{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T04:12:24Z","timestamp":1750219944141,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":30,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,9,10]],"date-time":"2023-09-10T00:00:00Z","timestamp":1694304000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100012166","name":"National Key Research and Development Program of China","doi-asserted-by":"publisher","award":["2022YFB3104900"],"award-info":[{"award-number":["2022YFB3104900"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,9,10]]},"DOI":"10.1145\/3609021.3609305","type":"proceedings-article","created":{"date-parts":[[2023,8,18]],"date-time":"2023-08-18T17:13:20Z","timestamp":1692378800000},"page":"28-34","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["Seeing the Invisible: Auditing eBPF Programs in Hypervisor with HyperBee"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0008-8451-600X","authenticated-orcid":false,"given":"Yutian","family":"Wang","sequence":"first","affiliation":[{"name":"Tsinghua University, Beijing, China"},{"name":"Tsinghua Shenzhen International Graduate School, Shenzhen, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7581-8865","authenticated-orcid":false,"given":"Dan","family":"Li","sequence":"additional","affiliation":[{"name":"Tsinghua University, Beijing, China"},{"name":"Zhongguancun Laboratory, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4228-7885","authenticated-orcid":false,"given":"Li","family":"Chen","sequence":"additional","affiliation":[{"name":"Zhongguancun Laboratory, Beijing, China"}]}],"member":"320","published-online":{"date-parts":[[2023,9,10]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2015. BPF Compiler Collection (BCC). https:\/\/github.com\/iovisor\/bcc  2015. BPF Compiler Collection (BCC). https:\/\/github.com\/iovisor\/bcc"},{"key":"e_1_3_2_1_2_1","unstructured":"2018. Miscellaneous eBPF Tooling. https:\/\/github.com\/nccgroup\/ebpf  2018. Miscellaneous eBPF Tooling. https:\/\/github.com\/nccgroup\/ebpf"},{"key":"e_1_3_2_1_3_1","unstructured":"2019. bpftrace. https:\/\/bpftrace.org\/  2019. bpftrace. https:\/\/bpftrace.org\/"},{"key":"e_1_3_2_1_4_1","unstructured":"2019. PREVAIL. https:\/\/github.com\/vbpf\/ebpf-verifier  2019. PREVAIL. https:\/\/github.com\/vbpf\/ebpf-verifier"},{"key":"e_1_3_2_1_5_1","unstructured":"2020. Bad BPF. https:\/\/github.com\/pathtofile\/bad-bpf  2020. Bad BPF. https:\/\/github.com\/pathtofile\/bad-bpf"},{"key":"e_1_3_2_1_6_1","unstructured":"2021. eBPF for Windows. https:\/\/github.com\/microsoft\/ebpf-for-windows  2021. eBPF for Windows. https:\/\/github.com\/microsoft\/ebpf-for-windows"},{"key":"e_1_3_2_1_7_1","unstructured":"2021. eBPFKit. https:\/\/github.com\/Gui774ume\/ebpfkit  2021. eBPFKit. https:\/\/github.com\/Gui774ume\/ebpfkit"},{"key":"e_1_3_2_1_8_1","unstructured":"2021. eBPFKit Monitor. https:\/\/github.com\/Gui774ume\/ebpfkit-monitor  2021. eBPFKit Monitor. https:\/\/github.com\/Gui774ume\/ebpfkit-monitor"},{"key":"e_1_3_2_1_9_1","unstructured":"2022. BoopKit. https:\/\/github.com\/krisnova\/boopkit  2022. BoopKit. https:\/\/github.com\/krisnova\/boopkit"},{"key":"e_1_3_2_1_10_1","unstructured":"2022. Bvp47: Top-tier Backdoor of US NSA Equation Group. https:\/\/www.pangulab.cn\/files\/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf  2022. Bvp47: Top-tier Backdoor of US NSA Equation Group. https:\/\/www.pangulab.cn\/files\/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf"},{"key":"e_1_3_2_1_11_1","unstructured":"2022. Cyber Threats 2021: A Year in Retrospect. https:\/\/www.pwc.com\/gx\/en\/issues\/cybersecurity\/cyber-threat-intelligence\/cyber-year-in-retrospect\/yir-cyber-threats-report-download.pdf  