Network Working Group A. Surtees Request for Comments: 4465 M. West Category: Informational Siemens/Roke Manor Research June 2006
Signaling Compression (SigComp) Torture Tests
Status of This Memo
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document provides a set of "torture tests" for implementers of the Signaling Compression (SigComp) protocol. The torture tests check each of the SigComp Universal Decompressor Virtual Machine instructions in turn, focusing in particular on the boundary and error cases that are not generally encountered when running well-behaved compression algorithms. Tests are also provided for other SigComp entities such as the dispatcher and the state handler.
Surtees & West Informational [Page 1]
RFC 4465 SigComp Torture Tests June 2006
Table of Contents
1. Introduction ....................................................3 2. Torture Tests for UDVM ..........................................4 2.1. Bit Manipulation ...........................................4 2.2. Arithmetic .................................................5 2.3. Sorting ....................................................7 2.4. SHA-1 ......................................................8 2.5. LOAD and MULTILOAD .........................................9 2.6. COPY ......................................................11 2.7. COPY-LITERAL and COPY-OFFSET ..............................12 2.8. MEMSET ....................................................14 2.9. CRC .......................................................15 2.10. INPUT-BITS ...............................................16 2.11. INPUT-HUFFMAN ............................................17 2.12. INPUT-BYTES ..............................................19 2.13. Stack Manipulation .......................................20 2.14. Program Flow .............................................22 2.15. State Creation ...........................................23 2.16. STATE-ACCESS .............................................26 3. Torture Tests for Dispatcher ...................................28 3.1. Useful Values .............................................28 3.2. Cycles Checking ...........................................31 3.3. Message-based Transport ...................................32 3.4. Stream-based Transport ....................................34 3.5. Input Past the End of a Message ...........................36 4. Torture Tests for State Handler ................................38 4.1. SigComp Feedback Mechanism ................................38 4.2. State Memory Management ...................................41 4.3. Multiple Compartments .....................................44 4.4. Accessing RFC 3485 State ..................................49 4.5. Bytecode State Creation ...................................50 5. Security Considerations ........................................53 6. Acknowledgements ...............................................53 7. Normative References ...........................................53 Appendix A. UDVM Bytecode for the Torture Tests ..................54 A.1. Instructions ..............................................54 A.1.1. Bit Manipulation ...................................54 A.1.2. Arithmetic .........................................55 A.1.3. Sorting ............................................55 A.1.4. SHA-1 ..............................................56 A.1.5. LOAD and MULTILOAD .................................56 A.1.6. COPY ...............................................56 A.1.7. COPY-LITERAL and COPY-OFFSET .......................57 A.1.8. MEMSET .............................................57 A.1.9. CRC ................................................57 A.1.10. INPUT-BITS ........................................57 A.1.11. INPUT-HUFFMAN .....................................58
Surtees & West Informational [Page 2]
RFC 4465 SigComp Torture Tests June 2006
A.1.12. INPUT-BYTES .......................................58 A.1.13. Stack Manipulation ................................58 A.1.14. Program Flow ......................................59 A.1.15. State Creation ....................................59 A.1.16. STATE-ACCESS ......................................60 A.2. Dispatcher Tests ..........................................61 A.2.1. Useful Values ......................................61 A.2.2. Cycles Checking ...................................62 A.2.3. Message-based Transport ............................62 A.2.4. Stream-based Transport .............................62 A.2.5. Input Past the End of a Message ....................63 A.3. State Handler Tests .......................................64 A.3.1. SigComp Feedback Mechanism .........................64 A.3.2. State Memory Management ............................64 A.3.3. Multiple Compartments ..............................65 A.3.4. Accessing RFC 3485 State ...........................66 A.3.5. Bytecode State Creation ............................66
This document provides a set of "torture tests" for implementers of the SigComp protocol, RFC 3320 [2]. The idea behind SigComp is to standardize a Universal Decompressor Virtual Machine (UDVM) that can be programmed to understand the output of many well-known compressors including DEFLATE and LZW. The bytecode for the chosen decompressor is uploaded to the UDVM as part of the SigComp message flow.
The SigComp User's Guide [1] gives examples of a number of different algorithms that can be used by the SigComp protocol. However, the bytecode for the corresponding decompressors is relatively well behaved and does not test the boundary and error cases that may potentially be exploited by malicious SigComp messages.
This document is divided into a number of sections, each containing a piece of code designed to test a particular function of one of the SigComp entities (UDVM, dispatcher, and state handler). The specific boundary and error cases tested by the bytecode are also listed, as are the output the code should produce and the number of UDVM cycles that should be used.
Each test runs in the SigComp minimum decompression memory size (that is, 2K), within the minimum number of cycles per bit (that is, 16) and in tests where state is stored 2K state memory size is needed.
The following sections each provide code to test one or more UDVM instructions. In the interests of readability, the code is given using the SigComp assembly language: a description of how to convert this assembly code into UDVM bytecode can be found in the SigComp User's Guide [1].
The raw UDVM bytecode for each torture test is given in Appendix A.
Each section also lists the number of UDVM cycles required to execute the code. Note that this figure only takes into account the cost of executing each UDVM instruction (in particular, it ignores the fact that the UDVM can gain extra cycles as a result of inputting more data).
This section gives assembly code to test the AND, OR, NOT, LSHIFT, and RSHIFT instructions. When the instructions have a multitype operand, the code tests the case where the multitype contains a fixed integer value, and the case where it contains a memory address at which the 2-byte operand value can be found. In addition, the code is designed to test that the following boundary cases have been correctly implemented:
1. The instructions overwrite themselves with the result of the bit manipulation operation, in which case execution continues normally.
2. The LSHIFT or RSHIFT instructions shift bits beyond the 2-byte boundary, in which case the bits must be discarded.
3. The UDVM registers byte_copy_left and byte_copy_right are used to store the results of the bit manipulation operations. Since no byte copying is taking place, these registers should behave in exactly the same manner as ordinary UDVM memory addresses.
