
My name is Roberto Martinez. I work for BBVA at the Innovation Labs, that is the department, and I'm going to talk about parasitic computing: an introduction to parasitic computing with BrainSlug.

So what is parasitic computing? Well, it's a programming technique where one program that is communicating in a normal fashion with another program manages to get the other program to perform a computation. This was first proposed in 2001 by the Department of Physics and the Department of Computer Science in the University of Notre Dame, and they managed to solve a very large, extremely difficult 3-SAT problem by parasitizing the TCP stack of a remote web server. But what is a 3-SAT problem in the
first place? Well, it's a problem where you are given a very complex Boolean expression like that one. This Boolean expression is formed by variables and Boolean operators and some parentheses, and you have to find if there is any combination whatsoever of values for these variables to make the whole expression evaluate to true. So this kind of problem can be very, very difficult, and NP-complete. Another thing that you have to know to understand this is that one property of the TCP checksum function is that it has enough logic for implementing any Boolean operation, basically, and by extension any arithmetic operation. So we are computing with the TCP
checksum function. They do that to solve this 3-SAT problem, and the way they managed to resolve this was just by splitting this very large Boolean expression into very simple Boolean operations that match the capabilities of this TCP checksum function. Afterwards they encode these smaller Boolean operations into TCP packets so they can force the other computer to perform this computation for them. The way they did it was by first opening a normal TCP connection to a web server. They establish the connection normally and then they forge this packet by just encoding the smaller problem into
the TCP payload and the checksum, in a way that if the TCP checksum is correct for the data that's in the packet, the Boolean operation is also true, and vice versa. So what happens is, if the guess that they are making for the Boolean operation is correct, the checksum is also correct, and of course the packet is pushed up to the HTTP web server. But this kind of packet is not a valid HTTP packet, so the server responds with an error, but this is enough information for the parasite to know that the guess is correct. What happens if the guess is not correct?
Of course the checksum will also be incorrect, so the TCP stack will drop the packet at the TCP level without pushing it to the HTTP level. So after splitting this very big problem into smaller problems, they sent in parallel all those HTTP packets with the guesses, and only the correct solutions are answered by the server. So they managed to solve this problem.

One year later, a student of the University of Applied Sciences in Bern, Switzerland made this virtual machine that used this technique to basically compute any kind of program. So yeah, if you want to use free resources you can compile for this virtual machine and just run the
problem with the free resources of the internet. Yeah, we have free computer power, guys, so let's mine bitcoins and be rich, basically. But no, not so fast. That's because just the cost of encoding the problem into TCP packets is way higher than solving the problem in the first place. So parasitic computing seems impractical, but it has some very nice features. For example, logic protection. I mean by logic protection that the host that we are using to compute can't discover what the parasite is computing. That's because the parasite is not sending any kind of algorithm to the host, just using it as a resource for
the computation. Another really nice feature is host readiness. I mean that the host is already available on the internet and the resource is just sitting there, so there was no need to install any special software in the host, just use it. And this is because the parasite is clever enough to encode the problem in a way that the host understands. The last feature is the host resources themselves. In the case we have seen, the problem was that the CPU was not very well used, but computers are much more than just CPUs. They have hardware,
and by hardware I mean memory, storage and special hardware like GPUs, etc. They have networking capabilities, because maybe they are connected to another network we are trying to access, and they also have data inside that maybe is interesting for us. So the question really is: can we make it practical? The author of the original paper suggests that as one moves up the application stack there might come a point where there is a computational gain to the parasite. So up we go. I really like to do this exercise and think about the host that we were using in the example
as a kind of virtual machine. If this TCP checksum function were a virtual machine, these would be the properties: the instruction set of this virtual machine is very limited, because we can only compute Boolean operations, and we could only access the CPU of the host. But if we think about an ideal virtual machine for our parasite to take advantage of, we would like to have a high-level, richer instruction set. By high level I mean like in a programming language, very high-level stuff, and by richer, a really big
variety of instructions that we can perform in the host. We would also like to access any resource that the host has, like hardware, network or any data. So my conclusion is that dynamic languages are the perfect target for parasitic computing. Why is this? Because they offer the same features that we discussed before, like logic protection. How do they offer logic protection? Well, dynamic languages have this eval function that we are very familiar with, and using the eval function we can execute very small pieces of code, so using this we can perform just that. They also provide host readiness, and I mean that dynamic languages are everywhere, in every system, I think,
and there is at least a shell, and a shell is a kind of dynamic language in a way. They also have access to the host resources: dynamic languages make it easy to access any kind of resources, they are very high-level languages. So thinking about that, we developed BrainSlug, which is a framework for parasitic computing. It's an open source project that you can see on GitHub at the official repo of BBVA. BrainSlug allows users to write normal-looking Python programs that use the resources from external dynamic languages, from external interpreters. For understanding BrainSlug we have to understand the terminology that we use, and the first thing that I'd like to show
you is the slug. The slug is the name that we give to the parasite, and the duty of the slug is to control the program flow and translate between the Python interpreter that we are running the program on and the remote dynamic language. The next thing is the zombie body, or just the body. The zombie body is a small script written in the remote language that we want to control, and it is in charge of communicating with the slug. This is the pseudocode for a very normal body. The first thing it does is download some code from the
slug via HTTP, evaluate the code using eval and send the result of the evaluation back to the server via the same HTTP request. When sending back the result it will download some new code, and it will repeat the same loop over and over. I don't know if you can read this. This is a very simple body for BrainSlug written in Bash, in JavaScript, and it is exactly the same algorithm. The first thing we do is make this curl request, sending the variable rest, which is initialized to an empty string, to the slug. This will download some new Bash code that we will evaluate using the
dollar-symbol-parenthesis stuff of the shell, and this will hopefully generate some result that will be assigned again to the rest variable. And this loop repeats forever. It's clear enough? Okay, so hello world in BrainSlug.

