Pith. sign in

REVIEW 10 major objections 6 minor 55 references

Zero escapes: binding LLM agent actions to one authority manifest

Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →

T0 review · glm-5.2

2026-07-08 19:16 UTC pith:DOQFETIC

load-bearing objection A well-scoped admission gate for LLM agent actions, with an honest but narrow evidence base. the 10 major comments →

arxiv 2607.06000 v1 pith:DOQFETIC submitted 2026-07-07 cs.CR

Context-to-Execution Integrity for LLM Agents

classification cs.CR
keywords LLM agent securityauthority launderinginformation flow controlexecution boundarymanifest-bound admissiontyped releaseexact-effect authorizationcomplete mediation
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper addresses a structural security flaw in language-model agents: when an agent reads attacker-writable text (emails, CI logs, issue bodies, web pages) and then takes real-world actions (file writes, shell commands, API calls, database operations), the text can silently gain authority over privileged side effects. The author calls this 'authority laundering' — a CI log line that identifies a failing file should not also get to choose which tool runs, mark a change as approved, or trigger a production write. Schema validation checks that a tool call is well-formed; it does not check whether each field, each interpreted effect, and the invocation itself carry legitimate authority. Context-to-Execution Integrity (CXI) is the proposed system. It places a deterministic gate at the last point before a side effect occurs. Before the sink executes, the gate checks three things and binds them to one canonical action manifest: (1) every protected sink field (tool name, target path, approval state, recipient, etc.) is backed by trusted authority or a narrow typed release scoped to that specific field; (2) every sink-interpreted payload (patch diffs, SQL, shell commands, CI YAML, package manifests) matches an exact-effect commitment computed under a trusted snapshot, so the executed effect equals what a validator authorized; and (3) the invocation event itself consumes a manifest-bound capability into a linearizable execution lease, preventing unauthorized retries, batch manipulation, or replay. The formal claim is Admit(m) implies Fields(m) and Effects(m) and Invoke(m). Untrusted text may be quoted as opaque evidence or validated into a narrow typed release for one destination field, but raw writable context cannot authorize a different field, a different effect, or the invocation event. The evaluation reports zero observed field, effect, or invocation escapes across 720 AgentDojo live episodes (1,739 LLM calls), 400 code-agent repository episodes, 10 manifest-bound ledger fault cases, and 800 hosted/API compatibility rows, while separately tracking 196-407 unauthorized proposals that the models generated but the gate rejected before execution.

Core claim

The central object is the manifest-bound admission gate: a deterministic checkpoint that sits between a model's proposed action and the actual side-effecting sink. The gate canonicalizes the proposed action into a manifest, then verifies that field authority (each protected field has trusted or typed-release provenance), effect authority (each sink-interpreted payload matches an exact-effect commitment), and invocation authority (a manifest-bound capability is consumed into an execution lease) all bind to that same manifest. The key insight is that these three authority checks are non-interchangeable: a typed release for one field cannot authorize another field, an effect commitment cannotbe

What carries the argument

The manifest-bound admission gate with three non-interchangeable authority checks: field authority (protected fields require trusted provenance or destination-scoped typed releases), exact-effect authorization (sink-interpreted payloads must match validator-computed effect commitments under a trusted snapshot), and invocation authority (a manifest-bound capability must be consumed into an execution lease before the sink runs). All three bind to one canonical action manifest, and any mismatch causes fail-closed rejection.

Load-bearing premise

The load-bearing premise is complete mediation: every side-effecting route in a deployment must pass through the shared manifest-bound gate. If any path — a helper API, an alternate client, a generated file, an install hook, or a bot — bypasses the gate, the admission claim does not hold for that route. This is a deployment property that the paper can check for its evaluated sink families but cannot guarantee for arbitrary real-world deployments.

What would settle it

A single side-effecting route that bypasses the manifest-bound gate in a real deployment would falsify the admission claim for that route. Additionally, if provenance tracking fails to conservatively capture an influence path — for example, if a summary or memory write carries writable-context influence that is not labeled as W-derived — a protected field could be admitted with laundered authority.

Watch this falsifier — get emailed when new claim-graph text bears on it.

If this is right

  • Agent deployments could adopt manifest-bound gates as a deployment-pattern security boundary: any side-effecting route — file writes, shell commands, API calls, CI changes, package installs — that does not pass through the gate is explicitly outside the integrity claim, making the security perimeter auditable rather than implicit.
  • The typed-release mechanism suggests a practical design pattern for agent systems: untrusted context can inform a proposed value, but trusted declassifier code must canonicalize and validate it before it gains authority for one specific destination field, preventing cross-field authority reuse.
  • The exact-effect commitment approach for constructive payloads (patches, SQL, shell commands) could be adopted independently: instead of checking payload syntax, systems compute and authorize the semantic effect the sink will apply, binding it to a specific repository snapshot, principal, and policy epoch to prevent replay.
  • The separation of proposal pressure from execution escapes provides a useful evaluation methodology: measuring unauthorized model proposals before the gate separately from unauthorized executions at the gate clarifies that models still attempt unsafe actions but the gate prevents them from executing.
  • The hosted/API compatibility path, which cannot observe provider-internal decoder state, demonstrates that the admission check works with weaker evidence — host-observed field-local construction — making the gate design applicable to closed-source model providers, though with a narrower evidence claim.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The complete-mediation requirement is a deployment property that scales with the number of side-effecting routes in a real system: as agent deployments add more tools, sinks, and alternate paths (helper APIs, generated files, install hooks, bots), the policy authoring and bypass-checking burden grows linearly, and a single missed route voids the admission claim for that path.
  • The conservative influence-tracking assumption (provenance must over-approximate what could have influenced a field, not just byte origin) suggests that as agents use more complex reasoning chains — multi-step summaries, memory systems, tool-output chains — the provenance tracking infrastructure must propagate influence labels through increasingly indirect derivation paths, which could become a pr
  • The evidence ladder (field-closed reference decoding, direct-span, suffix-taint, runtime-map, hosted/API field-local) implies that the strength of the admission claim varies with deployment: open-weight deployments with attention-mask control provide stronger evidence, while hosted/API deployments provide compatibility evidence but cannot prove provider-internal enforcement, creating a two-tier tr
  • The zero-escape result is conditioned on the evaluated sink families and policies; extending to new sink types (e.g., financial transactions, infrastructure provisioning, multi-party delegation chains) would require new effect adapters, validators, and bypass checks, meaning the system's coverage is bounded by policy authoring effort rather than by the gate mechanism itself.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

