Download presentation
Presentation is loading. Please wait.
1
Information Hiding in Program Binaries Rakan El-Khalil xvr xvr net
2
Warning: Steganography vs. Stenography.
3
Intro Information hiding overview Theoretical aspects of Software marking In practice… Applications
4
Types of Information Hiding Steganography Covert channels Anonymity Copyright marking Robust marks Fingerprinting Watermarking [imperceptible or visible] Fragile marks
![Types of Information Hiding Steganography Covert channels Anonymity Copyright marking Robust marks Fingerprinting Watermarking [imperceptible or visible] Fragile marks](http://images.slideplayer.com./15/4814358/slides/slide_4.jpg "Types of Information Hiding Steganography Covert channels Anonymity Copyright marking Robust marks Fingerprinting Watermarking [imperceptible or visible] Fragile marks")
5
General Methods Security through obscurity Mostly used historically Sometimes used today Camouflage Hiding in plain sight Hiding the location of the embedded data Spreading the hidden information
6
Strength Evaluation Data-Rate Stealth Resilience
7
Attacks Subtractive Distortive Additive w
8
Attacks Subtractive Distortive Additive w
9
Attacks Subtractive Distortive Additive w w’
10
Attacks Subtractive Distortive Additive w w+w’ w’
11
Mediums Sound Image Video Text Relational Databases Sets of Numbers Etc…
12
Binary Info Hiding Overview Low redundancy medium Static marks Dynamic marks
13
Static Data Marks char mark[] = “All your base…” switch (a) { case 1: return “are”; case 2: return “belong”; case 3: return “to us”; … } Etc…
![Static Data Marks char mark[] = All your base… switch (a) { case 1: return are ; case 2: return belong ; case 3: return to us ; … } Etc…](http://images.slideplayer.com./15/4814358/slides/slide_13.jpg "Static Data Marks char mark[] = All your base… switch (a) { case 1: return are ; case 2: return belong ; case 3: return to us ; … } Etc…")
14
Static Code Marks { int gonads, strife; gonads = 1; strife = 1; printf (“weeeeee”); } { int gonads, strife; printf (“weeeeee”); gonads = 1; strife = 1; }
15
Static Code Marks [cont.] … if(…) goto a if(…) goto d if(…) goto b a b c d
![Static Code Marks [cont.] … if(…) goto a if(…) goto d if(…) goto b a b c d](http://images.slideplayer.com./15/4814358/slides/slide_15.jpg "Static Code Marks [cont.] … if(…) goto a if(…) goto d if(…) goto b a b c d")
16
Static Code Marks [fin.] Pro: easy to implement Con: easy to break.
![Static Code Marks [fin.] Pro: easy to implement Con: easy to break.](http://images.slideplayer.com./15/4814358/slides/slide_16.jpg "Static Code Marks [fin.] Pro: easy to implement Con: easy to break.")
17
Dynamic Marks Mark stored in program’s execution state Types of marks: Data structure Execution trace Easter egg
18
Easter Egg
19
Dynamic Data Structure Var[0] = 0x01010101; Var[1] = 0x03030303; Var[2] = 0x02020202; Var[3] = 0x04040404; Var[0] = 0x54686520; Var[1] = 0x47726561; Var[2] = 0x74204d61; Var[3] = 0x68697200; Op1 OpN … “The Great Mahir” Input1 InputN
![Dynamic Data Structure Var[0] = 0x ; Var[1] = 0x ; Var[2] = 0x ; Var[3] = 0x ; Var[0] = 0x ; Var[1] = 0x ; Var[2] = 0x74204d61; Var[3] = 0x ; Op1 OpN … The Great Mahir Input1 InputN](http://images.slideplayer.com./15/4814358/slides/slide_19.jpg "Dynamic Data Structure Var[0] = 0x ; Var[1] = 0x ; Var[2] = 0x ; Var[3] = 0x ; Var[0] = 0x ; Var[1] = 0x ; Var[2] = 0x74204d61; Var[3] = 0x ; Op1 OpN … The Great Mahir Input1 InputN")