The things that we have here are the same two things: on the left-hand side we have the code of a slug, and on the right-hand side we have the body, the code that we were just seeing. The code on the left-hand side, the slug, as you can see is very normal Python code. We are
importing some stuff from the brainslug library and we are declaring this hello world function that is decorated with this slug decorator. This just tells the system that for running this slug we need a body attached to us, and this body is going to be named remote. So this remote is the body attached to us. Last, we run this hello world function through the run function that we import, and when this is running, the remote has this print function inside that will print hello world in the host, in the zombie body. The next thing we have is exactly the same code that we
saw before, and with this we have the system making a hello world. And how does it work behind the scenes? Well, we have here exactly the same code: on the left-hand side we have the slug, on the right-hand side we have the body, and they are talking to each other. The first thing we have to do is initialize the program, the slug. We do this on the parasite side, and the first thing it does is wait for the body, because we are trying to run this function that needs a body, and without the body it can't run. So when the body connects via
HTTP, because of the curl that we are making here, the slug starts execution until the body is needed, and that's very quick here, in the first line, the print of the hello world. So at this moment some Bash code is being generated by the slug and sent back in the HTTP request to the body. The body receives this Bash code and evaluates it, and in this case there is no result to the echo, of course, but an empty result is sent back. This operation continues forever, or until the slug is closed. Is it clear? Yeah? Okay, so we are going to see a demo.

The first demo is a parasitic remote
desktop. You can think about this like a VNC server or VNC client, but the difference is that we are implementing this in BrainSlug. Again we have two parts, the slug and the body. The slug in this case will ask the body for a screenshot continually, to give this sensation of video, and we will see this video through a web interface that the slug is opening for us. The slug will also forward any mouse or keyboard interaction through this web interface to the body. And what do we have in the body? In the body we have exactly the same code that you
saw in Bash, but of course in PowerShell. This is a remote desktop for Windows, and PowerShell is all you need. PowerShell is the only dependency here, a standard PowerShell. Why is this? Because PowerShell is capable of taking a screenshot of the whole screen and is also capable of moving and making clicks with the mouse. So, first demo. It's going to be a little bit dark.
Okay, we have here three windows. In the top left we have a VirtualBox with Windows, on the right-hand side we have a normal Chrome browser, and in the bottom left we have a Linux console with the Python program. Here we have the code. It is just 86 lines long and it's just standard Python. So we run it, and the first thing it does is wait for the body. To get the body running here, because this is PowerShell, I have to open a PowerShell window
and write some code here. I'm not writing the whole body code here; I will just ask BrainSlug for a launcher. We can get this code by, I think you can see that the URL is just the URL of the slug, slash launch slash powershell, and it will give us this small PowerShell code. This is the smallest possible PowerShell code for evaluating some code, for some reason. Here in the PowerShell console I paste the code, if it wants to. Okay. As soon as I press enter here, down here the program continues, and it's opening another web interface for us, for the client of the
VNC, or the remote desktop, sorry, and it's opening port 1891. So here in my browser I can enter localhost 1891, and I'm entering the web server that BrainSlug is opening for us. At this moment, on the right-hand side, I don't know if you can see it, we have a terminal, a session, and we can interact with it. It's a little bit slow but it's functional. You can write hello world, sure enough. This is happening, of course, in the Windows machine. So if I move the mouse on the right-hand side you can see,
with some luck, on the left-hand side the mouse moving. This is all happening by sending small pieces of code through the network to the PowerShell loop and evaluating them. So there isn't any kind of software installed, really, in the Windows machine. Okay, continue.
So the second demo is a parasitic remote browser. It is exactly the same, exactly the same code in the slug, no changes whatsoever. This time we are changing the body: instead of a PowerShell body we are using a JavaScript body that will load some JavaScript libraries on demand by the slug and take screenshots of a browser. It's not really possible to take a screenshot of a browser, because there is no JavaScript API to do that, but there's this JavaScript library, html2canvas, that renders a DOM into a canvas, so it can provide the screenshot
for us. So in this demo, instead of a Windows virtual machine, I have here another browser, and the same browser on the right and the same console at the bottom. So I execute the code. Sorry, I have the Windows body running.
So I execute the code and the same happens: it's waiting for the body. But this time I'm going to use the JavaScript body, so I have to download the way to launch it, and this is the same: instead of writing launch powershell I write launch browser, and instead of having an ugly piece of PowerShell code I have this link. If we see the code, it is just a JavaScript link that we can use as a bookmark. So I will drag it and drop it here to have a bookmark, and now I can navigate to any website, for example reference first one,
and I will click this server screen, and this will launch the body inside the browser. So when I click on the link the same happens: the port is open, so I can enter the same address here, 1891, and instead of seeing a Windows machine we are seeing the browser on the left. So here, if in the browser on the left I write something, hello besides, you can see on the right-hand side the session being drawn. Okay, any questions? Okay, moving on.