10 major / 6 minor

Summary. The paper introduces Context-to-Execution Integrity (CXI), an execution-boundary system for LLM agents that mediate side-effecting tool calls. The central claim is a 'mediated admission integrity' property: before a side effect occurs, the host checks that the invocation event, protected sink fields, and sink-interpreted effects are all authorized for the same canonical action manifest. Formally, Admit(m) ⇒ Fields(m) ∧ Effects(m) ∧ Invoke(m). The system uses typed releases (declassification), opaque data slots, exact-effect commitments, and a manifest-bound invocation capability consumed via a linearizable ledger. The evaluation spans open-weight field-projection runs, 720 AgentDojo episodes, 400 code-agent episodes, 10 ledger fault cases, and 800 hosted/API compatibility rows, reporting zero observed field, effect, or invocation escapes across all evaluated sinks.

Significance. The paper makes a well-scoped contribution to the growing literature on agent security. Its strengths include: (1) a deterministic, clearly specified gate predicate (Section 3.4, Appendix B) that is not circularly derived—it checks against external authority objects (trusted state, typed releases, exact-effect commitments, invocation capabilities); (2) an explicit and honest non-goals section that separates admission integrity from task quality, validator completeness, provider internals, and external exactly-once delivery; (3) an evidence ladder (Table 7, Section 5.3) that distinguishes field-closed reference decoding from narrower serving-path checks, rather than conflating them; (4) an anonymous review artifact with policy manifests, gate decisions, and table-regeneration scripts. The separation of proposal pressure (pre-gate) from executed escapes (at-gate) in Figure 3 is a useful experimental design choice. The paper ships falsifiable predictions: any unauthorized field, effect, or invocation reaching a mediated sink would falsify the core claim.