Surtees & West Informational [Page 4]
RFC 4465 SigComp Torture Tests June 2006
at (64)
:a pad (2) :b pad (2)
at (128)
JUMP (start) ; Jump to address 255
at (255)
:start
; The multitypes are values ; $start = 448 (first 2 bytes of AND instr) AND ($start, 21845) ; 448 & 21845 = 320 = 0x0140 OR ($a, 42) ; 0 | 42 = 42 = 0x002a NOT ($b) ; ~0 = 65535 = 0xffff LSHIFT ($a, 3) ; 42 << 3 = 336 = 0x0150 RSHIFT ($b, 65535) ; 65535 >> 65535 = 0 = 0x0000
This section gives assembly code to test the ADD, SUBTRACT, MULTIPLY, DIVIDE, and REMAINDER instructions. The code is designed to test that the following boundary cases have been correctly implemented:
1. The instructions overwrite themselves with the result of the arithmetic operation, resulting in continuation as if the bytes were not bytecode.
Surtees & West Informational [Page 5]
RFC 4465 SigComp Torture Tests June 2006
2. The result does not lie between 0 and 2^16 - 1 inclusive, in which case it must be taken modulo 2^16.
3. The divisor in the DIVIDE or REMAINDER instructions is 0 (in which case decompression failure must occur).
at (64)
:a pad (2) :b pad (2) :type pad (1) :type_lsb pad (1)
; If the message is 0x01, $type = 0 ; so decompression failure occurs at ; REMAINDER ($b, $type)
; If the message is 0x02, $type = 1 so ; $b becomes 0 and decompression failure ; occurs at DIVIDE ($a, $b)
END-MESSAGE (0, 0, 0, 0, 0, 0, 0)
If the compressed message is 0x00, then the output of the code is 0x0000 0000 0000 0004 and the execution cost should be 25 UDVM cycles. However, if the compressed message is 0x01 or 0x02, then decompression failure occurs.
This section gives assembly code to test the SORT-ASCENDING and SORT- DESCENDING instructions. The code is designed to test that the following boundary cases have been correctly implemented:
1. The sorting instructions sort integers with the same value, in which case the original ordering of the integers must be preserved.
The output of the code is 0x466f 7264 2c20 796f 7527 7265 2074 7572 6e69 6e67 2069 6e74 6f20 6120 7065 6e67 7569 6e2e 2053 746f 7020 6974 2e, and the number of cycles required is 371.
This section gives assembly code to test the SHA-1 instruction. The code performs four tests on the SHA-1 algorithm itself and, in addition, checks the following boundary cases specific to the UDVM:
1. The input string for the SHA-1 hash is obtained by byte copying over an area of the UDVM memory.
2. The SHA-1 hash overwrites its own input string.
at (64)
:byte_copy_left pad (2) :byte_copy_right pad (2) :hash_value pad (20)
Consequently, after the first MULTILOAD the values of $start are the following:
Input $start before 2nd MULTILOAD 0x00 128 0x01 overlap_end = 177 = last byte of 2nd MULTILOAD instruction 0x02 overlap_start = 162 = 7 bytes before 2nd MULTILOAD instruction
Surtees & West Informational [Page 10]
RFC 4465 SigComp Torture Tests June 2006
Consequently, execution of the 2nd MULTILOAD (and any remaining code) gives the following:
Input Outcome 0x00 MULTILOAD reads and writes operand by operand. The output is 0x0084 0084 0086 0086 002a 0080 002a 002a, and the cost of executing the code is 36 UDVM cycles.
0x01 The first write of the MULTILOAD instruction would overwrite the last byte of the final MULTILOAD operand, so decompression failure occurs.
0x02 The last write of the MULTILOAD would overwrite the MULTILOAD opcode, so decompression failure occurs.
This section gives assembly code to test the COPY instruction. The code is designed to test that the following boundary cases have been correctly implemented:
1. The COPY instruction copies data from both outside the circular buffer and inside the circular buffer within the same operation.
2. The COPY instruction performs byte-by-byte copying (i.e., some of the later bytes to be copied are themselves written into the UDVM memory by the COPY instruction currently being executed).
3. The COPY instruction overwrites itself and continues executing.
4. The COPY instruction overwrites the UDVM registers byte_copy_left and byte_copy_right.
5. The COPY instruction writes to and reads from the right of the buffer beginning at byte_copy_right.
6. The COPY instruction implements byte copying rules when the destination wraps around the buffer.
at (64)
:byte_copy_left pad (2) :byte_copy_right pad (2)
Surtees & West Informational [Page 11]
RFC 4465 SigComp Torture Tests June 2006
at (128) ; Set up buffer between addresses 64 & 128 LOAD (32, 16384) LOAD (byte_copy_left, 64) LOAD (byte_copy_right, 128)
COPY (32, 128, 33) ; Copy byte by byte starting to the left of ; the buffer, into the buffer and wrapping ; the buffer (inc overwriting the ; boundaries)
LOAD (64, 16640) ; Change the start of the buffer to be ; beyond bytecode
COPY (64, 85, 65) ; Copy to the left of the buffer, ; overwriting this instruction
This section gives assembly code to test the COPY-LITERAL and COPY- OFFSET instructions. The code is designed to test similar boundary cases to the code for the COPY instruction, as well as the following condition specific to COPY-LITERAL and COPY-OFFSET:
Surtees & West Informational [Page 12]
RFC 4465 SigComp Torture Tests June 2006
1. The COPY-LITERAL or COPY-OFFSET instruction overwrites the value of its destination.
2. The COPY-OFFSET instruction reads from an offset that wraps around the buffer (i.e., the offset is larger than the distance between byte_copy_left and the destination).
