Securing AI Agent Execution

• URL: http://arxiv.org/abs/2510.21236v2
• Date: Wed, 29 Oct 2025 13:11:21 GMT
• Title: Securing AI Agent Execution
• Authors: Christoph Bühler, Matteo Biagiola, Luca Di Grazia, Guido Salvaneschi,
• Abstract summary: We introduce AgentBound, the first access control framework for MCP servers.<n>We build a dataset containing the 296 most popular MCP servers, and show that access control policies can be generated automatically from source code with 80.9% accuracy.<n>We also show that AgentBound blocks the majority of security threats in several malicious MCP servers, and that policy enforcement engine introduces negligible overhead.
• Score: 5.599792629509229
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: Large Language Models (LLMs) have evolved into AI agents that interact with external tools and environments to perform complex tasks. The Model Context Protocol (MCP) has become the de facto standard for connecting agents with such resources, but security has lagged behind: thousands of MCP servers execute with unrestricted access to host systems, creating a broad attack surface. In this paper, we introduce AgentBound, the first access control framework for MCP servers. AgentBound combines a declarative policy mechanism, inspired by the Android permission model, with a policy enforcement engine that contains malicious behavior without requiring MCP server modifications. We build a dataset containing the 296 most popular MCP servers, and show that access control policies can be generated automatically from source code with 80.9% accuracy. We also show that AgentBound blocks the majority of security threats in several malicious MCP servers, and that policy enforcement engine introduces negligible overhead. Our contributions provide developers and project managers with a practical foundation for securing MCP servers while maintaining productivity, enabling researchers and tool builders to explore new directions for declarative access control and MCP security.

Related papers

• Securing the Model Context Protocol (MCP): Risks, Controls, and Governance [1.4072883206858737]
  We focus on three types of adversaries that take advantage of MCP s flexibility.<n>Based on early incidents and proof-of-concept attacks, we describe how MCP can increase the attack surface.<n>We propose a set of practical controls, including per-user authentication with scoped authorization.
  arXiv  Detail & Related papers  (2025-11-25T23:24:26Z)
• Toward Understanding Security Issues in the Model Context Protocol Ecosystem [4.3754423452518205]
  We present the first comprehensive security analysis of the Model Context Protocol ecosystem.<n>We decompose MCP ecosystem into three core components: hosts, registries, and servers.<n>We uncover a wide range of vulnerabilities that enable attackers to hijack servers.
  arXiv  Detail & Related papers  (2025-10-18T16:09:05Z)
• Code Agent can be an End-to-end System Hacker: Benchmarking Real-world Threats of Computer-use Agent [64.08182031659047]
  We propose AdvCUA, the first benchmark aligned with real-world TTPs in MITRE ATT&CK Enterprise Matrix.<n>We evaluate the existing five mainstream CUAs, including ReAct, AutoGPT, Gemini CLI, and Cursor CLI.<n>Results demonstrate that current frontier CUAs do not adequately cover OS security-centric threats.
  arXiv  Detail & Related papers  (2025-10-08T03:35:23Z)
• When MCP Servers Attack: Taxonomy, Feasibility, and Mitigation [23.550422942185904]
  Model Context Protocol (MCP) servers enable AI applications to connect to external systems in a plug-and-play manner.<n>Despite this pressing risk, the security implications of MCP servers remain underexplored.<n>We present the first systematic study that treats MCP servers as active threat actors and decomposes them into core components.
  arXiv  Detail & Related papers  (2025-09-29T04:29:58Z)
• Automatic Red Teaming LLM-based Agents with Model Context Protocol Tools [47.32559576064343]
  We propose AutoMalTool, an automated red teaming framework for LLM-based agents by generating malicious MCP tools.<n>Our evaluation shows that AutoMalTool effectively generates malicious MCP tools capable of manipulating the behavior of mainstream LLM-based agents.
  arXiv  Detail & Related papers  (2025-09-25T11:14:38Z)
• LiveMCPBench: Can Agents Navigate an Ocean of MCP Tools? [50.60770039016318]
  We present LiveMCPBench, the first comprehensive benchmark for benchmarking Model Context Protocol (MCP) agents.<n>LiveMCPBench consists of 95 real-world tasks grounded in the MCP ecosystem.<n>Our evaluation covers 10 leading models, with the best-performing model reaching a 78.95% success rate.
  arXiv  Detail & Related papers  (2025-08-03T14:36:42Z)
• Security Challenges in AI Agent Deployment: Insights from a Large Scale Public Competition [101.86739402748995]
  We run the largest public red-teaming competition to date, targeting 22 frontier AI agents across 44 realistic deployment scenarios.<n>We build the Agent Red Teaming benchmark and evaluate it across 19 state-of-the-art models.<n>Our findings highlight critical and persistent vulnerabilities in today's AI agents.
  arXiv  Detail & Related papers  (2025-07-28T05:13:04Z)
• We Should Identify and Mitigate Third-Party Safety Risks in MCP-Powered Agent Systems [48.345884334050965]
  We advocate the research community in LLM safety to pay close attention to the new safety risks issues introduced by MCP.<n>We conduct a series of pilot experiments to demonstrate the safety risks in MCP-powered agent systems is a real threat and its defense is not trivial.
  arXiv  Detail & Related papers  (2025-06-16T16:24:31Z)
• Beyond the Protocol: Unveiling Attack Vectors in the Model Context Protocol (MCP) Ecosystem [16.610726885457847]
  The Model Context Protocol (MCP) is an emerging standard designed to enable seamless interaction between Large Language Model (LLM) applications and external tools or resources.<n>This paper presents the first end-to-end empirical evaluation of attack vectors targeting the MCP ecosystem.
  arXiv  Detail & Related papers  (2025-05-31T08:01:11Z)
• Progent: Programmable Privilege Control for LLM Agents [46.31581986508561]
  We introduce Progent, the first privilege control framework to secure Large Language Models agents.<n>Progent enforces security at the tool level by restricting agents to performing tool calls necessary for user tasks while blocking potentially malicious ones.<n>Thanks to our modular design, integrating Progent does not alter agent internals and only requires minimal changes to the existing agent implementation.
  arXiv  Detail & Related papers  (2025-04-16T01:58:40Z)
• MCP Safety Audit: LLMs with the Model Context Protocol Allow Major Security Exploits [0.0]
  The Model Context Protocol (MCP) is an open protocol that standardizes API calls to large language models (LLMs), data sources, and agentic tools.<n>We show that the current MCP design carries a wide range of security risks for end users.<n>We introduce a safety auditing tool, MCPSafetyScanner, to assess the security of an arbitrary MCP server.
  arXiv  Detail & Related papers  (2025-04-02T21:46:02Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.