12 [58] biber:340> INFO - === Thu May 26, 2022, 14:35:25
[187] Biber.pm:415> INFO - Reading 'document.bcf' [72] Biber.pm:415> INFO - Reading 'document.bcf'
[384] Biber.pm:952> INFO - Found 35 citekeys in bib section 0 [142] Biber.pm:952> INFO - Found 37 citekeys in bib section 0
[425] Biber.pm:4340> INFO - Processing section 0 [157] Biber.pm:4340> INFO - Processing section 0
[450] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0 [166] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[454] bibtex.pm:1689> INFO - LaTeX decoding ... [167] bibtex.pm:1689> INFO - LaTeX decoding ...
[494] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib' [183] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[694] Utils.pm:384> WARN - Entry 'ebpf_bounded_loops' (bibliography/bibliography.bib): Invalid format '2019-06-31' of date field 'date' - ignoring [278] Utils.pm:384> WARN - Entry 'ebpf_bounded_loops' (bibliography/bibliography.bib): Invalid format '2019-06-31' of date field 'date' - ignoring
[702] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 9, warning: 1 characters of junk seen at toplevel [281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 9, warning: 1 characters of junk seen at toplevel
[702] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 15, warning: 1 characters of junk seen at toplevel [281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 15, warning: 1 characters of junk seen at toplevel
[702] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 22, warning: 1 characters of junk seen at toplevel [281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 22, warning: 1 characters of junk seen at toplevel
[703] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 28, warning: 1 characters of junk seen at toplevel [281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 28, warning: 1 characters of junk seen at toplevel
[703] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 35, warning: 1 characters of junk seen at toplevel [281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 35, warning: 1 characters of junk seen at toplevel
[703] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 42, warning: 1 characters of junk seen at toplevel [281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 42, warning: 1 characters of junk seen at toplevel
[703] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 50, warning: 1 characters of junk seen at toplevel [281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 50, warning: 1 characters of junk seen at toplevel
[704] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 58, warning: 1 characters of junk seen at toplevel [281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 58, warning: 1 characters of junk seen at toplevel
[704] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 65, warning: 1 characters of junk seen at toplevel [281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 65, warning: 1 characters of junk seen at toplevel
[704] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 70, warning: 1 characters of junk seen at toplevel [281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 70, warning: 1 characters of junk seen at toplevel
[704] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 77, warning: 1 characters of junk seen at toplevel [281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 77, warning: 1 characters of junk seen at toplevel
[704] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 85, warning: 1 characters of junk seen at toplevel [281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 85, warning: 1 characters of junk seen at toplevel
[704] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 94, warning: 1 characters of junk seen at toplevel [281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 94, warning: 1 characters of junk seen at toplevel
[704] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 103, warning: 1 characters of junk seen at toplevel [281] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 103, warning: 1 characters of junk seen at toplevel
[705] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 112, warning: 1 characters of junk seen at toplevel [282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 112, warning: 1 characters of junk seen at toplevel
[705] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 121, warning: 1 characters of junk seen at toplevel [282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 121, warning: 1 characters of junk seen at toplevel
[705] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 127, warning: 1 characters of junk seen at toplevel [282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 127, warning: 1 characters of junk seen at toplevel
[705] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 132, warning: 1 characters of junk seen at toplevel [282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 132, warning: 1 characters of junk seen at toplevel
[705] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 137, warning: 1 characters of junk seen at toplevel [282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 137, warning: 1 characters of junk seen at toplevel
[705] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 142, warning: 1 characters of junk seen at toplevel [282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 142, warning: 1 characters of junk seen at toplevel
[705] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 153, warning: 1 characters of junk seen at toplevel [282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 153, warning: 1 characters of junk seen at toplevel
[706] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 158, warning: 1 characters of junk seen at toplevel [282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 158, warning: 1 characters of junk seen at toplevel
[706] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 164, warning: 1 characters of junk seen at toplevel [282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 164, warning: 1 characters of junk seen at toplevel
[706] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 170, warning: 1 characters of junk seen at toplevel [282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 170, warning: 1 characters of junk seen at toplevel
[706] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 175, warning: 1 characters of junk seen at toplevel [282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 175, warning: 1 characters of junk seen at toplevel
[706] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 184, warning: 1 characters of junk seen at toplevel [282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 184, warning: 1 characters of junk seen at toplevel
[706] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 191, warning: 1 characters of junk seen at toplevel [282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 191, warning: 1 characters of junk seen at toplevel
[707] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 199, warning: 1 characters of junk seen at toplevel [282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 199, warning: 1 characters of junk seen at toplevel
[707] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 206, warning: 1 characters of junk seen at toplevel [282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 206, warning: 1 characters of junk seen at toplevel
[707] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 215, warning: 1 characters of junk seen at toplevel [282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 215, warning: 1 characters of junk seen at toplevel
[707] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 224, warning: 1 characters of junk seen at toplevel [282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 224, warning: 1 characters of junk seen at toplevel
[708] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 233, warning: 1 characters of junk seen at toplevel [282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 233, warning: 1 characters of junk seen at toplevel
[708] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 239, warning: 1 characters of junk seen at toplevel [282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 239, warning: 1 characters of junk seen at toplevel
[708] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 244, warning: 1 characters of junk seen at toplevel [282] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 244, warning: 1 characters of junk seen at toplevel
[708] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ZtQU/f4d088b3f9f145b5c3058da33afd57d4_137201.utf8, line 249, warning: 1 characters of junk seen at toplevel [283] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 249, warning: 1 characters of junk seen at toplevel
[776] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized' [283] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 256, warning: 1 characters of junk seen at toplevel
[776] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable' [283] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 261, warning: 1 characters of junk seen at toplevel
[776] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US' [283] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_g5IR/f4d088b3f9f145b5c3058da33afd57d4_143582.utf8, line 266, warning: 1 characters of junk seen at toplevel
[776] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US' [308] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[831] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8' [309] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[859] bbl.pm:757> INFO - Output to document.bbl [309] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[859] Biber.pm:128> INFO - WARNINGS: 36 [309] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[332] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[341] bbl.pm:757> INFO - Output to document.bbl
[341] Biber.pm:128> INFO - WARNINGS: 39