at (64)
:byte_copy_left pad (2) :byte_copy_right pad (2) :destination pad (2) :offset pad (2)
at (128) ; Set up circular buffer, source, and ; destination LOAD (32, 16640) LOAD (byte_copy_left, 64) LOAD (byte_copy_right, 128) LOAD (destination, 33)
COPY-LITERAL (32, 128, $destination) ; Copy from the left of the ; buffer overwriting bcl, bcr, and ; destination wrapping around the buffer OUTPUT (64, 8) ; Check destination has been updated ; Output 0x4141 4141 0061 4141
LOAD (byte_copy_left, 72) ; Set up new circular buffer LOAD (byte_copy_right, 82) LOAD (destination, 82) ; Set destination to byte_copy_right
MEMSET (72, 10, 65, 1) ; Fill the buffer with 0x41 - 4A
COPY-OFFSET (2, 6, $destination) ; Copy from within circular ; buffer to outside buffer
LOAD (offset, 6) COPY-OFFSET ($offset, 4, $destination) ; Copy from byte_copy_right ; so reading outside buffer
Surtees & West Informational [Page 13]
RFC 4465 SigComp Torture Tests June 2006
OUTPUT ($byte_copy_right, 10) ; Output 0x494A 4142 4344 494A 4142, ; which is 'IJABCDIJAB' LOAD (destination, 80) ; Put destination within the ; buffer COPY-OFFSET (4, 4, $destination) ; Copy where destination wraps OUTPUT (destination, 2) ; Output 0x004A
COPY-OFFSET (5, 4, $destination) ; Copy where offset wraps from ; left back around to the right OUTPUT (destination, 2) ; Output 0x004E OUTPUT ($byte_copy_left, 10) ; Output the circular buffer ; 0x4748 4845 4647 4748 4546, ; which is 'GHHEFGGHEF'
END-MESSAGE (0, 0, 0, 0, 0, 0, 0)
The output of the code is above, and the cost of execution is 216 UDVM cycles.
This section gives assembly code to test the MEMSET instruction. The code is designed to test that the following boundary cases have been correctly implemented:
1. The MEMSET instruction overwrites the registers byte_copy_left and byte_copy_right.
2. The output values of the MEMSET instruction do not lie between 0 and 255 inclusive (in which case they must be taken modulo 2^8).
at (64)
:byte_copy_left pad (2) :byte_copy_right pad (2)
at (128)
LOAD (byte_copy_left, 128) ; sets up a circular buffer LOAD (byte_copy_right, 129) ; of 1 byte between 0x0080 and 0x0081
MEMSET (64, 129, 0, 1) ; fills up the memory in the range ; 0x0040-0x007f with 0x00, ... 0x3f; ; then it writes successively at ; 0x0080 the following values 0x40, ... 0x80 ; as a side effect, the values of ; bcl and bcr are modified.
Surtees & West Informational [Page 14]
RFC 4465 SigComp Torture Tests June 2006
; before and during the MEMSET: ; byte_copy_left: 0x0080 byte_copy_right: 0x0081 ; after the MEMSET: ; byte_copy_left: 0x0001 byte_copy_right: 0x0203
MEMSET (129, 15, 64, 15) ; fills the memory range 0x0080-0x008f ; with values 0x40, 0x4f, ... 0xf4, 0x03, 0x12. ; as a side effect, it overwrites a ; part of the code including itself
This section gives assembly code to test the CRC instruction. The code does not test any specific boundary cases (as there do not appear to be any) but focuses instead on verifying the CRC algorithm.
at (64)
:byte_copy_left pad (2) :byte_copy_right pad (2) :crc_value pad (2) :crc_string_a pad (24) :crc_string_b pad (20)
at (128)
MEMSET (crc_string_a, 24, 1, 1) ; sets up between 0x0046 and 0x005d ; a byte string containing 0x01, ; 0x02, ... 0x18
MEMSET (crc_string_b, 20, 128, 1) ; sets up between 0x005e and 0x0071 ; a byte string containing 0x80, ; 0x81, ... 0x93
INPUT-BYTES (2, crc_value, decompression_failure) ; reads in 2 bytes representing ; the CRC value of the byte string ; of 44 bytes starting at 0x0046
Surtees & West Informational [Page 15]
RFC 4465 SigComp Torture Tests June 2006
CRC ($crc_value, crc_string_a, 44, decompression_failure) ; computes the CRC value of the ; byte string crc_string_a ; concatenated with byte string ; crc_string_b (with a total ; length of 44 bytes). ; if the computed value does ; not match the 2-byte value read ; previously, the program ends ; with DECOMPRESSION-FAILURE. END-MESSAGE (0, 0, 0, 0, 0, 0, 0)
:decompression_failure DECOMPRESSION-FAILURE
If the compressed message is 0x62cb, then the code should successfully terminate with no output, and with a total execution cost of 95 UDVM cycles. For different 2-byte compressed messages, the code should terminate with a decompression failure.
This section gives assembly code to test the INPUT-BITS instruction. The code is designed to test that the following boundary cases have been correctly implemented:
1. The INPUT-BITS instruction changes between any of the four possible bit orderings defined by the input_bit_order register.
2. The INPUT-BITS instruction inputs 0 bits.
3. The INPUT-BITS instruction requests data that lies beyond the end of the compressed message.
at (64)
:byte_copy_left pad (2) :byte_copy_right pad (2) :input_bit_order pad (2) :result pad (2)
Surtees & West Informational [Page 16]
RFC 4465 SigComp Torture Tests June 2006
at (128)
:start
INPUT-BITS ($input_bit_order, result, end_of_message) ; reads in ; exactly as many bits as the 2-byte ; value written in the input_bit_order ; register, get out of the loop when ; no more bits are available at input.
OUTPUT (result, 2) ; outputs as a 2-byte integer ; the previously read bits
ADD ($input_bit_order, 1) ; if at the beginning of this loop the ; register input_bit_order is 0, REMAINDER ($input_bit_order, 7) ; then its value varies periodically ; like this: 2, 4, 6, 1, 3, 5, 7. ADD ($input_bit_order, 1) ; that gives for the FHP bits: 010, ; 100, 110, 001, 011, 101, 111
JUMP (start) ; run the loop once more
:end_of_message
END-MESSAGE (0, 0, 0, 0, 0, 0, 0)
An example of a compressed message is 0x932e ac71, which decompresses to give the output 0x0000 0002 0002 0013 0000 0003 001a 0038. Executing the code costs 66 UDVM cycles.
