CR · AI · CL · LG · SE · Aug 2, 2025

AgentArmor: Enforcing Program Analysis on Agent Runtime Trace to Defend Against Prompt Injection

arXiv:2508.01249v3 · 24 citations · h-index: 8
Originality: Highly original
AI Analysis

This work addresses critical security vulnerabilities in LLM agents for developers and users, offering a novel defense mechanism against prompt injection attacks.

The paper tackles the security risks of LLM agents against prompt injection attacks by proposing AgentArmor, a program analysis framework that converts agent runtime traces into structured representations and enforces security policies, reducing the attack success rate to 3% with only a 1% utility drop.

Large Language Model (LLM) agents offer a powerful new paradigm for solving various problems by combining natural language reasoning with the execution of external tools. However, their dynamic and non-transparent behavior introduces critical security risks, particularly in the presence of prompt injection attacks. In this work, we propose a novel insight that treats the agent runtime traces as structured programs with analyzable semantics. Thus, we present AgentArmor, a program analysis framework that converts agent traces into graph intermediate representation-based structured program dependency representations (e.g., CFG, DFG, and PDG) and enforces security policies via a type system. AgentArmor consists of three key components: (1) a graph constructor that reconstructs the agent's runtime traces as graph-based intermediate representations with control and data flow described within; (2) a property registry that attaches security-relevant metadata of interacted tools & data; and (3) a type system that performs static inference and checking over the intermediate representation. By representing agent behavior as structured programs, AgentArmor enables program analysis for sensitive data flow, trust boundaries, and policy violations. We evaluate AgentArmor on the AgentDojo benchmark; the results show that AgentArmor can reduce the ASR to 3%, with a utility drop of only 1%.
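The three components named in the abstract can be illustrated with a small sketch. This is an added example, not AgentArmor's code or the authors' algorithm: the tool names, the trace fields (`args_from`, `decided_after`), the two-level trust lattice and the single sink policy are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

TRUSTED, UNTRUSTED = 0, 1  # two-point integrity lattice (assumed); join is max()

# Property registry (hypothetical tools): output integrity, and whether a call is a sink.
REGISTRY = {
    "user_prompt": {"out": TRUSTED, "sink": False},
    "read_inbox": {"out": UNTRUSTED, "sink": False},  # attacker-writable content
    "send_money": {"out": TRUSTED, "sink": True},
}

@dataclass
class Node:
    tool: str
    data_deps: list = field(default_factory=list)  # outputs that feed the arguments
    ctrl_deps: list = field(default_factory=list)  # outputs read before the call was chosen

def build_graph(trace):
    """Graph constructor: trace events (constructed format) -> dependency graph."""
    return {e["id"]: Node(e["tool"], e.get("args_from", []), e.get("decided_after", []))
            for e in trace}

def infer_labels(graph):
    """Inference: label = join of the tool's output label and all dependency labels."""
    labels = {}
    for nid, n in graph.items():  # trace order is already a topological order
        deps = n.data_deps + n.ctrl_deps
        labels[nid] = max([REGISTRY[n.tool]["out"]] + [labels[d] for d in deps])
    return labels

def check(graph):
    """Checking: report each sink call that depends on an untrusted node."""
    labels, violations = infer_labels(graph), []
    for nid, n in graph.items():
        bad = sorted({d for d in n.data_deps + n.ctrl_deps if labels[d] == UNTRUSTED})
        if REGISTRY[n.tool]["sink"] and bad:
            violations.append((nid, bad))
    return violations

# Constructed traces: the same payment task, without and with a poisoned e-mail.
BENIGN = [
    {"id": "u0", "tool": "user_prompt"},
    {"id": "t1", "tool": "send_money", "args_from": ["u0"], "decided_after": ["u0"]},
]
INJECTED = [
    {"id": "u0", "tool": "user_prompt"},
    {"id": "t1", "tool": "read_inbox", "decided_after": ["u0"]},
    {"id": "t2", "tool": "send_money", "args_from": ["t1"], "decided_after": ["u0", "t1"]},
]
```

`check(build_graph(INJECTED))` flags the `send_money` call because both its arguments and the decision to make it depend on the untrusted inbox content, while the benign trace passes.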
