{"id":"https://openalex.org/W4415222958","doi":"https://doi.org/10.1109/cns66487.2025.11194984","title":"We're eBPF'd: Exploring Adversarial Manipulation of ELF Files in eBPF-Based Programmable Network Stacks","display_name":"We're eBPF'd: Exploring Adversarial Manipulation of ELF Files in eBPF-Based Programmable Network Stacks","publication_year":2025,"publication_date":"2025-09-08","ids":{"openalex":"https://openalex.org/W4415222958","doi":"https://doi.org/10.1109/cns66487.2025.11194984"},"language":"en","primary_location":{"id":"doi:10.1109/cns66487.2025.11194984","is_oa":false,"landing_page_url":"https://doi.org/10.1109/cns66487.2025.11194984","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 IEEE Conference on Communications and Network Security (CNS)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://eprints.gla.ac.uk/360134/1/360134.pdf","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5011308607","display_name":"Joe Rose","orcid":null},"institutions":[{"id":"https://openalex.org/I7882870","display_name":"University of Glasgow","ror":"https://ror.org/00vtgdb53","country_code":"GB","type":"education","lineage":["https://openalex.org/I7882870"]}],"countries":["GB"],"is_corresponding":true,"raw_author_name":"Joe Rose","raw_affiliation_strings":["School of Computing Science, University of Glasgow,Glasgow,Scotland"],"affiliations":[{"raw_affiliation_string":"School of Computing Science, University of Glasgow,Glasgow,Scotland","institution_ids":["https://openalex.org/I7882870"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5091479151","display_name":"Marco M. Cook","orcid":"https://orcid.org/0000-0002-5232-2381"},"institutions":[{"id":"https://openalex.org/I7882870","display_name":"University of Glasgow","ror":"https://ror.org/00vtgdb53","country_code":"GB","type":"education","lineage":["https://openalex.org/I7882870"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Marco M. Cook","raw_affiliation_strings":["School of Computing Science, University of Glasgow,Glasgow,Scotland"],"affiliations":[{"raw_affiliation_string":"School of Computing Science, University of Glasgow,Glasgow,Scotland","institution_ids":["https://openalex.org/I7882870"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5024496615","display_name":"Filip Hol\u00edk","orcid":"https://orcid.org/0000-0001-6595-0419"},"institutions":[{"id":"https://openalex.org/I7882870","display_name":"University of Glasgow","ror":"https://ror.org/00vtgdb53","country_code":"GB","type":"education","lineage":["https://openalex.org/I7882870"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Filip Holik","raw_affiliation_strings":["School of Computing Science, University of Glasgow,Glasgow,Scotland"],"affiliations":[{"raw_affiliation_string":"School of Computing Science, University of Glasgow,Glasgow,Scotland","institution_ids":["https://openalex.org/I7882870"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5021350142","display_name":"Dimitrios P. Pezaros","orcid":"https://orcid.org/0000-0003-0939-378X"},"institutions":[{"id":"https://openalex.org/I7882870","display_name":"University of Glasgow","ror":"https://ror.org/00vtgdb53","country_code":"GB","type":"education","lineage":["https://openalex.org/I7882870"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Dimitrios Pezaros","raw_affiliation_strings":["School of Computing Science, University of Glasgow,Glasgow,Scotland"],"affiliations":[{"raw_affiliation_string":"School of Computing Science, University of Glasgow,Glasgow,Scotland","institution_ids":["https://openalex.org/I7882870"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5011308607"],"corresponding_institution_ids":["https://openalex.org/I7882870"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.38146224,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"1","last_page":"9"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.992900013923645,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.992900013923645,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9914000034332275,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.98089998960495,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/testbed","display_name":"Testbed","score":0.6983000040054321},{"id":"https://openalex.org/keywords/network-packet","display_name":"Network packet","score":0.6101999878883362},{"id":"https://openalex.org/keywords/stateful-firewall","display_name":"Stateful firewall","score":0.5813000202178955},{"id":"https://openalex.org/keywords/executable","display_name":"Executable","score":0.5644999742507935},{"id":"https://openalex.org/keywords/forwarding-plane","display_name":"Forwarding plane","score":0.5162000060081482},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.5144000053405762},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.4212999939918518},{"id":"https://openalex.org/keywords/enhanced-data-rates-for-gsm-evolution","display_name":"Enhanced