This section gives assembly code to test the INPUT-HUFFMAN instruction. The code is designed to test that the following boundary cases have been correctly implemented:
1. The INPUT-HUFFMAN instruction changes between any of the four possible bit orderings defined by the input_bit_order register.
2. The INPUT-HUFFMAN instruction inputs 0 bits.
3. The INPUT-HUFFMAN instruction requests data that lies beyond the end of the compressed message.
Surtees & West Informational [Page 17]
RFC 4465 SigComp Torture Tests June 2006
at (64)
:byte_copy_left pad (2) :byte_copy_right pad (2) :input_bit_order pad (2) :result pad (2)
An example of a compressed message is 0x932e ac71 66d8 6f, which decompresses to give the output 0x0000 0003 0008 04d7 0002 0003 0399 30fe. Executing the code costs 84 UDVM cycles.
As the code is run, the input_bit_order changes through all possible values to check usage of the H and P bits. The number of bits to input each time is taken from the value of input_bit_order. The sequence is the following:
This section gives assembly code to test the INPUT-BYTES instruction. The code is designed to test that the following boundary cases have been correctly implemented:
1. The INPUT-BYTES instruction inputs 0 bytes.
2. The INPUT-BYTES instruction requests data that lies beyond the end of the compressed message.
3. The INPUT-BYTES instruction is used after part of a byte has been input (e.g., by the INPUT-BITS instruction).
at (64)
:byte_copy_left pad (2) :byte_copy_right pad (2) :input_bit_order pad (2) :result pad (2) :output_start pad (4) :output_end
An example of a compressed message is 0x932e ac71 66d8 6fb1 592b dc9a 9734 d847 a733 874e 1bcb cd51 b5dc 9659 9d6a, which decompresses to give the output 0x0000 932e 0001 b166 d86f b100 1a2b 0003 9a97 34d8 0007 0001 3387 4e00 08dc 9651 b5dc 9600 599d 6a. Executing the code costs 130 UDVM cycles.
As the code is run, the input_bit_order changes through all possible values to check usage of the F and P bits. The number of bits or bytes to input each time is taken from the value of input_bit_order. For each INPUT-BYTES instruction, the remaining bits of the byte are thrown away. The P-bit always changes on the byte boundary so no bits are thrown away. The sequence is the following:
This section gives assembly code to test the PUSH, POP, CALL, and RETURN instructions. The code is designed to test that the following boundary cases have been correctly implemented:
1. The stack manipulation instructions overwrite the UDVM register stack_location.
2. The CALL instruction specifies a reference operand rather than an absolute value.
3. The PUSH instruction pushes the value contained in stack_fill onto the stack.
4. The stack_location register contains an odd integer.
Surtees & West Informational [Page 20]
RFC 4465 SigComp Torture Tests June 2006
at (64)
:byte_copy_left pad (2) :byte_copy_right pad (2) :input_bit_order pad (2) :stack_location pad (2) :next_address pad (2)
POP (64) ; Pop value 66 from address 70 to address 64 POP ($stack_location) ; Pop value 1 from address 68 to address 66 ; so stack_fill is overwritten to be 1 POP (stack_location) ; Pop value 1 from address 68 to address 70
; write bytes so that 433 and 434 ; contain 0x01c0 = 448 and ; 435 and 436 contain 0x0180 = 384
RETURN ; pop 383 from the stack and jump ; there = 384, which is lsb of ; stack_fill, which now contains 25, ; which is UDVM instruction RETURN ; pop 448 from the stack and jump ; there at (448)
END-MESSAGE (0, 0, 0, 0, 0, 0, 0)
The output of the code is 0x0003 0002 0001 0042 0042 0000 0001 0001, and a total of 40 UDVM cycles are used.
This section gives assembly code to test the JUMP, COMPARE, and SWITCH instructions. The code is designed to test that the following boundary cases have been correctly implemented:
1. The address operands are specified as references to memory addresses rather than as absolute values.
at (64)
:next_address pad (2) :counter pad (1) :counter_lsb pad (1) :switch_counter pad (2)
This section gives assembly code to test the STATE-CREATE and STATE- FREE instructions. The code is designed to test that the following boundary cases have been correctly implemented:
1. An item of state is created that duplicates an existing state item.
2. An item of state is freed when the state has not been created.
3. An item of state is created and then freed by the same message.
4. The STATE-FREE instruction frees a state item by sending fewer bytes of the state_identifier than the minimum_access_length.
Surtees & West Informational [Page 23]
RFC 4465 SigComp Torture Tests June 2006
5. The STATE-FREE instruction has partial_identifier_length operand shorter than 6 or longer than 20.
6. The STATE-FREE instruction specifies a partial_identifier that matches with two state items in the compartment.
7. The bytes of the identifier are written to the position specified in the STATE-FREE instruction after the STATE-FREE instruction has been run (and before END-MESSAGE).
at (64)
:byte_copy_left pad (2) :byte_copy_right pad (2) :states pad (1) :states_lsb pad (1) :min_len pad (1) :min_len_lsb pad (1)
Upon reaching the END-MESSAGE instruction, the UDVM does not output any decompressed data, but instead may make one or more state creation or state free requests to the state handler. Assuming that the application does not veto the state creation request (and that sufficient state memory is available) the code results in 0, 1, or 2 state items being present in the compartment.
The following table lists ten different compressed messages, the states created and freed by each, the number of states left after each message, and the number of UDVM cycles used. There are 3 state creation instructions:
create state_a, which has hash identifier1 create state_b (in END-MESSAGE), which is identical to state_a
Surtees & West Informational [Page 25]
RFC 4465 SigComp Torture Tests June 2006
create state_a2, which has a different identifier, but the first 6 bytes are the same as those of identifier1.
This section gives assembly code to test the STATE-ACCESS instruction. The code is designed to test that the following boundary cases have been correctly implemented:
1. A subset of the bytes contained in a state item is copied to the UDVM memory.
2. Bytes are copied from beyond the end of the state value.
3. The state_instruction operand is set to 0.
4. The state cannot be accessed because the partial state identifier is too short.
5. The state identifier is overwritten by the state item being accessed.
The following bytecode needs to be run first to set up the state for the rest of the test.
