Continued with architecture, finished JIT, remodelled the second section of sSOTA

h3xduck
2022-05-25 22:00:28 -04:00
parent 706198f95b
commit a99c3e0f7d
16 changed files with 513 additions and 182 deletions


@@ -129,6 +129,11 @@
url={https://ebpf.io/what-is-ebpf/}
},
@manual{ebpf_io_arch,
title={eBPF Documentation: Loader and verification architecture},
url={https://ebpf.io/what-is-ebpf/#loader--verification-architecture}
},
@manual{index_register,
title={Index register},
url={https://gunkies.org/wiki/Index_register}
@@ -160,7 +165,7 @@
@manual{ebpf_inst_set,
title={eBPF instruction set},
url={https://www.kernel.org/doc/html/latest/bpf/instruction-set.html}
}
},
@manual{8664_inst_set_specs,
title={Intel® 64 and IA-32 Architectures Software Developers Manual Combined Volumes: 1, 2A, 2B, 2C, 2D, 3A, 3B, 3C, 3D, and 4},
@@ -169,13 +174,57 @@
pages={507},
urldate={2022-05-13},
url={https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html}
}
},
@proceedings{ebpf_starovo_slides,
title={BPF in-kernel virtual machine},
url={http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf},
date={2015-02-20},
institution={PLUMgrid}
},
@proceedings{ebpf_starovo_slides_page23,
title={BPF in-kernel virtual machine},
url={http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf},
date={2015-02-20},
institution={PLUMgrid},
pages={23}
},
@manual{ebpf_JIT,
title={A JIT for packet filters},
url={https://lwn.net/Articles/437981/},
date={2011-04-12},
author={Jonathan Corbet}
},
@proceedings{ebpf_JIT_demystify_page13,
title={Demystify eBPF JIT Compiler},
url={https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf},
institution={Netronome},
author={Jiong Wang},
date={2018-09-11},
pages={13}
},
@proceedings{ebpf_JIT_demystify_page14,
title={Demystify eBPF JIT Compiler},
url={https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf},
institution={Netronome},
author={Jiong Wang},
date={2018-09-11},
pages={14}
},
@book{brendan_gregg_bpf_book_bpf_vm,
title={BPF performance tools},
author={Brendan Gregg},
url={https://learning.oreilly.com/library/view/bpf-performance-tools/9780136588870/ch02.xhtml#:-:text=With%20JIT%20compiled%20code%2C%20i,%20other%20native%20kernel%20code}
},
@manual{jit_enable_setting,
title={bpf\_jit\_enable},
url={https://sysctl-explorer.net/net/core/bpf_jit_enable/}
}
@@ -185,3 +234,4 @@
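Review bot: The entries touched here are closed with `},` (the closing brace of `ebpf_inst_set` and of `8664_inst_set_specs` appears to change from `}` to `},`, and the new entries follow the same pattern), but BibTeX entries are not comma-separated, so the comma is stray text between entries; this is likely what the biber log in this commit reports as `1 characters of junk seen at toplevel`. Closing each entry with a bare `}` should clear those warnings, so that a genuine parse error is not lost among them. The `_page13`, `_page14` and `_page23` entries copy their parent record only to carry a page number; a postnote such as `\cite[23]{ebpf_starovo_slides}` keeps one entry per source and stops the copies drifting apart. In `brendan_gregg_bpf_book_bpf_vm` the URL fragment reads `#:-:text=`, which looks like a mangled `#:~:text=` text-fragment marker and is worth checking against the original link.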


@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 24 MAY 2022 20:47
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 25 MAY 2022 19:59
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.


@@ -63,28 +63,29 @@
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.1}eBPF history - Classic BPF}{5}{section.2.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.1}Introduction to the BPF system}{5}{subsection.2.1.1}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.1}{\ignorespaces Sketch of the functionality of classic BPF\relax }}{5}{figure.caption.7}\protected@file@percent }
\providecommand*\caption@xref[2]{\@setref\relax\@undefined{#1}}
\newlabel{fig:classif_bpf}{{2.1}{5}{Sketch of the functionality of classic BPF\relax }{figure.caption.7}{}}
\abx@aux@cite{bpf_bsd_origin_bpf_page1}
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page1}
\abx@aux@cite{index_register}
\abx@aux@segm{0}{0}{index_register}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.1}{\ignorespaces Sketch of the functionality of classic BPF\relax }}{6}{figure.caption.7}\protected@file@percent }
\providecommand*\caption@xref[2]{\@setref\relax\@undefined{#1}}
\newlabel{fig:classif_bpf}{{2.1}{6}{Sketch of the functionality of classic BPF\relax }{figure.caption.7}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.2}The BPF virtual machine}{6}{subsection.2.1.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.3}Analysis of a BPF filter program}{6}{subsection.2.1.3}\protected@file@percent }
\newlabel{section:bpf_vm}{{2.1.2}{6}{The BPF virtual machine}{subsection.2.1.2}{}}
\abx@aux@cite{bpf_bsd_origin_bpf_page5}
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page5}
\abx@aux@cite{bpf_organicprogrammer_analysis}
\abx@aux@segm{0}{0}{bpf_organicprogrammer_analysis}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.3}Analysis of a BPF filter program}{7}{subsection.2.1.3}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.2}{\ignorespaces Execution of a BPF filter.\relax }}{7}{figure.caption.8}\protected@file@percent }
\newlabel{fig:cbpf_prog}{{2.2}{7}{Execution of a BPF filter.\relax }{figure.caption.8}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.4}BPF bytecode instruction format}{7}{subsection.2.1.4}\protected@file@percent }
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.1}{\ignorespaces Table showing BPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{7}{table.caption.9}\protected@file@percent }
\newlabel{table:bpf_inst_format}{{2.1}{7}{Table showing BPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }{table.caption.9}{}}
\abx@aux@cite{bpf_bsd_origin_bpf_page7}
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page7}
\abx@aux@cite{bpf_bsd_origin_bpf_page8}
\abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page8}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.4}BPF bytecode instruction format}{8}{subsection.2.1.4}\protected@file@percent }
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.1}{\ignorespaces Table showing BPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{8}{table.caption.9}\protected@file@percent }
\newlabel{table:bpf_inst_format}{{2.1}{8}{Table showing BPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }{table.caption.9}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.3}{\ignorespaces Table of supported classic BPF instructions, as shown by McCanne and Jacobson\cite {bpf_bsd_origin_bpf_page7}\relax }}{8}{figure.caption.10}\protected@file@percent }
\newlabel{fig:bpf_instructions}{{2.3}{8}{Table of supported classic BPF instructions, as shown by McCanne and Jacobson\cite {bpf_bsd_origin_bpf_page7}\relax }{figure.caption.10}{}}
\abx@aux@cite{bpf_bsd_origin_bpf_page8}
@@ -95,49 +96,71 @@
\abx@aux@segm{0}{0}{tcpdump_page}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.4}{\ignorespaces Table explaining the column address modes in Figure\ref {fig:bpf_instructions}, as shown by McCanne and Jacobson\cite {bpf_bsd_origin_bpf_page8}\relax }}{9}{figure.caption.11}\protected@file@percent }
\newlabel{fig:bpf_address_mode}{{2.4}{9}{Table explaining the column address modes in Figure\ref {fig:bpf_instructions}, as shown by McCanne and Jacobson\cite {bpf_bsd_origin_bpf_page8}\relax }{figure.caption.11}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.5}An example of BPF filter - \textit {tcpdump}}{9}{subsection.2.1.5}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.5}An example of BPF filter - \textit {tcpdump}}{10}{subsection.2.1.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.5}{\ignorespaces BPF bytecode tcpdump needs to set a filter to display packets directed to port 80.\relax }}{10}{figure.caption.12}\protected@file@percent }
\newlabel{fig:bpf_tcpdump_example}{{2.5}{10}{BPF bytecode tcpdump needs to set a filter to display packets directed to port 80.\relax }{figure.caption.12}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.6}{\ignorespaces Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }}{10}{figure.caption.13}\protected@file@percent }
\newlabel{fig:tcpdump_ex_sol}{{2.6}{10}{Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }{figure.caption.13}{}}
\abx@aux@cite{ebpf_funcs_by_ver}
\abx@aux@segm{0}{0}{ebpf_funcs_by_ver}
\abx@aux@cite{ebpf_funcs_by_ver}
\abx@aux@segm{0}{0}{ebpf_funcs_by_ver}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.6}{\ignorespaces Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }}{11}{figure.caption.13}\protected@file@percent }
\newlabel{fig:tcpdump_ex_sol}{{2.6}{11}{Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }{figure.caption.13}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.2}Analysis of modern eBPF}{11}{section.2.2}\protected@file@percent }
\abx@aux@cite{brendan_gregg_bpf_book}
\abx@aux@segm{0}{0}{brendan_gregg_bpf_book}
\abx@aux@cite{brendan_gregg_bpf_book}
\abx@aux@segm{0}{0}{brendan_gregg_bpf_book}
\abx@aux@cite{ebpf_io_arch}
\abx@aux@segm{0}{0}{ebpf_io_arch}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.2}{\ignorespaces Table showing relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }}{12}{table.caption.14}\protected@file@percent }
\newlabel{table:ebpf_history}{{2.2}{12}{Table showing relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }{table.caption.14}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.7}{\ignorespaces Figure showing overall eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on\cite {brendan_gregg_bpf_book} and \cite {ebpf_io_arch}.\relax }}{12}{figure.caption.15}\protected@file@percent }
\newlabel{fig:ebpf_architecture}{{2.7}{12}{Figure showing overall eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on\cite {brendan_gregg_bpf_book} and \cite {ebpf_io_arch}.\relax }{figure.caption.15}{}}
\abx@aux@cite{ebpf_inst_set}
\abx@aux@segm{0}{0}{ebpf_inst_set}
\abx@aux@cite{8664_inst_set_specs}
\abx@aux@segm{0}{0}{8664_inst_set_specs}
\abx@aux@cite{ebpf_inst_set}
\abx@aux@segm{0}{0}{ebpf_inst_set}
\abx@aux@cite{ebpf_inst_set}
\abx@aux@segm{0}{0}{ebpf_inst_set}
\abx@aux@cite{ebpf_starovo_slides}
\abx@aux@segm{0}{0}{ebpf_starovo_slides}
\abx@aux@cite{ebpf_inst_set}
\abx@aux@segm{0}{0}{ebpf_inst_set}
\abx@aux@cite{ebpf_starovo_slides}
\abx@aux@segm{0}{0}{ebpf_starovo_slides}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.2}Analysis of modern eBPF}{11}{section.2.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.1}Architecture of eBPF}{11}{subsection.2.2.1}\protected@file@percent }
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.2}{\ignorespaces Table showing relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }}{11}{table.caption.14}\protected@file@percent }
\newlabel{table:ebpf_history}{{2.2}{11}{Table showing relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }{table.caption.14}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.3}{\ignorespaces Table showing eBPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{11}{table.caption.15}\protected@file@percent }
\newlabel{table:ebpf_inst_format}{{2.3}{11}{Table showing eBPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }{table.caption.15}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.4}{\ignorespaces Table showing eBPF registers and their purpose in the BPF VM.\cite {ebpf_inst_set}\cite {ebpf_starovo_slides}.\relax }}{12}{table.caption.16}\protected@file@percent }
\newlabel{table:ebpf_regs}{{2.4}{12}{Table showing eBPF registers and their purpose in the BPF VM.\cite {ebpf_inst_set}\cite {ebpf_starovo_slides}.\relax }{table.caption.16}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.2}JIT compilation}{12}{subsection.2.2.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Methods??}{13}{chapter.3}\protected@file@percent }
\abx@aux@cite{ebpf_JIT}
\abx@aux@segm{0}{0}{ebpf_JIT}
\abx@aux@cite{ebpf_JIT_demystify_page13}
\abx@aux@segm{0}{0}{ebpf_JIT_demystify_page13}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.1}eBPF instruction set}{13}{subsection.2.2.1}\protected@file@percent }
\newlabel{subsection:ebpf_inst_set}{{2.2.1}{13}{eBPF instruction set}{subsection.2.2.1}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.3}{\ignorespaces Table showing eBPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{13}{table.caption.16}\protected@file@percent }
\newlabel{table:ebpf_inst_format}{{2.3}{13}{Table showing eBPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }{table.caption.16}{}}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.4}{\ignorespaces Table showing eBPF registers and their purpose in the BPF VM.\cite {ebpf_inst_set}\cite {ebpf_starovo_slides}.\relax }}{13}{table.caption.17}\protected@file@percent }
\newlabel{table:ebpf_regs}{{2.4}{13}{Table showing eBPF registers and their purpose in the BPF VM.\cite {ebpf_inst_set}\cite {ebpf_starovo_slides}.\relax }{table.caption.17}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.2}JIT compilation}{13}{subsection.2.2.2}\protected@file@percent }
\abx@aux@cite{ebpf_JIT_demystify_page14}
\abx@aux@segm{0}{0}{ebpf_JIT_demystify_page14}
\abx@aux@cite{jit_enable_setting}
\abx@aux@segm{0}{0}{jit_enable_setting}
\abx@aux@cite{ebpf_starovo_slides_page23}
\abx@aux@segm{0}{0}{ebpf_starovo_slides_page23}
\abx@aux@cite{brendan_gregg_bpf_book_bpf_vm}
\abx@aux@segm{0}{0}{brendan_gregg_bpf_book_bpf_vm}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.3}eBPF architecture}{14}{subsection.2.2.3}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Methods??}{15}{chapter.3}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{14}{chapter.4}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{16}{chapter.4}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{15}{chapter.5}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{17}{chapter.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{16}{chapter.5}\protected@file@percent }
\abx@aux@read@bbl@mdfivesum{A0263F600A6B69AA4741D30C7A5AD15D}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{18}{chapter.5}\protected@file@percent }
\abx@aux@read@bbl@mdfivesum{5F7A9629AD8490B1B0F141D5BD6DF521}
\abx@aux@refcontextdefaultsdone
\abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global}
@@ -161,8 +184,15 @@
\abx@aux@defaultrefcontext{0}{tcpdump_page}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_funcs_by_ver}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{brendan_gregg_bpf_book}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_io_arch}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_inst_set}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{8664_inst_set_specs}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_starovo_slides}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_JIT}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_JIT_demystify_page13}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_JIT_demystify_page14}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{jit_enable_setting}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{ebpf_starovo_slides_page23}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{brendan_gregg_bpf_book_bpf_vm}{none/global//global/global}
\ttl@finishall
\gdef \@abspage@last{33}
\gdef \@abspage@last{36}


@@ -497,6 +497,7 @@
\strng{authorbibnamehash}{b45aef384111d7e9dd71b74ba427b5f1}
\strng{authornamehash}{b45aef384111d7e9dd71b74ba427b5f1}
\strng{authorfullhash}{b45aef384111d7e9dd71b74ba427b5f1}
\field{extraname}{1}
\field{sortinit}{3}
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
\field{labelnamesource}{author}
@@ -509,6 +510,18 @@
\verb https://www.oreilly.com/library/view/bpf-performance-tools/9780136588870/
\endverb
\endentry
\entry{ebpf_io_arch}{manual}{}
\field{sortinit}{3}
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
\field{labeltitlesource}{title}
\field{title}{eBPF Documentation: Loader and verification architecture}
\verb{urlraw}
\verb https://ebpf.io/what-is-ebpf/#loader--verification-architecture
\endverb
\verb{url}
\verb https://ebpf.io/what-is-ebpf/#loader--verification-architecture
\endverb
\endentry
\entry{ebpf_inst_set}{manual}{}
\field{sortinit}{3}
\field{sortinithash}{a37a8ef248a93c322189792c34fc68c9}
@@ -571,6 +584,168 @@
\verb http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf
\endverb
\endentry
\entry{ebpf_JIT}{manual}{}
\name{author}{1}{}{%
{{hash=729670cd9d39b9b575390147a29d51d7}{%
family={Corbet},
familyi={C\bibinitperiod},
given={Jonathan},
giveni={J\bibinitperiod}}}%
}
\strng{namehash}{729670cd9d39b9b575390147a29d51d7}
\strng{fullhash}{729670cd9d39b9b575390147a29d51d7}
\strng{bibnamehash}{729670cd9d39b9b575390147a29d51d7}
\strng{authorbibnamehash}{729670cd9d39b9b575390147a29d51d7}
\strng{authornamehash}{729670cd9d39b9b575390147a29d51d7}
\strng{authorfullhash}{729670cd9d39b9b575390147a29d51d7}
\field{sortinit}{4}
\field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{12}
\field{month}{4}
\field{title}{A JIT for packet filters}
\field{year}{2011}
\field{dateera}{ce}
\verb{urlraw}
\verb https://lwn.net/Articles/437981/
\endverb
\verb{url}
\verb https://lwn.net/Articles/437981/
\endverb
\endentry
\entry{ebpf_JIT_demystify_page13}{proceedings}{}
\name{author}{1}{}{%
{{hash=0fcaa32b080db12cbc8b11b27d05ad61}{%
family={Wang},
familyi={W\bibinitperiod},
given={Jiong},
giveni={J\bibinitperiod}}}%
}
\list{institution}{1}{%
{Netronome}%
}
\strng{namehash}{0fcaa32b080db12cbc8b11b27d05ad61}
\strng{fullhash}{0fcaa32b080db12cbc8b11b27d05ad61}
\strng{bibnamehash}{0fcaa32b080db12cbc8b11b27d05ad61}
\strng{authorbibnamehash}{0fcaa32b080db12cbc8b11b27d05ad61}
\strng{authornamehash}{0fcaa32b080db12cbc8b11b27d05ad61}
\strng{authorfullhash}{0fcaa32b080db12cbc8b11b27d05ad61}
\field{extraname}{1}
\field{sortinit}{4}
\field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{11}
\field{month}{9}
\field{title}{Demystify eBPF JIT Compiler}
\field{year}{2018}
\field{dateera}{ce}
\field{pages}{13}
\range{pages}{1}
\verb{urlraw}
\verb https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf
\endverb
\verb{url}
\verb https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf
\endverb
\endentry
\entry{ebpf_JIT_demystify_page14}{proceedings}{}
\name{author}{1}{}{%
{{hash=0fcaa32b080db12cbc8b11b27d05ad61}{%
family={Wang},
familyi={W\bibinitperiod},
given={Jiong},
giveni={J\bibinitperiod}}}%
}
\list{institution}{1}{%
{Netronome}%
}
\strng{namehash}{0fcaa32b080db12cbc8b11b27d05ad61}
\strng{fullhash}{0fcaa32b080db12cbc8b11b27d05ad61}
\strng{bibnamehash}{0fcaa32b080db12cbc8b11b27d05ad61}
\strng{authorbibnamehash}{0fcaa32b080db12cbc8b11b27d05ad61}
\strng{authornamehash}{0fcaa32b080db12cbc8b11b27d05ad61}
\strng{authorfullhash}{0fcaa32b080db12cbc8b11b27d05ad61}
\field{extraname}{2}
\field{sortinit}{4}
\field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{day}{11}
\field{month}{9}
\field{title}{Demystify eBPF JIT Compiler}
\field{year}{2018}
\field{dateera}{ce}
\field{pages}{14}
\range{pages}{1}
\verb{urlraw}
\verb https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf
\endverb
\verb{url}
\verb https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf
\endverb
\endentry
\entry{jit_enable_setting}{manual}{}
\field{sortinit}{4}
\field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4}
\field{labeltitlesource}{title}
\field{title}{bpf\_jit\_enable}
\verb{urlraw}
\verb https://sysctl-explorer.net/net/core/bpf_jit_enable/
\endverb
\verb{url}
\verb https://sysctl-explorer.net/net/core/bpf_jit_enable/
\endverb
\endentry
\entry{ebpf_starovo_slides_page23}{proceedings}{}
\list{institution}{1}{%
{PLUMgrid}%
}
\field{sortinit}{4}
\field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4}
\field{labeltitlesource}{title}
\field{day}{20}
\field{month}{2}
\field{title}{BPF in-kernel virtual machine}
\field{year}{2015}
\field{dateera}{ce}
\field{pages}{23}
\range{pages}{1}
\verb{urlraw}
\verb http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf
\endverb
\verb{url}
\verb http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf
\endverb
\endentry
\entry{brendan_gregg_bpf_book_bpf_vm}{book}{}
\name{author}{1}{}{%
{{hash=b45aef384111d7e9dd71b74ba427b5f1}{%
family={Gregg},
familyi={G\bibinitperiod},
given={Brendan},
giveni={B\bibinitperiod}}}%
}
\strng{namehash}{b45aef384111d7e9dd71b74ba427b5f1}
\strng{fullhash}{b45aef384111d7e9dd71b74ba427b5f1}
\strng{bibnamehash}{b45aef384111d7e9dd71b74ba427b5f1}
\strng{authorbibnamehash}{b45aef384111d7e9dd71b74ba427b5f1}
\strng{authornamehash}{b45aef384111d7e9dd71b74ba427b5f1}
\strng{authorfullhash}{b45aef384111d7e9dd71b74ba427b5f1}
\field{extraname}{2}
\field{sortinit}{4}
\field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4}
\field{labelnamesource}{author}
\field{labeltitlesource}{title}
\field{title}{BPF performance tools}
\verb{urlraw}
\verb https://learning.oreilly.com/library/view/bpf-performance-tools/9780136588870/ch02.xhtml#:-:text=With%20JIT%20compiled%20code%2C%20i,%20other%20native%20kernel%20code
\endverb
\verb{url}
\verb https://learning.oreilly.com/library/view/bpf-performance-tools/9780136588870/ch02.xhtml#:-:text=With%20JIT%20compiled%20code%2C%20i,%20other%20native%20kernel%20code
\endverb
\endentry
\enddatalist
\endrefsection
\endinput


@@ -2348,37 +2348,46 @@
<bcf:datasource type="file" datatype="bibtex" glob="false">bibliography/bibliography.bib</bcf:datasource>
</bcf:bibdata>
<bcf:section number="0">
<bcf:citekey order="6">ransomware_pwc</bcf:citekey>
<bcf:citekey order="7">rootkit_ptsecurity</bcf:citekey>
<bcf:citekey order="8">ebpf_linux318</bcf:citekey>
<bcf:citekey order="9">bvp47_report</bcf:citekey>
<bcf:citekey order="10">bpfdoor_pwc</bcf:citekey>
<bcf:citekey order="11">ebpf_windows</bcf:citekey>
<bcf:citekey order="12">ebpf_android</bcf:citekey>
<bcf:citekey order="13">evil_ebpf</bcf:citekey>
<bcf:citekey order="14">bad_ebpf</bcf:citekey>
<bcf:citekey order="15">ebpf_friends</bcf:citekey>
<bcf:citekey order="16">ebpf_io</bcf:citekey>
<bcf:citekey order="17">bpf_bsd_origin</bcf:citekey>
<bcf:citekey order="18">ebpf_history_opensource</bcf:citekey>
<bcf:citekey order="19">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="20">index_register</bcf:citekey>
<bcf:citekey order="21">bpf_bsd_origin_bpf_page5</bcf:citekey>
<bcf:citekey order="22">bpf_organicprogrammer_analysis</bcf:citekey>
<bcf:citekey order="23">bpf_bsd_origin_bpf_page7</bcf:citekey>
<bcf:citekey order="24">bpf_bsd_origin_bpf_page8</bcf:citekey>
<bcf:citekey order="25">bpf_bsd_origin_bpf_page8</bcf:citekey>
<bcf:citekey order="26">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="27">tcpdump_page</bcf:citekey>
<bcf:citekey order="28">ebpf_funcs_by_ver</bcf:citekey>
<bcf:citekey order="29">ebpf_funcs_by_ver</bcf:citekey>
<bcf:citekey order="30">brendan_gregg_bpf_book</bcf:citekey>
<bcf:citekey order="31">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="32">8664_inst_set_specs</bcf:citekey>
<bcf:citekey order="33">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="34">ebpf_starovo_slides</bcf:citekey>
<bcf:citekey order="8">ransomware_pwc</bcf:citekey>
<bcf:citekey order="9">rootkit_ptsecurity</bcf:citekey>
<bcf:citekey order="10">ebpf_linux318</bcf:citekey>
<bcf:citekey order="11">bvp47_report</bcf:citekey>
<bcf:citekey order="12">bpfdoor_pwc</bcf:citekey>
<bcf:citekey order="13">ebpf_windows</bcf:citekey>
<bcf:citekey order="14">ebpf_android</bcf:citekey>
<bcf:citekey order="15">evil_ebpf</bcf:citekey>
<bcf:citekey order="16">bad_ebpf</bcf:citekey>
<bcf:citekey order="17">ebpf_friends</bcf:citekey>
<bcf:citekey order="18">ebpf_io</bcf:citekey>
<bcf:citekey order="19">bpf_bsd_origin</bcf:citekey>
<bcf:citekey order="20">ebpf_history_opensource</bcf:citekey>
<bcf:citekey order="21">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="22">index_register</bcf:citekey>
<bcf:citekey order="23">bpf_bsd_origin_bpf_page5</bcf:citekey>
<bcf:citekey order="24">bpf_organicprogrammer_analysis</bcf:citekey>
<bcf:citekey order="25">bpf_bsd_origin_bpf_page7</bcf:citekey>
<bcf:citekey order="26">bpf_bsd_origin_bpf_page8</bcf:citekey>
<bcf:citekey order="27">bpf_bsd_origin_bpf_page8</bcf:citekey>
<bcf:citekey order="28">bpf_bsd_origin_bpf_page1</bcf:citekey>
<bcf:citekey order="29">tcpdump_page</bcf:citekey>
<bcf:citekey order="30">ebpf_funcs_by_ver</bcf:citekey>
<bcf:citekey order="31">ebpf_funcs_by_ver</bcf:citekey>
<bcf:citekey order="32">brendan_gregg_bpf_book</bcf:citekey>
<bcf:citekey order="33">brendan_gregg_bpf_book</bcf:citekey>
<bcf:citekey order="34">ebpf_io_arch</bcf:citekey>
<bcf:citekey order="35">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="36">ebpf_starovo_slides</bcf:citekey>
<bcf:citekey order="36">8664_inst_set_specs</bcf:citekey>
<bcf:citekey order="37">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="38">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="39">ebpf_starovo_slides</bcf:citekey>
<bcf:citekey order="40">ebpf_inst_set</bcf:citekey>
<bcf:citekey order="41">ebpf_starovo_slides</bcf:citekey>
<bcf:citekey order="42">ebpf_JIT</bcf:citekey>
<bcf:citekey order="43">ebpf_JIT_demystify_page13</bcf:citekey>
<bcf:citekey order="44">ebpf_JIT_demystify_page14</bcf:citekey>
<bcf:citekey order="45">jit_enable_setting</bcf:citekey>
<bcf:citekey order="46">ebpf_starovo_slides_page23</bcf:citekey>
<bcf:citekey order="47">brendan_gregg_bpf_book_bpf_vm</bcf:citekey>
</bcf:section>
<!-- SORTING TEMPLATES -->
<bcf:sortingtemplate name="none">


@@ -1,38 +1,47 @@
[0] Config.pm:311> INFO - This is Biber 2.16
[0] Config.pm:314> INFO - Logfile is 'document.blg'
[59] biber:340> INFO - === Tue May 24, 2022, 20:47:37
[72] Biber.pm:415> INFO - Reading 'document.bcf'
[141] Biber.pm:952> INFO - Found 25 citekeys in bib section 0
[156] Biber.pm:4340> INFO - Processing section 0
[164] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[166] bibtex.pm:1689> INFO - LaTeX decoding ...
[177] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 9, warning: 1 characters of junk seen at toplevel
[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 15, warning: 1 characters of junk seen at toplevel
[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 22, warning: 1 characters of junk seen at toplevel
[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 28, warning: 1 characters of junk seen at toplevel
[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 35, warning: 1 characters of junk seen at toplevel
[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 42, warning: 1 characters of junk seen at toplevel
[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 50, warning: 1 characters of junk seen at toplevel
[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 58, warning: 1 characters of junk seen at toplevel
[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 65, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 70, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 77, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 85, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 94, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 103, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 112, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 121, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 127, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 132, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 143, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 148, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 154, warning: 1 characters of junk seen at toplevel
[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 160, warning: 1 characters of junk seen at toplevel
[284] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[284] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[284] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[284] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[300] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[306] bbl.pm:757> INFO - Output to document.bbl
[307] Biber.pm:128> INFO - WARNINGS: 22
[57] biber:340> INFO - === Wed May 25, 2022, 21:58:47
[69] Biber.pm:415> INFO - Reading 'document.bcf'
[139] Biber.pm:952> INFO - Found 32 citekeys in bib section 0
[153] Biber.pm:4340> INFO - Processing section 0
[161] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0
[163] bibtex.pm:1689> INFO - LaTeX decoding ...
[176] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib'
[266] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 9, warning: 1 characters of junk seen at toplevel
[266] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 15, warning: 1 characters of junk seen at toplevel
[266] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 22, warning: 1 characters of junk seen at toplevel
[266] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 28, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 35, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 42, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 50, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 58, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 65, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 70, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 77, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 85, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 94, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 103, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 112, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 121, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 127, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 132, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 137, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 148, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 153, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 159, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 165, warning: 1 characters of junk seen at toplevel
[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 170, warning: 1 characters of junk seen at toplevel
[268] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 179, warning: 1 characters of junk seen at toplevel
[268] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 186, warning: 1 characters of junk seen at toplevel
[268] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 194, warning: 1 characters of junk seen at toplevel
[268] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 201, warning: 1 characters of junk seen at toplevel
[268] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 210, warning: 1 characters of junk seen at toplevel
[268] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 219, warning: 1 characters of junk seen at toplevel
[268] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 225, warning: 1 characters of junk seen at toplevel
[291] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable'
[291] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized'
[291] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US'
[291] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US'
[311] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8'
[320] bbl.pm:757> INFO - Output to document.bbl
[320] Biber.pm:128> INFO - WARNINGS: 31


@@ -5,7 +5,7 @@
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.1}{\ignorespaces Sketch of the functionality of classic BPF\relax }}{5}{figure.caption.7}%
\contentsline {figure}{\numberline {2.1}{\ignorespaces Sketch of the functionality of classic BPF\relax }}{6}{figure.caption.7}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.2}{\ignorespaces Execution of a BPF filter.\relax }}{7}{figure.caption.8}%
\defcounter {refsection}{0}\relax
@@ -15,7 +15,9 @@
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.5}{\ignorespaces BPF bytecode tcpdump needs to set a filter to display packets directed to port 80.\relax }}{10}{figure.caption.12}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.6}{\ignorespaces Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }}{10}{figure.caption.13}%
\contentsline {figure}{\numberline {2.6}{\ignorespaces Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }}{11}{figure.caption.13}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {2.7}{\ignorespaces Figure showing overall eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on\cite {brendan_gregg_bpf_book} and \cite {ebpf_io_arch}.\relax }}{12}{figure.caption.15}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax


@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 24 MAY 2022 20:52
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 25 MAY 2022 21:59
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.
@@ -1089,7 +1089,7 @@ File: t1txss.fd 2000/12/15 v3.1
)
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 11.39996pt on input line 186.
<images//Portada_Logo.png, id=85, 456.2865pt x 45.99pt>
<images//Portada_Logo.png, id=93, 456.2865pt x 45.99pt>
File: images//Portada_Logo.png Graphic file (type png)
<use images//Portada_Logo.png>
Package pdftex.def Info: images//Portada_Logo.png used on input line 190.
@@ -1102,7 +1102,7 @@ LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 23.63593pt on input line 201.
LaTeX Font Info: Font shape `T1/txss/m/n' will be
(Font) scaled to size 19.70294pt on input line 205.
<images/creativecommons.png, id=87, 338.76563pt x 118.19156pt>
<images/creativecommons.png, id=95, 338.76563pt x 118.19156pt>
File: images/creativecommons.png Graphic file (type png)
<use images/creativecommons.png>
Package pdftex.def Info: images/creativecommons.png used on input line 215.
@@ -1210,88 +1210,116 @@ Overfull \hbox (0.50073pt too wide) in paragraph at lines 355--356
[3] [4]
Chapter 2.
<images//classic_bpf.jpg, id=278, 588.1975pt x 432.61626pt>
LaTeX Warning: Reference `section:analysis_offensive_capabilities' on page 5 un
defined on input line 412.
<images//classic_bpf.jpg, id=297, 588.1975pt x 432.61626pt>
File: images//classic_bpf.jpg Graphic file (type jpg)
<use images//classic_bpf.jpg>
Package pdftex.def Info: images//classic_bpf.jpg used on input line 423.
Package pdftex.def Info: images//classic_bpf.jpg used on input line 426.
(pdftex.def) Requested size: 341.43306pt x 251.12224pt.
[5
<./images//classic_bpf.jpg>]
<images//cbpf_prog.jpg, id=290, 403.5075pt x 451.6875pt>
] [6 <./images//classic_bpf.jpg>]
<images//cbpf_prog.jpg, id=316, 403.5075pt x 451.6875pt>
File: images//cbpf_prog.jpg Graphic file (type jpg)
<use images//cbpf_prog.jpg>
Package pdftex.def Info: images//cbpf_prog.jpg used on input line 450.
Package pdftex.def Info: images//cbpf_prog.jpg used on input line 453.
(pdftex.def) Requested size: 227.62204pt x 254.80415pt.
[6] [7 <./images/cBPF_prog.jpg>]
<images//bpf_instructions.png, id=307, 380.92313pt x 475.27562pt>
[7 <./images/cBPF_prog.jpg>]
<images//bpf_instructions.png, id=326, 380.92313pt x 475.27562pt>
File: images//bpf_instructions.png Graphic file (type png)
<use images//bpf_instructions.png>
Package pdftex.def Info: images//bpf_instructions.png used on input line 490.
Package pdftex.def Info: images//bpf_instructions.png used on input line 493.
(pdftex.def) Requested size: 227.62204pt x 283.99998pt.
[8 <./images//bpf_instructions.png>]
<images//bpf_address_mode.png, id=316, 417.05812pt x 313.67188pt>
<images//bpf_address_mode.png, id=336, 417.05812pt x 313.67188pt>
File: images//bpf_address_mode.png Graphic file (type png)
<use images//bpf_address_mode.png>
Package pdftex.def Info: images//bpf_address_mode.png used on input line 506.
Package pdftex.def Info: images//bpf_address_mode.png used on input line 509.
(pdftex.def) Requested size: 227.62204pt x 171.19905pt.
LaTeX Font Info: Font shape `T1/txr/b/it' in size <12> not available
(Font) Font shape `T1/txr/bx/it' tried instead on input line 514.
<images//tcpdump_example.png, id=323, 534.99875pt x 454.69875pt>
(Font) Font shape `T1/txr/bx/it' tried instead on input line 517.
[9 <./images//bpf_address_mode.png>]
<images//tcpdump_example.png, id=348, 534.99875pt x 454.69875pt>
File: images//tcpdump_example.png Graphic file (type png)
<use images//tcpdump_example.png>
Package pdftex.def Info: images//tcpdump_example.png used on input line 521.
Package pdftex.def Info: images//tcpdump_example.png used on input line 524.
(pdftex.def) Requested size: 284.52756pt x 241.82869pt.
[9 <./images//bpf_address_mode.png>]
<images//cBPF_prog_ex_sol.png, id=333, 242.9075pt x 321.2pt>
<images//cBPF_prog_ex_sol.png, id=351, 242.9075pt x 321.2pt>
File: images//cBPF_prog_ex_sol.png Graphic file (type png)
<use images//cBPF_prog_ex_sol.png>
Package pdftex.def Info: images//cBPF_prog_ex_sol.png used on input line 532.
Package pdftex.def Info: images//cBPF_prog_ex_sol.png used on input line 535.
(pdftex.def) Requested size: 170.71652pt x 225.74026pt.
[10 <./images//tcpdump_example.png> <./images//cBPF_prog_ex_sol.png>]
Overfull \hbox (3.10062pt too wide) in paragraph at lines 586--603
[10 <./images//tcpdump_example.png>] [11 <./images//cBPF_prog_ex_sol.png>]
<images//ebpf_arch.jpg, id=371, 739.76375pt x 472.76625pt>
File: images//ebpf_arch.jpg Graphic file (type jpg)
<use images//ebpf_arch.jpg>
Package pdftex.def Info: images//ebpf_arch.jpg used on input line 574.
(pdftex.def) Requested size: 426.79134pt x 272.75464pt.
[12 <./images//ebpf_arch.jpg>]
Overfull \hbox (3.10062pt too wide) in paragraph at lines 601--618
[][]
[]
[11] [12]
[13]
Overfull \hbox (17.02478pt too wide) in paragraph at lines 627--628
[]\T1/txr/m/n/12 Therefore, when us-ing JIT com-pil-ing (a set-ting de-fined by
the vari-able \T1/txr/m/it/12 bpf_jit_enable\T1/txr/m/n/12 [[][]30[][]],
[]
[14]
Chapter 3.
[13
]
Chapter 4.
[14
]
Chapter 5.
[15
]
Chapter 4.
[16
]
Chapter 5.
[17
]
LaTeX Font Info: Trying to load font information for T1+txtt on input line 6
45.
76.
(/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txtt.fd
File: t1txtt.fd 2000/12/15 v3.1
)
Overfull \hbox (5.34976pt too wide) in paragraph at lines 646--646
Overfull \hbox (5.34976pt too wide) in paragraph at lines 677--677
\T1/txtt/m/n/12 threat -[] intelligence / cyber -[] year -[] in -[] retrospect
/ yir -[] cyber -[] threats -[]
[]
[16
[18
]
Overfull \hbox (6.22696pt too wide) in paragraph at lines 646--646
Overfull \hbox (6.22696pt too wide) in paragraph at lines 677--677
[]\T1/txr/m/it/12 Bpf fea-tures by linux ker-nel ver-sion\T1/txr/m/n/12 , io-vi
-sor. [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / github .
[]
Overfull \hbox (21.24973pt too wide) in paragraph at lines 646--646
Overfull \hbox (7.34976pt too wide) in paragraph at lines 677--677
[][]$\T1/txtt/m/n/12 https : / / ebpf . io / what -[] is -[] ebpf / #loader -[]
-[] verification -[] architecture$[][]\T1/txr/m/n/12 .
[]
Overfull \hbox (21.24973pt too wide) in paragraph at lines 677--677
\T1/txtt/m/n/12 vger . kernel . org / netconf2015Starovoitov -[] bpf _ collabsu
mmit _ 2015feb20 .
[]
[17] [1
[19]
Overfull \hbox (9.14975pt too wide) in paragraph at lines 677--677
\T1/txtt/m/n/12 ch02 . xhtml# :-[]: text = With % 20JIT % 20compiled % 20code %
2C % 20i ,[] %20other %
[]
[20] [1
]
@@ -1302,30 +1330,24 @@ pdfTeX warning (ext4): destination with the same identifier (name{page.}) has b
een already used, duplicate ignored
<to be read again>
\relax
l.662 \end{document}
l.693 \end{document}
[2
] (./document.aux)
LaTeX Warning: Label(s) may have changed. Rerun to get cross-references right.
LaTeX Warning: There were undefined references.
Package rerunfilecheck Warning: File `document.out' has changed.
(rerunfilecheck) Rerun to get outlines right
(rerunfilecheck) or use package `bookmark'.
Package rerunfilecheck Info: Checksums for `document.out':
(rerunfilecheck) Before: 260AE7FF5C653A434FB11872FD491CEC;1464
(rerunfilecheck) After: 78EEF05F3FA16DD01514ABFEEF3266FA;1536.
Package rerunfilecheck Info: File `document.out' has not changed.
(rerunfilecheck) Checksum: 66497A77734FDFAA905ECBF53B99BCD1;1610.
Package logreq Info: Writing requests to 'document.run.xml'.
\openout1 = `document.run.xml'.
)
Here is how much of TeX's memory you used:
27329 strings out of 481209
434770 string characters out of 5914747
1172582 words of memory out of 5000000
43751 multiletter control sequences out of 15000+600000
27367 strings out of 481209
436043 string characters out of 5914747
1175417 words of memory out of 5000000
43776 multiletter control sequences out of 15000+600000
456974 words of font info for 103 fonts, out of 8000000 for 9000
36 hyphenation exceptions out of 8191
88i,11n,90p,1029b,3093s stack positions out of 5000i,500n,10000p,200000b,80000s
@@ -1340,9 +1362,9 @@ texmf-dist/fonts/type1/urw/helvetic/uhvr8a.pfb></usr/share/texlive/texmf-dist/f
onts/type1/urw/times/utmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/
times/utmbi8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.p
fb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on document.pdf (33 pages, 495134 bytes).
Output written on document.pdf (36 pages, 573346 bytes).
PDF statistics:
523 PDF objects out of 1000 (max. 8388607)
93 named destinations out of 1000 (max. 500000)
213 words of extra memory for PDF output out of 10000 (max. 10000000)
591 PDF objects out of 1000 (max. 8388607)
105 named destinations out of 1000 (max. 500000)
234 words of extra memory for PDF output out of 10000 (max. 10000000)


@@ -5,13 +5,13 @@
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.1}{\ignorespaces Table showing BPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{7}{table.caption.9}%
\contentsline {table}{\numberline {2.1}{\ignorespaces Table showing BPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{8}{table.caption.9}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.2}{\ignorespaces Table showing relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }}{11}{table.caption.14}%
\contentsline {table}{\numberline {2.2}{\ignorespaces Table showing relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }}{12}{table.caption.14}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.3}{\ignorespaces Table showing eBPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{11}{table.caption.15}%
\contentsline {table}{\numberline {2.3}{\ignorespaces Table showing eBPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{13}{table.caption.16}%
\defcounter {refsection}{0}\relax
\contentsline {table}{\numberline {2.4}{\ignorespaces Table showing eBPF registers and their purpose in the BPF VM.\cite {ebpf_inst_set}\cite {ebpf_starovo_slides}.\relax }}{12}{table.caption.16}%
\contentsline {table}{\numberline {2.4}{\ignorespaces Table showing eBPF registers and their purpose in the BPF VM.\cite {ebpf_inst_set}\cite {ebpf_starovo_slides}.\relax }}{13}{table.caption.17}%
\defcounter {refsection}{0}\relax
\addvspace {10\p@ }
\defcounter {refsection}{0}\relax


@@ -13,9 +13,10 @@
\BOOKMARK [2][-]{subsection.2.1.4}{BPF\040bytecode\040instruction\040format}{section.2.1}% 13
\BOOKMARK [2][-]{subsection.2.1.5}{An\040example\040of\040BPF\040filter\040-\040tcpdump}{section.2.1}% 14
\BOOKMARK [1][-]{section.2.2}{Analysis\040of\040modern\040eBPF}{chapter.2}% 15
\BOOKMARK [2][-]{subsection.2.2.1}{Architecture\040of\040eBPF}{section.2.2}% 16
\BOOKMARK [2][-]{subsection.2.2.1}{eBPF\040instruction\040set}{section.2.2}% 16
\BOOKMARK [2][-]{subsection.2.2.2}{JIT\040compilation}{section.2.2}% 17
\BOOKMARK [0][-]{chapter.3}{Methods??}{}% 18
\BOOKMARK [0][-]{chapter.4}{Results}{}% 19
\BOOKMARK [0][-]{chapter.5}{Conclusion\040and\040future\040work}{}% 20
\BOOKMARK [0][-]{chapter.5}{Bibliography}{}% 21
\BOOKMARK [2][-]{subsection.2.2.3}{eBPF\040architecture}{section.2.2}% 18
\BOOKMARK [0][-]{chapter.3}{Methods??}{}% 19
\BOOKMARK [0][-]{chapter.4}{Results}{}% 20
\BOOKMARK [0][-]{chapter.5}{Conclusion\040and\040future\040work}{}% 21
\BOOKMARK [0][-]{chapter.5}{Bibliography}{}% 22

Binary file not shown.

Binary file not shown.


@@ -409,8 +409,11 @@ The rootkit will work in a fresh-install of a Linux system with the following ch
% I WILL NOT INCLUDE A ROOTKIT BACKGROUND, considering that a deep study of that is not fully relevant for us. I explained what it is, its two main types (should we include bootkits, maybe?) and its relation with eBPF in the introduction, since it is needed to introduce the overall context. Should we do otherwise?
This chapter is dedicated to an study of the eBPF technology. Firstly, we will analyse its origins, understanding what it is and how it works, and discuss the reasons why it is a necessary component of the Linux kernel today. Afterwards, we will cover the main features of eBPF in detail. Finally, an study of the existing alternatives for developing eBPF applications will be also included.
Although during our discussion of the offensive capabilities of eBPF in section\ref{section:analysis_offensive_capabilities} we use a library that will provide us with a layer of abstraction over the underlying operations, this background is needed to understand how eBPF is embedded in the kernel and which capabilities and limits we can expect to achieve with it.
\section{eBPF history - Classic BPF}
% Is it ok to have sections / chapters without individual intros?
In this section we will detail the origins of eBPF in the Linux kernel. By offering us background into the earlier versions of the system, the goal is to acquire insight on the design decisions included in modern versions of eBPF.
\subsection{Introduction to the BPF system}
Nowadays eBPF is not officially considered to be an acronym anymore\cite{ebpf_io}, but it remains largely known as "extended Berkeley Packet Filters", given its roots in the Berkeley Packet Filter (BPF) technology, now known as classic BPF.
@@ -425,11 +428,11 @@ BPF was introduced in 1992 by Steven McCanne and Van Jacobson in the paper "The
\label{fig:classif_bpf}
\end{figure}
Figure \ref{fig:classif_bpf} shows how BPF was integrated in the existing network packet processing by the kernel. After receiving a packet, it would first be analysed by BPF filters, programs directly developed by the user. The filter decides whether the packet is to be accepted by analysing the packet properties, such as its length or the type and values of its headers. If a packet is accepted, the filter proceeds to decide how many bytes of the original buffer are passed to the application at the user space. Otherwise, the packet is redirected to the original network stack, where it is managed as usual.
Figure \ref{fig:classif_bpf} shows how BPF was integrated in the existing network packet processing by the kernel. After receiving a packet via the Network Interface Controller (NIC) driver, it would first be analysed by BPF filters, which are programs directly developed by the user. This filter decides whether the packet is to be accepted by analysing the packet properties, such as its length or the type and values of its headers. If a packet is accepted, the filter proceeds to decide how many bytes of the original buffer are passed to the application at the user space. Otherwise, the packet is redirected to the original network stack, where it is managed as usual.
\subsection{The BPF virtual machine}
In a technical level, BPF comprises both the BPF filter programs developed by the user and the BPF module included in the kernel which allows for loading and running the BPF filters. This BPF module in the kernel works as a virtual machine\cite{bpf_bsd_origin_bpf_page1}. Therefore, it is usually referred as the BPF Virtual Machine (BPF VM). The BPF VM comprises the following components:
\subsection{The BPF virtual machine} \label{section:bpf_vm}
In a technical level, BPF comprises both the BPF filter programs developed by the user and the BPF module included in the kernel which allows for loading and running the BPF filters. This BPF module in the kernel works as a virtual machine\cite{bpf_bsd_origin_bpf_page1}, meaning that it parses and interprets the filter program by providing simulated components needed for its execution, turning into a software-based CPU. Because of this reason, it is usually referred as the BPF Virtual Machine (BPF VM). The BPF VM comprises the following components:
\begin{itemize}
\item \textbf{An accumulator register}, used to store intermediate values of operations.
\item \textbf{An index register}, used to modify operand addresses, it is usually incorporated to optimize vector operations\cite{index_register}.
@@ -439,7 +442,7 @@ In a technical level, BPF comprises both the BPF filter programs developed by th
\subsection{Analysis of a BPF filter program}
The components of the BPF VM are used to support running BPF filter programs. A BPF filter is implemented as a boolean function:
As we mentioned in section \ref{section:bpf_vm}, the components of the BPF VM are used to support running BPF filter programs. A BPF filter is implemented as a boolean function:
\begin{itemize}
\item If it returns \textit{true}, the kernel copies the packet to the application.
\item If it returns \textit{false}, the packet is not accepted by the filter (and thus the network stack will be the next to operate it).
@@ -525,7 +528,7 @@ At the time, by filtering packets before they are handled by the kernel instead
Figure \ref{fig:bpf_tcpdump_example} shows how tcpdump sets a filter to display traffic directed to all interfaces (\textit{-i any}) directed to port 80. Flag \textit{-d} instructs tcpdump to display BPF bytecode.
In the example, using the \textit{jf} and \textit{jt} fields, we can label the nodes of the CFG described by the BPF filter. Figure \ref{fig:tcpdump_ex_sol} is the shortest graph path that a true comparison will need to follow to be accepted by the filter. Note how instruction 010 is checking the value 80, the one our filter is looking for in the port.
In the example, using the \textit{jf} and \textit{jt} fields, we can label the nodes of the CFG described by the BPF filter. Figure \ref{fig:tcpdump_ex_sol} describes the shortest graph path that a true comparison will need to follow to be accepted by the filter. Note how instruction 010 is checking the value 80, the one our filter is looking for in the port.
\begin{figure}[H]
\centering
@@ -535,8 +538,9 @@ In the example, using the \textit{jf} and \textit{jt} fields, we can label the n
\end{figure}
\section{Analysis of modern eBPF}
\subsection{Architecture of eBPF}
The addition of classic BPF in the Linux kernel set the foundations of eBPF, but nowadays it has already extended its presence to many other components other than traffic filtering. Table \ref{table:ebpf_history} shows the main updates that were incorporated and shaped modern eBPF of today.
This section discusses the current state of modern eBPF in the Linux kernel. By building on the previous architecture described in classic BPF, we will be able to provide a comprehensive picture of the underlying infrastructure in which eBPF relies today.
The addition of classic BPF in the Linux kernel set the foundations of eBPF, but nowadays it has already extended its presence to many other components other than traffic filtering. Similarly to how BPF filters were included in the networking module of the Linux kernel, we will now study the necessary changes made in the kernel to support these new program types. Table \ref{table:ebpf_history} shows the main updates that were incorporated and shaped modern eBPF of today.
\begin{table}[H]
\begin{tabular}{|c|c|c|}
@@ -548,7 +552,6 @@ Description & Kernel version & Year\\
\textit{BPF+}: New JIT assembler & 3.0 & 2011\\
\textit{eBPF}: Added eBPF support & 3.15 & 2014\\
\textit New bpf() syscall & 3.18 & 2014\\
\textit eBPF for sockets & 3.19 & 2015\\
\textit Introduction of eBPF maps & 3.19 & 2015\\
\textit eBPF attached to kprobes & 4.1 & 2015\\
\textit Introduction of Traffic Control & 4.5 & 2016\\
@@ -564,6 +567,18 @@ Description & Kernel version & Year\\
As it can be observed in the table above, the main breakthrough happened in the 3.15 version, where Alexei Starovoitov, along with Daniel Borkmann, decided to expand the capabilities of BPF by remodelling the BPF instruction set and overall architecture\cite{brendan_gregg_bpf_book}.
Figure \ref{fig:ebpf_architecture} offers an overview of the current eBPF architecture. During the subsequent subsections, we will proceed to explain its components in detail.
\begin{figure}[H]
\centering
\includegraphics[width=15cm]{ebpf_arch.jpg}
\caption{Figure showing overall eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on\cite{brendan_gregg_bpf_book} and \cite{ebpf_io_arch}.}
\label{fig:ebpf_architecture}
\end{figure}
\subsection{eBPF instruction set} \label{subsection:ebpf_inst_set}
The eBPF update included a complete remodel of the instruction set architecture (ISA) of the BPF VM. Therefore, eBPF programs will need to follow the new architecture in order to be interpreted as valid and executed.
\begin{table}[H]
\begin{tabular}{|c|c|c|c|c|c|}
\hline
@@ -577,7 +592,7 @@ BITS & 32 & 16 & 4 & 4 & 8\\
\end{table}
Table \ref{table:ebpf_inst_format} shows the new instruction format for eBPF programs\cite{ebpf_inst_set}. The new fields are similar to x86\_64 assembly, incorporating the typically found immediate and offset fields, and source and destination registers\cite{8664_inst_set_specs}.
Table \ref{table:ebpf_inst_format} shows the new instruction format for eBPF programs\cite{ebpf_inst_set}. The new fields are similar to x86\_64 assembly, incorporating the typically found immediate and offset fields, and source and destination registers\cite{8664_inst_set_specs}. Similarly, the instruction set is extended to be similar to the one typically found on x86\_64 systems, the complete list can be consulted in the official documentation\cite{ebpf_inst_set}.
%Should I talk about assembly or this more in detail?
With respect to the BPF VM registers, they get extended from 32 to 64 bits of length, and the number of registers is incremented to 10, instead of the original accumulator and index registers. These registers are also adapted to be similar to those in assembly, as it is shown in table \ref{table:ebpf_regs}.
@@ -605,7 +620,23 @@ r10 & rbp & Frame pointer for stack, read only\\
\end{table}
\subsection{JIT compilation}
The p
We mentioned in subsection \ref{subsection:ebpf_inst_set} that eBPF registers and instructions describe an almost one-to-one correspondence to those in x86 assembly. This is in fact not a coincidence, but rather it is with the purpose of improving a functionality that was included in Linux kernel 3.0, called Just-in-Time (JIT) compilation\cite{ebpf_JIT}\cite{ebpf_JIT_demystify_page13}.
JIT compiling is an extra step that optimizes the execution speed of eBPF programs. It consists of translating BPF bytecode into machine-specific instructions, so that they run as fast as native code in the kernel. Machine instructions are generated during runtime, written directly into executable memory and executed there\cite{ebpf_JIT_demystify_page14}.
Therefore, when using JIT compiling (a setting defined by the variable \textit{bpf\_jit\_enable}\cite{jit_enable_setting}, BPF registers are translated into machine-specific registers following their one-to-one mapping and bytecode instructions are translated into machine-specific instructions\cite{ebpf_starovo_slides_page23}. There no longer exists an interpretation step by the BPF VM, since we can execute the code directly\cite{brendan_gregg_bpf_book_bpf_vm}.
The programs developed during this project will always have JIT compiling active.
\subsection{eBPF architecture}
Provided the instruction set architecture (ISA) described in section


@@ -23,23 +23,25 @@
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.1.2}The BPF virtual machine}{6}{subsection.2.1.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.1.3}Analysis of a BPF filter program}{6}{subsection.2.1.3}%
\contentsline {subsection}{\numberline {2.1.3}Analysis of a BPF filter program}{7}{subsection.2.1.3}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.1.4}BPF bytecode instruction format}{7}{subsection.2.1.4}%
\contentsline {subsection}{\numberline {2.1.4}BPF bytecode instruction format}{8}{subsection.2.1.4}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.1.5}An example of BPF filter - \textit {tcpdump}}{9}{subsection.2.1.5}%
\contentsline {subsection}{\numberline {2.1.5}An example of BPF filter - \textit {tcpdump}}{10}{subsection.2.1.5}%
\defcounter {refsection}{0}\relax
\contentsline {section}{\numberline {2.2}Analysis of modern eBPF}{11}{section.2.2}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.2.1}Architecture of eBPF}{11}{subsection.2.2.1}%
\contentsline {subsection}{\numberline {2.2.1}eBPF instruction set}{13}{subsection.2.2.1}%
\defcounter {refsection}{0}\relax
\contentsline {subsection}{\numberline {2.2.2}JIT compilation}{12}{subsection.2.2.2}%
\contentsline {subsection}{\numberline {2.2.2}JIT compilation}{13}{subsection.2.2.2}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {3}Methods??}{13}{chapter.3}%
\contentsline {subsection}{\numberline {2.2.3}eBPF architecture}{14}{subsection.2.2.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {4}Results}{14}{chapter.4}%
\contentsline {chapter}{\numberline {3}Methods??}{15}{chapter.3}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{\numberline {5}Conclusion and future work}{15}{chapter.5}%
\contentsline {chapter}{\numberline {4}Results}{16}{chapter.4}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{16}{chapter.5}%
\contentsline {chapter}{\numberline {5}Conclusion and future work}{17}{chapter.5}%
\defcounter {refsection}{0}\relax
\contentsline {chapter}{Bibliography}{18}{chapter.5}%
\contentsfinish

BIN
docs/images/ebpf_arch.jpg Normal file

Binary file not shown.


@@ -73,15 +73,15 @@
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/">
<xmp:CreatorTool>LaTeX with hyperref</xmp:CreatorTool>
<xmp:ModifyDate>2022-05-24T20:52:21-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-05-24T20:52:21-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-05-24T20:52:21-04:00</xmp:MetadataDate>
<xmp:ModifyDate>2022-05-25T21:59:30-04:00</xmp:ModifyDate>
<xmp:CreateDate>2022-05-25T21:59:30-04:00</xmp:CreateDate>
<xmp:MetadataDate>2022-05-25T21:59:30-04:00</xmp:MetadataDate>
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpRights = "http://ns.adobe.com/xap/1.0/rights/">
</rdf:Description>
<rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/">
<xmpMM:DocumentID>uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3</xmpMM:DocumentID>
<xmpMM:InstanceID>uuid:7FB75CFF-80A8-7F24-B8F1-755FFABF2F4A</xmpMM:InstanceID>
<xmpMM:InstanceID>uuid:AED25E85-D80C-CF5E-E310-D04CC694E463</xmpMM:InstanceID>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>