Pith. sign in

REVIEW 28 cited by

System-Level Defense against Indirect Prompt Injection Attacks: An Information Flow Control Perspective

Not yet reviewed by Pith; the record is open.

This paper has not been read by Pith yet. Machine review is queued; the pith claim, tier, and objections will appear here once it completes.

SPECIMEN: schema-true, not a live event

T0 review · schema-true

One-sentence machine reading of the paper's core claim.

pith:XXXXXXXX · record.json · timestamp

arxiv 2409.19091 v2 pith:YJJ5DOM2 submitted 2024-09-27 cs.CR

System-Level Defense against Indirect Prompt Injection Attacks: An Information Flow Control Perspective

classification cs.CR
keywords informationsystemsystemsf-securesecuritycompromisecontrolcritical
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved
0 comments
read the original abstract

Large Language Model-based systems (LLM systems) are information and query processing systems that use LLMs to plan operations from natural-language prompts and feed the output of each successive step into the LLM to plan the next. This structure results in powerful tools that can process complex information from diverse sources but raises critical security concerns. Malicious information from any source may be processed by the LLM and can compromise the query processing, resulting in nearly arbitrary misbehavior. To tackle this problem, we present a system-level defense based on the principles of information flow control that we call an f-secure LLM system. An f-secure LLM system disaggregates the components of an LLM system into a context-aware pipeline with dynamically generated structured executable plans, and a security monitor filters out untrusted input into the planning process. This structure prevents compromise while maximizing flexibility. We provide formal models for both existing LLM systems and our f-secure LLM system, allowing analysis of critical security guarantees. We further evaluate case studies and benchmarks showing that f-secure LLM systems provide robust security while preserving functionality and efficiency. Our code is released at https://github.com/fzwark/Secure_LLM_System.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 28 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Measuring Real-World Prompt Injection Attacks in LLM-based Resume Screening

    cs.CR 2026-05 unverdicted novelty 8.0

    Roughly 1% of real resumes contain hidden prompt injections against LLM screeners, prevalence has risen over 1-2 years, and over 90% avoid explicit instructions.

  2. TRUSTDESC: Preventing Tool Poisoning in LLM Applications via Trusted Description Generation

    cs.CR 2026-04 unverdicted novelty 8.0

    TRUSTDESC prevents tool poisoning in LLM applications by automatically generating accurate tool descriptions from code via a three-stage pipeline of reachability analysis, description synthesis, and dynamic verification.

  3. Prismata: Confining Cross-Site Prompt Injection in Web Agents

    cs.CR 2026-07 conditional novelty 7.5

    Prismata cuts web-agent prompt-injection attack success from 85.5% to 0.7% via Biba-inspired DOM trust labeling and mechanical least-privilege confinement without site annotations.

  4. Agent Data Injection Attacks are Realistic Threats to AI Agents

    cs.CR 2026-07 accept novelty 7.0

    Agent data injection (ADI) forges trusted agent metadata via probabilistic delimiter injection and bypasses defenses built only for instruction injection.

  5. DualView: Preventing Indirect Prompt Injection in Personal AI Agents

    cs.CR 2026-07 conditional novelty 7.0

    DualView extends Dual-LLM symbol isolation into the shared user environment via dual Agent/Human views, blocking both immediate and stored IPI at 0% ASR while preserving near-baseline utility.

  6. AutoDojo: Adaptive Black-Box Attacks Reveal the Limits of IPI Defenses and Task-Specification Effects in LLM Agents

    cs.CR 2026-06 unverdicted novelty 7.0

    AutoDojo adaptively optimizes IPI attacks to bypass defenses, recovering substantial ASR on action-open tasks where static attacks fail.

  7. AgentDyn: Are Your Agent Security Defenses Deployable in Real-World Dynamic Environments?

    cs.CR 2026-02 accept novelty 7.0

    AgentDyn benchmark demonstrates that current AI agent defenses against prompt injection fail to handle dynamic real-world conditions.

  8. AOHP: An Open-Source OS-Level Agent Harness for Personalized, Efficient and Secure Interaction

    cs.AI 2026-06 unverdicted novelty 6.0

    AOHP is an Android-based OS harness that reports 21% higher agent task completion, 52% lower token cost, and improved security compliance through agent-first system primitives.

  9. GIF: Locally Sound Geometric Information Flow Control for LLMs

    cs.AI 2026-06 unverdicted novelty 6.0

    GIF introduces a Jacobian-based upper bound on input-output mutual information in LLMs with formal Lean proof and strong empirical recall on injection and leakage benchmarks.

  10. Aligning Provenance with Authorization: A Dual-Graph Defense for LLM Agents

    cs.CR 2026-05 unverdicted novelty 6.0

    AuthGraph aligns an execution provenance graph with a clean authorization graph to detect parameter-source deviations from user intent, reducing attack success rates to 1-2% on AgentDojo and AgentDyn while retaining m...

  11. An Empirical Study of Privacy Leakage Chains via Prompt Injection in Black-Box Chatbot Environments

    cs.CR 2026-05 unverdicted novelty 6.0

    Empirical demonstration that prompt injection combined with web-tool use creates a feasible privacy-leakage chain in deployed black-box chatbot agents.

