Operationalizing CaMeL: Strengthening LLM Defenses for Enterprise Deployment

TL;DR

The paper tackles prompt injection threats in enterprise LLM deployments and evaluates CaMeL's capability-based sandbox as a defense. It identifies initial prompt trust, output manipulation, and side-channel leakage as gaps and proposes a multi-pronged set of mitigations, including prompt screening, output auditing, provenance tagging, tiered-risk access, and a formal verification path. It also addresses side-channel risks and architectural constraints, recommending policy-as-code, a security-focused DSL, and constant-time design considerations for scalable deployment. Together, these directions aim to advance CaMeL toward production-grade security for regulated, high-assurance LLM agent systems.

Abstract

CaMeL (Capabilities for Machine Learning) introduces a capability-based sandbox to mitigate prompt injection attacks in large language model (LLM) agents. While effective, CaMeL assumes a trusted user prompt, omits side-channel concerns, and incurs performance tradeoffs due to its dual-LLM design. This response identifies these issues and proposes engineering improvements to expand CaMeL's threat coverage and operational usability. We introduce: (1) prompt screening for initial inputs, (2) output auditing to detect instruction leakage, (3) a tiered-risk access model to balance usability and control, and (4) a verified intermediate language for formal guarantees. Together, these upgrades align CaMeL with best practices in enterprise security and support scalable deployment.