NetCap: Data-Plane Capability-Based Defense Against Token Theft in Network Access
Osama Bajaber
Network and Distributed System Security (NDSS) Symposium 2026 · Day 1 · Systems Security
Token theft remains one of the most exploited attack vectors in modern authentication systems, enabling attackers to impersonate legitimate users and bypass credential requirements entirely. This talk introduces **NetCap**, the first system to realize **network-level capability-based defense** against stolen access tokens. By cryptographically binding capabilities to specific process IDs and network service destinations using the **SipHash algorithm** running directly on **programmable switches (Tofino)**, NetCap adds continuous per-request, per-process authentication that operates transparently across a wide range of communication protocols -- without modifying applications, kernel source code, or existing authentication protocols. The system blocked **100% of attack traffic** from stolen tokens while maintaining negligible latency overhead of just **130 nanoseconds** for data packets.
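The binding the abstract describes, worked through as an added example (this is not NetCap's code and not taken from the paper): a SipHash-2-4 tag is computed over (token id, process ID, destination IP:port) under a key shared between the capability issuer and the switch, and for every packet the switch recomputes the tag from the claimed binding and compares. The record layout, field widths, the demo key, the PIDs and the addresses are assumptions made for illustration; `siphash24` follows the published SipHash-2-4 algorithm and is checked against the standard test vector from the SipHash paper. The last scenario reproduces the PID-reuse limitation noted in the review further down: a different process that later holds the same PID and talks to the same destination is indistinguishable to the switch.

```python
import struct

MASK64 = (1 << 64) - 1


def _rotl(x: int, b: int) -> int:
    return ((x << b) | (x >> (64 - b))) & MASK64


def _sipround(v0: int, v1: int, v2: int, v3: int):
    # One SipRound (add-rotate-xor network) exactly as in the SipHash specification.
    v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13); v1 ^= v0; v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16); v3 ^= v2
    v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21); v3 ^= v0
    v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17); v1 ^= v2; v2 = _rotl(v2, 32)
    return v0, v1, v2, v3


def siphash24(key: bytes, msg: bytes) -> int:
    """SipHash-2-4: 2 compression rounds per 8-byte block, 4 finalization rounds, 64-bit tag."""
    if len(key) != 16:
        raise ValueError("SipHash key must be 128 bits")
    k0 = int.from_bytes(key[:8], "little")
    k1 = int.from_bytes(key[8:], "little")
    v0 = k0 ^ 0x736F6D6570736575  # "somepseu"
    v1 = k1 ^ 0x646F72616E646F6D  # "dorandom"
    v2 = k0 ^ 0x6C7967656E657261  # "lygenera"
    v3 = k1 ^ 0x7465646279746573  # "tedbytes"
    n = len(msg)
    full = n - n % 8
    for i in range(0, full, 8):
        m = int.from_bytes(msg[i:i + 8], "little")
        v3 ^= m
        for _ in range(2):
            v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
        v0 ^= m
    # Final block: the leftover bytes, with the message length in the most significant byte.
    b = (n & 0xFF) << 56
    for i, byte in enumerate(msg[full:]):
        b |= byte << (8 * i)
    v3 ^= b
    for _ in range(2):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    v0 ^= b
    v2 ^= 0xFF
    for _ in range(4):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    return v0 ^ v1 ^ v2 ^ v3


def binding_record(token_id: int, pid: int, dst_ip: str, dst_port: int) -> bytes:
    # Assumed wire layout (not from the paper): 64-bit token id, 32-bit PID, IPv4 address, 16-bit port.
    ip = bytes(int(octet) for octet in dst_ip.split("."))
    return struct.pack("<QI", token_id, pid) + ip + struct.pack("<H", dst_port)


def issue_capability(key: bytes, token_id: int, pid: int, dst_ip: str, dst_port: int) -> int:
    """Control plane: mint the tag that the host stamps onto packets of this (process, destination) flow."""
    return siphash24(key, binding_record(token_id, pid, dst_ip, dst_port))


def switch_check(key: bytes, token_id: int, pid: int, dst_ip: str, dst_port: int, tag: int) -> bool:
    """Data plane: recompute the tag from the binding the packet claims and compare; mismatch means drop."""
    return siphash24(key, binding_record(token_id, pid, dst_ip, dst_port)) == tag


def scenarios() -> dict:
    """Constructed traffic: one legitimate flow and several uses of the same stolen token."""
    key = bytes(range(16))                      # demo key; a real key is provisioned to the switch
    token, pid, dst = 0x5EED1234ABCD0001, 4242, ("10.0.0.5", 443)
    tag = issue_capability(key, token, pid, *dst)
    return {
        "legit": switch_check(key, token, pid, *dst, tag),                  # own PID, bound destination
        "stolen_other_pid": switch_check(key, token, 5151, *dst, tag),      # token replayed by another process
        "stolen_other_dst": switch_check(key, token, pid, "10.0.0.9", 443, tag),  # same PID, unbound service
        "forged_tag": switch_check(key, token, 5151, *dst, tag ^ 1),        # attacker guesses without the key
        "pid_reuse": switch_check(key, token, pid, *dst, tag),              # later process holding PID 4242 passes
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:18s} {'forward' if allowed else 'drop'}")
```

Only the `legit` and `pid_reuse` flows are forwarded; the review's PID-reuse point is exactly that last line, and it is why a deployment would want the binding to also cover something the kernel does not recycle (a process start time or a per-host nonce), which is an addition not described on this page.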
AI review
A well-engineered system that extends capability-based access control to the network level using programmable switches and eBPF, binding access tokens to specific process IDs to prevent token theft exploitation. The implementation on physical Tofino hardware with 130ns overhead and 100% attack blocking is impressive engineering. The SipHash-based capability generation is lightweight but effective. However, the system assumes you have programmable switches deployed, and the PID-based binding has known limitations (PID reuse, containerized environments).