143
docs/document.log
View File

@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 26 MAY 2022 08:37 This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 26 MAY 2022 15:20
entering extended mode entering extended mode
restricted \write18 enabled. restricted \write18 enabled.
%&-line parsing enabled. %&-line parsing enabled.
@@ -1096,7 +1096,7 @@ File: t1txss.fd 2000/12/15 v3.1
) )
LaTeX Font Info: Font shape `T1/txss/m/n' will be LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 11.39996pt on input line 186. (Font) scaled to size 11.39996pt on input line 186.
<images//Portada_Logo.png, id=93, 456.2865pt x 45.99pt> <images//Portada_Logo.png, id=109, 456.2865pt x 45.99pt>
File: images//Portada_Logo.png Graphic file (type png) File: images//Portada_Logo.png Graphic file (type png)
<use images//Portada_Logo.png> <use images//Portada_Logo.png>
Package pdftex.def Info: images//Portada_Logo.png used on input line 190. Package pdftex.def Info: images//Portada_Logo.png used on input line 190.
@@ -1109,7 +1109,7 @@ LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 23.63593pt on input line 201. (Font) scaled to size 23.63593pt on input line 201.
LaTeX Font Info: Font shape `T1/txss/m/n' will be LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 19.70294pt on input line 205. (Font) scaled to size 19.70294pt on input line 205.
<images/creativecommons.png, id=95, 338.76563pt x 118.19156pt> <images/creativecommons.png, id=111, 338.76563pt x 118.19156pt>
File: images/creativecommons.png Graphic file (type png) File: images/creativecommons.png Graphic file (type png)
<use images/creativecommons.png> <use images/creativecommons.png>
Package pdftex.def Info: images/creativecommons.png used on input line 215. Package pdftex.def Info: images/creativecommons.png used on input line 215.
@@ -1220,7 +1220,7 @@ Chapter 2.
LaTeX Warning: Reference `section:analysis_offensive_capabilities' on page 5 un LaTeX Warning: Reference `section:analysis_offensive_capabilities' on page 5 un
defined on input line 412. defined on input line 412.
<images//classic_bpf.jpg, id=297, 588.1975pt x 432.61626pt> <images//classic_bpf.jpg, id=343, 588.1975pt x 432.61626pt>
File: images//classic_bpf.jpg Graphic file (type jpg) File: images//classic_bpf.jpg Graphic file (type jpg)
<use images//classic_bpf.jpg> <use images//classic_bpf.jpg>
Package pdftex.def Info: images//classic_bpf.jpg used on input line 426. Package pdftex.def Info: images//classic_bpf.jpg used on input line 426.
@@ -1228,38 +1228,36 @@ Package pdftex.def Info: images//classic_bpf.jpg used on input line 426.
[5 [5
] [6 <./images//classic_bpf.jpg>] ] [6 <./images//classic_bpf.jpg>]
<images//cbpf_prog.jpg, id=316, 403.5075pt x 451.6875pt> <images//cbpf_prog.jpg, id=362, 403.5075pt x 451.6875pt>
File: images//cbpf_prog.jpg Graphic file (type jpg) File: images//cbpf_prog.jpg Graphic file (type jpg)
<use images//cbpf_prog.jpg> <use images//cbpf_prog.jpg>
Package pdftex.def Info: images//cbpf_prog.jpg used on input line 453. Package pdftex.def Info: images//cbpf_prog.jpg used on input line 453.
(pdftex.def) Requested size: 227.62204pt x 254.80415pt. (pdftex.def) Requested size: 227.62204pt x 254.80415pt.
[7 <./images/cBPF_prog.jpg>] [7 <./images/cBPF_prog.jpg>]
<images//bpf_instructions.png, id=326, 380.92313pt x 475.27562pt> <images//bpf_instructions.png, id=372, 380.92313pt x 475.27562pt>
File: images//bpf_instructions.png Graphic file (type png) File: images//bpf_instructions.png Graphic file (type png)
<use images//bpf_instructions.png> <use images//bpf_instructions.png>
Package pdftex.def Info: images//bpf_instructions.png used on input line 493. Package pdftex.def Info: images//bpf_instructions.png used on input line 493.
(pdftex.def) Requested size: 227.62204pt x 283.99998pt. (pdftex.def) Requested size: 227.62204pt x 283.99998pt.
[8 <./images//bpf_instructions.png>] [8 <./images//bpf_instructions.png>]
<images//bpf_address_mode.png, id=336, 417.05812pt x 313.67188pt> <images//bpf_address_mode.png, id=382, 417.05812pt x 313.67188pt>
File: images//bpf_address_mode.png Graphic file (type png) File: images//bpf_address_mode.png Graphic file (type png)
<use images//bpf_address_mode.png> <use images//bpf_address_mode.png>
Package pdftex.def Info: images//bpf_address_mode.png used on input line 509. Package pdftex.def Info: images//bpf_address_mode.png used on input line 509.
(pdftex.def) Requested size: 227.62204pt x 171.19905pt. (pdftex.def) Requested size: 227.62204pt x 171.19905pt.
LaTeX Font Info: Font shape `T1/txr/b/it' in size <12> not available
(Font) Font shape `T1/txr/bx/it' tried instead on input line 517.
[9 <./images//bpf_address_mode.png>] [9 <./images//bpf_address_mode.png>]
