Attacking Connection Tracking Frameworks as used by Virtual Private Networks

Authors: Benjamin Mixon-Baca (ASU/Breakpointing Bad), Jeffrey Knockel (Citizen Lab, University of Toronto), Diwen Xue (University of Michigan), Tarun Ayyagari (Arizona State University), Deepak Kapur (University of New Mexico), Roya Ensafi (University of Michigan), Jedidiah R. Crandall (ASU/Breakpointing Bad)

Volume: 2024
Issue: 3
Pages: 109–126
DOI: https://doi.org/10.56553/popets-2024-0070

Artifact: Reproduced


Abstract: VPNs (Virtual Private Networks) have become an essential privacy-enhancing technology, particularly for at-risk users like dissidents, journalists, NGOs, and others vulnerable to targeted threats. While previous research investigating VPN security has focused on cryptographic strength or traffic leakages, there remains a gap in understanding how lower-level primitives fundamental to VPN operations, like connection tracking, might undermine the security and privacy that VPNs are intended to provide.

In this paper, we examine the connection tracking frameworks used in common operating systems, identifying a novel exploit primitive that we refer to as the port shadow. We use the port shadow to build four attacks against VPNs that allow an attacker to intercept and redirect encrypted traffic, de-anonymize a VPN peer, or even portscan a VPN peer behind the VPN server. We build a formal model of modern connection tracking frameworks and identify that the root cause of the port shadow lies in five shared, limited resources. Through bounded model checking, we propose and verify six mitigations in terms of enforcing process isolation. We hope our work leads to more attention on the security aspects of lower-level systems and the implications of integrating them into security-critical applications.

Keywords: computer network, security, VPN, exploit, formal methods

Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.