{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2025:GUDRED4HSFV4DREQ5ZRUVWD5PD","short_pith_number":"pith:GUDRED4H","schema_version":"1.0","canonical_sha256":"3507120f87916bc1c490ee634ad87d78c2370c8b22b677fd29c110ecaac5ad43","source":{"kind":"arxiv","id":"2505.23643","version":2},"attestation_state":"computed","paper":{"title":"Securing AI Agents with Information-Flow Control","license":"http://creativecommons.org/licenses/by/4.0/","headline":"Fides applies information-flow control to AI agent planners to enforce security policies against prompt injection while preserving task utility.","cross_cats":["cs.AI"],"primary_cat":"cs.CR","authors_text":"Aashish Kolluri, Ahmed Salem, Andrew Paverd, Boris K\\\"opf, Lukas Wutschitz, Manuel Costa, Mark Russinovich, Santiago Zanella-B\\'eguelin, Shruti Tople","submitted_at":"2025-05-29T16:50:41Z","abstract_excerpt":"As AI agents become increasingly autonomous and capable, ensuring their security against vulnerabilities such as prompt injection becomes critical. This paper explores the use of information-flow control (IFC) to provide security guarantees for AI agents. We present a formal model to reason about the security and expressiveness of agent planners. Using this model, we characterize the class of properties enforceable by dynamic taint-tracking and construct a taxonomy of tasks to evaluate security and utility trade-offs of planner designs. Informed by this exploration, we present Fides, a planner"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":true,"formal_links_present":true},"canonical_record":{"source":{"id":"2505.23643","kind":"arxiv","version":2},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2025-05-29T16:50:41Z","cross_cats_sorted":["cs.AI"],"title_canon_sha256":"edd3dae6979bd4f3a8d9cdbcf7f35fb4e585c53f696d9da314c21847365097e2","abstract_canon_sha256":"6f3682787171169b47a76163368cb916334189441b1440ced6b4d3f2edd2f917"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-17T23:38:52.612044Z","signature_b64":"qnCoCLscHXGGn+fZ/YznS0rNbtr5Cki+FAbMrcZFp4VCdxZmD1UCXUHACTm6+YoO9vWCR8cdWLZd7xRXRzsRAw==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"3507120f87916bc1c490ee634ad87d78c2370c8b22b677fd29c110ecaac5ad43","last_reissued_at":"2026-05-17T23:38:52.611353Z","signature_status":"signed_v1","first_computed_at":"2026-05-17T23:38:52.611353Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"Securing AI Agents with Information-Flow Control","license":"http://creativecommons.org/licenses/by/4.0/","headline":"Fides applies information-flow control to AI agent planners to enforce security policies against prompt injection while preserving task utility.","cross_cats":["cs.AI"],"primary_cat":"cs.CR","authors_text":"Aashish Kolluri, Ahmed Salem, Andrew Paverd, Boris K\\\"opf, Lukas Wutschitz, Manuel Costa, Mark Russinovich, Santiago Zanella-B\\'eguelin, Shruti Tople","submitted_at":"2025-05-29T16:50:41Z","abstract_excerpt":"As AI agents become increasingly autonomous and capable, ensuring their security against vulnerabilities such as prompt injection becomes critical. This paper explores the use of information-flow control (IFC) to provide security guarantees for AI agents. We present a formal model to reason about the security and expressiveness of agent planners. Using this model, we characterize the class of properties enforceable by dynamic taint-tracking and construct a taxonomy of tasks to evaluate security and utility trade-offs of planner designs. Informed by this exploration, we present Fides, a planner"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"Fides enables us to complete a broad range of tasks with security guarantees.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The formal model of agent planners and the taxonomy of tasks accurately capture real-world security and utility trade-offs.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Fides is an IFC-based planner that uses dynamic taint-tracking and novel hiding primitives to enforce security policies on AI agents with measurable task utility.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Fides applies information-flow control to AI agent planners to enforce security policies against prompt injection while preserving task utility.