<images//tcpdump_example.png, id=348, 534.99875pt x 454.69875pt> <images//tcpdump_example.png, id=394, 534.99875pt x 454.69875pt>
File: images//tcpdump_example.png Graphic file (type png) File: images//tcpdump_example.png Graphic file (type png)
<use images//tcpdump_example.png> <use images//tcpdump_example.png>
Package pdftex.def Info: images//tcpdump_example.png used on input line 524. Package pdftex.def Info: images//tcpdump_example.png used on input line 524.
(pdftex.def) Requested size: 284.52756pt x 241.82869pt. (pdftex.def) Requested size: 284.52756pt x 241.82869pt.
<images//cBPF_prog_ex_sol.png, id=351, 242.9075pt x 321.2pt> <images//cBPF_prog_ex_sol.png, id=397, 242.9075pt x 321.2pt>
File: images//cBPF_prog_ex_sol.png Graphic file (type png) File: images//cBPF_prog_ex_sol.png Graphic file (type png)
<use images//cBPF_prog_ex_sol.png> <use images//cBPF_prog_ex_sol.png>
Package pdftex.def Info: images//cBPF_prog_ex_sol.png used on input line 535. Package pdftex.def Info: images//cBPF_prog_ex_sol.png used on input line 535.
(pdftex.def) Requested size: 170.71652pt x 225.74026pt. (pdftex.def) Requested size: 170.71652pt x 225.74026pt.
[10 <./images//tcpdump_example.png>] [11 <./images//cBPF_prog_ex_sol.png>] [10 <./images//tcpdump_example.png>] [11 <./images//cBPF_prog_ex_sol.png>]
<images//ebpf_arch.jpg, id=371, 739.76375pt x 472.76625pt> <images//ebpf_arch.jpg, id=416, 739.76375pt x 472.76625pt>
File: images//ebpf_arch.jpg Graphic file (type jpg) File: images//ebpf_arch.jpg Graphic file (type jpg)
<use images//ebpf_arch.jpg> <use images//ebpf_arch.jpg>
Package pdftex.def Info: images//ebpf_arch.jpg used on input line 574. Package pdftex.def Info: images//ebpf_arch.jpg used on input line 574.
@@ -1275,57 +1273,109 @@ Overfull \hbox (17.02478pt too wide) in paragraph at lines 627--628
the vari-able \T1/txr/m/it/12 bpf_jit_enable\T1/txr/m/n/12 [[][]30[][]], the vari-able \T1/txr/m/it/12 bpf_jit_enable\T1/txr/m/n/12 [[][]30[][]],
[] []
[14] [15] [14]
Overfull \hbox (30.83617pt too wide) in paragraph at lines 677--686
[][]
[]
LaTeX Warning: Reference `table:ebpf_maps' on page 15 undefined on input line 6
90.
Overfull \hbox (11.26865pt too wide) in paragraph at lines 690--691
\T1/txr/m/n/12 de-vel-op-ment of our rootkit, we will mainly fo-cus on hash map
s (BPF_MAP_TYPE_HASH),
[]
[15]
LaTeX Warning: Reference `table:bpf_syscall' on page 16 undefined on input line
700.
Overfull \hbox (42.01218pt too wide) in paragraph at lines 703--719
[][]
[]
[16]
LaTeX Warning: Reference `section:TODO' on page 17 undefined on input line 746.
LaTeX Warning: Citation 'ebpf_helpers' on page 17 undefined on input line 749.
Overfull \hbox (34.64395pt too wide) in paragraph at lines 749--750
\T1/txr/m/n/12 have free ac-cess to), the eBPF sys-tem of-fers a set of lim-ite
d func-tions called helpers[],
[]
Overfull \hbox (13.5802pt too wide) in paragraph at lines 756--784
[][]
[]
LaTeX Warning: Citation 'ebpf_helpers' on page 17 undefined on input line 784.
LaTeX Font Info: Font shape `T1/txr/b/n' in size <10.95> not available
(Font) Font shape `T1/txr/bx/n' tried instead on input line 784.
LaTeX Warning: Citation 'ebpf_helpers' on page 17 undefined on input line 784.
[17] [18]
Chapter 3. Chapter 3.
[16 [19
] ]
Chapter 4. Chapter 4.
[17 [20
] ]
Chapter 5. Chapter 5.
[18 [21
] ]
LaTeX Font Info: Trying to load font information for T1+txtt on input line 6 LaTeX Font Info: Trying to load font information for T1+txtt on input line 8
97. 30.
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txtt.fd (/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txtt.fd
File: t1txtt.fd 2000/12/15 v3.1 File: t1txtt.fd 2000/12/15 v3.1
) )
Overfull \hbox (5.34976pt too wide) in paragraph at lines 698--698 Overfull \hbox (5.34976pt too wide) in paragraph at lines 831--831
\T1/txtt/m/n/12 threat -[] intelligence / cyber -[] year -[] in -[] retrospect \T1/txtt/m/n/12 threat -[] intelligence / cyber -[] year -[] in -[] retrospect
/ yir -[] cyber -[] threats -[] / yir -[] cyber -[] threats -[]
[] []
[19 [22
] ]
Overfull \hbox (6.22696pt too wide) in paragraph at lines 698--698 Overfull \hbox (6.22696pt too wide) in paragraph at lines 831--831
[]\T1/txr/m/it/12 Bpf fea-tures by linux ker-nel ver-sion\T1/txr/m/n/12 , io-vi []\T1/txr/m/it/12 Bpf fea-tures by linux ker-nel ver-sion\T1/txr/m/n/12 , io-vi
-sor. [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / github . -sor. [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / github .
[] []
Overfull \hbox (7.34976pt too wide) in paragraph at lines 698--698 Overfull \hbox (7.34976pt too wide) in paragraph at lines 831--831
[][]$\T1/txtt/m/n/12 https : / / ebpf . io / what -[] is -[] ebpf / #loader -[] [][]$\T1/txtt/m/n/12 https : / / ebpf . io / what -[] is -[] ebpf / #loader -[]
