This repository contains the artifacts for the paper "NetCap: Data-Plane Capability-Based Defense Against Token Theft in Network Access", accepted at the Network and Distributed System Security (NDSS) Symposium 2026. For questions, please reach out to Osama Bajaber.
Tokens play a vital role in enterprise network access control by enabling secure authentication and authorization across various protocols (e.g., JSON Web Tokens, OAuth 2.0). This allows users to access authorized resources using valid access tokens, without the need to repeatedly submit credentials. However, the ambient trust granted to all processes within an authorized host, combined with long token lifetimes, creates an opportunity for malicious processes to hijack tokens and impersonate legitimate users. This threat affects a wide range of protocols and has led to numerous real-world incidents.
We present NetCap, a new defense mechanism designed to prevent attackers from using stolen tokens to access unauthorized resources in enterprise environments. The core idea is to introduce unforgeable, process-level capabilities that are bound to authorized processes. These capabilities are continuously embedded in the processes' network traffic to target resources for validation and are frequently refreshed. This binding between process identity and capability ensures that even if access tokens are stolen by malicious processes, they cannot be used to pass authentication without valid capabilities. To support the high volume of requests generated by processes in the network, NetCap introduces a novel data-plane design based on programmable switches and eBPF. Through multiple optimization techniques, our system supports inline generation and embedding of capabilities, allowing large volumes of traffic to be processed at line rate with little overhead. Our extensive evaluations show that NetCap maintains line-rate network performance across a variety of protocols and real-world applications with negligible overhead, while effectively securing these applications against token theft attacks.
- Python 3.7
- Intel Tofino Switch SDE 9.7.0
- BCC (Linux 5.15.0)
- Scapy 2.4.5
- Pyroute2 0.9.5
The current settings assume two hosts are linked to the Tofino switch, assigned the following IP addresses (adjust these to match your topology):

- Client Host: 10.0.0.1
- Server Host: 10.0.0.2
Ensure that the Tofino switch SDE is installed and that the environment variables SDE=~/bf-sde-9.7.0/ and SDE_INSTALL=~/bf-sde-9.7.0/install are set. Note: run_switchd.sh is located in your SDE directory, /bf-sde-9.7.0/.
Step 1: Run the switch program on the Tofino switch

```shell
./run_switchd.sh -p netcap
```
Step 2: Start the control plane

```shell
python3 switch/controller.py
```
This will load NetCap in the designated Tofino switch and run the control plane.
With the switch program running, load the eBPF programs onto the hosts. We tested these programs on Ubuntu 20.04.1 LTS, but they should work with other versions. Make sure to set the correct interface name in client_program/client.py and server_program/server.py.
Step 1: In server_program/server.py, add the application log files to be monitored by the userspace application. Each entry maps a log file path to a regex whose two capture groups are the peer IP address and source port of an accepted session:

```python
import re

LOGS = {
    # sshd "Accepted ..." lines: group 1 = client IP, group 2 = client port
    "/var/log/secure": re.compile(r"\bAccepted\b.*\bfrom\s+([0-9.]+)\s+port\s+(\d+)\b"),
    # Add more files + regex as needed
}
```
Step 2: Run both the client and server eBPF-based programs. The following commands attach all the needed eBPF programs inside the kernel:

```shell
python3 server_program/server.py
python3 client_program/client.py
```
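The LOGS map in Step 1 only works if every regex follows the same contract (two capture groups: IP, then port) and if the userspace program tolerates lines that match loosely, since `[0-9.]+` also accepts strings that are not valid IPv4 addresses. The following is an added example, not code from the NetCap repository, that checks that contract and applies the map to a few constructed log lines; the second log file, its regex, and all sample lines are assumptions made up for this illustration.

```python
import ipaddress
import re

# Log files to monitor -> regex with two capture groups: (peer IP, source port).
# The first entry is the one from the README; the second is an assumed example
# for a hypothetical application that logs "client=IP:PORT authenticated".
LOGS = {
    "/var/log/secure": re.compile(r"\bAccepted\b.*\bfrom\s+([0-9.]+)\s+port\s+(\d+)\b"),
    "/var/log/example-app.log": re.compile(r"client=([0-9.]+):(\d+)\s+authenticated"),  # assumed format
}

# Constructed sample lines (not captured from a real host). They include a
# failed login, a rejected client, and an "Accepted" line whose IP field is
# malformed but still matches [0-9.]+.
SAMPLE_LINES = {
    "/var/log/secure": [
        "Jan 10 12:00:01 srv sshd[1234]: Accepted publickey for alice from 10.0.0.1 port 51234 ssh2: ED25519 SHA256:abc",
        "Jan 10 12:00:02 srv sshd[1235]: Failed password for bob from 10.0.0.9 port 51235 ssh2",
        "Jan 10 12:00:03 srv sshd[1236]: Accepted password for carol from 10.0.0.1 port 51236 ssh2",
        "Jan 10 12:00:04 srv sshd[1237]: Accepted publickey for dave from 10.0.0 port 51237 ssh2",
    ],
    "/var/log/example-app.log": [
        "2026-01-10T12:00:05Z INFO client=10.0.0.1:40000 authenticated",
        "2026-01-10T12:00:06Z INFO client=10.0.0.7:40001 rejected",
    ],
}


def validate_log_patterns(logs):
    """Return the paths whose regex does not expose exactly two capture groups
    (IP, port). Accepts compiled patterns or raw pattern strings."""
    bad = []
    for path, pattern in logs.items():
        if re.compile(pattern).groups != 2:
            bad.append(path)
    return bad


def extract_sessions(lines_by_file, logs=LOGS):
    """Return (path, ip, port) for each line that matches its file's regex and
    carries a well-formed IPv4 address and a valid TCP/UDP port. Lines that do
    not match, files without a regex, and malformed matches are skipped."""
    sessions = []
    for path, lines in lines_by_file.items():
        pattern = logs.get(path)
        if pattern is None:
            continue
        for line in lines:
            m = pattern.search(line)
            if not m:
                continue
            ip_text, port_text = m.group(1), m.group(2)
            try:
                ip = ipaddress.IPv4Address(ip_text)  # rejects "10.0.0", "1.2.3.4.5", etc.
            except ValueError:
                continue
            port = int(port_text)
            if not 0 < port < 65536:
                continue
            sessions.append((path, str(ip), port))
    return sessions


if __name__ == "__main__":
    assert validate_log_patterns(LOGS) == [], "every regex must capture (ip, port)"
    for session in extract_sessions(SAMPLE_LINES):
        print(session)
```

Running the block prints three sessions, all for peer 10.0.0.1: the two sshd logins, and the one authenticated application client. The failed login, the rejected client, and the line with the malformed address are dropped, so only sessions that actually authenticated reach whatever the server program does next.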
We provide custom Scapy tools to send customized packets with capability headers. Adjust the headers as needed in custom_cap_script.py.

Step 1: At the sending host, run the following command to send a custom packet

```shell
python3 custom_cap_script.py <destination_IP> <message>
```
If you like or use our work, please cite us using:

```bibtex
@inproceedings{bajaber2026netcap,
  author    = {O. Bajaber and B. Ji and P. Gao},
  title     = {NetCap: Data-Plane Capability-Based Defense Against Token Theft in Network Access},
  booktitle = {Network and Distributed System Security Symposium (NDSS)},
  year      = {2026},
}
```