20
Dynamic Graph Watermarking Generate a number n = P x Q Watermark is the graph topology Eg: Radix-5 encoding 25 4 + 05 3 + 35 2 + 25 1 + 25 0 = 7*191 = 1337 4 3 2 10
21
Dynamic Execution Trace 80480d3: 85 db test %ebx,%ebx 80480d5: 7e 29 jle 0x8048100 80480d7: 83 7d 08 00 cmpl $0x0,0x8(%ebp) 80480db: 74 23 je 0x8048105 80480dd: 8b 45 08 mov 0x8(%ebp),%eax 80480e0: a3 40 bc 08 08 mov %eax,0x808bc40 80480e5: 80 38 00 cmpb $0x0,(%eax) … 8048100: b8 00 00 00 00 mov $0x0,%eax 8048105: 85 c0 test %eax,%eax 8048107: 74 0c je 0x8048115 8048109: 83 c4 f4 add $0xfffffff4,%esp
22
Attacks Semantics preserving transformations { char c1, c2, c3; c1 = ‘u’; c2 = ‘n’; c3 = ‘f’; } char c1, c2, c3; int i; for (i=1; i <= 3; i++) { switch (i) { case 1: c1 = ‘u’ - 2; break; case 2: c2 = ‘n’ - 1; c1++; break; case 3: c3 = ‘f’; c1++; c2++; break; }}
23
Attacks on Dynamic Marking Add extra pointers Rename and reorder fields Add levels of indirection
24
In Practice… Difference between bytecode [Java,.Net, etc] and machine code [x86 asm]. Data vs. Code Problem.
![In Practice… Difference between bytecode [Java,.Net, etc] and machine code [x86 asm].](http://images.slideplayer.com./15/4814358/slides/slide_24.jpg "Data vs. Code Problem..")
25
In Practice Can’t use advanced techniques. Little work done on machine code watermarking.
26
Virus Intro Virus Code Program Entry Point Control Hijacking Control Return
27
Virus Code Obfuscation Encrypted Fixed decryption routine Changing virus body Polymorphic Mutation engine that randomizes decryption routine Metamorphic No decryptor Randomizes its code
28
Metamorphic Tricks Register Swapping: 89 c4 mov %eax,%eax 80 3e 2f cmpb $0x2f,(%esi) 75 09 jne 0x80480fa 8d 52 01 lea 0x1(%esi),%ebx 46 inc %esi 80 3e 00 cmpb $0x0,(%esi) 89 f6 mov %esi,%esi 80 38 2f cmpb $0x2f,(%eax) 75 09 jne 0x80480fa 8d 48 01 lea 0x1(%eax),%ecx 40 inc %eax 80 38 00 cmpb $0x0,(%eax)
29
More Tricks Instruction substitutions Changing of data values Nop and garbage insertions Branch reversals Alternate opcode encodings …
30
Hydan Generic information hiding tool Works with instruction substitution
31
Hydan Demo
32
Example Substitutions 83 c0 40: add %eax, $0x40 83 e8 c0: sub %eax, $-0x40 85 c0: test %eax, %eax 09 c0: or %eax, %eax 0b c0: or %eax, %eax 21 c0: and %eax, %eax 0 1 01 10 11 00
33
Hydan Examples [cont.] Embed 0100 into a listing: 83 c4 10 add %esp,$0x10 21 c0 and %eax,%eax 74 10 je 0x804cbc0 83 ec 04 sub %esp,$0x4 50 push %eax 83 c4 10 add %esp,$0x10 ob c0 or %eax,%eax 74 10 je 0x804cbc0 83 c4 fc add %esp,$-0x4 50 push %eax 0 10 0
![Hydan Examples [cont.] Embed 0100 into a listing: 83 c4 10 add %esp,$0x10 21 c0 and %eax,%eax je 0x804cbc0 83 ec 04 sub %esp,$0x4 50 push %eax 83 c4 10 add %esp,$0x10 ob c0 or %eax,%eax je 0x804cbc0 83 c4 fc add %esp,$-0x4 50 push %eax](http://images.slideplayer.com./15/4814358/slides/slide_33.jpg "Hydan Examples [cont.] Embed 0100 into a listing: 83 c4 10 add %esp,$0x10 21 c0 and %eax,%eax je 0x804cbc0 83 ec 04 sub %esp,$0x4 50 push %eax 83 c4 10 add %esp,$0x10 ob c0 or %eax,%eax je 0x804cbc0 83 c4 fc add %esp,$-0x4 50 push %eax")
34
Extra Security Techniques Message Whitening: ASCII text easily recognizable Text encrypted with Blowfish in CBC mode Length masked with SHA hash of password
35
Random Walk:
36
