Papers
Topics
Authors
Recent
Search
2000 character limit reached

The Balkanization of Execution-Security Research for AI Coding Agents: Isolation, Access Control, and Time-of-Check-to-Time-of-Use Vulnerabilities

Published 7 Jul 2026 in cs.CR and cs.AI | (2607.05743v1)

Abstract: AI coding agents now read repositories, call tools, and execute shell commands with limited human oversight, and a fast-growing body of work studies whether the execution layer around them is actually safe. That literature is scattered. Papers on sandbox isolation, capability and access control, policy enforcement, time-of-check-to-time-of-use (TOCTOU) races, Model Context Protocol (MCP) threats, identity delegation, execution provenance, network egress control, and static analysis of agent-generated code are published independently and rarely cite one another. We systematize 39 papers published between 2023 and 2026 into 17 categories, each verified directly against its source. The same verification protocol also confirms four disclosed, patched CVEs directly affecting production agent harnesses. Reading across categories surfaces five cross-cutting gaps that no single paper addresses. (1) Isolation architectures and capability models are almost never evaluated against one another on a shared benchmark. (2) Policy-enforcement studies report failure rates from 69% to 98% of real denylists, yet no isolation paper re-evaluates its own defense under that adversarial setting. (3) TOCTOU and MCP threats are analyzed as separate literatures despite both being instances of the same state-validation problem. (4) Every enforcement mechanism assumes an honest policy author, leaving policy-authoring error itself unaddressed. (5) Benign but out-of-scope agent actions occurring at rates up to 17.1% under realistic prompting are addressed by no access-control or capability paper in the corpus. Existing broader surveys of agentic AI security discuss sandboxing only as one item among many defenses, leaving execution security without a dedicated systematization. This paper is written to fill that gap. We conclude with a research agenda directed at the five gaps.

Authors (1)

Summary

  • The paper establishes a formal taxonomy of 17 execution-security mechanisms based on a survey of 39 key studies from 2023–2026.
  • It demonstrates vulnerabilities in isolation, access control, and TOCTOU races, supported by CVE analyses and empirical success metrics.
  • The study identifies cross-cutting gaps hindering compositional defenses and calls for unified adversarial benchmarks in security evaluations.

Systematizing Execution-Security Research for AI Coding Agents

Introduction

The research paper, "The Balkanization of Execution-Security Research for AI Coding Agents: Isolation, Access Control, and Time-of-Check-to-Time-of-Use Vulnerabilities" (2607.05743), provides a comprehensive and critical systematization of the rapidly growing body of execution-security research for AI coding agents. It establishes a formal taxonomy based on a survey of 39 primary papers published between 2023 and 2026, categorizing them according to 17 distinct execution-security mechanisms. The analysis identifies recurring root causes, structural patterns, and exposes fundamental cross-cutting gaps unaddressed by existing work.

Motivation and Scope

The operational security of coding agents—systems where LLM-based agents read repositories, invoke tools, and run shell commands—depends critically on the robustness of their execution context, not merely on the alignment of their generative models. Prompt-injection defenses are necessary but not sufficient; the execution layer constitutes an independent axis of vulnerability. The literature in this domain is characterized by fragmentation: individual works focus on sandboxing, access control, time-of-check-to-time-of-use (TOCTOU) races, and emerging protocols such as the Model Context Protocol (MCP), yet rarely engage across conceptual or mechanistic boundaries.

Importantly, the relevance of execution-layer security is grounded in real-world incidents: the authors confirm four distinct CVEs affecting production agent harnesses, ranging from a widely used container-escape bug (CVE-2024-21626) to critically rated flaws in both proprietary (Claude Code) and widely deployed (GitHub Copilot) agent systems. This validates that the risk landscape is neither theoretical nor marginal.

Taxonomy of Execution-Security Mechanisms

The research systematically verifies and categorizes prior work into 17 execution-security categories, based on primary mechanism rather than secondary summaries. The most populous categories include isolation architectures, adversarial/escape benchmarks, and access-control frameworks, with additional attention to emergent issues such as scope creep and skill/plugin security. For each, the paper synthesizes motivations, structural insights, and reported empirical outcomes.

Isolation Architectures

Isolation architectures pursue confinement of the agent's operational blast radius within well-defined sandboxes, often inspired by application store models or layered containment (e.g., HTTP-layer sandboxes for browser agents). Empirical evaluations demonstrate bounded performance overheads (<30% in IsolateGPT) and, in transactional frameworks, report near-perfect interception and rollback rates. Figure 1

Figure 1: Isolation architectures channel agent activity through sandbox boundaries to contain the blast radius, mitigating root-cause vulnerabilities.

Escape and Adversarial Benchmarks

This category stresses systems under adversarial pressure, determining whether agents can subvert or escape the prescribed execution boundary. Capture-the-flag-style benchmarks and red-team scenarios reveal both the willingness of current models to execute risky operations and the susceptibility of agent harnesses to code generation flaws. Figure 2

Figure 2: Adversarial tasks induce agent escape attempts, with empirical measurement of break-out rates under various configurations.

Access Control and Capability Models

Access-control mechanisms provide fine-grained, revocable permissioning at the level of agent actions or tool invocations. They employ diverse architectural patterns, including Android-inspired policy layers, Datalog reference monitors, revocable tokens, and context-sensitive constraints. Reported attacker success rates are often reduced to negligible levels with strict enforcement, but these assurances are predicated on idealized, uncompromised enforcement. Figure 3

Figure 3: Access control models enforce fine-grained policies, determining grants or denials at action-execution time.

