Search papers, labs, and topics across Lattice.
This paper introduces ShareLock, a novel multi-tool threshold poisoning attack framework that leverages Shamir's threshold scheme to enhance stealth and fault tolerance in exploiting Model Context Protocol (MCP) interactions. By distributing malicious instructions as secret shares across multiple tool descriptions, ShareLock achieves both information-theoretic secrecy and robustness against detection, effectively bypassing existing defenses. Experimental results across various LLMs and MCP clients reveal that ShareLock outperforms traditional single-tool poisoning methods, achieving over 90% attack success rates while evading detection mechanisms.
ShareLock achieves over 90% success in multi-tool poisoning attacks while remaining undetectable, reshaping the threat landscape for LLM-driven agents.
With the rapid evolution of LLM-driven agents, Model Context Protocol (MCP), an open protocol bridging LLMs with external tools, has quickly become foundational to modern agent ecosystems. However, the expanding adoption of MCP has also introduced novel security concerns such as Tool Poisoning Attack (TPA), which exploit LLM-server interactions to inject malicious prompts. Existing poisoning schemes typically adopt a monolithic plaintext embedding paradigm, which fails to withstand manual inspection or automated detectors. Current research still lacks a systematic analysis on multi-tool poisoning, where multiple tools can be exploited cooperatively to disperse detection risk. In this paper, we introduce ShareLock, a multi-tool threshold poisoning framework that utilizes Shamir's threshold scheme to ensure exceptional stealth and fault tolerance. ShareLock distributes the malicious instruction as benign-looking secret shares across multiple tool descriptions, achieving both information-theoretic secrecy and attack robustness against moderate auditing. After a covert reconstruction trigger is planted during server update, the aggregated shares reconstruct the hidden instruction, resulting in critical breaches of system assets or private data. To evaluate the realistic threat of ShareLock, we constructed a comprehensive benchmark encompassing four multi-tool scenarios and conducted extensive experiments across mainstream LLMs on two distinct MCP clients. Our results demonstrate that ShareLock significantly outperforms existing single-tool poisoning strategies in tool description-based detection while maintaining an average attack success rate exceeding 90%.