Grimlock: Guarding High-Agency Systems with eBPF and Attested Channels
Pith reviewed 2026-06-29 17:21 UTC · model grok-4.3
The pith
Grimlock shifts security enforcement for agent communication into the Linux kernel with eBPF interception and TLS-bound attestations.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Grimlock uses eBPF-enforced traffic interception to ensure sandbox communication passes through a guard, combines it with post-handshake attestation bound to standard TLS 1.3 channel bindings, mints short-lived channel-bound scope tokens, and requires the destination guard to re-validate identity, scope, and binding before releasing plaintext. kTLS supplies the efficient protected dataplane. The result is transparent, auditable, scope-bound communication that requires no changes to user-layer orchestration code.
What carries the argument
eBPF-enforced traffic interception combined with post-handshake attestation bound to TLS 1.3 channel bindings, which routes all traffic through the guard and enforces policy via minted scope tokens.
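A minimal sketch of the mint-and-re-validate step described above, added here as an example; it is not Grimlock's code. The token layout, the HMAC key shared between guards, and all names are assumptions, and `binding` stands in for the TLS 1.3 exporter-derived channel binding (RFC 9266) that each guard would read from its own TLS session.

```python
import hashlib
import hmac
import json

# Assumption: both guards hold GUARD_KEY (constructed demo value).
GUARD_KEY = b"constructed-demo-key"

def _mac(body: bytes, binding: bytes) -> str:
    # The binding is MACed together with the claims but never carried in the
    # token, so the verifier must supply the value from its own TLS session.
    msg = len(body).to_bytes(4, "big") + body + binding
    return hmac.new(GUARD_KEY, msg, hashlib.sha256).hexdigest()

def mint_scope_token(identity, scope, binding, now, ttl=30):
    """Source guard: issue a short-lived token tied to one TLS channel."""
    claims = {"sub": identity, "scope": sorted(scope), "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    return {"body": body.decode(), "mac": _mac(body, binding)}

def validate(token, attested_peer, requested, binding, now):
    """Destination guard: re-check binding, identity, expiry and scope."""
    body = token["body"].encode()
    if not hmac.compare_digest(token["mac"], _mac(body, binding)):
        return "reject: bad MAC or wrong channel"
    claims = json.loads(body)
    if claims["sub"] != attested_peer:
        return "reject: identity mismatch"
    if now >= claims["exp"]:
        return "reject: expired"
    if requested not in claims["scope"]:
        return "reject: out of scope"
    return "allow"

def demo():
    # Constructed stand-ins for the exporter values of two TLS sessions.
    chan_a = hashlib.sha256(b"session A").digest()
    chan_b = hashlib.sha256(b"session B").digest()
    tok = mint_scope_token("agent-planner", ["tool:search"], chan_a, now=1000)
    return [
        validate(tok, "agent-planner", "tool:search", chan_a, now=1010),
        validate(tok, "agent-planner", "tool:search", chan_b, now=1010),  # replay
        validate(tok, "agent-other", "tool:search", chan_a, now=1010),
        validate(tok, "agent-planner", "tool:search", chan_a, now=1030),
        validate(tok, "agent-planner", "tool:shell", chan_a, now=1010),
    ]

if __name__ == "__main__":
    print(demo())
```

Because the binding is an input to the MAC rather than a field in the token, a token copied onto a second TLS session fails at the first check, before identity or scope are even parsed.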
If this is right
- Agent-to-agent messages receive consistent least-privilege authorization through short-lived channel-bound scope tokens.
- Security policies move from scattered application code to a single infrastructure-level guard.
- Kernel-level interception creates auditable records of identity, scope, and delegation.
- Communication works across heterogeneous clouds using only standard Linux primitives.
- No modification to user orchestration code is needed for the security layer to apply.
Where Pith is reading between the lines
- The same interception-plus-binding pattern could be tested on other kernel primitives if eBPF equivalents exist elsewhere.
- Performance measurements under high agent interaction rates would clarify whether kTLS keeps overhead acceptable.
- Integration with existing container runtimes might require only configuration changes rather than code patches.
Load-bearing premise
eBPF can be set up to catch every sandbox communication path and the attestation binding to TLS 1.3 channel bindings cannot be bypassed or forged.
What would settle it
A working demonstration that an agent communicates successfully without triggering the eBPF guard or without a valid attested channel binding would disprove the enforcement claim.
Original abstract
Agentic systems increasingly run user-authored orchestration code that invokes tools, spawns subtasks, and delegates work across machines and clouds. Although this high agency is productive, it creates a security problem: identity, authorization, provenance, and delegation are often pushed into application code, where they become difficult to enforce consistently and difficult to audit. We present Grimlock, an Agent Guard that restores separation of concerns by moving trust enforcement into the sandbox substrate while leaving agent code unchanged. Grimlock uses eBPF-enforced traffic interception to ensure that sandbox communication passes through a guard, and combines it with post-handshake attestation bound to standard TLS 1.3 channel bindings. After a channel is established, the guard authorizes communication and mints short-lived, channel-bound scope tokens that capture least-privilege delegation. At the receiving side, the destination guard re-validates identity, scope, and channel binding, terminates TLS, and releases plaintext to the destination sandbox only after policy checks succeed. kTLS provides an efficient dataplane for protected communication. As a result, Grimlock offers a path toward transparent, auditable, and scope-bound agent-to-agent communication across heterogeneous multi-cloud environments, using commodity Linux primitives and without requiring changes to user-layer orchestration code.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript presents Grimlock, an Agent Guard for high-agency systems. It uses eBPF-enforced traffic interception to route all sandbox communication through a guard, combined with post-handshake attestation bound to TLS 1.3 channel bindings. After channel establishment the guard authorizes flows and mints short-lived channel-bound scope tokens for least-privilege delegation; the receiving guard re-validates identity, scope and binding before releasing plaintext. The design aims to deliver transparent, auditable, scope-bound agent-to-agent communication across heterogeneous multi-cloud environments using only commodity Linux primitives (eBPF, kTLS) and without changes to user-layer orchestration code.
Significance. If the interception and binding mechanisms can be shown to be reliable and forgery-resistant, Grimlock would supply a practical substrate-level enforcement layer for identity, authorization and provenance in agentic systems. The reliance on standard OS primitives rather than application changes is a clear strength for deployability across clouds.
major comments (2)
- [Abstract] the claim that eBPF-enforced interception ensures every sandbox-to-sandbox flow passes through the guard supplies no attachment points (cgroup, tc, sockmap, etc.) and no argument that all user-space or container networking paths are covered. This property is load-bearing for the asserted transparency and unavoidability of the guard.
- [Abstract] the post-handshake attestation is said to be 'bound to standard TLS 1.3 channel bindings' but no protocol sketch or cryptographic argument is given showing how the attestation is tied to the TLS exporter or tls-unique value so that an active attacker cannot present a different attested identity on the same channel. This is load-bearing for the forgery resistance of the attested channels and minted scope tokens.
minor comments (2)
- The abstract is concise but would benefit from a single high-level architecture diagram illustrating the interception, handshake, attestation and token-minting steps.
- Key terms such as 'scope tokens' and 'channel-bound' appear without prior definition; a short glossary or inline clarification on first use would improve readability.
Simulated Author's Rebuttal
We thank the referee for the constructive comments identifying areas where the abstract could more explicitly support its claims. We address each point below and will revise the manuscript accordingly to improve clarity on the interception and attestation mechanisms.
- Referee: [Abstract] the claim that eBPF-enforced interception ensures every sandbox-to-sandbox flow passes through the guard supplies no attachment points (cgroup, tc, sockmap, etc.) and no argument that all user-space or container networking paths are covered. This property is load-bearing for the asserted transparency and unavoidability of the guard.
  Authors: We agree the abstract would be strengthened by naming the attachment points and sketching the coverage argument. In the revision we will update the abstract to reference the eBPF programs (cgroup v2 for container isolation, tc for egress control, and sockmap for socket-level redirection) and note that these are applied at the host and container runtime layers to intercept all user-space and container networking paths. A supporting paragraph will be added to Section 4 explaining why no bypass paths remain under standard Linux container configurations.
  Revision: yes
- Referee: [Abstract] the post-handshake attestation is said to be 'bound to standard TLS 1.3 channel bindings' but no protocol sketch or cryptographic argument is given showing how the attestation is tied to the TLS exporter or tls-unique value so that an active attacker cannot present a different attested identity on the same channel. This is load-bearing for the forgery resistance of the attested channels and minted scope tokens.
  Authors: We accept that the abstract lacks an explicit sketch of the binding. The manuscript body (Section 5) already uses the TLS 1.3 exporter value per RFC 8446 to bind the attestation, but we will revise the abstract to include a one-sentence description of this binding and will ensure the main text contains a concise cryptographic argument that an active attacker substituting a different attested identity would fail the channel-binding check at the receiving guard before any scope token is accepted.
  Revision: yes
Circularity Check
No circularity: purely architectural description with no derivation chain
The paper describes a system design using eBPF interception, kTLS, and TLS 1.3 channel bindings for agent communication guards. It contains no equations, fitted parameters, predictions, or quantitative derivations. All load-bearing claims are feasibility statements about commodity Linux primitives rather than results that reduce to their own inputs by construction. No self-citations, ansatzes, or uniqueness theorems are invoked in a manner that creates circularity. This is a standard non-finding for an architectural security paper.