mirror of
https://github.com/h3xduck/TripleCross.git
synced 2025-12-27 03:43:09 +08:00
Completed motivation
@@ -335,10 +335,12 @@ These rootkits are usually the most attractive (and difficult to build) option f
Historically, kernel-mode rootkits have been tightly associated with espionage activities on governments and research institutes by Advanced Persistent Threat (APT) groups\cite{rootkit_ptsecurity}, state-sponsored or criminal organizations specialized on long-term operations to gather intelligence and gain unauthorized persistent access to computer systems. Although rootkits' functionality is tailored for each specific attack, a common set of techniques and procedures can be identified being used by these organizations. However, during the last years, a new technology called eBPF has been found to be the target of the latest innovation on the development of rootkits.
%eBPF is
eBPF is a technology incorporated in the 3.18 version of the Linux kernel\cite{ebpf_linux318}, which provides the possibility of running code in the kernel without the need of loading a kernel module. Programs are created in a restrictive version of the C language and compiled into eBPF bytecode, which is loaded into the kernel via a new bpf() system call. After a mandatory step of verification by the kernel in which the code is checked to be safe to run, the bytecode is compiled into native machine instructions. These programs can then get access to kernel-exclusive functionalities including network traffic filtering, system calls hooking or tracing.
Although eBPF has built an outstanding environment for the creation of networking and tracing tools, its ability to run kernel programs without the need to load a kernel module has attracted the attention of multiple APTs. In fact, on February 2022, the Chinese security team Pangu Lab reported about a NSA backdoor that remained unnoticed from 2013 that uses eBPF for its networking functionality and that infected telecommunications, scientific and military systems worldwide\cite{bvp47_report}. More recently, PwC reports about a China-based threat actor that has targeted telecommunications systems with a eBPF-based backdoor\cite{bpfdoor_pwc}.
Taking all the previous background into account, and attending to the previous work on this matter by Jeff Dileo from NCC Group at DEFCON 27\cite{evil_ebpf} and by Guillaume Fournier and Sylvain Afchainthe from Datadog at DEFCON 29\cite{ebpf_friends}, we can confidently claim that there is a growing interest on researching the capabilities of eBPF in the context of offensive security, in particular given its potential on becoming a common component of modern rootkits. Additionally, there currently exists official efforts to extend the eBPF technology into Windows\cite{ebpf_windows} and Android systems\cite{ebpf_android}, which extends the mentioned risks to new platforms.
%On February 2022, the Chinese security team Pangu Lab reported about a NSA backdoor that uses eBPF
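Review bot: the DEFCON 29 attribution reads "Sylvain Afchainthe", which looks like the surname "Afchain" with the following word fused into it; split it so the sentence reads "Guillaume Fournier and Sylvain Afchain from Datadog at DEFCON 29\cite{ebpf_friends}". Several smaller grammar points in the same paragraphs: "on February 2022" should be "in February 2022", "reported about a NSA backdoor" should be "reported an NSA backdoor", "a eBPF-based backdoor" should be "an eBPF-based backdoor", "interest on researching" should be "interest in researching", and "there currently exists official efforts" should be "there currently exist official efforts". In the eBPF definition paragraph, "the bytecode is compiled into native machine instructions" states more than the kernel guarantees: JIT compilation is optional (it depends on kernel configuration and the net.core.bpf_jit_enable sysctl), and verified bytecode is otherwise executed by the in-kernel interpreter, so "is compiled into native machine instructions where the JIT is enabled, or interpreted otherwise" would be more accurate for a paper that later builds on this behaviour. Finally, since that paragraph defines eBPF specifically as bytecode loaded through the bpf() system call, it is worth confirming against the cited reports that BVP47 and the PwC-reported backdoor actually load eBPF programs rather than attaching classic BPF socket filters, and saying so explicitly, because the distinction matters for the rootkit argument and "eBPF-based" may otherwise overclaim.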