Steganography: Hiding your secrets with PHP

Raúl Fraile#PHPDS15
Steganography
Hiding your secrets with PHP

E U Q W E X S A O S L Z U
L R T Z S R P V I Y E P N
H A F H G Z I P L M F I E
G U R I C E R T I F I E D
B L A A Q N T E T O R T T
E K I M A D H S G N O 💩 A
P O L Y G L O T A Y E S U
A J E W H I T E S P A C E
O B R F S A C I L I A P Y
S T E G A N O G R A P H Y
R A M C Y T I R W C P P A
About me

https://leanpub.com/symfony-selfstudy

Steganography is the science of
concealing a hidden message in plain
sight in order to avoid detection.
Introduction

Introduction
steganos
graphein
στựữửνός
ữράφựư̆ν
covered, concealed, protected writing

Terminology
Embedding (E)
Extracting (D)
Cover (C) Message (M)
Stego-Object (S)
Key (K)

• Steganography: Hide the data from a
third party. 
• Cryptography: Make data unreadable
by a third party.
Steganography / Cryptography

• Esoteric programming language with
only three lexical tokens: Space (ASCII
32), Tab (ASCII 9) and Line Feed (ASCII
10).
• Stack based language with support for
I/O, ﬂow control and arithmetic
operations.
Motivation
Source: http://youtu.be/u_kqM0gn63M

Motivation
Source: http://uk.businessinsider.com/david-cameron-encryption-apple-pgp-2015-1?r=US

• Protection of data alteration (digital
watermarking).
• Secretly communicate information.
• Anti-forensics mechanism.
Applications

Bacon’s Bilateral Cipher
A AAAAA
B AAAAB
C AAABA
D AAABB
E AABAA
F AABAB
G AABBA
H AABBB
I/J ABAAA
K ABAAB
L ABABA
M ABABB
N ABBAA
O ABBAB
P ABBBA
Q ABBBB
R BAAAA
S BAAAB
T BAABA
U/V BAABB
W BABAA
X BABAB
Y BABBA
Z BABBB
Take the red pill
BAABA AAAAA ABAAB AABAA BAABA
AABBB AABAA BAAAA AABAA AAABB
ABBBA ABAAA ABABA ABABA
Steganography is the art or practice of
concealing messages within other messages
S t e g a n o g r a p h y i s t h e a r t
o r p r a c t i c e o f c o n c e a l i n g
m e s s a g e s w i t h i n o t h e r
m e s s a g e s
70

• Backmasking is a technique in which a
sound or message is recorded backward
onto a track that is meant to be played
forward.
• It is a deliberate process, whereas a
message found through phonetic
reversal may be unintentional.
Backmasking

Backmasking
If there's a bustle in your hedgerow,
don't be alarmed now, it's just a spring
clean for the May queen. Yes there are
two paths you can go by, but in the long
run there's still time to change the road
you're on.
Oh here's to my sweet Satan. The one
whose little path would make me sad,
whose power is satan. He'll give those
with him 666, there was a little
toolshed where he made us suffer, sad
Satan.

• Some brand color laser printers add tiny
yellow dots to each page, that contain
encoded printer serial numbers and
timestamps.
• Monochrome printers and copiers from
major manufacturers also include the
markings.
• Most printers' codes have not been
decoded.
Printer steganography

Printer steganography
Source: https://w2.eff.org/Privacy/printers/docucolor/

Morse code
T O R T U R E
Source: http://youtu.be/BgelmcOdS38

Digital Steganography
LSB IN IMAGES
144 141 81
10010000 10001101 01010001
Hidden message: 101001…
145 140 81
10010001 10001100 01010001
146 142 81
10010010 10001110 01010001

Piet is a programming language in which
programs look like abstract paintings.
Piet
Composition with Red, Yellow and Blue. 1921, Piet Mondrian
Source: http://www.dangermouse.net/esoteric/piet.html