Flag Collision Detection: Some ‘equivalent’ instructions set flags differently: Eg: add vs. sub What to do? Scan forwards. xorl %eax, %eax addl $0xffffff, %eax xorl %eax, %eax subl $0x1, %eax %eax: -1, OF = 0, CF = 0 %eax: -1, OF = 0, CF = 1
37
Codebook Embedding: Build a codebook of equivalent instructions: 2 insns --> 1 bit 4 insns --> 2 bits 8 insns --> 3 bits What happens if we have 7 insns? Encoding Rate: { log 2 (N): N is a power of 2 log 2 (N-1): otherwise
38
Hydan Issues Detectable Instructions are not created equal Low bandwidth 1/110 vs. Outguess’ 1/17 Easy to tamper with Breaks SMC
39
Statistics
40
Future Work: Reordering Given a list of n objects: Can embed: floor [ log 2 (n!) ] bits: NBits 21 44 815 1644 32117 64295
![Future Work: Reordering Given a list of n objects: Can embed: floor [ log 2 (n!) ] bits: NBits](http://images.slideplayer.com./15/4814358/slides/slide_40.jpg "Future Work: Reordering Given a list of n objects: Can embed: floor [ log 2 (n!) ] bits: NBits")
42
Reordering Method How does one encode data with an ordering? Eg: n = 3: 000 abc 001 acb 010 bac 011 bca 100 cab 101 cba
43
Encoding Algorithm More specifically: floor [ log 2 (n!) ] bits of input Take input and decompose it along its factorials. Each factor represents the index of item in the sorted substring. Eg: n = 4, input = 110110 Floor [ log2(4!) ] 4bits First 4 bits: 1101 == 13 Decomposition: 13 == 2*3! + 0*2! + 1*1! Resulting string: abcd cabd cabd cadb
![Encoding Algorithm More specifically: floor [ log 2 (n!) ] bits of input Take input and decompose it along its factorials.](http://images.slideplayer.com./15/4814358/slides/slide_43.jpg " Each factor represents the index of item in the sorted substring. Eg: n = 4, input = Floor [ log2(4!) ] 4bits First 4 bits: 1101 == 13 Decomposition: 13 == 2*3. + 0*2. + 1*1. Resulting string: abcd cabd cabd cadb.")
44
Decoding Algorithm Similarly: floor [ log 2 (strlen(input)!) ] bits of output Take input string and decompose it along its factorials. Each factor represents the index of item in the sorted substring. Eg: input = cadb Floor [ log2(4!) ] 4bits Decomposition: 2*3! + 0*2! + 1*1! == 13 Result: 1101
![Decoding Algorithm Similarly: floor [ log 2 (strlen(input)!) ] bits of output Take input string and decompose it along its factorials.](http://images.slideplayer.com./15/4814358/slides/slide_44.jpg " Each factor represents the index of item in the sorted substring. Eg: input = cadb Floor [ log2(4!) ] 4bits Decomposition: 2*3. + 0*2. + 1*1. == 13 Result:")
45
Reorderables What can be reordered? Functions Independent instructions Arguments Register allocation Data …
46
Instruction Reordering mov $2, %eax mov $3, %ebx push %ecx call $0x8056213 mov $2, %eax mov $3, %ebx push %ecx mov $2, %eax push %ecx mov $3, %ebx mov $2, %eax push %ecx mov $3, %ebx push %ecx mov $2, %eax push %ecx mov $2, %eax mov $3, %ebx push %ecx mov $3, %ebx mov $2, %eax 000001010011100101
47
Instruction Reordering Problem mov $2, %eax mov $3, %ebx push %ecx call $0x808000
48
Insn Reordering Prob [cont] Need to use a VM to emulate: All Execution paths Stack Heap
![Insn Reordering Prob [cont] Need to use a VM to emulate: All Execution paths Stack Heap](http://images.slideplayer.com./15/4814358/slides/slide_48.jpg "Insn Reordering Prob [cont] Need to use a VM to emulate: All Execution paths Stack Heap")
49
Uses Traditional info hiding Security Polymorphism
50
Conclusion + QA
Similar presentations
