MVAR: Deterministic Sink Enforcement for AI Agent Security

MVAR (Mvar-Security) introduces a deterministic sink enforcement mechanism designed to protect AI agents from prompt-injection-driven tool misuse. This system employs information flow control and cryptographic provenance tracking to enhance the security of LLM agent runtimes. MVAR operates as a deterministic reference monitor at execution sinks, contrasting with traditional approaches that patch specific bugs, often leading to disabled tools and reduced utility. MVAR labels data with integrity (TRUSTED/UNTRUSTED) and confidentiality (PUBLIC/SENSITIVE/SECRET) classifications, propagating these labels conservatively, meaning any untrusted input taints all derived outputs. It uses QSEAL Ed25519 signatures on provenance nodes for enhanced security. The system enforces policies per target, differentiating between authorized and unauthorized destinations, and uses command whitelisting for shell tools. MVAR's deterministic evaluation results in three possible outcomes: ALLOW, BLOCK, or STEP_UP, based on a decision matrix that considers data integrity and sink risk. The approach applies IFC-style dual-lattice taint tracking, similar to Jif/FlowCaml lineage, to agent runtimes, ensuring deterministic enforcement and cryptographic auditability. MVAR's sink policy blocks potentially harmful actions, such as executing untrusted code, by evaluating the risk associated with the data's origin and the intended sink. This ensures that even if an LLM generates a potentially dangerous command, it will be blocked if the input data is labeled as untrusted and the sink is deemed critical. MVAR represents a significant advancement in AI agent security by providing a robust and deterministic method to prevent prompt injection attacks and ensure the safe operation of AI agents.