From 559136e92e668bad440667d3e77dc8fd827d8e82 Mon Sep 17 00:00:00 2001 From: h3xduck Date: Thu, 23 Jun 2022 14:04:48 -0400 Subject: [PATCH] FINAL VERSION --- docs/.gitignore | 1 + docs/bibliography/bibliography.bib | 201 +++++++++++++++++++++++++++-- docs/chapters/annex.tex | 8 +- docs/chapters/chapter2.tex | 28 ++-- docs/chapters/chapter3.tex | 6 +- docs/chapters/chapter4.tex | 8 +- docs/document.tex | 49 +++++-- docs/document.xmpdata | 6 + 8 files changed, 258 insertions(+), 49 deletions(-) create mode 100644 docs/document.xmpdata diff --git a/docs/.gitignore b/docs/.gitignore index 5c8a277..f60d406 100644 --- a/docs/.gitignore +++ b/docs/.gitignore @@ -3,6 +3,7 @@ bibliography/texput.log !.gitignore document.pdf !document.tex +!*.xmpdata !Makefile !original_template/ !images/ diff --git a/docs/bibliography/bibliography.bib b/docs/bibliography/bibliography.bib index d6116af..54fc93f 100644 --- a/docs/bibliography/bibliography.bib +++ b/docs/bibliography/bibliography.bib @@ -1,13 +1,15 @@ @report{ransomware_paloalto, institution = {Palo Alto Networks}, title = {Ransomware Threat Report 2022}, + urldate={2022-05-19}, url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/2022-unit42-ransomware-threat-report-final.pdf} }, @report{ransomware_pwc, institution = {PricewaterhouseCoopers}, title = {Cyber Threats 2021: A year in Retrospect}, - url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf} + url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf}, + urldate={2022-05-19} }, @report{rootkit_ptsecurity, 
@@ -18,15 +20,17 @@ }, @online{ebpf_linux318, - indextitle={eBPF incorporation in the Linux Kernel 3.18}, + title={eBPF incorporation in the Linux Kernel 3.18}, date={2014-12-07}, - url={https://kernelnewbies.org/Linux_3.18} + url={https://kernelnewbies.org/Linux_3.18}, + urldate={2022-05-19} }, @report{bvp47_report, institution = {Pangu Lab}, title = {Bvp47 Top-tier Backdoor of US NSA Equation Group}, date = {2022-02-23}, + urldate={2022-05-19}, url = {https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf} }, @@ -34,6 +38,7 @@ institution = {PricewaterhouseCoopers}, title = {Cyber Threats 2021: A year in Retrospect}, url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf}, + urldate={2022-05-20}, pages = {37} }, @@ -42,6 +47,7 @@ author = {Guillaume Fournier, Sylvain Afchain}, organization= {DEFCON 29}, eventtitle = {Cyber Threats 2021: A year in Retrospect}, + urldate={2022-05-22}, url = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf} }, @@ -49,6 +55,7 @@ institution = {Datadog}, author = {Guillaume Fournier, Sylvain Afchain}, organization= {DEFCON 29}, + urldate={2022-05-22}, page={23}, eventtitle = {Cyber Threats 2021: A year in Retrospect}, url = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf} 
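Review bot: The `eventtitle = {Cyber Threats 2021: A year in Retrospect}` context line in the `@@ -42,6 +47,7 @@` hunk is the title of the PwC report cited above it, not of the DEF CON 29 talk, and the same copy-pasted value sits on the sibling Fournier/Afchain entries touched by the hunks at `@@ -49,6 +55,7 @@`, `@@ -58,6 +65,7 @@`, `@@ -480,26 +553,31 @@` and `@@ -590,22 +679,26 @@`. The talk's own title is not stated anywhere in this file; the filename in the slide URL reads `eBPF, I thought we were friends`, which looks like it, so `eventtitle = {eBPF, I thought we were friends}` is the likely fix, to be confirmed against the DEF CON 29 programme. Since the commit already touches each of these entries to add `urldate`, correcting them together here is the natural place.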
@@ -58,6 +65,7 @@ institution = {Datadog}, author = {Guillaume Fournier, Sylvain Afchain}, organization= {DEFCON 29}, + urldate={2022-05-22}, page={54}, eventtitle = {Cyber Threats 2021: A year in Retrospect}, url = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf} @@ -66,12 +74,14 @@ @online{ebpf_friends_github, title={ebpfkit}, author = {Guillaume Fournier, Sylvain Afchain}, + urldate={2022-05-22}, url={https://github.com/Gui774ume/ebpfkit} }, @online{ebpf_friends_blackhat, title={With Friends Like eBPF, Who Needs Enemies?}, author={Guillaume Fournier, Sylvain Baubeau}, + urldate={2022-05-22}, date={2021-08-05}, url={https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-With-Friends-Like-EBPF-Who-Needs-Enemies.pdf} } @@ -79,6 +89,7 @@ @proceedings{evil_ebpf, institution = {NCC Group}, author = {Jeff Dileo}, + urldate={2022-05-22}, organization= {DEFCON 27}, eventtitle = {Evil eBPF Practical Abuses of an In-Kernel Bytecode Runtime}, url = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf} @@ -87,6 +98,7 @@ @online{evil_ebpf_github, institution = {NCC Group}, title = {Miscellaneous eBPF Tooling}, + urldate={2022-05-22}, url={https://github.com/nccgroup/ebpf} } @@ -94,6 +106,7 @@ institution={NCC Group}, author = {Jeff Dileo, Andy Olsen}, organization= {35C3}, + urldate={2022-05-22}, eventtitle = {Kernel Tracing With eBPF Unlocking God Mode on Linux}, url = {https://berlin-ak.ftp.media.ccc.de/congress/2018/slides-pdf/35c3-9532-kernel_tracing_with_ebpf.pdf} } @@ -101,6 +114,8 @@ @online{bad_ebpf, author = {Pat Hogan}, organization= {DEFCON 27}, + urldate={2022-05-22}, + date={2021-08-05}, eventtitle = {Bad BPF - Warping reality using eBPF}, url = {https://www.youtube.com/watch?v=g6SKWT7sROQ} }, 
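Review bot: In the `@@ -101,6 +114,8 @@` hunk the added `date={2021-08-05}` for `bad_ebpf` sits directly under `organization= {DEFCON 27}`, and the two do not agree: DEF CON 27 took place in 2019, while this file uses the same 2021-08-05 date for its DEF CON 29 / Black Hat 2021 material (`ebpf_friends_blackhat`). One of the two fields is wrong; if the talk is the 2021 one, the fix is `organization= {DEFCON 29}`. The `bad_ebpf_github` entry in the next hunk carries no date, so there is nothing there to cross-check against.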
@@ -108,16 +123,19 @@ @online{bad_ebpf_github, author={Pat Hogan}, title={Bad BPF}, + urldate={2022-05-22}, url={https://github.com/pathtofile/bad-bpf} } @online{ebpf_windows, title={eBPF incorporation in the Linux Kernel 3.18}, date={2014-12-07}, + urldate={2022-05-22}, url={https://kernelnewbies.org/Linux_3.18} }, @online{ebpf_android, title={eBPF for Windows}, + urldate={2022-05-22}, url={https://source.android.com/devices/architecture/kernel/bpf} }, @@ -127,6 +145,7 @@ title={The BSD Packet Filter: A New Architecture for User-level Packet Capture}, author={Steven McCanne, Van Jacobson}, institution={Lawrence Berkeley Laboratory}, + urldate={2022-05-24}, date={1992-12-19}, url={https://www.tcpdump.org/papers/bpf-usenix93.pdf} }, @@ -135,6 +154,7 @@ title={The BSD Packet Filter: A New Architecture for User-level Packet Capture}, author={Steven McCanne, Van Jacobson}, institution={Lawrence Berkeley Laboratory}, + urldate={2022-05-24}, date={1992-12-19}, url={https://www.tcpdump.org/papers/bpf-usenix93.pdf}, pages={1} @@ -144,6 +164,7 @@ title={The BSD Packet Filter: A New Architecture for User-level Packet Capture}, author={Steven McCanne, Van Jacobson}, institution={Lawrence Berkeley Laboratory}, + urldate={2022-05-24}, date={1992-12-19}, url={https://www.tcpdump.org/papers/bpf-usenix93.pdf}, pages={1} @@ -153,6 +174,7 @@ title={The BSD Packet Filter: A New Architecture for User-level Packet Capture}, author={Steven McCanne, Van Jacobson}, institution={Lawrence Berkeley Laboratory}, + urldate={2022-05-24}, date={1992-12-19}, url={https://www.tcpdump.org/papers/bpf-usenix93.pdf}, pages={5} @@ -162,6 +184,7 @@ title={The BSD Packet Filter: A New Architecture for User-level Packet Capture}, author={Steven McCanne, Van Jacobson}, institution={Lawrence Berkeley Laboratory}, + urldate={2022-05-24}, date={1992-12-19}, url={https://www.tcpdump.org/papers/bpf-usenix93.pdf}, pages={7} 
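Review bot: The `ebpf_windows` and `ebpf_android` entries in the `@@ -108,16 +123,19 @@` hunk only receive a `urldate`, but their content is crossed: `ebpf_windows` repeats the title, date and URL of `ebpf_linux318` (kernelnewbies.org), and `ebpf_android` carries `title={eBPF for Windows}` over a source.android.com URL. Any `\cite{ebpf_windows}` in the chapters will therefore print the Linux 3.18 reference, and `ebpf_android` will print a Windows title. The `ebpf_android` title should describe the Android page it links to, and `ebpf_windows` needs the eBPF-for-Windows project's own title and URL rather than the kernelnewbies copy; neither value is present in this file, so the entries need to be re-sourced rather than patched from what is here.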
@@ -171,6 +194,7 @@ title={The BSD Packet Filter: A New Architecture for User-level Packet Capture}, author={Steven McCanne, Van Jacobson}, institution={Lawrence Berkeley Laboratory}, + urldate={2022-05-24}, date={1992-12-19}, url={https://www.tcpdump.org/papers/bpf-usenix93.pdf}, pages={8} @@ -179,54 +203,64 @@ @online{ebpf_history_opensource, title={An intro to using eBPF to filter packets in the Linux kernel}, date={2017-08-11}, + urldate={2022-05-25}, url={https://opensource.com/article/17/9/intro-ebpf} }, @manual{ebpf_io, title={eBPF Documentation}, + urldate={2022-05-25}, url={https://ebpf.io/what-is-ebpf/} }, @manual{ebpf_io_arch, title={eBPF Documentation: Loader and verification architecture}, + urldate={2022-05-25}, url={https://ebpf.io/what-is-ebpf/#loader--verification-architecture} }, @manual{ebpf_io_verification, title={eBPF Documentation: Verification}, + urldate={2022-05-25}, url={https://ebpf.io/what-is-ebpf/#verification} }, @manual{index_register, title={Index register}, + urldate={2022-05-25}, url={https://gunkies.org/wiki/Index_register} } @online{bpf_organicprogrammer_analysis, title={Write a Linux packet sniffer from scratch: part two- BPF}, date={2022-03-28}, + urldate={2022-05-25}, url={https://organicprogrammer.com/2022/03/28/how-to-implement-libpcap-on-linux-with-raw-socket-part2/} }, @manual{tcpdump_page, title={Tcpdump and Libpcap}, + urldate={2022-05-25}, url={https://www.tcpdump.org} }, @manual{ebpf_funcs_by_ver, title={BPF features by Linux Kernel Version}, organization={iovisor}, + urldate={2022-05-25}, url={https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md} }, @book{brendan_gregg_bpf_book, title={BPF performance tools}, author={Brendan Gregg}, + urldate={2022-05-27}, url={https://www.oreilly.com/library/view/bpf-performance-tools/9780136588870/} }, @manual{ebpf_inst_set, title={eBPF instruction set}, + urldate={2022-05-27}, url={https://www.kernel.org/doc/html/latest/bpf/instruction-set.html} }, 
@@ -236,13 +270,15 @@ volume={2A}, pages={507}, urldate={2022-05-13}, + urldate={2022-05-27}, url={https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html} }, @proceedings{ebpf_starovo_slides, - title={BPF – in-kernel virtual machine}, + title={BPF - in-kernel virtual machine}, url={http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf}, date={2015-02-20}, + urldate={2022-05-27}, institution={PLUMgrid} }, @@ -250,6 +286,7 @@ title={BPF – in-kernel virtual machine}, url={http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf}, date={2015-02-20}, + urldate={2022-05-27}, institution={PLUMgrid}, pages={23} }, @@ -258,6 +295,7 @@ title={A JIT for packet filters}, url={https://lwn.net/Articles/437981/}, date={2011-04-12}, + urldate={2022-05-27}, author={Jonathan Corbet} }, @@ -267,6 +305,7 @@ institution={Netronome}, author={Jiong Wang}, date={2018-09-11}, + urldate={2022-05-27}, pages={13} }, @@ -275,6 +314,7 @@ url={https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf}, institution={Netronome}, author={Jiong Wang}, + urldate={2022-05-27}, date={2018-09-11}, pages={14} }, @@ -285,22 +325,26 @@ institution={Netronome}, author={Jiong Wang}, date={2018-09-11}, + urldate={2022-05-27}, pages={17-22} }, @book{brendan_gregg_bpf_book_bpf_vm, title={BPF performance tools}, author={Brendan Gregg}, + urldate={2022-05-27}, url={https://learning.oreilly.com/library/view/bpf-performance-tools/9780136588870/ch02.xhtml#:-:text=With%20JIT%20compiled%20code%2C%20i,%20other%20native%20kernel%20code} }, @manual{jit_enable_setting, title={bpf\_jit\_enable}, + urldate={2022-05-27}, url={https://sysctl-explorer.net/net/core/bpf_jit_enable/} }, @manual{ebpf_verifier_kerneldocs, title={eBPF verifier}, + urldate={2022-05-29}, url={https://kernel.org/doc/html/latest/bpf/verifier.html} }, 
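Review bot: The `@@ -236,13 +270,15 @@` hunk adds `urldate={2022-05-27}` immediately after an existing `urldate={2022-05-13}` line in the Intel SDM entry, so the new side declares the field twice; BibTeX/biber warn about the repeated field and silently use only one of the two, and a reader of the .bib cannot tell which date is meant. Drop one line, e.g. keep `urldate={2022-05-27}` if the later access date is the intended one. In the same hunk the en dash in `ebpf_starovo_slides` becomes `title={BPF - in-kernel virtual machine}`, yet the context line of the following `@@ -250,6 +286,7 @@` hunk shows the sibling entry still reading `BPF – in-kernel virtual machine`; whether the change is for encoding or consistency, both copies of the title should get it.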
@@ -308,43 +352,51 @@ title={Bounded loops in BPF for the 5.3 kernel}, url={https://lwn.net/Articles/794934/}, date={2019-06-30}, + urldate={2022-05-29}, author={Marta Rybczynska} }, @manual{ebpf_maps_kernel, title={eBPF maps}, + urldate={2022-05-29}, url={https://www.kernel.org/doc/html/latest/bpf/maps.html} }, @manual{ebpf_maps_rddocs, title={eBPF maps}, + urldate={2022-05-29}, url={https://prototype-kernel.readthedocs.io/en/latest/bpf/ebpf_maps.html} }, @manual{bpf_syscall, title={bpf(2)- Linux manual page}, + urldate={2022-05-29}, url={https://man7.org/linux/man-pages/man2/bpf.2.html} }, @manual{ebpf_helpers, title={bpf-helpers(7)- Linux manual page}, + urldate={2022-05-29}, url={https://man7.org/linux/man-pages/man7/bpf-helpers.7.html} }, @online{xdp_gentle_intro, title={A Gentle Introduction to XDP}, date={2022-02-03}, + urldate={2022-06-01}, url={https://www.seekret.io/blog/a-gentle-introduction-to-xdp/}, author={Daniel Lavie} }, @manual{xdp_manual, title={XDP actions}, + urldate={2022-06-01}, url={https://prototype-kernel.readthedocs.io/en/latest/networking/XDP/implementation/xdp_actions.html} }, @online{tc_differences, title={tc/BPF and XDP/BPF}, + urldate={2022-06-01}, url={https://liuhangbin.netlify.app/post/ebpf-and-xdp/}, date={2019-03-13}, author={Hangbin} @@ -354,11 +406,13 @@ title={Understanding tc “direct action” mode for BPF}, url={https://qmonnet.github.io/whirl-offload/2020/04/11/tc-bpf-direct-action/}, date={2020-04-11}, + urldate={2022-06-01}, author={Quentin Monnet} }, @online{tc_docs_complete, title={Traffic Control HOWTO}, + urldate={2022-06-01}, url={http://linux-ip.net/articles/Traffic-Control-HOWTO/}, author={Martin A. Brown}, date={2006-10-01} 
@@ -367,17 +421,20 @@ @online{tc_ret_list_complete, title={Linux kernel source tree}, url={https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/pkt_cls.h}, + urldate={2022-06-01}, indextitle={index : kernel/git/torvalds/linux.git} }, @manual{tp_kernel, title={Using the Linux Kernel Tracepoints}, + urldate={2022-06-01}, url={https://www.kernel.org/doc/html/latest/trace/tracepoints.html}, author={Mathieu Desnoyers} }, @manual{kprobe_manual, title={Kernel Probes (Kprobes)}, + urldate={2022-06-01}, author={Jim Keniston, Prasanna S Panchamukhi, Masami Hiramatsu}, url={https://www.kernel.org/doc/html/latest/trace/kprobes.html} }, @@ -386,38 +443,45 @@ title={kallsyms: new /proc/kallmodsyms with builtin modules and symbol sizes}, author={Nick Alcock}, date={2021-06-06}, + urldate={2022-06-01}, url={https://lwn.net/Articles/862021/} }, @online{bcc_github, title={BPF Compiler Collection (BCC)}, + urldate={2022-06-01}, url={https://github.com/iovisor/bcc} }, @online{libbpf_upstream, title={BPF next kernel tree}, + urldate={2022-06-01}, url={https://kernel.googlesource.com/pub/scm/linux/kernel/git/bpf/bpf-next} }, @online{libbpf_github, - indextitle={libbpf GitHub}, + title={libbpf GitHub}, + urldate={2022-06-01}, url={https://github.com/libbpf/libbpf} }, @online{libbpf_core, title={BPF Portability and CO-RE}, url={https://facebookmicrosites.github.io/bpf/blog/2020/02/19/bpf-portability-and-co-re.html}, + urldate={2022-06-01}, author={Andrii Nakryiko}, date={2020-02-19} }, @manual{ebpf_kernel_flags, title={Installing BCC: Kernel Configuration}, + urldate={2022-06-02}, url={https://github.com/iovisor/bcc/blob/master/INSTALL.md} }, @manual{ubuntu_caps, title={capabilities - overview of Linux capabilities}, + urldate={2022-06-02}, url={http://manpages.ubuntu.com/manpages/trusty/man7/capabilities.7.html} }, 
@@ -426,42 +490,50 @@ author = {Jeff Dileo}, organization= {DEFCON 27}, eventtitle = {Evil eBPF Practical Abuses of an In-Kernel Bytecode Runtime}, + urldate={2022-06-02}, url = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf}, pages={9} }, @online{ebpf_caps_intro, title={[PATCH v7 bpf-next 1/3] bpf, capability: Introduce CAP\_BPF}, + urldate={2022-06-02}, url={https://lore.kernel.org/bpf/20200513230355.7858-2-alexei.starovoitov@gmail.com/} }, @online{ebpf_caps_lwn, title={capability: introduce CAP\_BPF and CAP\_TRACING}, + urldate={2022-06-02}, url={https://lwn.net/Articles/797807/} }, @online{unprivileged_ebpf, title={Reconsidering unprivileged BPF}, + urldate={2022-06-03}, url={https://lwn.net/Articles/796328/} }, @online{cve_unpriv_ebpf, title={CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability}, + urldate={2022-06-03}, url={https://www.openwall.com/lists/oss-security/2022/01/11/4} }, @online{unpriv_ebpf_ubuntu, title={Unprivileged eBPF disabled by default for Ubuntu 20.04 LTS, 18.04 LTS, 16.04 ESM}, + urldate={2022-06-03}, url={https://discourse.ubuntu.com/t/unprivileged-ebpf-disabled-by-default-for-ubuntu-20-04-lts-18-04-lts-16-04-esm/27047} }, @online{unpriv_ebpf_redhat, title={CVE-2022-0002}, + urldate={2022-06-03}, url={https://access.redhat.com/security/cve/cve-2021-4001} }, @online{unpriv_ebpf_suse, title={Security Hardening: Use of eBPF by unprivileged users has been disabled by default}, + urldate={2022-06-03}, url={https://www.suse.com/support/kb/doc/?id=000020545} }, @@ -471,6 +543,7 @@ AMD64 Architecture Processor Supplement}, author={H.J. Lu et al.}, pages={148}, date={2018-01-28}, + urldate={2022-06-03}, url={https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf} }, 
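Review bot: In the `@@ -426,42 +490,50 @@` hunk the `unpriv_ebpf_redhat` entry keeps `title={CVE-2022-0002}` over `url={https://access.redhat.com/security/cve/cve-2021-4001}`, so the title and the advisory it points to name different CVE ids; the commit only adds `urldate` between them. For a security reference the cited id has to match the page, so the entry should be checked against the Red Hat advisory and the mismatching field corrected (`title={CVE-2021-4001}` if the URL is the intended one). The neighbouring `cve_unpriv_ebpf` entry, whose title and URL agree, is the pattern to follow.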
@@ -480,26 +553,31 @@ AMD64 Architecture Processor Supplement}, organization= {DEFCON 29}, eventtitle = {Cyber Threats 2021: A year in Retrospect}, url = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf}, + urldate={2022-06-03}, pages={15} }, @online{ebpf_override_return, title={BPF-based error injection for the kernel}, + urldate={2022-06-06}, url={https://lwn.net/Articles/740146/} }, @online{code_kernel_open, - indextitle={Linux kernel source code}, + title={Linux kernel source code}, + urldate={2022-06-06}, url={https://elixir.bootlin.com/linux/v5.11/source/fs/open.c#L1192} }, @online{code_kernel_syscall, - indextitle={Linux kernel source code}, + title={Linux kernel source code}, + urldate={2022-06-06}, url={https://elixir.bootlin.com/linux/v5.11/source/include/linux/syscalls.h#L233} }, @online{fault_injection, title={Injecting faults into the kernel}, + urldate={2022-06-06}, url={https://lwn.net/Articles/209257/}, date={2006-11-04} }, @@ -510,6 +588,7 @@ to Memory Management in Linux}, url={https://events19.linuxfoundation.org/wp-content/uploads/2017/12/MM-101-Introduction-to-Linux-Memory-Management-Christoph-Lameter-Jump-Trading-LLC-1.pdf}, date={2017-12-01}, author={Christopher Lameter}, + urldate={2022-06-06}, organization={The Linux Foundation Open Source Summit}, institution={Jump Trading LLC} }, @@ -517,6 +596,7 @@ to Memory Management in Linux}, @online{page_faults, title={Understanding page faults and memory swap-in/outs}, url={https://scoutapm.com/blog/understanding-page-faults-and-memory-swap-in-outs-when-should-you-worry}, + urldate={2022-06-06}, date={2019-08-19}, author={Doug Breaker} }, 
@@ -524,6 +604,7 @@ to Memory Management in Linux}, @online{mem_arch_proc, title={Stack-based Buffer Overflow - Part 1}, url={https://h3xduck.github.io/exploit/2021/05/23/stackbufferoverflow-part1.html}, + urldate={2022-06-06}, date={2021-05-23}, author={Marcos Sánchez Bajo} }, @@ -534,16 +615,19 @@ AMD64 Architecture Processor Supplement}, author={H.J. Lu et al.}, pages={18}, date={2018-01-28}, + urldate={2022-06-06}, url={https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf} }, @online{write_helper_non_fault, title={probe\_write\_common\_error}, + urldate={2022-06-06}, url={https://www.spinics.net/lists/bpf/msg16795.html} }, @online{code_vfs_read, - indextitle={Linux kernel source code}, + title={Linux kernel source code}, + urldate={2022-06-07}, url={https://elixir.bootlin.com/linux/v5.11/source/fs/read_write.c#L476} }, @@ -553,6 +637,7 @@ AMD64 Architecture Processor Supplement}, author={H.J. Lu et al.}, pages={19-22}, date={2018-01-28}, + urldate={2022-06-06}, url={https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf} }, @@ -560,6 +645,7 @@ AMD64 Architecture Processor Supplement}, title={The Network Layers Explained [with examples]}, author={Alienor}, date={2018-11-28}, + urldate={2022-06-08}, url={https://www.plixer.com/blog/network-layers-explained/} }, @@ -567,11 +653,13 @@ AMD64 Architecture Processor Supplement}, title={Transmission Control Protocol}, date={2022-04-19}, organization={IBM}, + urldate={2022-06-08}, url={https://www.ibm.com/docs/en/aix/7.2?topic=protocols-transmission-control-protocol} }, @online{tcp_handshake, title={Three-Way Handshake}, + urldate={2022-06-08}, url={https://www.sciencedirect.com/topics/computer-science/three-way-handshake} }, 
@@ -579,6 +667,7 @@ AMD64 Architecture Processor Supplement}, institution = {NCC Group}, author = {Jeff Dileo}, organization= {DEFCON 27}, + urldate={2022-06-08}, eventtitle = {Evil eBPF Practical Abuses of an In-Kernel Bytecode Runtime}, url = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf}, pages={69-74} @@ -590,22 +679,26 @@ AMD64 Architecture Processor Supplement}, organization= {DEFCON 29}, eventtitle = {Cyber Threats 2021: A year in Retrospect}, url = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf}, + urldate={2022-06-08}, pages={37} }, @online{rop_prog_finder, title={ROPgadget Tool}, + urldate={2022-06-08}, url={https://github.com/JonathanSalwan/ROPgadget} }, @online{glibc, title={The GNU C library}, + urldate={2022-06-08}, url={https://www.gnu.org/software/libc/} }, @online{plt_got_technovelty, title={PLT and GOT - the key to code sharing and dynamic libraries}, author={Ian Wienand}, + urldate={2022-06-08}, url={https://www.technovelty.org/linux/plt-and-got-the-key-to-code-sharing-and-dynamic-libraries.html}, date={2011-05-11} }, 
@@ -613,28 +706,33 @@ AMD64 Architecture Processor Supplement}, @online{plt_got_overlord, title={GOT and PLT for pwning.}, author={David Tomaschik}, + urldate={2022-06-08}, url={https://systemoverlord.com/2017/03/19/got-and-plt-for-pwning.html}, date={2017-03-19} }, @manual{elf, title={ELF}, + urldate={2022-06-08}, url={https://wiki.osdev.org/ELF} }, @online{pie_exploit, title={Position Independent Code}, + urldate={2022-06-08}, url={https://ir0nstone.gitbook.io/notes/types/stack/pie} }, @online{aslr_pie_intro, title={aslr/pie intro}, + urldate={2022-06-08}, url={https://guyinatuxedo.github.io/5.1-mitigation_aslr_pie/index.html#aslrpie-intro} }, @online{relro_redhat, title={Hardening ELF binaries using Relocation Read-Only (RELRO)}, author={Huzaifa Sidhpurwala}, + urldate={2022-06-08}, date={2019-01-28}, url={https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro} }, 
@@ -643,93 +741,109 @@ AMD64 Architecture Processor Supplement}, title={R.I.P ROP: CET Internals in Windows 20H1}, author={Yarden Shafir, Alex Ionescu}, date={2020-05-01}, + urldate={2022-06-08}, url={https://windows-internals.com/cet-on-windows/} }, @online{cet_linux, title={Another Round Of Intel CET Patches, Still Working Toward Linux Kernel Integration}, author={Michael Larabel}, + urldate={2022-06-08}, date={2021-07-21}, url={https://www.phoronix.com/scan.php?page=news_item&px=Intel-CET-v29} }, @online{canary_exploit, title={Stack Canaries}, + urldate={2022-06-08}, url={https://ir0nstone.gitbook.io/notes/types/stack/canaries} }, @online{rawtcp_lib, title={RawTCP\_Lib}, author={Marcos Sánchez Bajo}, + urldate={2022-06-10}, url={https://github.com/h3xduck/RawTCP_Lib} }, @manual{proc_fs, title={proc(5) — Linux manual page}, + urldate={2022-06-10}, url={https://man7.org/linux/man-pages/man5/proc.5.html} }, @online{proc_mem_write, title={enable writing to /proc/pid/mem}, + urldate={2022-06-12}, url={https://lwn.net/Articles/433326/} }, @online{reverse_shell, title={Reverse Shell}, + urldate={2022-06-12}, url={https://www.imperva.com/learn/application-security/reverse-shell/} }, @online{sudoers_man, title={die.net sudoers(5) - Linux man page}, + urldate={2022-06-13}, url={https://linux.die.net/man/5/sudoers} }, @online{syscall_reference, title={Linux Syscall Reference (64bit)}, + urldate={2022-06-13}, url={https://syscalls64.paolostivanin.com/} }, @online{code_kernel_execve, - indextitle={Linux kernel code}, + title={Linux kernel code}, + urldate={2022-06-13}, url={https://elixir.bootlin.com/linux/v5.11/source/fs/exec.c#L2054} }, @online{environ, title={How to Set and List Environment Variables in Linux}, - date={2021-06-03}, + date={2021-06-13}, url={https://linuxize.com/post/how-to-set-and-list-environment-variables-in-linux/} }, @online{execve_man, title={execve(2) — Linux manual page}, + urldate={2022-06-13}, 
url={https://man7.org/linux/man-pages/man2/execve.2.html} }, @online{bpf_probe_write_user_errors, title={[iovisor-dev] Accessing user memory and minor page faults}, date = {2017-08-06}, + urldate={2022-06-15}, url={https://lists.linuxfoundation.org/pipermail/iovisor-dev/2017-September/001035.html} }, @online{c_standard_main, title={Main function}, + urldate={2022-06-15}, url={https://en.cppreference.com/w/c/language/main_function} }, @online{busybox_argv, title={BusyBox Examples}, + urldate={2022-06-15}, url={https://en.wikipedia.org/wiki/BusyBox#Examples} }, @online{ips, title={What is an intrusion prevention system?}, organization={VMware}, + urldate={2022-06-16}, url={https://www.vmware.com/topics/glossary/content/intrusion-prevention-system.html} }, @online{port_knocking, title={Port Knocking -- Network Authentication Across Closed Ports}, author={Martin Krzywinski}, + urldate={2022-06-16}, url={https://www.muppetwhore.net/sysadmin/html/v12/i06/a2.htm} }, @@ -738,11 +852,13 @@ AMD64 Architecture Processor Supplement}, title = {Bvp47 Top-tier Backdoor of US NSA Equation Group}, date = {2022-02-23}, pages={49}, + urldate={2022-06-16}, url = {https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf} }, @online{pangu_lab, title={Welcome to Pangu Research Lab}, + urldate={2022-06-16}, url={https://pangukaitian.github.io/pangu/?lg=en} }, @@ -750,12 +866,14 @@ AMD64 Architecture Processor Supplement}, title={TFC 793}, institution={Information Sciences Institute, University of Southern California}, date={1981-09-01}, + urldate={2022-06-16}, url={https://datatracker.ietf.org/doc/html/rfc793} }, @online{tcp_syn_payload, title={TCP Fast Open: expediting web services}, date={2012-08-01}, + urldate={2022-06-16}, author={Michael Kerrisk}, url={https://lwn.net/Articles/508865/} }, 
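Review bot: The `title={TFC 793}` context line in the `@@ -750,12 +866,14 @@` hunk is a typo for the RFC the URL points to (`datatracker.ietf.org/doc/html/rfc793`); the hunk adds `urldate` to the entry without touching it. Change it to `title={RFC 793}`, or better the document's actual name, `title={RFC 793: Transmission Control Protocol}`, since the title is what the rendered bibliography shows.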
@@ -765,28 +883,33 @@ AMD64 Architecture Processor Supplement}, date={2011-10-01}, author={David Hucaby, David Garneau, Anthony Sequeira}, pages={436}, + urldate={2022-06-17}, url={https://books.google.es/books?id=-lvwaqFbIS8C&dq=syn+packet+firewall+ignore+payload} }, @online{hive_implant, title={(U) Hive Engineering Development Guide}, date = {2014-10-15}, + urldate={2022-06-17}, url={https://wikileaks.org/vault7/document/hive-DevelopersGuide/hive-DevelopersGuide.pdf} }, @online{crc, title={Cyclic redundancy check}, organization={Wikipedia}, + urldate={2022-06-17}, url={https://en.wikipedia.org/wiki/Cyclic_redundancy_check} }, @online{file_descriptors, title={File Descriptor}, + urldate={2022-06-17}, url={http://www.cse.cuhk.edu.hk/~ericlo/teaching/os/lab/11-FS/fd.html} }, @online{raw_sockets, title={raw(7) — Linux manual page}, + urldate={2022-06-18}, urlhttps://man7.org/linux/man-pages/man7/raw.7.html={} }, @@ -794,6 +917,7 @@ AMD64 Architecture Processor Supplement}, title={How To Add Jobs To cron Under Linux or UNIX}, date={2022-06-02}, author={Vivek Gite}, + urldate={2022-06-18}, url={https://www.cyberciti.biz/faq/how-do-i-add-jobs-to-cron-under-linux-or-unix-oses/} }, 
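Review bot: The `raw_sockets` entry in the `@@ -765,28 +883,33 @@` hunk carries a malformed field, `urlhttps://man7.org/linux/man-pages/man7/raw.7.html={}`, directly below the added `urldate={2022-06-18}`: the URL has been pasted into the field name, so the entry has no `url` at all and the new access date refers to nothing. It should read `url={https://man7.org/linux/man-pages/man7/raw.7.html}`. Depending on the backend this either drops the link silently or breaks the bibliography build, so it belongs in the same commit that adds the access date.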
@@ -801,32 +925,38 @@ AMD64 Architecture Processor Supplement}, title={Linux Jargon Buster: What are Daemons in Linux?}, date={2021-06-05}, author={Bill Dyer}, + urldate={2022-06-18}, url={https://itsfoss.com/linux-daemons/} }, @online{code_kernel_getdents64, - indextitle={Linux kernel source code}, + title={Linux kernel source code}, + urldate={2022-06-19}, url={https://elixir.bootlin.com/linux/v5.11/source/fs/readdir.c#L351} }, @online{getdents_man, title={getdents(2) — Linux manual page}, + urldate={2022-06-19}, url={https://man7.org/linux/man-pages/man2/getdents.2.html} }, @online{code_kernel_linux_dirent64, - indextitle={Linux kernel source code}, + title={Linux kernel source code}, + urldate={2022-06-19}, url={https://elixir.bootlin.com/linux/v5.11/source/include/linux/dirent.h#L5} }, @online{code_kerel_getdents_buffer_alignation, - indextitle={Linux kernel source code}, + title={Linux kernel source code}, + urldate={2022-06-19}, url={https://elixir.bootlin.com/linux/v5.11/source/fs/readdir.c#L313} }, @online{xcellerator_getdents, title={Linux Rootkits Part 6: Hiding Directories}, date={2020-09-19}, + urldate={2022-06-19}, author={TheXcellerator}, url={https://xcellerator.github.io/posts/linux_rootkits_06/} }, 
@@ -834,28 +964,33 @@ AMD64 Architecture Processor Supplement}, @online{embracethered_getdents, title={Offensive BPF: Understanding and using bpf\_probe\_write\_user}, date={2021-10-20}, + urldate={2022-06-19}, author={Johann Rehberger}, url={https://embracethered.com/blog/posts/2021/offensive-bpf-libbpf-bpf_probe_write_user/} }, @online{dtype_dirent, title={Format of a Directory Entry}, + urldate={2022-06-19}, url={https://www.gnu.org/software/libc/manual/html_node/Directory-Entries.html} }, @online{virtualbox_page, title={VirtualBox}, + urldate={2022-06-21}, url={https://www.virtualbox.org/} }, @online{bridged_networking, title={Bridgeg Networking}, + urldate={2022-06-21}, url={https://docs.oracle.com/en/virtualization/virtualbox/6.0/user/network_bridged.html} }, @online{nat_comptia, title={What Is NAT?}, institution={CompTIA}, + urldate={2022-06-21}, url={https://www.comptia.org/content/guides/what-is-network-address-translation} }, @@ -863,6 +998,7 @@ AMD64 Architecture Processor Supplement}, title={Increasing Linux kernel integrity}, author={Michael Boelen}, date={2015-05-12}, + urldate={2022-06-22}, url={https://linux-audit.com/increase-kernel-integrity-with-disabled-linux-kernel-modules-loading/} }, @@ -870,6 +1006,7 @@ AMD64 Architecture Processor Supplement}, title={Blackhat Academy}, author={Blackhat Academy}, date={2012-03-15}, + urldate={2022-06-22}, url={https://resources.infosecinstitute.com/topic/jynx2-sneak-peek-analysis/} }, @@ -878,6 +1015,7 @@ AMD64 Architecture Processor Supplement}, author={Sally Vandeven}, date={2014-03-26}, pages={18-19}, + urldate={2022-06-22}, url={https://www.giac.org/paper/gcia/8751/rootkit-detection-ossec/126976} }, @@ -886,6 +1024,7 @@ AMD64 Architecture Processor Supplement}, Userland Linux Rootkits}, pages={3-6}, date={2022-03-13}, + urldate={2022-06-22}, url={https://www.bsidesdub.ie/past/media/2022/darren_martyn_userland_linux_rootkits.pdf} }, 
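Review bot: `title={Bridgeg Networking}` in the `@@ -834,28 +964,33 @@` hunk (entry `bridged_networking`) is a typo that the added `urldate` line sits right under; the entry key and the `network_bridged.html` URL both say bridged, so `title={Bridged Networking}` is the fix. Worth folding into this commit since it already edits the entry.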
@@ -894,59 +1033,70 @@ Userland Linux Rootkits}, Userland Linux Rootkits}, pages={23-27}, date={2022-03-13}, + urldate={2022-06-22}, url={https://www.bsidesdub.ie/past/media/2022/darren_martyn_userland_linux_rootkits.pdf} }, @online{jynx_github, title={Jynx-kit}, author={BlackHatAcademy.org}, + urldate={2022-06-22}, url={https://github.com/chokepoint/jynxkit} }, @online{jynx2_github, title={Jynx-kit (2)}, author={BlackHatAcademy.org}, + urldate={2022-06-22}, url={https://github.com/chokepoint/Jynx2} }, @online{azazel_github, title={Azazel}, + urldate={2022-06-22}, url={https://github.com/chokepoint/azazel} }, @online{azazel_wiki, title={Azazel}, + urldate={2022-06-22}, url={https://web.archive.org/web/20141102234744/http://blackhatlibrary.net/Azazel#Hooking_Methods} }, @online{ld_preload_detect, title={Linux Attack Techniques: Dynamic Linker Hijacking with LD Preload}, date={2022-05-18}, + urldate={2022-06-22}, url={https://www.cadosecurity.com/linux-attack-techniques-dynamic-linker-hijacking-with-ld-preload/} }, @online{suckit_rootkit, - indextitle={SucKIT rootkit}, + title={SucKIT rootkit}, + urldate={2022-06-22}, url={https://github.com/CSLDepend/exploits/blob/master/Rootkit_tools/suckit2priv.tar.gz} }, @online{suckit_lasamhna, title={Linux Kernel Rootkits}, + urldate={2022-06-22}, url={https://www.la-samhna.de/library/rootkits/basics.html#FLOW} }, @online{dev_kmem, title={kmem(4) - Linux man page}, + urldate={2022-06-22}, url={https://linux.die.net/man/4/kmem} }, @online{dev_kmem_debian, title={mem(4)}, + urldate={2022-06-22}, url={https://manpages.debian.org/buster-backports/manpages/port.4.en.html} }, @online{dev_kmem_off_default, title={Change CONFIG\_DEVKMEM default value to n}, + urldate={2022-06-22}, url={https://lore.kernel.org/all/20161007035719.GB17183@kroah.com/T/} }, 
@@ -958,17 +1108,20 @@ Userland Linux Rootkits}, @online{incibe_rootkit_lkm, title={Malware in Linux: Kernel-mode-rootkits}, author={Antonio López}, + urldate={2022-06-22}, date={2015-03-26}, url={https://www.incibe-cert.es/en/blog/kernel-rootkits-en} }, @online{reptile_github, title={Reptile}, + urldate={2022-06-22}, url={https://github.com/f0rb1dd3n/Reptile} }, @online{usermode_helper_lkm, title={call\_usermodehelper, Module Loading}, + urldate={2022-06-22}, url={https://www.kernel.org/doc/htmldocs/kernel-api/API-call-usermodehelper.html} }, @@ -976,17 +1129,20 @@ Userland Linux Rootkits}, title={RASP rings in a new Java application security paradigm}, author={Hussein Badakhchani}, date={2016-10-20}, + urldate={2022-06-22}, url={https://www.infoworld.com/article/3125515/rasp-rings-in-a-new-java-application-security-paradigm.html} }, @online{sql_injection, title={SQL Injection}, + urldate={2022-06-22}, url={https://www.w3schools.com/sql/sql_injection.asp} }, @online{boopkit, title={Boopkit}, author={Kris Nóva}, + urldate={2022-06-22}, url={https://github.com/kris-nova/boopkit} }, @@ -994,12 +1150,14 @@ Userland Linux Rootkits}, title={Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat}, institution={The BlackBerry Research & Intelligence Team}, date={2022-06-09}, + urldate={2022-06-22}, url={https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat} }, @online{pentest_redteam, title={Penetration Test vs. Red Team Assessment: The Age Old Debate of Pirates vs. Ninjas Continues}, date={2016-06-23}, + urldate={2022-06-22}, author={Kirk Hayes}, url={https://www.rapid7.com/blog/post/2016/06/23/penetration-testing-vs-red-teaming-the-age-old-debate-of-pirates-vs-ninja-continues/} }, 
@@ -1007,6 +1165,7 @@ Userland Linux Rootkits}, @online{nist_cyber, title={Framework for Improving Critical Infrastructure Cybersecurity}, date={2018-04-16}, + urldate={2022-06-22}, institution={National Institute of Standards and Technology}, url={https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf} }, 
@@ -1014,71 +1173,84 @@ Userland Linux Rootkits}, @online{mitre_blog, title={ATT\&CK 101}, author={Blake Strom}, + urldate={2022-06-22}, date={2018-08-21}, url={https://medium.com/mitre-attack/att-ck-101-17074d3bc62} }, @online{mitre_blog_2, title={What Is the MITRE ATT\&CK Framework?}, + urldate={2022-06-22}, url={https://www.trellix.com/en-us/security-awareness/cybersecurity/what-is-mitre-attack-framework.html} }, @online{mitre_matrix_linux, title={ATT\&CK Matrix for Enterprise}, + urldate={2022-06-22}, url={https://attack.mitre.org/matrices/enterprise/linux/} }, @online{glass_analyst, title={Cyber Security Analist salary in Madrid}, + urldate={2022-06-22}, url={https://www.glassdoor.es/Sueldos/madrid-cyber-security-analyst-sueldo-SRCH_IL.0,6_IM1030_KO7,29.htm} }, @online{glass_manager, title={Project Manager salary in Madrid}, + urldate={2022-06-22}, url={https://www.glassdoor.es/Sueldos/madrid-project-manager-sueldo-SRCH_IL.0,6_IM1030_KO7,22.htm?clickSource=searchBtn} }, @online{glass_programmer, title={Programmer salary in Madrid}, + urldate={2022-06-22}, url={https://www.glassdoor.es/Sueldos/madrid-programmer-sueldo-SRCH_IL.0,6_IM1030_KO7,17.htm?clickSource=searchBtn} }, @online{ebpfkit_monitor_github, title={ebpfkit-monitor}, author = {Guillaume Fournier, Sylvain Afchain}, + urldate={2022-06-22}, url={https://github.com/Gui774ume/ebpfkit-monitor} }, @online{lkm_signing, title={Kernel module signing facility}, + urldate={2022-06-22}, url={https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html} }, @online{bpf_signing, title={Toward signed BPF programs}, author={Jonathan Corbet}, + urldate={2022-06-22}, date={2021-04-22}, url={https://lwn.net/Articles/853489/} }, @online{arch_linux_sign, title={Signed kernel modules}, + urldate={2022-06-22}, url={https://wiki.archlinux.org/title/Signed_kernel_modules} }, @online{triplecross_github, title={TripleCross}, + urldate={2022-06-23}, author={Marcos Sánchez Bajo}, 
url={https://github.com/h3xduck/TripleCross} }, @online{repo_simple_timer, title={simple\_timer.c}, + urldate={2022-06-23}, url={https://github.com/h3xduck/TripleCross/blob/master/src/helpers/simple_timer.c} }, @online{repo_execve_hijack, title={simple\_timer.c}, + urldate={2022-06-23}, url={https://github.com/h3xduck/TripleCross/blob/master/src/helpers/execve_hijack.c} }, @@ -1086,6 +1258,7 @@ Userland Linux Rootkits}, title={What is a downgrade attack and how to prevent it}, author={Borislav Kiprin}, date={2022-04-18}, + urldate={2022-06-23}, url={https://crashtest-security.com/downgrade-attack/} } diff --git a/docs/chapters/annex.tex b/docs/chapters/annex.tex index 11c3185..cd73766 100644 --- a/docs/chapters/annex.tex +++ b/docs/chapters/annex.tex @@ -5,10 +5,9 @@ % %Including bpftool commands here to be referenced. Is it a good idea? - -\chapter* {Appendix A - Bpftool commands} \label{annex:bpftool_flags_kernel} +\appendix +\chapter* {Appendix A - eBPF-related kernel compilation flags} \label{annex:bpftool_flags_kernel} \pagenumbering{gobble} % Las páginas de los anexos no se numeran -\section*{eBPF-related kernel compilation flags} \begin{lstlisting}[language=bash] $ bpftool feature \end{lstlisting} @@ -50,9 +49,8 @@ CONFIG_HZ is set to 250 \end{verbatim} -\chapter* {Appendix B - Readelf commands} \label{annex:readelf_commands} +\chapter* {Appendix B - Section headers in ELF file} \label{annex:readelf_commands} \pagenumbering{gobble} % Las páginas de los anexos no se numeran -\section*{Section headers in ELF file} \label{annexsec:readelf_sec_headers} \begin{lstlisting}[language=bash, caption={List of ELF section headers with readelf tool of a program compiled with GCC.}, label={code:elf_sections}] $ readelf -S simple_timer There are 36 section headers, starting at offset 0x4120: diff --git a/docs/chapters/chapter2.tex b/docs/chapters/chapter2.tex index 918274b..93e1ebc 100644 --- a/docs/chapters/chapter2.tex +++ b/docs/chapters/chapter2.tex 
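Review bot: `@online{repo_execve_hijack, title={simple\_timer.c}, ...}` repeats the title of the preceding repo_simple_timer entry while its url ends in execve_hijack.c, so the bibliography will list two entries named simple_timer.c; the line should be `title={execve\_hijack.c},`. Earlier in the same hunk, `title={Cyber Security Analist salary in Madrid},` in glass_analyst should read `Analyst`, as the entry key already spells it.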
@@ -352,7 +352,7 @@ BPF\_PROG\_TYPE\_XDP & Program to filter, redirect and monitor network events fr BPF\_PROG\_TYPE\_SCHED\_CLS & Program to filter, redirect and monitor events using the Traffic Control classifier\\ \hline \end{tabular} -\caption{Types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite{bpf_syscall}.} +\caption{Relevant types of eBPF programs. Full list and attribute details can be consulted in the man page \cite{bpf_syscall}.} \label{table:ebpf_prog_types} \end{table} @@ -396,7 +396,7 @@ bpf\_ringbuf\_submit() & Submit data to an specific eBPF ring buffer, and notify bpf\_tail\_call() & Jump to another eBPF program preserving the current stack\\ \hline \end{tabular} -\caption{Relevant common eBPF helpers. Those helpers exclusive to an specific program type are not listed. Full list and attribute details can be consulted in the man page \cite{ebpf_helpers}.} +\caption{Relevant common eBPF helpers. Helpers exclusive to an specific program type are not listed. Full list and attribute details can be consulted in the man page \cite{ebpf_helpers}.} \label{table:ebpf_helpers} \end{table} 
@@ -625,25 +625,25 @@ As we have shown in Section \ref{section:modern_ebpf}, eBPF has been an active p \textbf{FLAG} & \textbf{VALUE} & \textbf{DESCRIPTION}\\ \hline \hline -\multicolumn{1}{|c|}{CONFIG\_BPF} & \multicolumn{1}{|c|}{y} & \multirow{2}{*}{Basic BPF compilation (mandatory)}\\ +\multicolumn{1}{|c|}{CONFIG\_BPF} & \multicolumn{1}{c|}{y} & \multirow{2}{*}{Basic BPF compilation (mandatory)}\\ \cline{1-2} -\multicolumn{1}{|c|}{CONFIG\_BPF\_SYSCALL} & \multicolumn{1}{|c|}{m} & \\ +\multicolumn{1}{|c|}{CONFIG\_BPF\_SYSCALL} & \multicolumn{1}{c|}{m} & \\ \hline -\multicolumn{1}{|c|}{CONFIG\_NET\_ACT\_BPF} & \multicolumn{1}{|c|}{m} & \multirow{2}{*}{Traffic Control functionality}\\ +\multicolumn{1}{|c|}{CONFIG\_NET\_ACT\_BPF} & \multicolumn{1}{c|}{m} & \multirow{2}{*}{Traffic Control functionality}\\ \cline{1-2} -\multicolumn{1}{|c|}{CONFIG\_NET\_CLS\_BPF} & \multicolumn{1}{|c|}{y} & \\ +\multicolumn{1}{|c|}{CONFIG\_NET\_CLS\_BPF} & \multicolumn{1}{c|}{y} & \\ \hline -\multicolumn{1}{|c|}{CONFIG\_BPF\_JIT} & \multicolumn{1}{|c|}{y} & \multirow{2}{*}{Enable JIT compliation}\\ +\multicolumn{1}{|c|}{CONFIG\_BPF\_JIT} & \multicolumn{1}{c|}{y} & \multirow{2}{*}{Enable JIT compliation}\\ \cline{1-2} -\multicolumn{1}{|c|}{CONFIG\_HAVE\_BPF\_JIT} & \multicolumn{1}{|c|}{y} & \\ +\multicolumn{1}{|c|}{CONFIG\_HAVE\_BPF\_JIT} & \multicolumn{1}{c|}{y} & \\ \hline -\multicolumn{1}{|c|}{CONFIG\_BPF\_EVENTS} & \multicolumn{1}{|c|}{y} & \multirow{4}{*}{Enable kprobes, uprobes and tracepoints}\\ +\multicolumn{1}{|c|}{CONFIG\_BPF\_EVENTS} & \multicolumn{1}{c|}{y} & \multirow{4}{*}{Enable kprobes, uprobes and tracepoints}\\ \cline{1-2} -\multicolumn{1}{|c|}{CONFIG\_KPROBE\_EVENTS} & \multicolumn{1}{|c|}{y} & \\ +\multicolumn{1}{|c|}{CONFIG\_KPROBE\_EVENTS} & \multicolumn{1}{c|}{y} & \\ \cline{1-2} -\multicolumn{1}{|c|}{CONFIG\_UPROBE\_EVENTS} & \multicolumn{1}{|c|}{y} & \\ +\multicolumn{1}{|c|}{CONFIG\_UPROBE\_EVENTS} & \multicolumn{1}{c|}{y} & \\ \cline{1-2} 
-\multicolumn{1}{|c|}{CONFIG\_TRACING} & \multicolumn{1}{|c|}{y} & \\ +\multicolumn{1}{|c|}{CONFIG\_TRACING} & \multicolumn{1}{c|}{y} & \\ \hline CONFIG\_XDP\_SOCKETS & y & Enable XDP\\ \hline @@ -652,7 +652,7 @@ CONFIG\_XDP\_SOCKETS & y & Enable XDP\\ \label{table:ebpf_kernel_flags} \end{table} -Table \ref{table:ebpf_kernel_flags} is based on BCC's documentation, but the full list of eBPF-related flags can be extracted in a live system via bpftool, as detailed in Annex \ref{annex:bpftool_flags_kernel}. Nowadays, all mainstream Linux distributions include kernels with full support for eBPF. +Table \ref{table:ebpf_kernel_flags} is based on BCC's documentation, but the full list of eBPF-related flags can be extracted in a live system via bpftool, as detailed in \nameref{annex:bpftool_flags_kernel}. Nowadays, all mainstream Linux distributions include kernels with full support for eBPF. \subsection{Access control} \label{subsection:access_control} @@ -1066,7 +1066,7 @@ GDB-peda & The Python Exploit Development Assistance for GDB, allows for multipl Firstly, we will analyse the main sections we can find in an ELF executable. We will approach this study using a sample program that has been compiled using Clang/LLVM, and that consists on a simple timer that counts twice up to number 3, available at our repository \cite{repo_simple_timer}. -The commands used for this analysis and complete list of headers can be found in Annex \ref{annexsec:readelf_sec_headers}. The most relevant sections we found at the program are described in Table \ref{table:elf_sec_headers}: +The commands used for this analysis and complete list of headers can be found in \nameref{annex:readelf_commands}. The most relevant sections we found at the program are described in Table \ref{table:elf_sec_headers}: \begin{table}[htbp] \begin{tabular}{|>{\centering\arraybackslash}p{1cm}|>{\centering\arraybackslash}p{9cm}|>{\centering\arraybackslash}p{2cm}|} 
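Review bot: The new line `\multicolumn{1}{|c|}{CONFIG\_BPF\_JIT} & \multicolumn{1}{c|}{y} & \multirow{2}{*}{Enable JIT compliation}\\` keeps the typo `compliation`; since this hunk already rewrites every row of the table, the cell should become `{Enable JIT compilation}` in the same change.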
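Review bot: The new `\nameref{annex:bpftool_flags_kernel}` (and `\nameref{annex:readelf_commands}` in the -1066 hunk of this file, plus the two in chapter4.tex) relies on the nameref package, which hyperref loads; none of the document.tex hunks in this patch show hyperref or nameref being loaded, so please confirm it is already in the preamble or add `\usepackage{nameref}` there. Replacing `\ref` with `\nameref` is the right move for `\chapter*` headings, since the label after a starred chapter would otherwise resolve to whatever counter was stepped last.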
diff --git a/docs/chapters/chapter3.tex b/docs/chapters/chapter3.tex index d77188e..1f80e98 100644 --- a/docs/chapters/chapter3.tex +++ b/docs/chapters/chapter3.tex @@ -78,7 +78,7 @@ By observing the value of the registers, we can extract the parameters of the or \begin{table}[H] \begin{tabular}{|>{\centering\arraybackslash}p{2cm}|>{\centering\arraybackslash}p{3cm}|} \hline -\multicolumn{2}{|c|}{User interface}\\ +\multicolumn{2}{|c|}{\textbf{USER INTERFACE}}\\ \hline \textbf{REGISTER} & \textbf{PURPOSE}\\ \hline @@ -101,9 +101,9 @@ rax & Return value\\ \quad \begin{tabular}{|>{\centering\arraybackslash}p{2cm}|>{\centering\arraybackslash}p{3cm}|} \hline -\multicolumn{2}{|c|}{Kernel interface}\\ +\multicolumn{2}{|c|}{\textbf{KERNEL INTERFACE}}\\ \hline -Register & Purpose\\ +\textbf{REGISTER} & \textbf{PURPOSE}\\ \hline \hline rdi & 1st argument\\ diff --git a/docs/chapters/chapter4.tex b/docs/chapters/chapter4.tex index d747ca8..75e0690 100644 --- a/docs/chapters/chapter4.tex +++ b/docs/chapters/chapter4.tex 
@@ -310,13 +310,13 @@ Once we know the address of the functions we want our shellcode to call, we can \item Restore the original value of the registers, and jump back to the original system call which the glibc function intended to call. \end{enumerate} -The complete developed shellcode and its opcodes can be found in Appendix \ref{annex:shellcode}. +The complete developed shellcode and its opcodes can be found in \nameref{annex:shellcode}. \textbf{Stage 3: Injecting shellcode in a code cave}\\ Once we have developed our shellcode, and before overwriting the value of GOT, we need to find a memory section where to write our shellcode, so that we can executing the necessary instructions to inject our malicious library. This area must be large enough to fit our shellcode, and it must be marked as executable. -Because of DEP/NX, we cannot use the stack for executing code. On top of that, as we can observe in the section header dump at Appendix \ref{annexsec:readelf_sec_headers}, for security reasons all sections are nowadays marked either writeable or executable, but never both simultaneously. +Because of DEP/NX, we cannot use the stack for executing code. On top of that, as we can observe in the section header dump at \nameref{annex:readelf_commands}, for security reasons all sections are nowadays marked either writeable or executable, but never both simultaneously. Therefore, we will use the proc filesystem which we introduced in Section \ref{section:proc_filesystem}. By using the file under \textit{/proc//maps}, we will easily identify the address range of those memory sections marked as executable, and by using the file \textit{/proc//mem}, we will write our shellcode into that memory section, bypassing the absence of a write flag. 
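Review bot: The context paragraph right after the changed line refers to `\textit{/proc//maps}` and `\textit{/proc//mem}` with an empty path component where the process id belongs; a literal `<pid>` in text mode would not typeset as such either, so write it as `\textit{/proc/\textless pid\textgreater/maps}` and the same for mem. This could also be an artefact of how the diff was rendered here, so check the source file before editing. The paragraph continues past the end of the hunk, so the rest of it is not visible in this review.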
@@ -1470,6 +1470,8 @@ SECRETDIR & DT\_REG (4) & Secret directory where the rootkit hides its files.\\ % Just ran out of time to implement this case properly, realized too late this was a thing. Still mentioning it here Also, it is of interest to study what would happen if the directory entry to hide was not in the middle of the buffer, but rather it was the first one to be written. In this case, we cannot modify the d\_reclen of the previous entry to trick the user into skipping an entry. In order to illustrate this case, we are providing another technique (although this functionality is not available in the rootkit currently). Figure \ref{fig:getdents_firstentry} illustrates this alternative process. +As we can observe in the figure, this technique is based on removing the directory entry completely and overwriting it with all of the subsequent entries. After this change, only the return value of the system call would need to be changed (since now the buffer is shorter). + \begin{figure}[htbp] \centering \includegraphics[width=15cm]{getdents_firstentry.png} @@ -1477,5 +1479,5 @@ Also, it is of interest to study what would happen if the directory entry to hid \label{fig:getdents_firstentry} \end{figure} -As we can observe in the figure, this technique is based on removing the directory entry completely and overwriting it with all of the subsequent entries. After this change, only the return value of the system call would need to be changed (since now the buffer is shorter), + diff --git a/docs/document.tex b/docs/document.tex index 9f3b6d5..8bc3f88 100644 --- a/docs/document.tex +++ b/docs/document.tex 
@@ -47,15 +47,23 @@ hmargin=3cm \usepackage{fancyhdr} \usepackage{tikz} + % FOOTER -\pagestyle{fancy} +\fancypagestyle{fancy}{ \fancyhf{} \renewcommand{\headrulewidth}{1pt} \fancyhead{} \fancyhead[LO]{CHAPTER \thechapter} \fancyhead[RO]{\rightmark} \rfoot{\thepage} -\fancypagestyle{plain}{\pagestyle{fancy}} +} + +\fancypagestyle{plain}{ + %\fancyhf{} + \pagestyle{plainnofancy} + %\renewcommand{\headrulewidth}{0pt} +} + \fancypagestyle{plainnofancy}% {% \fancyhf{} @@ -73,6 +81,14 @@ hmargin=3cm \renewcommand{\footrulewidth}{0pt} } + + + +%% +\pagestyle{plainnofancy} + + + % TITLES \usepackage{titlesec} \usepackage{titletoc} @@ -189,7 +205,7 @@ hmargin=3cm \renewcommand{\lstlistingname}{\uppercase{Code}} % IEEE BIBLIOGRAPHY -\usepackage[backend=biber, style=ieee, isbn=false,sortcites, maxbibnames=5, minbibnames=1]{biblatex} +\usepackage[backend=biber, style=ieee, isbn=false,sortcites, maxbibnames=5, minbibnames=1 ]{biblatex} \addbibresource{bibliography/bibliography.bib} 
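Review bot: The new `\fancypagestyle{plain}{...}` body keeps two commented-out lines, `%\fancyhf{}` and `%\renewcommand{\headrulewidth}{0pt}`, around the single live statement `\pagestyle{plainnofancy}`; either drop them, `\fancypagestyle{plain}{\pagestyle{plainnofancy}}`, or give plain the same settings as plainnofancy directly, so the next reader does not have to guess which was intended. As far as I can tell the forward reference is fine because the body only runs when the plain style is selected, and plainnofancy is defined further down in this hunk. The `% FOOTER` comment now heads a block that also sets `\headrulewidth` and both `\fancyhead` fields, so `% HEADERS AND FOOTER` would describe it, and the `\fancypagestyle{fancy}{...}` redefinition of fancyhdr's own default style deserves a one-line comment saying it is deliberate.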
@@ -279,9 +295,20 @@ technology also available by default in most distributions. It is intended for b % DEDICATION %---------- \chapter*{Dedication} - +\thispagestyle{plainnofancy} \setcounter{page}{5} - \thispagestyle{plainnofancy} + + +These lines are dedicated to those who have stayed by my side not only during the development of this thesis, but also during these last four years. + +I would like to thank my mother, father and sister. Without you any of this would have been ever possible. Thank you for teaching me the value of hard work and continuing to do so every day. Your patience, love and support are undoubtedly invaluable. + +Thanks, too, to all with whom I have shared part of this long journey. Brandon, Carlos, Miguel and the rest, it would definitely have been different without you. + +Finally, my special appreciation goes to my thesis supervisor Dr. Estévez Tapiador. I could not have had a project I was more excited about. Thank you for trusting me with this opportunity, and thanks for your commitment these months. + + + \vfill \newpage @@ -296,9 +323,10 @@ technology also available by default in most distributions. It is intended for b %-- %General indexes %- + \tableofcontents - - +\clearpage +%\pagestyle{fancy} \newpage \thispagestyle{empty} @@ -308,7 +336,7 @@ technology also available by default in most distributions. It is intended for b % List of figures %- \listoffigures -\thispagestyle{fancy} + \newpage \thispagestyle{empty} @@ -318,7 +346,6 @@ technology also available by default in most distributions. It is intended for b % List of tables %- \listoftables -\thispagestyle{fancy} \newpage % página en blanco o de cortesía \thispagestyle{empty} @@ -327,9 +354,9 @@ technology also available by default in most distributions. It is intended for b %---------- % INTRODUCTION %---------- - \clearpage \pagenumbering{arabic} +\pagestyle{fancy} % This prevents the underscores going out of the margins \renewcommand\_{\textunderscore\allowbreak} 
@@ -356,8 +383,10 @@ technology also available by default in most distributions. It is intended for b %\nocite{*} % Si quieres que aparezcan en la bibliografía todos los documentos que la componen (también los que no estén citados en el texto) descomenta está lína \clearpage +\pagestyle{plainnofancy} \addcontentsline{toc}{chapter}{Bibliography} +\sloppy \printbibliography diff --git a/docs/document.xmpdata b/docs/document.xmpdata new file mode 100644 index 0000000..d362fc3 --- /dev/null +++ b/docs/document.xmpdata @@ -0,0 +1,6 @@ +\Title{An analysis of offensive capabilities of eBPF and implementation of a rootkit} +\Author{Marcos Sánchez Bajo} +\Copyright{\copyright Marcos Sánchez. Some rights reserved. This document is under terms of Creative Commons license Attribution - Non Commercial - Non Derivatives.} +\CopyrightURL{http://creativecommons.org/licenses/by-nc-nd/3.0/es/} +\Keywords{Backdoor\sep Berkeley Packet Filter\sep Implant\sep Command and Control\sep Linux kernel\sep Malware\sep Computer security} +\Subject{Computer Science}