AgentArmor: Enforcing Program Analysis on Agent Runtime Trace to Defend Against Prompt Injection

TL;DR

AgentArmor transforms LLM agent runtime traces into structured program representations to analyze and enforce security policies, significantly reducing prompt injection risks with minimal utility loss.

Contribution

This work introduces AgentArmor, a novel framework that applies program analysis techniques to agent runtime traces for security enforcement, a new approach in LLM agent security.

Findings

Reduces attack success rate to 3%

Maintains 99% utility of agent functions

Effectively detects security policy violations

Abstract

Large Language Model (LLM) agents offer a powerful new paradigm for solving various problems by combining natural language reasoning with the execution of external tools. However, their dynamic and non-transparent behavior introduces critical security risks, particularly in the presence of prompt injection attacks. In this work, we propose a novel insight that treats the agent runtime traces as structured programs with analyzable semantics. Thus, we present AgentArmor, a program analysis framework that converts agent traces into graph intermediate representation-based structured program dependency representations (e.g., CFG, DFG, and PDG) and enforces security policies via a type system. AgentArmor consists of three key components: (1) a graph constructor that reconstructs the agent's runtime traces as graph-based intermediate representations with control and data flow described within; (2) a property registry that attaches security-relevant metadata of interacted tools \& data, and (3) a type system that performs static inference and checking over the intermediate representation. By representing agent behavior as structured programs, AgentArmor enables program analysis for sensitive data flow, trust boundaries, and policy violations. We evaluate AgentArmor on the AgentDojo benchmark, the results show that AgentArmor can reduce the ASR to 3\%, with the utility drop only 1\%.