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"0fd9a257f067f3f5c355522bdc80929d837430b96535f236f9ef06ef00431249"},"source":{"id":"2505.23643","kind":"arxiv","version":2},"verdict":{"id":"3390cd10-73d3-4a0a-a20b-a9d766f3cf2b","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-15T11:50:59.663951Z","strongest_claim":"Fides enables us to complete a broad range of tasks with security guarantees.","one_line_summary":"Fides is an IFC-based planner that uses dynamic taint-tracking and novel hiding primitives to enforce security policies on AI agents with measurable task utility.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The formal model of agent planners and the taxonomy of tasks accurately capture real-world security and utility trade-offs.","pith_extraction_headline":"Fides applies information-flow control to AI agent planners to enforce security policies against prompt injection while preserving task utility."},"references":{"count":50,"sample":[{"doi":"","year":2025,"title":"Get my drift? catching llm task drift with activation deltas","work_id":"5d2032b0-d97c-478f-80d9-33c36aafee31","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2025,"title":"Guidance: A guidance language for controlling large language models","work_id":"ee65f69d-7029-4bd2-bc06-d04f5b9b6c6c","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2024,"title":"Computer Use (beta)","work_id":"12fb0611-dffd-4a06-9f4e-887ec59c46f1","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2024,"title":"Ahsan Ayub and Subhabrata Majumdar","work_id":"522adc92-59e8-4925-99a2-af24467c9d9c","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2024,"title":"AI agents with formal security guarantees","work_id":"5757efd8-254e-478b-bcb1-a4918294d897","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":50,"snapshot_sha256":"b1cc49b9ae3deccd75cf92781bd7f04bb2893ae018dd463d528feb27bbd8248a","internal_anchors":0},"formal_canon":{"evidence_count":1,"snapshot_sha256":"b31e176abe782fc0c2350e92dd221c6500edfdb58ad35d2ec7264a2f2a561391"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2505.23643","created_at":"2026-05-17T23:38:52.611481+00:00"},{"alias_kind":"arxiv_version","alias_value":"2505.23643v2","created_at":"2026-05-17T23:38:52.611481+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2505.23643","created_at":"2026-05-17T23:38:52.611481+00:00"},{"alias_kind":"pith_short_12","alias_value":"GUDRED4HSFV4","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_16","alias_value":"GUDRED4HSFV4DREQ","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_8","alias_value":"GUDRED4H","created_at":"2026-05-18T12:33:37.589309+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":31,"internal_anchor_count":31,"sample":[{"citing_arxiv_id":"2605.22643","citing_title":"Boiling the Frog: A Multi-Turn Benchmark for Agentic Safety","ref_index":21,"is_internal_anchor":true},{"citing_arxiv_id":"2605.22842","citing_title":"The Misattribution Gap: When Memory Poisoning Looks Like Model Failure in Agentic AI Systems","ref_index":8,"is_internal_anchor":true},{"citing_arxiv_id":"2605.22643","citing_title":"Boiling the Frog: A Multi-Turn Benchmark for Agentic Safety","ref_index":21,"is_internal_anchor":true},{"citing_arxiv_id":"2605.18991","citing_title":"Agent Security is a Systems Problem","ref_index":15,"is_internal_anchor":true},{"citing_arxiv_id":"2604.18248","citing_title":"Beyond Pattern Matching: Seven Cross-Domain Techniques for Prompt Injection Detection","ref_index":4,"is_internal_anchor":true},{"citing_arxiv_id":"2605.17380","citing_title":"ADR: An Agentic Detection System for Enterprise Agentic AI Security","ref_index":49,"is_internal_anchor":true},{"citing_arxiv_id":"2605.18991","citing_title":"Agent Security is a Systems Problem","ref_index":15,"is_internal_anchor":true},{"citing_arxiv_id":"2605.16976","citing_title":"Securing LLM Agents Need Intent-to-Execution Integrity","ref_index":9,"is_internal_anchor":true},{"citing_arxiv_id":"2605.01970","citing_title":"Trojan Hippo: Weaponizing Agent Memory for Data