Memory Isolation and Contextual Integrity

• Memory isolation and contextual integrity are foundational security principles that restrict memory access to designated domains and enforce data flows appropriate to each context.
• Architectural mechanisms like hypervisor-enforced enclaves, reference monitors, hierarchical agent contexts, and hardware roots-of-trust provide multilayered protection across operating systems, LLM agents, and distributed environments.
• Benchmark evaluations using metrics such as Violation@n and Completeness show that these strategies can reduce unauthorized access from over 30% to below 1%, thereby significantly enhancing system security.

Memory isolation and contextual integrity are foundational principles for securing computational agents, operating systems, and memory-augmented artificial intelligence. Memory isolation restricts data access to designated domains, preventing untrusted code, processes, agents, or users from leaking or tampering with information outside their authorized context. Contextual integrity formalizes the notion that data and behaviors must be appropriate to their execution or application context, such that unauthorized flows or disclosures are prohibited even in the presence of sophisticated adversaries. These concepts interplay across system software, LLM-based agents, benchmark frameworks, and advanced hardware, as detailed below.

1. Formal Foundations of Memory Isolation and Contextual Integrity

Memory isolation mandates that memory regions, objects, or traces belonging to a subject (process, driver, agent) are not accessible to other subjects except via approved interfaces. Traditional mechanisms use virtual memory and hardware page tables; modern directions extend to hypervisor-enforced enclaves, reference-monitored address-spaces, and cryptographically authenticated memory accesses. Contextual integrity, as formalized in LLM evaluation frameworks and systems security, refers to the enforcement that information flows match their contextual constraints—attributes should only be accessible when the task and privilege level demand, and not otherwise. Quantitative metrics, as introduced in CIMemories, measure the probability that a sensitive memory attribute is inappropriately revealed (Violation@n) and the probability that a necessary attribute is appropriately shared (Completeness) (Mireshghallah et al., 18 Nov 2025).

A typical formalism, exemplified by “Secure Memory Management on Modern Hardware,” models system state as tuple $(\mathit{ACM},\,\mathit{cfg})$ of an Access Control Matrix (assigning rights per subject/object pair) and an explicit mapping of address spaces. Every mapping change and memory access passes through a reference monitor, and system invariants require that only subjects possessing both grant and map rights may alter memory translations (Achermann et al., 2020). Such frameworks provide a canonical foundation for contextual integrity, ensuring that at any point, memory accesses and changes are policy-justifiable and contextual boundaries are enforced.

2. Architectural Mechanisms and Enforcement Strategies

Multiple architectures embody memory isolation and contextual integrity:

• Hypervisor-Enforced Enclaves: MemoryRanger employs Intel VT-x with Extended Page Tables (EPT) to assign every kernel-mode driver its own isolated enclave, encapsulating allocations and code. Only enclave-resident code can execute or read/write its associated pools; cross-driver or driver→OS accesses are trapped by the hypervisor and denied or redirected, preventing both code tampering and unauthorized data exfiltration (Korkin, 2018).
• Reference Monitor-Based Enforcement: The fine-grained protection model in (Achermann et al., 2020) mediates all MMU/IOMMU and translation-unit updates, mapping changes, and physical memory accesses through an explicit reference monitor, which can be formalized and code-generated for heterogeneous hardware.
• Hierarchical Agent Contexts: AgentSys models each LLM agent’s memory as a hierarchy of isolated contexts, where a main agent spawns worker agents for external tool invocations, each with ephemeral, gated working memory. Raw tool outputs are never concatenated into the trusted context; only schema-validated, designer-anticipated results can cross boundaries, enforced deterministically via JSON schemas and LLM-mediated gates (Wen et al., 7 Feb 2026).
• Hardware Root-of-Trust for Distributed Environments: Space-Control augments CXL-based disaggregated memory with hardware root-of-trust that tags every load/store with authenticated process labels and enforces isolated access via permission caches, permission checkers, and cryptographic context authentication—even when the OS is fully compromised (Goswami et al., 6 Mar 2026).

3. Contextual Integrity in LLMs and Agents

LLM-based agents frequently fail to enforce contextual integrity when relying on persistent or indiscriminately accumulated memory. The CIMemories benchmark reveals that LLMs, when given composite persistent memory, leak sensitive attributes into contexts where they should be withheld (up to 69% attribute-level violations), especially as tasks accumulate or on repeated queries, with no robust trade-off between privacy and task completeness (Mireshghallah et al., 18 Nov 2025). Prompt-based interventions only shift the violation-completeness curve, as models tend toward all-or-nothing responses rather than nuanced, contextually controlled outputs.

