Hydan: Information Hiding in Program Binaries

12 Aug 2004

      http://crazyboy.com/hydan/

Hydan [hI-dn]:

        Old english, to hide or conceal.

Intro:

        Hydan steganographically conceals a message into an
        application. It exploits redundancy in the i386 instruction
        set by defining sets of functionally equivalent instructions.
        It then encodes information in machine code by using the
        appropriate instructions from each set.

        Features:

                - Application filesize remains unchanged
                - Message is blowfish encrypted with a user-supplied
                  passphrase before being embedded
                - Encoding rate: 1/110

        Primary uses for Hydan:

                - Covert Communication: embedding data into binaries
                  creates a covert channel that can be used to
                  exchange secret messages.

                - Signing: a program's cryptographic signature can
                  be embedded into itself. The recipient of the
                  binary can then verify that it has not been
                  tampered with (virus or trojan), and is really
                  from who it claims to be from. This check can be
                  built into the OS for user transparency.

                - Watermarking: a watermark can be embedded to
                  uniquely identify binaries for copyright purposes,
                  or as part of a DRM scheme. Note: this usage is not
                  recommended as Hydan implements fragile watermarks.

        If you think of anything else, do let me know :)

Platforms Supported:

        - {Net, Free}BSD i386 ELF
        - Linux i386 ELF
        - Windows XP PE/COFF

Download:

        Version 0.13

News:

        Update: I've  finally updated the hydan code, after a long time off.
        The encoding rate has been improved to 1/110 (thanks to a tip from
        sandeep!), and the code is now much cleaner too. In the mean time,
        hydan has been presented at:

                CansecWest 04
                BlackHat Vegas 04
                DefCon 04

        A paper is to be published soon as well:
                Hydan:  Hiding Information in Program Binaries
                Rakan El-Khalil and Angelos D. Keromytis.

        Which is to appear in the proceedings of the 6th International
        Conference on Information and Communications Security (ICICS),
        Malaga, Spain. To be published in Springer Verlag's LNCS.

        Hydan was initially presented at CodeCon on 02/23/2003.

        The following is a list of articles online from that presentation:

                - The Register: Hydan Seek
                  (same article at BusinessWeek, and SecurityFocus)
                - Slashdot: Program Hides Secret Messages in Executables
                  (could it be? crazyboy survived slashdotting?)
                - Punto-Informatico: Un tool cela segreti nei programmi
                  (intl coverage! been getting a lot of hits from them)
                - Bruce Schneier's Crypto-Gram: March 15, 2003 Issue
                  (and not in the snake-oil section either ;)

Like my Work?

        Buy me books!

Contact:

        Rakan El-Khalil <rfe3 at columbia dot edu>

-- 
-----------------
R. A. Hettinga 
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'