Common Weakness Enumeration

MITRE’s community-maintained catalog (CWE) of software and hardware weakness types, used as a shared vocabulary for describing security vulnerabilities. Cited as a frame for classifying LLM-agent and protocol-layer pathologies.

In this vault

Summary

This survey organizes the emerging threat landscape of LLM-powered AI agents around four knowledge gaps: unpredictability of multi-step user inputs, complexity of internal execution, variability of operational environments, and interactions with untrusted external entities. It unifies single-agent and multi-agent attack surfaces within a perception/brain/action + agent2agent/agent2env/agent2memory taxonomy.

Concrete threats reviewed include adversarial prompts, prompt injection, jailbreaks, backdoor attacks, hallucination and misalignment, tool-use risks, indirect prompt injection, reinforcement-learning environment attacks, cooperative and competitive inter-agent risks, and long/short-term memory attacks. The authors tabulate defenses (prevention- and detection-based), rate their efficacy, and highlight open directions for robust and trustworthy agents.

Key Ideas

Four knowledge gaps framing agent security.

Taxonomy: perception / brain / action / agent2agent / agent2env / agent2memory threats.

Six categories of prompt-injection attack engineering (naive, escape, context-ignore, fake-completion, multimodal, combined).

Jailbreak domino effect in multi-agent populations.

Memory poisoning and indirect prompt injection as underexplored surfaces.

Conceptual Contribution

Claim: LLM Agents security should be organised around four knowledge gaps (input unpredictability, internal complexity, environmental variability, untrusted interactions) mapped onto a perception/brain/action + agent2{agent,env,memory} taxonomy.

Mechanism: Surveys adversarial prompts, prompt injection, jailbreaks, backdoors, hallucination, tool-use risks, indirect injection, RL environment attacks, inter-agent cooperative/competitive risks, memory poisoning; tabulates prevention- vs detection-based defences and rates their efficacy.

Concepts introduced/used: Prompt Injection, Jailbreak, Backdoor Attacks, Tool Use, Memory Poisoning, Hallucination, Model Context Protocol, LLM Agents, Multi-Agent Systems, Trust and Reputation, Distributed Security, Agent Security

Stance: survey

Relates to: Provides the threat scaffolding that MalTool Malicious Tool Attacks deepens at the tool layer; complements lifecycle threats in Survey Of Agent Interoperability Protocols; motivates static-analysis defences like A Language-Based Approach To Prevent DDoS.

Summary

The authors catalogue seven recurring classes of input-handling bugs under the LangSec (language-theoretic security) lens: shotgun parsing, non-minimalist input-handling code, differing interpretations of the input language, incomplete protocol specification, overloaded fields in input format, permissive processing of invalid input, and inability to express input languages in the Chomsky hierarchy. Each class is grounded in concrete CVEs (Heartbleed, Android Master Key, Rosetta Flash, OpenSSL CVE-2016-0752).

LangSec’s remedy is to treat input acceptance as a formal language-recognition problem: specify a grammar no more complex than deterministic context-free, build a recognizer that fully validates before any processing, and cleanly separate parsing from application logic. The paper proposes new CWE entries naming each weakness so auditors can precisely describe vulnerable input-handling code.

Key Ideas

LangSec: input should be a well-defined language with a fully-validating recognizer.

Seven anti-patterns: shotgun parsing, non-minimalist code, interpretation drift, incomplete spec, field overloading, permissive invalid input, undecidable grammars.

Chomsky hierarchy as a safety ceiling for input languages.

Hand-rolled parsers vs parser-combinator / generator tooling (e.g., Hammer).

Proposed new CWEs to label LangSec anti-patterns.

Conceptual Contribution

Claim: Most serious input-handling vulnerabilities reduce to seven recurring anti-patterns, all addressable by treating input acceptance as a formal language-recognition problem bounded by the Chomsky hierarchy.

Mechanism: Catalogues each anti-pattern (shotgun parsing, non-minimalist code, interpretation drift, incomplete spec, field overloading, permissive invalid input, undecidable grammars) against real CVEs (Heartbleed, Android Master Key, Rosetta Flash); prescribes grammar-first validating recognizers and proposes new CWE entries.

Concepts introduced/used: LangSec, Shotgun Parsing, Chomsky Hierarchy, Parser Combinators, Distributed Security, Common Weakness Enumeration

Stance: engineering / critique

Relates to: Shares a language-theoretic security stance with A Language-Based Approach To Prevent DDoS and Security Kernel Lambda Calculus; its grammar-discipline arguments apply directly to the schema/protocol surfaces catalogued in Survey Of Agent Interoperability Protocols and exploited in MalTool Malicious Tool Attacks.

Common Weakness Enumeration

In this vault

Backlinks