2022. Cyber Threats 2021: A Year in Retrospect. https:\/\/www.pwc.com\/gx\/en\/issues\/cybersecurity\/cyber-threat-intelligence\/cyber-year-in-retrospect\/yir-cyber-threats-report-download.pdf"},{"key":"e_1_3_2_1_12_1","unstructured":"2022. TripleCross. https:\/\/github.com\/h3xduck\/TripleCross  2022. TripleCross. https:\/\/github.com\/h3xduck\/TripleCross"},{"key":"e_1_3_2_1_13_1","unstructured":"2023. BPF Samples in Kernel 5.10 Source Tree. https:\/\/git.kernel.org\/pub\/scm\/linux\/kernel\/git\/stable\/linux.git\/tree\/samples\/bpf?h=v5.10  2023. BPF Samples in Kernel 5.10 Source Tree. https:\/\/git.kernel.org\/pub\/scm\/linux\/kernel\/git\/stable\/linux.git\/tree\/samples\/bpf?h=v5.10"},{"key":"e_1_3_2_1_14_1","unstructured":"2023. BPF Type Format (BTF). https:\/\/docs.kernel.org\/bpf\/btf.html  2023. BPF Type Format (BTF). https:\/\/docs.kernel.org\/bpf\/btf.html"},{"key":"e_1_3_2_1_15_1","unstructured":"2023. Cilium: eBPF-based Networking Observability Security. https:\/\/cilium.io\/  2023. Cilium: eBPF-based Networking Observability Security. https:\/\/cilium.io\/"},{"key":"e_1_3_2_1_16_1","unstructured":"2023. eBPF verifier. https:\/\/docs.kernel.org\/bpf\/verifier.html  2023. eBPF verifier. https:\/\/docs.kernel.org\/bpf\/verifier.html"},{"key":"e_1_3_2_1_17_1","unstructured":"2023. Falco. https:\/\/falco.org\/  2023. Falco. https:\/\/falco.org\/"},{"key":"e_1_3_2_1_18_1","unstructured":"2023. Katran. https:\/\/github.com\/facebookincubator\/katran  2023. Katran. https:\/\/github.com\/facebookincubator\/katran"},{"key":"e_1_3_2_1_19_1","unstructured":"2023. Pixie. https:\/\/px.dev\/  2023. Pixie. https:\/\/px.dev\/"},{"key":"e_1_3_2_1_20_1","unstructured":"2023. Virtio: Paravirtualized drivers for KVM\/Linux. https:\/\/www.linux-kvm.org\/page\/Virtio  2023. Virtio: Paravirtualized drivers for KVM\/Linux. https:\/\/www.linux-kvm.org\/page\/Virtio"},{"key":"e_1_3_2_1_21_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Barberis Enrico","year":"2022","unstructured":"Enrico Barberis , Pietro Frigo , Marius Muench , Herbert Bos , and Cristiano Giuffrida . 2022 . Branch History Injection: On the Effectiveness of Hardware Mitigations Against Cross-Privilege Spectre-v2 Attacks . In 31st USENIX Security Symposium (USENIX Security 22) . USENIX Association, Boston, MA, 971--988. https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/barberis Enrico Barberis, Pietro Frigo, Marius Muench, Herbert Bos, and Cristiano Giuffrida. 2022. Branch History Injection: On the Effectiveness of Hardware Mitigations Against Cross-Privilege Spectre-v2 Attacks. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA, 971--988. https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/barberis"},{"key":"e_1_3_2_1_22_1","unstructured":"Jonathan Corbet. 2021. Toward signed BPF programs. https:\/\/lwn.net\/Articles\/853489\/  Jonathan Corbet. 2021. Toward signed BPF programs. https:\/\/lwn.net\/Articles\/853489\/"},{"key":"e_1_3_2_1_23_1","unstructured":"Jeff Dileo. 2019. Evil eBPF: Practical Abuses of an In-Kernel Bytecode Runtime. https:\/\/defcon.org\/html\/defcon-27\/dc-27-speakers.html#Dileo  Jeff Dileo. 2019. Evil eBPF: Practical Abuses of an In-Kernel Bytecode Runtime. https:\/\/defcon.org\/html\/defcon-27\/dc-27-speakers.html#Dileo"},{"key":"e_1_3_2_1_24_1","unstructured":"Jeff Dileo and Andy Olsen. 2018. Kernel Tracing With eBPF: Unlocking God Mode on Linux. https:\/\/berlin-ak.ftp.media.ccc.de\/congress\/2018\/slides-pdf\/35c3-9532-kernel_tracing_with_ebpf.pdf  Jeff Dileo and Andy Olsen. 