Securing AI Agents with Information-Flow Control

TL;DR

This paper introduces a formal framework and a new planner, Fides, that uses information-flow control to enhance the security of AI agents, particularly against prompt injection, while maintaining task utility.

Contribution

It develops a formal model for security in AI agents, characterizes enforceable properties, and presents Fides, a planner with novel security primitives and demonstrated effectiveness.

Findings

Fides enforces security policies through dynamic taint-tracking.

The approach enables secure completion of diverse tasks.

Evaluation shows effective security guarantees in AgentDojo.

Abstract

As AI agents become increasingly autonomous and capable, ensuring their security against vulnerabilities such as prompt injection becomes critical. This paper explores the use of information-flow control (IFC) to provide security guarantees for AI agents. We present a formal model to reason about the security and expressiveness of agent planners. Using this model, we characterize the class of properties enforceable by dynamic taint-tracking and construct a taxonomy of tasks to evaluate security and utility trade-offs of planner designs. Informed by this exploration, we present Fides, a planner that tracks confidentiality and integrity labels, deterministically enforces security policies, and introduces novel primitives for selectively hiding information. Its evaluation in AgentDojo demonstrates that this approach enables us to complete a broad range of tasks with security guarantees. A tutorial to walk readers through the the concepts introduced in the paper can be found at https://github.com/microsoft/fides