major comments (10)
  1. §3.6, §5.3, Table 15: The admitted-action contract requires 'conservative field provenance Π' for the Fields(m) predicate. The open-weight serving path uses attention masking in vLLM (§4.3: 'sets attention scores from protected X query tokens to blocked W-derived key tokens to −∞ before softmax'). This blocks direct attention but does not address indirect influence through the residual stream: W-derived representations at non-blocked positions can propagate through intermediate layers and affect protected field representations via indirect attention paths at later layers. The paper acknowledges this gap (§5.3: 'Full causal taint over internal transformer state requires stronger serving support'; Table 15: 'Does not support: Full hidden-state, KV-lineage, or model-level noninterference'). However, the gap is load-bearing for the correctness of Fields(m) on the serving path: if W influence
  2. §3.6, §5.3, Table 15: The admitted-action contract requires 'conservative field provenance Π' for the Fields(m) predicate. The open-weight serving path uses attention masking in vLLM (§4.3: 'sets attention scores from protected X query tokens to blocked W-derived key tokens to −∞ before softmax'). This blocks direct attention but does not address indirect influence through the residual stream: W-derived representations at non-blocked positions can propagate through intermediate layers and affect protected field representations via indirect attention paths at later layers. The paper acknowledges this gap (§5.3: 'Full causal taint over internal transformer state requires stronger serving support'; Table 15: 'Does not support: Full hidden-state, KV-lineage, or model-level noninterference'). However, the gap is load-bearing for the correctness of Fields(m) on the serving path: if W influence
  3. §3.6, §5.3, Table 15: The admitted-action contract requires 'conservative field provenance Π' for the Fields(m) predicate. The open-weight serving path uses attention masking in vLLM (§4.3: 'sets attention scores from protected X query tokens to blocked W-derived key tokens to −∞ before softmax'). This blocks direct attention but does not address indirect influence through the residual stream: W-derived representations at non-blocked positions can propagate through intermediate layers and affect protected field representations via indirect attention paths at later layers. The paper acknowledges this gap (§5.3: 'Full causal taint over internal transformer state requires stronger serving support'; Table 15: 'Does not support: Full hidden-state, KV-lineage, or model-level noninterference'). However, the gap is load-bearing for the correctness of Fields(m) on the serving path: if W influence
  4. §3.6, §5.3, Table 15: The admitted-action contract requires 'conservative field provenance Π' for the Fields(m) predicate. The open-weight serving path uses attention masking in vLLM (§4.3: 'sets attention scores from protected X query tokens to blocked W-derived key tokens to −∞ before softmax'). This blocks direct attention but does not address indirect influence through the residual stream: W-derived representations at non-blocked positions can propagate through intermediate layers and affect protected field representations via indirect attention paths at later layers. The paper acknowledges this gap (§5.3: 'Full causal taint over internal transformer state requires stronger serving support'; Table 15: 'Does not support: Full hidden-state, KV-lineage, or model-level noninterference'). However, the gap is load-bearing for the correctness of Fields(m) on the serving path: if W influence
  5. §3.6, §5.3, Table 15: The admitted-action contract requires 'conservative field provenance Π' for the Fields(m) predicate. The open-weight serving path uses attention masking in vLLM (§4.3: 'sets attention scores from protected X query tokens to blocked W-derived key tokens to −∞ before softmax'). This blocks direct attention but does not address indirect influence through the residual stream: W-derived representations at non-blocked positions can propagate through intermediate layers and affect protected field representations via indirect attention paths at later layers. The paper acknowledges this gap (§5.3: 'Full causal taint over internal transformer state requires stronger serving support'; Table 15: 'Does not support: Full hidden-state, KV-lineage, or model-level noninterference'). However, the gap is load-bearing for the correctness of Fields(m) on the serving path: if W influence
  6. §3.6, §5.3, Table 15: The admitted-action contract requires 'conservative field provenance Π' for the Fields(m) predicate. The open-weight serving path uses attention masking in vLLM (§4.3: 'sets attention scores from protected X query tokens to blocked W-derived key tokens to −∞ before softmax'). This blocks direct attention but does not address indirect influence through the residual stream: W-derived representations at non-blocked positions can propagate through intermediate layers and affect protected field representations via indirect attention paths at later layers. The paper acknowledges this gap (§5.3: 'Full causal taint over internal transformer state requires stronger serving support'; Table 15: 'Does not support: Full hidden-state, KV-lineage, or model-level noninterference'). However, the gap is load-bearing for the correctness of Fields(m) on the serving path: if W influence
  7. §3.6, §5.3, Table 15: The admitted-action contract requires 'conservative field provenance Π' for the Fields(m) predicate. The open-weight serving path uses attention masking in vLLM (§4.3: 'sets attention scores from protected X query tokens to blocked W-derived key tokens to −∞ before softmax'). This blocks direct attention but does not address indirect influence through the residual stream: W-derived representations at non-blocked positions can propagate through intermediate layers and affect protected field representations via indirect attention paths at later layers. The paper acknowledges this gap (§5.3: 'Full causal taint over internal transformer state requires stronger serving support'; Table 15: 'Does not support: Full hidden-state, KV-lineage, or model-level noninterference'). However, the gap is load-bearing for the correctness of Fields(m) on the serving path: if W influence
  8. §3.6, §5.3, Table 15: The admitted-action contract requires 'conservative field provenance Π' for the Fields(m) predicate. The open-weight serving path uses attention masking in vLLM (§4.3: 'sets attention scores from protected X query tokens to blocked W-derived key tokens to −∞ before softmax'). This blocks direct attention but does not address indirect influence through the residual stream: W-derived representations at non-blocked positions can propagate through intermediate layers and affect protected field representations via indirect attention paths at later layers. The paper acknowledges this gap (§5.3: 'Full causal taint over internal transformer state requires stronger serving support'; Table 15: 'Does not support: Full hidden-state, KV-lineage, or model-level noninterference'). However, the gap is load-bearing for the correctness of Fields(m) on the serving path: if W influence
  9. §3.6, §5.3, Table 15: The admitted-action contract requires 'conservative field provenance Π' for the Fields(m) predicate. The open-weight serving path uses attention masking in vLLM (§4.3: 'sets attention scores from protected X query tokens to blocked W-derived key tokens to −∞ before softmax'). This blocks direct attention but does not address indirect influence through the residual stream: W-derived representations at non-blocked positions can propagate through intermediate layers and affect protected field representations via indirect attention paths at later layers. The paper acknowledges this gap (§5.3: 'Full causal taint over internal transformer state requires stronger serving support'; Table 15: 'Does not support: Full hidden-state, KV-lineage, or model-level noninterference'). However, the gap is load-bearing for the correctness of Fields(m) on the serving path: if W influence
  10. §3.6, §5.3, Table 15: The admitted-action contract requires 'conservative field provenance Π' for the Fields(m) predicate. The open-weight serving path uses attention masking in vLLM (§4.3: 'sets attention scores from protected X query tokens to blocked W-derived key tokens to −∞ before softmax'). This blocks direct attention but does not address indirect influence through the residual stream: W-derived representations at non-blocked positions can propagate through intermediate layers and affect protected field representations via indirect attention paths at later layers. The paper acknowledges this gap (§5.3: 'Full causal taint over internal transformer state requires stronger serving support'; Table 15: 'Does not support: Full hidden-state, KV-lineage, or model-level noninterference'). However, the gap is load-bearing for the correctness of Fields(m) on the serving path: if W influence
minor comments (6)
  1. §4.3: The model identifiers (e.g., 'Qwen/Qwen3.6-27B', 'gpt-5.5', 'claude-opus-4-7') appear to be future or placeholder names. If these are anonymized aliases, this should be stated explicitly; if they are real model versions, the naming should be verified for consistency.
  2. Table 6: The 'AgentDojo exact-effect admissions' row reports '0/0/0 field/effect/invocation' in the boundary outcome column, but the format is not defined. Consider adding a header note or footnote clarifying that these are field/effect/invocation escape counts.
  3. §5.4, Figure 3: The figure caption states 'Bars show unauthorized proposals before the CXI gate; right-hand boxes show executed escapes at the mediated sink.' The figure would benefit from axis labels and a legend clarifying what the '0' in the right-hand boxes represents (zero escapes, not zero proposals).
  4. §5.5: The mechanism baseline suite (argument-role provenance approximation, field-scoped capabilities, typed reader/writer) is described textually but would be clearer as a small table showing which attack cases each partial mechanism fails on.
  5. Appendix B: The gate predicate names (MAYINFLUENCE, AUTHORIZESVALUE, EFFECTOK, AUTHORIZEINVOKE) use a different casing convention than the main text (mayInfluence, authorizesValue). Consider unifying.
  6. §2.1: The vocabulary table introduces symbols T, W, D, O, X but the symbol for 'Protected sink field' (X) is not used consistently in the formal notation of Appendix B, where protected fields are referred to as f. Consider clarifying the relationship.

Simulated Author's Rebuttal

2 responses · 0 unresolved

The referee raises a single substantive comment (repeated due to what appears to be a formatting artifact) about the gap between attention masking in the vLLM serving path and full causal taint over internal transformer state, arguing that this gap is load-bearing for the correctness of Fields(m). We agree the gap is real and already acknowledged in the manuscript; we will strengthen the framing to make clearer that the serving-path evidence does not close the indirect residual-stream channel and that the field-closed reference path is the contract target that would.

read point-by-point responses
  1. Referee: §3.6, §5.3, Table 15: The admitted-action contract requires 'conservative field provenance Π' for the Fields(m) predicate. The open-weight serving path uses attention masking in vLLM (§4.3) which blocks direct attention but does not address indirect influence through the residual stream. The gap is load-bearing for the correctness of Fields(m) on the serving path.

