It would be desirable to detect whether the tracee is using SOCKS without an appropriate username/password. (Tor isolates streams by SOCKS credentials, so a connection made without them would share circuits with other traffic; this would constitute a stream isolation leak.)
This should be doable by passively parsing the SOCKS handshake (sniffed by intercepting the send and receive syscalls) to determine what authentication data is being supplied, and killing the connection (by replacing a send syscall with a close syscall) if the credentials don't satisfy the requirements. Two details matter for the parser: the handshake may be split across several syscalls, so it has to buffer partial messages rather than assume one message per call; and the verdict has to be reached before the tracee's CONNECT request goes out, because once the proxy has opened the stream the leak has already happened. Note also that only SOCKS5 (RFC 1929 sub-negotiation) carries a password; SOCKS4/4a has just a user id, and any other syscall that can write to the socket (write, writev, sendmsg) has to be intercepted as well or the tracee can bypass the check.
(This approach is not far off from the design of Subgraph TLS-Guard, which passively parses a TLS handshake to determine whether it meets certain security requirements, and kills the connection if it detects insecure behavior.)
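As an added illustration of the parsing described above (not the project's own code), here is a passive SOCKS5 handshake monitor: the tracer feeds it the buffers it sees in the tracee's send() and recv() syscalls on one socket, and it returns PENDING, ALLOW or KILL, where KILL is the signal to rewrite the tracee's next send() into close(). The policy (`require_nonempty_credentials`), the `replay` helper and the sample exchanges are assumptions made for the example; the wire formats follow RFC 1928 and RFC 1929.

```python
"""Passive SOCKS5 handshake monitor for a syscall-intercepting sandbox.
Added example, not the project's code. Assumes the tracer calls on_send()
with each intercepted send() buffer and on_recv() with each recv() buffer,
in order, and closes the socket when the verdict becomes KILL."""
import enum

SOCKS_VER5 = 0x05
METHOD_USERPASS = 0x02   # RFC 1928 method id for username/password
USERPASS_VER = 0x01      # RFC 1929 sub-negotiation version
AUTH_SUCCESS = 0x00


class Verdict(enum.Enum):
    PENDING = "pending"  # handshake still in progress, keep buffering
    ALLOW = "allow"      # credentials satisfied the isolation policy
    KILL = "kill"        # leak: tracer should turn the next send() into close()


def require_nonempty_credentials(username: bytes, password: bytes) -> bool:
    """Assumed policy: an empty username or password is treated as no isolation."""
    return len(username) > 0 and len(password) > 0


class SocksAuthMonitor:
    def __init__(self, policy=require_nonempty_credentials):
        self.policy = policy
        self.c2s = bytearray()   # bytes the tracee sent to the proxy
        self.s2c = bytearray()   # bytes the proxy returned to the tracee
        self.state = "greeting"
        self.verdict = Verdict.PENDING
        self.reason = ""
        self.username = None

    def on_send(self, data: bytes) -> Verdict:
        if self.verdict is Verdict.PENDING:
            self.c2s += data
            self._advance()
        return self.verdict

    def on_recv(self, data: bytes) -> Verdict:
        if self.verdict is Verdict.PENDING:
            self.s2c += data
            self._advance()
        return self.verdict

    def _kill(self, reason: str) -> None:
        self.verdict, self.reason = Verdict.KILL, reason

    def _advance(self) -> None:
        # Each step consumes one complete message; partial data stays buffered.
        while self.verdict is Verdict.PENDING:
            if self.state == "greeting":
                if len(self.c2s) < 2:
                    return
                ver, nmethods = self.c2s[0], self.c2s[1]
                if ver != SOCKS_VER5:
                    # SOCKS4/4a has a user id but no password; anything else is not SOCKS.
                    return self._kill(f"not SOCKS5 (version byte {ver:#x})")
                if len(self.c2s) < 2 + nmethods:
                    return
                methods = self.c2s[2:2 + nmethods]
                del self.c2s[:2 + nmethods]
                if METHOD_USERPASS not in methods:
                    return self._kill("client did not offer username/password auth")
                self.state = "method"
            elif self.state == "method":
                if len(self.s2c) < 2:
                    return
                ver, method = self.s2c[0], self.s2c[1]
                del self.s2c[:2]
                if ver != SOCKS_VER5 or method != METHOD_USERPASS:
                    return self._kill(f"proxy selected method {method:#x}, not username/password")
                self.state = "userpass"
            elif self.state == "userpass":
                if len(self.c2s) < 2 or len(self.c2s) < 3 + self.c2s[1]:
                    return
                ulen = self.c2s[1]
                plen = self.c2s[2 + ulen]
                if len(self.c2s) < 3 + ulen + plen:
                    return
                if self.c2s[0] != USERPASS_VER:
                    return self._kill("bad username/password sub-negotiation version")
                self.username = bytes(self.c2s[2:2 + ulen])
                password = bytes(self.c2s[3 + ulen:3 + ulen + plen])
                del self.c2s[:3 + ulen + plen]
                if not self.policy(self.username, password):
                    return self._kill("credentials rejected by isolation policy")
                self.state = "auth_reply"
            elif self.state == "auth_reply":
                if len(self.s2c) < 2:
                    return
                status = self.s2c[1]
                del self.s2c[:2]
                if status != AUTH_SUCCESS:
                    return self._kill(f"proxy rejected credentials (status {status:#x})")
                self.verdict = Verdict.ALLOW
                return


def replay(exchange, policy=require_nonempty_credentials) -> SocksAuthMonitor:
    """Feed a recorded ('send'|'recv', bytes) sequence to a fresh monitor."""
    mon = SocksAuthMonitor(policy)
    for direction, data in exchange:
        (mon.on_send if direction == "send" else mon.on_recv)(data)
    return mon


if __name__ == "__main__":
    # Constructed exchange: client offers no-auth and user/pass, proxy picks
    # user/pass, client authenticates as alice/secret, proxy accepts.
    good = [("send", b"\x05\x02\x00\x02"), ("recv", b"\x05\x02"),
            ("send", b"\x01\x05alice\x06secret"), ("recv", b"\x01\x00")]
    print(replay(good).verdict)  # Verdict.ALLOW
    # Constructed leak: client offers only no-auth, so the verdict is reached
    # on the first send(), before the proxy even replies.
    leak = replay([("send", b"\x05\x01\x00"), ("recv", b"\x05\x00")])
    print(leak.verdict, leak.reason)  # Verdict.KILL client did not offer username/password auth
```

The verdict is reached on the last byte of the authentication reply, which is before the tracee can send its CONNECT request, so a KILL still prevents the proxy from opening a stream. Because the two directions are buffered separately, the monitor does not care whether the tracer reports the send() or the matching recv() first, only that each complete message is seen before the next state needs it.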