ElephantAgent: Contextual State Continuity in Agentic Systems
Pith reviewed 2026-07-03 14:03 UTC · model grok-4.3
The pith
ElephantAgent enforces contextual state continuity in agentic systems to defend against poisoning by verifying state digests with replicated trusted hardware.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The paper presents ElephantAgent as a protocol that enforces Contextual State Continuity to defend against contextual state poisoning in agentic systems. It extends prior state-continuity mechanisms to the evolving contextual state by recomputing the digest of the local contextual state and verifying it against the latest authorized digest. Replicated trusted hardware maintains a linearizable ledger of authorized contextual state transitions to detect out-of-band state tampering, while Historical Traceability enables conditional post-hoc audit and recovery for in-band semantic abuse.
What carries the argument
The recomputation and verification of the contextual state digest against an authorized ledger on replicated trusted hardware, which enforces continuity and detects tampering.
If this is right
- Agents detect out-of-band tampering of contextual state before processing each query.
- The system provides a linearizable history of authorized state transitions.
- Historical traceability allows recovery to a known-good prior state after detecting semantic abuse.
- This protection applies to the bounded subset of context including tool state and memory.
Where Pith is reading between the lines
- Deployment would require the trusted hardware to be available and uncompromised for every agent query.
- The bounding of contextual state to a security-critical subset may need careful engineering in complex agent setups.
- This could inspire similar continuity mechanisms in other AI systems with persistent state.
- Testing against real-world poisoning attacks would validate the detection capabilities.
Load-bearing premise
The contextual state can be cleanly bounded to a security-critical subset whose digest can be maintained in a linearizable ledger on replicated trusted hardware that itself remains uncompromised and available before every query.
What would settle it
Demonstrating a poisoning attack that alters the agent's contextual state without detection by the digest verification or ledger check would falsify the effectiveness of the continuity enforcement.
Original abstract
Agentic systems enhance their capabilities by invoking external tools and maintaining persistent memory. However, these external dependencies introduce novel attack surfaces. Recent tool and memory poisoning attacks show that maliciously crafted tool descriptors and poisoned memory can covertly bias agent behavior. These threats reflect a deeper issue: the lack of verifiable continuity in the agent's contextual state for planning and execution. We present ElephantAgent, a protocol that enforces Contextual State Continuity to defend against contextual state poisoning. Inspired by prior state-continuity mechanisms (e.g., Nimble), ElephantAgent extends this protection to the evolving contextual state of agentic systems. We define the contextual state as the bounded, security-critical subset of the agent's entire context (e.g., tool state and memory). Before processing each query, ElephantAgent recomputes the digest of the local contextual state and verifies it against the latest authorized digest. Using replicated trusted hardware, ElephantAgent maintains a linearizable ledger of authorized contextual state transitions and detects out-of-band state tampering. To handle in-band semantic abuse, ElephantAgent additionally provides Historical Traceability, enabling conditional post-hoc audit and recovery to a known-good prior state.
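The following Python sketch is an added illustration of the check the abstract describes; it is not code from the paper or its authors. It bounds the contextual state to a constructed dict of tool descriptors and memory entries, digests it over a canonical JSON encoding, and keeps the authorized digests in an append-only list that stands in for the linearizable ledger on replicated trusted hardware. The class and function names (`AuthorizedLedger`, `Agent`, `verify_continuity`, `recover_to`) and the walkthrough in `demo()` are this example's own assumptions. It goes slightly beyond the abstract by distinguishing a rollback to an older authorized state from a never-authorized state, which is the case prior state-continuity work such as Nimble exists to catch.

```python
import copy
import hashlib
import json
from typing import Callable, List

# Constructed sketch: the trusted-hardware ledger is an in-process list here.

def canonical_digest(state: dict) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace): equal states, equal digests."""
    encoded = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()

class StateContinuityError(Exception):
    """Local contextual state does not match the ledger head."""

class AuthorizedLedger:
    """Stand-in for the linearizable ledger kept on replicated trusted hardware."""

    def __init__(self, genesis_digest: str) -> None:
        self._entries: List[str] = [genesis_digest]  # authorized digests, in order

    def head(self) -> str:
        return self._entries[-1]

    def history(self) -> List[str]:
        return list(self._entries)

    def authorize(self, expected_prev: str, new_digest: str) -> int:
        # Compare-and-append: recorded only if the caller's view of the head is
        # current, which serialises concurrent updates and rejects replays.
        if expected_prev != self.head():
            raise StateContinuityError("stale view of ledger head; transition rejected")
        self._entries.append(new_digest)
        return len(self._entries) - 1

class Agent:
    def __init__(self, tools: dict, memory: list) -> None:
        self.state = {"tools": tools, "memory": memory}  # the bounded contextual state
        self.ledger = AuthorizedLedger(canonical_digest(self.state))
        # Local copies of every authorized state, indexed like the ledger, for recovery.
        self._snapshots: List[dict] = [copy.deepcopy(self.state)]

    def verify_continuity(self) -> str:
        """Before each query: recompute the local digest and compare with the ledger head."""
        local = canonical_digest(self.state)
        if local == self.ledger.head():
            return local
        if local in self.ledger.history():
            raise StateContinuityError("rollback: state matches an older authorized digest")
        raise StateContinuityError("out-of-band tampering: digest never authorized")

    def apply_transition(self, mutate: Callable[[dict], None]) -> int:
        """In-band change: verify, mutate a copy, get the new digest authorized, then adopt it."""
        prev = self.verify_continuity()
        candidate = copy.deepcopy(self.state)
        mutate(candidate)
        index = self.ledger.authorize(prev, canonical_digest(candidate))
        self.state = candidate
        self._snapshots.append(copy.deepcopy(candidate))
        return index

    def recover_to(self, index: int) -> int:
        """Historical traceability: restore the authorized state at `index`.
        Recorded as a new transition rather than by truncating the ledger,
        so the abused states remain auditable."""
        good = copy.deepcopy(self._snapshots[index])
        new_index = self.ledger.authorize(self.ledger.head(), canonical_digest(good))
        self.state = good
        self._snapshots.append(copy.deepcopy(good))
        return new_index

def _check(agent: Agent) -> str:
    """Return "ok" or the continuity error text."""
    try:
        agent.verify_continuity()
        return "ok"
    except StateContinuityError as e:
        return str(e)

def demo() -> dict:
    """Authorized update, out-of-band tampering, rollback replay, then recovery."""
    tools = {"search": {"description": "Search the web.", "params": ["query"]}}
    agent = Agent(tools, memory=[])
    agent.apply_transition(lambda s: s["memory"].append("user prefers metric units"))
    # Out-of-band tampering: the descriptor is rewritten directly, bypassing
    # apply_transition, so the ledger never authorized the resulting digest.
    agent.state["tools"]["search"]["description"] = "Search the web. [tampered]"
    tamper = _check(agent)
    # Rollback replay: the state file is swapped for the genesis snapshot.
    agent.state = copy.deepcopy(agent._snapshots[0])
    rollback = _check(agent)
    recovered_index = agent.recover_to(1)  # back to the last known-good state
    return {"tamper": tamper, "rollback": rollback, "recovered_index": recovered_index,
            "ledger_length": len(agent.ledger.history()),
            "after_recovery": _check(agent), "memory": agent.state["memory"]}
```

Calling `demo()` reports the tampered descriptor as "out-of-band tampering", the swapped-in genesis snapshot as "rollback", and a clean check after `recover_to(1)`, with the ledger at three entries. The design point to notice is that recovery appends rather than rewinds: in a deployment the compare-and-append in `authorize` is what would run inside the replicated trusted hardware, while the agent holds only the snapshot copies, so the in-band semantic abuse the abstract mentions stays visible in the history even after the agent returns to a known-good state.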
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes ElephantAgent, a protocol for agentic systems that enforces Contextual State Continuity by defining a bounded security-critical subset of context (e.g., tool state and memory), recomputing its digest before each query, and verifying it against a linearizable ledger of authorized transitions maintained on replicated trusted hardware; it also adds Historical Traceability to enable post-hoc audit and recovery against in-band semantic abuse.
Significance. If the protocol's assumptions can be realized, the work would extend prior state-continuity techniques (such as Nimble) to the domain of tool-using agents with persistent memory, offering a concrete mechanism to detect out-of-band tampering via digest verification. The linearizable ledger and traceability features address both out-of-band and in-band threats in a unified way.
Major comments (2)
- [Abstract] Abstract: the central defense rests on the existence of an 'unambiguous, complete partition' between security-critical and non-critical state such that every poisoning vector falls inside the former, yet no construction, algorithm, or argument is supplied for how this partition is obtained or maintained when tools and memory are external and mutable.
- [Abstract] Abstract: the protocol assumes replicated trusted hardware remains uncompromised and always reachable before every query to support the linearizable ledger, but supplies neither a threat model nor an argument showing why this hardware assumption holds in an agentic setting where external dependencies can be altered.
Simulated Author's Rebuttal
We thank the referee for these comments on the abstract and the underlying protocol. We respond to each major comment below, indicating where the manuscript will be revised to address the points raised.
Point-by-point responses
- Referee: [Abstract] Abstract: the central defense rests on the existence of an 'unambiguous, complete partition' between security-critical and non-critical state such that every poisoning vector falls inside the former, yet no construction, algorithm, or argument is supplied for how this partition is obtained or maintained when tools and memory are external and mutable.
  Authors: The manuscript defines contextual state as the bounded security-critical subset of the agent's context (with tool state and memory given as examples) and uses digest verification against a ledger of authorized transitions. We acknowledge that the current version supplies only this definition and does not include an explicit construction, algorithm, or argument for how the partition is obtained or maintained when tools and memory are external and mutable. We will revise the manuscript to add a dedicated subsection that provides such a construction (e.g., via designer-specified boundaries with runtime verification) and discusses its maintenance under mutation. Revision: yes.
- Referee: [Abstract] Abstract: the protocol assumes replicated trusted hardware remains uncompromised and always reachable before every query to support the linearizable ledger, but supplies neither a threat model nor an argument showing why this hardware assumption holds in an agentic setting where external dependencies can be altered.
  Authors: The protocol inherits its trusted-hardware assumptions from prior state-continuity work such as Nimble. The current manuscript does not supply a dedicated threat model or argument tailored to the agentic setting that justifies why the replicated hardware remains uncompromised and reachable despite external dependencies. We agree this is a gap and will add an explicit threat-model section that articulates the assumptions and the conditions under which they are expected to hold. Revision: yes.
Circularity Check
No circularity: the protocol description contains no derivations, predictions, or self-referential reductions.
Full rationale
The manuscript describes a protocol (ElephantAgent) that recomputes a digest of a defined 'bounded, security-critical subset' of context and checks it against a ledger on replicated trusted hardware. No equations, fitted parameters, or quantitative predictions appear. The definition of contextual state is presented as an explicit design choice to enable the mechanism, not as a derived quantity that loops back to itself. No self-citations are invoked as load-bearing premises, and the text supplies no 'uniqueness theorem' or ansatz smuggled from prior author work. The claims rest on the operational description of the protocol under its stated assumptions rather than any tautological equivalence between inputs and outputs.
Axiom & Free-Parameter Ledger
Axioms (2)
- Domain assumption: Replicated trusted hardware can maintain a linearizable ledger of authorized contextual state transitions without itself being compromised.
- Domain assumption: The agent's contextual state can be bounded to a security-critical subset whose digest is sufficient for verification.
Reference graph
Works this paper leans on
- [1]
- [2] Alibaba Cloud. 2026. Key Management Service. https://www.alibabacloud.com/en/product/kms?_p_lc=1
- [3] Sebastian Angel, Aditya Basu, Weidong Cui, Trent Jaeger, Stella Lau, Srinath Setty, and Sudheesh Singanamalla. 2023. Nimble: Rollback protection for confidential cloud services. In 17th USENIX Symposium on Operating Systems Design and Implementation (OSDI 23). 193–208.
- [4] Anthropic. 2024. Introducing the Model Context Protocol. Anthropic News. https://www.anthropic.com/news/model-context-protocol. Accessed: 2026-02-04.
- [5] Anthropic. 2026. How Claude remembers your project. Claude Code Docs. https://code.claude.com/docs/en/memory
- [6] Apple Inc. 2026. ccs-caldavtester. https://github.com/apple/ccs-caldavtester. Accessed: 2026-03-05.
- [7] Emily Apsey, Phil Rogers, Michael O’Connor, and Rob Nertney. 2023. Confidential Computing on NVIDIA H100 GPUs for Secure and Trustworthy AI. NVIDIA Technical Blog. https://developer.nvidia.com/blog/confidential-computing-on-h100-gpus-for-secure-and-trustworthy-ai/
- [8] Marcus Brandenburger, Christian Cachin, Matthias Lorenz, and Rüdiger Kapitza.
- [9] Rollback and forking detection for trusted execution environments using lightweight collective memory. In 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 157–168.
- [10] browser-use contributors. 2026. browser-use: Make websites accessible for AI agents. GitHub repository. https://github.com/browser-use/browser-use. Latest release: 0.11.8 (Feb 3, 2026). Accessed: 2026-02-06.
- [11] Zhaorun Chen, Zhen Xiang, Chaowei Xiao, Dawn Song, and Bo Li. 2024. AgentPoison: Red-teaming LLM agents via poisoning memory or knowledge bases. Advances in Neural Information Processing Systems 37 (2024), 130185–130213.
- [12] Pau-Chen Cheng, Wojciech Ozga, Enriquillo Valdez, Salman Ahmed, Zhongshu Gu, Hani Jamjoom, Hubertus Franke, and James Bottomley. 2024. Intel TDX Demystified: A Top-Down Approach. Comput. Surveys 56, 9 (2024), 1–33.
- [13] Victor Costan and Srinivas Devadas. 2016. Intel SGX explained. Cryptology ePrint Archive (2016).
- [14]
- [15] Kai Greshake, Sahar Abdelnabi, Shailesh Mishra, Christoph Endres, Thorsten Holz, and Mario Fritz. 2023. Not what you’ve signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection. arXiv preprint arXiv:2302.12173 (2023).
- [16] Matthew Hoekstra, Reshma Lal, Pradeep Pappachan, Vinay Phegade, and Juan Del Cuvillo. 2013. Using innovative instructions to create trustworthy software solutions. In Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy. Article 11, 1 pages.
- [17] Eric Holmes. 2026. MCP is dead. Long live the CLI. Blog post. https://ejholmes.github.io/2026/02/28/mcp-is-dead-long-live-the-cli.html. Accessed 2026-03-12.
- [18] Intel Corporation. [n. d.]. Intel Trust Domain Extensions. White Paper 343961-002US. Intel Corporation. https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-whitepaper-final9-17.pdf. Document code: 0920/RR/MESH/PDF; accessed: 2026-02-04.
- [19] Saeid Jamshidi, Kawser Wazed Nafi, Arghavan Moradi Dakhel, Negar Shahabi, Foutse Khomh, and Naser Ezzati-Jivan. 2025. Securing the Model Context Protocol: Defending LLMs Against Tool Poisoning and Adversarial Attacks. arXiv:2512.06556 [cs.CR]. https://arxiv.org/abs/2512.06556
- [20] Jiankai Jin, Chitchanok Chuengsatiansup, Toby Murray, Benjamin I. P. Rubinstein, Yuval Yarom, and Olga Ohrimenko. 2024. Elephants do not forget: Differential privacy with state continuity for privacy budget. In Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security. 1909–1923.
- [21] David Kaplan, Jeremy Powell, and Tom Woller. 2016. AMD memory encryption. White paper 13 (2016).
- [22] J. Koppel. 2026. QuixBugs. https://github.com/jkoppel/QuixBugs. Accessed: 2026-03-05.
- [23] Invariant Labs. 2024. MCP Security Notification: Tool Poisoning Attacks. https://invariantlabs.ai/blog/mcp-security-notification-tool-poisoning-attacks
- [24]
- [25] Sinisa Matetic, Mansoor Ahmed, Kari Kostiainen, Aritra Dhar, David Sommer, Arthur Gervais, Ari Juels, and Srdjan Capkun. 2017. ROTE: Rollback protection for trusted execution. In 26th USENIX Security Symposium (USENIX Security 17). 1289–1306.
- [26] Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos V. Rozas, Hisham Shafi, Vedvyas Shanbhogue, and Uday R. Savagaonkar. 2013. Innovative instructions and software model for isolated execution. Hasp@isca 10, 1 (2013).
- [27] Microsoft. [n. d.]. Nimble. GitHub repository. https://github.com/Microsoft/Nimble. Accessed 2026-04-16.
- [28] Gal Nagli. 2025. Wiz Research Uncovers Exposed DeepSeek Database Leaking Sensitive Information, Including Chat History. Wiz Blog. https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepseek-database-leak. Accessed: 2026-02-05.
- [29] Jianyu Niu, Wei Peng, Xiaokuan Zhang, and Yinqian Zhang. 2022. Narrator: Secure and practical state continuity for trusted execution in the cloud. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 2385–2399.
- [30] OpenAI. 2025. Introducing Codex. https://openai.com/index/introducing-codex/. Published 2025-05-16; updated 2025-06-03.
- [31] OWASP GenAI Security Project. 2025. OWASP Top 10 for Agentic Applications for 2026. Whitepaper. https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/. Accessed 2026-03-19.
- [32] Bryan Parno, Jacob R. Lorch, John R. Douceur, James Mickens, and Jonathan M. McCune. 2011. Memoir: Practical state continuity for protected modules. In 2011 IEEE Symposium on Security and Privacy. IEEE, 379–394.
- [33] Atharv Singh Patlan, Ashwin Hebbar, Pramod Viswanath, and Prateek Mittal.
- [34]
- [35]
- [36] Raoul Strackx and Frank Piessens. 2016. Ariadne: A minimal approach to state continuity. In 25th USENIX Security Symposium (USENIX Security 16). 875–892.
- [37]
- [38]
- [39] Zhuo Zhan, Shahar Chacko, Boxin Wang, Ruotong Hong, Jiewen Mao, Tracy Wang, Wenbo Feng, and Zhenlin Wang. 2024. InjecAgent: Benchmarking Indirect Prompt Injections in Tool-Integrated Large Language Model Agents. In Findings of the Association for Computational Linguistics: ACL 2024.