What Time Is It? Steganography in File System Metadata (Sebastian Neuner) - PowerPoint PPT Presentation



  1. What Time Is It? Steganography in File System Metadata
     Sebastian Neuner, SBA Research

  2. whoami
     • Security Researcher at SBA Research
     • Bug Hunter / Pentester
     • CTFs!!11elf

  3. What to Expect Today
     • What is steganography
     • Examples
     • File system metadata steganography
     • Special case: Timestamps
     • Demo

  4. What Is Steganography?
     • Conceal data in data
     • Steganos (στεγανός) and graphein (γράφειν) → "air-tight writing" (well... almost ^^)
     The important thing: hide data in data, so no-one knows that it is hidden

  5. Stego Examples

  6. Historical Stego
     • Transfer hidden messages to your allies through enemy territory
     • Ancient Greece: tattoo the shaved head of a slave [1] → hair needs to regrow (takes time)
     • Having slaves with "encoded" heads for a lot of possible use-cases???
     [1] Slave of Histiaeus

  7. Historical Stego
     And take care of spelling errors :D

  8. Historical Stego
     • The French Resistance sent couriers with invisible ink on their backs
     • When: World War II

  9. (Semi-) Historical Stego
     One more example...
     • Knitted Morse code
     • In carpets and tapestries

  10. Modern Stego
     A lot of stuff based on historical stego...
     • Morse code while blinking eyes (American POW, 1966)
     • Historical tattoos → modern UV pens (would also work on skin...)

  11. Digital Stego

  12. Digital Stego
     ISIS / Al-Qaeda use steganography over various channels... [2]
     • Discovered by Mossad
     • Messages encoded into eBay offers, Reddit messages and "X-rated pics" (hard work, guys :D)
     [2] http://nypost.com/2015/03/01/terrorists-using-ebay-and-reddit-to-send-coded-messages-mossad/ ,
         http://www.independent.co.uk/news/world/middle-east/isis-and-al-qaeda-sending-coded-messages-through-ebay-pornography-and-reddit-10081123.html

  13. Digital Stego
     Hide data in YouTube videos [3]
     • Not really stego
     • "For backup reasons"
     • Discrete Cosine Transform
     • Parameters for encoding have to be known (and maybe it's encrypted?)
     [3] https://hackaday.com/2015/08/23/transfer-data-via-youtube/

  14. Digital Stego
     Transmit information in the trilling of a referee's whistle [4]
     • I will stop after this example → I am going too far now :D
     • Frequency shift key modulation (FSK)
     • Perl script for encoding: 100 baud FSK
     [4] http://www.windytan.com/2015/10/pea-whistle-steganography.html

  15. Steganography in File System Metadata

  16. Why Stego?
     • As you have seen: stego is almost everywhere (can be applied / injected almost everywhere)
     • Advantage for the good guys (Snowden?)
     • Another layer of abstraction to the bad guys (agencies?)

  17. Why FS Metadata Stego?
     Because file systems are everywhere. And every file system needs metadata (in some form)

  18. FS Metadata Stego
     Requirements:
     • Do not corrupt the FS on modification
     • Do not make files unreadable
     • Be stealthy
     • Be robust
     • Rely on Kerckhoffs' law

  19. FS Metadata Stego
     Table: Suitability of file system metadata

     Feature                  Resolution        Suitable
     File name                free text         �
     File created             1s-1ns            ∼
     File modified            1s-1ns            ∼ / �
     File access              1s-1ns            ∼ / �
     File metadata modified   1s-1ns            ∼
     File size                any size          ∼
     Fragmentation            arbitrary         ✪
     Permissions              r/w/x             ✪
     Owner, Group             user/group ID     ✪
     File type                soft-/hard link   ∼
     Data location            best fit

  20. FS Metadata Stego
     • Permission, type and ownership modification would very likely make the file unreadable
     • Data fragmentation, location of the file and file name are detectable
       → In case of fragmentation: statistical outlier detection of file fragmentation
     • Creation and access timestamps are suitable → more later...

  21. Examples

  22. ACL Stego
     Presented at BlackHat 2013 by Michael Perklin [5]
     • Cool idea including a PoC
     • Shown on Windows FSs
     • Not totally stealthy...
     [5] https://www.youtube.com/watch?v=J4x8Hz6_hq0

  23. Fragmentation Steganography
     Fragmentation patterns in the cluster distribution of an existing file [6]
     • Up to 24 bits per cluster (2KB cluster size) on a half-empty disk
     • Encrypted data embedding
     • Stated as "statistically undetectable"
     • Shown on Windows' FAT FS
     • Defragmentation will (most likely) kill all the information
     [6] http://www.sciencedirect.com/science/article/pii/S016740481000088X

  24. Permutation Steganography
     Permutation of file ordering in FAT [7]
     • Based on: files are ordered differently by FAT and as displayed by a GUI
     • 15 bytes to embed require 33 files
     • On file deletion, the embedded data is killed (or relying on FAT's undeletion)
     • On file insertion, the order could be disrupted
     [7] http://link.springer.com/chapter/10.1007/978-3-662-46739-8_6

  25. Timestamp Steganography

  26. Timestamp–Basics NTFS
     (Our PoCs target NTFS from Windows Vista on → later...)
     • MACE (Modified, Access, Creation, Modified MFT entry)
     • Each 64 bits → 24 bits of that describe the nanoseconds (sub-second part)
     • Number of 100-nanosecond intervals since 1.1.1601

  27. Timestamp–Basics NTFS
     Before Vista (XP...):

  28. Timestamp–Basics NTFS
     Vista++
     • By default: NtfsDisableLastAccessUpdate set to 1 → immutable access time
     • (ext4 mount option "noatime")

  29. Timestamp Stego–Idea
     Take the nanosecond part of timestamps
     • Normally not presented to the user
     • Suitable FSs: NTFS, ext4, btrfs, ZFS, XFS, and JFS
     • Non-suitable FSs: FAT32, HFS+, ext3, ext2 and ReiserFS

  30. Timestamp Stego–PoC
     Embed information in the creation (C) and access (A) nano-timestamp parts of files' metadata
     • Python
     • NTFS
     • Error correction and encryption
     • Kerckhoffs' principle!

  31. Timestamp Stego–PoC 1
     Save a metadata file
     • Produce a metadata file containing the location of all modified files
     • The error-corrected payload is encrypted
     • The metadata file is encrypted as well (different algorithm)
     • Drawback: obviously a file with random data is lying around

  32. Timestamp Stego–PoC 2
     Oblivious Replacement
     • Take the data
     • Produce error-correcting codes
     • Hide a canary byte in the creation timestamp
     • Hide the length indicators
     • Encrypt the stuff
     • Embed it

  33. Timestamp Stego–Thoughts
     • The canary is needed to recover the correct order of the files
     • The amount of error correction is variable but influences the possible capacity
     • Speaking of capacity:
       → PoC 1 is able to use 48 bits payload, where PoC 2 uses just 40 bits (canary byte)
       → The more error correction, the more capacity is needed (the more errors are recoverable)


  35. Timestamp Stego–Capacity
     Example for PoC 2 (oblivious replacement)
     • Creation: 3 bytes / Access: 3 bytes
       ◦ Minus: 1 byte per file (canary)
       ◦ Minus: every 255th file contains the length of the whole data
       ◦ Minus: error correction

  36. Timestamp Stego–Capacity Win8
     Freshly installed Win8 → roughly 160k files
     • Theoretical payload: 48 bits * 160k: 960KB
     • Real payload: (40 bits * 160k) - (160k / 255 * 5) - (15% error correction) → ∼680KB hard payload

  37. Impressive? 32/40

  38. Impressive? BUT...
     ...we have encryption
     ...we have error correction
     ...we can recover order
     ...we are stealthy

  39. Stealth?
     By relying on the requirement that encrypted data looks like random data, our embedded data looks like random data.
     Stealth → statistically undetectable

  40. Undetectable?
     Measured with Kullback–Leibler divergence ("measure of the difference between two probability distributions" [8])
     [8] https://en.wikipedia.org/wiki/Kullback%E2%80%93Leibler_divergence
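A worked example, added here and not part of the talk or its PoC code, covering the FILETIME layout from slide 26, the capacity arithmetic from slide 36 and the Kullback–Leibler check from slide 40 applied to the sub-second part of timestamps. The sample FILETIME values and the date 2015-10-10 are constructed; the 15% error-correction share and the 40-bit length field in every 255th file follow the slides.

```python
# Added example (not the talk's PoC): split NTFS FILETIME values, redo the
# slide-36 capacity arithmetic for PoC 2, and run the Kullback-Leibler check
# from slide 40 over the sub-second part of a set of timestamps.
from datetime import datetime, timedelta, timezone
from math import log2

TICKS_PER_SECOND = 10_000_000           # FILETIME counts 100 ns intervals
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def split_filetime(ft):
    """Return (whole-second instant the user sees, 100 ns remainder).
    The remainder is < 10^7 and so fits the 24 bits the talk works with."""
    seconds, ticks = divmod(ft, TICKS_PER_SECOND)
    return EPOCH_1601 + timedelta(seconds=seconds), ticks

def capacity_bytes(files, ecc_percent=15):
    """Slide 36 for PoC 2: 24 bits in C plus 24 in A per file in theory; in
    practice one canary byte per file, the whole 40-bit payload of every
    255th file spent on the length field, then the error-correction share.
    Returns (theoretical, real) payload in bytes."""
    theoretical = files * 48 // 8
    real_bits = files * 40 - (files // 255) * 40
    real_bits = real_bits * (100 - ecc_percent) // 100
    return theoretical, real_bits // 8

def tick_histogram(filetimes, bins=8):
    """Share of timestamps whose sub-second remainder lands in each of
    `bins` equal-width slices of one second."""
    counts = [0] * bins
    for ft in filetimes:
        counts[(ft % TICKS_PER_SECOND) * bins // TICKS_PER_SECOND] += 1
    return [c / len(filetimes) for c in counts]

def kl_divergence(p, q):
    """D_KL(P || Q) in bits between two histograms of equal length."""
    return sum(pi * log2(pi / qi) for pi, qi in zip(p, q) if pi > 0)

# Constructed sample, not data from any real volume: eight files written in
# one burst (remainders all within the first 1/8 s) versus eight whose
# remainders are spread evenly, as an encrypted stego payload would be.
BASE = (datetime(2015, 10, 10, tzinfo=timezone.utc) - EPOCH_1601).days * 86400 * TICKS_PER_SECOND
BURST = [BASE + i * TICKS_PER_SECOND + i * 1000 for i in range(8)]
SPREAD = [BASE + i * TICKS_PER_SECOND + i * (TICKS_PER_SECOND // 8) for i in range(8)]
UNIFORM = [1 / 8] * 8

if __name__ == "__main__":
    print(split_filetime(BURST[3]))                        # 2015-10-10 00:00:03 UTC, 3000
    print(capacity_bytes(160_000))                         # (960000, 677335)
    print(kl_divergence(tick_histogram(BURST), UNIFORM))   # 3.0 bits: everything in one bin
    print(kl_divergence(tick_histogram(SPREAD), UNIFORM))  # 0.0 bits: looks uniform
```

A divergence near zero against the uniform reference is exactly what the slides mean by "statistically undetectable"; the burst sample shows the kind of natural clustering that an embedded payload would erase.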

  41. DEMO

  42. Concluding
     → Publish paper in 2016
     → On date of publication: source code on GitHub (Twitter)

  43. Thank you for your attention...
     Sebastian Neuner
     sebastian.neuner@gmail.com  PGP: 0x7864146D
     sneuner@sba-research.org  PGP: 0x5E82F701
     @sebastian9er


