77 lines
4.6 KiB
Markdown
77 lines
4.6 KiB
Markdown
# ClawLess: A Security Model of AI Agents
|
|
|
|
**arXiv ID**: 2604.06284v1
|
|
**Authors**: Hongyi Lu, Nian Liu, Shuai Wang, Fengwei Zhang
|
|
**Date**: 7 Apr 2026
|
|
**Category**: cs.CR (Cryptography and Security)
|
|
**Institutions**: Southern University of Science and Technology, Hong Kong University of Science and Technology
|
|
|
|
## Abstract
|
|
|
|
Autonomous AI agents powered by Large Language Models can reason, plan, and execute complex tasks, but their ability to autonomously retrieve information and run code introduces significant security risks. Existing approaches attempt to regulate agent behavior through training or prompting, which does not offer fundamental security guarantees. We present ClawLess, a security framework that enforces formally verified policies on AI agents under a worst-case threat model where the agent itself may be adversarial. ClawLess formalizes a fine-grained security model over system entities, trust scopes, and permissions to express dynamic policies that adapt to agents' runtime behavior. These policies are translated into concrete security rules and enforced through a user-space kernel augmented with BPF-based syscall interception. This approach bridges the formal security model with practical enforcement, ensuring security regardless of the agent's internal design.
|
|
|
|
## Key Concepts
|
|
|
|
### 1. ClawLess Framework
|
|
A comprehensive security framework for autonomous AI agents that combines formal verification with practical enforcement mechanisms.
|
|
|
|
### 2. Formal Security Model
|
|
A fine-grained model capturing entities, scopes, and permissions across multiple system domains, enabling precise security policy specification.
|
|
|
|
### 3. User-space Kernel
|
|
A trusted layer between potentially malicious AI agents and the vulnerable host kernel, providing isolation while maintaining usability.
|
|
|
|
### 4. BPF-based Syscall Interception
|
|
Using Berkeley Packet Filter (BPF) to intercept and enforce security policies on system calls made by AI agents.
|
|
|
|
### 5. Worst-case Threat Model
|
|
Assumes AI agents are capable of sophisticated attacks and will eventually be lured into malicious behavior, requiring security that doesn't rely on agent cooperation.
|
|
|
|
### 6. Secure Containers Comparison
|
|
Analysis of different container technologies (Docker, user-space kernels, virtualization, confidential containers) in terms of compatibility, interoperability, deployability, and security.
|
|
|
|
## Core Contributions
|
|
|
|
1. **First comprehensive security analysis** for autonomous AI agents with two fundamental assumptions about AI agent security.
|
|
2. **Formalized fine-grained security model** that prevents agents from abusing capabilities while maintaining usability.
|
|
3. **ClawLess implementation** - an isolation framework that enforces formally verified security policies on AI agents.
|
|
|
|
## Methodology
|
|
|
|
### Security Challenges Addressed
|
|
- **Ambiguous Trust Boundary**: AI agents retrieve data from diverse sources, blurring trusted/untrusted boundaries.
|
|
- **Privilege/Usability Trade-off**: Balancing agent capabilities with security risks.
|
|
- **Security for Autonomous Software**: Traditional mechanisms inadequate for non-deterministic LLM behavior.
|
|
|
|
### Technical Approach
|
|
1. **Formal Policy Specification**: Define security policies using formal methods.
|
|
2. **Policy Compilation**: Translate high-level policies into concrete system call rules.
|
|
3. **Runtime Enforcement**: Use user-space kernel with BPF interception to enforce policies.
|
|
4. **Isolation Architecture**: Deploy agents in secure containers with user-space kernel protection.
|
|
|
|
## Key Findings
|
|
|
|
1. **Docker Vulnerabilities**: Standard Docker has 37 CVEs over past ten years, including 5 high-severity vulnerabilities (>9.0 CVSS).
|
|
2. **User-space Kernel Security**: Only one CVE in past ten years, providing better security while maintaining usability.
|
|
3. **Formal Verification Gap**: Existing approaches lack formal verification for dynamic, tool-using AI agent behavior.
|
|
|
|
## Related Work
|
|
|
|
- **ACE**: Security architecture for LLM-integrated app systems
|
|
- **IsolateGPT**: Execution isolation architecture for LLM-based agentic systems
|
|
- **NeuroFilter**: Privacy guardrails for conversational LLM agents
|
|
- **ExpGuard**: LLM content moderation in specialized domains
|
|
|
|
## Implications
|
|
|
|
ClawLess provides a principled foundation for securing increasingly capable autonomous AI agents, moving beyond training/prompting-based approaches to formal verification and runtime enforcement.
|
|
|
|
## References
|
|
|
|
1. Hongyi Lu, Nian Liu, Shuai Wang, Fengwei Zhang. "ClawLess: A Security Model of AI Agents". arXiv:2604.06284v1 [cs.CR], 2026.
|
|
2. Related papers cited in the references section.
|
|
|
|
---
|
|
*Created: 2026-04-22*
|
|
*Source: arXiv:2604.06284v1*
|
|
*Integration: Wiki knowledge base* |