; The bytes between state_start and state_end are derived from ; translation of the following mnemonic code: ; ; at (512) ; OUTPUT (data, 4) ; END-MESSAGE (0,0,0,0,0,0,0) ; :data ; byte (116, 101, 115, 116)
If the compressed message is 0x00, then the output of the code is 0x7465 7374, and a total of 26 UDVM cycles are used. If the compressed message is 0x01, then the output of the code is also 0x7465 7374 but in this case using a total of 15 UDVM cycles. If the compressed message is 0x02, 0x03, or 0x04, then decompression failure occurs.
3. Torture Tests for Dispatcher
The following sections give code to test the various functions of the SigComp dispatcher.
This section gives assembly code to test that the SigComp "Useful Values" are correctly initialized in the UDVM memory. It also tests that the UDVM is correctly terminated if the bytecode uses too many UDVM cycles or tries to write beyond the end of the available memory.
Surtees & West Informational [Page 28]
RFC 4465 SigComp Torture Tests June 2006
The code tests that the following boundary cases have been correctly implemented:
1. The bytecode uses exactly as many UDVM cycles as are available (in which case no problems should arise) or one cycle too many (in which case decompression failure should occur). A liberal implementation could allow more cycles to be used than are strictly available, in which case decompression failure will not occur. This is an implementation choice. If this choice is made, the implementer must be sure that the cycles are checked eventually and that decompression failure does occur when bytecode uses an excessive number of cycles. This is tested in Section 3.2.
2. The bytecode writes to the highest memory address available (in which case no problems should arise) or to the memory address immediately following the highest available address (in which case decompression failure must occur).
:udvm_memory_size pad (2) :cycles_per_bit pad (2) :sigcomp_version pad (2) :partial_state_id_length pad (2) :state_length pad (2)
at (64)
:byte_copy_left pad (2) :byte_copy_right pad (2) :remaining_cycles pad (2) :check_memory pad (1) :check_memory_lsb pad (1) :check_cycles pad (1) :check_cycles_lsb pad (1)
at (127) :decompression_failure at (128) ; Set up a 1-byte buffer LOAD (byte_copy_left, 32) LOAD (byte_copy_right, 33)
:test_version
; Input a byte containing the version of SigComp being run INPUT-BYTES (1, check_memory_lsb, decompression_failure) COMPARE ($sigcomp_version, $check_memory, decompression_failure, test_state_access, decompression_failure)
:test_length_equals_zero ; No state was accessed so state_length ; should be zero (first message) COMPARE ($state_length, 0, decompression_failure, end, decompression_failure)
:test_state_length ; State was accessed so state_length ; should be 960 COMPARE ($state_length, 960, decompression_failure, test_udvm_memory, decompression_failure)
:test_udvm_memory ; Copy one byte to ; udvm_memory_size + input - 1 ; Succeed when input byte is 0x00 ; Fail when input byte is 0x01
; Work out the total number of cycles available to the UDVM ; total_UDVM_cycles = cycles_per_bit * (8 * message_size + 1000) ; ; = cycles_per_bit * (8 * (partial_state_id_length + 3) + 1000)
SUBTRACT ($remaining_cycles, cycles_used_by_bytecode) COPY (32, $remaining_cycles, 32) ; Copy to use up all cycles available + input byte ; Succeeds when input byte = 0x00 ; Fail when input byte = 0x01
:end ; Create 960 bytes of state for future ; reference END-MESSAGE (0, 0, 960, 64, 128, 6, 0)
The bytecode must be executed a total of four times in order to fully test the SigComp Useful Values. In the first case, the bytecode is uploaded as part of the SigComp message with a 1-byte compressed message corresponding to the version of SigComp being run. This causes the UDVM to request creation of a new state item and uses a total of 968 UDVM cycles.
Subsequent tests access this state by uploading the state identifier as part of the SigComp message. Note that the SigComp message should not contain a returned feedback item (as this would cause the bytecode to calculate the total number of available UDVM cycles incorrectly).
A 3-byte compressed message is required for the second and subsequent cases, the first byte of which is the version of SigComp in use, 0xnn. If the message is 0xnn0000, then the UDVM should successfully terminate using exactly the number of available UDVM cycles. However, if the message is 0xnn0001, then the UDVM should use too many cycles and hence terminate with decompression failure. Furthermore, if the message is 0xnn0100, then decompression failure must occur because the UDVM attempts to write beyond its available memory.
As discussed in Section 3.1, it is possible to write an implementation that takes a liberal approach to checking the cycles used and allows some extra cycles. The implementer must be sure that decompression failure does not occur too early and that in the case of excessive use of cycles, decompression failure does eventually occur. This test checks that:
1. Decompression failure occurs eventually when there is an infinite loop.
Surtees & West Informational [Page 31]
RFC 4465 SigComp Torture Tests June 2006
at (64) :byte_copy_left pad (2) :byte_copy_right pad (2) :value pad (2) :copy_next pad (2)
at(128) MULTILOAD (byte_copy_left, 4, 32, 41, 0, 34) ; Set up a 10-byte buffer
; Set the value to copy ; Copy it 100 times, ; output the value, ; increment the counter :loop COPY (value, 2, $byte_copy_left) COPY-OFFSET (2, 100, $copy_next) OUTPUT (value, 2) ADD ($value, 1) JUMP (loop)
If the cycles are counted exactly and cycles per bit (cpb) = 16, then decompression failure will occur at COPY-OFFSET when value = 180 = 0xB4. If cpb = 32, then decompression failure will occur when value = 361 = 0x0169. If they are not counted exactly, then decompression failure MUST occur eventually.