525
Piet
Darkness change
Hue change None 1 2
None push pop
1 step add substract multiply
2 steps divide mod not
3 steps greater pointer switch
4 steps duplicate roll in(number)
5 steps in(char) out(number) out(char)
DP right CC left
$ npiet example1.png
? 5
25
5

• We already have filesystems with support
for encryption, so they only can be read
with the password. But… the attacker
may obtain it illegally or torture the user
to give it up.
• The steganographic filesystem goes one
step further: it does not even show the
existence of sensitive information (even
when raw sectors of the hard disc are
accessed).
Steganographic filesystem

Steganographic ﬁlesystem
0 1 2 3 4 5 6 7 8
1.txt 2
2.txt 5
3.txt 7
3 4 EOF EOF EOF6 8
Boot FATFilesystem
Boot FATFilesystem-level encryption
PartitionSteganographic ﬁlesystem

• Network steganography uses communication
protocols and are harder to detect.
• Techniques:
• Steganophony: Delayed or corrupted
packets that would normally be ignored by
the receiver.
• WLAN Steganography: Transmission of
steganograms in Wireless Local Area
Networks
Network Steganography

• Custom HTTP headers to include geeky
messages or as a recruiting tool.
• For example, booking.com:
• X-Recruiting: Like HTTP headers?
C o m e w r i t e o u r s : h t t p s : / /
workingatbooking.com
HTTP headers

SkyDe (Skype Hide)
Source: http://arxiv.org/pdf/1301.3632.pdf

• St e ga n o g r a p h i c m e t h o d fo r t h e
BitTorrent P2P ﬁle transfer service.
• It is based on modifying the order of
data packets in the peer-peer data
exchange protocol.
• Steganographic bandwidth of up to 270
b/s while introducing little transmission
distortion and providing difﬁcult
detectability.
StegTorrent

StegTorrent
Source: http://www.computer.org/csdl/proceedings/spw/2013/5017/00/5017a151-abs.html
0 1 …
4 5
2
6
3
7
1100 10

• Spammimic embeds a message into
spam.
• There is tons of spam. Also, real spam is
usually dumb, so it's sometimes hard to
tell if it was written by a human or a
machine.
Spammimic

Spammimic
Dear Professional , Your email address has been submitted
to us indicating your interest in our newsletter !
This is a one time mailing there is no need to request
removal if you won't want any more ! This mail is being
sent in compliance with Senate bill 2516 , Title 9
, Section 303 . Do NOT confuse us with Internet scam
artists . Why work for somebody else when you can become
rich in 16 days . Have you ever noticed most everyone
has a cellphone and nearly every commercial on television
has a .com on in it ! Well, now is your chance to capitalize
on this ! We will help you decrease perceived waiting
time by 190% and deliver goods right to the customer's
doorstep ! The best thing about our system is that
it is absolutely risk free for you ! But don't believe
us . Mrs Simpson of Maryland tried us and says "I was
skeptical but it worked for me" . We assure you that
we operate within all applicable laws ! We implore
you - act now ! Sign up a friend and you get half off
. Thanks .
Message: attack
Source: http://www.spammimic.com
Disappearing Cryptography.
Information Hiding: Steganography & Watermarking

• Steganalysis is the study of detecting
messages hidden using steganography.
• The goal of steganalysis is to identify
suspected packages, determine whether
or not they have a payload encoded into
them, and, if possible, recover that
payload.
• The problem is generally handled with
statistical analysis.
Steganalysis

Steganalysis
144 141 81
10010000 10001101 01010001
Random
0
0,2
0,4
0,6
0,8
0 1

Binary strings
• In PHP, strings are just a sequence of
bytes (C char type).
• PHP stores the length of strings
explicitly. Unlike C it does not need a
zero termination to ﬁnd the end of a
string.

