
arxiv: 2607.01919 · v1 · pith:6S74M5APnew · submitted 2026-07-02 · 💻 cs.AI · cs.CR

ElephantAgent: Contextual State Continuity in Agentic Systems

Pith reviewed 2026-07-03 14:03 UTC · model grok-4.3

classification 💻 cs.AI cs.CR
keywords ElephantAgent · contextual state continuity · agentic systems · state poisoning · trusted hardware · historical traceability · linearizable ledger · tool poisoning

The pith

ElephantAgent enforces contextual state continuity in agentic systems to defend against poisoning by verifying state digests with replicated trusted hardware.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

ElephantAgent tackles the problem of contextual state poisoning in agentic systems that use external tools and persistent memory. The protocol defines a bounded, security-critical contextual state, recomputes its digest before each query, and verifies that digest against the latest authorized one. It uses replicated trusted hardware to maintain a linearizable ledger of state transitions, detecting out-of-band tampering. Historical traceability is added to handle in-band semantic abuse through post-hoc audits and recovery. This matters because it aims to ensure agents base decisions on untampered context despite persistent external dependencies.

Core claim

The paper presents ElephantAgent as a protocol that enforces Contextual State Continuity to defend against contextual state poisoning in agentic systems. It extends prior state-continuity mechanisms to the evolving contextual state by recomputing the digest of the local contextual state and verifying it against the latest authorized digest. Replicated trusted hardware maintains a linearizable ledger of authorized contextual state transitions to detect out-of-band state tampering, while Historical Traceability enables conditional post-hoc audit and recovery for in-band semantic abuse.

What carries the argument

The recomputation and verification of the contextual state digest against an authorized ledger on replicated trusted hardware, which enforces continuity and detects tampering.

If this is right

  • Agents detect out-of-band tampering of contextual state before processing each query.
  • The system provides a linearizable history of authorized state transitions.
  • Historical traceability allows recovery to a known-good prior state after detecting semantic abuse.
  • This protection applies to the bounded subset of context including tool state and memory.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Deployment would require the trusted hardware to be available and uncompromised for every agent query.
  • The bounding of contextual state to a security-critical subset may need careful engineering in complex agent setups.
  • This could inspire similar continuity mechanisms in other AI systems with persistent state.
  • Testing against real-world poisoning attacks would validate the detection capabilities.

Load-bearing premise

The contextual state can be cleanly bounded to a security-critical subset whose digest can be maintained in a linearizable ledger on replicated trusted hardware that itself remains uncompromised and available before every query.

What would settle it

Demonstrating a poisoning attack that alters the agent's contextual state without detection by the digest verification or ledger check would falsify the effectiveness of the continuity enforcement.

Figures

Figures reproduced from arXiv: 2607.01919 by Deyue Zhang, Dongdong Yang, Jiankai Jin, Quanchen Zou, Wenzhuo Xu, Xiangzheng Zhang, Zhao Liu.

Figure 1. ElephantAgent overview, instantiated with MCP. The MCP Host runs inside a TEE, and the Context Guard (CG) serves as the enforcement component on the host. The TEE ensures that the MCP Host faithfully mediates contextual state construction and verification: tool descriptors returned from MCP Servers and the host-side memory (instructions, transcript, and artifacts) are verified by CG before being released t…

Figure 2. MCP Server Tool Invocation Time across the three

Figure 3. ElephantAgent overview, instantiated for a CLI-based deployment. Compared with

Original abstract

Agentic systems enhance their capabilities by invoking external tools and maintaining persistent memory. However, these external dependencies introduce novel attack surfaces. Recent tool and memory poisoning attacks show that maliciously crafted tool descriptors and poisoned memory can covertly bias agent behavior. These threats reflect a deeper issue: the lack of verifiable continuity in the agent's contextual state for planning and execution. We present ElephantAgent, a protocol that enforces Contextual State Continuity to defend against contextual state poisoning. Inspired by prior state-continuity mechanisms (e.g., Nimble), ElephantAgent extends this protection to the evolving contextual state of agentic systems. We define the contextual state as the bounded, security-critical subset of the agent's entire context (e.g., tool state and memory). Before processing each query, ElephantAgent recomputes the digest of the local contextual state and verifies it against the latest authorized digest. Using replicated trusted hardware, ElephantAgent maintains a linearizable ledger of authorized contextual state transitions and detects out-of-band state tampering. To handle in-band semantic abuse, ElephantAgent additionally provides Historical Traceability, enabling conditional post-hoc audit and recovery to a known-good prior state.
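As an added illustration (not the paper's code, which the page does not reproduce), the following Python simulates the mechanism described above over a constructed contextual state: an authorized transition passes the per-query check, an out-of-band edit to a tool descriptor and a rollback to a stale snapshot both fail it, and a known-good prior entry is recovered through the ledger history. The in-memory Ledger class and the host-side snapshot dictionary are assumptions standing in for the replicated trusted hardware and for however the paper stores recoverable states.

```python
import copy
import hashlib
import json

def digest(state: dict) -> str:
    """Digest of the bounded contextual state over a canonical JSON encoding."""
    canon = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

class Ledger:
    """Stand-in (assumption) for the replicated trusted-hardware ledger: an
    append-only, linearizable sequence of authorized digests, history kept."""

    def __init__(self, initial_state: dict):
        self.entries = [digest(initial_state)]

    def latest(self) -> str:
        return self.entries[-1]

    def authorize(self, expected_head: str, new_state: dict) -> str:
        # Compare-and-append: only a transition from the current head is
        # accepted, so two racing updates cannot both become successors.
        if expected_head != self.latest():
            raise RuntimeError("stale transition rejected")
        self.entries.append(digest(new_state))
        return self.latest()

def verify_before_query(local_state: dict, ledger: Ledger) -> bool:
    """Per-query check: recompute the local digest and compare it with the
    latest authorized one; out-of-band edits and rollbacks both mismatch."""
    return digest(local_state) == ledger.latest()

def run_scenario() -> dict:
    # Constructed sample state: tool descriptors plus host-side memory.
    state = {"tools": {"read_file": "Read a file from disk."},
             "memory": {"instructions": "Only edit files under ./src"}}
    ledger = Ledger(state)
    snapshots = {ledger.latest(): copy.deepcopy(state)}  # host-side copies

    # Authorized transition: a new tool is added through the ledger.
    head = ledger.latest()
    state["tools"]["run_tests"] = "Run the test suite."
    snapshots[ledger.authorize(head, state)] = copy.deepcopy(state)
    ok_authorized = verify_before_query(state, ledger)

    # Out-of-band tampering: a descriptor edited without a ledger transition.
    tampered = copy.deepcopy(state)
    tampered["tools"]["read_file"] += " [text altered outside the protocol]"
    tamper_detected = not verify_before_query(tampered, ledger)

    # Rollback: an older, once-authorized snapshot presented as current.
    rollback_detected = not verify_before_query(snapshots[ledger.entries[0]], ledger)

    # Historical traceability: the head is later judged malicious, so the host
    # recovers the prior entry, re-checks it against the ledger, re-authorizes.
    good = copy.deepcopy(snapshots[ledger.entries[0]])
    assert digest(good) == ledger.entries[0]  # snapshot matches its ledger entry
    ledger.authorize(ledger.latest(), good)
    ok_recovered = verify_before_query(good, ledger)
    return {"ok_authorized": ok_authorized, "tamper_detected": tamper_detected,
            "rollback_detected": rollback_detected, "ok_recovered": ok_recovered,
            "ledger_len": len(ledger.entries)}
```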

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The paper proposes ElephantAgent, a protocol for agentic systems that enforces Contextual State Continuity by defining a bounded security-critical subset of context (e.g., tool state and memory), recomputing its digest before each query, and verifying it against a linearizable ledger of authorized transitions maintained on replicated trusted hardware; it also adds Historical Traceability to enable post-hoc audit and recovery against in-band semantic abuse.

Significance. If the protocol's assumptions can be realized, the work would extend prior state-continuity techniques (such as Nimble) to the domain of tool-using agents with persistent memory, offering a concrete mechanism to detect out-of-band tampering via digest verification. The linearizable ledger and traceability features address both out-of-band and in-band threats in a unified way.

major comments (2)
  1. [Abstract] Abstract: the central defense rests on the existence of an 'unambiguous, complete partition' between security-critical and non-critical state such that every poisoning vector falls inside the former, yet no construction, algorithm, or argument is supplied for how this partition is obtained or maintained when tools and memory are external and mutable.
  2. [Abstract] Abstract: the protocol assumes replicated trusted hardware remains uncompromised and always reachable before every query to support the linearizable ledger, but supplies neither a threat model nor an argument showing why this hardware assumption holds in an agentic setting where external dependencies can be altered.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for these comments on the abstract and the underlying protocol. We respond to each major comment below, indicating where the manuscript will be revised to address the points raised.

Point-by-point responses
  1. Referee: [Abstract] Abstract: the central defense rests on the existence of an 'unambiguous, complete partition' between security-critical and non-critical state such that every poisoning vector falls inside the former, yet no construction, algorithm, or argument is supplied for how this partition is obtained or maintained when tools and memory are external and mutable.

    Authors: The manuscript defines contextual state as the bounded security-critical subset of the agent's context (with tool state and memory given as examples) and uses digest verification against a ledger of authorized transitions. We acknowledge that the current version supplies only this definition and does not include an explicit construction, algorithm, or argument for how the partition is obtained or maintained when tools and memory are external and mutable. We will revise the manuscript to add a dedicated subsection that provides such a construction (e.g., via designer-specified boundaries with runtime verification) and discusses its maintenance under mutation. revision: yes

  2. Referee: [Abstract] Abstract: the protocol assumes replicated trusted hardware remains uncompromised and always reachable before every query to support the linearizable ledger, but supplies neither a threat model nor an argument showing why this hardware assumption holds in an agentic setting where external dependencies can be altered.

    Authors: The protocol inherits its trusted-hardware assumptions from prior state-continuity work such as Nimble. The current manuscript does not supply a dedicated threat model or argument tailored to the agentic setting that justifies why the replicated hardware remains uncompromised and reachable despite external dependencies. We agree this is a gap and will add an explicit threat-model section that articulates the assumptions and the conditions under which they are expected to hold. revision: yes

Circularity Check

0 steps flagged

No circularity: protocol description contains no derivations, predictions, or self-referential reductions

Full rationale

The manuscript describes a protocol (ElephantAgent) that recomputes a digest of a defined 'bounded, security-critical subset' of context and checks it against a ledger on replicated trusted hardware. No equations, fitted parameters, or quantitative predictions appear. The definition of contextual state is presented as an explicit design choice to enable the mechanism, not as a derived quantity that loops back to itself. No self-citations are invoked as load-bearing premises, and the text supplies no 'uniqueness theorem' or ansatz smuggled from prior author work. The claims rest on the operational description of the protocol under its stated assumptions rather than any tautological equivalence between inputs and outputs.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

Review performed on abstract only; ledger entries are therefore limited to assumptions explicitly invoked in the provided text.

axioms (2)
  • domain assumption: Replicated trusted hardware can maintain a linearizable ledger of authorized contextual state transitions without itself being compromised.
    Invoked when the abstract states that ElephantAgent 'maintains a linearizable ledger of authorized contextual state transitions and detects out-of-band state tampering'.
  • domain assumption: The agent's contextual state can be bounded to a security-critical subset whose digest is sufficient for verification.
    Stated when the abstract defines 'the contextual state as the bounded, security-critical subset of the agent's entire context'.

pith-pipeline@v0.9.1-grok · 5742 in / 1416 out tokens · 33095 ms · 2026-07-03T14:03:28.738760+00:00 · methodology

