Causality Laundering: Denial-Feedback Leakage in Tool-Calling LLM Agents
Mohammad Hossein Chinaei

TL;DR
This paper identifies a new security vulnerability in tool-calling language models called causality laundering, and proposes the Agentic Reference Monitor (ARM) to prevent such attacks by tracking causal influence and denial effects.
Contribution
The paper introduces causality laundering as a novel attack pattern and presents ARM, a runtime enforcement layer that enhances provenance tracking to secure tool-calling LLM agents.
Findings
ARM effectively blocks causality laundering attacks
ARM adds minimal overhead to policy evaluation
Provenance augmentation improves security against causal influence leaks
Abstract
Tool-calling LLM agents can read private data, invoke external services, and trigger real-world actions, creating a security problem at the point of tool execution. We identify a denial-feedback leakage pattern, which we term causality laundering, in which an adversary probes a protected action, learns from the denial outcome, and exfiltrates the inferred information through a later seemingly benign tool call. This attack is not captured by flat provenance tracking alone because the leaked information arises from causal influence of the denied action, not direct data flow. We present the Agentic Reference Monitor (ARM), a runtime enforcement layer that mediates every tool invocation by consulting a provenance graph over tool calls, returned data, field-level provenance, and denied actions. ARM propagates trust through an integrity lattice and augments the graph with counterfactual edges…
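As an added illustration (not the paper's code, and a hypothetical simplification rather than ARM's actual design), the following Python model shows the distinction the abstract draws: the same probe-then-send sequence passes a flat data-flow check but is blocked once denied actions are recorded as provenance nodes with a causal edge to the calls that follow them. The tool names and the scenario are constructed, and the integrity lattice is not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    """Provenance-graph node: a tool call, a returned datum, or a denied action."""
    id: int
    kind: str                                  # "call", "data" or "denied"
    tool: str
    parents: set = field(default_factory=set)  # data-flow edges (event ids)
    causal: set = field(default_factory=set)   # causal-influence edges (event ids)

class ToyMonitor:
    """Hypothetical reference monitor (not ARM's implementation). Outbound calls are
    blocked when reachable from a denied action. track_causal=False follows only
    data-flow edges (flat provenance); True also links each call to earlier denials."""
    def __init__(self, protected, outbound, track_causal=True):
        self.protected, self.outbound = set(protected), set(outbound)
        self.track_causal, self.events, self.denials = track_causal, [], set()
    def _add(self, kind, tool, parents=(), causal=()):
        ev = Event(len(self.events), kind, tool, set(parents), set(causal))
        self.events.append(ev)
        return ev
    def _reaches_denial(self, ev):
        stack, seen = [ev], set()              # depth-first walk over both edge kinds
        while stack:
            cur = stack.pop()
            if cur.id in seen:
                continue
            seen.add(cur.id)
            if cur.kind == "denied":
                return True
            stack.extend(self.events[i] for i in cur.parents | cur.causal)
        return False
    def call(self, tool, inputs=()):
        """Mediate one tool call; returns (outcome, id of returned data or None)."""
        if tool in self.protected:
            self.denials.add(self._add("denied", tool, inputs).id)
            return "denied", None
        causal = self.denials if self.track_causal else set()  # agent saw the denials
        ev = self._add("call", tool, inputs, causal)
        if tool in self.outbound and self._reaches_denial(ev):
            return "blocked", None
        return "allowed", self._add("data", tool, {ev.id}).id

def laundering_scenario(track_causal):
    m = ToyMonitor({"delete_records"}, {"send_email"}, track_causal)  # constructed tools
    _, note = m.call("read_file")                   # innocuous data the message cites
    probe, _ = m.call("delete_records")             # denied; the outcome is informative
    exfil, _ = m.call("send_email", inputs={note})  # no data flow from the denial
    return probe, exfil
```

With flat provenance the final send is allowed because nothing from the denied action flows into it; with the causal edge it is blocked, which is the gap the abstract describes.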
