🤖 AI Summary
This work reveals that the long-term memory mechanisms of large language model agents introduce a novel attack surface, wherein adversaries can bypass access control policies by fragmenting sensitive content and later reassembling it through fused retrieval queries. The study presents FragFuse, the first black-box, automated attack framework that exploits temporal channels inherent in memory operations. FragFuse integrates adaptive querying, fragment masking, payload-carrying queries, and memory retrieval fusion to generate effective attack payloads without violating standard threat model assumptions. Experimental evaluation across four agent scenarios and three state-of-the-art access control mechanisms demonstrates an average bypass rate of 86.3%, an end-to-end success rate of 41.1% on harmful tasks, and only a 4.4% performance overhead.
📝 Abstract
Large language model (LLM) agents increasingly rely on long-term memory to support complex task execution, user personalization, and domain adaptation. Meanwhile, emerging access-control mechanisms for LLM agents are being explored to block policy-violating requests and prevent misuse. We reveal a novel attack surface arising from agent memory operations: prohibited content that would trigger access control can be fragmented across interactions, stored in long-term memory in benign-appearing form, and later reconstructed through memory retrieval without appearing explicitly in the final user query. We propose FragFuse, the first attack that enables unprivileged users to bypass agent access control by exploiting this temporal channel introduced by long-term memory. FragFuse operates in three stages: (1) identifying rejection-responsive fragments via black-box adaptive querying with fragment masking; (2) injecting these fragments into memory using marker carrier queries; and (3) retrieving and fusing the stored fragments through a follow-up attack query. Although FragFuse can be instantiated manually for individual agents, we further develop a surrogate-based optimization scheme that tunes fusion instructions and marker designs, enabling automated attack generation without violating the attacker's threat-model assumptions. We evaluate FragFuse across four representative agent settings and task domains, covering three state-of-the-art agent access-control mechanisms. FragFuse achieves an average bypass success rate of 86.3% and an average end-to-end harmful task success rate of 41.1% across all settings, with only 4.4% average task-success degradation compared with configurations without access control. We also show that alternative defenses, including state-of-the-art prompt-injection detectors and perplexity detectors, do not effectively address this attack.