-[] verification -[] architecture$[][]\T1/txr/m/n/12 . -[] verification -[] architecture$[][]\T1/txr/m/n/12 .
[] []
Overfull \hbox (21.24973pt too wide) in paragraph at lines 698--698 Overfull \hbox (21.24973pt too wide) in paragraph at lines 831--831
\T1/txtt/m/n/12 vger . kernel . org / netconf2015Starovoitov -[] bpf _ collabsu \T1/txtt/m/n/12 vger . kernel . org / netconf2015Starovoitov -[] bpf _ collabsu
mmit _ 2015feb20 . mmit _ 2015feb20 .
[] []
[20] [23]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 698--698 Overfull \hbox (9.14975pt too wide) in paragraph at lines 831--831
\T1/txtt/m/n/12 ch02 . xhtml# :-[]: text = With % 20JIT % 20compiled % 20code % \T1/txtt/m/n/12 ch02 . xhtml# :-[]: text = With % 20JIT % 20compiled % 20code %
2C % 20i ,[] %20other % 2C % 20i ,[] %20other %
[] []
[21] [1 [24] [1
] ]
@@ -1336,7 +1386,7 @@ pdfTeX warning (ext4): destination with the same identifier (name{page.}) has b
een already used, duplicate ignored een already used, duplicate ignored
<to be read again> <to be read again>
\relax \relax
l.714 \end{document} l.847 \end{document}
[2 [2
] (./document.aux) ] (./document.aux)
@@ -1344,33 +1394,38 @@ l.714 \end{document}
LaTeX Warning: There were undefined references. LaTeX Warning: There were undefined references.
Package rerunfilecheck Info: File `document.out' has not changed. Package rerunfilecheck Info: File `document.out' has not changed.
(rerunfilecheck) Checksum: 1F4132EC47FF9B036E3940F1818CC401;1613. (rerunfilecheck) Checksum: 64ACDA339F3877D1BEB5B5524019D5C5;1913.
Package biblatex Warning: Please (re)run Biber on the file:
(biblatex) document
(biblatex) and rerun LaTeX afterwards.
Package logreq Info: Writing requests to 'document.run.xml'. Package logreq Info: Writing requests to 'document.run.xml'.
\openout1 = `document.run.xml'. \openout1 = `document.run.xml'.
) )
Here is how much of TeX's memory you used: Here is how much of TeX's memory you used:
27378 strings out of 481209 27408 strings out of 481209
436516 string characters out of 5914747 437163 string characters out of 5914747
1175713 words of memory out of 5000000 1177845 words of memory out of 5000000
43783 multiletter control sequences out of 15000+600000 43800 multiletter control sequences out of 15000+600000
456974 words of font info for 103 fonts, out of 8000000 for 9000 457008 words of font info for 103 fonts, out of 8000000 for 9000
36 hyphenation exceptions out of 8191 36 hyphenation exceptions out of 8191
88i,11n,90p,1029b,3095s stack positions out of 5000i,500n,10000p,200000b,80000s 88i,11n,90p,1029b,3095s stack positions out of 5000i,500n,10000p,200000b,80000s
{/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc}</usr/share/texliv {/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc}</usr/share/texliv
e/texmf-dist/fonts/type1/public/txfonts/rtcxi.pfb></usr/share/texlive/texmf-dis e/texmf-dist/fonts/type1/public/txfonts/rtcxi.pfb></usr/share/texlive/texmf-dis
t/fonts/type1/public/txfonts/rtcxr.pfb></usr/share/texlive/texmf-dist/fonts/typ t/fonts/type1/public/txfonts/rtcxr.pfb></usr/share/texlive/texmf-dist/fonts/typ
e1/public/txfonts/rtxi.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/tx e1/public/txfonts/rtxb.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/tx
fonts/rtxr.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/t1xtt. fonts/rtxi.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/rtxr.p
pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/helvetic/uhvb8a.pfb></usr/sh fb></usr/share/texlive/texmf-dist/fonts/type1/public/txfonts/t1xtt.pfb></usr/sh
are/texlive/texmf-dist/fonts/type1/urw/helvetic/uhvr8a.pfb></usr/share/texlive/ are/texlive/texmf-dist/fonts/type1/urw/helvetic/uhvb8a.pfb></usr/share/texlive/
texmf-dist/fonts/type1/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/f texmf-dist/fonts/type1/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/f
onts/type1/urw/times/utmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/ onts/type1/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/u
times/utmbi8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.p rw/times/utmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a
fb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb> .pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on document.pdf (37 pages, 578756 bytes). Output written on document.pdf (40 pages, 593575 bytes).
PDF statistics: PDF statistics:
613 PDF objects out of 1000 (max. 8388607) 691 PDF objects out of 1000 (max. 8388607)
109 named destinations out of 1000 (max. 500000) 123 named destinations out of 1000 (max. 500000)
234 words of extra memory for PDF output out of 10000 (max. 10000000) 266 words of extra memory for PDF output out of 10000 (max. 10000000)