    Authors: We agree with the referee's technical point. The attention mask in the evaluated vLLM serving path blocks direct attention from protected-field query positions to W-derived key positions, but it does not block indirect influence through the residual stream: W-derived representations at non-blocked positions can propagate through intermediate layers and affect protected-field representations via later attention paths. This is a real channel, and the referee is correct that it bears on whether the serving-path evidence satisfies the conservative provenance requirement of Fields(m) as stated in §3.6. revision: partial

  2. Referee: (Same comment, repeated)

    Authors: We address the single underlying point once above. The manuscript already acknowledges this gap in three places: §5.3 ('Full causal taint over internal transformer state requires stronger serving support'), Table 15 ('Does not support: Full hidden-state, KV-lineage, or model-level noninterference'), and §3.6's separation of the field-closed reference target from narrower serving-path evidence checks. However, we agree the framing can be sharpened. In the revision we will: (1) Add an explicit statement in §4.3 that the attention mask blocks direct query-to-key attention only and that indirect residual-stream propagation remains possible on the evaluated serving path. (2) Clarify in §3.6 and §5.3 that the field-closed reference contract (Table 3: fresh prefill, fresh KV, no W-seen prefix reuse, no batching, no CUDA graph replay, no speculative decode) is the target that would close the indirect channel, and that the evaluated serving-path checks (direct-span, suffix-taint, runtime-map) are explicitly narrower evidence modes that do not claim to close it. (3) Add a sentence in §5.3 stating that the zero-escape result on the serving path is observed under the evaluated evidence mode, not a proof of model-level noninterference, and that a model exhibiting indirect residual-stream influence from W to a protected field would not be caught by the serving-path evidence check. (4) Update Table 15 to state more directly that the serving-path check does not address indirect residual-stream influence and that field-closed reference decoding is required to close that channel. We believe these changes make the claim boundary honest and precise: the gate predicate is correct by construction; the evidence that the evaluated serving path satisfies the conservative provenance precondition revision: no

Circularity Check

0 steps flagged

No circularity found: the admission contract is a design specification verified empirically, not a fitted prediction or self-citation chain.

full rationale

The paper's central claim, Admit(m) ⇒ Fields(m) ∧ Effects(m) ∧ Invoke(m) (Appendix B), is a design contract: the gate is defined to check field authority, exact-effect authorization, and invocation capability, and the contract states that if the gate admits, those checks passed. This is trivially true by construction of the gate, but the paper does not present it as a first-principles derivation or a prediction — it is presented as a systems design specification that is then empirically verified. The evaluation (zero escapes across 720 AgentDojo episodes, 400 code-agent episodes, 10 ledger faults, 800 hosted/API rows) measures whether the implemented gate correctly rejects unauthorized actions under fault injection and live episodes. These are measurements of gate behavior, not fitted predictions renamed as results. The paper also reports non-zero unauthorized proposal pressure before the gate (Figure 3: 196/300, 407/522, 85/400, 45+16/240), demonstrating the model does attempt unauthorized actions that the gate blocks — this is a meaningful empirical contrast, not a tautology. There are no self-citations: the author (Santos-Grueiro) does not appear in any cited reference. The paper builds on external prior work (IFC, capabilities, confused deputy, PACT, CaMeL, ARGUS) with proper attribution and does not invoke any uniqueness theorem from the authors' prior work. The skeptic's concern about attention masking not capturing indirect transformer influence (Section 5.3, Table 15) is a correctness/completeness risk — the paper explicitly acknowledges it — but it is not a circularity issue. The derivation chain is self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

5 free parameters · 6 axioms · 4 invented entities

The free parameters are policy artifacts (field classifications, validators, adapter specs, evidence mode minimums, capability parameters) that must be hand-authored per mediated sink. They are not fitted to data in the statistical sense; they are design decisions. The axioms are a mix of standard prior art (IFC declassification, capability models) and domain assumptions (complete mediation, conservative provenance, trusted host, fail-closed validators). The invented entities are all data structures with deterministic verification, not physical postulates. No new particles, forces, or dimensions. The main risk is that the domain assumptions are deployment properties that cannot be verified from the paper alone.

