ML Security PapersAgentSys: Secure and Dynamic LLM Agents Through Explicit Hierarchical Memory Management
Ruoyao Wen 1, Hao Li 1, Chaowei Xiao 2, Ning Zhang 1
Published on arXiv
2602.07398
Prompt Injection
OWASP LLM Top 10 — LLM01
Excessive Agency
OWASP LLM Top 10 — LLM08
Key Finding
Achieves 0.78% and 4.25% attack success rate on AgentDojo and ASB respectively while slightly improving benign utility over undefended baselines.
AgentSys
Novel technique introduced
Indirect prompt injection threatens LLM agents by embedding malicious instructions in external content, enabling unauthorized actions and data theft. LLM agents maintain working memory through their context window, which stores interaction history for decision-making. Conventional agents indiscriminately accumulate all tool outputs and reasoning traces in this memory, creating two critical vulnerabilities: (1) injected instructions persist throughout the workflow, granting attackers multiple opportunities to manipulate behavior, and (2) verbose, non-essential content degrades decision-making capabilities. Existing defenses treat bloated memory as given and focus on remaining resilient, rather than reducing unnecessary accumulation to prevent the attack. We present AgentSys, a framework that defends against indirect prompt injection through explicit memory management. Inspired by process memory isolation in operating systems, AgentSys organizes agents hierarchically: a main agent spawns worker agents for tool calls, each running in an isolated context and able to spawn nested workers for subtasks. External data and subtask traces never enter the main agent's memory; only schema-validated return values can cross boundaries through deterministic JSON parsing. Ablations show isolation alone cuts attack success to 2.19%, and adding a validator/sanitizer further improves defense with event-triggered checks whose overhead scales with operations rather than context length. On AgentDojo and ASB, AgentSys achieves 0.78% and 4.25% attack success while slightly improving benign utility over undefended baselines. It remains robust to adaptive attackers and across multiple foundation models, showing that explicit memory management enables secure, dynamic LLM agent architectures. Our code is available at: https://github.com/ruoyaow/agentsys-memory.
Key Contributions
- Hierarchical agent architecture inspired by OS process memory isolation, where worker agents handle tool calls in isolated contexts and only schema-validated JSON return values cross memory boundaries
- Ablation showing that memory isolation alone reduces attack success rate to 2.19%, with a validator/sanitizer further reducing it to 0.78% on AgentDojo
- Demonstrated robustness against adaptive attackers and across multiple foundation models with minimal benign utility loss