🤖 AI Summary
This work addresses the vulnerability of intelligent agent systems to context-state poisoning attacks—stemming from their reliance on external tools and memory—and the absence of verifiable guarantees for state continuity. To mitigate these risks, the authors propose ElephantAgent, a novel protocol that introduces state continuity mechanisms into dynamic context management for agent systems. By recomputing and verifying a digest of the local context state prior to each query and leveraging trusted hardware to maintain a linearized log of authorized state transitions, ElephantAgent ensures historical traceability. This approach effectively defends against attacks such as tool descriptor tampering and memory poisoning, while enabling anomaly detection and rollback to known-good states.
📝 Abstract
Agentic systems enhance their capabilities by invoking external tools and maintaining persistent memory. However, these external dependencies introduce novel attack surfaces. Recent tool and memory poisoning attacks show that maliciously crafted tool descriptors and poisoned memory can covertly bias agent behavior. These threats reflect a deeper issue: the lack of verifiable continuity in the agent's contextual state for planning and execution. We present ElephantAgent, a protocol that enforces Contextual State Continuity to defend against contextual state poisoning. Inspired by prior state-continuity mechanisms (e.g., Nimble), ElephantAgent extends this protection to the evolving contextual state of agentic systems. We define the contextual state as the bounded, security-critical subset of the agent's entire context (e.g., tool state and memory). Before processing each query, ElephantAgent recomputes the digest of the local contextual state and verifies it against the latest authorized digest. Using replicated trusted hardware, ElephantAgent maintains a linearizable ledger of authorized contextual state transitions and detects out-of-band state tampering. To handle in-band semantic abuse, ElephantAgent additionally provides Historical Traceability, enabling conditional post-hoc audit and recovery to a known-good prior state.