Search papers, labs, and topics across Lattice.
AgentSecBench is introduced as a benchmark to evaluate the security of LLM agents against prompt injection, privacy leakage, and tool-use integrity violations. It formalizes security concerns into three games鈥攊nstruction-integrity, retrieval-confidentiality, and capability-integrity鈥攂ased on noninterference principles. Experiments with Qwen3 models and various defenses reveal the effectiveness of channel closure techniques and highlight persistent adversarial capabilities.
LLM agents are surprisingly vulnerable: even small models (Qwen3-0.6B and 1.7B) struggle to maintain security boundaries against prompt injection, privacy leakage, and tool-use integrity attacks, despite various defenses.
LLM agents process trusted instructions, retrieved records, and tool observations through a common generative channel. This conflates data flow with authority: an untrusted string can affect a secret-bearing response or an action proposal even when no application policy authorizes that influence. We introduce AgentSecBench as an empirical instantiation of a formal security framework for this problem. The framework defines three games-instruction-integrity, retrieval-confidentiality, and capability-integrity-under a common notion of intent-to-execution noninterference with permitted leakage. It represents an application policy as a projection onto authorized observations and capabilities, distinguishes prompt annotations from enforcing projections, and measures both adversarial advantage and whether a defense closes the relevant model-visible channel before generation. The exact-marker experiments are intentionally one observable instantiation of the games rather than a complete semantic security claim: they test disclosure and forbidden-action distinguishers with unambiguous ground truth. We evaluate six defense classes with Qwen3-0.6B and Qwen3-1.7B on paired adversarial and benign-control executions. The measurements show when risk reduction follows channel closure and when a model-visible adversarial capability remains exploitable. The result is a security-oriented evaluation method: prompt text can describe a boundary, whereas provenance projection, capability restriction, and output validation can enforce one.