18. Security Considerations

Chapter 18 of 24 · 15 min

Multi-agent systems introduce security considerations beyond standard application security. Agents interact with external tools, share context across trust boundaries, and make decisions based on outputs from other agents—all potential attack vectors.

Context Injection Attacks

Malicious inputs to one agent can propagate through context sharing to affect other agents. Input validation and sanitization at system boundaries prevent injection of adversarial content into agent prompts.

# security/context_guard.py
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class SecurityContext:
    source_agent: str
    trust_level: str          # one of the keys in AgentSecurityManager.trust_levels
    content_type: str
    sanitized: bool = False

class ContextGuard:
    """Pattern-based filter applied to content before it enters an agent prompt."""

    def __init__(self, blocked_patterns: Optional[list[str]] = None):
        self.blocked_patterns = blocked_patterns or [
            r'<script[^>]*>.*?</script>',
            r'javascript:',
            r'on\w+\s*=',
        ]
        # DOTALL so a <script> block that spans several lines is still matched
        self._compiled = [re.compile(p, re.IGNORECASE | re.DOTALL) for p in self.blocked_patterns]

    def validate(self, content: str) -> tuple[bool, Optional[str]]:
        # Reject content outright; used where redaction is not acceptable.
        for pattern in self._compiled:
            match = pattern.search(content)
            if match:
                return False, f"Blocked pattern detected: {match.group()}"
        return True, None

    def sanitize(self, content: str) -> str:
        # Redact rather than reject; used for content that must still be passed on.
        for pattern in self._compiled:
            content = pattern.sub('[REDACTED]', content)
        return content

class AgentSecurityManager:
    def __init__(self, guard: ContextGuard):
        self.guard = guard
        self.trust_levels = {
            "system": 3,
            "verified": 2,
            "external": 1
        }

    def can_share_context(
        self,
        source: SecurityContext,
        target_trust_level: str
    ) -> bool:
        # Context may only flow from a source at least as trusted as the target.
        # An unknown source level maps to 0 and can never reach a known level.
        source_trust = self.trust_levels.get(source.trust_level, 0)
        target_trust = self.trust_levels.get(target_trust_level, 0)
        return source_trust >= target_trust

    def enforce_context_boundary(self, context: dict, target_trust_level: str) -> dict:
        # The "security" entry may arrive as a plain dict (e.g. deserialized JSON);
        # normalize it to a SecurityContext before evaluating the policy.
        security = context.get("security")
        if isinstance(security, dict):
            security = SecurityContext(**security)
        if security is None or not self.can_share_context(security, target_trust_level):
            return {"error": "Security policy violation", "redacted": True}
        return context

Tool Authorization

Agents invoking tools require authorization scoping. Tools receive minimal necessary permissions, and invocation logging captures all tool usage for audit trails.

Secrets Management

Agent configurations, API keys, and credentials require secure storage with rotation policies. Agents access secrets through secure channels rather than receiving them in plaintext configuration.
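The following is an added example, not code from the chapter: agent configuration carries only `secret://` references, a broker resolves them at call time after checking the agent's entitlement, and every secret carries a rotation deadline that the broker enforces. The class and function names (`SecretBroker`, `SecretRecord`, `config_has_plaintext_secrets`) and all sample values are hypothetical; a production broker would sit in front of a real vault rather than an in-memory dict.

```python
# Added example (not part of the original chapter). Names and sample values are
# hypothetical; the in-memory store stands in for a real secrets backend.
from __future__ import annotations
import re
import time
from dataclasses import dataclass

SECRET_REF = re.compile(r"^secret://(?P<name>[A-Za-z0-9_\-/]+)$")

@dataclass
class SecretRecord:
    value: str
    version: int
    created_at: float
    max_age_s: float            # rotation policy for this secret

    def is_expired(self, now: float) -> bool:
        return now - self.created_at > self.max_age_s

class SecretBroker:
    """Holds versioned secrets plus the agent -> secret entitlement map."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._store: dict[str, SecretRecord] = {}
        self._entitlements: dict[str, set[str]] = {}
        self.audit: list[tuple[float, str, str, str]] = []   # (ts, agent, secret, outcome)

    def put(self, name: str, value: str, max_age_s: float) -> None:
        # Storing under an existing name is a rotation: bump the version, reset the clock.
        prev = self._store.get(name)
        version = prev.version + 1 if prev else 1
        self._store[name] = SecretRecord(value, version, self._clock(), max_age_s)

    def grant(self, agent: str, name: str) -> None:
        self._entitlements.setdefault(agent, set()).add(name)

    def resolve(self, agent: str, ref: str) -> str:
        m = SECRET_REF.match(ref)
        if not m:
            raise ValueError(f"not a secret reference: {ref!r}")
        name = m.group("name")
        now = self._clock()
        if name not in self._entitlements.get(agent, set()):
            self.audit.append((now, agent, name, "denied"))
            raise PermissionError(f"{agent} is not entitled to {name}")
        rec = self._store[name]
        if rec.is_expired(now):
            self.audit.append((now, agent, name, "expired"))
            raise PermissionError(f"{name} v{rec.version} is past its rotation deadline")
        self.audit.append((now, agent, name, "resolved"))
        return rec.value

    def secrets_due_for_rotation(self) -> list[str]:
        now = self._clock()
        return [n for n, r in self._store.items() if r.is_expired(now)]

def config_has_plaintext_secrets(config: dict) -> list[str]:
    """Return config keys whose value is a literal credential instead of a secret:// ref."""
    suspicious = ("key", "token", "password", "secret")
    return [k for k, v in config.items()
            if k.lower().endswith(suspicious) and isinstance(v, str) and not SECRET_REF.match(v)]

def demo() -> dict:
    t = [1_000.0]                                   # controllable clock for the walkthrough
    broker = SecretBroker(clock=lambda: t[0])
    broker.put("search/api_key", "sk-constructed-sample", max_age_s=3600)
    broker.grant("research-agent", "search/api_key")
    good_cfg = {"model": "x", "search_api_key": "secret://search/api_key"}   # constructed
    bad_cfg = {"model": "x", "search_api_key": "sk-literal-in-config"}       # constructed
    out = {
        "plaintext_in_bad_cfg": config_has_plaintext_secrets(bad_cfg),
        "plaintext_in_good_cfg": config_has_plaintext_secrets(good_cfg),
        "resolved": broker.resolve("research-agent", good_cfg["search_api_key"]),
    }
    try:
        broker.resolve("untrusted-agent", good_cfg["search_api_key"])
        out["unentitled"] = "allowed"
    except PermissionError:
        out["unentitled"] = "denied"
    t[0] += 7200                                    # advance past the rotation deadline
    out["due"] = broker.secrets_due_for_rotation()
    try:
        broker.resolve("research-agent", good_cfg["search_api_key"])
        out["after_expiry"] = "allowed"
    except PermissionError:
        out["after_expiry"] = "denied"
    broker.put("search/api_key", "sk-constructed-rotated", max_age_s=3600)   # rotate
    out["after_rotation"] = broker.resolve("research-agent", good_cfg["search_api_key"])
    out["audit_outcomes"] = [a[3] for a in broker.audit]
    return out

if __name__ == "__main__":
    print(demo())
```

The agent never holds the secret value in its configuration; it holds a reference, and the broker decides at each resolution whether this agent may see it and whether the secret is still within policy. An expired secret fails closed, which surfaces an overdue rotation as an operational error rather than letting stale credentials keep circulating.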

Adversarial Agent Behavior

Agents processing untrusted inputs may exhibit unexpected behaviors. Sandboxed execution environments, resource limits, and behavior monitoring detect and contain compromised agents.
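The example below is added here and is not the chapter's own code; it covers both the Tool Authorization section (per-agent tool grants scoped to specific arguments, with an audit record of every invocation) and this section (a per-agent call budget as a resource limit, and a denial counter that quarantines an agent whose behaviour repeatedly breaches policy). `ToolGateway`, `ToolGrant`, the threshold of three denials and the two sample tools are all hypothetical.

```python
# Added example (not from the original chapter). All names, tools and policy
# values are hypothetical.
from __future__ import annotations
from dataclasses import dataclass
from typing import Any, Callable

@dataclass(frozen=True)
class ToolGrant:
    tool: str
    allowed_args: frozenset[str]   # argument names this agent may supply
    max_calls: int                 # call budget for this agent/tool pair

@dataclass
class AuditEvent:
    agent: str
    tool: str
    args: dict[str, Any]
    outcome: str                   # "ok", "denied", "quarantined" or "error"

class ToolGateway:
    """Single choke point through which agents reach tools."""

    def __init__(self, tools: dict[str, Callable[..., Any]], denial_threshold: int = 3):
        self._tools = tools
        self._grants: dict[str, dict[str, ToolGrant]] = {}
        self._calls: dict[tuple[str, str], int] = {}
        self._denials: dict[str, int] = {}
        self.denial_threshold = denial_threshold   # repeated violations => quarantine
        self.quarantined: set[str] = set()
        self.audit: list[AuditEvent] = []

    def grant(self, agent: str, grant: ToolGrant) -> None:
        self._grants.setdefault(agent, {})[grant.tool] = grant

    def _deny(self, agent: str, tool: str, args: dict, reason: str) -> None:
        # Every policy violation is logged and counted; crossing the threshold
        # cuts the agent off from all tools until an operator intervenes.
        self._denials[agent] = self._denials.get(agent, 0) + 1
        if self._denials[agent] >= self.denial_threshold:
            self.quarantined.add(agent)
            self.audit.append(AuditEvent(agent, tool, args, "quarantined"))
        else:
            self.audit.append(AuditEvent(agent, tool, args, "denied"))
        raise PermissionError(f"{agent} -> {tool}: {reason}")

    def invoke(self, agent: str, tool: str, **args: Any) -> Any:
        if agent in self.quarantined:
            self.audit.append(AuditEvent(agent, tool, args, "quarantined"))
            raise PermissionError(f"{agent} is quarantined")
        grant = self._grants.get(agent, {}).get(tool)
        if grant is None:
            self._deny(agent, tool, args, "tool not granted")
        extra = set(args) - grant.allowed_args
        if extra:
            self._deny(agent, tool, args, f"arguments not permitted: {sorted(extra)}")
        key = (agent, tool)
        if self._calls.get(key, 0) >= grant.max_calls:
            self._deny(agent, tool, args, "call budget exhausted")
        self._calls[key] = self._calls.get(key, 0) + 1
        try:
            result = self._tools[tool](**args)
        except Exception:
            self.audit.append(AuditEvent(agent, tool, args, "error"))
            raise
        self.audit.append(AuditEvent(agent, tool, args, "ok"))
        return result

def demo() -> dict:
    # Constructed tools: a read-only lookup and a write-capable one.
    gw = ToolGateway({
        "search": lambda query: f"results for {query}",
        "write_file": lambda path, data: len(data),
    })
    gw.grant("summarizer", ToolGrant("search", frozenset({"query"}), max_calls=2))
    out = {"ok": gw.invoke("summarizer", "search", query="agents")}
    gw.invoke("summarizer", "search", query="tools")
    attempts = [
        ("search", {"query": "third"}),                     # over budget
        ("write_file", {"path": "/tmp/x", "data": "hi"}),   # tool never granted
        ("search", {"query": "q", "unsafe": True}),          # bad argument; third denial
        ("search", {"query": "after"}),                      # already quarantined
    ]
    outcomes = []
    for tool, args in attempts:
        try:
            gw.invoke("summarizer", tool, **args)
            outcomes.append("ok")
        except PermissionError:
            outcomes.append("blocked")
    out["outcomes"] = outcomes
    out["quarantined"] = sorted(gw.quarantined)
    out["audit"] = [e.outcome for e in gw.audit]
    return out

if __name__ == "__main__":
    print(demo())
```

Routing every tool call through one gateway is what makes the audit trail complete: an agent cannot reach a tool without leaving a record, and the same record feeds the behaviour monitor that decides when to quarantine. Scoping grants to argument names (not just tool names) limits what a compromised agent can do with a tool it legitimately holds.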

EXERCISE

Implement a security policy engine that evaluates agent interaction permissions based on trust levels, content types, and destination agent classifications, blocking unauthorized cross-agent communication.