Exfiltration","ref_index":13,"is_internal_anchor":true},{"citing_arxiv_id":"2511.20284","citing_title":"Can LLMs Make (Personalized) Access Control Decisions?","ref_index":67,"is_internal_anchor":true},{"citing_arxiv_id":"2602.16708","citing_title":"Formal Policy Enforcement for Real-World Agentic Systems","ref_index":18,"is_internal_anchor":true},{"citing_arxiv_id":"2605.14290","citing_title":"Web Agents Should Adopt the Plan-Then-Execute Paradigm","ref_index":6,"is_internal_anchor":true},{"citing_arxiv_id":"2605.14421","citing_title":"MemLineage: Lineage-Guided Enforcement for LLM Agent Memory","ref_index":7,"is_internal_anchor":true},{"citing_arxiv_id":"2605.13471","citing_title":"Sleeper Channels and Provenance Gates: Persistent Prompt Injection in Always-on Autonomous AI Agents","ref_index":28,"is_internal_anchor":true},{"citing_arxiv_id":"2604.04035","citing_title":"Causality Laundering: Denial-Feedback Leakage in Tool-Calling LLM Agents","ref_index":6,"is_internal_anchor":true},{"citing_arxiv_id":"2605.10907","citing_title":"Engineering Robustness into Personal Agents with the AI Workflow Store","ref_index":16,"is_internal_anchor":true},{"citing_arxiv_id":"2605.11039","citing_title":"The Granularity Mismatch in Agent Security: Argument-Level Provenance Solves Enforcement and Isolates the LLM Reasoning Bottleneck","ref_index":2,"is_internal_anchor":true},{"citing_arxiv_id":"2605.11026","citing_title":"AgentShield: Deception-based Compromise Detection for Tool-using LLM Agents","ref_index":8,"is_internal_anchor":true},{"citing_arxiv_id":"2604.27819","citing_title":"MCPHunt: An Evaluation Framework for Cross-Boundary Data Propagation in Multi-Server MCP Agents","ref_index":1,"is_internal_anchor":true},{"citing_arxiv_id":"2604.26274","citing_title":"Enforcing Benign Trajectories: A Behavioral Firewall for Structured-Workflow AI Agents","ref_index":12,"is_internal_anchor":true},{"citing_arxiv_id":"2605.09822","citing_title":"Oracle Poisoning: Corrupting Knowledge Graphs to Weaponise AI Agent Reasoning","ref_index":7,"is_internal_anchor":true},{"citing_arxiv_id":"2605.10907","citing_title":"Engineering Robustness into Personal Agents with the AI Workflow Store","ref_index":16,"is_internal_anchor":true},{"citing_arxiv_id":"2605.03378","citing_title":"ARGUS: Defending LLM Agents Against Context-Aware Prompt Injection","ref_index":147,"is_internal_anchor":true},{"citing_arxiv_id":"2605.01970","citing_title":"Trojan Hippo: Weaponizing Agent Memory for Data Exfiltration","ref_index":13,"is_internal_anchor":true},{"citing_arxiv_id":"2605.00314","citing_title":"Semia: Auditing Agent Skills via Constraint-Guided Representation Synthesis","ref_index":5,"is_internal_anchor":true}]},"formal_canon":{"evidence_count":1,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/GUDRED4HSFV4DREQ5ZRUVWD5PD","json":"https://pith.science/pith/GUDRED4HSFV4DREQ5ZRUVWD5PD.json","graph_json":"https://pith.science/api/pith-number/GUDRED4HSFV4DREQ5ZRUVWD5PD/graph.json","events_json":"https://pith.science/api/pith-number/GUDRED4HSFV4DREQ5ZRUVWD5PD/events.json","paper":"https://pith.science/paper/GUDRED4H"},"agent_actions":{"view_html":"https://pith.science/pith/GUDRED4HSFV4DREQ5ZRUVWD5PD","download_json":"https://pith.science/pith/GUDRED4HSFV4DREQ5ZRUVWD5PD.json","view_paper":"https://pith.science/paper/GUDRED4H","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2505.23643&json=true","fetch_graph":"https://pith.science/api/pith-number/GUDRED4HSFV4DREQ5ZRUVWD5PD/graph.json","fetch_events":"https://pith.science/api/pith-number/GUDRED4HSFV4DREQ5ZRUVWD5PD/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/GUDRED4HSFV4DREQ5ZRUVWD5PD/action/timestamp_anchor","attest_storage":"https://pith.science/pith/GUDRED4HSFV4DREQ5ZRUVWD5PD/action/storage_attestation","attest_author":"https://pith.science/pith/GUDRED4HSFV4DREQ5ZRUVWD5PD/action/author_attestation","sign_citation":"https://pith.science/pith/GUDRED4HSFV4DREQ5ZRUVWD5PD/action/citation_signature","submit_replication":"https://pith.science/pith/GUDRED4HSFV4DREQ5ZRUVWD5PD/action/replication_record"}},"created_at":"2026-05-17T23:38:52.611481+00:00","updated_at":"2026-05-17T23:38:52.611481+00:00"}