Taming Various Privilege Escalation in LLM-Based Agent Systems: A Mandatory Access Control Framework
About
Large Language Model (LLM)-based agent systems are increasingly deployed for complex real-world tasks but remain vulnerable to natural language-based attacks that exploit over-privileged tool use. This paper aims to understand and mitigate such attacks through the lens of privilege escalation, defined as agent actions exceeding the least privilege required for a user's intended task. Based on a formal model of LLM agent systems, we identify novel privilege escalation scenarios, particularly in multi-agent systems, including a variant akin to the classic confused deputy problem. To defend against both known and newly demonstrated privilege escalation, we propose SEAgent, a mandatory access control (MAC) framework built upon attribute-based access control (ABAC). SEAgent monitors agent-tool interactions via an information flow graph and enforces customizable security policies based on entity attributes. Our evaluations show that SEAgent effectively blocks various privilege escalation while maintaining a low false positive rate and negligible system overhead. This demonstrates its robustness and adaptability in securing LLM-based agent systems.
Related benchmarks
| Task | Dataset | Result | Rank | |
|---|---|---|---|---|
| RAG Poisoning Defense | Extended InjecAgent RAG Poisoning | ASR0.00e+0 | 12 | |
| Single-agent tool use | API-Bank reconstructed | Correctness74.73 | 9 | |
| App Compromise Defense | Extended InjecAgent App Compromise | ASR0.00e+0 | 9 | |
| App Data Stealing Defense | Extended InjecAgent App Data Stealing | ASR0.00e+0 | 9 | |
| Indirect Prompt Injection Defense | AgentDojo | Banking Defense Rate0.00e+0 | 3 | |
| Multi-agent Task Fulfillment | AWS Benchmark Travel scenario | User GSR78.79 | 2 | |
| Multi-agent Task Fulfillment | AWS Benchmark Mortgage scenario | Goal Success Rate (User)62.07 | 2 |