Hydan [hI-dn]:

       Old english, to hide or conceal.


       Hydan steganographically conceals a message into an
       application. It exploits redundancy in the i386 instruction
       set by defining sets of functionally equivalent instructions.
       It then encodes information in machine code by using the
       appropriate instructions from each set.


               - Application filesize remains unchanged
               - Message is blowfish encrypted with a user-supplied
                 passphrase before being embedded
               - Encoding rate: 1/110

       Primary uses for Hydan:

               - Covert Communication: embedding data into binaries
                 creates a covert channel that can be used to
                 exchange secret messages.

               - Signing: a program's cryptographic signature can
                 be embedded into itself. The recipient of the
                 binary can then verify that it has not been
                 tampered with (virus or trojan), and is really
                 from who it claims to be from. This check can be
                 built into the OS for user transparency.

               - Watermarking: a watermark can be embedded to
                 uniquely identify binaries for copyright purposes,
                 or as part of a DRM scheme. Note: this usage is not
                 recommended as Hydan implements fragile watermarks.

       If you think of anything else, do let me know :)

Platforms Supported:

       - {Net, Free}BSD i386 ELF
       - Linux i386 ELF
       - Windows XP PE/COFF


       Version 0.13


       Update: I've finally updated the hydan code, after a long time off.
       The encoding rate has been improved to 1/110 (thanks to a tip from
       sandeep!), and the code is now much cleaner too. In the mean time,
       hydan has been presented at:

               CansecWest 04
               BlackHat Vegas 04
               DefCon 04

       A paper is to be published soon as well:
               Hydan: Hiding Information in Program Binaries
               Rakan El-Khalil and Angelos D. Keromytis.

       Which is to appear in the proceedings of the 6th International
       Conference on Information and Communications Security (ICICS)
       Malaga, Spain. To be published in Springer Verlag's LNCS.

       Hydan was initially presented at CodeCon on 02/23/2003.

       The following is a list of articles online from that presentation:

               - The Register: Hydan Seek
                 (same article at BusinessWeek, and SecurityFocus)
               - Slashdot: Program Hides Secret Messages in Executables
                 (could it be? crazyboy survived slashdotting?)
               - Punto-Informatico: Un tool cela segreti nei programmi
                 (intl coverage! been getting a lot of hits from them)
               - Bruce Schneier's Crypto-Gram: March 15, 2003 Issue
                 (and not in the snake-oil section either ;)

Like my Work?

       Buy me books!


       Rakan El-Khalil <rfe3 at columbia dot edu>