free parameters (5)
  • Policy field classifications
    Each mediated sink requires a policy declaring which fields are protected, effect-bearing, or opaque. These are hand-authored per-sink, not derived. Table 4 lists 24 evaluated sinks with 149 fields, 85 X fields, 20 D fields, 29 O fields.
  • Declassifier validators
    Each typed release type (FilePath, ApprovalRef, etc.) has a hand-authored validator that canonicalizes and validates the candidate value. Section 3.3 and Appendix D describe these as trusted code with destination-specific logic.
  • Exact-effect adapter specifications
    Each effect-bearing payload class (patch, SQL, shell, CI manifest) has a hand-authored adapter that computes the sink-interpreted effect commitment. Table 2 and Appendix D list these. The repository state-delta adapter binds base commit, paths, blobs, modes, symlinks, renames—each chosen for the adapter domain.
  • Evidence mode minimums
    Policy declares the minimum evidence mode required (direct-span, suffix-taint, runtime-map, field-closed). Section 4.4 describes anti-downgrade checks. The choice of minimum is a policy decision, not derived.
  • Invocation capability parameters
    Each invocation capability names sink, operation, budget, sequence state, idempotency token, expiry, trusted snapshot, and policy version. These are policy-defined per-sink, not fitted to data.
axioms (6)
  • domain assumption Complete mediation: every side-effecting route reaches the shared gate before execution.
    Section 4.1: 'a CXI result is meaningful only for side-effect paths that enter the shared gate.' Table 5 lists bypass checks. This is a deployment property, not a theorem.
  • domain assumption Conservative provenance: the runtime conservatively captures the influences on each protected field and on the invocation event.
    Section 2.3: 'CXI tracks provenance of influence, not only provenance of bytes.' Table 9 defines influence events. Unknown or ambiguous provenance rejects, but the assumption is that the tracking is conservative.
  • domain assumption Trusted host runtime: the host runtime, trusted tools, correct approval state, and mediated sinks are trusted.
    Section 2.2: 'The trusted components are explicit: policy, provenance tracking, declassifier validators, backend evidence verification, and the host runtime.' A compromised host can lie about provenance or evidence.
  • domain assumption Fail-closed validators: validators fail closed when they cannot demonstrate a field is inert or an effect is bounded.
    Section 3.2: 'The policy is fail-closed: unknown fields, omitted classifications, invalid branch expansions, stale policy versions, and unsupported evidence modes reject before execution.' Assumes validator implementations are correct.
  • standard math Classical IFC declassification model: typed releases are explicit downgrade boundaries with policy justification.
    Section 2.3 and 3.3 cite Sabelfeld and Sands (2009), Myers (1999), Krohn et al. (2007). The declassification framework is standard prior art.
  • standard math Capability-based authority: invocation capabilities are consumable, linearizable, and bound to manifest digests.
    Section 3.4-3.5 and Appendix B cite Hardy (1988), Watson et al. (2010, 2015), Levy (1984). The capability model is standard prior art.
invented entities (4)
  • Action manifest independent evidence
    purpose: Canonical binding object that records action nonce, canonical action digest, adapter ID/revision, effective principal, trusted snapshot, policy epoch, assembly revision, protected-field evidence digests, effect-authorization digests, and call-authority digest.
    The manifest is a data structure, not a physical entity. Its correctness is checked by the gate's deterministic predicates. Falsifiable: any mutation after validation changes a digest and causes execution to fail (Section 3.5).
  • Typed release (D) independent evidence
    purpose: Narrow validated value carried from writable context to a specific destination field, minted by trusted declassifier code after validation.
    A data structure with type, source scope, destination scope, declassifier identity, validator identity, and provenance. Falsifiable: a release for one field cannot authorize another field (Section 3.3).
  • Backend evidence record independent evidence
    purpose: Binds evidence to one field in one action: input, influence-map, cache-lineage, and trusted-snapshot bindings for open-weight protected-field decoding.
    A data structure verified by the gate. Falsifiable: the verifier recomputes the canonical action digest and checks freshness, field binding, and supported backend path (Section 4.4).
  • Invocation capability independent evidence
    purpose: Authority object for the side-effect event: names sink, operation, budget, sequence state, idempotency token, expiry, trusted snapshot, and policy version. Consumed by a linearizable ledger before execution.
    A data structure consumed against the manifest digest. Falsifiable: duplicate consume, wrong-manifest replay, or stale capability rejects (Appendix B).

pith-pipeline@v1.1.0-glm · 27874 in / 4808 out tokens · 600722 ms · 2026-07-08T19:16:16.233083+00:00 · methodology

0 comments
read the original abstract

Language-model agents read attacker-writable context to solve tasks. Tool execution needs a separate authority check for protected sink fields, sink-interpreted payloads, and the invocation event. Context-to-Execution Integrity (CXI) is an execution-boundary system for this setting. Policies mark protected sink fields, typed releases carry narrow validated values from writable context to specific destinations, opaque data slots keep evidence as data, and a deterministic gate admits a call only after field authority, exact-effect authorization, and invocation authority all bind to the same action manifest. We evaluate CXI on open-weight field-projection runs, AgentDojo live episodes, a code-agent exact-effect benchmark, manifest-bound ledger faults, proposal-pressure controls, and hosted/API compatibility traces. AgentDojo covers 720 live episodes and 1,739 LLM calls; the code-agent benchmark covers 400 repository episodes with exact-effect authorization and lease-bound execution, yielding 231 safe task completions and zero observed field, effect, or invocation escapes. The accounting reports parser outcomes, authorization outcomes, and task-quality outcomes together with the admission-integrity result. Across the evaluated sinks, CXI admits execution only when field, effect, and invocation authority bind to the same action manifest.

Figures

Figures reproduced from arXiv: 2607.06000 by Igor Santos-Grueiro.

Figure 1
Figure 1. Figure 1: Authority laundering at a structured sink. Writable evidence may be read, quoted, or converted into a typed release for [PITH_FULL_IMAGE:figures/full_fig_p003_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: CXI admission architecture. Invocation, hosted/API, open-weight, and effect-adapter lanes produce separate authority [PITH_FULL_IMAGE:figures/full_fig_p007_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Proposal pressure before admission. Bars show [PITH_FULL_IMAGE:figures/full_fig_p010_3.png] view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

55 extracted references · 55 canonical work pages · 11 internal anchors

  1. [1]

    Control-flow integrity: Principles, implemen- tations, and applications

    Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. Control-flow integrity: Principles, implemen- tations, and applications. InProceedings of the ACM Conference on Computer and Communications Security, 2005

  2. [2]

    Prompt control-flow integrity: A priority-aware runtime de- fense against prompt injection in LLM systems

    Md Takrim Ul Alam, Akif Islam, Mohd Ruhul Ameen, Abu Saleh Musa Miah, and Jungpil Shin. Prompt control-flow integrity: A priority-aware runtime de- fense against prompt injection in LLM systems. https: //arxiv.org/abs/2603.18433, 2026

  3. [3]

    Pappas, and Eric Wong

    Patrick Chao, Alexander Robey, Edgar Dobriban, Hamed Hassani, George J. Pappas, and Eric Wong. Jailbreaking black box large language models in twenty queries. https://arxiv.org/abs/2310. 08419, 2023

  4. [4]

    StruQ: Defending against prompt injection with structured queries

    Sizhe Chen, Julien Piet, Chawin Sitawarin, and David Wagner. StruQ: Defending against prompt injection with structured queries. In34th USENIX Security Symposium, pages 2383–2400. USENIX Association, 2025

  5. [5]

