Hydan: Information Hiding in Program Binaries (fwd)

bear <bear@bolt.sonic.net>
15 Aug 2004 22:15:19 -0400


From: bear <bear@bolt.sonic.net>
Newsgroups: comp.compilers
Date: 15 Aug 2004 22:15:19 -0400
Organization: Compilers Central
Keywords: tools, assembler
Posted-Date: 15 Aug 2004 22:15:19 EDT


Hydan [hI-dn]:

    Old English, to hide or conceal.

    Hydan steganographically conceals a message in an application. It
    exploits redundancy in the i386 instruction set by defining sets of
    functionally equivalent instructions. It then encodes information in
    machine code by using the appropriate instructions from each set.

        - Application filesize remains unchanged
        - Message is Blowfish encrypted with a user-supplied passphrase
          before being embedded
        - Encoding rate: 1/110

    Primary uses for Hydan:

        - Covert Communication: embedding data into binaries creates a
          covert channel that can be used to exchange secret messages.

        - Signing: a program's cryptographic signature can be embedded
          into itself. The recipient of the binary can then verify that
          it has not been tampered with (virus or trojan), and is really
          from whom it claims to be. This check can be built into the OS
          for user transparency.

        - Watermarking: a watermark can be embedded to uniquely identify
          binaries for copyright purposes, or as part of a DRM scheme.
          Note: this usage is not recommended as Hydan implements fragile
          watermarks.

    If you think of anything else, do let me know :)

Platforms Supported:

    - {Net, Free}BSD i386 ELF
    - Linux i386 ELF
    - Windows XP PE/COFF

    Version 0.13

    Update: I've finally updated the hydan code, after a long time off.
    The encoding rate has been improved to 1/110 (thanks to a tip from
    sandeep!), and the code is now much cleaner too. In the meantime,
    hydan has been presented at:

        CansecWest 04
        BlackHat Vegas 04
        DefCon 04

    A paper is to be published soon as well:

        Hydan: Hiding Information in Program Binaries
        Rakan El-Khalil and Angelos D. Keromytis.

    It is to appear in the proceedings of the 6th International Conference
    on Information and Communications Security (ICICS), Malaga, Spain, and
    will be published in Springer Verlag's LNCS.

    Hydan was initially presented at CodeCon on 02/23/2003.

    The following is a list of articles online from that presentation:

        - The Register: Hydan Seek
          (same article at BusinessWeek, and SecurityFocus)
        - Slashdot: Program Hides Secret Messages in Executables
          (could it be? crazyboy survived slashdotting?)
        - Punto-Informatico: Un tool cela segreti nei programmi
          (intl coverage! been getting a lot of hits from them)
        - Bruce Schneier's Crypto-Gram: March 15, 2003 Issue
          (and not in the snake-oil section either ;)

Like my Work?

    Buy me books!

    Rakan El-Khalil <rfe3 at columbia dot edu>
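The instruction-set redundancy the announcement describes, shown as an added example that is not part of the post and not Hydan's own code. It uses one real i386 equivalence set: for two-register ALU and MOV instructions, bit 1 of the opcode (the "direction" bit) selects whether the ModRM reg field names the destination or the source, so `89 D8` and `8B C3` are both `mov eax, ebx` at the same length. The opcode and ModRM facts are standard x86; the instruction stream `SAMPLE`, the tuple representation (opcode, modrm) with immediates and displacements left out, and the function names are constructed for this example. Hydan's real encoder works on disassembled binaries, uses more equivalence sets, and encrypts the message first; this toy does none of that. `direction_ratio` is a defender-side check resting on the assumption (mine, not the post's) that an assembler normally emits one canonical direction for register-to-register forms, so a near-even mix is a signal worth investigating.

```python
"""Toy model of the redundancy Hydan exploits (added example, not Hydan code).

Many two-register x86 ALU instructions have two byte encodings with
identical semantics: bit 1 of the opcode (the "direction" bit, d) decides
whether the ModRM 'reg' field names the destination or the source.  For
register-to-register forms (ModRM mod == 11) either direction encodes the
same operation at the same length, so the choice can carry one hidden bit.
Instructions are modelled as (opcode, modrm) tuples; immediates and
displacements are left out of this toy (constructed representation).
"""
from typing import List, Optional, Tuple

Instr = Tuple[int, Optional[int]]  # (opcode byte, ModRM byte or None)

# d=0 opcodes of 32-bit "op r/m32, r32" forms; the d=1 twin is opcode | 0x02.
#   ADD 01/03  OR 09/0B  AND 21/23  SUB 29/2B  XOR 31/33  CMP 39/3B  MOV 89/8B
CARRIER_OPCODES = {0x01, 0x09, 0x21, 0x29, 0x31, 0x39, 0x89}

# Constructed sample code stream (not taken from any real binary).
SAMPLE: List[Instr] = [
    (0x89, 0xE5),  # mov ebp, esp
    (0x31, 0xC0),  # xor eax, eax
    (0x89, 0xD8),  # mov eax, ebx
    (0x01, 0xD1),  # add ecx, edx
    (0x39, 0xCA),  # cmp edx, ecx
    (0x90, None),  # nop: no ModRM, never a carrier
    (0x29, 0xF7),  # sub edi, esi
    (0x21, 0xC3),  # and ebx, eax
    (0x09, 0xE6),  # or  esi, esp
    (0x89, 0x45),  # mov [ebp+disp8], eax: memory operand, not a carrier
    (0xC3, None),  # ret
]


def is_carrier(instr: Instr) -> bool:
    """True for reg/reg forms of an opcode pair: the only place swapping is free."""
    op, modrm = instr
    return modrm is not None and (op & 0xFD) in CARRIER_OPCODES and modrm >> 6 == 0b11


def flip_direction(instr: Instr) -> Instr:
    """Toggle d and swap reg/rm so the instruction keeps its meaning."""
    op, modrm = instr
    reg, rm = (modrm >> 3) & 7, modrm & 7
    return (op ^ 0x02, (modrm & 0xC0) | (rm << 3) | reg)


def semantics(instr: Instr):
    """(base opcode, dst, src) for carriers, independent of encoding direction."""
    if not is_carrier(instr):
        return instr
    op, modrm = instr
    reg, rm = (modrm >> 3) & 7, modrm & 7
    return (op & 0xFD, reg, rm) if op & 0x02 else (op & 0xFD, rm, reg)


def capacity_bits(stream: List[Instr]) -> int:
    """One hidden bit per carrier instruction."""
    return sum(1 for i in stream if is_carrier(i))


def embed(stream: List[Instr], payload: bytes) -> List[Instr]:
    """Write payload bits (MSB first) into the d bits of successive carriers."""
    bits = [(b >> k) & 1 for b in payload for k in range(7, -1, -1)]
    if len(bits) > capacity_bits(stream):
        raise ValueError("payload exceeds carrier capacity")
    out, pos = [], 0
    for instr in stream:
        if is_carrier(instr) and pos < len(bits):
            if (instr[0] >> 1) & 1 != bits[pos]:
                instr = flip_direction(instr)
            pos += 1
        out.append(instr)  # length and semantics unchanged either way
    return out


def extract(stream: List[Instr], nbytes: int) -> bytes:
    """Read the d bit of each carrier back into bytes (full bytes only)."""
    bits = [(op >> 1) & 1 for op, modrm in stream if is_carrier((op, modrm))]
    out = bytearray()
    for i in range(0, min(len(bits), nbytes * 8) - 7, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def direction_ratio(stream: List[Instr]) -> float:
    """Defender-side heuristic: fraction of carriers in d=1 form.

    Assumption (not from the post): an assembler normally emits one canonical
    direction for reg/reg ops, so a ratio near 0.5 in otherwise
    compiler-generated code hints that the d bits may carry data.
    """
    carriers = [op for op, modrm in stream if is_carrier((op, modrm))]
    return sum((op >> 1) & 1 for op in carriers) / len(carriers) if carriers else 0.0


if __name__ == "__main__":
    stego = embed(SAMPLE, b"\xa5")
    assert extract(stego, 1) == b"\xa5"
    assert [semantics(i) for i in stego] == [semantics(i) for i in SAMPLE]
    print("capacity bits:", capacity_bits(SAMPLE))
    print("d=1 ratio before:", direction_ratio(SAMPLE), "after:", direction_ratio(stego))
```

Running it embeds one byte into the eight register-to-register carriers in `SAMPLE` and recovers it; every carrier keeps its (operation, destination, source) triple, and the memory-operand `mov` and the `nop`/`ret` are untouched because they have no free direction bit. The d=1 ratio moving from 0.0 to 0.5 is the kind of statistic a scanner for this particular class of hidden channel would look at.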