AgentSys directly operationalizes these insights: the main agent’s trusted context is never exposed to unfiltered external data or reasoning traces. Instead, working memory proceeds strictly via validated and schema-constrained channels, thereby ensuring that adversarial or injected instructions never persist (Δ(τ,τ′)=0 for main-agent traces except for data conforming precisely to intentional schema). Ablations demonstrate that isolation reduces indirect prompt injection attack success rates from 30.66% to 2.19%, with full schema and validator layers reducing this further to 0.78% (see Table 1) (Wen et al., 7 Feb 2026):

Defense	AgentDojo ASR	ASB ASR
No Defense	30.66%	30.66%*
Isolation only	2.19%	-
AgentSys (full)	0.78%	4.25%

Strict memory boundaries eliminate context persistence of attacks.

4. Multi-Agent, Multi-Tenant, and Distributed Isolation

In multi-agent and distributed environments, memory isolation must transcend process boundaries and survive even in the presence of untrusted system software:

• SuperLocalMemory enforces per-agent data isolation at the storage engine level, separating behavioral data (collected to learn user/agent preferences) from core memory, with GDPR-compliant erasure and strict partitioning by project, agent, and workflow context. All mutations and accesses are tied to agent-provenance tokens. A Bayesian trust scorer manages write/delete privileges, blocking low-trust agents from memory poison insertion (Bhardwaj, 17 Feb 2026).
• Space-Control introduces per-process authentication and access control for CXL-based shared memory: on each context switch, all loads/stores are cryptographically bound to authenticated process contexts (HWPID, base pointer). Hardware permission caches enforce fast access control, with 99.9% cache hit rates and minimal overhead (~3.3%), maintaining contextual integrity and per-access noninterference (unauthorized accesses always fault, even if OS colludes with a process, as A-bits and labels cannot be forged without keys) (Goswami et al., 6 Mar 2026).

5. Practical Metrics, Benchmarking, and Defense Evaluation

Rigorous evaluation frameworks quantify both the guarantees and trade-offs of isolation and contextual integrity:

• CIMemories directly measures attribute-level Violation@n and Completeness, exposing the inability of current LLMs to balance privacy with utility (Mireshghallah et al., 18 Nov 2025).
• AgentSys’s defense efficacy is calculated as E = 100 – ASR. Isolation alone achieves E=97.81, schema validation and sanitization push E→99.22, all while slightly improving benign utility (64.36% vs. baseline 63.54%) (Wen et al., 7 Feb 2026).
• SuperLocalMemory measures trust separation gap (Δ_Benign−Malicious ≈ 0.90), resilience under sleeper attacks (72% trust degradation), and NDCG@5 improvement in ranking with re-ranking enabled (+104%) (Bhardwaj, 17 Feb 2026).
• Space-Control achieves near-baseline throughput (≤3.3% performance overhead) for typical workloads, with nearly all enforcement costs masked by high permission cache hit rates (Goswami et al., 6 Mar 2026).
• MemoryRanger traps only illegal cross-enclave accesses, achieving threefold lower overhead (170,000 vs. 500,000 cycles) than single-EPT trapping (Korkin, 2018).

6. Limitations and Open Directions

Current mechanisms may not fully protect shared buffers, indirect DMA, or handle ambiguous attribute-context mappings. In LLMs, contextually nuanced reasoning remains unsolved: privacy-conscious prompting induces proportional loss of completeness, and all-allocation of memory by default is inherently unsafe. Formal enforcement at the hardware monitor level may be stymied by performance or generality gaps when novel accelerator architectures emerge. Future directions include training context-sensitive modules for in-situ decision-making, inference-time guardrails for memory masking, and hybrid architectures to separate persistent memory from the contextual policy module (Mireshghallah et al., 18 Nov 2025). Expanding to multi-turn dialogues, tool-augmented agents, and real-world studies is necessary for generalizing integrity claims.

7. Synthesis and Comparative Architecture

A cross-domain summary highlights principal approaches to memory isolation and contextual integrity:

Domain	Isolation Mechanism	Contextual Integrity Guarantee
OS/Kernel	Hypervisor EPT/Enclaves	Hardware-enforced, per-driver page access (Korkin, 2018)
LLM Agents	Hierarchical agent memory	Only schema-validated returns permeate (Wen et al., 7 Feb 2026)
ML Benchmarks	Task-attribute gating	Violation and completeness trade-off (Mireshghallah et al., 18 Nov 2025)
Multi-Agent AI	Provenance, Bayesian trust	No cross-agent contamination or memory poisoning (Bhardwaj, 17 Feb 2026)
Disaggregated	HW permission checkers	Authenticated, per-access, process isolation (Goswami et al., 6 Mar 2026)

Integrated architectures that combine hardware roots of trust, dynamic permission enforcement, agent-context hierarchies, and explicit policy-checking achieve strong isolation that persists under system compromise, adversarial input, and untrusted multi-party computation. Empirical results across these domains establish that such principled separation and formal validation dramatically reduce unauthorized access and attack success while sustaining or improving legitimate utility.