Large Language Model (LLM)-based agent systems are increasingly deployed for complex real-world tasks but remain vulnerable to natural language-based attacks that exploit over-privileged tool use. This paper aims to understand and mitigate such attacks through the lens of privilege escalation, defined as agent actions exceeding the least privilege required for a user's intended task. Based on a formal model of LLM agent systems, we identify novel privilege escalation scenarios, particularly in multi-agent systems, including a variant akin to the classic confused deputy problem. To defend against both known and newly demonstrated privilege escalation, we propose SEAgent, a mandatory access control (MAC) framework built upon attribute-based access control (ABAC). SEAgent monitors agent-tool interactions via an information flow graph and enforces customizable security policies based on entity attributes. Our evaluations show that SEAgent effectively blocks various privilege escalation while maintaining a low false positive rate and negligible system overhead. This demonstrates its robustness and adaptability in securing LLM-based agent systems.
@article{arxiv.2601.11893,
title = {Taming Various Privilege Escalation in LLM-Based Agent Systems: A Mandatory Access Control Framework},
author = {Zimo Ji and Daoyuan Wu and Wenyuan Jiang and Pingchuan Ma and Zongjie Li and Yudong Gao and Shuai Wang and Yingjiu Li},
journal= {arXiv preprint arXiv:2601.11893},
year = {2026}
}