Data Rates for GSM Evolution","score":0.41190001368522644},{"id":"https://openalex.org/keywords/packet-processing","display_name":"Packet processing","score":0.38600000739097595},{"id":"https://openalex.org/keywords/address-space","display_name":"Address space","score":0.3776000142097473}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7940999865531921},{"id":"https://openalex.org/C31395832","wikidata":"https://www.wikidata.org/wiki/Q1318674","display_name":"Testbed","level":2,"score":0.6983000040054321},{"id":"https://openalex.org/C158379750","wikidata":"https://www.wikidata.org/wiki/Q214111","display_name":"Network packet","level":2,"score":0.6101999878883362},{"id":"https://openalex.org/C22927095","wikidata":"https://www.wikidata.org/wiki/Q1784206","display_name":"Stateful firewall","level":3,"score":0.5813000202178955},{"id":"https://openalex.org/C160145156","wikidata":"https://www.wikidata.org/wiki/Q778586","display_name":"Executable","level":2,"score":0.5644999742507935},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.5350000262260437},{"id":"https://openalex.org/C10597312","wikidata":"https://www.wikidata.org/wiki/Q5473302","display_name":"Forwarding plane","level":3,"score":0.5162000060081482},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.5144000053405762},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.44830000400543213},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.4212999939918518},{"id":"https://openalex.org/C162307627","wikidata":"https://www.wikidata.org/wiki/Q204833","display_name":"Enhanced Data Rates for GSM Evolution","level":2,"score":0.41190001368522644},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.40700000524520874},{"id":"https://openalex.org/C2779581428","wikidata":"https://www.wikidata.org/wiki/Q7122997","display_name":"Packet processing","level":3,"score":0.38600000739097595},{"id":"https://openalex.org/C144240696","wikidata":"https://www.wikidata.org/wiki/Q367204","display_name":"Address space","level":2,"score":0.3776000142097473},{"id":"https://openalex.org/C26713055","wikidata":"https://www.wikidata.org/wiki/Q245962","display_name":"Implementation","level":2,"score":0.36959999799728394},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.3637000024318695},{"id":"https://openalex.org/C77270119","wikidata":"https://www.wikidata.org/wiki/Q1655198","display_name":"Software-defined networking","level":2,"score":0.35589998960494995},{"id":"https://openalex.org/C126831891","wikidata":"https://www.wikidata.org/wiki/Q221673","display_name":"Host (biology)","level":2,"score":0.3546000123023987},{"id":"https://openalex.org/C74366991","wikidata":"https://www.wikidata.org/wiki/Q2755335","display_name":"Network processor","level":3,"score":0.3495999872684479},{"id":"https://openalex.org/C159631557","wikidata":"https://www.wikidata.org/wiki/Q1546066","display_name":"Networking hardware","level":2,"score":0.3400999903678894},{"id":"https://openalex.org/C182590292","wikidata":"https://www.wikidata.org/wiki/Q989632","display_name":"Network security","level":2,"score":0.3310000002384186},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.3197000026702881},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.2969000041484833},{"id":"https://openalex.org/C77714075","wikidata":"https://www.wikidata.org/wiki/Q5452017","display_name":"Firewall (physics)","level":5,"score":0.2962000072002411},{"id":"https://openalex.org/C153083717","wikidata":"https://www.wikidata.org/wiki/Q6535263","display_name":"Leverage (statistics)","level":2,"score":0.289900004863739},{"id":"https://openalex.org/C105339364","wikidata":"https://www.wikidata.org/wiki/Q2297740","display_name":"Software deployment","level":2,"score":0.2766999900341034},{"id":"https://openalex.org/C120314980","wikidata":"https://www.wikidata.org/wiki/Q180634","display_name":"Distributed computing","level":1,"score":0.2728999853134155},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.27070000767707825},{"id":"https://openalex.org/C33762810","wikidata":"https://www.wikidata.org/wiki/Q461671","display_name":"Data integrity","level":2,"score":0.265500009059906},{"id":"https://openalex.org/C199519371","wikidata":"https://www.wikidata.org/wiki/Q942695","display_name":"Source lines of code","level":3,"score":0.2603999972343445},{"id":"https://openalex.org/C162319229","wikidata":"https://www.wikidata.org/wiki/Q175263","display_name":"Data structure","level":2,"score":0.2581999897956848},{"id":"https://openalex.org/C138236772","wikidata":"https://www.wikidata.org/wiki/Q25098575","display_name":"Edge device","level":3,"score":0.25360000133514404},{"id":"https://openalex.org/C2777062904","wikidata":"https://www.wikidata.org/wiki/Q545406","display_name":"Toolchain","level":3,"score":0.2533000111579895}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1109/cns66487.2025.11194984","is_oa":false,"landing_page_url":"https://doi.org/10.1109/cns66487.2025.11194984","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 