5
l l oh e*val
len
Binary strings
typedef union _zvalue_value {
long lval;
double dval;
struct {
char *val;
int len;
} str;
HashTable *ht;
zend_object_value obj;
} zvalue_value;
6
091 21314 0123 88
$str[5]
Big endian: 14 - 0
Little endian: 0 - 14
strlen()

pack()/unpack()
• pack() packs data into a binary string
according to a given format.
• unpack() unpacks from a binary string
into an array according to a given
format.

pack()/unpack()
$now = new DateTime();
$id1 = 0x1f;
$id2 = 0x8b;
$cm = 0x08;
$flags = 0x00;
$mtime = $now->getTimestamp(); //0x54c13374
/*
* Format:
* - C4: 4 bytes.
* - V: Unsigned long, 32 bit, little endian byte order
*/
$binStr = pack('C4V', $id1, $id2, $cm, $flags, $mtime);
file_put_contents(__DIR__ . '/test.gz', $binStr);
74 3308 001f 8b c1 54

pack()/unpack()
$gzip = file_get_contents(__DIR__ . '/test.gz');
/*
* Format:
* - C2: 2 bytes (id1, id2).
* - C1: 1 byte (cm), 1 byte (flags).
* - V: Unsigned long, 32 bit, little endian byte order
*/
list($id1, $id2, $cm, $flags, $mtime) = array_values(
unpack('C2id/C1cm/C1flags/Vmtime', $gzip)
);
var_dump(
dechex($id1), // 1f
dechex($id2), // 8b
dechex($cm), // 8
dechex($flags), // 0
dechex($mtime) // 54c13374
);

Bitwise operators
• Bitwise operators allow evaluation and
manipulation of speciﬁc bits within an
integer.
• PHP provides 6 bitwise operators: &, |, ^,
~, << and >>.

Bitwise operators
1 0 11 0 00 1
0 0 00 0 11 1
&
0 0 00 0 00 1
101
0x65
0145
0b01100101
200
0xc8
0310
0b11001000
64
0x40
0100
0b01000000

Bitwise operators
1 0 11 0 00 1
0 0 00 0 11 1
|
1 0 11 0 11 1
101
0x65
0145
0b01100101
200
0xc8
0310
0b11001000
237
0xed
0355
0b11101101

Bitwise operators
1 0 11 0 00 1
0 0 00 0 11 1
^
1 0 11 0 11 0
101
0x65
0145
0b01100101
200
0xc8
0310
0b11001000
173
0xad
0255
0b10101101

Bitwise operators
1 0 11 0 00 1 2<<
101
0x65
0145
0b01100101
404
0x194
0624
0b1010110100
1 0 11 0 11 0 0 0
x << y == x * pow(2, y)

Bitwise operators
1 0 11 0 00 1 2>>
101
0x65
0145
0b01100101
25
0x19
031
0b00011001
1 1 00 0 0 0 1
x << y == x / pow(2, y)

Bitwise operators
1 0 11 0 00 1
~
101
0x65
0145
0b01100101
154
0x9a
0232
0b10011010
1 1 01 0 0 1 0

Bitwise operators
0X14
$flag & 0x04Read flag
Set flag
Unset flag
$flag | 0x04
$flag & ~0x04
0 0 0 1 0 1 0 0
0 0 0 0 0 1 0 0
&
0 0 0 0 0 1 0 0
0 0 0 1 0 1 0 0
0 0 0 0 0 1 0 0
|
0 0 0 1 0 1 0 0
0 0 0 1 0 1 0 0
1 1 1 1 1 0 1 1
&
0 0 0 1 0 0 0 0
0 0 0 1 0 1 0 0

Demo #1: Hiding messages in
GZIP ﬁle headers

GZIP ﬁle format
CM FLGID1 ID2 MTIME XFL OS
CRC32 ISIZE
COMPRESSED STREAM
FTEXT FHCRC FEXTRA FNAME FCOMMENT
0FILE NAME
Source: https://tools.ietf.org/html/rfc1952

Demo #1.1
Embedding messages into
GZIP FNAME header
/demos/demo1/demo1_1
raulfraile/steganography_talk

