- The paper introduces the Handle-Capability Protocol (HCP) as a runtime enforcement model that bridges the gap between connection-oriented security and execution control.
- It establishes eight explicit security invariants, rigorously benchmarked across three execution modes, showing that full runtime enforcement (B2) blocks all tested attack vectors.
- The evaluation demonstrates that HCP achieves comprehensive security with sub-millisecond overhead, ensuring runtime auditability and robust defense against misdirected execution authority.
Execution-Control Invariants for Security in MCP-Style Agent Runtimes
Introduction
This paper, "From Tool Connection to Execution Control: Benchmarking Security Invariants in MCP-Style Agent Runtimes" (2606.29073), systematically investigates the limits of connection-oriented security in Model Context Protocol (MCP) ecosystems and addresses the execution-layer gaps that emerge as agent systems transition from connection to active tool invocation. It proposes an explicit runtime enforcement model—the Handle-Capability Protocol (HCP)—which mediates authority, resource access, and audit trails, and provides a structured benchmark evaluating concrete attack classes and security invariants.
Motivation and Problem Statement
MCP and its adjacents provide a robust and pragmatic connection substrate for agent-tool integration, specifying clients, servers, resources, transports, and tool invocation patterns [mcp_spec_2025_11_25]. Standard security mechanisms are in place at the connection layer—OAuth-based authentication, session management, and metadata hygiene—but these do not systematize runtime enforcement of execution authority. Execution-phase risk arises when session approvals, tool metadata, and provider authority remain weakly bound in runtime state, leaving systems susceptible to confused deputy, excessive permissioning, tool poisoning, and covert data exfiltration attacks. The central research question is whether an agent runtime can render such invariants explicit, enforceable, and testable—bridging the gap between surface connectivity (MCP) and concrete execution control.
Proposed Security Invariants
The paper delineates eight invariants tailored to the execution layer:
- Metadata Non-Authority: Tool metadata is advisory, not a basis for policy.
- Grant-Backed Approval: Approval cannot substitute for explicit grant-based authorization.
- Canonical Resource Resolution: Resources are defined provider-canonically, not via client string injection.
- Principal Binding: Runtime binding across grants, tasks, handles, and audit for all principals.
- Scoped Capability Invocation: Invocation requires scope-checked grant matching.
- Bidirectional Data-Flow Authorization: Both source and target endpoints of data pipes are policy objects, incorporating ownership and compatibility checks.
- Deny-Path Audit: All denied execution pathways yield explicit audit evidence.
- Explicit Protocol State: Initialization and versioning are first-order security boundaries.
Crucially, these invariants cannot be consistently enforced by connection-layer conventions such as metadata linting, approval dialogs, or session checks alone.
HCP Reference Runtime Design
HCP operationalizes the above invariants using runtime object models: Principal, Resource, Grant, Capability, PolicyDecision, Handle, DataPipe, and AuditEntry. The runtime intercepts invocation paths, resolving all identity and resource authority at execution time rather than relying on supplied descriptors or prior token issuance. Every execution event (allow or deny) generates policy-state and audit evidence, ensuring all grant, approval, handle, and data-movement actions are fully attributable and testable.
Handles are endowed with owner metadata, preventing ambient authority scenarios, and data pipes are explicitly guarded, extending the security surface from operation invocation to intermediate result handling and data transfer—even for simple tool output flows.
Benchmark Evaluation
Benchmark Structure
The rigorous evaluation leverages a ten-case benchmark suite comprising five attack classes, each with concrete case fixtures and expected outcomes:
- Tool poisoning (indirect meta-invocation/exfiltration)
- Confused deputy (server-side resource misbinding)
- Excessive permission/approval fatigue (broad grant overreach)
- Context poisoning/data-pipe exploits (cross-handle data flow to unauthorized targets)
- Protocol/session confusion (API state misuse/pre-initialization method calls)
Each case is evaluated on three execution modes:
- B0: Naive connection-layer (no runtime-enforced execution invariants)
- B1: Practice-informed mitigations (metadata checks, session enforcement, per-call approval)
- B2: HCP runtime (full object-model enforcement)
Results and Ablation
The benchmark shows that:
- B0 permits all ten modeled attacks.
- B1 blocks only 4/10, specifically where session or identity mismatches intersect the attack surface.
- B2 blocks all 10 attacks, providing comprehensive audit evidence.
Ablation studies confirm that particular runtime mechanisms are necessary: disabling grant matching, approval, handle ownership, or data-pipe target policy exposes distinct attack classes. Notably, disabling deny-path audit leaves forensic gaps, undermining post-hoc investigation and accountability.
Measured overheads (in an in-memory prototype) are sub-millisecond for all policy, invocation, peek, and data-pipe operations, confirming that strict execution-control can be introduced without significant runtime penalty.
Governance and Ecosystem Signals
To probe real-world deployment surfaces, the paper screens public MCP-adjacent project metadata. The majority of sampled repositories expose authority surfaces in README documentation, but lack explicit audit narratives—underscoring the practical demand for runtime-enforced auditability such as HCP provides.
Operator-governance surface analysis reveals that HCP's explicit runtime objects (grants, handles, approvals, audit) directly yield functionality needed for configuration clarity, risk attestation, and incident response, in a way not always possible with implicit convention-driven designs.
Theoretical and Practical Implications
The primary theoretical implication is the shift from ambient, distributed, and metadata-driven execution authority to explicit, runtime-mediated security objects. This aligns with capability discipline and information-flow principles [hardy_confused_deputy, denning_lattice_1976, rajani_capabilities_2016], embedding provenance-aware and policy-driven runtime logic at the core of agent execution. The architecture successfully partitions trust boundaries: model and provider metadata propose, runtime policy decides.
In practice, this approach enables quantifiable and reproducible security assurance: agent-based systems can define, enforce, and audit runtime execution policies rather than relying on scattered client, server, and UI conventions. HCP does not attempt to subsume OAuth, provider attestation, or environment sandboxing, but rather addresses the unique execution-path risks at the rendezvous of AI decision and code/data effect.
Limitations and Future Research
The research scope is intentionally scoped: the HCP reference implementation is in-memory, and persistent, production-grade platform integrations remain open engineering tasks. The ecosystem measurement is bounded to public documentation, not exploit validation. Attacks such as supply chain compromise, provider malware, or LLM prompt subversion are not exhaustively modeled.
Future developments should include robust persistent state for grants and audits, provider attestation models, and integrated policy introspection tools. The extension of these invariants to distributed, federated, or cross-organizational agent systems is a natural next step. Detailed user studies may be necessary for conclusive assertions about governance usability.
Conclusion
This work demonstrates that MCP-style agent ecosystems, while effective at surfacing tool connectivity, retain critical exposure at the execution layer if runtime authority, data movement, and audit are not centrally enforced and rendered explicit. The HCP reference runtime provides a tractable pattern for secure agent execution, strongly reducing benchmarked attack success and yielding auditable evidence throughout. These results motivate future agent architectures to adopt an execution-control layer, enabling reproducible and explainable security for AI-augmented workflows (2606.29073).