IEEE Conference on Communications and Network Security (CNS)","raw_type":"proceedings-article"},{"id":"pmh:oai:eprints.gla.ac.uk:360134","is_oa":true,"landing_page_url":"https://eprints.gla.ac.uk/360134/1/360134.pdf","pdf_url":null,"source":{"id":"https://openalex.org/S4210235606","display_name":"ENLIGHTEN (Jurnal Bimbingan dan Konseling Islam)","issn_l":"2622-8912","issn":["2622-8912","2622-8920"],"is_oa":true,"is_in_doaj":true,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"journal"},"license":"cc-by-sa","license_id":"https://openalex.org/licenses/cc-by-sa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"PeerReviewed"}],"best_oa_location":{"id":"pmh:oai:eprints.gla.ac.uk:360134","is_oa":true,"landing_page_url":"https://eprints.gla.ac.uk/360134/1/360134.pdf","pdf_url":null,"source":{"id":"https://openalex.org/S4210235606","display_name":"ENLIGHTEN (Jurnal Bimbingan dan Konseling Islam)","issn_l":"2622-8912","issn":["2622-8912","2622-8920"],"is_oa":true,"is_in_doaj":true,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"journal"},"license":"cc-by-sa","license_id":"https://openalex.org/licenses/cc-by-sa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"PeerReviewed"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":26,"referenced_works":["https://openalex.org/W1573161722","https://openalex.org/W1994342242","https://openalex.org/W2001128841","https://openalex.org/W2108104525","https://openalex.org/W2345846953","https://openalex.org/W2607983412","https://openalex.org/W2612997776","https://openalex.org/W2790865812","https://openalex.org/W2816958343","https://openalex.org/W2973100365","https://openalex.org/W3011196476","https://openalex.org/W3012454270","https://openalex.org/W3022696292","https://openalex.org/W3082741490","https://openalex.org/W3096663727","https://openalex.org/W3106738334","https://openalex.org/W3205859170","https://openalex.org/W4289655071","https://openalex.org/W4308642904","https://openalex.org/W4311032089","https://openalex.org/W4385192336","https://openalex.org/W4386243279","https://openalex.org/W4387886135","https://openalex.org/W4402272547","https://openalex.org/W4407638986","https://openalex.org/W4411688763"],"related_works":[],"abstract_inverted_index":{"Programmable":[0],"Data":[1],"Planes":[2],"(PDP)":[3],"have":[4,22],"enabled":[5,84],"customised":[6],"per-packet":[7],"forwarding":[8],"behaviour":[9],"deployed":[10],"directly":[11],"on":[12],"programmable":[13],"silicon.":[14],"While":[15],"the":[16,59,70,79,87,96,106,117,123,136,162,178],"widely":[17],"studied":[18],"P4":[19],"data":[20,26,71],"planes":[21],"proven":[23],"highly-effective":[24],"for":[25,55,156],"centre":[27],"environments,":[28],"they":[29],"lack":[30,88],"flexible":[31],"and":[32,40,63,95,116,147,170],"stateful":[33],"functionality,":[34],"particularly":[35],"needed":[36],"in":[37,153,183,191],"edge":[38],"device":[39],"host":[41],"networking":[42],"environments.":[43],"eBPF":[44,126,154],"is":[45],"currently":[46],"getting":[47],"significant":[48],"traction":[49],"as":[50],"a":[51,185,188],"network":[52,132,192],"programmability":[53,83],"alternative":[54],"such":[56],"environments":[57],"through":[58,85,165,187],"deployment":[60],"of":[61,81,89,98,125,138,150,180],"Executable":[62],"Linkable":[64],"Format":[65],"(ELF)":[66],"files":[67,152],"to":[68,104,130],"define":[69],"plane":[72],"behaviour.":[73],"However,":[74],"security":[75],"concerns":[76],"arise":[77],"from":[78],"combination":[80],"high":[82],"eBPF,":[86],"integrity":[90],"checking":[91],"within":[92,122],"ELF":[93,113,151],"files,":[94],"exposure":[97],"southbound":[99],"interfaces":[100],"(node-local":[101],"or":[102],"network-wide)":[103],"control":[105],"PDP.":[107],"In":[108],"this":[109],"paper,":[110],"we":[111],"investigate":[112],"file":[114],"manipulation":[115,146],"derived":[118],"novel":[119],"attack":[120,141],"vectors":[121],"context":[124],"software":[127],"PDP":[128,157],"implementations":[129],"disrupt":[131],"operations.":[133],"We":[134,160],"demonstrate":[135],"efficacy":[137],"four":[139],"proposed":[140],"types":[142],"that":[143],"target":[144],"binary":[145],"runtime":[148],"injection":[149],"programs":[155],"packet":[158],"management.":[159],"evaluate":[161],"adversarial":[163],"effects":[164],"an":[166],"emulated":[167],"testbed":[168],"environment,":[169],"discuss":[171],"practical":[172],"countermeasures.":[173],"Our":[174],"primary":[175],"results":[176],"indicate":[177],"effectiveness":[179],"these":[181],"attacks":[182],"creating":[184],"denial-of-service":[186],"100%":[189],"increase":[190],"packets":[193],"across":[194],"all":[195],"nodes.":[196]},"counts_by_year":[],"updated_date":"2026-03-07T16:01:11.037858","created_date":"2025-10-16T00:00:00"}