Breaking and Fixing Defenses Against Control-Flow Hijacking in Multi-Agent Systems
This addresses security vulnerabilities in multi-agent systems, which are critical for applications like autonomous systems and AI assistants, but the approach is incremental as it builds on control-flow integrity principles.
The paper tackled control-flow hijacking attacks in multi-agent systems by demonstrating that existing defenses like LlamaFirewall are evadable, and proposed ControlValve, a new defense that enforces permitted control-flow graphs and contextual rules, achieving a 98% reduction in successful attacks in evaluations.
Control-flow hijacking attacks manipulate orchestration mechanisms in multi-agent systems into performing unsafe actions that compromise the system and exfiltrate sensitive information. Recently proposed defenses, such as LlamaFirewall, rely on alignment checks of inter-agent communications to ensure that all agent invocations are "related to" and "likely to further" the original objective. We start by demonstrating control-flow hijacking attacks that evade these defenses even if alignment checks are performed by advanced LLMs. We argue that the safety and functionality objectives of multi-agent systems fundamentally conflict with each other. This conflict is exacerbated by the brittle definitions of "alignment" and the checkers' incomplete visibility into the execution context. We then propose, implement, and evaluate ControlValve, a new defense inspired by the principles of control-flow integrity and least privilege. ControlValve (1) generates permitted control-flow graphs for multi-agent systems, and (2) enforces that all executions comply with these graphs, along with contextual rules (generated in a zero-shot manner) for each agent invocation.