Securing LLM-Agent Long-Term Memory Against Poisoning: Non-Malleable, Origin-Bound Authority with Machine-Checked Guarantees

📅 2026-06-23
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the vulnerability of long-term memory in large language model (LLM) agents to poisoning attacks, wherein adversaries manipulate stored memories to induce high-risk downstream behaviors. The study formally defines the notion of mutability in memory poisoning for the first time, demonstrating that defenses relying solely on content or provenance metadata are fundamentally inadequate. It establishes a necessary and sufficient security condition: binding unforgeable source identities at write time combined with Sybil-resistant collaborative verification. By integrating non-mutable information flow control (IFC), TLA+ formal verification, source-binding authentication, and gated collaborative validation, the proposed defense achieves 0% attack success rates—against both direct and laundering-style attacks—across eight mainstream LLMs, while preserving 100% legitimate functionality, substantially outperforming existing approaches, which exhibit attack success rates as high as 68%.
📝 Abstract
LLM agents increasingly rely on persistent long-term memory, which creates a critical vulnerability that we study here: memory poisoning. An adversary can store untrusted content in one session that later steers a consequential action, such as a payment, a setting change, or data exfiltration, in a future session. Existing defenses base a memory item's authority to act on either its content (detection or trust-scoring) or its derivation history (lineage). We show that both signals are malleable. An attacker can launder an untrusted origin through three channels specific to LLM agents: the agent's own summarization, a trusted-tool echo, and manufactured corroboration. Each makes the content look benign and breaks or flips its derivation edge to ``trusted.'' We formalize malleability for the memory write-retrieve-act pipeline and prove a machine-checked separation theorem. No content- or lineage-based defense is sound under laundering (T1), write-time origin binding is necessary (T2), and non-malleable origin-bound authority with Sybil-resistant corroboration-gated elevation is sufficient (T3). Our construction, TMA-NM (Tamper-evident Memory Authority, Non-Malleable), instantiates non-malleable information-flow control (IFC) for LLM-agent memory. A cross-defense, cross-attack, and cross-model benchmark over eight frontier models shows that existing defenses fail exactly where the theory predicts (up to 68% laundering attack-success), while TMA-NM reaches 0% attack success on both direct and laundering attacks across all models and channels, at full legitimate utility. We release the benchmark, harness, and machine-checked TLA+ models to support reproducibility.
Problem

Research questions and friction points this paper is trying to address.

memory poisoning
LLM agents
long-term memory
malleability
origin binding
Innovation

Methods, ideas, or system contributions that make the work stand out.

memory poisoning
non-malleable authority
origin binding
information-flow control
LLM agent security
🔎 Similar Papers