0x835 Steganography 2013-11-07 Grenoble INP Ensimag


  • 0x835

    Steganography

    2013-11-07

    Grenoble INP

    Ensimag

    http://www.ensimag.fr/

  • Introduction

    2 SecurIMAG - Stegano – 0x835 – 2013/11/07

    Steganography is the process of hiding one medium of communication (text,

    sound, image, …) within another without changing the original format.

    From the Greek word steganos meaning « covered » and the Greek

    word graphie meaning « writing ».

    Steganography = covered writing

  • Some properties


    Steganography → the process of hiding a secret message

    Anyone else viewing the message will fail to notice that it contains hidden or
    encrypted data

    Differences between cryptography and steganography:

    Crypto → the information is known to exist;
    the data is encoded in such a way that only the intended recipient can read it (normally...)

    Stegano → we don't know that information is hidden...
    the data is sometimes encrypted

  • History


    - Tattooed shaved heads

    - Ancient Greeks used wax-covered tablets

    - More modern methods:

    * George Sand & Alfred de Musset

    « Quand je mets à vos pieds un éternel hommage,
    Voulez-vous qu'un instant je change de visage ?
    Vous avez capturé les sentiments d'un cœur
    Que pour adorer forma le Créateur.
    Je vous chéris, amour, et ma plume en délire
    Couche sur le papier ce que je n'ose dire.
    Avec soin de mes vers lisez les premiers mots,
    Vous saurez quel remède apporter à mes maux. »

    The closing couplet gives the key: read the first word of each line with care.

    * Invisible ink

  • History


    - Other modern methods

    World War Two:

    « Fishing freshwater bends and saltwater coasts rewards anyone feeling
    stressed. Resourceful anglers usually find masterful leapers fun and admit
    swordfish rank overwhelming anyday. »

    By taking the third letter of each word, the following message emerges:

    Send Lawyers, Guns, and Money.

    Invisible ink « decoded » with a UV lamp

    Use of computers

    - for images: Least Significant Bit (LSB)

    - for audio data: LBE, SSE, EDH

    - for network data: ICMP, HTTP or DNS hidden channels

  • Least Significant Bit – LSB (bmp, png, ...)


    - Image = array of numbers that represent light intensities at

    various points (pixels)

    - Primary colors: Red, Green and Blue. Each primary color is

    represented by 1 byte (8 bits).

    - 24-bit images use 3 bytes per pixel

    - If information is stored in the least significant bit (LSB) of each

    byte, 3 bits can be stored in each pixel

    - Image will look identical to the human eye !!!
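    The LSB scheme from this slide, as an added example (not code from the original deck): it embeds a byte string into the LSB plane of a constructed list of RGB pixels, extracts it again, and performs the known-carrier comparison a defender would make when cover and stego image are both available: no colour byte moves by more than 1. The pixel values and the 1-byte length prefix are assumptions of this example.

```python
# Constructed cover image: eight RGB pixels (a 4x2 image), one byte per channel.
COVER = [(120, 200, 33), (0, 255, 17), (90, 91, 92), (10, 11, 12),
         (254, 1, 128), (77, 78, 79), (200, 201, 202), (5, 6, 7)]

def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def lsb_embed(pixels, payload: bytes):
    """Write one payload bit into the LSB of each colour byte (3 bits per pixel).
    A 1-byte length prefix (an assumption of this example) marks the message end."""
    message = bytes([len(payload)]) + payload
    capacity = len(pixels) * 3 // 8                 # whole bytes the cover can hold
    if len(payload) > 255 or len(message) > capacity:
        raise ValueError(f"message needs {len(message)} bytes, cover holds {capacity}")
    bits = _bits(message)
    stego = []
    for pixel in pixels:
        # (c & ~1) clears the LSB; bytes beyond the message keep their original LSB
        stego.append(tuple((c & ~1) | next(bits, c & 1) for c in pixel))
    return stego

def lsb_extract(pixels):
    """Read the LSB plane back and cut it at the length prefix."""
    lsbs = [c & 1 for pixel in pixels for c in pixel]
    data = bytearray(int("".join(map(str, lsbs[i:i + 8])), 2)
                     for i in range(0, len(lsbs) - 7, 8))
    return bytes(data[1:1 + data[0]])

def max_channel_delta(cover, stego):
    """Known-carrier check: with cover and stego side by side, no byte differs by more than 1."""
    return max(abs(a - b) for p, q in zip(cover, stego) for a, b in zip(p, q))
```

    Eight pixels hold 24 bits, so a two-byte payload plus its length byte fills the cover exactly; the delta check is why LSB changes are invisible to the eye yet trivial to spot with the original at hand.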

  • Least Significant Bit – LSB (bmp, png, ...)


    [Figure: illustration of a pixel, with the LSB of each colour byte marked]

  • Least Significant Bit – LSB (bmp, png, ...)


    Some tools

    EZ-Stego
    Snow
    S-Tools
    Camouflage
    Image Hide

    And some others...

    DEMO !!!

  • Encoding secret messages in Audio (wav, mp3, ...)


    LBE (Low Bit Encoding): the audio counterpart of LSB for images

    SSE (Spread Spectrum Encoding): we add noise (which carries the
    message) to the original sound

    EDH (Echo Data Hiding): in melodies there are often echoes associated
    with the original sound. The delay between those two sounds can be used to
    hide information.

    « Perception mask »: we hide a sound behind another, more powerful one

  • Attacks


    Two types of attacks

    Passive attack: the attacker tries to detect the embedded message

    Active attack: the attacker tries to destroy/modify the embedded message

    Known carrier attack: the original cover media and the stego media are both
    available for analysis

    Steganography only attack: only the stego media is available for analysis

    Known message attack: the hidden message is known

    Known steganography attack: cover media, stego media and the steganography
    tool or algorithm are known

  • PDF Steganography


    Genesis of the idea

    - PNG: something other than LSB (need to know the structure)

    - JPG?

    - Why not PDF?

    PNG

    Lossless data compression (DEFLATE) → zlib (same as in ZIP files)

    DEFLATE = LZ77 + Huffman

    PNG header: 89 50 4E 47 0D 0A 1A 0A (8 bytes)

    Blocks = chunks

    Critical chunks: IHDR, PLTE, IDAT and IEND

    Ancillary chunks: tEXt, zTXt and iTXt


  • Chunks


    IHDR (0x49484452): must be the first chunk; it contains the image's width, height and bit depth

    PLTE (0x504C5445): not necessarily present (only if colour type = 3); contains the palette, i.e. the list of colours

    IDAT (0x49444154): contains the image data, which may be split among multiple IDAT chunks

    IEND (0x49454E44): marks the end of the image

    tEXt, zTXt and iTXt can be used to hide information (Latin-1, DEFLATE-compressed, UTF-8)
    because decoders are not required to read them (they are optional)
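    An added chunk walker (not code from the original deck) for the chunk layout described on these slides: it constructs a 1x1 PNG that also carries a tEXt chunk, then parses the chunk sequence, verifies each CRC, and reports the optional text chunks and any bytes appended after IEND, the two places a viewer never displays. The sample image and the "Comment" keyword are assumptions of this example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"          # the 8-byte header from the slide
TEXT_CHUNKS = (b"tEXt", b"zTXt", b"iTXt")

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: 4-byte length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_sample_png(hidden: bytes) -> bytes:
    """Constructed 1x1 RGB PNG that also carries a tEXt chunk holding `hidden`."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8 bits/sample, RGB
    raw = b"\x00\xff\x00\x00"                             # filter byte 0 + one red pixel
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw))
            + chunk(b"tEXt", b"Comment\x00" + hidden) + chunk(b"IEND", b""))

def walk_chunks(png: bytes):
    """Yield (type, data, crc_ok) for each chunk; bytes after IEND are reported as junk."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if pos + 12 + length > len(png):          # declared length runs past the file
            yield ctype, png[pos + 8:], False
            return
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        yield ctype, data, crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        pos += 12 + length
        if ctype == b"IEND":
            break
    if pos < len(png):
        yield b"junk", png[pos:], False       # appended after IEND: another hiding spot

def find_text_chunks(png: bytes):
    """Return (type, keyword, payload) for the optional text chunks a viewer ignores."""
    found = []
    for ctype, data, crc_ok in walk_chunks(png):
        if ctype not in TEXT_CHUNKS:
            continue
        keyword, _, rest = data.partition(b"\x00")
        if ctype == b"zTXt":
            rest = zlib.decompress(rest[1:])  # first byte is the compression method
        # iTXt carries extra language/translation fields; its payload is left undecoded
        found.append((ctype.decode("ascii"), keyword.decode("latin-1"), rest))
    return found
```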

  • JPG and PDF


    JPG:

    - lossy compression (compresses data by discarding some of it)

    - harder to do, and already done by some tools

    PDF:

    - why not? We use this type of file more and more!

    - what about its structure?

  • PDF structure


    There are different structures (explicit and implicit ones)

    Structure divided into 4 parts:

    Header

    %PDF-1.x

    Body (objects)

    1 0 obj % entry point
    << ... >>
    endobj

  • PDF structure


    Xref table (position of the objects)

    xref
    0 3
    0000000000 65535 f
    0000000010 00000 n
    0000000079 00000 n

    Trailer

    trailer
    << ... >>
    startxref
    492
    %%EOF

  • PDF Reader


    1) reads the 1st line (PDF version)

    2) goes to the end (checks for %%EOF)

    3) goes one line above (offset of the xref table)

    4) builds the xref table in memory and looks for the /Catalog

    Start of the document

    It is a tree in fact!!!
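    The reader's four steps, as an added example (not code from the original deck): it constructs a minimal PDF with valid xref offsets, parses it the way the slide describes (header line, %%EOF, startxref, xref table, trailer /Root), then walks the object tree from the catalog and lists xref entries that nothing references, which is where a hidden object would sit unnoticed by a viewer. The sample objects and the classic xref table layout are assumptions of this example; cross-reference streams and incremental updates are not handled.

```python
import re

def build_sample_pdf(extra_objects=()):
    """Constructed minimal PDF (catalog -> pages -> page) with correct xref offsets.
    Any extra_objects get numbers but are referenced by nothing: the hidden kind."""
    objects = [b"<< /Type /Catalog /Pages 2 0 R >>",
               b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
               b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
               *extra_objects]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    startxref, size = len(out), len(objects) + 1
    out += b"xref\n0 %d\n0000000000 65535 f \n" % size       # entries are exactly 20 bytes
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (size, startxref)
    return bytes(out)

def parse_pdf(pdf: bytes):
    """The reader's four steps: header line, %%EOF, startxref, xref table + trailer /Root."""
    version = pdf.split(b"\n", 1)[0]                                # 1) version line
    if not version.startswith(b"%PDF-") or not pdf.rstrip().endswith(b"%%EOF"):
        raise ValueError("missing %PDF- header or %%EOF marker")     # 2) end marker
    startxref = int(pdf.rstrip().rsplit(b"startxref", 1)[1].split()[0])  # 3) line above
    m = re.match(rb"xref\s+(\d+)\s+(\d+)\s+", pdf[startxref:])         # 4) xref table
    first, count = int(m.group(1)), int(m.group(2))
    table = pdf[startxref + m.end():]
    offsets = {}
    for i in range(count):
        off, _gen, kind = table[i * 20:(i + 1) * 20].split()
        if kind == b"n":                      # 'f' entries are free slots
            offsets[first + i] = int(off)
    trailer = re.search(rb"trailer\s*<<(.*?)>>", pdf[startxref:], re.S).group(1)
    root = int(re.search(rb"/Root\s+(\d+)\s+\d+\s+R", trailer).group(1))
    return version.decode("ascii"), offsets, root

def unreachable_objects(pdf: bytes):
    """Walk the object tree from /Root; xref entries never reached deserve a closer look."""
    _, offsets, root = parse_pdf(pdf)
    seen, todo = set(), [root]
    while todo:
        num = todo.pop()
        if num in seen or num not in offsets:
            continue
        seen.add(num)
        body = re.match(rb"\d+ \d+ obj\s*(.*?)\s*endobj", pdf[offsets[num]:], re.S).group(1)
        todo += [int(n) for n in re.findall(rb"(\d+)\s+\d+\s+R", body)]
    return sorted(set(offsets) - seen)
```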

  • Object syntax


    There are 9 types of objects:

    Number: e.g. 3

    Indirect reference (n r R): references an object, e.g. 5 0 R. If the object
    doesn't exist this is equivalent to the Null object (see below).

    Name (/Name): names are identifiers.

    Dictionary (<< ... >>): an unordered list of (Name, Object) pairs. They
    are essentially hash tables.

    Array ([ x y z ... ]): an ordered list of objects, e.g. [ 0 0 200 200 ].

    String Object ((text)): text.

    Stream (<< ... >> stream ... endstream): embedded data, can be
    compressed. It starts with a dictionary that describes the stream, such as its
    length or the encoding (/Filter) it uses.

    Boolean: true or false.

    Null Object: null.

  • PDF structure


    What about the updates?

    DEMO!!!

    How does it work?

    Different types of compression filters:

    ASCII 85, JPX Filter,

    LZW Filter, etc.

  • Malicious PDF


    Some bad guys are also trying to trigger buffer overflows in your PDF reader!!! To take control of your PC!!!!

  • PDF structure


    Mechanism

    Hide the object in the PDF!!!

    [Diagram] MSG → AES → Filter → PDF

  • My tool


  • Conclusion


    Questions?

  • Bibliography


    Some useful links

    Stegano concepts

    http://partners.adobe.com/public/developer/tips/topic_tip31.html

    http://en.wikipedia.org/wiki/Steganography

    http://www.slideshare.net/yprajapati/steganography-11960186

    Malicious PDF

    https://www.sans.org/reading-room/whitepapers/malicious/owned-malicious-pdf-analysis-33443
