Large language model (LLM)-based agents are vulnerable to prompt injection attacks when processing untrusted inputs. To address this, we propose CaMeL, a defense framework that introduces the first explicit separation of control flow and data flow: program logic (control flow) derived from trusted queries is strictly isolated from external inputs (data flow). This separation is reinforced by capability-driven private data access control and a secure sandbox architecture, enabling formally verifiable safety guarantees. Evaluated on the AgentDojo benchmark (NeurIPS 2024), CaMeL achieves a 67% task completion rate while maintaining end-to-end formal security—outperforming all existing defenses in both robustness and provable safety.

Large Language Models (LLMs) are increasingly deployed in agentic systems that interact with an external environment. However, LLM agents are vulnerable to prompt injection attacks when handling untrusted data. In this paper we propose CaMeL, a robust defense that creates a protective system layer around the LLM, securing it even when underlying models may be susceptible to attacks. To operate, CaMeL explicitly extracts the control and data flows from the (trusted) query; therefore, the untrusted data retrieved by the LLM can never impact the program flow. To further improve security, CaMeL relies on a notion of a capability to prevent the exfiltration of private data over unauthorized data flows. We demonstrate effectiveness of CaMeL by solving $67%$ of tasks with provable security in AgentDojo [NeurIPS 2024], a recent agentic security benchmark.