SocksTrace: Preventing Proxy Leaks in Your Applications

Day 3, 17:30 - 18:00 (Assembly-Event)

When building privacy-sensitive applications, we often rely on proxies like Tor to ensure that no direct connections escape the intended anonymity network. However, verifying that every part of an application reliably goes through the proxy is surprisingly difficult. Even a single syscall escaping the proxy path can quietly deanonymize a user. SocksTrace is a lightweight proxy-leak detection tool that traces network-related syscalls and validates whether they correctly route through the configured proxy. In this talk, I’ll show how SocksTrace works under the hood, what kinds of leaks it can catch, and why syscall-level inspection is essential for high-assurance privacy tools. I’ll also walk through real-world findings: during our testing, we identified previously unknown proxy leaks in major browsers including Firefox and Brave, one of which resulted in a confirmed bug bounty. These results highlight how subtle proxy routing mistakes can occur even in widely used, privacy-oriented software.

SocksTrace is a Linux-based proxy leak detector and traffic proxifier built on seccomp-notify. By intercepting network syscalls directly in the kernel, it provides runtime-agnostic visibility and enforcement that works even for statically linked binaries and modern browsers.

The talk showcases real WebRTC-related proxy leaks discovered using SocksTrace, explains shortcomings of traditional tools, and demonstrates transparent SOCKSification, DNS enforcement, and safe handling of applications that launch their own Tor instances. We conclude with practical use cases and future directions for syscall-level network containment.
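
What a syscall-level leak check looks for, as an added example (not SocksTrace's code and not from the talk): it reads strace-style trace lines rather than using seccomp-notify, and flags every `connect`/`sendto`/`sendmsg` whose IP destination is not the configured proxy. The proxy address 127.0.0.1:9050, the function name `find_leaks` and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumption: the SOCKS proxy listens on 127.0.0.1:9050 (Tor's default port).
PROXY = ("127.0.0.1", 9050)

# strace's rendering of the syscall name and of IPv4/IPv6 socket addresses.
SYSCALL = re.compile(r'\b(connect|sendto|sendmsg)\(')
INET4 = re.compile(r'sa_family=AF_INET, sin_port=htons\((\d+)\), sin_addr=inet_addr\("([^"]+)"\)')
INET6 = re.compile(r'sa_family=AF_INET6, sin6_port=htons\((\d+)\).*?inet_pton\(AF_INET6, "([^"]+)"')

def find_leaks(trace_lines, proxy=PROXY):
    """Return (syscall, ip, port, reason) for each IP destination that is not the proxy."""
    leaks = []
    for line in trace_lines:
        call = SYSCALL.search(line)
        if not call:
            continue
        m = INET4.search(line) or INET6.search(line)
        if not m:  # AF_UNIX/AF_NETLINK or no sockaddr: not an IP destination
            continue
        port, ip = int(m.group(1)), m.group(2)
        if (ip, port) == proxy:
            continue
        # A failed attempt still counts: the application tried to go direct.
        reason = "direct DNS" if port == 53 else "bypasses proxy"
        leaks.append((call.group(1), ip, port, reason))
    return leaks

# Constructed sample in the style of `strace -f -e trace=network` output.
SAMPLE = [
    '[pid 4242] connect(27, {sa_family=AF_INET, sin_port=htons(9050), sin_addr=inet_addr("127.0.0.1")}, 16) = 0',
    '[pid 4242] connect(31, {sa_family=AF_UNIX, sun_path="/run/user/1000/bus"}, 20) = 0',
    '[pid 4250] sendto(33, "\\0\\1\\0\\0"..., 20, 0, {sa_family=AF_INET, sin_port=htons(3478), sin_addr=inet_addr("192.0.2.10")}, 16) = 20',
    '[pid 4251] connect(35, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 0',
    '[pid 4252] connect(36, {sa_family=AF_INET6, sin6_port=htons(443), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::1", &sin6_addr), sin6_scope_id=0}, 28) = -1 ENETUNREACH (Network is unreachable)',
]

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE):
        print(leak)
```

Unlike this after-the-fact log check, the seccomp-notify approach described above sees the syscall before it completes, which is what makes enforcement possible in addition to detection.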