ProcRoute: Process-Scoped Authorization of Split-Tunnel Routes
Arul Thileeban Sagayam

TL;DR
ProcRoute hardens split-tunnel VPN/ZTNA deployments by restricting internal-route access to explicitly authorized applications, so a malicious process cannot reuse routes that were installed device-wide; the paper gives a formal model and an efficient Linux implementation.
Contribution
The paper introduces ProcRoute, a system that models route access as an access-control problem and enforces process-scoped restrictions on internal routes in Linux.
Findings
ProcRoute matches WireGuard performance and is 13% faster than nftables cgroup-matching.
It scales to 5,000 prefixes with sub-millisecond revocation latency.
Microbenchmarks show low overhead and effective blocking of unauthorized attempts.
Abstract
In most split-tunnel VPN/ZTNA deployments, installing an internal route authorizes the entire device, not a specific application, to use it. An unprivileged malicious process can therefore reach internal services by reusing routes intended for corporate applications. We present ProcRoute, a system that restricts internal-route access to explicitly authorized applications. ProcRoute models route access as an access-control problem: application identities are principals, destination prefixes with port and protocol constraints are resources, and a total, default-deny decision function mediates every connect() and UDP sendmsg() to an internal destination. Processes without a grant retain external access but are denied internal routes under our threat model. We describe ProcRoute's formal model, a Linux prototype built on cgroup v2 and eBPF socket-address hooks, and two complementary…
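The decision function described in the abstract, written out as an added example (this is not the paper's code or model): application labels stand in for cgroup identities, and the internal prefixes, grants and destinations are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed for this example: prefixes treated as "internal", i.e. the
# split-tunnel routes whose use ProcRoute mediates. Anything else is external.
INTERNAL_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]

@dataclass(frozen=True)
class Grant:
    """Resource: a destination prefix plus port-range and protocol constraints."""
    prefix: IPv4Network
    ports: tuple  # (low, high), inclusive
    proto: str    # "tcp" (mediated at connect()) or "udp" (mediated at sendmsg())

    def covers(self, dst: IPv4Address, port: int, proto: str) -> bool:
        return proto == self.proto and self.ports[0] <= port <= self.ports[1] and dst in self.prefix

class ProcRoutePolicy:
    """Principals are application identities (a label standing in for the app's
    cgroup, an assumption here); the decision function is total and default-deny."""
    def __init__(self) -> None:
        self.grants: dict[str, set[Grant]] = {}

    def grant(self, principal: str, cidr: str, ports: tuple, proto: str) -> None:
        self.grants.setdefault(principal, set()).add(Grant(ip_network(cidr), ports, proto))

    def revoke(self, principal: str, cidr: str, ports: tuple, proto: str) -> None:
        self.grants.get(principal, set()).discard(Grant(ip_network(cidr), ports, proto))

    def decide(self, principal: str, dst: str, port: int, proto: str) -> bool:
        """Called on every connect()/sendmsg() to dst; True = allow, False = deny."""
        addr = ip_address(dst)
        if not any(addr in p for p in INTERNAL_PREFIXES):
            return True  # processes without a grant keep external access
        # Internal destination: allowed only if a grant held by this principal covers it.
        return any(g.covers(addr, port, proto) for g in self.grants.get(principal, ()))

def demo() -> dict:
    # Constructed scenario: a mail client holds one grant; a user shell holds none.
    policy = ProcRoutePolicy()
    policy.grant("corp-mail", "10.1.0.0/16", (443, 443), "tcp")
    result = {
        "mail_to_internal_443": policy.decide("corp-mail", "10.1.2.3", 443, "tcp"),
        "mail_to_internal_22": policy.decide("corp-mail", "10.1.2.3", 22, "tcp"),
        "shell_to_internal_443": policy.decide("user-shell", "10.1.2.3", 443, "tcp"),
        "shell_to_external_443": policy.decide("user-shell", "93.184.216.34", 443, "tcp"),
    }
    policy.revoke("corp-mail", "10.1.0.0/16", (443, 443), "tcp")
    result["mail_after_revoke"] = policy.decide("corp-mail", "10.1.2.3", 443, "tcp")
    return result
```

The unprivileged shell is denied the internal route while keeping external reachability, the mail client's grant does not extend past its port constraint, and revocation takes effect on the next decision.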