10
docs/document.lot
View File

@@ -13,6 +13,16 @@
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.4}{\ignorespaces Table showing eBPF registers and their purpose in the BPF VM.\cite {ebpf_inst_set}\cite {ebpf_starovo_slides}.\relax }}{13}{table.caption.17}% \contentsline {table}{\numberline {2.4}{\ignorespaces Table showing eBPF registers and their purpose in the BPF VM.\cite {ebpf_inst_set}\cite {ebpf_starovo_slides}.\relax }}{13}{table.caption.17}%
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.5}{\ignorespaces Table showing common fields for creating an eBPF map.\relax }}{15}{table.caption.18}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.6}{\ignorespaces Table showing types of eBPF maps. Only those used in our rootkit are displayed, the full list can be consulted in the man page \cite {bpf_syscall}\relax }}{15}{table.caption.19}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.7}{\ignorespaces Table showing types of syscall actions. Only those relevant to our research are shown the full list and attribute details can be consulted in the man page \cite {bpf_syscall}\relax }}{16}{table.caption.20}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.8}{\ignorespaces Table showing types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite {bpf_syscall}.\relax }}{17}{table.caption.21}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.9}{\ignorespaces Table showing common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite {ebpf_helpers}.\relax }}{18}{table.caption.22}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ } \addvspace {10\p@ }
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax
\addvspace {10\p@ } \addvspace {10\p@ }

14
docs/document.out
View File

@@ -11,12 +11,16 @@
\BOOKMARK [2][-]{subsection.2.1.2}{The\040BPF\040virtual\040machine}{section.2.1}% 11 \BOOKMARK [2][-]{subsection.2.1.2}{The\040BPF\040virtual\040machine}{section.2.1}% 11
\BOOKMARK [2][-]{subsection.2.1.3}{Analysis\040of\040a\040BPF\040filter\040program}{section.2.1}% 12 \BOOKMARK [2][-]{subsection.2.1.3}{Analysis\040of\040a\040BPF\040filter\040program}{section.2.1}% 12
\BOOKMARK [2][-]{subsection.2.1.4}{BPF\040bytecode\040instruction\040format}{section.2.1}% 13 \BOOKMARK [2][-]{subsection.2.1.4}{BPF\040bytecode\040instruction\040format}{section.2.1}% 13
\BOOKMARK [2][-]{subsection.2.1.5}{An\040example\040of\040BPF\040filter\040-\040tcpdump}{section.2.1}% 14 \BOOKMARK [2][-]{subsection.2.1.5}{An\040example\040of\040BPF\040filter\040with\040tcpdump}{section.2.1}% 14
\BOOKMARK [1][-]{section.2.2}{Analysis\040of\040modern\040eBPF}{chapter.2}% 15 \BOOKMARK [1][-]{section.2.2}{Analysis\040of\040modern\040eBPF}{chapter.2}% 15
\BOOKMARK [2][-]{subsection.2.2.1}{eBPF\040instruction\040set}{section.2.2}% 16 \BOOKMARK [2][-]{subsection.2.2.1}{eBPF\040instruction\040set}{section.2.2}% 16
\BOOKMARK [2][-]{subsection.2.2.2}{JIT\040compilation}{section.2.2}% 17 \BOOKMARK [2][-]{subsection.2.2.2}{JIT\040compilation}{section.2.2}% 17
\BOOKMARK [2][-]{subsection.2.2.3}{The\040eBPF\040verifier}{section.2.2}% 18 \BOOKMARK [2][-]{subsection.2.2.3}{The\040eBPF\040verifier}{section.2.2}% 18
\BOOKMARK [0][-]{chapter.3}{Methods??}{}% 19 \BOOKMARK [2][-]{subsection.2.2.4}{eBPF\040maps}{section.2.2}% 19
\BOOKMARK [0][-]{chapter.4}{Results}{}% 20 \BOOKMARK [2][-]{subsection.2.2.5}{The\040eBPF\040ring\040buffer}{section.2.2}% 20
\BOOKMARK [0][-]{chapter.5}{Conclusion\040and\040future\040work}{}% 21 \BOOKMARK [2][-]{subsection.2.2.6}{The\040bpf\(\)\040syscall}{section.2.2}% 21
\BOOKMARK [0][-]{chapter.5}{Bibliography}{}% 22 \BOOKMARK [2][-]{subsection.2.2.7}{eBPF\040helpers}{section.2.2}% 22
\BOOKMARK [0][-]{chapter.3}{Methods??}{}% 23
\BOOKMARK [0][-]{chapter.4}{Results}{}% 24
\BOOKMARK [0][-]{chapter.5}{Conclusion\040and\040future\040work}{}% 25
\BOOKMARK [0][-]{chapter.5}{Bibliography}{}% 26

BIN
docs/document.pdf
View File

Binary file not shown.

4
docs/document.run.xml
View File

@@ -41,7 +41,7 @@
> >
]> ]>
<requests version="1.0"> <requests version="1.0">
<internal package="biblatex" priority="9" active="0"> <internal package="biblatex" priority="9" active="1">
<generic>latex</generic> <generic>latex</generic>
<provides type="dynamic"> <provides type="dynamic">
<file>document.bcf</file> <file>document.bcf</file>
@@ -63,7 +63,7 @@
<file>english.lbx</file> <file>english.lbx</file>
</requires> </requires>
</internal> </internal>
<external package="biblatex" priority="5" active="0"> <external package="biblatex" priority="5" active="1">
<generic>biber</generic> <generic>biber</generic>
<cmdline> <cmdline>
<binary>biber</binary> <binary>biber</binary>

BIN
docs/document.synctex.gz
View File

Binary file not shown.

