We implement a simple virtual machine in the kernel module. This
machine runs over a TCP packet and maintains an internal state composed of:
- An instruction pointer in the code.
- A TCP Options buffer.
- Several "registers": flags, mss, wscale, win, ack and df,
corresponding to the TCP header fields of the same name for a
potential reply packet.
The code understood by the virtual machine is made of 32-bit
instructions (in the machine's endianness), each composed of a mnemonic (8
bits), an option (4 bits) and an operand (20 bits), as shown below:
 0             7 8    11 12                                   31
+---------------+--------+---------------------------------------+
|   Mnemonic    | Option |                Operand                |
+---------------+--------+---------------------------------------+
TEST
Code : 01
Test the object defined by the option. If the test is true, the
instruction pointer goes from instruction i to instruction
i+2. If the test is false, the program continues at
instruction i+1.
The test options available are the following:
- TCP Option (0)
: True if the passed TCP option in the operand is present in the
original packet.
- Any TCP Flags (1)
: True if at least one of the TCP flags passed in the operand is enabled
in the original packet.
- All TCP Flags (2)
: True if all the TCP flags passed in the operand are enabled
in the original packet.
- Ack (3)
: True if the original packet ACK value is equal to the operand.
- Listen (4)
: True if the destination port of the original packet is listening locally.
JMP
Code : 02
The program continues running at the instruction whose address is the operand.
PUT
Code : 03
Adds a TCP option to the TCP options buffer. The inserted TCP
option is given in the operand and its source is determined by the
instruction option.
The following options are available:
- Copy (0)
: The inserted TCP option is copied from the original packet if found.
- Insert (1)
: The inserted TCP option is copied from the internal
registers. This is only possible for the mss,
wscale and timestamp options.
SET
Code : 04
Sets the value of an internal register in the virtual machine. The
register and the type of operation are determined by the option. The
value is in the operand.
The following options are available:
- flags (0)
: Sets the flags register to the operand value.
- ack (1)
: Sets the ack register to the operand value.
- df (2)
: Sets the df ("Don't Fragment") register to the operand value.
- win (3)
: Sets the win register to the operand value.
- mss (4)
: Sets the mss register to the operand value.
- wscale (5)
: Sets the wscale register to the operand value.
- timestamp (6)
: Sets the timestamp (local timestamp value) register to
the operand value.
- relative ack (9)
: Sets the ack register to the operand value added to
the original packet value.
- relative df (10)
: Sets the df ("Don't Fragment") register to the operand value added to
the original packet value.
- relative win (11)
: Sets the win register to the operand value added to
the original packet value.
- relative mss (12)
: Sets the mss register to the operand value added to
the original packet value.
- relative wscale (13)
: Sets the wscale register to the operand value added to
the original packet value.
- relative timestamp (14)
: Sets the timestamp (local timestamp value) register to
the operand value added to the current usable value for the local
timestamp.
RET
Code : 05
Terminates the program execution and returns the operand.
The available operands are:
- Accept (1)
: Terminates execution and lets the packet continue on its path.
- Drop (2)
: Terminates execution and drops the packet.
- Reply (3)
: Terminates execution, builds a reply TCP packet from the virtual
machine state and sends it.
For the various instructions that accept TCP options, the
following TCP options are available:
- eol (0)
- nop (1)
- mss (2)
- wscale (3)
- sackOK (4)
- sack (5)
- echo (6)
- echoreply (7)
- timestamp (8)
- pocOK (9)
- pocSP (10)
- CC (11)
- CC.NEW (12)
- CC.ECHO (13)
- acreq (14)
- acdata (15)
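
The control flow of TEST, JMP, SET and RET described above, as an added user-space sketch that is not the kernel module's own code. It assumes bit 0 of the diagram is the most significant bit, that JMP operands are instruction indexes and that flag operands use the standard TCP flag bits; the step budget and the drop-on-malformed policy are choices made for this example, and PUT is not modelled.

```c
#include <stdint.h>
#include <stddef.h>

/* Assumption: bit 0 of the page's diagram is the most significant bit. */
#define INSN(m, o, v) (((uint32_t)(m) << 24) | ((uint32_t)(o) << 20) | ((uint32_t)(v) & 0xFFFFFu))
enum { OP_TEST = 1, OP_JMP = 2, OP_SET = 4, OP_RET = 5 };  /* mnemonics */
enum { T_ANY = 1, T_ALL = 2, S_FLAGS = 0, S_WIN = 3 };     /* TEST and SET options */
enum { V_ACCEPT = 1, V_DROP = 2, V_REPLY = 3 };            /* RET operands */
enum { F_SYN = 0x02, F_ACK = 0x10 };    /* assumed: standard TCP flag bits */
struct vm { uint32_t flags, win; };     /* subset of the reply registers */

/* Runs prog against the original packet's flags and returns the RET operand.
 * Any malformed program fails closed with V_DROP (policy of this example). */
int vm_run(const uint32_t *prog, size_t n, uint32_t pkt_flags, struct vm *st)
{
    size_t ip = 0;
    for (size_t steps = 0; steps < 64; steps++) {   /* budget stops JMP loops */
        if (ip >= n) return V_DROP;                 /* jump or skip past the end */
        uint32_t w = prog[ip], opt = (w >> 20) & 0xF, val = w & 0xFFFFF;
        switch (w >> 24) {
        case OP_TEST:                   /* true: i+2, false: i+1 */
            if (opt == T_ANY) ip += (pkt_flags & val) ? 2 : 1;
            else if (opt == T_ALL) ip += ((pkt_flags & val) == val) ? 2 : 1;
            else return V_DROP;
            break;
        case OP_JMP: ip = val; break;   /* assumed: operand is an instruction index */
        case OP_SET:
            if (opt == S_FLAGS) st->flags = val;
            else if (opt == S_WIN) st->win = val;
            else return V_DROP;
            ip++; break;
        case OP_RET: return (val >= V_ACCEPT && val <= V_REPLY) ? (int)val : V_DROP;
        default: return V_DROP;         /* PUT and unknown mnemonics: not modelled */
        }
    }
    return V_DROP;
}

/* Constructed sample: answer a SYN with SYN|ACK, accept everything else. */
const uint32_t demo[] = {
    INSN(OP_TEST, T_ALL, F_SYN), INSN(OP_RET, 0, V_ACCEPT),
    INSN(OP_SET, S_FLAGS, F_SYN | F_ACK), INSN(OP_RET, 0, V_REPLY) };

int main(void)
{
    struct vm st = { 0, 0 };
    return vm_run(demo, 4, F_SYN, &st) == V_REPLY ? 0 : 1;
}
```

The instruction at i+1 is the "false" branch of a TEST, so it is normally a JMP or a RET.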