Taming Various Privilege Escalation in LLM-Based Agent Systems: A Mandatory Access Control Framework

Large Language Model (LLM)-based agent systems are increasingly deployed for complex real-world tasks but remain vulnerable to natural language-based attacks that exploit over-privileged tool use. This paper aims to understand and mitigate such attacks through the lens of privilege escalation, defined as agent actions exceeding the least privilege required for a user's intended task. Based on a formal model of LLM agent systems, we identify novel privilege escalation scenarios, particularly in multi-agent systems, including a variant akin to the classic confused deputy problem. To defend against both known and newly demonstrated privilege escalation, we propose SEAgent, a mandatory access control (MAC) framework built upon attribute-based access control (ABAC). SEAgent monitors agent-tool interactions via an information flow graph and enforces customizable security policies based on entity attributes. Our evaluations show that SEAgent effectively blocks various privilege escalation while maintaining a low false positive rate and negligible system overhead. This demonstrates its robustness and adaptability in securing LLM-based agent systems.

Key Contributions

• Formal model of LLM agent privilege escalation identifying novel attack scenarios in multi-agent systems, including a confused-deputy variant where a low-privilege agent manipulates a high-privilege agent
• SEAgent: a mandatory access control framework using attribute-based access control (ABAC) that monitors agent-tool interactions via an information flow graph and enforces customizable security policies
• Empirical evaluation showing SEAgent blocks diverse privilege escalation attacks with low false positive rates and negligible system overhead

🛡️ Threat Analysis

Details

Similar Papers