Skip to content

Update ASI07 Insecure Inter-Agent Communication #729

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
stefanoamorelli wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Update ASI07 Insecure Inter-Agent Communication #729

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
fcb26ba
docs(asi07): update Insecure Inter-Agent Communication entry
stefanoamorelli Dec 16, 2025
2d314ad
Merge branch 'main' into update-asi07-insecure-inter-agent-communication
stefanoamorelli Dec 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 37 additions & 17 deletions ...rint 1-first-public-draft-expanded/ASI07_Insecure_Inter_Agent_Communication .md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,28 +1,48 @@
## ASI07 Insecure Inter-Agent Communication
## ASI07: Insecure Inter-Agent Communication

**Description:**
**Description**

A brief description of the vulnerability that includes its potential effects such as system compromises, data breaches, or other security concerns.
Multi agent systems depend on continuous communication between autonomous agents that coordinate via APIs, message buses, and shared memory, significantly expanding the attack surface. Decentralized architecture, varying autonomy, and uneven trust make perimeter-based security models ineffective. Weak inter-agent controls for authentication, integrity, confidentiality, or authorization let attackers intercept, manipulate, spoof, or block messages.

**Common Examples of Vulnerability:**
Insecure Inter-Agent Communication occurs when these exchanges lack proper authentication, integrity, or semantic validation-allowing interception, spoofing, or manipulation of agent messages and intents. The threat spans transport, routing, discovery, and semantic layers, including covert or side-channels where agents leak or infer data through timing or behavioral cues.

1. Example 1: Specific instance or type of this vulnerability.
2. Example 2: Another instance or type of this vulnerability.
3. Example 3: Yet another instance or type of this vulnerability.
This differs from ASI03 (Identity & Privilege Abuse), which focuses on credential and permissions misuse, and ASI06 (Memory & Context Poisoning), which targets stored knowledge corruption. ASI07 focuses on compromising real-time messages between agents, leading to misinformation, privilege confusion, or coordinated manipulation across distributed agentic systems.

**How to Prevent:**
The entry is covered by T12 – Agent Communication Poisoning & T16 – Insecure Inter-Agent Protocol Abuse in Agentic Threats and Mitigations

1. Prevention Step 1: A step or strategy that can be used to prevent the vulnerability or mitigate its effects.
2. Prevention Step 2: Another prevention step or strategy.
3. Prevention Step 3: Yet another prevention step or strategy.
**Common Examples of the Vulnerability**

**Example Attack Scenarios:**
1. Unencrypted and channels enabling semantic manipulation: MITM intercepts unencrypted messages and injects hidden instructions altering agent goals and decision logic.
2. Message tampering leading to cross-context contamination: Modified or injected messages blur task boundaries between agents, leading to data leakage or goal confusion during coordination.
3. Replay on trust chains: Replayed delegation or trust messages trick agents into granting access or honoring stale instructions.
4. Protocol downgrade and descriptor forgery, causing authority confusion: Attackers coerce agents into weaker communication modes or spoof agent descriptors, making malicious commands appear as valid exchanges.
5. Message-routing attacks on discovery and coordination: Misdirected discovery traffic forges relationships with malicious agents or unauthorized coordinators.
6. Metadata analysis for behavioral profiling: Traffic patterns reveal decision cycles and relationships, enabling prediction and manipulation of agent behavior.

Scenario #1: A detailed scenario illustrating how an attacker could potentially exploit this vulnerability, including the attacker's actions and the potential outcomes.
**Example Attack Scenarios**

Scenario #2: Another example of an attack scenario showing a different way the vulnerability could be exploited.
1. Semantic injection via unencrypted communications: Over HTTP or other unauthenticated channels, a MITM attacker injects hidden instructions, causing agents to produce biased or malicious results while appearing normal.
2. Trust poisoning via message tampering: In an agentic trading network, altered reputation messages skew which agents are trusted for decisions.
3. Context confusion via replay: Replayed emergency coordination messages trigger outdated procedures and resource misallocation.
4. Goal manipulation via protocol downgrade: Forced legacy, unencrypted mode lets attackers inject objectives and risk parameters, producing harmful advice.
5. Agent-in-the-Middle via MCP descriptor poisoning: A malicious MCP endpoint advertises spoofed agent descriptors or false capabilities. When trusted, it routes sensitive data through attacker infrastructure.
6. A2A registration spoofing: An attacker registers a fake peer agent in the discovery service using a cloned schema, intercepting privileged coordination traffic.
7. Semantics split-brain: A single instruction is parsed into divergent intents by different agents, producing conflicting but seemingly legitimate actions.

**Reference Links:**
**Prevention and Mitigation Guidelines**

1. [Link Title](URL): Brief description of the reference link.
2. [Link Title](URL): Brief description of the reference link.
1. Secure agent channels: Use end-to-end encryption with per-agent credentials and mutual authentication. Enforce PKI certificate pinning, forward secrecy, and regular protocol reviews to prevent interception or spoofing.
2. Message integrity and semantic protection: Digitally sign messages, hash both payload and context, and validate for hidden or modified natural-language instructions. Apply natural-language–aware sanitization and intent-diffing to detect goal, parameter tampering, hidden or modified natural-language instructions
3. Agent-aware anti-replay: Protect all exchanges with nonces, session identifiers, and timestamps tied to task windows. Maintain short-term message fingerprints or state hashes to detect cross-context replays.
4. Protocol and capability security: Disable weak or legacy communication modes. Require agent-specific trust negotiation and bind protocol authentication to agent identity. Enforce version and capability policies at gateways or middleware.
5. Limit metadata-based inference: Reduce the attack surface for traffic analysis by using fixed-size or padded messages where feasible, smoothing communication rates, and avoiding deterministic communication schedules. These lightweight measures make it harder for attackers to infer agent roles or decision cycles from metadata alone, without requiring heavy protocol redesign.
6. Protocol pinning and version enforcement: Define and enforce allowed protocol versions (e.g., MCP, A2A, gRPC). Reject downgrade attempts or unrecognized schemas and validate that both peers advertise matching capability and version fingerprints.
7. Discovery and routing protection. Authenticate all discovery and coordination messages using cryptographic identity. Secure directories with access controls and verified reputations, validate identity and intent end-to-end, and monitor for anomalous routing flows.
8. Attested registry and agent verification: Use registries or marketplaces that provide digital attestation of agent identity, provenance, and descriptor integrity. Require signed agent cards and continuous verification before accepting discovery or coordination messages. Leverage the PKI trusted root certificate registries to enable robust agent verification and attestation of critical attributes.
9. Typed contracts and schema validation: Use versioned, typed message schemas with explicit per-message audiences. Reject messages that fail validation or attempt schema down-conversion without declared compatibility. Typed contracts help with structure, but semantic divergence across agents remains an inherent challenge; mitigations therefore focus on integrity, provenance, and controlled communication patterns rather than attempting full semantic alignment.

**References**

1. [Local Model Poisoning Attacks to Byzantine-Robust Federated Learning - USENIX Security 2020](https://www.usenix.org/system/files/sec20summer_fang_prepub.pdf)
2. [Manipulating the Byzantine: Optimizing Model Poisoning Attacks and Defenses for Federated Learning - NDSS](https://www.ndss-symposium.org/wp-content/uploads/ndss2021_6C-3_24498_paper.pdf)
3. [Resilient Consensus Control for Multi-Agent Systems - MDPI / PMC](https://pmc.ncbi.nlm.nih.gov/articles/PMC10054319/)