{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2025:GUDRED4HSFV4DREQ5ZRUVWD5PD","short_pith_number":"pith:GUDRED4H","schema_version":"1.0","canonical_sha256":"3507120f87916bc1c490ee634ad87d78c2370c8b22b677fd29c110ecaac5ad43","source":{"kind":"arxiv","id":"2505.23643","version":2},"attestation_state":"computed","paper":{"title":"Securing AI Agents with Information-Flow Control","license":"http://creativecommons.org/licenses/by/4.0/","headline":"Fides applies information-flow control to AI agent planners to enforce security policies against prompt injection while preserving task utility.","cross_cats":["cs.AI"],"primary_cat":"cs.CR","authors_text":"Aashish Kolluri, Ahmed Salem, Andrew Paverd, Boris K\\\"opf, Lukas Wutschitz, Manuel Costa, Mark Russinovich, Santiago Zanella-B\\'eguelin, Shruti Tople","submitted_at":"2025-05-29T16:50:41Z","abstract_excerpt":"As AI agents become increasingly autonomous and capable, ensuring their security against vulnerabilities such as prompt injection becomes critical. This paper explores the use of information-flow control (IFC) to provide security guarantees for AI agents. We present a formal model to reason about the security and expressiveness of agent planners. Using this model, we characterize the class of properties enforceable by dynamic taint-tracking and construct a taxonomy of tasks to evaluate security and utility trade-offs of planner designs. Informed by this exploration, we present Fides, a planner"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":true,"formal_links_present":true},"canonical_record":{"source":{"id":"2505.23643","kind":"arxiv","version":2},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2025-05-29T16:50:41Z","cross_cats_sorted":["cs.AI"],"title_canon_sha256":"edd3dae6979bd4f3a8d9cdbcf7f35fb4e585c53f696d9da314c21847365097e2","abstract_canon_sha256":"6f3682787171169b47a76163368cb916334189441b1440ced6b4d3f2edd2f917"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-17T23:38:52.612044Z","signature_b64":"qnCoCLscHXGGn+fZ/YznS0rNbtr5Cki+FAbMrcZFp4VCdxZmD1UCXUHACTm6+YoO9vWCR8cdWLZd7xRXRzsRAw==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"3507120f87916bc1c490ee634ad87d78c2370c8b22b677fd29c110ecaac5ad43","last_reissued_at":"2026-05-17T23:38:52.611353Z","signature_status":"signed_v1","first_computed_at":"2026-05-17T23:38:52.611353Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"Securing AI Agents with Information-Flow Control","license":"http://creativecommons.org/licenses/by/4.0/","headline":"Fides applies information-flow control to AI agent planners to enforce security policies against prompt injection while preserving task utility.","cross_cats":["cs.AI"],"primary_cat":"cs.CR","authors_text":"Aashish Kolluri, Ahmed Salem, Andrew Paverd, Boris K\\\"opf, Lukas Wutschitz, Manuel Costa, Mark Russinovich, Santiago Zanella-B\\'eguelin, Shruti Tople","submitted_at":"2025-05-29T16:50:41Z","abstract_excerpt":"As AI agents become increasingly autonomous and capable, ensuring their security against vulnerabilities such as prompt injection becomes critical. This paper explores the use of information-flow control (IFC) to provide security guarantees for AI agents. We present a formal model to reason about the security and expressiveness of agent planners. Using this model, we characterize the class of properties enforceable by dynamic taint-tracking and construct a taxonomy of tasks to evaluate security and utility trade-offs of planner designs. Informed by this exploration, we present Fides, a planner"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"Fides enables us to complete a broad range of tasks with security guarantees.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The formal model of agent planners and the taxonomy of tasks accurately capture real-world security and utility trade-offs.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Fides is an IFC-based planner that uses dynamic taint-tracking and novel hiding primitives to enforce security policies on AI agents with measurable task utility.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Fides applies information-flow control to AI agent planners to enforce security policies against prompt injection while preserving task utility.