Taming Various Privilege Escalation in LLM-Based Agent Systems: A Mandatory Access Control Framework
Zimo Ji, Daoyuan Wu, Wenyuan Jiang, Pingchuan Ma, Zongjie Li, Yudong Gao, Shuai Wang, Yingjiu Li
TL;DR
This work formalizes privilege escalation in LLM-based agent systems and proposes SEAgent, a policy-driven MAC framework built on ABAC that enforces fine-grained information flows via a System View graph, a policy database, a first-match decision engine, and SEMemory for cross-round context. By labeling tools, agents, and RAG databases with security attributes and implementing four targeted policies, SEAgent defends against direct and indirect prompt injections, RAG poisoning, untrusted agents, and confused deputy attacks, achieving 0% attack success rate in major benchmarks with minimal overhead. The approach demonstrates strong security guarantees while preserving task performance in both single-agent and multi-agent settings, and scales to complex MAS topologies with enhanced robustness and controllable memory use. The framework provides a practical, extensible baseline for secure LLM-based agent deployment, offering deterministic protections and clear paths for customization and future automation of labeling and policy generation.
Abstract
Large Language Model (LLM)-based agent systems are increasingly deployed for complex real-world tasks but remain vulnerable to natural language-based attacks that exploit over-privileged tool use. This paper aims to understand and mitigate such attacks through the lens of privilege escalation, defined as agent actions exceeding the least privilege required for a user's intended task. Based on a formal model of LLM agent systems, we identify novel privilege escalation scenarios, particularly in multi-agent systems, including a variant akin to the classic confused deputy problem. To defend against both known and newly demonstrated privilege escalation, we propose SEAgent, a mandatory access control (MAC) framework built upon attribute-based access control (ABAC). SEAgent monitors agent-tool interactions via an information flow graph and enforces customizable security policies based on entity attributes. Our evaluations show that SEAgent effectively blocks various privilege escalation while maintaining a low false positive rate and negligible system overhead. This demonstrates its robustness and adaptability in securing LLM-based agent systems.