So what sorcery is this, the same program with two languages? Well, BrainSlug is not magic, of course. Some work has to be done in order to
translate between Python and other languages, and that is the thing that we are going to see now. So how can you define new bodies with BrainSlug? Well, you have to declare a boot function, which is the one that will return the source code of the body that we saw before, and this is the source code. The first thing we have to do is define this thing we call a ribosome. It's an internal object of BrainSlug. This ribosome is like a collection of functions to define an external language, and the first thing you have to do is declare the root of this collection. In this case I am declaring
the Bash language, so I declare and generate this object bash, and I define, with this decorator, just a function that returns the Bash code that we saw. But instead of hard-coding the URL of the slug here, we have to provide a way of getting it dynamically, so here we are receiving the URL. This is, by the way, Python 3.7, so I'm using the new way of interpolation, f-strings. So here you have the URL. And how can you add functionality to this body? Well, you have to do exactly the same and define functions with this decorator. These functions have the responsibility of encoding the code
from Python to the external language, and they have to use this double underscore eval double underscore function, which is the one that sends the code back to the body to be evaluated. So in this case we are defining the print function that we saw in the example. We have to define bash dot print, decorating this function. The name of the function is not relevant, so here I use the underscore. All of these ribosomes, that is the name of those functions, receive a remote, which is the same object that we are using in the slug, so we can call any
other function that we have, and the rest of the parameters of the function. In this case, because this is the print function, we are receiving the text that we want to print, and with the double underscore eval function we are translating this code to Bash, so it is an echo, and we are using the escape function that we see to prefer the liquidation.

So, in summary, when would you like to use BrainSlug? You want to use BrainSlug if you need any of those three properties, or the three of them. They are logic protection, because all the program logic is in the slug and none of the program logic will be sent to the
host; host readiness, if you want to execute some program without installing anything in the body, just using remote interpreters, no deploys; and finally, access to the host resources, occasionally. This is not the best way to access the resources for everyday use, but occasionally it is a way. The last thing I want to say to you is that you can contribute: you can write new bodies and new ribosomes for BrainSlug, and you can even, without our intervention, distribute these bodies and ribosomes as Python packages, so you don't need us for that. And that's all, I think. [Applause] Mind-blowing.
Questions? Any questions?

Are you assuming cooperation of the zombie machines, that someone's going to run a command to allow it to become a body?

Well, if there is cooperation, technically it's not parasitic computing. So you have to provide a way of accessing the interpreter for it to be parasitic computing, because if not it is just distributed computing. But for the demo I have to just make something simple, so yeah.

So it would be maybe some other exploit to...

Yeah, maybe some remote code execution or something like that. Yeah, of course you can use it the same way I did, and this has some benefits too, for example that you don't have to deploy, or you don't have
to reveal your logic to the other party. So yeah, maybe it has its own benefits.
Any other question? Don't be shy. I know you're tired.

So does the zombie then need to have, like, complete code execution, or would you be able to break a payload into multiple steps? Maybe you could get a part of it run, like...

Well, you have to have full access to the interpreter to run the initial code, and after that any other code is just evaluated. So I don't know if I answered your question.

But then once you've got the framework in place, maybe it's easier then to develop...

Yeah, yeah, on top of that, that would make it the
discount. This doesn't have to be the only way to exploit the host. This is just one way that maybe on some occasion is useful, because you don't have, for example, access to write anything to the disk, so you can't deploy a script and then run the script. Here everything is on the fly; nothing was written to the disk.

So yeah, it was really cool. It was just hard for me to follow at the start, because it seemed a lot like just distributed computing, as you say.

Yeah, the difference is really more philosophical, because in distributed computing you have to put all those pieces in place to make the computation very
optimized for the task. This is more oriented to some environment where you don't really have the benefit of this deployment, of this, I don't know, this way of working. So yeah, maybe other use cases, but this is very related to distributed computing. Any other question? No? Okay, thank you. [Applause]