Hydan: Hiding Information in Program Binaries

We present a scheme to steganographically embed information in x86 program binaries. We define sets of functionally-equivalent instructions, and use a key-derived selection process to encode information in machine code by using the appropriate instructions from each set. Such a scheme can be used to watermark (or fingerprint) code, sign executables, or simply create a covert communication channel. We experimentally measure the capacity of the covert channel by determining the distribution of equivalent instructions in several popular operating system distributions. Our analysis shows that we can embed only a limited amount of information in each executable (approximately $\frac{1}{110}$ bit encoding rate), although this amount is sufficient for some of the potential applications mentioned. We conclude by discussing potential improvements to the capacity of the channel and other future work.