This section provides a set of messages to test the SigComp header over a message-based transport such as UDP. The messages test that the following boundary cases have been correctly implemented:
1. The UDVM bytecode is copied to different areas of the UDVM memory.
2. The decompression memory size is set to an incorrect value.
3. The SigComp message is too short.
4. The destination address is invalid.
The basic version of the code used in the test is given below. Note that the code is designed to calculate the decompression memory size based on the Useful Values provided to the UDVM:
Surtees & West Informational [Page 32]
RFC 4465 SigComp Torture Tests June 2006
:udvm_memory_size pad (2) :cycles_per_bit pad (2) :sigcomp_version pad (2) :partial_state_id_length pad (2) :state_length pad (2)
at (128)
:code_start
; udvm_memory_size for message-based transport ; = DMS - total_message_size
set (header_size, 3) set (code_size, (code_end - code_start)) set (total_message_size, (header_size + code_size))
A number of complete SigComp messages are given below, each containing some or all of the above code. In each case, it is indicated whether the message will successfully output the decompression memory size or whether it will cause a decompression failure to occur (together with the reason for the failure):
The messages should be decompressed in the order given to check that an error in one message does not interfere with the successful decompression of subsequent messages.
The two messages that successfully decompress each use a total of 5 UDVM cycles.
This section provides a byte stream to test the SigComp header and delimiters over a stream-based transport such as TCP. The byte stream tests all of the boundary cases covered in Section 3.2, as well as the following cases specific to stream-based transports:
1. Quoted bytes are used by the record marking scheme.
2. Multiple delimiters are used between the same pair of messages.
3. Unnecessary delimiters are included at the start of the stream.
The basic version of the code used in the test is given below. Note that the code is designed to calculate the decompression memory size based on the Useful Values provided to the UDVM:
:udvm_memory_size pad (2) :cycles_per_bit pad (2) :sigcomp_version pad (2) :partial_state_id_length pad (2) :state_length pad (2)
at (128)
; udvm_memory_size for stream based transport = DMS / 2
When the complete byte stream is supplied to the decompressor dispatcher, the record marking scheme must use the delimiters to partition the stream into two distinct SigComp messages. Both of these messages successfully output the decompression memory size (as a 2-byte value), followed by 5 consecutive 0xff bytes to test that the record marking scheme is working correctly. A total of 11 UDVM cycles are used in each case.
It must also be checked that the dispatcher can handle the same error cases as covered in Section 3.2. Each of the following byte streams should cause a decompression failure to occur for the reason stated:
Byte stream: Reason for failure:
0xf8ff ff Message too short
0xf800 ffff Message too short
0xf801 8108 0002 2200 0222 a092 0523 ffff Message too short 0x0000 0000 0000 00ff 00ff 03ff ffff
This section gives assembly code to test that the implementation correctly handles input past the end of a SigComp message. The code is designed to test that the following boundary cases have been correctly implemented:
1. An INPUT instruction requests data that lies beyond the end of the message. In this case, the dispatcher should not return any data to the UDVM. Moreover, the message bytes held by the dispatcher should still be available for retrieval by subsequent INPUT instructions.
2. The INPUT-BYTES instruction is used after part of a byte has been input (e.g., by the INPUT-BITS instruction). In this case, the remaining partial byte must be discarded, even if the INPUT-BYTES instruction requests data that lies beyond the end of the message.
at (64)
:byte_copy_left pad (2) :byte_copy_right pad (2) :input_bit_order pad (2) :result pad (1) :result_lsb pad (6) :right
INPUT-BYTES (7, result, next_bytes) ; This should fail, throw away ; 7 bits with value Ox7a and ; jump to next_bytes
:decompression_failure1 DECOMPRESSION-FAILURE ; This instruction is never ; executed but is used to ; separate success and failure ; to input bytes.
:next_bytes
; Read 7 bits - this removes the byte alignment of the message
; If the bits have not been thrown away where they should be, then ; the message will be 1 byte longer than necessary and the output ; will be incorrect.
If the compressed message is 0xfffa 0068 6921, then the code terminates successfully with the output 0x6869 21, and a total of 23 UDVM cycles are used. However, if the compressed message is 0xfffa 0068 69, then decompression failure occurs (at the final INPUT-BITS).
4. Torture Tests for State Handler
The following sections give code to test the various functions of the SigComp state handler.
This section gives assembly code to test the SigComp feedback mechanism. The code is designed to test that the following boundary cases have been correctly implemented:
1. Both the short and the long versions of the SigComp feedback item are used.
2. The chain of returned SigComp parameters is terminated by a non- zero value.
at (64)
:type pad (1) :type_lsb pad (1)
:requested_feedback_location pad (1) :requested_feedback_length pad (1) :requested_feedback_bytes pad (127)
:returned_parameters_location pad (2) :length_of_partial_state_id_a pad (1) :partial_state_identifier_a pad (6) :length_of_partial_state_id_b pad (1) :partial_state_identifier_b pad (12) :length_of_partial_state_id_c pad (1) :partial_state_identifier_c pad (20) :terminate_returned_parameters pad (1)
align (128)
set (q_bit, 1) set (s_bit, 0) set (i_bit, 0) set (flags, (((4 * q_bit) + (2 * s_bit)) + i_bit))
When the above code is executed, it supplies a requested feedback item to the state handler. If the compressed message is 0x00, then the short (1-byte) version of the feedback is used. Executing the bytecode in this case costs a total of 52 UDVM cycles. Assuming that the feedback request is successful, the feedback item should be returned in the first SigComp message to be sent in the reverse direction. The SigComp message returning the feedback should begin as follows:
+---+---+---+---+---+---+---+---+ | 1 1 1 1 1 1 | X | first header byte +---+---+---+---+---+---+---+---+ | 0 | 127 | returned feedback field +---+---+---+---+---+---+---+---+
So the first 2 bytes of the returning SigComp message should be 0xfn7f where n = c, d, e, or f (the choice of n is determined by the compressor generating the returning SigComp message, which is not under the control of the above code).
If the compressed message is 0x01, then the long version of the feedback item is used. Executing the bytecode in this case costs a total of 179 UDVM cycles and the SigComp message returning the feedback should begin as follows:
+---+---+---+---+---+---+---+---+ | 1 1 1 1 1 1 | X | first header byte +---+---+---+---+---+---+---+---+ | 1 | 127 | returned feedback length +---+---+---+---+---+---+---+---+ | 1 | ^ +---+---+---+---+---+---+---+---+ | | 2 | | +---+---+---+---+---+---+---+---+ | 3 | returned feedback field +---+---+---+---+---+---+---+---+
So the first 129 bytes of the SigComp message should be 0xfnff 0102 0304 ... 7e7f where n = c, d, e, or f as above.
