Transcript
Page 1: Steganography: Hiding your secrets with PHP

Raúl Fraile #PHPDS15

Steganography: Hiding your secrets with PHP

Page 2: Steganography: Hiding your secrets with PHP

E U Q W E X S A O S L Z U

L R T Z S R P V I Y E P N

H A F H G Z I P L M F I E

G U R I C E R T I F I E D

B L A A Q N T E T O R T T

E K I M A D H S G N O 💩 A

P O L Y G L O T A Y E S U

A J E W H I T E S P A C E

O B R F S A C I L I A P Y

S T E G A N O G R A P H Y

R A M C Y T I R W C P P A

About me

Page 3: Steganography: Hiding your secrets with PHP

Introduction to Steganography

Page 4: Steganography: Hiding your secrets with PHP

https://leanpub.com/symfony-selfstudy

Page 5: Steganography: Hiding your secrets with PHP

Steganography is the science of concealing a hidden message in plain sight in order to avoid detection.

Introduction

Page 6: Steganography: Hiding your secrets with PHP

Introduction

steganos (στεγανός): covered, concealed, protected

graphein (γράφειν): writing

Page 7: Steganography: Hiding your secrets with PHP

Terminology

• Cover (C): the innocuous carrier.

• Message (M): the secret to be hidden.

• Key (K): shared secret that parameterises embedding and extraction.

• Embedding (E): E(C, M, K) = S.

• Stego-Object (S): the carrier with the message inside.

• Extracting (D): D(S, K) = M.

Page 8: Steganography: Hiding your secrets with PHP

• Steganography: Hide the data from a third party.

• Cryptography: Make data unreadable by a third party.

Steganography / Cryptography

Page 9: Steganography: Hiding your secrets with PHP

Prisoners’ problem

Page 10: Steganography: Hiding your secrets with PHP


Motivation

Source: http://youtu.be/u_kqM0gn63M

Page 11: Steganography: Hiding your secrets with PHP

Motivation

Source: http://uk.businessinsider.com/david-cameron-encryption-apple-pgp-2015-1?r=US

Page 12: Steganography: Hiding your secrets with PHP

• Protection against data alteration and proof of ownership (digital watermarking).

• Secretly communicate information.

• Anti-forensics mechanism.

Applications

Page 13: Steganography: Hiding your secrets with PHP

Techniques

Page 14: Steganography: Hiding your secrets with PHP

Classical Steganography

Page 15: Steganography: Hiding your secrets with PHP

Bacon’s Bilateral Cipher

A   AAAAA    B   AAAAB    C   AAABA    D   AAABB    E   AABAA    F   AABAB
G   AABBA    H   AABBB    I/J ABAAA    K   ABAAB    L   ABABA    M   ABABB
N   ABBAA    O   ABBAB    P   ABBBA    Q   ABBBB    R   BAAAA    S   BAAAB
T   BAABA    U/V BAABB    W   BABAA    X   BABAB    Y   BABBA    Z   BABBB

Take the red pill

BAABA AAAAA ABAAB AABAA BAABA AABBB AABAA BAAAA AABAA AAABB ABBBA ABAAA ABABA ABABA
(T A K E T H E R E D P I L L: 14 letters, 14 × 5 = 70 symbols)

Cover text, one letter per symbol; the A/B choice is expressed as two typefaces (or, today, as lower/upper case):

Steganography is the art or practice of concealing messages within other messages

The cover has exactly 70 letters, so it carries the whole 14-letter message with nothing to spare.
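The bilateral cipher in code, as an added example that is not part of the talk: the secret is mapped to A/B groups with the table above, and each cover letter's case stands in for the typeface (A = lowercase, B = uppercase). The alphabet constant and function names are this example's own choices.

```php
<?php
// Added example (not from the talk): Bacon's bilateral cipher in PHP.
// Each letter of the secret becomes a group of five A/B symbols from the
// 24-letter table (J shares I's code, V shares U's). The cover text then
// carries one symbol per letter: A = lowercase, B = uppercase, which
// stands in for the two typefaces of the original cipher.

const BACON_ALPHABET = 'ABCDEFGHIKLMNOPQRSTUWXYZ';

function baconEncodeLetter(string $ch): string
{
    $ch  = str_replace(['J', 'V'], ['I', 'U'], strtoupper($ch));
    $idx = strpos(BACON_ALPHABET, $ch);
    if ($ch === '' || $idx === false) {
        throw new InvalidArgumentException("not encodable: '$ch'");
    }
    return strtr(sprintf('%05b', $idx), '01', 'AB');   // e.g. T (18) -> BAABA
}

function baconDecodeGroup(string $group): string
{
    $idx = bindec(strtr($group, 'AB', '01'));
    return $idx < strlen(BACON_ALPHABET) ? substr(BACON_ALPHABET, $idx, 1) : '?';
}

/** Embed $secret into the letters of $cover; other characters pass through. */
function baconEmbed(string $secret, string $cover): string
{
    $letters = preg_replace('/[^a-z]/i', '', $secret);
    if ($letters === '') {
        throw new InvalidArgumentException('secret contains no letters');
    }
    $symbols = '';
    foreach (str_split($letters) as $ch) {
        $symbols .= baconEncodeLetter($ch);
    }
    $needed    = strlen($symbols);
    $available = preg_match_all('/[a-z]/i', $cover);
    if ($available < $needed) {
        throw new LengthException("cover has $available letters, need $needed");
    }
    $out = '';
    $i   = 0;
    foreach (str_split($cover) as $c) {
        if (!ctype_alpha($c)) {
            $out .= $c;
        } elseif ($i < $needed) {
            $out .= $symbols[$i++] === 'B' ? strtoupper($c) : strtolower($c);
        } else {
            $out .= strtolower($c);   // unused tail reads back as AAAAA... = 'A'
        }
    }
    return $out;
}

/** Read letter case back as A/B and decode every complete group of five. */
function baconExtract(string $stego): string
{
    $symbols = '';
    foreach (str_split($stego) as $c) {
        if (ctype_alpha($c)) {
            $symbols .= ctype_upper($c) ? 'B' : 'A';
        }
    }
    $plain = '';
    foreach (str_split($symbols, 5) as $group) {
        if (strlen($group) === 5) {
            $plain .= baconDecodeGroup($group);
        }
    }
    return $plain;
}

$cover = 'Steganography is the art or practice of concealing messages within other messages';
$stego = baconEmbed('Take the red pill', $cover);
echo $stego, "\n";               // SteGanograpHy iS ... : the case pattern is the ciphertext
echo baconExtract($stego), "\n"; // TAKETHEREDPILL
```

Two practical caveats: any unused cover letters decode as spurious A's, so a real deployment sends the length or a terminator; and case-based hiding survives copy and paste but not anything that normalises case, which is why the original used typefaces.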

Page 16: Steganography: Hiding your secrets with PHP

• Backmasking is a technique in which a sound or message is recorded backward onto a track that is meant to be played forward.

• It is a deliberate process, whereas a message found through phonetic reversal may be unintentional.

Backmasking

Page 17: Steganography: Hiding your secrets with PHP

Backmasking

If there's a bustle in your hedgerow, don't be alarmed now, it's just a spring clean for the May queen. Yes there are two paths you can go by, but in the long run there's still time to change the road you're on.

Oh here's to my sweet Satan. The one whose little path would make me sad, whose power is satan. He'll give those with him 666, there was a little toolshed where he made us suffer, sad Satan.

Page 18: Steganography: Hiding your secrets with PHP

• Some brands of color laser printers add tiny yellow dots to each page that encode the printer serial number and a timestamp.

• Monochrome printers and copiers from major manufacturers also include the markings.

• Most printers' codes have not been decoded.

Printer steganography

Page 19: Steganography: Hiding your secrets with PHP

Printer steganography

Source: https://w2.eff.org/Privacy/printers/docucolor/

Page 20: Steganography: Hiding your secrets with PHP

Morse code

Page 21: Steganography: Hiding your secrets with PHP

Morse code

T O R T U R E

Source: http://youtu.be/BgelmcOdS38

Page 22: Steganography: Hiding your secrets with PHP

Digital Steganography

Page 23: Steganography: Hiding your secrets with PHP

Digital Steganography: LSB in images

Cover pixel (R, G, B) = 144 141 81

10010000 10001101 01010001

Hidden message bits: 1 0 1 0 0 1 …

Stego pixel 1 = 145 140 81 (least significant bits now 1, 0, 1)

10010001 10001100 01010001

Next pixel = 146 142 81 (least significant bits 0, 0, 1)

10010010 10001110 01010001

Each channel value moves by at most one, which the eye cannot see.

Page 24: Steganography: Hiding your secrets with PHP

Piet is a programming language in which programs look like abstract paintings.

Piet

Composition with Red, Yellow and Blue. 1921, Piet Mondrian

Source: http://www.dangermouse.net/esoteric/piet.html

Page 25: Steganography: Hiding your secrets with PHP

Piet: a command is encoded by the change in hue and darkness between two colour blocks

Hue change \ Darkness change | None      | 1 darker    | 2 darker
None                         | (no-op)   | push        | pop
1 step                       | add       | subtract    | multiply
2 steps                      | divide    | mod         | not
3 steps                      | greater   | pointer     | switch
4 steps                      | duplicate | roll        | in(number)
5 steps                      | in(char)  | out(number) | out(char)

Initial state: DP (direction pointer) right, CC (codel chooser) left

$ npiet example1.png
? 5
25

Page 26: Steganography: Hiding your secrets with PHP

Piet

Page 27: Steganography: Hiding your secrets with PHP

• We already have filesystems with support for encryption, so their contents can only be read with the password. But the attacker may obtain the password illegally, or torture the user into giving it up.

• The steganographic filesystem goes one step further: it does not even show the existence of sensitive information (even when raw sectors of the hard disc are accessed).

Steganographic filesystem

Page 28: Steganography: Hiding your secrets with PHP

Steganographic filesystem

[Figure: three layouts side by side. A plain FAT filesystem: boot sector, FAT, data clusters 0–8, with 1.txt starting at cluster 2, 2.txt at cluster 5 and 3.txt at cluster 7, the FAT chaining each file's clusters up to EOF. The same with filesystem-level encryption: boot sector, FAT, encrypted filesystem (the metadata still reveals that files exist). A partition holding a steganographic filesystem, which exposes no such structure at all.]

Page 29: Steganography: Hiding your secrets with PHP

• Network steganography hides data in the behaviour of communication protocols rather than in stored files, which makes it harder to detect.

• Techniques:

• Steganophony: data carried in intentionally delayed or corrupted VoIP packets, which the receiver would normally discard.

• WLAN Steganography: transmission of steganograms in Wireless Local Area Networks.

Network Steganography

Page 30: Steganography: Hiding your secrets with PHP

• Custom HTTP headers to include geeky messages or as a recruiting tool.

• For example, booking.com:

• X-Recruiting: Like HTTP headers? Come write ours: https://workingatbooking.com

HTTP headers

Page 31: Steganography: Hiding your secrets with PHP

SkyDe (Skype Hide)

Source: http://arxiv.org/pdf/1301.3632.pdf

Page 32: Steganography: Hiding your secrets with PHP

• Steganographic method for the BitTorrent P2P file transfer service.

• It is based on modifying the order of data packets in the peer-to-peer data exchange protocol.

• Steganographic bandwidth of up to 270 bit/s while introducing little transmission distortion and being hard to detect.

StegTorrent

Page 33: Steganography: Hiding your secrets with PHP

StegTorrent

Source: http://www.computer.org/csdl/proceedings/spw/2013/5017/00/5017a151-abs.html

[Figure: data packets numbered 0, 1, … are sent out of their natural order (shown as 4 5 2 6 3 7); the permutation encodes the hidden bits (1100 10 in the slide).]

Page 34: Steganography: Hiding your secrets with PHP

• Spammimic embeds a message into spam.

• There is a huge amount of spam. Also, real spam is usually dumb, so it is sometimes hard to tell whether it was written by a human or a machine.

Spammimic

Page 35: Steganography: Hiding your secrets with PHP

Spammimic

Dear Professional , Your email address has been submitted to us indicating your interest in our newsletter ! This is a one time mailing there is no need to request removal if you won't want any more ! This mail is being sent in compliance with Senate bill 2516 , Title 9 , Section 303 . Do NOT confuse us with Internet scam artists . Why work for somebody else when you can become rich in 16 days . Have you ever noticed most everyone has a cellphone and nearly every commercial on television has a .com on in it ! Well, now is your chance to capitalize on this ! We will help you decrease perceived waiting time by 190% and deliver goods right to the customer's doorstep ! The best thing about our system is that it is absolutely risk free for you ! But don't believe us . Mrs Simpson of Maryland tried us and says "I was skeptical but it worked for me" . We assure you that we operate within all applicable laws ! We implore you - act now ! Sign up a friend and you get half off . Thanks .

Message: attack

Source: http://www.spammimic.com

Disappearing Cryptography. Information Hiding: Steganography & Watermarking

Page 36: Steganography: Hiding your secrets with PHP

Steganalysis

Page 37: Steganography: Hiding your secrets with PHP

• Steganalysis is the study of detecting messages hidden using steganography.

• The goal of steganalysis is to identify suspected packages, determine whether or not they have a payload encoded into them, and, if possible, recover that payload.

• The problem is generally handled with statistical analysis.

Steganalysis

Page 38: Steganography: Hiding your secrets with PHP

Steganalysis

[Figure: the pixel (144, 141, 81) = 10010000 10001101 01010001 from the LSB slide, next to a histogram of its LSB plane (bars for bit values 0 and 1, y axis 0 to 1 in steps of 0.2) compared with the flat distribution of random data. An LSB plane that looks perfectly random is itself a tell, because natural image data is not.]

Page 39: Steganography: Hiding your secrets with PHP

What about PHP?

Page 40: Steganography: Hiding your secrets with PHP

Binary strings

• In PHP, strings are just a sequence of bytes (C char type).

• PHP stores the length of strings explicitly. Unlike C it does not need a zero termination to find the end of a string.

Page 41: Steganography: Hiding your secrets with PHP

Binary strings

In PHP 5 a string value is a pointer to the bytes plus an explicit length:

typedef union _zvalue_value {
    long lval;
    double dval;
    struct {
        char *val;   /* the bytes: h e l l o */
        int len;     /* 5, stored explicitly */
    } str;
    HashTable *ht;
    zend_object_value obj;
} zvalue_value;

[Figure: "hello" with val pointing at the bytes and len = 5; $str[n] indexes a single byte; strlen() returns len without scanning for a terminator; the same multi-byte value is laid out as 14 - 0 in big endian and 0 - 14 in little endian.]

PHP 7 replaced this union with zend_string, which is also length-prefixed, so the properties that matter here still hold: a PHP string may contain "\0" bytes and strlen() does not depend on a terminator.

Page 42: Steganography: Hiding your secrets with PHP

pack()/unpack()

• pack() packs data into a binary string according to a given format.

• unpack() unpacks from a binary string into an array according to a given format.

Page 43: Steganography: Hiding your secrets with PHP

pack()/unpack()

$now = new \DateTime();

$id1   = 0x1f;                  // gzip magic, first byte
$id2   = 0x8b;                  // gzip magic, second byte
$cm    = 0x08;                  // compression method: deflate
$flags = 0x00;
$mtime = $now->getTimestamp();  // 0x54c13374 when the slides were made

/*
 * Format:
 * - C4: 4 unsigned bytes.
 * - V: unsigned long, 32 bit, little-endian byte order.
 */
$binStr = pack('C4V', $id1, $id2, $cm, $flags, $mtime);

file_put_contents(__DIR__ . '/test.gz', $binStr);

Resulting bytes: 1f 8b 08 00 74 33 c1 54 (MTIME is written little-endian, so 0x54c13374 appears as 74 33 c1 54)

Page 44: Steganography: Hiding your secrets with PHP

pack()/unpack()

$gzip = file_get_contents(__DIR__ . '/test.gz');

/*
 * Format:
 * - C2id: 2 bytes, unpacked as id1 and id2.
 * - C1cm, C1flags: 1 byte each.
 * - Vmtime: unsigned long, 32 bit, little-endian byte order.
 */
list($id1, $id2, $cm, $flags, $mtime) = array_values(
    unpack('C2id/C1cm/C1flags/Vmtime', $gzip)
);

var_dump(
    dechex($id1),   // 1f
    dechex($id2),   // 8b
    dechex($cm),    // 8
    dechex($flags), // 0
    dechex($mtime)  // 54c13374
);

Page 45: Steganography: Hiding your secrets with PHP

Bitwise operators

• Bitwise operators allow evaluation and manipulation of specific bits within an integer.

• PHP provides 6 bitwise operators: &, |, ^, ~, << and >>.

Page 46: Steganography: Hiding your secrets with PHP

Bitwise operators

AND

  0b01100101   101  0x65  0145
& 0b11001000   200  0xc8  0310
  ----------
  0b01000000    64  0x40  0100

Page 47: Steganography: Hiding your secrets with PHP

Bitwise operators

OR

  0b01100101   101  0x65  0145
| 0b11001000   200  0xc8  0310
  ----------
  0b11101101   237  0xed  0355

Page 48: Steganography: Hiding your secrets with PHP

Bitwise operators

XOR

  0b01100101   101  0x65  0145
^ 0b11001000   200  0xc8  0310
  ----------
  0b10101101   173  0xad  0255

Page 49: Steganography: Hiding your secrets with PHP

Bitwise operators

Shift left: 101 << 2

  0b01100101     101  0x65   0145
  0b0110010100   404  0x194  0624

x << y == x * pow(2, y)

Page 50: Steganography: Hiding your secrets with PHP

Bitwise operators

Shift right: 101 >> 2

  0b01100101   101  0x65  0145
  0b00011001    25  0x19  031

x >> y == floor(x / pow(2, y)) for non-negative x: the low bits are discarded

Page 51: Steganography: Hiding your secrets with PHP

Bitwise operators

NOT: ~101

  0b01100101   101  0x65  0145
  0b10011010   154  0x9a  0232  (8-bit view)

PHP integers are 64-bit signed, so ~101 === -102; mask with & 0xff to see the 8-bit complement 154.

Page 52: Steganography: Hiding your secrets with PHP

Bitwise operators

$flag = 0x14   (0b00010100)

Read flag:  $flag & 0x04
  0b00010100 & 0b00000100 = 0b00000100   (non-zero: the flag is set)

Set flag:   $flag | 0x04
  0b00010100 | 0b00000100 = 0b00010100

Unset flag: $flag & ~0x04
  0b00010100 & 0b11111011 = 0b00010000

Page 53: Steganography: Hiding your secrets with PHP

Demo #1: Hiding messages in GZIP file headers

Page 54: Steganography: Hiding your secrets with PHP

GZIP file format

ID1 ID2 CM FLG MTIME(4) XFL OS                                   fixed 10-byte header
[FEXTRA: XLEN + data] [FNAME: name \0] [FCOMMENT: text \0] [FHCRC]   optional fields, in this order, each present when its FLG bit is set
COMPRESSED STREAM                                                 raw DEFLATE data
CRC32 ISIZE                                                       trailer

FLG bits: FTEXT (0x01), FHCRC (0x02), FEXTRA (0x04), FNAME (0x08), FCOMMENT (0x10)

Source: https://tools.ietf.org/html/rfc1952

Page 55: Steganography: Hiding your secrets with PHP

Demo #1.1: Embedding messages into the GZIP FNAME header

raulfraile/steganography_talk: /demos/demo1/demo1_1
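An added example of the FNAME technique, written for this page rather than taken from the talk's demo repository: it builds a complete gzip member with pack(), stores the secret in the "original file name" field, and reads it back with unpack(). It assumes PHP 7.1+ with ext-zlib; the constant and function names are its own.

```php
<?php
// Added example (not the talk's demo code): hide a message in the FNAME
// field of a gzip member (RFC 1952). Every gzip reader accepts the file;
// the "original file name" is never checked against anything.
// Requires ext-zlib (gzdeflate/gzdecode) and PHP 7.1+.

const GZ_FLG_FHCRC    = 0x02;
const GZ_FLG_FEXTRA   = 0x04;
const GZ_FLG_FNAME    = 0x08;
const GZ_FLG_FCOMMENT = 0x10;

/** Build a gzip member for $payload whose FNAME header carries $secret. */
function gzipEmbedFname(string $payload, string $secret): string
{
    // FNAME is NUL-terminated (RFC 1952 says ISO 8859-1), so a binary secret
    // must be encoded first; refuse rather than silently truncate.
    if (strpos($secret, "\0") !== false) {
        throw new InvalidArgumentException('secret must not contain NUL; base64/hex it first');
    }
    // ID1 ID2 CM FLG MTIME XFL OS  (OS 255 = unknown)
    $header  = pack('C4VC2', 0x1f, 0x8b, 8, GZ_FLG_FNAME, time(), 0x00, 0xff);
    $body    = gzdeflate($payload);                   // raw DEFLATE, no zlib wrapper
    $trailer = pack('VV', crc32($payload), strlen($payload) & 0xffffffff);
    return $header . $secret . "\0" . $body . $trailer;
}

/** Parse the fixed header and optional fields; return FNAME or null. */
function gzipExtractFname(string $gz): ?string
{
    if (strlen($gz) < 10) {
        return null;
    }
    $h = unpack('Cid1/Cid2/Ccm/Cflg/Vmtime/Cxfl/Cos', $gz);
    if ($h['id1'] !== 0x1f || $h['id2'] !== 0x8b || $h['cm'] !== 8) {
        return null;                                   // not a gzip member
    }
    $pos = 10;
    if ($h['flg'] & GZ_FLG_FEXTRA) {                   // FEXTRA precedes FNAME: skip XLEN + data
        $xlen = unpack('v', substr($gz, $pos, 2))[1];
        $pos += 2 + $xlen;
    }
    if (!($h['flg'] & GZ_FLG_FNAME)) {
        return null;
    }
    $end = strpos($gz, "\0", $pos);
    return $end === false ? null : substr($gz, $pos, $end - $pos);
}

// Constructed cover data; any bytes would do.
$cover = str_repeat("nothing to see here\n", 50);
$stego = gzipEmbedFname($cover, 'meet at 0900');

var_dump(gzdecode($stego) === $cover);   // true: still a valid gzip file
var_dump(gzipExtractFname($stego));      // "meet at 0900"
```

This hides the message only from people who never look at the header: `gzip -lN` and `file` print FNAME, so it is a low-effort channel, not a covert one. It is also what a defender greps for when triaging archives: a name field that does not look like a file name.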

Page 56: Steganography: Hiding your secrets with PHP

Demo #1: GZIP

Page 57: Steganography: Hiding your secrets with PHP

Demo #2: Hiding data into images

Page 58: Steganography: Hiding your secrets with PHP

• PHP extension wrapping the GD image library (libgd).

• It provides high-level functions to work directly with pixels (which will be used to encode data), such as imagecolorat() and imagesetpixel().

GD extension

Source: http://libgd.bitbucket.org/

Page 59: Steganography: Hiding your secrets with PHP

Demo #2.1: Embedding text data into images (+ steganalysis)

raulfraile/steganography_talk: /demos/demo2/demo2_1
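An added example of LSB embedding with GD, covering the numeric walk-through on the "LSB in images" slide and the text-in-image demo above; it is not the talk's demo code. It assumes ext-gd and a truecolor cover (a palette PNG needs imagepalettetotruecolor() first); the 32-bit length prefix and the function names are this example's design.

```php
<?php
// Added example (not the talk's demo): LSB embedding with GD. One message
// bit replaces the least significant bit of each R, G and B value; a
// 32-bit big-endian length prefix tells the extractor where to stop.
// Requires ext-gd and a truecolor image. Save the result as PNG: JPEG
// re-quantises the pixels and destroys the hidden bits.

/** Message -> string of '0'/'1', prefixed with its 32-bit length. */
function toBitString(string $msg): string
{
    $bits = '';
    foreach (str_split(pack('N', strlen($msg)) . $msg) as $byte) {
        $bits .= sprintf('%08b', ord($byte));
    }
    return $bits;
}

/** Returns a copy of $img with $msg written into the channel LSBs. */
function lsbEmbed($img, string $msg)
{
    $w = imagesx($img); $h = imagesy($img);
    $bits = toBitString($msg);
    if (strlen($bits) > $w * $h * 3) {
        throw new LengthException('message does not fit: ' . intdiv($w * $h * 3, 8) . ' bytes max');
    }
    $out = imagecreatetruecolor($w, $h);
    imagecopy($out, $img, 0, 0, 0, 0, $w, $h);
    $i = 0; $n = strlen($bits);
    for ($y = 0; $y < $h && $i < $n; $y++) {
        for ($x = 0; $x < $w && $i < $n; $x++) {
            $rgb = imagecolorat($out, $x, $y);
            $ch  = [($rgb >> 16) & 0xff, ($rgb >> 8) & 0xff, $rgb & 0xff];
            foreach ($ch as $k => $v) {
                if ($i < $n) {
                    // clear bit 0, then OR in the message bit (144 -> 145, 141 -> 140, ...)
                    $ch[$k] = ($v & ~1) | (int) $bits[$i++];
                }
            }
            imagesetpixel($out, $x, $y, imagecolorallocate($out, $ch[0], $ch[1], $ch[2]));
        }
    }
    return $out;
}

/** Read the length prefix, then exactly that many bytes from the LSB plane. */
function lsbExtract($img): string
{
    $w = imagesx($img); $h = imagesy($img);
    $bits = ''; $need = 32; $len = null;
    for ($y = 0; $y < $h; $y++) {
        for ($x = 0; $x < $w; $x++) {
            $rgb   = imagecolorat($img, $x, $y);
            $bits .= (($rgb >> 16) & 1) . (($rgb >> 8) & 1) . ($rgb & 1);
            if ($len === null && strlen($bits) >= 32) {
                $len  = bindec(substr($bits, 0, 32));
                $need = 32 + $len * 8;
            }
            if ($len !== null && strlen($bits) >= $need) {
                $out = '';
                for ($i = 32; $i < $need; $i += 8) {
                    $out .= chr(bindec(substr($bits, $i, 8)));
                }
                return $out;
            }
        }
    }
    throw new RuntimeException('no complete message found');
}

/** Crude steganalysis indicator: share of 1s in the LSB plane. */
function lsbOnesRatio($img): float
{
    $w = imagesx($img); $h = imagesy($img); $ones = 0;
    for ($y = 0; $y < $h; $y++) {
        for ($x = 0; $x < $w; $x++) {
            $rgb   = imagecolorat($img, $x, $y);
            $ones += (($rgb >> 16) & 1) + (($rgb >> 8) & 1) + ($rgb & 1);
        }
    }
    return $ones / ($w * $h * 3);
}

// Constructed cover: a 64x64 gradient (in practice: imagecreatefrompng()).
$cover = imagecreatetruecolor(64, 64);
for ($y = 0; $y < 64; $y++) {
    for ($x = 0; $x < 64; $x++) {
        imagesetpixel($cover, $x, $y, imagecolorallocate($cover, $x * 4, $y * 4, 81));
    }
}
$stego = lsbEmbed($cover, 'the cake is a lie');
var_dump(lsbExtract($stego));                                   // "the cake is a lie"
printf("LSB ones: cover %.3f, stego %.3f\n", lsbOnesRatio($cover), lsbOnesRatio($stego));
imagepng($stego, sys_get_temp_dir() . '/stego.png');
```

The ratio function is only a hint: the constructed gradient has a very skewed LSB plane, so the embedded region stands out, whereas on a photograph the real methods are histogram-pair and chi-square tests over the LSB statistics, as the steganalysis slides describe.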

Page 60: Steganography: Hiding your secrets with PHP

Demo #2.2: Embedding images into images (+ steganalysis)

raulfraile/steganography_talk: /demos/demo2/demo2_2

Page 61: Steganography: Hiding your secrets with PHP

Demo #3: Hiding code in code

Page 62: Steganography: Hiding your secrets with PHP

• A polyglot is a program that is valid source code in several programming languages at once.

• They are generally written in a combination of C (whose preprocessor allows tokens to be redefined) and one or more scripting languages.

Polyglot programs

Page 63: Steganography: Hiding your secrets with PHP

polyglot.pl.php.py.rb.cpp

Polyglot programs

#/*<?php eval('echo "PHP Code\n";'); __halt_compiler();?> */

#include <stdio.h> /*

print ((("b" + "0" == 0) and eval('"Perl Code\n"')) or (0 and "Ruby Code\n" or "Python Code"));

__DATA__ = 1 """"" __END__

===== . ===== */

#ifdef __cplusplus
char msg[9] = {'C','+','+',' ','C','o','d','e', '\n'};
#else
char msg[7] = {'C',' ','C','o','d','e', '\n'};
#endif

int main() { int i; for(i = 0; i < 9; ++i) putchar(msg[i]); return 0;}

Source: https://gist.github.com/SaswatPadhi/2872457

Page 64: Steganography: Hiding your secrets with PHP

Demo #3.1: Embedding PHP code using __halt_compiler()

raulfraile/steganography_talk: /demos/demo3/demo3_1

Page 65: Steganography: Hiding your secrets with PHP

__halt_compiler()

• Halts the compiler: nothing after the __halt_compiler(); statement is parsed, so the rest of the file can hold arbitrary bytes.

• The byte offset at which that data starts is given by the __COMPILER_HALT_OFFSET__ constant, which is specific to the file it appears in.

• Phar archives use this to separate the stub (loader code) from the rest of the file (manifest, files and signature).

Page 66: Steganography: Hiding your secrets with PHP

__halt_compiler()

23 21 2f 75 73 72 2f 62 69 6e 2f 65 6e 76 20 70  |#!/usr/bin/env p|
68 70 0a 3c 3f 70 68 70 0a 0a 50 68 61 72 3a 3a  |hp.<?php..Phar::|
6d 61 70 50 68 61 72 28 27 74 65 73 74 2e 70 68  |mapPhar('test.ph|
61 72 27 29 3b 0a 65 63 68 6f 20 27 68 65 6c 6c  |ar');.echo 'hell|
6f 20 77 6f 72 6c 64 21 27 3b 0a 0a 5f 5f 48 41  |o world!';..__HA|
4c 54 5f 43 4f 4d 50 49 4c 45 52 28 29 3b 20 3f  |LT_COMPILER(); ?|
3e 0d 0a 33 00 00 00 01 00 00 00 11 00 00 00 01  |>..3............|
00 00 00 00 00 00 00 00 00 05 00 00 00 31 2e 74  |.............1.t|
78 74 10 00 00 00 d2 1e 50 53 10 00 00 00 26 fb  |xt......PS....&.|
a7 61 b6 01 00 00 00 00 00 00 53 6f 6d 65 20 72  |.a........Some r|
61 6e 64 6f 6d 20 74 65 78 74 23 b5 11 ce 2c 41  |andom text#...,A|
e0 d4 3a db 21 ee cc ec c2 8c f6 3f 93 e2 02 00  |..:.!......?....|
00 00 47 42 4d 42                                |..GBMB|

Source: http://www.slideshare.net/raulfraile/kernelinfect-creating-a-cryptovirus-for-symfony2-apps
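An added example of the __halt_compiler() trick from Demo #3.1, written for this page rather than taken from the talk's repository. To be self-contained it generates the carrier script into a temp file and then requires it; in practice the stub would be any ordinary-looking file in the code base. It assumes PHP 7+ with ext-zlib; the stub text, payload and function names are constructed for the example.

```php
<?php
// Added example (not the talk's demo): a PHP file that carries a hidden
// payload after __halt_compiler(). __COMPILER_HALT_OFFSET__ is resolved
// per file, so it must be read from inside the file that contains the
// __halt_compiler() call; that file is generated below.

$stub = <<<'STUB'
<?php
// looks like a harmless helper ...
function stub_greeting(): string { return 'hello'; }

/** Return the bytes stored after __halt_compiler() in this very file. */
function hidden_payload(): string
{
    $fp = fopen(__FILE__, 'rb');
    fseek($fp, __COMPILER_HALT_OFFSET__);   // first byte after the ';'
    $data = stream_get_contents($fp);
    fclose($fp);
    return $data;
}
__halt_compiler();
STUB;

// The payload is arbitrary bytes: here a small PHP fragment, compressed so
// that a grep for "<?php" or for function names does not find it.
$secret = gzcompress('<?php return strrev("dlrow olleh");');

$path = sys_get_temp_dir() . '/halt_demo_' . bin2hex(random_bytes(4)) . '.php';
file_put_contents($path, $stub . $secret);   // data starts right after the ';'

require $path;                                // parses only the stub part
$payload = hidden_payload();
var_dump($payload === $secret);               // true
var_dump(eval('?>' . gzuncompress($payload)));  // "hello world"
unlink($path);
```

For a reviewer the tell is the same one Phar uses: a `__halt_compiler();` followed by bytes that are not text. A `grep -l __halt_compiler` over a code base that ships no Phar files is a cheap detection.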

Page 67: Steganography: Hiding your secrets with PHP

Demo #3.2: Hiding messages using whitespace characters

raulfraile/steganography_talk: /demos/demo3/demo3_2

Page 68: Steganography: Hiding your secrets with PHP

Demo #3.3: Hiding code using whitespace characters

raulfraile/steganography_talk: /demos/demo3/demo3_3

Page 69: Steganography: Hiding your secrets with PHP

Demo #3.4: Embedding Whitespace code in empty lines of Docblocks

raulfraile/steganography_talk: /demos/demo3/demo3_4
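An added example for the whitespace demos (#3.2 to #3.4), not the talk's own code: it hides a message in trailing spaces and tabs appended to the lines of a PHP source file, using the same three-character alphabet that makes Whitespace programs invisible in docblock blank lines. It assumes PHP 7+; the byte-per-line layout, the cover source and the function names are this example's choices.

```php
<?php
// Added example (not the talk's demo): trailing-whitespace steganography.
// Each line of the cover gets 8 invisible characters appended, one per
// bit of a message byte: space = 0, tab = 1. The first line that does not
// end in exactly such a group ends the message, so the decoder knows when
// to stop. Space, tab and newline are also the whole alphabet of the
// Whitespace language, which is why its programs hide in blank lines.

function wsEmbed(string $cover, string $msg): string
{
    if ($msg === '') {
        return $cover;
    }
    $lines = explode("\n", $cover);
    // strip any existing trailing whitespace so the decoder sees only ours
    $lines = array_map(function ($l) { return rtrim($l, " \t"); }, $lines);
    if (strlen($msg) > count($lines)) {
        throw new LengthException('cover has ' . count($lines) . ' lines, need ' . strlen($msg));
    }
    foreach (str_split($msg) as $i => $byte) {
        $lines[$i] .= strtr(sprintf('%08b', ord($byte)), '01', " \t");
    }
    return implode("\n", $lines);
}

function wsExtract(string $stego): string
{
    $out = '';
    foreach (explode("\n", $stego) as $line) {
        if (!preg_match('/([ \t]{8})$/', $line, $m)) {
            break;                           // first line without a payload ends the message
        }
        $out .= chr(bindec(strtr($m[1], " \t", '01')));
    }
    return $out;
}

// Constructed cover: an unremarkable PHP function with a docblock.
$cover = <<<'PHP'
<?php
/**
 * Normalises a path.
 *
 * @param string $path
 * @return string
 */
function normalise(string $path): string
{
    return rtrim($path, '/');
}
PHP;

$stego = wsEmbed($cover, 'at dawn');
var_dump($stego === $cover);   // false, although diff -w and most eyes say they are equal
var_dump(wsExtract($stego));   // "at dawn"
```

The channel is fragile by design: an editor that trims trailing whitespace, a formatter, or a `phpcs` rule silently destroys it. That same property is the detection: `grep -nP '[ \t]+$'` over a repository that enforces no trailing whitespace should return nothing.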

Page 70: Steganography: Hiding your secrets with PHP

Whitespace

• Esoteric programming language with only three lexical tokens: Space (ASCII 32), Tab (ASCII 9) and Line Feed (ASCII 10).

• Stack based language with support for I /O, flow control and arithmetic operations.

Page 71: Steganography: Hiding your secrets with PHP

hello_world.ws

Whitespace

Source: http://compsoc.dur.ac.uk/whitespace/

Page 72: Steganography: Hiding your secrets with PHP

nikic/php-parser

• A PHP parser written in PHP.

• Useful for static code analysis, manipulation and generation.

• Converts PHP code into an AST (Abstract Syntax Tree).

• At the time of the talk it used a PHP 5.6 compliant grammar (backwards compatible with PHP 5.2+) and could emulate tokens from PHP versions other than the one running it (for example, parsing 5.6 code on 5.3); current releases parse PHP 7 and 8 code.

Source: https://github.com/nikic/PHP-Parser

Page 73: Steganography: Hiding your secrets with PHP

nikic/php-parser

$test = 1; if (1 == $test) { echo 'ok'; }

Assignment
    Variable (Name: test)
    Lnumber (Value: 1)
If
    condition: Equal
        left: Lnumber (Value: 1)
        right: Variable (Name: test)
    Statements
        Echo
            String (Value: ok)

Page 74: Steganography: Hiding your secrets with PHP


nikic/php-parser

$code = <<<CODE
<?php
\$test = 1;
if (1 == \$test) {
    echo 'ok';
}
CODE;

// PHP-Parser 1.x API as used in the talk; current releases construct the
// parser through PhpParser\ParserFactory instead.
$parser = new PhpParser\Parser(new PhpParser\Lexer\Emulative);

$ast = $parser->parse($code);

Page 75: Steganography: Hiding your secrets with PHP

nikic/php-parser

• Besides the parser, the library provides two main components:

• NodeTraverser: for traversing and visiting the node tree (visitors can rewrite nodes on the way).

• PrettyPrinter: to turn the AST back into PHP code.

Page 76: Steganography: Hiding your secrets with PHP

Questions?

raulfraile

[email protected]

Credits: https://www.flickr.com/photos/ignotus/16132533706

https://www.flickr.com/photos/sporkqueen/2525132547

https://www.flickr.com/photos/kjarrett/15428375607

https://www.iconfinder.com/iconsets/hawcons

