Hydan: Hiding Information in Program Binaries

  • Rakan El-Khalil
  • Angelos D. Keromytis
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3269)


We present a scheme to steganographically embed information in x86 program binaries. We define sets of functionally-equivalent instructions, and use a key-derived selection process to encode information in machine code by using the appropriate instructions from each set. Such a scheme can be used to watermark (or fingerprint) code, sign executables, or simply create a covert communication channel. We experimentally measure the capacity of the covert channel by determining the distribution of equivalent instructions in several popular operating system distributions. Our analysis shows that we can embed only a limited amount of information in each executable (approximately \(\frac{1}{110}\) bit encoding rate), although this amount is sufficient for some of the potential applications mentioned. We conclude by discussing potential improvements to the capacity of the channel and other future work.


Keywords: Hiding Information; Negative Form; Covert Channel; Machine Code; Executable Code
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Rakan El-Khalil (1)
  • Angelos D. Keromytis (1)
  1. Department of Computer Science, Columbia University in the City of New York