Demo #2: Hiding data
into images

• PHP extension to use the
• It provides high level function to deal
directly with pixels (they will be used to
encode data), such as imagecolorat()
and imagesetpixel().
GD extension
Source: http://libgd.bitbucket.org/

Demo #2.1
Embedding text data into
images (+ steganalysis)

Demo #2.2
Embedding images into
images (+ steganalysis)

• A polyglot is a program written in a valid
form of multiple programming
languages.
• Generally are written in a combination of
C (which allows redeﬁnition of tokens
with a preprocessor) and a scripting
language.
Polyglot programs

polyglot.pl.php.py.rb.cpp
Polyglot programs
#/*<?php eval('echo "PHP Coden";'); __halt_compiler();?> */
#include <stdio.h> /*
print ((("b" + "0" == 0) and eval('"Perl Coden"')) or (0 and "Ruby
Coden" or "Python Code"));
__DATA__ = 1
"""""
__END__
===== . ===== */
#ifdef __cplusplus
char msg[9] = {'C','+','+',' ','C','o','d','e', 'n'};
#else
char msg[7] = {'C',' ','C','o','d','e', 'n'};
#endif
int main() { int i; for(i = 0; i < 9; ++i) putchar(msg[i]); return 0;}
Source: https://gist.github.com/SaswatPadhi/2872457

Demo #3.1
Embedding PHP code using
__halt_compiler()

__halt_compiler()
• Halts the execution of the compiler.
• The byte position of the data start is
given by the __COMPILER_HALT_OFFSET__
constant.
• PHAR files make use of this function to
separate the stub (loader functionality)
and the rest of the file (manifest, files
and signature).

Demo #3.2
Hiding messages using
whitespace characters

Demo #3.3
Hiding code using
whitespace characters

Demo #3.4
Embedding Whitespace code in
empty lines of Docblocks

Whitespace
• Esoteric programming language with
only three lexical tokens: Space (ASCII
32), Tab (ASCII 9) and Line Feed (ASCII
10).
• Stack based language with support for
I/O, ﬂow control and arithmetic
operations.

hello_world.ws
Whitespace
Source: http://compsoc.dur.ac.uk/whitespace/

nikic/php-parser
• A PHP parser written in PHP.
• Useful for static code analysis, manipulation
and generation.
• Converts PHP code into an AST (Abstract
Syntax Tree).
• Uses a PHP 5.6 compliant grammar (backwards
compatible with PHP 5.2+). Also, emulates
tokens from different versions of the one
running (for example, parse 5.6 code from 5.3).
Source: https://github.com/nikic/PHP-Parser

nikic/php-parser
Assignment
Variable Lnumber
If
Equal Statements
Echo
condition
Name: test Value: 1
Lnumber
Value: 1
Variable
Name: test
left right
String
Value: ok
$test = 1;
if (1 == $test) {
echo 'ok';
}

hello_world.ws
nikic/php-parser
$code = <<<CODE
<?php
$test = 1;
if (1 == $test) {
echo 'ok';
}
CODE;
$parser = new PhpParserParser(
new PhpParserLexerEmulative
);
$ast = $parser->parse($code);

nikic/php-parser
• The parser provides two main
components:
• NodeTraverser: For traversing and
visiting the node tree.
• PrettyPrinter: To compile the AST
back to PHP code.

Questions?
raulfraile
raulfraile@gmail.com
Credits:
https://www.flickr.com/photos/ignotus/16132533706
https://www.flickr.com/photos/sporkqueen/2525132547 
https://www.flickr.com/photos/kjarrett/15428375607
https://www.iconfinder.com/iconsets/hawcons

Steganography: Hiding your secrets with PHP

Steganography: Hiding your secrets with PHP

Recommended

More Related Content

What's hot

What's hot(20)

Similar to Steganography: Hiding your secrets with PHP

Similar to Steganography: Hiding your secrets with PHP(20)

More from Raul Fraile

More from Raul Fraile(17)

Recently uploaded

Recently uploaded(20)

Steganography: Hiding your secrets with PHP