English

Taming Various Privilege Escalation in LLM-Based Agent Systems: A Mandatory Access Control Framework

Cryptography and Security 2026-01-21 v1

Abstract

Large Language Model (LLM)-based agent systems are increasingly deployed for complex real-world tasks but remain vulnerable to natural language-based attacks that exploit over-privileged tool use. This paper aims to understand and mitigate such attacks through the lens of privilege escalation, defined as agent actions exceeding the least privilege required for a user's intended task. Based on a formal model of LLM agent systems, we identify novel privilege escalation scenarios, particularly in multi-agent systems, including a variant akin to the classic confused deputy problem. To defend against both known and newly demonstrated privilege escalation, we propose SEAgent, a mandatory access control (MAC) framework built upon attribute-based access control (ABAC). SEAgent monitors agent-tool interactions via an information flow graph and enforces customizable security policies based on entity attributes. Our evaluations show that SEAgent effectively blocks various privilege escalation while maintaining a low false positive rate and negligible system overhead. This demonstrates its robustness and adaptability in securing LLM-based agent systems.

Keywords

Cite

@article{arxiv.2601.11893,
  title  = {Taming Various Privilege Escalation in LLM-Based Agent Systems: A Mandatory Access Control Framework},
  author = {Zimo Ji and Daoyuan Wu and Wenyuan Jiang and Pingchuan Ma and Zongjie Li and Yudong Gao and Shuai Wang and Yingjiu Li},
  journal= {arXiv preprint arXiv:2601.11893},
  year   = {2026}
}
R2 v1 2026-07-01T09:08:38.654Z