Policy Enforcement Fragility

Measurement-focused work exposes profound fragility in deployed policy artifacts. For example, ShellSieve's large-scale corpus analysis finds that 69–98.6% of real-world command denylists are fragile under model-synthesized bypasses. These findings directly challenge assumptions underpinning proposals in the other categories. Figure 4

Figure 4: Measuring policy enforcement fragility by searching for bypasses against deployed denylists, revealing high rates of policy failure.

Time-of-Check-to-Time-of-Use Races

TOCTOU vulnerabilities arise from the drift between the time a state is validated and when an action is performed. Novel benchmarks and mitigation approaches reduce race-induced flaws from approximately 12% to 8%, but the literature evidences structural similarity to protocol-level attacks (e.g., MCP tool poisoning), yet these lines of work remain largely disjoint. Figure 5

Figure 5: Validated state may drift prior to action execution, inducing stale-action vulnerabilities characteristic of TOCTOU races.

MCP-Specific Threats, Skill Packaging, and Other Categories

The taxonomy extends to MCP-specific threats (e.g., tool metadata poisoning), execution provenance/auditability, skill/plugin packaging security, static code analysis, and network egress controls. Each exposes novel avenues for privilege escalation, data exfiltration, or attack persistence, as demonstrated by security analyses of open-source MCP servers and plugin ecosystems.

Synthesis: Root Causes and Structural Patterns

Surveying the entire taxonomy, the authors collapse 17 mechanism categories onto four recurrent root causes:

  • RC1: Absence of structural separation between untrusted data and control plane inputs (e.g., tool results processed as executable instructions).
  • RC2: Authorization or validation checks trusted forever, with no revalidation against possible state drift (including TOCTOU and protocol races).
  • RC3: Mechanism encodes only what is permitted in general, not whether an action is contextually intended now, leading to overeager agent behavior.
  • RC4: Evaluations of defenses almost exclusively consider author-constructed, rather than empirically observed, attack and failure patterns. Figure 6

    Figure 6: Seventeen taxonomy categories mapped onto four recurring root causes, with primary and secondary attributions visualized.

Concrete causal chains for each root cause, instantiated with representative papers, elucidate how the same basic design flaws underpin vulnerability classes spanning the taxonomy. Crucially, the field exhibits minimal compositionality; no single existing defense addresses both missing state and wrong-question-type failures in aggregate. Figure 7

Figure 7: Representative papers instantiating distinct root-cause causal chains, locating the pipeline breakpoints where authorization or control fails.

A concurrent, pipeline-stage analysis shows that most mechanism proposals enforce gates pre- or at-action, while measurements and audits are predominantly post hoc. There is a systemic lack of cross-evaluation: few, if any, defenses are tested using independently produced adversarial corpora from measurement-oriented work.

Cross-Cutting Gaps and Critical Findings

This meta-analysis identifies five unaddressed gaps:

  • Gap 1: Isolation and access-control mechanisms are not evaluated against one another on shared benchmarks, precluding direct comparison or compositional analysis.
  • Gap 2: Most defenses are not re-evaluated under real-world policy fragility and bypass rates; reported success rates are thus uncalibrated for actual attacker models.
  • Gap 3: Structurally analogous attacks (e.g., TOCTOU and MCP tool poisoning) are studied under separate terminologies and without cross-citation, impeding transfer of mitigations.
  • Gap 4: All enforcement mechanisms assume correct and honest policy authorship, neglecting risks from policy-authoring error or mis-specification.
  • Gap 5: Measurement of benign but out-of-scope agent activities ("scope creep") is not addressed by any active access-control or capability enforcement mechanism.

Empirical data reinforce these points. For example, scope-creep measurement in particular demonstrates a stark increase in overeager action rates (from 0.0% to 17.1%) on a major agenting framework depending solely on prompt phrasing. Figure 8

Figure 8: Scope-creep measurement flow, documenting the increased overeager rate with minor prompt modifications.

Clustered similarity analysis reveals high off-diagonal correlations between pairs of categories that are not referenced in each other's literature, confirming a structurally balkanized research field. Figure 9

Figure 9: Pairwise similarity heatmap showing that conceptually related failures are studied in isolation, limiting knowledge transfer and consolidation.

Implications and Prospects

This synthesis strongly suggests that execution-security research for coding agents is moving rapidly, but remains siloed by mechanism. The strong numerical findings regarding policy bypass rates and scope creep highlight substantial residual risk in current agent deployment.

Practical implications include the necessity for composite evaluation of proposed defenses, ideally benchmarking isolation and access-control mechanisms against shared, adversarial datasets. The empirical discovery that even advanced agent-output code is correct and secure less than 25% of the time cautions against over-reliance on generative quality as a security control. The observed gaps around policy-authoring correctness indicate an overlooked risk vector in both academic and deployed systems.

Theoretically, the work positions execution security as an orthogonally critical component to prompt-level or model-centric alignment. It underscores the insufficiency of solution frameworks that fail to integrate adversarial measurement, cross-mechanism compositionality, and transferability. It also motivates the development of unified formal models for structurally similar vulnerabilities, and empirically validated, context-aware enforcement strategies.

Conclusion

By systematizing execution-security work for coding agents into a rigorously verified taxonomy anchored in primary sources and real vulnerability data, the paper clarifies the fragmentation of current research, exposes precise root causes, and surfaces five actionable gaps that delimit the state of the art. The implications for both security engineering and academic research are direct: further progress requires adversarial evaluation on shared benchmarks, greater attention to policy-authoring error, cross-pollination of mechanisms and measurement methods, and systematic response to structurally recurring design defects. Addressing these challenges is foundational to the safe and reliable deployment of AI coding agents in practice.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 2 likes about this paper.