Osama Bajaber (Virginia Tech), Bo Ji (Virginia Tech), Peng Gao (Virginia Tech)

Tokens play a vital role in enterprise network access control by enabling secure authentication and authorization across various protocols (e.g., JSON Web Tokens, OAuth 2.0). This allows users to access authorized resources using valid access tokens, without the need to repeatedly submit credentials. However, the ambient trust granted to all processes within an authorized host, combined with long token lifetimes, creates an opportunity for malicious processes to hijack tokens and impersonate legitimate users. This threat affects a wide range of protocols and has led to numerous real-world incidents.

In this paper, we present NetCap, a new defense mechanism designed to prevent attackers from using stolen tokens to access unauthorized resources in enterprise environments. The core idea is to introduce unforgeable, process-level capabilities that are bound to authorized processes. These capabilities are continuously embedded in the processes' network traffic to target resources for validation and are frequently refreshed. This binding between process identity and capability ensures that even if access tokens are stolen by malicious processes, they cannot be used to pass authentication without valid capabilities. To support the high volume of requests generated by processes in the network, NetCap introduces a novel data-plane design based on programmable switches and eBPF. Through multiple optimization techniques, our system supports inline generation and embedding of capabilities, allowing large volumes of traffic to be processed at line rate with little overhead. Our extensive evaluations show that NetCap maintains line-rate network performance across a variety of protocols and real-world applications with negligible overhead, while effectively securing these applications against token theft attacks.

View More Papers

A Usability Evaluation Method for SOC Tools Using a...

Yukina Okazawa (Toho University), Akira Kanaoka (Toho University), Takumi Yamamoto (Mitsubishi Electric Corporation)

Read More

ANONYCALL: Enabling Native Private Calling in Mobile Networks

Hexuan Yu (Virginia Polytechnic Institute and State University), Chaoyu Zhang (Virginia Polytechnic Institute and State University), Yang Xiao (University of Kentucky), Angelos D. Keromytis (Georgia Institute of Technology), Y. Thomas Hou (Virginia Polytechnic Institute and State University), Wenjing Lou (Virginia Polytechnic Institute and State University)

Read More

Work-in-progress: Spurious Credentials in Breach Compilations

Lucas Stephens (Oregon State University), Jacob Porter (Oregon State University), Zane Ma (Oregon State University)

Read More