Papers
Topics
Authors
Recent
Search
2000 character limit reached

From Tool Connection to Execution Control: Benchmarking Security Invariants in MCP-Style Agent Runtimes

Published 27 Jun 2026 in cs.CR and cs.AI | (2606.29073v1)

Abstract: Model Context Protocol (MCP)-style ecosystems give language-model applications a practical connection layer for tools, resources, prompts, and transports. As agents move from connection to execution, security decisions often remain split across clients, servers, prompts, approval dialogs, OAuth deployments, and logs. This paper asks whether a runtime can make execution-layer invariants explicit and testable while preserving MCP-like workflows. We define eight invariants: metadata non-authority, grant-backed approval, canonical resources, principal binding, scoped capability invocation, source-and-target data-flow authorization, deny-path audit, and explicit protocol state. We implement these invariants in HCP, a Handle-Capability Protocol reference runtime for MCP-style agent execution that represents calls through principals, resources, grants, capabilities, handles, policy decisions, data-pipe checks, and audit entries. We evaluate HCP against two MCP-like baselines: a naive connection-layer runtime and a practice-informed connection-layer mitigation baseline with metadata linting, session checks, and per-call approvals. Across 10 benchmark cases, the naive baseline permits all modeled attacks, the mitigation baseline permits 6 of 10, and HCP blocks all 10 while preserving audit evidence. Ablations identify which runtime components block attacks and preserve forensic evidence. A local in-memory microbenchmark reports sub-millisecond mean latencies for measured policy, invocation, peek, and pipe operations. A bounded GitHub README-screening sample provides ecosystem signals, not vulnerability findings. The results support a narrow claim: MCP-style agent systems need an execution-control layer in addition to connection-layer conventions.

Authors (1)

Summary

  • The paper introduces the Handle-Capability Protocol (HCP) as a runtime enforcement model that bridges the gap between connection-oriented security and execution control.
  • It establishes eight explicit security invariants, rigorously benchmarked across three execution modes, showing that full runtime enforcement (B2) blocks all tested attack vectors.
  • The evaluation demonstrates that HCP achieves comprehensive security with sub-millisecond overhead, ensuring runtime auditability and robust defense against misdirected execution authority.

Execution-Control Invariants for Security in MCP-Style Agent Runtimes

Introduction

This paper, "From Tool Connection to Execution Control: Benchmarking Security Invariants in MCP-Style Agent Runtimes" (2606.29073), systematically investigates the limits of connection-oriented security in Model Context Protocol (MCP) ecosystems and addresses the execution-layer gaps that emerge as agent systems transition from connection to active tool invocation. It proposes an explicit runtime enforcement model—the Handle-Capability Protocol (HCP)—which mediates authority, resource access, and audit trails, and provides a structured benchmark evaluating concrete attack classes and security invariants.

Motivation and Problem Statement

MCP and its adjacents provide a robust and pragmatic connection substrate for agent-tool integration, specifying clients, servers, resources, transports, and tool invocation patterns [mcp_spec_2025_11_25]. Standard security mechanisms are in place at the connection layer—OAuth-based authentication, session management, and metadata hygiene—but these do not systematize runtime enforcement of execution authority. Execution-phase risk arises when session approvals, tool metadata, and provider authority remain weakly bound in runtime state, leaving systems susceptible to confused deputy, excessive permissioning, tool poisoning, and covert data exfiltration attacks. The central research question is whether an agent runtime can render such invariants explicit, enforceable, and testable—bridging the gap between surface connectivity (MCP) and concrete execution control.

Proposed Security Invariants

The paper delineates eight invariants tailored to the execution layer:

  1. Metadata Non-Authority: Tool metadata is advisory, not a basis for policy.
  2. Grant-Backed Approval: Approval cannot substitute for explicit grant-based authorization.
  3. Canonical Resource Resolution: Resources are defined provider-canonically, not via client string injection.
  4. Principal Binding: Runtime binding across grants, tasks, handles, and audit for all principals.
  5. Scoped Capability Invocation: Invocation requires scope-checked grant matching.
  6. Bidirectional Data-Flow Authorization: Both source and target endpoints of data pipes are policy objects, incorporating ownership and compatibility checks.
  7. Deny-Path Audit: All denied execution pathways yield explicit audit evidence.
  8. Explicit Protocol State: Initialization and versioning are first-order security boundaries.

Crucially, these invariants cannot be consistently enforced by connection-layer conventions such as metadata linting, approval dialogs, or session checks alone.