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"0fd9a257f067f3f5c355522bdc80929d837430b96535f236f9ef06ef00431249"},"source":{"id":"2505.23643","kind":"arxiv","version":2},"verdict":{"id":"3390cd10-73d3-4a0a-a20b-a9d766f3cf2b","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-15T11:50:59.663951Z","strongest_claim":"Fides enables us to complete a broad range of tasks with security guarantees.","one_line_summary":"Fides is an IFC-based planner that uses dynamic taint-tracking and novel hiding primitives to enforce security policies on AI agents with measurable task utility.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The formal model of agent planners and the taxonomy of tasks accurately capture real-world security and utility trade-offs.","pith_extraction_headline":"Fides applies information-flow control to AI agent planners to enforce security policies against prompt injection while preserving task utility."},"references":{"count":50,"sample":[{"doi":"","year":2025,"title":"Get my drift? catching llm task drift with activation deltas","work_id":"5d2032b0-d97c-478f-80d9-33c36aafee31","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2025,"title":"Guidance: A guidance language for controlling large language models","work_id":"ee65f69d-7029-4bd2-bc06-d04f5b9b6c6c","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2024,"title":"Computer Use (beta)","work_id":"12fb0611-dffd-4a06-9f4e-887ec59c46f1","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2024,"title":"Ahsan Ayub and Subhabrata Majumdar","work_id":"522adc92-59e8-4925-99a2-af24467c9d9c","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2024,"title":"AI agents with formal security guarantees","work_id":"5757efd8-254e-478b-bcb1-a4918294d897","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":50,"snapshot_sha256":"b1cc49b9ae3deccd75cf92781bd7f04bb2893ae018dd463d528feb27bbd8248a","internal_anchors":0},"formal_canon":{"evidence_count":1,"snapshot_sha256":"b31e176abe782fc0c2350e92dd221c6500edfdb58ad35d2ec7264a2f2a561391"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2505.23643","created_at":"2026-05-17T23:38:52.611481+00:00"},{"alias_kind":"arxiv_version","alias_value":"2505.23643v2","created_at":"2026-05-17T23:38:52.611481+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2505.23643","created_at":"2026-05-17T23:38:52.611481+00:00"},{"alias_kind":"pith_short_12","alias_value":"GUDRED4HSFV4","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_16","alias_value":"GUDRED4HSFV4DREQ","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_8","alias_value":"GUDRED4H","created_at":"2026-05-18T12:33:37.589309+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":60,"internal_anchor_count":60,"sample":[{"citing_arxiv_id":"2606.25189","citing_title":"ActPlane: Programmable OS-Level Policy Enforcement for Agent Harnesses","ref_index":13,"is_internal_anchor":true},{"citing_arxiv_id":"2606.24322","citing_title":"Securing LLM-Agent Long-Term Memory Against Poisoning: Non-Malleable, Origin-Bound Authority with Machine-Checked Guarantees","ref_index":27,"is_internal_anchor":true},{"citing_arxiv_id":"2606.24535","citing_title":"Governed Shared Memory for Multi-Agent LLM Systems","ref_index":4,"is_internal_anchor":true},{"citing_arxiv_id":"2606.26627","citing_title":"Agents That Know Too Much: A Data-Centric Survey of Privacy in LLM Agents","ref_index":27,"is_internal_anchor":true},{"citing_arxiv_id":"2606.26524","citing_title":"VIGIL: Runtime Enforcement of Behavioral Specifications in AI Agent Skills","ref_index":19,"is_internal_anchor":true},{"citing_arxiv_id":"2606.26479","citing_title":"Adaptive Evaluation of Out-of-Band Defenses Against Prompt Injection in LLM Agents","ref_index":16,"is_internal_anchor":true},{"citing_arxiv_id":"2606.23277","citing_title":"GIF: Locally Sound Geometric Information Flow Control for LLMs","ref_index":11,"is_internal_anchor":true},{"citing_arxiv_id":"2606.23449","citing_title":"AOHP: An Open-Source OS-Level Agent Harness for Personalized, Efficient and Secure Interaction","ref_index":5,"is_internal_anchor":true},{"citing_arxiv_id":"2606.15057","citing_title":"AutoDojo: Adaptive Black-Box Attacks Reveal the Limits of IPI Defenses and Task-Specification