Securing AI Agents with Information-Flow Control
About
As AI agents become increasingly autonomous and capable, ensuring their security against vulnerabilities such as prompt injection becomes critical. This paper explores the use of information-flow control (IFC) to provide security guarantees for AI agents. We present a formal model to reason about the security and expressiveness of agent planners. Using this model, we characterize the class of properties enforceable by dynamic taint-tracking and construct a taxonomy of tasks to evaluate security and utility trade-offs of planner designs. Informed by this exploration, we present Fides, a planner that tracks confidentiality and integrity labels, deterministically enforces security policies, and introduces novel primitives for selectively hiding information. Its evaluation in AgentDojo demonstrates that this approach enables us to complete a broad range of tasks with security guarantees. A tutorial to walk readers through the the concepts introduced in the paper can be found at https://github.com/microsoft/fides
Related benchmarks
| Task | Dataset | Result | Rank | |
|---|---|---|---|---|
| Agentic Security Evaluation | AgentDojo v1 (97 benign tasks, 27 injection tasks) | Utility Score59.8 | 20 | |
| Agent Planning | AgentDojo | TCR @ ∞78.9 | 16 | |
| Agent Safety Evaluation | Agent-SafetyBench | -- | 8 | |
| SND Defense | SND Evaluation Corpus | Benign FPR0.00e+0 | 6 | |
| Indirect Prompt Injection Defense | InjecAgent external stress (test) | DH Block Rate100 | 4 | |
| Safety Evaluation | Cross-domain generalization set (5 domains) | Utility Score35.7 | 4 | |
| Propagation Detection | InjecAgent base | Precision100 | 2 | |
| Propagation Detection | InjecAgent enhanced | Precision1 | 2 | |
| Propagation Detection | ToolEmu filtered 79-case injection-like | Precision62.3 | 2 | |
| Persistent Memory Attack Blocking | Cross-session persistent memory attack dataset 110 entry-model pairs 1.0 (test) | Total Samples Labeled (S2)0.00e+0 | 2 |