Ghost in the Agent: Redefining Information Flow Tracking for LLM Agents
Yuandao Cai, Wensheng Tang, Cheng Wen, Shengchao Qin

TL;DR
NeuroTaint is a novel framework for tracking information flow in LLM agents, addressing the limitations of traditional taint analysis by considering semantic and causal influences.
Contribution
We introduce NeuroTaint, the first taint tracking system tailored for LLM agents that captures semantic transformations and causal influences in information flow.
Findings
NeuroTaint outperforms FIDES in source-sink detection across 400 scenarios.
It remains effective on established security benchmarks like InjecAgent and ToolEmu.
It operates efficiently offline with modest auditing costs.
Abstract
Autonomous Large Language Model (LLM) agents are increasingly deployed to conduct complex tasks by interacting with external tools, APIs, and memory stores. However, processing untrusted external data exposes these agents to severe security threats, such as indirect prompt injection and unauthorized tool execution. Securing these systems requires effective information flow tracking. Yet, traditional taint analysis that is designed for program memory states fundamentally fails when applied to LLMs, where data propagation is governed by probabilistic natural language reasoning. In this paper, we present NeuroTaint, the first comprehensive taint tracking framework tailored for the unique information flow characteristics of LLM agents. Our key insight is that taint propagation in LLM agents must be understood not only as explicit content transfer, but also as semantic transformation, causal…