138
docs/document.tex
View File

@@ -431,7 +431,7 @@ BPF was introduced in 1992 by Steven McCanne and Van Jacobson in the paper "The
Figure \ref{fig:classif_bpf} shows how BPF was integrated in the existing network packet processing by the kernel. After receiving a packet via the Network Interface Controller (NIC) driver, it would first be analysed by BPF filters, which are programs directly developed by the user. This filter decides whether the packet is to be accepted by analysing the packet properties, such as its length or the type and values of its headers. If a packet is accepted, the filter proceeds to decide how many bytes of the original buffer are passed to the application at the user space. Otherwise, the packet is redirected to the original network stack, where it is managed as usual. Figure \ref{fig:classif_bpf} shows how BPF was integrated in the existing network packet processing by the kernel. After receiving a packet via the Network Interface Controller (NIC) driver, it would first be analysed by BPF filters, which are programs directly developed by the user. This filter decides whether the packet is to be accepted by analysing the packet properties, such as its length or the type and values of its headers. If a packet is accepted, the filter proceeds to decide how many bytes of the original buffer are passed to the application at the user space. Otherwise, the packet is redirected to the original network stack, where it is managed as usual.
\subsection{The BPF virtual machine} \label{section:bpf_vm} \subsection{The BPF virtual machine} \label{subsection:bpf_vm}
In a technical level, BPF comprises both the BPF filter programs developed by the user and the BPF module included in the kernel which allows for loading and running the BPF filters. This BPF module in the kernel works as a virtual machine\cite{bpf_bsd_origin_bpf_page1}, meaning that it parses and interprets the filter program by providing simulated components needed for its execution, turning into a software-based CPU. Because of this reason, it is usually referred as the BPF Virtual Machine (BPF VM). The BPF VM comprises the following components: In a technical level, BPF comprises both the BPF filter programs developed by the user and the BPF module included in the kernel which allows for loading and running the BPF filters. This BPF module in the kernel works as a virtual machine\cite{bpf_bsd_origin_bpf_page1}, meaning that it parses and interprets the filter program by providing simulated components needed for its execution, turning into a software-based CPU. Because of this reason, it is usually referred as the BPF Virtual Machine (BPF VM). The BPF VM comprises the following components:
\begin{itemize} \begin{itemize}
\item \textbf{An accumulator register}, used to store intermediate values of operations. \item \textbf{An accumulator register}, used to store intermediate values of operations.
@@ -442,7 +442,7 @@ In a technical level, BPF comprises both the BPF filter programs developed by th
\subsection{Analysis of a BPF filter program} \label{subsection:analysis_bpf_filter_prog} \subsection{Analysis of a BPF filter program} \label{subsection:analysis_bpf_filter_prog}
As we mentioned in section \ref{section:bpf_vm}, the components of the BPF VM are used to support running BPF filter programs. A BPF filter is implemented as a boolean function: As we mentioned in section \ref{subsection:bpf_vm}, the components of the BPF VM are used to support running BPF filter programs. A BPF filter is implemented as a boolean function:
\begin{itemize} \begin{itemize}
\item If it returns \textit{true}, the kernel copies the packet to the application. \item If it returns \textit{true}, the kernel copies the packet to the application.
\item If it returns \textit{false}, the packet is not accepted by the filter (and thus the network stack will be the next to operate it). \item If it returns \textit{false}, the packet is not accepted by the filter (and thus the network stack will be the next to operate it).
@@ -514,7 +514,7 @@ Figure \ref{fig:bpf_instructions} shows how BPF instructions are defined accordi
The column \textit{addr modes} in figure \ref{fig:bpf_instructions} describes how the parameters of a BPF instruction are referenced depending on the opcode. The address modes are detailed in figure \ref{fig:bpf_address_mode}. As it can be observed, paremeters may consist of immediate values, offsets to memory positions or on the packet, the index register or combinations of the previous. The column \textit{addr modes} in figure \ref{fig:bpf_instructions} describes how the parameters of a BPF instruction are referenced depending on the opcode. The address modes are detailed in figure \ref{fig:bpf_address_mode}. As it can be observed, paremeters may consist of immediate values, offsets to memory positions or on the packet, the index register or combinations of the previous.
\subsection{An example of BPF filter - \textit{tcpdump}} \subsection{An example of BPF filter with tcpdump}
At the time, by filtering packets before they are handled by the kernel instead of using an user-level application, BPF offered a performance improvement between 10 and 150 times the state-of-the art technologies of the moment\cite{bpf_bsd_origin_bpf_page1}. Since then, multiple popular tools began to use BPF, such as the network tracing tool \textit{tcpdump}\cite{tcpdump_page}. At the time, by filtering packets before they are handled by the kernel instead of using an user-level application, BPF offered a performance improvement between 10 and 150 times the state-of-the art technologies of the moment\cite{bpf_bsd_origin_bpf_page1}. Since then, multiple popular tools began to use BPF, such as the network tracing tool \textit{tcpdump}\cite{tcpdump_page}.
\textit{tcpdump} is a command-line tool that enables to capture and analyse the network traffic going through the system. It works by setting filters on a network interface, so that it shows the packets that are accepted by the filter. Still today, \textit{tcpdump} uses BPF for the filter implementation. We will now show an example of BPF code used by \textit{tcpdump} to implement a simple filter: \textit{tcpdump} is a command-line tool that enables to capture and analyse the network traffic going through the system. It works by setting filters on a network interface, so that it shows the packets that are accepted by the filter. Still today, \textit{tcpdump} uses BPF for the filter implementation. We will now show an example of BPF code used by \textit{tcpdump} to implement a simple filter:
@@ -652,9 +652,139 @@ These checks are performed by two main algorithms:
\end{itemize} \end{itemize}
\subsection{eBPF maps} \subsection{eBPF maps}
An eBPF map is a generic storage for eBPF programs used to share data between user and kernel space, to maintain persistent data between eBPF calls and to share information between multiple eBPF programs\cite{ebpf_maps_kernel}.