    Securing AI Agents with Information-Flow Control

    Manuel Costa, Boris Köpf, Aashish Kolluri, Andrew Paverd, Mark Russinovich, Ahmed Salem, Shruti Tople, Lukas Wutschitz, and Santiago Zanella-Béguelin. Se- curing AI agents with information-flow control. https: //arxiv.org/abs/2505.23643, 2025

  6. [6]

    FlashAttention-2: Faster attention with bet- ter parallelism and work partitioning

    Tri Dao. FlashAttention-2: Faster attention with bet- ter parallelism and work partitioning. InInternational Conference on Learning Representations, 2024

  7. [7]

    Fu, Stefano Ermon, Atri Rudra, and Christopher Ré

    Tri Dao, Daniel Y . Fu, Stefano Ermon, Atri Rudra, and Christopher Ré. FlashAttention: Fast and memory- efficient exact attention with IO-awareness. InAdvances in Neural Information Processing Systems, 2022

  8. [8]

    Defeating Prompt Injections by Design

    Edoardo Debenedetti, Ilia Shumailov, Tianqi Fan, Jamie Hayes, Nicholas Carlini, Daniel Fabian, Christoph Kern, Chongyang Shi, Andreas Terzis, and Florian Tramèr. De- feating prompt injections by design. https://arxiv. org/abs/2503.18813, 2025

  9. [9]

    AgentDojo: A dynamic environment to evaluate prompt injection attacks and defenses for LLM agents

    Edoardo Debenedetti, Jie Zhang, Mislav Balunovi ´c, Luca Beurer-Kellner, Marc Fischer, and Florian Tramèr. AgentDojo: A dynamic environment to evaluate prompt injection attacks and defenses for LLM agents. InThe Thirty-Eighth Annual Conference on Neural Information Processing Systems, Datasets and Benchmarks Track, 2024

  10. [10]

    Dorothy E. Denning. A lattice model of secure informa- tion flow.Communications of the ACM, 19(5):236–243, 1976

  11. [11]

    Labels and event processes in the asbestos operating system

    Petros Efstathopoulos, Maxwell Krohn, Steve VanDe- Bogart, Cliff Frey, David Ziegler, Eddie Kohler, David Mazières, Frans Kaashoek, and Robert Morris. Labels and event processes in the asbestos operating system. InProceedings of the ACM Symposium on Operating Systems Principles, 2005

  12. [12]

    The Granularity Mismatch in Agent Security: Argument-Level Provenance Solves Enforcement and Isolates the LLM Reasoning Bottleneck

    Linfeng Fan, Ziwei Li, Yuan Tian, Yichen Wang, Rong- sheng Li, and Xiong Wang. The granularity mismatch 14 in agent security: Argument-level provenance solves en- forcement and isolates the LLM reasoning bottleneck. https://arxiv.org/abs/2605.11039, 2026

  13. [13]

    Goguen and José Meseguer

    Joseph A. Goguen and José Meseguer. Security policies and security models. InIEEE Symposium on Security and Privacy, pages 11–20, 1982

  14. [14]

    Not what you’ve signed up for: Compromising real-world LLM-integrated applications with indirect prompt in- jection

    Kai Greshake, Sahar Abdelnabi, Shailesh Mishra, Christoph Endres, Thorsten Holz, and Mario Fritz. Not what you’ve signed up for: Compromising real-world LLM-integrated applications with indirect prompt in- jection. InProceedings of the 16th ACM Workshop on Artificial Intelligence and Security, pages 79–90, 2023

  15. [15]

    The confused deputy: Or why capa- bilities might have been invented

    Norman Hardy. The confused deputy: Or why capa- bilities might have been invented. http://cap-lore. com/CapTheory/ConfusedDeputy.html, 1988. Ac- cessed 2026-06-27

  16. [16]

    Jimenez, John Yang, Alexander Wettig, Shunyu Yao, Kexin Pei, Ofir Press, and Karthik Narasimhan

    Carlos E. Jimenez, John Yang, Alexander Wettig, Shunyu Yao, Kexin Pei, Ofir Press, and Karthik Narasimhan. SWE-bench: Can language models resolve real-world GitHub issues? InInternational Conference on Learning Representations, 2024

  17. [17]

    Prompt Flow Integrity to Prevent Privilege Escalation in LLM Agents

    Juhee Kim, Woohyuk Choi, and Byoungyoung Lee. Prompt flow integrity to prevent privilege escalation in LLM agents. https://arxiv.org/abs/2503.15547, 2025

  18. [18]

    Frans Kaashoek, Eddie Kohler, and Robert Morris

    Maxwell Krohn, Alexander Yip, Micah Brodsky, Natan Cliffer, M. Frans Kaashoek, Eddie Kohler, and Robert Morris. Information flow control for standard OS ab- stractions. InProceedings of the ACM Symposium on Operating Systems Principles, 2007

  19. [19]

    Gonza- lez, Hao Zhang, and Ion Stoica

    Woosuk Kwon, Zhuohan Li, Siyuan Zhuang, Ying Sheng, Lianmin Zheng, Cody Hao Yu, Joseph E. Gonza- lez, Hao Zhang, and Ion Stoica. Efficient memory man- agement for large language model serving with Page- dAttention. InProceedings of the ACM SIGOPS 29th Symposium on Operating Systems Principles, 2023

  20. [20]

    Xu, Siva Reddy, Graham Neubig, Quentin Cappart, Russ Salakhutdinov, and Nicolas Chapados

    Thibault Le Sellier de Chezelles, Maxime Gasse, Alexandre Lacoste, Massimo Caccia, Alexandre Drouin, Léo Boisvert, Megh Thakkar, Tom Marty, Rim As- souel, Sahar Omidi Shayegan, Lawrence Keunho Jang, Xing Han Lù, Ori Yoran, Dehan Kong, Frank F. Xu, Siva Reddy, Graham Neubig, Quentin Cappart, Russ Salakhutdinov, and Nicolas Chapados. The Browser- Gym ecosys...

