Context-to-Execution Integrity for LLM Agents

📅 2026-07-07
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the vulnerability of large language model (LLM) agents to privilege escalation when processing attacker-controllable context, stemming from the absence of unified access control over fields, semantic payloads, and invocation events. To mitigate this, the paper introduces Context-to-eXecution Integrity (CXI), a mechanism that enforces fine-grained authorization at execution boundaries. CXI employs policy tags to protect fields, type-directed release for validating propagated values, and opaque data slots to preserve forensic evidence. Crucially, a deterministic gating mechanism binds field access, effect generation, and invocation permissions to a unified action manifest before execution proceeds. This approach achieves, for the first time, coordinated field-, effect-, and call-level permission binding, delivering triple-layered integrity guarantees. Evaluated on AgentDojo (720 tasks) and a code-agent benchmark (400 repository tasks), CXI successfully completed 231 security-sensitive tasks with zero escapes, demonstrating both efficacy and compatibility.
📝 Abstract
Language-model agents read attacker-writable context to solve tasks. Tool execution needs a separate authority check for protected sink fields, sink-interpreted payloads, and the invocation event. Context-to-Execution Integrity (CXI) is an execution-boundary system for this setting. Policies mark protected sink fields, typed releases carry narrow validated values from writable context to specific destinations, opaque data slots keep evidence as data, and a deterministic gate admits a call only after field authority, exact-effect authorization, and invocation authority all bind to the same action manifest. We evaluate CXI on open-weight field-projection runs, AgentDojo live episodes, a code-agent exact-effect benchmark, manifest-bound ledger faults, proposal-pressure controls, and hosted/API compatibility traces. AgentDojo covers 720 live episodes and 1,739 LLM calls; the code-agent benchmark covers 400 repository episodes with exact-effect authorization and lease-bound execution, yielding 231 safe task completions and zero observed field, effect, or invocation escapes. The accounting reports parser outcomes, authorization outcomes, and task-quality outcomes together with the admission-integrity result. Across the evaluated sinks, CXI admits execution only when field, effect, and invocation authority bind to the same action manifest.
Problem

Research questions and friction points this paper is trying to address.

Context-to-Execution Integrity
LLM Agents
Tool Execution
Authority Check
Protected Sink Fields
Innovation

Methods, ideas, or system contributions that make the work stand out.

Context-to-Execution Integrity
LLM Agents
Typed Releases
Action Manifest
Deterministic Gate
🔎 Similar Papers
2024-02-20Conference on Empirical Methods in Natural Language ProcessingCitations: 8