defense 2026

The LLMbda Calculus: AI Agents, Conversations, and Information Flow

Zac Garby 1, Andrew D. Gordon 2, David Sands 3,4

1 University of Nottingham

2 University of Edinburgh

3 Chalmers University of Technology

4 The University of Gothenburg

0 citations · 58 references · arXiv (Cornell University)
α

Published on arXiv

2602.20064

Prompt Injection

OWASP LLM Top 10 — LLM01

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

A termination-insensitive noninterference theorem formally proves that LLMbda's information-flow control primitives provide integrity and confidentiality guarantees for LLM agent conversations against prompt injection attacks.

LLMbda calculus

Novel technique introduced

A conversation with a large language model (LLM) is a sequence of prompts and responses, with each response generated from the preceding conversation. AI agents build such conversations automatically: given an initial human prompt, a planner loop interleaves LLM calls with tool invocations and code execution. This tight coupling creates a new and poorly understood attack surface. A malicious prompt injected into a conversation can compromise later reasoning, trigger dangerous tool calls, or distort final outputs. Despite the centrality of such systems, we currently lack a principled semantic foundation for reasoning about their behaviour and safety. We address this gap by introducing an untyped call-by-value lambda calculus enriched with dynamic information-flow control and a small number of primitives for constructing prompt-response conversations. Our language includes a primitive that invokes an LLM: it serializes a value, sends it to the model as a prompt, and parses the response as a new term. This calculus faithfully represents planner loops and their vulnerabilities, including the mechanisms by which prompt injection alters subsequent computation. The semantics explicitly captures conversations, and so supports reasoning about defenses such as quarantined sub-conversations, isolation of generated code, and information-flow restrictions on what may influence an LLM call. A termination-insensitive noninterference theorem establishes integrity and confidentiality guarantees, demonstrating that a formal calculus can provide rigorous foundations for safe agentic programming.

Key Contributions

  • LLMbda calculus: an untyped call-by-value lambda calculus extended with primitives for LLM prompt-response conversations (@, fork, clear) and dynamic information-flow control via labelled expressions and label testing
  • Formal operational semantics that explicitly captures conversation state and faithfully models how prompt injection alters subsequent agent computation in planner loops
  • Termination-insensitive noninterference theorem establishing formal integrity and confidentiality guarantees, providing rigorous foundations for defenses such as the dual LLM pattern and CaMeL

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llm
Threat Tags
inference_time
Applications
llm agentsai agent planner loopsagentic programming systems
Read PDF arXiv DOI

Similar Papers

defense

A2AS: Agentic AI Runtime Security and Self-Defense

2025 3 cit.
100%
defense

AgentSentinel: An End-to-End and Real-Time Security Defense Framework for Computer-Use Agents

2025 0 cit.
100%
defense

Spider-Sense: Intrinsic Risk Sensing for Efficient Agent Defense with Hierarchical Adaptive Screening

2026 0 cit.
100%
defense

Agent-Sentry: Bounding LLM Agents via Execution Provenance

2026 0 cit.
100%
defense

Optimizing Agent Planning for Security and Autonomy

2026 0 cit.
100%
defense

Securing AI Agents: Implementing Role-Based Access Control for Industrial Applications

2025 0 cit.
100%
defense

BlockA2A: Towards Secure and Verifiable Agent-to-Agent Interoperability

2025 0 cit.
100%
defense

Policy Compiler for Secure Agentic Systems

2026 0 cit.
100%