🤖 AI Summary
This work addresses the vulnerability of large language model (LLM) agents to privilege escalation when processing attacker-controllable context, stemming from the absence of unified access control over fields, semantic payloads, and invocation events. To mitigate this, the paper introduces Context-to-eXecution Integrity (CXI), a mechanism that enforces fine-grained authorization at execution boundaries. CXI employs policy tags to protect fields, type-directed release for validating propagated values, and opaque data slots to preserve forensic evidence. Crucially, a deterministic gating mechanism binds field access, effect generation, and invocation permissions to a unified action manifest before execution proceeds. This approach achieves, for the first time, coordinated field-, effect-, and call-level permission binding, delivering triple-layered integrity guarantees. Evaluated on AgentDojo (720 tasks) and a code-agent benchmark (400 repository tasks), CXI successfully completed 231 security-sensitive tasks with zero escapes, demonstrating both efficacy and compatibility.
📝 Abstract
Language-model agents read attacker-writable context to solve tasks. Tool execution needs a separate authority check for protected sink fields, sink-interpreted payloads, and the invocation event. Context-to-Execution Integrity (CXI) is an execution-boundary system for this setting. Policies mark protected sink fields, typed releases carry narrow validated values from writable context to specific destinations, opaque data slots keep evidence as data, and a deterministic gate admits a call only after field authority, exact-effect authorization, and invocation authority all bind to the same action manifest.
We evaluate CXI on open-weight field-projection runs, AgentDojo live episodes, a code-agent exact-effect benchmark, manifest-bound ledger faults, proposal-pressure controls, and hosted/API compatibility traces. AgentDojo covers 720 live episodes and 1,739 LLM calls; the code-agent benchmark covers 400 repository episodes with exact-effect authorization and lease-bound execution, yielding 231 safe task completions and zero observed field, effect, or invocation escapes. The accounting reports parser outcomes, authorization outcomes, and task-quality outcomes together with the admission-integrity result. Across the evaluated sinks, CXI admits execution only when field, effect, and invocation authority bind to the same action manifest.