As well as testing the requested and returned feedback items, the above code also announces values for each of the SigComp parameters. The supplied version of the code announces only the minimum possible values for the cycles_per_bit, decompression_memory_size, state_memory_size, and SigComp_version (although this can easily be adjusted to test different values for these parameters).
Surtees & West Informational [Page 40]
RFC 4465 SigComp Torture Tests June 2006
The code should also announce the availability of state items with the following partial state identifiers:
Note that different implementations may make use of the announcement information in different ways. It is a valid implementation choice to simply ignore all of the announcement data and use only the minimum resources that are guaranteed to be available to all endpoints. However, the above code is useful for checking that an endpoint interprets the announcement data correctly (in particular ensuring that it does not mistakenly use resources that have not in fact been announced).
The following section gives assembly code to test the memory management features of the state handler. The code checks that the correct states are retained by the state handler when insufficient memory is available to store all of the requested states.
The code is designed to test that the following boundary cases have been correctly implemented:
1. A state item is created that exceeds the total state_memory_size for the compartment.
2. States are created with a non-zero state_retention_priority.
3. A new state item is created that has a lower state_retention_priority than existing state items in the compartment.
For the duration of this test, it is assumed that all states will be saved in a single compartment with a state_memory_size of 2048 bytes.
at (64)
:byte_copy_left pad (2) :byte_copy_right pad (2) :order pad (2) :type pad (1) :type_lsb pad (1) :state_length pad (2) :state_retention_priority pad (2)
; Finish with the value (order_data + 6*n) in order where ; n is the input value 0x00, 0x01, or 0x02 ; type = order + 6 ; These values are used to index into the 'order_data' ; that is used to work out state retention priorities and lengths
:order_data ; This data is used to generate the retention priority ; and state length of each state creation.
word (0, 1, 2, 3, 4, 3, 2, 1, 0)
:state_identifier_a
byte (142, 234, 75, 67, 167, 135)
:state_identifier_b
byte (249, 1, 14, 239, 86, 123)
:state_identifier_c
byte (35, 154, 52, 107, 21, 166)
Surtees & West Informational [Page 43]
RFC 4465 SigComp Torture Tests June 2006
:state_identifier_d
byte (180, 15, 192, 228, 77, 44)
:state_identifier_e
byte (212, 162, 33, 71, 230, 10)
:large_state_identifier
byte (239, 242, 188, 15, 182, 175)
The above code must be executed a total of 7 times in order to complete the test. Each time the code is executed, a 1-byte compressed message should be provided as below. The effects of the messages are given below. States are described in the form (name, x, y) where name corresponds to the name of the identifier in the mnemonic code, x is the length of the state, and y is the retention priority of the state.
Message: Effect: #cycles: 0x00 create states: 811 (a,0,0), (b,256,1), (c,512,2) 0x01 create states: 2603 (d,768,3), (e,1024,4) - deleting a, b, c 0x02 create states: 811 (c,512,2), - deleting d (b,256,1), (a,0,0) 0x03 access states a,b,c,e 1805 0x04 access state d - not present so decompression failure 0x05 create states: 2057 (large, 2048,0) - deleting a, b, c, e 0x06 access large state 1993
Note that as new states are created, some of the existing states will be pushed out of the compartment due to lack of memory.
This section gives assembly code to test the interaction between multiple SigComp compartments. The code is designed to test that the following boundary cases have been correctly implemented:
Surtees & West Informational [Page 44]
RFC 4465 SigComp Torture Tests June 2006
1. The same state item is saved in more than one compartment.
2. A state item stored in multiple compartments has the same state identifier but a different state_retention_priority in each case.
3. A state item is deleted from one compartment but still belongs to a different compartment.
4. A state item belonging to multiple compartments is deleted from every compartment to which it belongs.
The test requires a total of three compartments to be available, which will be referred to as Compartment 0, Compartment 1, and Compartment 2. Each of the three compartments should have a state_memory_size of 2048 bytes.
The assembly code for the test is given below:
at (64)
:byte_copy_left pad (2) :byte_copy_right pad (2) :type pad (1) :type_lsb pad (1)
; create state again, beginning in different place in buffer ; starting byte identified by $type according to input: ; Input 0x00 0x01 0x02
Surtees & West Informational [Page 45]
RFC 4465 SigComp Torture Tests June 2006
; $type 515 516 517
ADD ($type, 3) STATE-CREATE (448, $type, 0, 6, 0)
; create a third time beginning in different place again ; starting byte identified by $type according to input: ; Input 0x00 0x01 0x02 ; $type 516 517 515
set (temp_one, (state_start + 2)) ; = 514 set (temp_two, (state_start + 3)) ; = 515 set (temp_three, (state_end - 1)) ; = 518
:state_identifier_a ; start state at 512
byte (172, 166, 11, 142, 178, 131)
:state_identifier_b ; start state at 513
byte (157, 191, 175, 198, 61, 210)
:state_identifier_c ; start state at 514
byte (52, 197, 217, 29, 83, 97)
:state_identifier_d ; start state at 515
byte (189, 214, 186, 42, 198, 90)
:state_identifier_e ; start state at 516
byte (71, 194, 24, 20, 238, 7)
:state_identifier_f ; start state at 517
byte (194, 117, 148, 29, 215, 161)
:state_identifier_g ; start state at 518
byte (72, 135, 156, 141, 233, 14)
Surtees & West Informational [Page 47]
RFC 4465 SigComp Torture Tests June 2006
The above code must be executed a total of 9 times in order to complete the test. Each time the code is executed, a 1-byte compressed message N should be provided, taking the values 0x00 to 0x08 in ascending order (so the compressed message should be 0x00 the first time the code is run, 0x01 the second, and so on).
If the code makes a state creation request, then the state must be saved in Compartment (N modulo 3).
