Steganography: Hiding your secrets with PHP
(Title slide: a word-search grid in which the words CERTIFIED, POLYGLOT, WHITESPACE and STEGANOGRAPHY can be read along the rows.)
About me
Steganography is the science of concealing a hidden message in plain sight in order to avoid detection.
Introduction
• Steganography: Hide the data from a third party.
• Cryptography: Make data unreadable by a third party.
Steganography / Cryptography
Motivation
Source: http://youtu.be/u_kqM0gn63M
Motivation
Source: http://uk.businessinsider.com/david-cameron-encryption-apple-pgp-2015-1?r=US
• Protection of data alteration (digital watermarking).
• Secretly communicate information.
• Anti-forensics mechanism.
Applications
Bacon's Bilateral Cipher

Each letter is represented by five symbols (A or B); I/J and U/V share a code:

A   AAAAA    G   AABBA    N   ABBAA    T   BAABA
B   AAAAB    H   AABBB    O   ABBAB    U/V BAABB
C   AAABA    I/J ABAAA    P   ABBBA    W   BABAA
D   AAABB    K   ABAAB    Q   ABBBB    X   BABAB
E   AABAA    L   ABABA    R   BAAAA    Y   BABBA
F   AABAB    M   ABABB    S   BAAAB    Z   BABBB
Take the red pill

BAABA AAAAA ABAAB AABAA   BAABA AABBB AABAA   BAAAA AABAA AAABB   ABBBA ABAAA ABABA ABABA
T     A     K     E       T     H     E       R     E     D       P     I     L     L

The 14 letters need 70 symbols, and the carrier sentence below has exactly 70 letters. Each carrier letter is set in one of two typefaces, one standing for A and the other for B:

Steganography is the art or practice of concealing messages within other messages
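The scheme above, as an added example that is not part of the original talk: the two typefaces are represented by the case of the carrier's letters (lowercase for A, uppercase for B), the carrier is the sentence from the slide, and the 24-letter table merges I/J and U/V as Bacon did.

```php
<?php
// Added example (not from the talk): Bacon's bilateral cipher in PHP. The two
// typefaces of the original are represented here by lowercase (A) and
// uppercase (B) letters of the carrier text.

// 24-letter table: I/J and U/V share a code, as in Bacon's original scheme.
function baconTable(): array
{
    $table = [];
    foreach (str_split('ABCDEFGHIKLMNOPQRSTUWXYZ') as $i => $letter) {
        $table[$letter] = strtr(str_pad(decbin($i), 5, '0', STR_PAD_LEFT), '01', 'AB');
    }
    $table['J'] = $table['I'];
    $table['V'] = $table['U'];
    return $table;
}

// Plaintext letters -> string of A/B symbols (anything that is not a letter is dropped).
function baconEncode(string $plain): string
{
    $table = baconTable();
    $out = '';
    foreach (str_split(strtoupper($plain)) as $ch) {
        if (isset($table[$ch])) {
            $out .= $table[$ch];
        }
    }
    return $out;
}

// Carry the symbols in the case of the carrier's letters: A = lowercase, B = uppercase.
function baconHide(string $symbols, string $carrier): string
{
    $letters = preg_match_all('/[a-z]/i', $carrier);
    if ($letters < strlen($symbols)) {
        throw new LengthException("carrier has $letters letters, need " . strlen($symbols));
    }
    $i = 0;
    $out = '';
    foreach (str_split($carrier) as $ch) {
        if (!ctype_alpha($ch)) {
            $out .= $ch;
            continue;
        }
        // Letters left over after the message are padded with B: a group of five
        // B's is not a valid code, so the decoder stops there.
        $symbol = $i < strlen($symbols) ? $symbols[$i] : 'B';
        $out .= $symbol === 'B' ? strtoupper($ch) : strtolower($ch);
        $i++;
    }
    return $out;
}

// Read the case pattern back and decode it five symbols at a time.
function baconReveal(string $stego): string
{
    $symbols = '';
    foreach (str_split($stego) as $ch) {
        if (ctype_alpha($ch)) {
            $symbols .= ctype_upper($ch) ? 'B' : 'A';
        }
    }
    $decode = [];
    foreach (baconTable() as $letter => $code) {
        if (!isset($decode[$code])) {   // keep I and U for the shared codes
            $decode[$code] = $letter;
        }
    }
    $plain = '';
    foreach (str_split($symbols, 5) as $group) {
        if (strlen($group) < 5 || !isset($decode[$group])) {
            break;                      // padding or an invalid group ends the message
        }
        $plain .= $decode[$group];
    }
    return $plain;
}

// The carrier sentence from the slide has exactly the 70 letters that 14 plaintext letters need.
$carrier = 'Steganography is the art or practice of concealing messages within other messages';
$stego = baconHide(baconEncode('Take the red pill'), $carrier);
echo $stego, "\n";
echo baconReveal($stego), "\n";
```

The giveaway for a reader is the same as with the typefaces: a sentence whose letter case (or font) changes without any typographic reason. A detector only has to look for the irregular pattern, not decode it.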
• Backmasking is a technique in which a sound or message is recorded backward onto a track that is meant to be played forward.
• It is a deliberate process, whereas a message found through phonetic reversal may be unintentional.
Backmasking
Backmasking
If there's a bustle in your hedgerow, don't be alarmed now, it's just a spring clean for the May queen. Yes there are two paths you can go by, but in the long run there's still time to change the road you're on.
Oh here's to my sweet Satan. The one whose little path would make me sad, whose power is satan. He'll give those with him 666, there was a little toolshed where he made us suffer, sad Satan.
• Some brand color laser printers add tiny yellow dots to each page that contain encoded printer serial numbers and timestamps.
• Monochrome printers and copiers from major manufacturers also include the markings.
• Most printers' codes have not been decoded.
Printer steganography
Digital steganography: LSB in images

Original pixel (R, G, B):     144 141 81   →  10010000 10001101 01010001
Hidden message bits:          1 0 1 0 0 1 …
Pixel 1 after embedding:      145 140 81   →  10010001 10001100 01010001   (LSBs carry 1, 0, 1)
Pixel 2 after embedding:      146 142 81   →  10010010 10001110 01010001   (LSBs carry 0, 0, 1)
Piet is a programming language in which programs look like abstract paintings.
Piet
Composition with Red, Yellow and Blue. 1921, Piet Mondrian
Source: http://www.dangermouse.net/esoteric/piet.html

Piet: commands are selected by the change in hue and darkness between two adjacent colour blocks

Hue change   | Darkness change: none | 1 darker       | 2 darker
None         |                       | push           | pop
1 step       | add                   | subtract       | multiply
2 steps      | divide                | mod            | not
3 steps      | greater               | pointer        | switch
4 steps      | duplicate             | roll           | in(number)
5 steps      | in(char)              | out(number)    | out(char)

Initial state: DP (direction pointer) right, CC (codel chooser) left.

$ npiet example1.png
? 5
25
5
• We already have filesystems with support for encryption, so their contents can only be read with the password. But the attacker may obtain the password illegally or torture the user into giving it up.
• The steganographic filesystem goes one step further: it does not even reveal the existence of sensitive information (even when raw sectors of the hard disc are accessed).
Steganographic filesystem
Steganographic filesystem

(Diagram: a FAT with clusters 0 to 8. 1.txt starts at cluster 2, 2.txt at cluster 5 and 3.txt at cluster 7; each FAT entry points at the file's next cluster or holds an EOF marker.)

Disk layouts compared:
  Boot | FAT | Filesystem
  Boot | FAT | Filesystem-level encryption
  Partition | Steganographic filesystem
• Network steganography uses communication protocols as the carrier and is harder to detect.
• Techniques:
• Steganophony: Delayed or corrupted packets that would normally be ignored by the receiver.
• WLAN Steganography: Transmission of steganograms in Wireless Local Area Networks
Network Steganography
• Custom HTTP headers to include geeky messages or as a recruiting tool.
• For example, booking.com:
  X-Recruiting: Like HTTP headers? Come write ours: https://workingatbooking.com
HTTP headers
• Steganographic method for the BitTorrent P2P file transfer service.
• It is based on modifying the order of data packets in the peer-to-peer data exchange protocol.
• Steganographic bandwidth of up to 270 b/s while introducing little transmission distortion and providing difficult detectability.
StegTorrent
StegTorrent
Source: http://www.computer.org/csdl/proceedings/spw/2013/5017/00/5017a151-abs.html

(Diagram: the order in which data packets 0 to 7 are sent between peers encodes the hidden bits 1100 10….)
• Spammimic embeds a message into spam.
• There are tons of spam messages. Also, real spam is usually dumb, so it's sometimes hard to tell whether it was written by a human or a machine.
Spammimic
Spammimic
Dear Professional , Your email address has been submitted to us indicating your interest in our newsletter ! This is a one time mailing there is no need to request removal if you won't want any more ! This mail is being sent in compliance with Senate bill 2516 , Title 9 , Section 303 . Do NOT confuse us with Internet scam artists . Why work for somebody else when you can become rich in 16 days . Have you ever noticed most everyone has a cellphone and nearly every commercial on television has a .com on in it ! Well, now is your chance to capitalize on this ! We will help you decrease perceived waiting time by 190% and deliver goods right to the customer's doorstep ! The best thing about our system is that it is absolutely risk free for you ! But don't believe us . Mrs Simpson of Maryland tried us and says "I was skeptical but it worked for me" . We assure you that we operate within all applicable laws ! We implore you - act now ! Sign up a friend and you get half off . Thanks .
Message: attack
Source: http://www.spammimic.com
Disappearing Cryptography. Information Hiding: Steganography & Watermarking
• Steganalysis is the study of detecting messages hidden using steganography.
• The goal of steganalysis is to identify suspected packages, determine whether or not they have a payload encoded into them, and, if possible, recover that payload.
• The problem is generally handled with statistical analysis.
Steganalysis
Binary strings
• In PHP, strings are just a sequence of bytes (C char type).
• PHP stores the length of strings explicitly. Unlike C, it does not need a zero terminator to find the end of a string.

(Diagram: the str member of a zval holding "hello": val points at the bytes h e l l o, len is 5.)

Binary strings

```c
typedef union _zvalue_value {
    long lval;
    double dval;
    struct {
        char *val;
        int len;
    } str;
    HashTable *ht;
    zend_object_value obj;
} zvalue_value;
```

(Diagram: a 6-byte binary string; $str[5] addresses a single byte, strlen() returns the stored length, and the same multi-byte value is shown in big endian ("14 - 0") and little endian ("0 - 14") byte order.)

pack()/unpack()
• pack() packs data into a binary string according to a given format.
• unpack() unpacks from a binary string into an array according to a given format.
pack()/unpack()

```php
$now = new \DateTime();

$id1 = 0x1f;
$id2 = 0x8b;
$cm = 0x08;
$flags = 0x00;
$mtime = $now->getTimestamp(); // 0x54c13374

/*
 * Format:
 *  - C4: 4 unsigned bytes (id1, id2, cm, flags).
 *  - V:  unsigned long, 32 bit, little endian byte order (mtime).
 */
$binStr = pack('C4V', $id1, $id2, $cm, $flags, $mtime);

file_put_contents(__DIR__ . '/test.gz', $binStr);
```

Resulting bytes (mtime is written little endian): 1f 8b 08 00 74 33 c1 54

pack()/unpack()

```php
$gzip = file_get_contents(__DIR__ . '/test.gz');

/*
 * Format:
 *  - C2: 2 bytes (id1, id2).
 *  - C1: 1 byte (cm), C1: 1 byte (flags).
 *  - V:  unsigned long, 32 bit, little endian byte order (mtime).
 */
list($id1, $id2, $cm, $flags, $mtime) = array_values(
    unpack('C2id/C1cm/C1flags/Vmtime', $gzip)
);

var_dump(
    dechex($id1),   // 1f
    dechex($id2),   // 8b
    dechex($cm),    // 8
    dechex($flags), // 0
    dechex($mtime)  // 54c13374
);
```
Bitwise operators
• Bitwise operators allow evaluation and manipulation of specific bits within an integer.
• PHP provides 6 bitwise operators: &, |, ^, ~, << and >>.
Bitwise operators

AND (&):   101 (0x65, 0145) = 0b01100101
           200 (0xc8, 0310) = 0b11001000
           --------------------------------
            64 (0x40, 0100) = 0b01000000

OR (|):    101 (0x65, 0145) = 0b01100101
           200 (0xc8, 0310) = 0b11001000
           --------------------------------
           237 (0xed, 0355) = 0b11101101

XOR (^):   101 (0x65, 0145) = 0b01100101
           200 (0xc8, 0310) = 0b11001000
           --------------------------------
           173 (0xad, 0255) = 0b10101101

Shift left (<<):   101 (0x65, 0145) = 0b01100101
                   101 << 2 = 404 (0x194, 0624) = 0b110010100
                   x << y == x * pow(2, y)

Shift right (>>):  101 (0x65, 0145) = 0b01100101
                   101 >> 2 = 25 (0x19, 031) = 0b00011001
                   x >> y == floor(x / pow(2, y))
Bitwise operators: flags

$flag = 0x14 (0b00010100)

Read flag:   $flag & 0x04     0b00010100 & 0b00000100 = 0b00000100   (non-zero: the flag is set)
Set flag:    $flag | 0x04     0b00010100 | 0b00000100 = 0b00010100
Unset flag:  $flag & ~0x04    0b00010100 & 0b11111011 = 0b00010000
GZIP file format

| ID1 | ID2 | CM | FLG | MTIME (4 bytes) | XFL | OS |     fixed 10-byte header
| optional fields selected by FLG: FEXTRA, FNAME ("FILE NAME" followed by \0), FCOMMENT, FHCRC |
| COMPRESSED STREAM |
| CRC32 | ISIZE |

FLG bits: FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT

Source: https://tools.ietf.org/html/rfc1952

Demo #1.1: Embedding messages into the GZIP FNAME header
Code: raulfraile/steganography_talk, /demos/demo1/demo1_1
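An added example of what the demo does, written for this page and not the talk's own demo code: the message goes into the optional FNAME field of a gzip member, the header is parsed back with unpack(), and the FLG byte is manipulated with the read/set/unset patterns from the bitwise slides. It assumes PHP 7+ with the zlib extension; the log payload and the message are constructed here.

```php
<?php
// Added example, not the talk's demo code: hide a short message in the optional
// FNAME field of a gzip member, recover it by parsing the header with unpack(),
// and strip it again. Assumes PHP 7+ with zlib; payload and message are constructed.

const GZ_FTEXT = 0x01, GZ_FHCRC = 0x02, GZ_FEXTRA = 0x04, GZ_FNAME = 0x08, GZ_FCOMMENT = 0x10;

// Fixed 10-byte header: ID1 ID2 CM FLG MTIME(4, little endian) XFL OS.
function gzHeader(string $gz): array
{
    if (strlen($gz) < 10) {
        throw new UnexpectedValueException('too short for a gzip header');
    }
    $h = unpack('Cid1/Cid2/Ccm/Cflg/Vmtime/Cxfl/Cos', substr($gz, 0, 10));
    if ($h['id1'] !== 0x1f || $h['id2'] !== 0x8b || $h['cm'] !== 8) {
        throw new UnexpectedValueException('not a gzip member');
    }
    return $h;
}

// [start of FNAME, offset just past its NUL], or null when FLG.FNAME is clear.
function fnameSpan(string $gz, array $h): ?array
{
    $pos = 10;
    if ($h['flg'] & GZ_FEXTRA) {                          // read flag: skip the FEXTRA block
        $pos += 2 + unpack('v', substr($gz, $pos, 2))[1];
    }
    if (!($h['flg'] & GZ_FNAME)) {                        // read flag
        return null;
    }
    $nul = strpos($gz, "\0", $pos);
    if ($nul === false) {
        throw new UnexpectedValueException('unterminated FNAME');
    }
    return [$pos, $nul + 1];
}

function rebuildHeader(array $h, int $flg): string
{
    return pack('C4VC2', $h['id1'], $h['id2'], $h['cm'], $flg, $h['mtime'], $h['xfl'], $h['os']);
}

function gzipWithHiddenName(string $data, string $secret): string
{
    if (strpos($secret, "\0") !== false) {
        throw new InvalidArgumentException('FNAME is NUL-terminated, the message must not contain NUL');
    }
    $gz = gzencode($data, 9);                             // FLG = 0: no optional fields yet
    $h = gzHeader($gz);
    if ($h['flg'] & (GZ_FEXTRA | GZ_FNAME | GZ_FCOMMENT | GZ_FHCRC)) {
        throw new RuntimeException('unexpected optional fields in gzencode() output');
    }
    $header = rebuildHeader($h, $h['flg'] | GZ_FNAME);   // set flag
    return $header . $secret . "\0" . substr($gz, 10);
}

function hiddenName(string $gz): ?string
{
    $span = fnameSpan($gz, gzHeader($gz));
    return $span === null ? null : substr($gz, $span[0], $span[1] - $span[0] - 1);
}

// Defensive counterpart: drop FNAME. The member stays valid because FNAME is
// informational; FHCRC would need the header CRC16 recomputed, so it is rejected.
function stripName(string $gz): string
{
    $h = gzHeader($gz);
    if ($h['flg'] & GZ_FHCRC) {
        throw new RuntimeException('FHCRC set: header CRC would have to be recomputed');
    }
    $span = fnameSpan($gz, $h);
    if ($span === null) {
        return $gz;
    }
    $header = rebuildHeader($h, $h['flg'] & ~GZ_FNAME);  // unset flag
    return $header . substr($gz, 10, $span[0] - 10) . substr($gz, $span[1]);
}

$data  = str_repeat("2015-01-22 10:00:00 GET /index.php 200\n", 50);   // constructed payload
$stego = gzipWithHiddenName($data, 'meet at noon');
file_put_contents($path = sys_get_temp_dir() . '/stego.gz', $stego);

var_dump(hiddenName(file_get_contents($path)));   // the message, parsed out of the header
var_dump(gzdecode($stego) === $data);             // the archive still decompresses normally
var_dump(hiddenName(stripName($stego)));          // nothing left after sanitising
```

Because every gzip reader skips FNAME, the file keeps working everywhere; that is what makes the field a useful hiding place and, for a defender, a field worth comparing against the expected file name (or simply clearing, as stripName() does) at a trust boundary.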
• PHP extension to use the GD graphics library (libgd).
• It provides high-level functions to deal directly with pixels (they will be used to encode data), such as imagecolorat() and imagesetpixel().
GD extension
Source: http://libgd.bitbucket.org/

Demo #2.1: Embedding text data into images (+ steganalysis)
Code: raulfraile/steganography_talk, /demos/demo2/demo2_1

Demo #2.2: Embedding images into images (+ steganalysis)
Code: raulfraile/steganography_talk, /demos/demo2/demo2_2
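An added example for the LSB slide, the steganalysis slide and the GD functions above; it is written for this page and is not the talk's demo code. It embeds a message in the least significant bits of the R, G and B channels with imagecolorat() and imagesetpixel(), extracts it again, and computes the pairs-of-values chi-square statistic that LSB steganalysis relies on. It assumes PHP 7+ with the gd extension; the cover image is constructed here with a red channel that only uses even values, so the effect of embedding on the statistic is easy to see.

```php
<?php
// Added example (not the talk's demo code): LSB embedding and extraction with GD,
// plus the pairs-of-values chi-square statistic used in LSB steganalysis.
// Assumes PHP 7+ with the gd extension; the cover image is constructed below.

function channels(int $rgb): array
{
    return [($rgb >> 16) & 0xff, ($rgb >> 8) & 0xff, $rgb & 0xff];
}

// Hide $message in the LSBs of R, G and B, preceded by a 32-bit big-endian
// length so the extractor knows where the payload ends.
function lsbEmbed($img, string $message): void
{
    $w = imagesx($img);
    $h = imagesy($img);
    $payload = pack('N', strlen($message)) . $message;
    if (strlen($payload) * 8 > $w * $h * 3) {
        throw new LengthException('cover image too small for payload');
    }
    $bits = '';
    foreach (str_split($payload) as $byte) {
        $bits .= str_pad(decbin(ord($byte)), 8, '0', STR_PAD_LEFT);
    }
    $i = 0;
    $n = strlen($bits);
    for ($y = 0; $y < $h && $i < $n; $y++) {
        for ($x = 0; $x < $w && $i < $n; $x++) {
            $c = channels(imagecolorat($img, $x, $y));
            for ($k = 0; $k < 3 && $i < $n; $k++) {
                $c[$k] = ($c[$k] & ~1) | (int) $bits[$i++];   // clear the LSB, write the message bit
            }
            imagesetpixel($img, $x, $y, ($c[0] << 16) | ($c[1] << 8) | $c[2]);
        }
    }
}

function lsbExtract($img): string
{
    $w = imagesx($img);
    $h = imagesy($img);
    $bits = '';
    $len = null;
    for ($y = 0; $y < $h; $y++) {
        for ($x = 0; $x < $w; $x++) {
            $rgb = imagecolorat($img, $x, $y);
            $bits .= (($rgb >> 16) & 1) . (($rgb >> 8) & 1) . ($rgb & 1);
            if ($len === null && strlen($bits) >= 32) {
                $len = bindec(substr($bits, 0, 32));
                if (32 + 8 * $len > $w * $h * 3) {   // an image without a payload fails here
                    throw new UnexpectedValueException('length prefix exceeds capacity: no payload');
                }
            }
            if ($len !== null && strlen($bits) >= 32 + 8 * $len) {
                $out = '';
                for ($j = 0; $j < $len; $j++) {
                    $out .= chr(bindec(substr($bits, 32 + 8 * $j, 8)));
                }
                return $out;
            }
        }
    }
    throw new UnexpectedValueException('image ends before the payload does');
}

// Pairs-of-values test on one channel (red by default): LSB embedding pushes the
// histogram counts of 2k and 2k+1 toward each other, so the statistic drops.
function pairsChiSquare($img, int $shift = 16): float
{
    $hist = array_fill(0, 256, 0);
    for ($y = 0, $h = imagesy($img); $y < $h; $y++) {
        for ($x = 0, $w = imagesx($img); $x < $w; $x++) {
            $hist[(imagecolorat($img, $x, $y) >> $shift) & 0xff]++;
        }
    }
    $chi = 0.0;
    for ($k = 0; $k < 256; $k += 2) {
        $expected = ($hist[$k] + $hist[$k + 1]) / 2;
        if ($expected > 0) {
            $chi += ($hist[$k] - $expected) ** 2 / $expected;
        }
    }
    return $chi;
}

// Constructed cover: 64x64, red channel restricted to even values so the 2k/2k+1
// pairs are maximally unbalanced before embedding. Capacity: 64*64*3/8 = 1536 bytes.
$img = imagecreatetruecolor(64, 64);
mt_srand(1);
for ($y = 0; $y < 64; $y++) {
    for ($x = 0; $x < 64; $x++) {
        imagesetpixel($img, $x, $y, (2 * mt_rand(0, 127) << 16) | (mt_rand(0, 255) << 8) | mt_rand(0, 255));
    }
}
$before = pairsChiSquare($img);
lsbEmbed($img, str_repeat('attack at dawn. ', 80));       // 1280 bytes, most of the capacity
$after = pairsChiSquare($img);
printf("chi-square before: %.1f, after: %.1f\n", $before, $after);
var_dump(lsbExtract($img) === str_repeat('attack at dawn. ', 80));
```

Visually the two images are indistinguishable (each channel moves by at most one), which is exactly why steganalysis works on histograms rather than on pixels: the statistic is sensitive to the LSB plane being overwritten with message bits even when the eye is not.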
• A polyglot is a program written in a valid form of multiple programming languages.
• They are generally written in a combination of C (which allows redefinition of tokens with a preprocessor) and a scripting language.
Polyglot programs
polyglot.pl.php.py.rb.cpp
Polyglot programs

```
#/*<?php eval('echo "PHP Code\n";'); __halt_compiler();?> */
#include <stdio.h> /*
print ((("b" + "0" == 0) and eval('"Perl Code\n"')) or (0 and "Ruby Code\n" or "Python Code"));
__DATA__ = 1
"""""
__END__
=====
.
=====
*/
#ifdef __cplusplus
char msg[9] = {'C','+','+',' ','C','o','d','e', '\n'};
#else
char msg[7] = {'C',' ','C','o','d','e', '\n'};
#endif
int main() { int i; for(i = 0; i < sizeof msg; ++i) putchar(msg[i]); return 0;}
```

Source: https://gist.github.com/SaswatPadhi/2872457
Demo #3.1: Embedding PHP code using __halt_compiler()
Code: raulfraile/steganography_talk, /demos/demo3/demo3_1
__halt_compiler()
• Halts the execution of the compiler.
• The byte position of the data start is given by the __COMPILER_HALT_OFFSET__ constant.
• PHAR files make use of this function to separate the stub (loader functionality) and the rest of the file (manifest, files and signature).
__halt_compiler()
23 21 2f 75 73 72 2f 62 69 6e 2f 65 6e 76 20 70 |#!/usr/bin/env p|
68 70 0a 3c 3f 70 68 70 0a 0a 50 68 61 72 3a 3a |hp.<?php..Phar::|
6d 61 70 50 68 61 72 28 27 74 65 73 74 2e 70 68 |mapPhar('test.ph|
61 72 27 29 3b 0a 65 63 68 6f 20 27 68 65 6c 6c |ar');.echo 'hell|
6f 20 77 6f 72 6c 64 21 27 3b 0a 0a 5f 5f 48 41 |o world!';..__HA|
4c 54 5f 43 4f 4d 50 49 4c 45 52 28 29 3b 20 3f |LT_COMPILER(); ?|
3e 0d 0a 33 00 00 00 01 00 00 00 11 00 00 00 01 |>..3............|
00 00 00 00 00 00 00 00 00 05 00 00 00 31 2e 74 |.............1.t|
78 74 10 00 00 00 d2 1e 50 53 10 00 00 00 26 fb |xt......PS....&.|
a7 61 b6 01 00 00 00 00 00 00 53 6f 6d 65 20 72 |.a........Some r|
61 6e 64 6f 6d 20 74 65 78 74 23 b5 11 ce 2c 41 |andom text#...,A|
e0 d4 3a db 21 ee cc ec c2 8c f6 3f 93 e2 02 00 |..:.!......?....|
00 00 47 42 4d 42                               |..GBMB|
Source: http://www.slideshare.net/raulfraile/kernelinfect-creating-a-cryptovirus-for-symfony2-apps
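An added example of the mechanism behind Demo #3.1 (written for this page, not the talk's demo code): a carrier script keeps raw bytes after __halt_compiler() and hands them back through __COMPILER_HALT_OFFSET__ when included, and a scanner uses the tokenizer to list such trailers without executing the file. It assumes PHP 7+ with the tokenizer extension and writes the carrier to the system temp directory.

```php
<?php
// Added example (not the talk's demo): a carrier script that stores raw bytes
// after __halt_compiler(), read back through __COMPILER_HALT_OFFSET__, and a
// scanner that finds such trailers without running the file.
// Assumes PHP 7+ with the tokenizer extension; the carrier goes to the temp dir.

function writeCarrier(string $path, string $hidden): void
{
    // The data starts immediately after the ';' of __halt_compiler(); that is the
    // byte __COMPILER_HALT_OFFSET__ evaluates to inside this file.
    $stub = "<?php\n"
        . "// Looks like an ordinary script; the compiler never parses the trailer.\n"
        . "return file_get_contents(__FILE__, false, null, __COMPILER_HALT_OFFSET__);\n"
        . "__halt_compiler();";
    file_put_contents($path, $stub . $hidden);
}

// Running the carrier: include returns whatever the file's top-level return produced.
function readCarrier(string $path): string
{
    return (string) include $path;
}

// Defender side: the tokenizer hands back everything after __halt_compiler() as a
// single T_INLINE_HTML token, so the trailer can be inspected without execution.
function haltCompilerTrailer(string $source): ?string
{
    $halted = false;
    foreach (token_get_all($source) as $token) {
        if (!is_array($token)) {
            continue;
        }
        if ($token[0] === T_HALT_COMPILER) {
            $halted = true;
        } elseif ($halted && $token[0] === T_INLINE_HTML) {
            return $token[1];
        }
    }
    return $halted ? '' : null;   // null: the file has no __halt_compiler() at all
}

$path = sys_get_temp_dir() . '/carrier.php';
$hidden = "constructed trailer: \x00\xff\x10 binary bytes the parser never sees";   // constructed
writeCarrier($path, $hidden);

$viaOffset  = readCarrier($path);                             // executes the carrier
$viaScanner = haltCompilerTrailer(file_get_contents($path));  // static inspection only
var_dump($viaOffset === $hidden, $viaScanner === $hidden);
var_dump(haltCompilerTrailer("<?php echo 'no trailer';") === null);
```

Two caveats a scanner should keep in mind: the PHAR stub in the hexdump above puts `?>` and a line break after __halt_compiler(), and those bytes are part of the trailer from the tokenizer's point of view; and a legitimate PHAR carries a manifest there, so the presence of a trailer is a reason to look, not by itself a verdict.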
Demo #3.2: Hiding messages using whitespace characters
Code: raulfraile/steganography_talk, /demos/demo3/demo3_2

Demo #3.4: Embedding Whitespace code in empty lines of Docblocks
Code: raulfraile/steganography_talk, /demos/demo3/demo3_4
Whitespace
• Esoteric programming language with only three lexical tokens: Space (ASCII 32), Tab (ASCII 9) and Line Feed (ASCII 10).
• Stack based language with support for I/O, flow control and arithmetic operations.
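The language described above and the hiding place of Demo #3.4, as an added example written for this page (not the talk's demo code): a generator that turns a text into a Whitespace program printing it, an interpreter for the instructions that program uses (push number, output character, output number, end), and two helpers that hide the program in the blank lines of a docblock and pull it back out. It assumes PHP 7+ and nothing else; the docblock is constructed here.

```php
<?php
// Added example (not the talk's demo code): a Whitespace generator and a small
// interpreter, plus hiding the program in the blank " *" lines of a docblock.
// Only the four instructions the generator emits are implemented.

// Whitespace for "print $text": for each byte, push its value and output it as a char.
function wsProgramFor(string $text): string
{
    $prog = '';
    foreach (str_split($text) as $ch) {
        // [Space][Space] push, [Space] positive sign, binary digits (Space=0, Tab=1), [LF]
        $prog .= "  " . " " . strtr(decbin(ord($ch)), '01', " \t") . "\n";
        $prog .= "\t\n  ";            // [Tab][LF] I/O, [Space][Space] output char
    }
    return $prog . "\n\n\n";          // [LF][LF][LF] end program
}

function runWhitespace(string $prog): string
{
    $stack = [];
    $out = '';
    $i = 0;
    $n = strlen($prog);
    while ($i < $n) {
        if (substr($prog, $i, 2) === "  ") {                   // stack: push number
            $i += 2;
            $sign = $prog[$i++] === "\t" ? -1 : 1;
            $end = strpos($prog, "\n", $i);
            if ($end === false) {
                throw new RuntimeException('unterminated number');
            }
            $stack[] = $sign * bindec(strtr(substr($prog, $i, $end - $i), " \t", '01'));
            $i = $end + 1;
        } elseif (substr($prog, $i, 4) === "\t\n  ") {         // I/O: output char
            $out .= chr(popValue($stack));
            $i += 4;
        } elseif (substr($prog, $i, 4) === "\t\n \t") {        // I/O: output number
            $out .= popValue($stack);
            $i += 4;
        } elseif (substr($prog, $i, 3) === "\n\n\n") {         // flow: end program
            return $out;
        } else {
            throw new RuntimeException("unsupported instruction at byte $i");
        }
    }
    throw new RuntimeException('program ran off the end without [LF][LF][LF]');
}

function popValue(array &$stack): int
{
    if ($stack === []) {
        throw new RuntimeException('stack underflow');
    }
    return array_pop($stack);
}

// Each line of the program becomes the invisible tail of one " *" line; a real
// blank docblock line (" *") carries an empty piece, which is still a valid line.
function hideInDocblock(string $program): string
{
    $doc = "/**\n * Constructed helper with an innocent-looking docblock.\n";
    foreach (explode("\n", $program) as $piece) {
        $doc .= " *" . $piece . "\n";
    }
    return $doc . " */";
}

// Collect every " *" line whose remainder is only spaces and tabs, in order.
function extractFromDocblock(string $doc): string
{
    preg_match_all('/^ \*([ \t]*)$/m', $doc, $m);
    return implode("\n", $m[1]);
}

$program = wsProgramFor("hello, world\n");
$doc = hideInDocblock($program);
echo str_replace(["\t", " "], ['<T>', '<S>'], $doc), "\n";   // make the hidden bytes visible
echo runWhitespace(extractFromDocblock($doc));
```

The same property that makes the hiding place work makes it detectable: trailing spaces and tabs after the asterisk of a docblock line carry no documentation value, so a linter rule that flags them (or an editor that strips trailing whitespace on save) removes the channel.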
nikic/php-parser
• A PHP parser written in PHP.
• Useful for static code analysis, manipulation and generation.
• Converts PHP code into an AST (Abstract Syntax Tree).
• Uses a PHP 5.6 compliant grammar (backwards compatible with PHP 5.2+). Also emulates tokens from PHP versions other than the one running (for example, parsing 5.6 code on 5.3).
Source: https://github.com/nikic/PHP-Parser
nikic/php-parser

$test = 1; if (1 == $test) { echo 'ok'; }

AST of the code above:
  Assignment
    Variable (Name: test)
    Lnumber (Value: 1)
  If
    condition: Equal
      left: Lnumber (Value: 1)
      right: Variable (Name: test)
    Statements
      Echo
        String (Value: ok)

nikic/php-parser

```php
$code = <<<CODE
<?php
\$test = 1;
if (1 == \$test) {
    echo 'ok';
}
CODE;

$parser = new PhpParser\Parser(new PhpParser\Lexer\Emulative);
$ast = $parser->parse($code);
```
nikic/php-parser
• The parser provides two main components:
• NodeTraverser: For traversing and visiting the node tree.
• PrettyPrinter: To compile the AST back to PHP code.
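An added example of the two components, written for this page and not part of the talk or the PHP-Parser project: a NodeVisitor that runs in a NodeTraverser and flags docblocks containing lines made only of spaces and tabs (the hiding place of Demo #3.4), replaces them with clean comments, and a PrettyPrinter pass that compiles the cleaned AST back to PHP. It is written against the 1.x API shown on the slides and assumes nikic/php-parser is installed through Composer; the analysed source is constructed here.

```php
<?php
// Added example (not from the talk or the PHP-Parser project): an AST visitor that
// finds docblocks with whitespace-only lines, cleans them, and pretty-prints the
// result. Written against the PHP-Parser 1.x API used on the slides; assumes
// Composer autoloading.

require __DIR__ . '/vendor/autoload.php';

class SuspiciousDocblockVisitor extends PhpParser\NodeVisitorAbstract
{
    /** @var array line of the docblock => number of whitespace-only lines in it */
    public $findings = [];

    public function enterNode(PhpParser\Node $node)
    {
        $doc = $node->getDocComment();
        if ($doc === null) {
            return;
        }
        // A normal blank docblock line is " *"; spaces or tabs after the star carry
        // no documentation and are exactly where Whitespace code would be stored.
        $count = preg_match_all('/^[ \t]*\*[ \t]+$/m', $doc->getText());
        if ($count > 0) {
            $this->findings[$doc->getLine()] = $count;
            $clean = preg_replace('/^([ \t]*\*)[ \t]+$/m', '$1', $doc->getText());
            // Comments live in the node's 'comments' attribute; replace the doc comment.
            $node->setAttribute('comments', [new PhpParser\Comment\Doc($clean, $doc->getLine())]);
        }
    }
}

// Constructed input: one docblock with two padded "blank" lines.
$code = "<?php\n"
    . "/**\n * Adds two numbers.\n *\t \t\n *  \t\t\n */\n"
    . "function add(\$a, \$b) { return \$a + \$b; }\n";

$parser = new PhpParser\Parser(new PhpParser\Lexer\Emulative);
$ast = $parser->parse($code);

$visitor = new SuspiciousDocblockVisitor;
$traverser = new PhpParser\NodeTraverser;
$traverser->addVisitor($visitor);
$ast = $traverser->traverse($ast);

print_r($visitor->findings);                                   // docblock line => count
echo (new PhpParser\PrettyPrinter\Standard)->prettyPrint($ast);  // cleaned source, no padding left
```

Working on the AST rather than on raw text has one advantage for this check: the visitor sees only comments that the parser attached to a node, so it cannot be fooled by string literals or heredocs that merely look like docblocks.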
Questions?
raulfraile
Credits: https://www.flickr.com/photos/ignotus/16132533706
https://www.flickr.com/photos/sporkqueen/2525132547
https://www.flickr.com/photos/kjarrett/15428375607
https://www.iconfinder.com/iconsets/hawcons