A map consists of a key + value tuple. Both fields can have an arbitrary data type, the map only needs to know the length of the key and the value field at its creation\cite{bpf_syscall}. Programs can lookup or delete elements in the map by specifying its key, and insert new ones by supplying the element value and they key to store it with.
Therefore, creating a map requires a struct with the following fields:
\begin{table}[H]
\begin{tabular}{|c|c|}
\hline
FIELD & VALUE\\
\hline
type & Type of eBPF map. Described in table \ref{table:ebpf_map_types}\\
key\_size & Size of the data structure to use as a key\\
value\_size & Size of the data structure to use as value field\\
max\_entries & Maximum number of elements in the map\\
\hline
\end{tabular}
\caption{Table showing common fields for creating an eBPF map.}
\label{table:ebpf_map_struct}
\end{table}
\begin{table}[H]
\begin{tabular}{|c|>{\centering\arraybackslash}p{10cm}|}
\hline
TYPE & DESCRIPTION\\
\hline
BPF\_MAP\_TYPE\_HASH & A hast table-like storage, elements are stored in tuples.\\
BPF\_MAP\_TYPE\_ARRAY & Elements are stored in an array.\\
BPF\_MAP\_TYPE\_RINGBUF & Map providing alerts from kernel to user space, covered in subsection \ref{subsection:bpf_ring_buf}\\
\hline
\end{tabular}
\caption{Table showing types of eBPF maps. Only those used in our rootkit are displayed, the full list can be consulted in the man page \cite{bpf_syscall}}
\label{table:ebpf_map_types}
\end{table}
Table \ref{table:ebpf_maps} describes the main types of eBPF maps that are available for use. During the development of our rootkit, we will mainly focus on hash maps (BPF\_MAP\_TYPE\_HASH), provided that they are simple to use and we do not require of any special storage for our research purposes.
\subsection{The eBPF ring buffer} \label{subsection:bpf_ring_buf}
eBPF ring buffers are a special kind of eBPF maps, providing a one-way directional communication system, going from an eBPF program in the kernel to an user space program that subscribes to its events.
%TODO DIAGRAM OF A TYPICAL RING BUFFER
\subsection{The bpf() syscall}
The bpf() syscall is used to issue commands from user space to kernel space in eBPF programs. This syscall is multiplexor, meaning that it can perform a great range of actions, changing its behaviour depending on the parameters.
The main operations that can be issued are described in table \ref{table:bpf_syscall}:
\begin{table}[H]
\begin{tabular}{|c|>{\centering\arraybackslash}p{5cm}|>{\centering\arraybackslash}p{5cm}|}
\hline
COMMAND & ATTRIBUTE & DESCRIPTION\\
\hline
\hline
BPF\_MAP\_CREATE & Struct with map info as defined in table \ref{table:ebpf_map_struct} & Create a new map\\
\hline
BPF\_MAP\_LOOKUP\_ELEM & Struct with key to search in the map & Get the element on the map with an specific key\\
\hline
BPF\_MAP\_UPDATE\_ELEM & Struct with key and new value & Update the element of an specific key with a new value\\
\hline
BPF\_MAP\_DELETE\_ELEM & Struct with key to search in the map & Delete the element on the map with an specific key\\
\hline
BPF\_PROG\_LOAD & Struct describing the type of eBPF program to load & Load an eBPF program in the kernel\\
\hline
\end{tabular}
\caption{Table showing types of syscall actions. Only those relevant to our research are shown the full list and attribute details can be consulted in the man page \cite{bpf_syscall}}
\label{table:ebpf_syscall}
\end{table}
With respect to the program type indicated with BPF\_PROG\_LOAD, this parameter indicates the type of eBPF program, setting the context in the kernel in which it will run, and to which modules it will have access to. The types of programs relevant for our research are described in table \ref{table:ebpf_prog_types}.
\begin{table}[H]
\begin{tabular}{|c|>{\centering\arraybackslash}p{5cm}|}
\hline
PROGRAM TYPE & DESCRIPTION\\
\hline
\hline
BPF\_PROG\_TYPE\_KPROBE & Program to instrument code to an attached kprobe\\
\hline
BPF\_PROG\_TYPE\_UPROBE & Program to instrument code to an attached uprobe\\
\hline
BPF\_PROG\_TYPE\_TRACEPOINT & Program to instrument code to a syscall tracepoint\\
\hline
BPF\_PROG\_TYPE\_XDP & Program to filter, redirect and monitor network events from the Xpress Data Path\\
\hline
BPF\_PROG\_TYPE\_SCHED\_CLS & Program to filter, redirect and monitor events using the Traffic Control classifier\\
\hline
\end{tabular}
\caption{Table showing types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite{bpf_syscall}.}
\label{table:ebpf_prog_types}
\end{table}
In section \ref{section:TODO}, we will proceed to analyse in detail the different program types and what capabilities` they offer.
\subsection{eBPF helpers}
Our last component to cover of the eBPF architecture are the eBPF helpers. Since eBPF programs have limited accessibility to kernel functions (which kernel modules commonly have free access to), the eBPF system offers a set of limited functions called helpers\cite{ebpf_helpers}, which are used by eBPF programs to perform certain actions and interact with the context on which they are run. The list of helpers a program can call varies between eBPF program types, since different programs run in different contexts.
It is important to highlight that, just like commands issued via the bpf() syscall can only be issued from the user space, eBPF helpers correspond to the kernel-side of eBPF program exclusively. Note that we will also find a symmetric correspondence to those functions of the bpf() syscall related to map operations (since these are accessible both from user and kernel space).
Table \ref{table:ebpf_helpers} lists the most relevant general-purpose eBPF helpers we will use during the development of our project. We will later detail those helpers exclusive to an specific eBPF program type in the sections on which they are studied.
\begin{table}[H]
\begin{tabular}{|c|>{\centering\arraybackslash}p{10cm}|}
\hline
eBPF helper & DESCRIPTION\\
\hline
\hline
bpf\_map\_lookup\_elem() & Query an element with a certain key in a map\\
\hline
bpf\_map\_delete\_elem() & Delete an element with a certain key in a map\\
\hline
bpf\_map\_update\_elem() & Update the value of the element with a certain key in a map\\
\hline
bpf\_probe\_read\_user() & Attempt to safely read data at an specific user address into a buffer\\
\hline
bpf\_probe\_read\_kernel() & Attempt to safely read data at an specific kernel address into a buffer\\
\hline
bpf\_trace\_printk() & Similarly to printk() in kernel modules, writes buffer in \/sys\/kernel\/debug\/tracing\/trace\_pipe\\
\hline
bpf\_get\_current\_pid\_tgid() & Get the process process id (PID) and thread group id (TGID)\\
\hline
bpf\_get\_current\_comm() & Get the name of the executable\\
\hline
bpf\_probe\_write\_user() & Attempt to write data at a user memory address\\
\hline
bpf\_override\_return() & Override return value of a probed function\\
\hline
bpf\_ringbuf\_submit() & Submit data to an specific eBPF ring buffer, and notify to subscribers\\
\hline
\end{tabular}
\caption{Table showing common eBPF helpers. Only those relevant to our research are shown. Those helpers exclusive to an specific program type are not listed. The full list and attribute details can be consulted in the man page \cite{ebpf_helpers}.}
\label{table:ebpf_helpers}
\end{table}