  12. LivePI: More Realistic Benchmarking of Agents Against Indirect Prompt Injection

    cs.CR 2026-05 unverdicted novelty 6.0

    LivePI benchmark reports indirect prompt injection success rates of 10.7-29.6% across five models on seven input surfaces and shows a two-layer defense blocking all malicious completions while preserving utility.

  13. LivePI: More Realistic Benchmarking of Agents Against Indirect Prompt Injection

    cs.CR 2026-05 unverdicted novelty 6.0

    LivePI benchmark shows indirect prompt injection attack success rates of 10.7% to 29.6% across five AI models in live test environments covering seven input surfaces and multiple malicious goals.

  14. Securing LLM Agents Need Intent-to-Execution Integrity

    cs.CR 2026-05 conditional novelty 6.0

    The paper defines intent-to-execution integrity as the conjunction of Tool Integrity, Instruction Integrity, Judgment Integrity, and Data Flow Integrity, arguing that existing LLM agent defenses provide only partial c...

  15. An AI Agent Execution Environment to Safeguard User Data

    cs.CR 2026-04 unverdicted novelty 6.0

    GAAP guarantees confidentiality of private user data for AI agents by enforcing user-specified permissions deterministically through persistent information flow tracking, without trusting the agent or requiring attack...

  16. Don't Make Models Guess Security and Safety: Symbolic Guardrails for Domain-Specific AI Agents

    cs.SE 2026-04 unverdicted novelty 6.0

    Symbolic guardrails enforce about 74% of agent security and safety requirements on three benchmarks with mostly simple checks, improving safety without sacrificing utility.

  17. ACE: A Security Architecture for LLM-Integrated App Systems

    cs.CR 2025-04 unverdicted novelty 6.0

    ACE decouples planning into abstract and concrete phases with static information-flow verification and enforces execution barriers to secure LLM app systems against prompt injection and related attacks.

  18. Progent: Securing AI Agents with Privilege Control

    cs.CR 2025-04 unverdicted novelty 6.0

    Progent introduces a privilege-control framework for AI agents that uses LLM-generated symbolic rules over tools, SMT-solver-enforced monotonic updates, and deterministic checks to reduce attack success rates on Agent...

  19. Agents That Know Too Much: A Data-Centric Survey of Privacy in LLM Agents

    cs.CR 2026-06 unverdicted novelty 5.0

    A data-centric survey finds that only information-flow control covers compositional and cross-session leakage in LLM agents and that no single benchmark tests an agent across all its data surfaces under one policy.

  20. Adaptive Evaluation of Out-of-Band Defenses Against Prompt Injection in LLM Agents

    cs.CR 2026-06 unverdicted novelty 5.0

    An independent reproduction on AgentDojo with Qwen2.5-7B finds that the Progent out-of-band defense reduces mean attack success from 25.8% to 4.2% and holds against a hand-crafted adaptive attack at 2.6%.

  21. Reframing LLM Agent Security as an Agent-Human Interaction Problem

    cs.CR 2026-05 unverdicted novelty 5.0

    LLM agent security is reframed as an agent-human interaction issue, supported by a survey showing industry preference for human-centric mechanisms over academic favorites and proposing a new research agenda.

  22. Toward Securing AI Agents Like Operating Systems

    cs.CR 2026-05 unverdicted novelty 5.0

    LLM agents share OS-like security challenges; a case study on four agents finds protections often fail without careful setup but many vulnerabilities are mitigable with OS techniques.

  23. Engineering Robustness into Personal Agents with the AI Workflow Store

    cs.CR 2026-05 unverdicted novelty 5.0

    AI agents should shift from on-the-fly plan synthesis to invoking pre-engineered, tested, and reusable workflows stored in an AI Workflow Store to gain reliability and security.

  24. Don't Make Models Guess Security and Safety: Symbolic Guardrails for Domain-Specific AI Agents

    cs.SE 2026-04 unverdicted novelty 5.0

    Symbolic guardrails enforce 74% of specified safety policies in agent benchmarks and boost safety without hurting utility.

  25. PIArena: A Platform for Prompt Injection Evaluation

    cs.CR 2026-04 unverdicted novelty 5.0

    PIArena provides a unified evaluation platform for prompt injection attacks and defenses, featuring a new adaptive attack that reveals major weaknesses in existing protections.

  26. Assessing Automated Prompt Injection Attacks in Agentic Environments

    cs.CR 2026-06 unverdicted novelty 4.0

    Black-box optimization outperforms gradient-based methods for prompt injection on LLM agents, with success depending on attacker model strength and limited transfer from small to frontier models.

  27. Engineering Robustness into Personal Agents with the AI Workflow Store

    cs.CR 2026-05 unverdicted novelty 4.0

    Position paper advocating a shift from on-the-fly AI agent synthesis to reusable hardened workflows in an AI Workflow Store to improve robustness and security.

  28. Engineering Robustness into Personal Agents with the AI Workflow Store

    cs.CR 2026-05 unverdicted novelty 4.0

    AI agents require pre-engineered reusable workflows stored in a central repository rather than generating plans on the fly to achieve production-grade reliability and security.