π€ AI Summary
This work addresses the security risks posed by untrusted LLM API routers, which can intercept or tamper with plaintext interactions between clients and modelsβa vulnerability inadequately mitigated by existing client-side defenses that are easily bypassed. To counter this, the paper introduces AEGIS, the first transparent API routing framework that integrates remote attestation with Trusted Execution Environments (TEEs). AEGIS leverages hardware enclaves verifiable by clients to ensure faithful message relaying, strictly confining plaintext processing to a minimal trusted path. Crucially, it requires no modifications to existing APIs and establishes an end-to-end trusted channel fully controlled by the client. Evaluated under realistic workloads, AEGIS incurs only ~6 ms of additional latency, implements its trusted computing base in just 851 lines of code, and effectively thwarts four distinct classes of malicious router attacks, with its security formally validated through seed-based auditing.
π Abstract
Agents increasingly access large language models (LLMs) through API routers. A router terminates the client's transport-layer security session and opens a separate upstream session, so it holds the full interaction in plaintext. This makes the router an application-layer man-in-the-middle: it can rewrite agent tool calls, swap dependencies for typosquatted packages, trigger attacks only under audit-evading conditions, and passively exfiltrate secrets. Existing client-side defenses are evadable.
We propose AEGIS, a provider-transparent attested API router whose data path is a client-verified faithful passthrough. AEGISconfines plaintext handling to a small hardware-enclave component while leaving authentication, scheduling, accounting, and management on the untrusted host. The client verifies the enclave before releasing plaintext. The host can neither read nor alter the interaction, and plaintext leaves only toward destinations fixed by the measured image. We show that all four malicious-router attack classes succeed against a plaintext-access baseline and are blocked by AEGIS, including adaptive tests against the same boundary. The trusted path is $851$ lines, carries three provider-native APIs without conversion, and completes every request under real-provider workload and concurrency. In a seeded audit pilot, two commodity coding agents find eight and ten of ten planted invariant violations. The local relay overhead is about six milliseconds per request.