Causality Laundering: Denial-Feedback Leakage in Tool-Calling LLM Agents
This addresses a security vulnerability in LLM agents that handle private data and real-world actions, offering a novel enforcement mechanism for causal influence, though it is incremental in the broader field of AI security.
The paper tackles the security problem of denial-feedback leakage in tool-calling LLM agents, where adversaries infer information from denied actions and exfiltrate it through later tool calls, and presents the Agentic Reference Monitor (ARM) that blocks such attacks with sub-millisecond overhead in evaluations.
Tool-calling LLM agents can read private data, invoke external services, and trigger real-world actions, creating a security problem at the point of tool execution. We identify a denial-feedback leakage pattern, which we term causality laundering, in which an adversary probes a protected action, learns from the denial outcome, and exfiltrates the inferred information through a later seemingly benign tool call. This attack is not captured by flat provenance tracking alone because the leaked information arises from causal influence of the denied action, not direct data flow. We present the Agentic Reference Monitor (ARM), a runtime enforcement layer that mediates every tool invocation by consulting a provenance graph over tool calls, returned data, field-level provenance, and denied actions. ARM propagates trust through an integrity lattice and augments the graph with counterfactual edges from denied-action nodes, enabling enforcement over both transitive data dependencies and denial-induced causal influence. In a controlled evaluation on three representative attack scenarios, ARM blocks causality laundering, transitive taint propagation, and mixed-provenance field misuse that a flat provenance baseline misses, while adding sub-millisecond policy evaluation overhead. These results suggest that denial-aware causal provenance is a useful abstraction for securing tool-calling agent systems.