ETDI: Mitigating Tool Squatting and Rug Pull Attacks in Model Context Protocol (MCP) by using OAuth-Enhanced Tool Definitions and Policy-Based Access Control

Manish Bhatt, Vineeth Sai Narajala, Idan Habler

TL;DR

This paper targets security gaps in the Model Context Protocol (MCP) that expose LLM-driven tools to Tool Poisoning and Rug Pull attacks. It introduces ETDI, a cryptographic, versioned, and permission-anchored interface for tool definitions, augmented with OAuth 2.0 for standardized authorization. To address dynamic risk, it then integrates policy-based access control using policy engines such as Cedar and Open Policy Agent, and demonstrates a workflow with Amazon Verified Permissions for runtime decision-making and call-stack verification. The proposed multilayer approach aims to establish verifiable trust, user consent, and context-aware enforcement, significantly improving the security and controllability of AI applications interfacing with external tools.

Abstract

The Model Context Protocol (MCP) plays a crucial role in extending the capabilities of Large Language Models (LLMs) by enabling integration with external tools and data sources. However, the standard MCP specification presents significant security vulnerabilities, notably Tool Poisoning and Rug Pull attacks. This paper introduces the Enhanced Tool Definition Interface (ETDI), a security extension designed to fortify MCP. ETDI incorporates cryptographic identity verification, immutable versioned tool definitions, and explicit permission management, often leveraging OAuth 2.0. We further propose extending MCP with fine-grained, policy-based access control, where tool capabilities are dynamically evaluated against explicit policies using a dedicated policy engine, considering runtime context beyond static OAuth scopes. This layered approach aims to establish a more secure, trustworthy, and controllable ecosystem for AI applications interacting with LLMs and external tools.
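As an added illustration, not code from the paper or from any ETDI implementation, the client-side checks the abstract describes in miniature: a tool definition is pinned at approval time by provider identity, version and content digest, its declared permissions are checked against the scopes the user granted, and a definition seen on a later discovery is classified as unchanged, a legitimate version change, a rug pull (content changed under the same version) or tool squatting (same name signed by a different provider). The signature is an HMAC over a constructed shared key, standing in for the OAuth-backed cryptographic identity the paper relies on; the field names `name`, `version` and `permissions` are assumptions.

```python
import hashlib
import hmac
import json

# Constructed provider signing keys. The paper describes OAuth-backed cryptographic
# identity; a shared HMAC key is assumed here only so the example runs on the stdlib.
PROVIDER_KEYS = {"acme": b"constructed-demo-key"}

def canonical(defn):
    return json.dumps(defn, sort_keys=True, separators=(",", ":")).encode()

def digest(defn):
    return hashlib.sha256(canonical(defn)).hexdigest()

def sign(defn, provider):
    return hmac.new(PROVIDER_KEYS[provider], canonical(defn), hashlib.sha256).hexdigest()

def verify(defn, provider, sig):
    key = PROVIDER_KEYS.get(provider)
    return key is not None and hmac.compare_digest(
        hmac.new(key, canonical(defn), hashlib.sha256).hexdigest(), sig)

class PinnedTools:
    # Client-side record of what the user approved: name -> (provider, version, digest)
    def __init__(self):
        self.pins = {}
    def approve(self, defn, provider, sig, granted_scopes):
        if not verify(defn, provider, sig):
            return "reject: bad signature"
        # Explicit permissions: everything the tool declares must be covered by the grant
        missing = sorted(set(defn["permissions"]) - set(granted_scopes))
        if missing:
            return "reject: unapproved permissions " + ",".join(missing)
        self.pins[defn["name"]] = (provider, defn["version"], digest(defn))
        return "approved"

    def check(self, defn, provider, sig):
        if not verify(defn, provider, sig):
            return "reject: bad signature"
        pin = self.pins.get(defn["name"])
        if pin is None:
            return "needs approval"
        pinned_provider, pinned_version, pinned_digest = pin
        if pinned_provider != provider:
            return "reject: tool squatting (same name, different provider)"
        if digest(defn) == pinned_digest:
            return "ok"
        if defn["version"] == pinned_version:
            return "reject: rug pull (definition changed, version unchanged)"
        return "needs re-approval: version changed"
```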

Paper Structure

This paper contains 25 sections, 8 figures.

Figures (8)

  • Figure 1: High-Level MCP Architecture - This diagram shows the interaction flow between the user, host application, MCP client, LLM, and various MCP servers providing tools.
  • Figure 2: MCP Initialization and Tool Discovery Sequence.
  • Figure 3: MCP Tool Usage and Invocation Sequence.
  • Figure 4: Tool Poisoning Attack Sequence.
  • Figure 5: Rug Pull Attack Sequence.