
PNG and Hidden Pixels - pimterry
https://www.hackerfactor.com/blog/index.php?/archives/894-PNG-and-Hidden-Pixels.html
======
jorangreef
I wrote something similar but for the ZIP format, called Pure, to detect
hidden buffer bleeds outside and between and within structures, amongst other
anomalies. It's also amazing what you can do with a ZIP file.

Pure: [https://github.com/ronomon/pure](https://github.com/ronomon/pure)

The goal of Pure is to reduce the attack surface available for zero-days by
doing the simple yet critical buffer bounds checks that most end-user
application software will not, and to do this for more and more popular file
formats.

The vision is that one day you can deploy Pure at your email server and get
much stronger guarantees on the safety of email attachments that you open...
as well as on the attachments you send out... for example that your billing
software is not leaking the contents of sensitive server memory into XLSX
reports that you are mass mailing to clients (Pure actually found two cases of
prominent investment firms that were doing just this).

It's like type checking or linting but for everyday file formats.

------
StavrosK
This is very nitpicky, but does adding extra data at the bottom of the image
count as steganography? I've always thought of steganography as something that
is very hard to detect, like changing the LSB of each pixel to a part of your
message.

~~~
onion2k
_does adding extra data at the bottom of the image count as steganography_

"steganography" is simply the act of hiding messages, so I don't see why this
wouldn't count.

What term for hiding information outside of the bounds of the image would you
propose instead?

~~~
082349872349872
I'd say communicating outside normal means would be "using a covert channel",
and reserve "steganography" for such communication as has been whitened to
resemble noise[1].

Obviously tastes may differ, so someone else might call the former
"steganography" and distinguish the latter as "deniable steganography", or at
least "near-noise steganography".

(with a little information theory, one can even communicate reliably via sub-noise steganography)

cryptography vs. steganography?

[1] compare Bacon (1605):
[https://archive.org/details/advancementofl00baco/page/256/mo...](https://archive.org/details/advancementofl00baco/page/256/mode/2up?q=biliteral)

"... a method of expressing and signifying one's mind to any distance by
objects that are either visible or audible — provided only the objects are but
capable of two differences ..."

~~~
onion2k
_I'd say communicating outside normal means would be "using a covert
channel", and reserve "steganography" for such communication which has been
whitened to resemble noise[1]._

Ah. I think I see where the confusion is coming from. You're saying this isn't
steganography because the information isn't _hidden_ in the image data. It's
there in the 'plaintext'. I thought this is steganography because the image is
hidden in the _file_ data by exploiting the fact that PNG renderers don't
display it.

I'm going to change my mind and say that your definition is actually better
than mine. The information itself _isn't_ hidden. You don't need a trick, or
a key, or any special knowledge to view it. The fact that common PNG libraries
don't display it isn't really enough to say that it's enciphered at all - you
can't really say a message is definitely hidden if you assume something about
the PNG library the attacker is using to view it. I don't know what the right
term is, but it probably isn't steganography.

~~~
082349872349872
security per obscurity? (skotadigraphy?)

~~~
HelloNurse
More "security by hoping they don't look". And in fact, the suggested uses of
overlong PNG chunks in the linked article aren't particularly secure ones.

------
tvb12
I really like the explanation of the png file format. I'm not sure I'll ever
use this knowledge, but I was happy to learn it.

------
grenoire
I actually developed a game which used this trick for an Easter egg. I added
in a texture for the Companion Cube from Portal, and set the alpha to 1. In
game, however, I loaded the textures with only a single bit of alpha, which
meant that the alpha of 1 was the same as 255. Not entirely invisible, but was
fun to do!

------
est
I remember there was a similar trick that hides data in GZip streams in its
FCOMMENT block.

Could something similar be done with DEFLATE? Allocate some unused Huffman
table? Put stuff in reserved bits?

~~~
ekimekim
Specifically with PNG it has a concept of "private" chunks which you can use
to store arbitrary data. Conforming decoders will ignore these chunks, and may
or may not drop them if the file is modified. See
[https://en.wikipedia.org/wiki/Portable_Network_Graphics#%22C...](https://en.wikipedia.org/wiki/Portable_Network_Graphics#%22Chunks%22_within_the_file)
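
As an added example (not the article's code and not Pure), a defender-side chunk scanner in Python that reports the three hiding places this thread mentions: private chunk types, decompressed IDAT bytes beyond the declared height (extra rows at the bottom), and bytes after IEND. It assumes non-interlaced images and builds its own sample file inline; chunk naming and CRC rules follow the PNG spec.

```python
import struct
import zlib

SIGNATURE = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # samples per pixel by colour type

def chunk(ctype, payload):
    """Encode one chunk: 4-byte length, type, payload, CRC32 over type+payload."""
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

def scan_png(data):
    """Walk the chunk list and report the places data can hide (non-interlaced images only)."""
    if data[:8] != SIGNATURE:
        raise ValueError("not a PNG")
    report = {"chunks": [], "bad_crc": [], "private": [], "extra_idat_bytes": 0, "trailing_bytes": 0}
    pos, idat, hdr = 8, b"", None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc) != 4:
            raise ValueError("truncated chunk at offset %d" % pos)
        name = ctype.decode("latin-1")
        report["chunks"].append(name)
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + payload):
            report["bad_crc"].append(name)
        if ctype[1] & 0x20:  # lowercase second letter = private (unregistered) chunk type
            report["private"].append(name)
        if ctype == b"IHDR":
            hdr = struct.unpack(">IIBBBBB", payload)
        elif ctype == b"IDAT":
            idat += payload
        pos += 12 + length
        if ctype == b"IEND":
            break
    report["trailing_bytes"] = len(data) - pos  # bytes after IEND are never rendered
    if hdr and idat and hdr[6] == 0:  # interlace method 0; Adam7 lays rows out differently
        width, height, depth, colour = hdr[:4]
        row = 1 + (width * CHANNELS[colour] * depth + 7) // 8  # filter byte + pixel bytes
        report["extra_idat_bytes"] = len(zlib.decompress(idat)) - height * row
    return report

def build_sample():
    """Constructed 2x1 RGB PNG: a hidden extra row, a private chunk and bytes after IEND."""
    ihdr = struct.pack(">IIBBBBB", 2, 1, 8, 2, 0, 0, 0)
    visible = b"\x00" + b"\xff\x00\x00" + b"\x00\xff\x00"  # filter 0, one red and one green pixel
    hidden = b"\x00" + b"HIDDEN"  # a second "row" beyond the declared height of 1
    return (SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"seCr", b"private payload")
            + chunk(b"IDAT", zlib.compress(visible + hidden)) + chunk(b"IEND", b"") + b"after IEND")
```

A viewer shows the sample as two pixels; the scanner reports the private chunk, 7 surplus IDAT bytes and 10 bytes after IEND.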

------
tenbino
The pico8 console stores the entire game in a png file in its data area.

~~~
Lerc
Doesn't it store it in the low bits of visible picture?

That's what I do for my own virtual console project. While the methods listed
in this article are pretty neat, once you go browser based you are limited to
what the browser gives you access to. The only alternative is doing a request
for the file and doing the entire file format decoding in JavaScript. If you
go that far then you might as well use a zTXt or custom chunk.

------
deadalus
[https://web.archive.org/web/20200901074527/https://www.hacke...](https://web.archive.org/web/20200901074527/https://www.hackerfactor.com/blog/index.php?/archives/894-PNG-and-Hidden-Pixels.html)

------
userbinator
You can do something similar with video too --- the width and height are
padded to macroblock boundaries (usually 16 pixels) so there's plenty of space
for extra data at the right and bottom.

In the analog realm, something similar was used to add closed captioning to
the video signal:
[https://en.wikipedia.org/wiki/EIA-608](https://en.wikipedia.org/wiki/EIA-608)

------
jansan
Column padding can be done with .ico files, too. For 16 and 256 color images
each line of data must be a multiple of 4 bytes. And since 16 and 256 color
images are required to be included in ico images, the low color resolution
does not even raise suspicion.

------
spicybright
"Back in the day" there was an image board where people uploaded JPGs that
actually were zip archives when you renamed the extension. People would post
music albums like that where the image was the cover art.

~~~
jansan
This is one of my favorite presentations ever:

[https://media.ccc.de/v/31c3_-_5930_-_en_-_saal_6_-_201412291...](https://media.ccc.de/v/31c3_-_5930_-_en_-_saal_6_-_201412291400_-_funky_file_formats_-_ange_albertini#t=1966)

Ange Albertini shows how a file can be multiple files in different formats
at the same time. Amazing stuff.

~~~
jasomill
I ran into a very annoying case of this in the wild: a USB hard drive "pre-formatted for Windows and Mac".

Specifically, the entire disk was pre-formatted as both NTFS and HFS+.

The trick: as shipped, LBA 0 contained an MBR pointing to an NTFS-formatted
partition _spanning the free space of an empty HFS+ volume_ whose (slightly
larger) partition was defined by an Apple Partition Map in LBA 1.

So Windows would read the MBR and find the NTFS volume, Mac OS would read the
APM and find the HFS+ volume, and all was right with the world.

Right, that is, until you plugged the disk into a Mac after writing to it in
Windows, because the simple act of auto-mounting the "empty" HFS+ volume
caused OS X to fill enough of the volume's "free" space to corrupt the
colocated NTFS filesystem beyond repair.

------
fenomas
Sorry if this is a dumb question, but what does hiding information in images
have to do with CTF-style challenges? Does that term not refer to "break into
server X and retrieve file Y" sorts of tasks?

~~~
marcan_42
CTF games come in two styles (attack and defense i.e. PvP, and jeopardy i.e.
PvE), and within the jeopardy class there are many categories, one of which
can be steganography, file formats, and related challenges.

(Source: I run a CTF, have written over 100 challenges, and the JPEG padding
trick was one of them years ago)

~~~
fenomas
Ah, I had thought they were exclusively about security/penetration/etc.
Thanks!