  21. [21]

    Fast inference from transformers via speculative decoding

    Yaniv Leviathan, Matan Kalman, and Yossi Matias. Fast inference from transformers via speculative decoding. In International Conference on Machine Learning, pages 19274–19286, 2023

  22. [22]

    Levy.Capability-Based Computer Systems

    Henry M. Levy.Capability-Based Computer Systems. Digital Press, 1984

  23. [23]

    AgentBench: Evaluating LLMs as agents

    Xiao Liu, Hao Yu, Hanchen Zhang, Yifan Xu, Xuanyu Lei, Hanyu Lai, Yu Gu, Hangliang Ding, Kaiwen Men, Kejuan Yang, Shudan Zhang, Xiang Deng, Aohan Zeng, Zhengxiao Du, Chenhui Zhang, Sheng Shen, Tianhua Zhang, Yu Su, Huan Sun, Minlie Huang, Yuxiao Dong, and Jie Tang. AgentBench: Evaluating LLMs as agents. InInternational Conference on Learning Representa- t...

  24. [24]

    Tree of attacks: Jailbreaking black-box LLMs automatically

    Anay Mehrotra, Manolis Zampetakis, Paul Kassianik, Blaine Nelson, Hyrum Anderson, Yaron Singer, and Amin Karbasi. Tree of attacks: Jailbreaking black-box LLMs automatically. https://arxiv.org/abs/2312. 02119, 2023

  25. [25]

    Andrew C. Myers. JFlow: Practical mostly-static in- formation flow control. InProceedings of the ACM SIGPLAN-SIGACT Symposium on Principles of Pro- gramming Languages, 1999

  26. [26]

    Myers and Barbara Liskov

    Andrew C. Myers and Barbara Liskov. Protecting privacy using the decentralized label model.ACM Transactions on Software Engineering and Methodol- ogy, 9(4):410–442, 2000

  27. [27]

    WebGPT: Browser-assisted question-answering with human feedback

    Reiichiro Nakano, Jacob Hilton, Suchir Balaji, Jeff Wu, Long Ouyang, Christina Kim, Christopher Hesse, Shantanu Jain, Vineet Kosaraju, William Saunders, Xu Jiang, Karl Cobbe, Tyna Eloundou, Gretchen Krueger, Kevin Button, Matthew Knight, Benjamin Chess, and John Schulman. Webgpt: Browser-assisted question-answering with human feedback. https: //arxiv.org/...

  28. [28]

    OWASP LLM01:2025 prompt injection

    OWASP Foundation. OWASP LLM01:2025 prompt injection. https://genai.owasp.org/llmrisk/ llm01-prompt-injection/, 2025. Accessed 2026- 06-27

  29. [29]

    Formal Policy Enforcement for Real-World Agentic Systems

    Nils Palumbo, Sarthak Choudhary, Jihye Choi, Guy Amir, Prasad Chalasani, and Somesh Jha. Formal pol- icy enforcement for real-world agentic systems. https: //arxiv.org/abs/2602.16708, 2026

  30. [30]

    Ignore Previous Prompt: Attack Techniques For Language Models

    Fábio Perez and Ian Ribeiro. Ignore previous prompt: Attack techniques for language models. https:// arxiv.org/abs/2211.09527, 2022

  31. [31]

    AIRGuard: Guarding Agent Actions with Runtime Authority Control

    Suliu Qin, Haomin Zhuang, Yujun Zhou, Yufei Han, and Xiangliang Zhang. AIRGuard: Guarding agent actions with runtime authority control. https://arxiv.org/ abs/2605.28914, 2026. 15

  32. [32]

    Maddison, and Tatsunori Hashimoto

    Yangjun Ruan, Honghua Dong, Andrew Wang, Silviu Pitis, Yongchao Zhou, Jimmy Ba, Yann Dubois, Chris J. Maddison, and Tatsunori Hashimoto. ToolEmu: Iden- tifying the risks of LM agents with an LM-emulated sandbox. InInternational Conference on Learning Rep- resentations, 2024

  33. [33]

    Andrei Sabelfeld and Andrew C. Myers. Language- based information-flow security.IEEE Journal on Se- lected Areas in Communications, 21(1):5–19, 2003

  34. [34]

    Declassification: Di- mensions and principles.Journal of Computer Security, 17(5):517–548, 2009

    Andrei Sabelfeld and David Sands. Declassification: Di- mensions and principles.Journal of Computer Security, 17(5):517–548, 2009

  35. [35]

    Saltzer and Michael D

    Jerome H. Saltzer and Michael D. Schroeder. The pro- tection of information in computer systems.Proceed- ings of the IEEE, 63(9):1278–1308, 1975

  36. [36]

    Tool- former: Language models can teach themselves to use tools

    Timo Schick, Jane Dwivedi-Yu, Roberto Dessì, Roberta Raileanu, Maria Lomeli, Eric Hambro, Luke Zettle- moyer, Nicola Cancedda, and Thomas Scialom. Tool- former: Language models can teach themselves to use tools. InAdvances in Neural Information Processing Systems, 2023

  37. [37]

    Shapiro, Jonathan M

    Jonathan S. Shapiro, Jonathan M. Smith, and David J. Farber. EROS: A fast capability system. InProceedings of the ACM Symposium on Operating Systems Princi- ples, 1999

  38. [38]

    FlexGen: High- throughput generative inference of large language mod- els with a single GPU

    Ying Sheng, Lianmin Zheng, Binhang Yuan, Zhuohan Li, Max Ryabinin, Beidi Chen, Percy Liang, Christo- pher Ré, Ion Stoica, and Ce Zhang. FlexGen: High- throughput generative inference of large language mod- els with a single GPU. InInternational Conference on Machine Learning, 2023

  39. [39]

    Ap- pWorld: A controllable world of apps and people for benchmarking interactive coding agents

    Harsh Trivedi, Tushar Khot, Mareike Hartmann, Ruskin Manku, Vinty Dong, Edward Li, Shashank Gupta, Ashish Sabharwal, and Niranjan Balasubramanian. Ap- pWorld: A controllable world of apps and people for benchmarking interactive coding agents. InProceed- ings of the 62nd Annual Meeting of the Association for Computational Linguistics, pages 16022–16076, 2024

