AgentVisor: Defending LLM Agents Against Prompt Injection via Semantic Virtualization

Large Language Model (LLM) agents are increasingly used to automate complex workflows, but integrating untrusted external data with privileged execution exposes them to severe security risks, particularly direct and indirect prompt injection. Existing defenses face significant challenges in balancing security with utility, often encountering a trade-off where rigorous protection leads to over-defense, or where subtle indirect injections bypass detection. Drawing inspiration from operating system virtualization, we propose AgentVisor, a novel defense framework that enforces semantic privilege separation. AgentVisor treats the target agent as an untrusted guest and intercepts tool calls via a trusted semantic visor. Central to our approach is a rigorous audit protocol grounded in classic OS security primitives, designed to systematically mitigate both direct and indirect injection attacks. Furthermore, we introduce a one-shot self-correction mechanism that transforms security violations into constructive feedback, enabling agents to recover from attacks. Extensive experiments show that AgentVisor reduces the attack success rate to 0.65%, achieving this strong defense while incurring only a 1.45% average decrease in utility relative to the No Defense scenario, demonstrating superior performance compared to existing defense methods.

Key Contributions

• AgentVisor framework applying OS virtualization concepts (privilege separation, policy enforcement, exception injection) to LLM agent security
• STI (Suitability, Taint, Integrity) audit protocol adapting OS security primitives to semantic space for systematic prompt injection defense
• One-shot self-correction mechanism that converts security violations into feedback for agent recovery

🛡️ Threat Analysis

Details

Similar Papers