HITB2018AMS — Steganography Ante Portas
By Steffen Wendzel, Professor of Information Security, Worms University of Applied Sciences
Watermarks are an example of hidden information. But just about any form of information can be hidden in any other type of information.
The basic objective of steganography is to hide one object in such a way that it looks like another object. This is called mimicry. It is a well-known phenomenon in nature, where prey animals try to confuse predators by looking like non-prey animals.
During the 80’s mimicry became digital. Traditionally covert objects had to be physically moved from sender to recipient, which is costly. Today a lot of objects move from sender to recipient digitally, which is not that costly. This is called a covert channel.
Anybody attacking a covert channel can do so passively, by detecting that a covert message is there; actively, by changing the covert message; or maliciously, by injecting their own covert message into the channel.
Covert channels are used in the wild, e.g. to hide C&C servers or to exfiltrate data. They are used in APTs, by criminals to exchange information, by military and secret services, and by journalists and citizens to avoid censorship.
Network steganography tries either to hide the communication altogether or to hide the recipient or sender of the communication. There are hundreds of techniques that do this. Professor Wendzel analysed a lot of them and discovered a number of basic patterns used by these techniques.
There are two main categories: changing either the timing of the communication or the storage of the message.
Wendzel first focussed on techniques that modify non-payload data to hide a message.
- The Size Modulation pattern uses e.g. large packets for 1’s and small packets for 0’s.
- The Sequence pattern modifies the order of metadata (e.g. headers) to signal different meanings to the recipients.
- The Add Redundancy pattern adds data that is not strictly needed in order to carry a hidden message.
- The PDU Corruption pattern uses intentionally corrupted packets to transfer data.
- The Random Value pattern takes the pseudo-random values used in certain protocols and replaces them with a different value.
- The Value Modulation pattern uses allowed variations in the composition of metadata to signal a message, e.g. User-Agent may also be written as uSER-aGENT.
- The Reserved/Unused pattern uses reserved/unused fields in protocols to transmit information. This is a well-known and often detected pattern.
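A defender can look for the Value Modulation example above (User-Agent versus uSER-aGENT) by recording how each source spells its HTTP header names and flagging sources whose spelling varies or is unconventional. The following Python code is an added example, not taken from the talk or the paper; the sample requests, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample traffic: (source address, raw HTTP/1.1 request head).
SAMPLE = [
    ("10.0.0.5", "GET /a HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/8.0\r\n\r\n"),
    ("10.0.0.5", "GET /b HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/8.0\r\n\r\n"),
    ("10.0.0.9", "GET /a HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/8.0\r\n\r\n"),
    ("10.0.0.9", "GET /b HTTP/1.1\r\nHost: example.test\r\nuSER-aGENT: curl/8.0\r\n\r\n"),
    ("10.0.0.9", "GET /c HTTP/1.1\r\nhOST: example.test\r\nUser-Agent: curl/8.0\r\n\r\n"),
    ("10.0.0.7", "GET /a HTTP/1.1\r\nhost: example.test\r\nuser-agent: x/1\r\n\r\n"),
]

def header_names(raw_head):
    """Return the header field names exactly as spelled in a raw request head."""
    lines = raw_head.split("\r\n\r\n", 1)[0].split("\r\n")[1:]  # drop request line
    names = []
    for line in lines:
        name, sep, _ = line.partition(":")
        if sep and name.strip():
            names.append(name.strip())
    return names

def is_conventional(name):
    """True for all-lowercase or Capitalised-Words spellings (e.g. User-Agent)."""
    canonical = "-".join(part.capitalize() for part in name.split("-"))
    return name in (name.lower(), canonical)

def case_findings(traffic):
    """Map source -> {header: sorted spellings} for headers whose case varies
    across that source's requests or is spelled unconventionally."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, raw_head in traffic:
        for name in header_names(raw_head):
            seen[src][name.lower()].add(name)  # group spellings case-insensitively
    findings = {}
    for src, headers in seen.items():
        odd = {h: sorted(s) for h, s in headers.items()
               if len(s) > 1 or not all(is_conventional(n) for n in s)}
        if odd:
            findings[src] = odd
    return findings

if __name__ == "__main__":
    for src, odd in case_findings(SAMPLE).items():
        print(src, odd)
```

Header names with an established mixed-case spelling, such as ETag, would need an allowlist before running this over real traffic.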
Timing patterns are:
- The Inter-arrival Time pattern uses the time between packets to signal a message.
- The Rate pattern uses the rate of packets to signal the message.
- The PDU Order pattern uses packets that arrive out of order to signal a message.
- The Re-transmission pattern uses a forced re-transmission to hide data.
Wendzel also analysed the frequency of occurrence of these patterns.
He challenges the hackers in the room to come up with a new pattern for information hiding.
On top of covert channels there are micro protocols that provide additional functionality like error correction.
Multiple patterns can be combined to increase the bandwidth and pattern hopping can be used to work around blocking or attacking techniques.
The next challenge for the room is to find new countermeasures against network steganography.
Steganography has been observed in the IoT field. Why? To work around the limitations that IoT devices have and to avoid detection of the network traffic.
Last challenge to the audience: how can we store more data in fewer registers in IoT devices?
Paper: https://dl.acm.org/citation.cfm?id=3158416
About the speaker
Steffen is a professor for information security at the University of Applied Sciences in Worms, Germany, and author of several books on Linux, network security, and steganography-related topics. He spoke at HITB-AMS’14, TROOPERS, SANS European ICS Security Summit and other conferences around the world. Most of his 100+ publications are available on his website http://www.wendzel.de.
This article is part of my coverage of the Hack in the Box security conference 2018 Amsterdam. This article is my recording of the talk as it was given at the conference. Therefore any opinions expressed are not mine, but those of the speaker.