<http://crazyboy.com/hydan/> Hydan [hI-dn]: Old english, to hide or conceal. Intro: Hydan steganographically conceals a message into an application. It exploits redundancy in the i386 instruction set by defining sets of functionally equivalent instructions. It then encodes information in machine code by using the appropriate instructions from each set. Features: - Application filesize remains unchanged - Message is blowfish encrypted with a user-supplied passphrase before being embedded - Encoding rate: 1/110 Primary uses for Hydan: - Covert Communication: embedding data into binaries creates a covert channel that can be used to exchange secret messages. - Signing: a program's cryptographic signature can be embedded into itself. The recipient of the binary can then verify that it has not been tampered with (virus or trojan), and is really from who it claims to be from. This check can be built into the OS for user transparency. - Watermarking: a watermark can be embedded to uniquely identify binaries for copyright purposes, or as part of a DRM scheme. Note: this usage is not recommended as Hydan implements fragile watermarks. If you think of anything else, do let me know :) Platforms Supported: - {Net, Free}BSD i386 ELF - Linux i386 ELF - Windows XP PE/COFF Download: Version 0.13 News: Update: I've finally updated the hydan code, after a long time off. The encoding rate has been improved to 1/110 (thanks to a tip from sandeep!), and the code is now much cleaner too. In the mean time, hydan has been presented at: CansecWest 04 BlackHat Vegas 04 DefCon 04 A paper is to be published soon as well: Hydan: Hiding Information in Program Binaries Rakan El-Khalil and Angelos D. Keromytis. Which is to appear in the proceedings of the 6th International Conference on Information and Communications Security (ICICS), Malaga, Spain. To be published in Springer Verlag's LNCS. Hydan was initially presented at CodeCon on 02/23/2003. The following is a list of articles online from that presentation: - The Register: Hydan Seek (same article at BusinessWeek, and SecurityFocus) - Slashdot: Program Hides Secret Messages in Executables (could it be? crazyboy survived slashdotting?) - Punto-Informatico: Un tool cela segreti nei programmi (intl coverage! been getting a lot of hits from them) - Bruce Schneier's Crypto-Gram: March 15, 2003 Issue (and not in the snake-oil section either ;) Like my Work? Buy me books! Contact: Rakan El-Khalil <rfe3 at columbia dot edu> -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'