HCP Reference Runtime Design

HCP operationalizes the above invariants using runtime object models: Principal, Resource, Grant, Capability, PolicyDecision, Handle, DataPipe, and AuditEntry. The runtime intercepts invocation paths, resolving all identity and resource authority at execution time rather than relying on supplied descriptors or prior token issuance. Every execution event (allow or deny) generates policy-state and audit evidence, ensuring all grant, approval, handle, and data-movement actions are fully attributable and testable.

Handles are endowed with owner metadata, preventing ambient authority scenarios, and data pipes are explicitly guarded, extending the security surface from operation invocation to intermediate result handling and data transfer—even for simple tool output flows.

Benchmark Evaluation

Benchmark Structure

The rigorous evaluation leverages a ten-case benchmark suite comprising five attack classes, each with concrete case fixtures and expected outcomes:

  • Tool poisoning (indirect meta-invocation/exfiltration)
  • Confused deputy (server-side resource misbinding)
  • Excessive permission/approval fatigue (broad grant overreach)
  • Context poisoning/data-pipe exploits (cross-handle data flow to unauthorized targets)
  • Protocol/session confusion (API state misuse/pre-initialization method calls)

Each case is evaluated on three execution modes:

  • B0: Naive connection-layer (no runtime-enforced execution invariants)
  • B1: Practice-informed mitigations (metadata checks, session enforcement, per-call approval)
  • B2: HCP runtime (full object-model enforcement)

Results and Ablation

The benchmark shows that:

  • B0 permits all ten modeled attacks.
  • B1 blocks only 4/10, specifically where session or identity mismatches intersect the attack surface.
  • B2 blocks all 10 attacks, providing comprehensive audit evidence.

Ablation studies confirm that particular runtime mechanisms are necessary: disabling grant matching, approval, handle ownership, or data-pipe target policy exposes distinct attack classes. Notably, disabling deny-path audit leaves forensic gaps, undermining post-hoc investigation and accountability.

Measured overheads (in an in-memory prototype) are sub-millisecond for all policy, invocation, peek, and data-pipe operations, confirming that strict execution-control can be introduced without significant runtime penalty.

Governance and Ecosystem Signals

To probe real-world deployment surfaces, the paper screens public MCP-adjacent project metadata. The majority of sampled repositories expose authority surfaces in README documentation, but lack explicit audit narratives—underscoring the practical demand for runtime-enforced auditability such as HCP provides.

Operator-governance surface analysis reveals that HCP's explicit runtime objects (grants, handles, approvals, audit) directly yield functionality needed for configuration clarity, risk attestation, and incident response, in a way not always possible with implicit convention-driven designs.

Theoretical and Practical Implications

The primary theoretical implication is the shift from ambient, distributed, and metadata-driven execution authority to explicit, runtime-mediated security objects. This aligns with capability discipline and information-flow principles [hardy_confused_deputy, denning_lattice_1976, rajani_capabilities_2016], embedding provenance-aware and policy-driven runtime logic at the core of agent execution. The architecture successfully partitions trust boundaries: model and provider metadata propose, runtime policy decides.

In practice, this approach enables quantifiable and reproducible security assurance: agent-based systems can define, enforce, and audit runtime execution policies rather than relying on scattered client, server, and UI conventions. HCP does not attempt to subsume OAuth, provider attestation, or environment sandboxing, but rather addresses the unique execution-path risks at the rendezvous of AI decision and code/data effect.

Limitations and Future Research

The research scope is intentionally scoped: the HCP reference implementation is in-memory, and persistent, production-grade platform integrations remain open engineering tasks. The ecosystem measurement is bounded to public documentation, not exploit validation. Attacks such as supply chain compromise, provider malware, or LLM prompt subversion are not exhaustively modeled.

Future developments should include robust persistent state for grants and audits, provider attestation models, and integrated policy introspection tools. The extension of these invariants to distributed, federated, or cross-organizational agent systems is a natural next step. Detailed user studies may be necessary for conclusive assertions about governance usability.

Conclusion

This work demonstrates that MCP-style agent ecosystems, while effective at surfacing tool connectivity, retain critical exposure at the execution layer if runtime authority, data movement, and audit are not centrally enforced and rendered explicit. The HCP reference runtime provides a tractable pattern for secure agent execution, strongly reducing benchmarked attack success and yielding auditable evidence throughout. These results motivate future agent architectures to adopt an execution-control layer, enabling reproducible and explainable security for AI-augmented workflows (2606.29073).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 1 like about this paper.