2024-mixon-baca-snitch
Attacking Connection Tracking Frameworks as used by Virtual Private Networks
Abstract
VPNs are an essential privacy-enhancing technology, particularly for
at-risk users like dissidents, journalists, and NGOs. While prior
work has examined VPN cryptography and traffic leakage, the authors
identify a gap in the security of a lower-level primitive: the
connection-tracking frameworks (conntrack/Netfilter and similar) on
which most VPN servers rely. They introduce a novel exploit
primitive, the "port shadow," and use it to build four attacks that
let an off-path attacker intercept and redirect encrypted traffic,
de-anonymise a VPN peer, or even portscan a peer hidden behind the
VPN server. They build a formal model of modern connection-tracking
frameworks, identify the five shared resources at the root of the
port shadow, and verify six process-isolation mitigations via
bounded model checking.