When the compressed message is 0x00, 0x01, or 0x02, the code makes four state creation requests in compartments 0, 1, and 2, respectively. This creates a total of seven distinct state items referred to as State a through State g. The states should be distributed among the three compartments as illustrated in Figure 1 (note that some states belong to more than one compartment).
When the compressed message is 0x03 or 0x04, the code overwrites all of the states in Compartments 0 and 1, respectively. This means that States a, b, and e will be unavailable because they are no longer present in any of the three compartments.
When the compressed message is 0x05, the code checks that the States c, d, f, and g are still available. Decompression should terminate successfully in this case.
When the compressed message is 0x06, 0x07, or 0x08, the code attempts to access States a, b, and e, respectively. Decompression failure should occur in this case because the relevant states are no longer available.
The cost in UDVM cycles for each compressed message is given below (except for messages 0x06, 0x07, and 0x08 where decompression failure should to occur):
This section gives assembly code to test storing bytecode using END-MESSAGE and later loading the bytecode using a partial state identifier within the SigComp header. The assembly code is designed to test the following cases:
1. The bytes to be saved are changed after the state create request has been made.
2. The uploaded bytecode is modified before execution.
3. The bytecode is loaded using the partial state identifier and is modified before execution.
4. The bytecode is loaded to an address lower than 128, using the partial state identifier.
5. The bytecode is loaded using the partial state identifier. Part of the loaded memory is reserved area, which is overwritten after loading the bytecode.
6. The loading of the bytecode fails because the partial state identifier is too short.
Surtees & West Informational [Page 50]
RFC 4465 SigComp Torture Tests June 2006
at (30) :save_area1 set (saved_instr1, (save_area1 + (code_start2 - start_saved))) ; = 33
at (80) :save_area2 set (saved_instr2, (save_area2 + (code_start2 - start_saved))) ; = 83
at (128) :code_start
COPY (start_saved, saved_len, save_area1) ; copy 'ok2', OUTPUT (save_area2,3) END-MESSAGE ; to position 30 and create as state STATE-CREATE (saved_len, save_area1, saved_instr1, 6, 10)
set (modify1, (save_area1 + 5)) ; = 35 LOAD (modify1, 0x1e03) ; modify save_area2 to be save_area1 in the ; created state
COPY (start_saved, saved_len, save_area2) STATE-CREATE (saved_len, save_area2, saved_instr2, 20, 10) STATE-CREATE (saved_len, save_area2, saved_instr2, 12, 10) ; copy 'ok2', OUTPUT (save_area2,3) END-MESSAGE ; to position 80 and create as state twice with ; min access len 20 and 12
JUMP (modify)
:ok1 byte (0x4f, 0x4b, 0x31)
set (after_output_minus1, (after_output - 1))
:modify INPUT-BYTES (1, after_output_minus1, decompression_failure) ; Input overwrites the next instruction OUTPUT (ok1, 3) ; Now is OUTPUT (ok1, 2) so output is 0x4f4b
:after_output
; Save from ok1 to the opcode of END-MESSAGE
set (modify_len, ((after_output + 1) - ok1)) ; = 13
Surtees & West Informational [Page 51]
RFC 4465 SigComp Torture Tests June 2006
END-MESSAGE (0, 0, modify_len, ok1, modify, 6, 10) ; Save 'ok1', INPUT-BYTES, OUTPUT as state
Second message: access and run last state saved by previous message - 'ok1', INPUT-BYTES, OUTPUT, END-MESSAGE.
0xf905 b88c e72c 9103
Third message: access and run state from save_area2 with 12 bytes of state identifier - 'ok2', INPUT-BYTES, OUTPUT, END-MESSAGE.
0xfb24 63cd ff5c f8c7 6df6 a289 ff
Fourth message: access and run state from save_area1. The state is 'ok2', INPUT-BYTES, OUTPUT, END-MESSAGE but the first two bytes should be overwritten when initialising UDVM memory.
Surtees & West Informational [Page 52]
RFC 4465 SigComp Torture Tests June 2006
0xf95b 4b43 d567 83
Fifth message: attempt to access state from save_area2 with fewer than 20 bytes of state identifier.
0xf9de 8126 1199 1f
5. Security Considerations
This document describes torture tests for the SigComp protocol RFC 3320 [2]. Consequently, the security considerations for this document match those of SigComp.
In addition, the torture tests include tests for a significant number of "boundary and error cases" for execution of the UDVM bytecode. Boundary and error problems are common vectors for security attacks, so ensuring that a UDVM implementation executes this set of torture tests correctly should contribute to the security of the implementation.
6. Acknowledgements
Thanks to Richard Price and Pekka Pessi for test contributions and to Pekka Pessi and Cristian Constantin, who served as committed working group document reviewers.
[1] Surtees, A. and M. West, "Signaling Compression (SigComp) Users' Guide", RFC 4464, May 2006.
[2] Price, R., Bormann, C., Christoffersson, J., Hannu, H., Liu, Z., and J. Rosenberg, "Signaling Compression (SigComp)", RFC 3320, January 2003.
[3] Garcia-Martin, M., Bormann, C., Ott, J., Price, R., and A.B. Roach, "The Session Initiation Protocol (SIP) and Session Description Protocol (SDP) Static Dictionary for Signaling Compression (SigComp)", RFC 3485, February 2003.
[4] Roach, A.B., "A Negative Acknowledgement Mechanism for Signaling Compression", RFC 4077, May 2005.
The following sections list the raw UDVM bytecode generated for each test. The bytecode is presented in the form of a complete SigComp message, including the appropriate header. It is followed by input messages, the output they produce, and where the decompression succeeds the number of cycles used.
In some cases, the test is designed to be run several times with different compressed messages appended to the code. In the cases where multiple whole messages are used for a test, e.g., Appendix A.2.3, these are supplied. In the case where decompression failure occurs, the high-level reason for it is given as a reason code defined in NACK [4].
Note that the different assemblers can output different bytecode for the same piece of assembly code, so a valid assembler can produce results different from those presented below. However, the following bytecode should always generate the same results on any UDVM.
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).