2018. Kernel Tracing With eBPF: Unlocking God Mode on Linux. https:\/\/berlin-ak.ftp.media.ccc.de\/congress\/2018\/slides-pdf\/35c3-9532-kernel_tracing_with_ebpf.pdf"},{"key":"e_1_3_2_1_25_1","unstructured":"Guillaume Fournier Sylvain Afchain and Sylvain Baubeau. 2021. eBPF I thought we were friends! https:\/\/defcon.org\/html\/defcon-29\/dc-29-speakers.html#fournier  Guillaume Fournier Sylvain Afchain and Sylvain Baubeau. 2021. eBPF I thought we were friends! https:\/\/defcon.org\/html\/defcon-29\/dc-29-speakers.html#fournier"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/3314221.3314590"},{"key":"e_1_3_2_1_27_1","volume-title":"Warping Reality: Creating and countering the next generation of Linux rootkits using eBPF. https:\/\/defcon.org\/html\/defcon-29\/dc-29-speakers.html#path","author":"Hogan Pat","year":"2021","unstructured":"Pat Hogan . 2021 . Warping Reality: Creating and countering the next generation of Linux rootkits using eBPF. https:\/\/defcon.org\/html\/defcon-29\/dc-29-speakers.html#path Pat Hogan. 2021. Warping Reality: Creating and countering the next generation of Linux rootkits using eBPF. https:\/\/defcon.org\/html\/defcon-29\/dc-29-speakers.html#path"},{"key":"e_1_3_2_1_28_1","volume-title":"Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat. https:\/\/blogs.blackberry.com\/en\/2022\/06\/symbiote-a-new-nearly-impossible-to-detect-linux-threat","author":"Kennedy Joakim","year":"2022","unstructured":"Joakim Kennedy . 2022 . Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat. https:\/\/blogs.blackberry.com\/en\/2022\/06\/symbiote-a-new-nearly-impossible-to-detect-linux-threat Joakim Kennedy. 2022. Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat. https:\/\/blogs.blackberry.com\/en\/2022\/06\/symbiote-a-new-nearly-impossible-to-detect-linux-threat"},{"key":"e_1_3_2_1_29_1","volume-title":"An Analysis of Speculative Type Confusion Vulnerabilities in the Wild. In 30th USENIX Security Symposium (USENIX Security 21)","author":"Kirzner Ofek","year":"2021","unstructured":"Ofek Kirzner and Adam Morrison . 2021 . An Analysis of Speculative Type Confusion Vulnerabilities in the Wild. In 30th USENIX Security Symposium (USENIX Security 21) . USENIX Association, 2399--2416. https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/kirzner Ofek Kirzner and Adam Morrison. 2021. An Analysis of Speculative Type Confusion Vulnerabilities in the Wild. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, 2399--2416. https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/kirzner"},{"key":"e_1_3_2_1_30_1","unstructured":"Marcos Sanchez. 2022. An analysis of offensive capabilities of eBPF and implementation of a rootkit. Bachelor Thesis.  Marcos Sanchez. 2022. An analysis of offensive capabilities of eBPF and implementation of a rootkit. Bachelor Thesis."}],"event":{"name":"eBPF '23: 1st Workshop on eBPF and Kernel Extensions","sponsor":["SIGCOMM ACM Special Interest Group on Data Communication"],"location":"New York NY USA","acronym":"eBPF '23"},"container-title":["Proceedings of the 1st Workshop on eBPF and Kernel Extensions"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3609021.3609305","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:48:57Z","timestamp":1750182537000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3609021.3609305"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,9,10]]},"references-count":30,"alternative-id":["10.1145\/3609021.3609305","10.1145\/3609021"],"URL":"https:\/\/doi.org\/10.1145\/3609021.3609305","relation":{},"subject":[],"published":{"date-parts":[[2023,9,10]]},"assertion":[{"value":"2023-09-10","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}