  40. [40]

    A sound type system for secure flow analysis.Journal of Computer Security, 4(2–3):167–187, 1996

    Dennis V olpano, Geoffrey Smith, and Cynthia Irvine. A sound type system for secure flow analysis.Journal of Computer Security, 4(2–3):167–187, 1996

  41. [41]

    Anderson, and Susan L

    Robert Wahbe, Steven Lucco, Thomas E. Anderson, and Susan L. Graham. Efficient software-based fault isola- tion. InProceedings of the ACM Symposium on Operat- ing Systems Principles, 1993

  42. [42]

    The Instruction Hierarchy: Training LLMs to Prioritize Privileged Instructions

    Eric Wallace, Kai Xiao, Reimar Leike, Lilian Weng, Johannes Heidecke, and Alex Beutel. The instruction hi- erarchy: Training LLMs to prioritize privileged instruc- tions.https://arxiv.org/abs/2404.13208, 2024

  43. [43]

    Robert N. M. Watson, Jonathan Anderson, Ben Laurie, and Kris Kennaway. Capsicum: Practical capabilities for UNIX. InUSENIX Security Symposium. USENIX Association, 2010

  44. [44]

    Robert N. M. Watson, Jonathan Woodruff, Peter G. Neu- mann, Simon W. Moore, Jonathan Anderson, David Chisnall, Nirav Dave, Brooks Davis, Khilan Gudka, Ben Laurie, Steven J. Murdoch, Robert Norton, Michael Roe, Stacey Son, and Munraj Vadera. CHERI: A hy- brid capability-system architecture for scalable software compartmentalization. InIEEE Symposium on Sec...

  45. [45]

    Jailbroken: How does LLM safety training fail? In Advances in Neural Information Processing Systems, 2023

    Alexander Wei, Nika Haghtalab, and Jacob Steinhardt. Jailbroken: How does LLM safety training fail? In Advances in Neural Information Processing Systems, 2023

  46. [46]

    ARGUS: Defending LLM Agents Against Context-Aware Prompt Injection

    Shihao Weng, Yang Feng, Jinrui Zhang, Xiaofei Xie, Jiongchi Yu, and Jia Liu. ARGUS: Defending LLM agents against context-aware prompt injection. https: //arxiv.org/abs/2605.03378, 2026

  47. [47]

    OSWorld: Benchmarking mul- timodal agents for open-ended tasks in real computer environments

    Tianbao Xie, Danyang Zhang, Jixuan Chen, Xiaochuan Li, Siheng Zhao, Ruisheng Cao, Toh Jing Hua, Zhoujun Cheng, Dongchan Shin, Fangyu Lei, Yitao Liu, Yiheng Xu, Shuyan Zhou, Silvio Savarese, Caiming Xiong, Vic- tor Zhong, and Tao Yu. OSWorld: Benchmarking mul- timodal agents for open-ended tasks in real computer environments. InThe Thirty-Eighth Annual Con...

  48. [48]

    Narasimhan

    Shunyu Yao, Noah Shinn, Pedram Razavi, and Karthik R. Narasimhan. τ-bench: A benchmark for tool-agent-user interaction in real-world domains. InInternational Con- ference on Learning Representations, 2025

  49. [49]

    ReAct: Synergizing reasoning and acting in language models

    Shunyu Yao, Jeffrey Zhao, Dian Yu, Nan Du, Izhak Shafran, Karthik Narasimhan, and Yuan Cao. ReAct: Synergizing reasoning and acting in language models. InInternational Conference on Learning Representa- tions, 2023

  50. [50]

    Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar

    Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar. Native client: A sandbox for portable, untrusted x86 native code. In IEEE Symposium on Security and Privacy, 2009

  51. [51]

    Orca: A distributed serving system for transformer-based generative models

    Gyeong-In Yu, Joo Seong Jeong, Geon-Woo Kim, Soo- jeong Kim, and Byung-Gon Chun. Orca: A distributed serving system for transformer-based generative models. InUSENIX Symposium on Operating Systems Design and Implementation. USENIX Association, 2022. 16

  52. [52]

    Making information flow ex- plicit in HiStar

    Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, and David Mazières. Making information flow ex- plicit in HiStar. InProceedings of the USENIX Sympo- sium on Operating Systems Design and Implementation. USENIX Association, 2006

  53. [53]

    Gonzalez, Clark Bar- rett, and Ying Sheng

    Lianmin Zheng, Liangsheng Yin, Zhiqiang Xie, Chuyue Sun, Jeff Huang, Cody Hao Yu, Shiyi Cao, Christos Kozyrakis, Ion Stoica, Joseph E. Gonzalez, Clark Bar- rett, and Ying Sheng. SGLang: Efficient execution of structured language model programs. InAdvances in Neural Information Processing Systems, 2024

  54. [54]

    Xu, Hao Zhu, Xuhui Zhou, Robert Lo, Abishek Sridhar, Xianyi Cheng, Tianyue Ou, Yonatan Bisk, Daniel Fried, Uri Alon, and Graham Neu- big

    Shuyan Zhou, Frank F. Xu, Hao Zhu, Xuhui Zhou, Robert Lo, Abishek Sridhar, Xianyi Cheng, Tianyue Ou, Yonatan Bisk, Daniel Fried, Uri Alon, and Graham Neu- big. WebArena: A realistic web environment for build- ing autonomous agents. InInternational Conference on Learning Representations, 2024

  55. [55]

    Universal and Transferable Adversarial Attacks on Aligned Language Models

    Andy Zou, Zifan Wang, Nicholas Carlini, Milad Nasr, J. Zico Kolter, and Matt Fredrikson. Universal and trans- ferable adversarial attacks on aligned language models. https://arxiv.org/abs/2307.15043, 2023. Appendices The appendices provide technical details for readers who want to inspect the admission boundary behind the main text. Appendix A states the ...