Netizens with extreme privacy needs got a new tool for their cyber utility
belts recently with the release of an application that lets users hide
secret messages in virtually any executable computer program, without
changing the program's size or affecting its operation.
The tool is called "Hydan," an old English word for the act of hiding
something, and it's part of a research project by Columbia University
computer science masters student Rakan El-Khalil, who showed off the program
to a small group of open-source programmers and hackers gathered at the
second annual CodeCon conference in San Francisco on Sunday.
Hydan is a novel development in the field of steganography -- the science of
burying secret messages in seemingly innocuous content. Popular stego
programs operate on image and music files, where a secret missive can be
hidden without altering the content enough to be perceived by human senses.
But because they contain instructions for a computer's processor, executable
files are less forgiving of tampering. Improperly changing a single bit of
executable code can render an application completely unusable.
El-Khalil's research focused on redundancies in the Intel x86 instruction
set -- places where at least two different instructions are effectively the
same. Each choice between two redundant options can represent a single bit
of data. "The problem with program binaries is there is just not a lot of
redundancy in them," said El-Khalil.
He found some of that useful redundancy in the instructions that tell the
computer to add or subtract.
A computer instruction to add the number 50 to another value, for example,
can be replaced with an instruction to subtract the number -50 instead.
Mathematically, the instructions are the same. In choosing between the two,
a stego program can get one bit of covert storage out of each addition or
subtraction operation in the executable -- without changing the way the
application runs, or adding a single byte to its size. "If we use a scenario
in which addition is zero, and subtraction is one, we can just go through
and flip them as needed," El-Khalil explained.
El-Khalil concedes that the method is imperfect -- an application that's
been impressed with a secret message has considerably more "negative
subtractions" than an unadulterated program, making it easy to pick out
through a statistical analysis. Hydan could also break programs that are
self-modifying or employ other unconventional techniques. And it's less
efficient than stego programs for image and sound files: good steganography
for a JPEG file can hide one byte of storage in 17 bytes of image, while
Hydan's ratio is one byte of storage to 150 bytes of code.
Future versions of Hydan will
boost that capacity by finding different places to code data, such as in the
order of a program's functions, and the order in which arguments are passed
to those functions. For now, the application is still powerful enough to
secretly stash the United States Constitution and the Declaration of
Independence in a single copy of Microsoft Word.
Beyond the covert uses, the technology could be used to attach a digital
signature to an application, or to embed an executable with a virtual
CODECON CONTINUES THROUGH MONDAY.
Held at a San Francisco nightclub and featuring a schedule filled with
practical cryptography, anonymity technologies and open-source, CodeCon is a small and decidedly non-commercial technology conference. Most of the projects presented are volunteer efforts that coders work on in their spare time, or between jobs,
which makes the conference uniquely immune from the ravages of a down
economy. "I'm told we're the only tech conference that's actually grown in
the last year," says organizer Len Sassaman. By Kevin Poulsen