18
docs/document.toc
View File

@@ -27,7 +27,7 @@
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.1.4}BPF bytecode instruction format}{8}{subsection.2.1.4}% \contentsline {subsection}{\numberline {2.1.4}BPF bytecode instruction format}{8}{subsection.2.1.4}%
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.1.5}An example of BPF filter - \textit {tcpdump}}{10}{subsection.2.1.5}% \contentsline {subsection}{\numberline {2.1.5}An example of BPF filter with tcpdump}{10}{subsection.2.1.5}%
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {2.2}Analysis of modern eBPF}{11}{section.2.2}% \contentsline {section}{\numberline {2.2}Analysis of modern eBPF}{11}{section.2.2}%
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax
@@ -37,11 +37,19 @@
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.2.3}The eBPF verifier}{14}{subsection.2.2.3}% \contentsline {subsection}{\numberline {2.2.3}The eBPF verifier}{14}{subsection.2.2.3}%
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {3}Methods??}{16}{chapter.3}% \contentsline {subsection}{\numberline {2.2.4}eBPF maps}{15}{subsection.2.2.4}%
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {4}Results}{17}{chapter.4}% \contentsline {subsection}{\numberline {2.2.5}The eBPF ring buffer}{16}{subsection.2.2.5}%
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Conclusion and future work}{18}{chapter.5}% \contentsline {subsection}{\numberline {2.2.6}The bpf() syscall}{16}{subsection.2.2.6}%
\defcounter {refsection}{0}\relax \defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{19}{chapter.5}% \contentsline {subsection}{\numberline {2.2.7}eBPF helpers}{17}{subsection.2.2.7}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {3}Methods??}{19}{chapter.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {4}Results}{20}{chapter.4}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Conclusion and future work}{21}{chapter.5}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{22}{chapter.5}%
\contentsfinish \contentsfinish

8
docs/pdfa.xmpi
View File

@@ -73,15 +73,15 @@
</rdf:Description> </rdf:Description>
<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/">
<xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool> <xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool>
<xmp:ModifyDate>2022-05-26T08:37:14-04:00</xmp:ModifyDate> <xmp:ModifyDate>2022-05-26T15:20:31-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-05-26T08:37:14-04:00</xmp:CreateDate> <xmp:CreateDate>2022-05-26T15:20:31-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-05-26T08:37:14-04:00</xmp:MetadataDate> <xmp:MetadataDate>2022-05-26T15:20:31-04:00</xmp:MetadataDate>
</rdf:Description> </rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/"> <rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/">
</rdf:Description> </rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/">
<xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID> <xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID>
<xmpMM:InstanceID>uuid:4B646A0C-EF73-31AE-E3CE-25CCB1559897</xmpMM:InstanceID> <xmpMM:InstanceID>uuid:63BE8BF9-C164-486C-D049-AC9DA0AFDF0D</xmpMM:InstanceID>
</rdf:Description> </rdf:Description>
</rdf:RDF> </rdf:RDF>
</x:xmpmeta> </x:xmpmeta>