Effects in LLM Agents","ref_index":32,"is_internal_anchor":true},{"citing_arxiv_id":"2607.02357","citing_title":"Cloak and Detonate: Scanner Evasion and Dynamic Detection of Agent Skill Malware","ref_index":48,"is_internal_anchor":true},{"citing_arxiv_id":"2606.10525","citing_title":"Assessing Automated Prompt Injection Attacks in Agentic Environments","ref_index":9,"is_internal_anchor":true},{"citing_arxiv_id":"2605.26542","citing_title":"ChainCaps: Composition-Safe Tool-Using Agents via Monotonic Capability Attenuation","ref_index":3,"is_internal_anchor":true},{"citing_arxiv_id":"2606.25189","citing_title":"ActPlane: Programmable OS-Level Policy Enforcement for Agent Harnesses","ref_index":13,"is_internal_anchor":true},{"citing_arxiv_id":"2606.04990","citing_title":"From Agent Traces to Trust: A Survey of Evidence Tracing and Execution Provenance in LLM Agents","ref_index":20,"is_internal_anchor":true},{"citing_arxiv_id":"2606.04141","citing_title":"Caught in the Act(ivation): Toward Pre-Output and Multi-Turn Detection of Credential Exfiltration by LLM Agents","ref_index":4,"is_internal_anchor":true},{"citing_arxiv_id":"2606.02965","citing_title":"What Benchmarks Don't Measure: The Case for Evaluating Abstention Competence in Autonomous Agents","ref_index":3,"is_internal_anchor":true},{"citing_arxiv_id":"2606.02668","citing_title":"What You Approve Is What Executes: Consent Integrity for Black-Box LLM Agents","ref_index":14,"is_internal_anchor":true},{"citing_arxiv_id":"2605.12863","citing_title":"Language-Based Agent Control","ref_index":4,"is_internal_anchor":true},{"citing_arxiv_id":"2605.10907","citing_title":"Engineering Robustness into Personal Agents with the AI Workflow Store","ref_index":16,"is_internal_anchor":true},{"citing_arxiv_id":"2605.26542","citing_title":"ChainCaps: Composition-Safe Tool-Using Agents via Monotonic Capability Attenuation","ref_index":3,"is_internal_anchor":true},{"citing_arxiv_id":"2605.24309","citing_title":"Reframing LLM Agent Security as an Agent-Human Interaction Problem","ref_index":11,"is_internal_anchor":true},{"citing_arxiv_id":"2605.26542","citing_title":"ChainCaps: Composition-Safe Tool-Using Agents via Monotonic Capability Attenuation","ref_index":3,"is_internal_anchor":true},{"citing_arxiv_id":"2606.04990","citing_title":"From Agent Traces to Trust: A Survey of Evidence Tracing and Execution Provenance in LLM Agents","ref_index":20,"is_internal_anchor":true},{"citing_arxiv_id":"2606.29788","citing_title":"MemLeak: Diagnosing Information Leaks in Multimodal Agent Memory","ref_index":41,"is_internal_anchor":true},{"citing_arxiv_id":"2605.26497","citing_title":"Aligning Provenance with Authorization: A Dual-Graph Defense for LLM Agents","ref_index":3,"is_internal_anchor":true}]},"formal_canon":{"evidence_count":1,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/GUDRED4HSFV4DREQ5ZRUVWD5PD","json":"https://pith.science/pith/GUDRED4HSFV4DREQ5ZRUVWD5PD.json","graph_json":"https://pith.science/api/pith-number/GUDRED4HSFV4DREQ5ZRUVWD5PD/graph.json","events_json":"https://pith.science/api/pith-number/GUDRED4HSFV4DREQ5ZRUVWD5PD/events.json","paper":"https://pith.science/paper/GUDRED4H"},"agent_actions":{"view_html":"https://pith.science/pith/GUDRED4HSFV4DREQ5ZRUVWD5PD","download_json":"https://pith.science/pith/GUDRED4HSFV4DREQ5ZRUVWD5PD.json","view_paper":"https://pith.science/paper/GUDRED4H","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2505.23643&json=true","fetch_graph":"https://pith.science/api/pith-number/GUDRED4HSFV4DREQ5ZRUVWD5PD/graph.json","fetch_events":"https://pith.science/api/pith-number/GUDRED4HSFV4DREQ5ZRUVWD5PD/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/GUDRED4HSFV4DREQ5ZRUVWD5PD/action/timestamp_anchor","attest_storage":"https://pith.science/pith/GUDRED4HSFV4DREQ5ZRUVWD5PD/action/storage_attestation","attest_author":"https://pith.science/pith/GUDRED4HSFV4DREQ5ZRUVWD5PD/action/author_attestation","sign_citation":"https://pith.science/pith/GUDRED4HSFV4DREQ5ZRUVWD5PD/action/citation_signature","submit_replication":"https://pith.science/pith/GUDRED4HSFV4DREQ5ZRUVWD5PD/action/replication_record"}},"created_at":"2026-05-17T23:38:52.611481+00:00","updated_at":"2026-05-17T23:38:52.611481+00:00"}