← Back to arXiv Cryptography and Security

arXiv Cryptography and Security briefings

Policy SafetyOfficialarXiv Cryptography and Security

How Agents Ask for Permission: User Permissions for AI Agents, from Interfaces to Enforcement

A new preprint surveys 21 proposals for user-level permissions in AI agent systems, developing a taxonomy of how permissions are specified, derived, and enforced. The authors also compare five commercial AI agents to academic proposals, highlighting differences and identifying areas where further research is needed.

Why it matters: As AI agents become more autonomous, robust user-level permissions are essential to prevent unauthorized actions and protect user data, yet current systems lack standardized approaches.

Jul 16, 2026

ResearchOfficialarXiv Cryptography and Security

Study: Plain Coding Agents Rival Specialized Systems in Autonomous Penetration Testing Benchmarks

A new preprint presents a controlled study on the XBOW benchmark, showing that default coding CLI agents (such as Codex, OpenCode, and Pi) using the same GPT-5 model can achieve results comparable to specialized security harnesses like MAPTA and PentestGPT V2. The findings suggest that much of the reported performance in recent autonomous penetration testing systems may be attributable to the underlying language model rather than architectural innovations. The authors advocate for including model-matched plain-agent baselines in future evaluations to accurately assess the impact of system architecture.

Why it matters: This research calls into question the added value of complex architectures in autonomous penetration testing, highlighting the importance of rigorous baselines to properly evaluate new system designs.

Jul 16, 2026

Policy SafetyOfficialarXiv Cryptography and Security

Paper Argues Watermarking AI Content as 'AI-Generated' Is Misguided, Proposes Transparency Instead

A new preprint contends that visible 'AI-generated' labels derived from watermarking are both conceptually and practically flawed. The authors argue such labels oversimplify the creative process, offer no insight into the truthfulness of content, and may stigmatize legitimate uses of generative AI while fostering misplaced trust in unmarked material. Instead, they propose prioritizing process transparency and information literacy to better address the epistemic and ethical challenges posed by AI-generated disinformation.

Why it matters: This work questions the effectiveness of watermarking as a policy tool for AI content, suggesting that more nuanced approaches are needed to address misinformation and ethical concerns.

Jul 16, 2026

ResearchOfficialarXiv Cryptography and Security

Survey Reveals Evidence Gaps for LLMs in Fraud Detection and Trust-and-Safety Workflows

A new survey of 49 operationally relevant sources finds that research on LLMs for fraud detection often lacks public reporting on key operational metrics such as latency, cost, and calibration, while content moderation studies more frequently address these constraints. The authors introduce the FORTE framework to categorize LLM roles in these workflows and propose a minimum deployment-evidence checklist to guide future research. The study highlights the need for more comprehensive evidence before deploying LLMs in live fraud and trust-and-safety systems.

Why it matters: This work underscores that current public evidence is insufficient to justify deploying LLMs in critical fraud detection and trust-and-safety pipelines, impacting deployment and risk management decisions.

Jul 16, 2026

Policy SafetyOfficialarXiv Cryptography and Security

SingGuard-NSFA: Extensible Guardrails for Agentic AI via Generative Reasoning and Real-Time Classification

Researchers present nsfaguard, a guardrail framework designed to secure agentic AI systems against operational threats such as prompt injection, sensitive information extraction, and resource exhaustion. The framework introduces a taxonomy of 185 risk variants, a benchmark suite with over 93,000 samples, and a dual-mode detection system that combines generative reasoning for offline auditing with discriminative classification for real-time detection at approximately 50ms latency. Released models (ranging from 0.8B to 9B parameters) achieve at least 94% F1 on benchmarks, outperforming existing guardrails by 6–12 points.

Why it matters: This work offers a comprehensive and extensible guardrail system for agentic AI, advancing safety and security with high performance and real-time detection capabilities.

Jul 16, 2026

ResearchOfficialarXiv Cryptography and Security

AutoTrace: Agentic Pipeline Localizes Vulnerability Triggers Beyond Patched Functions

AutoTrace is an agentic pipeline that uses LLM agents to explore code property graphs and localize vulnerability triggers, even when they are located outside patched functions. On the InterPVD benchmark, AutoTrace achieves 75.0% VulnHit and 80.8% FuncHit, surpassing previous methods. The authors also introduce SinkTrace-Bench, a dataset of 1,542 source-to-sink causal chains, which reveals that current frontier LLMs struggle with causal reasoning in vulnerability analysis.

Why it matters: This work advances automated vulnerability analysis by enabling interprocedural trigger localization and provides a new benchmark that highlights the causal reasoning limitations of current LLMs.

Jul 15, 2026

ResearchOfficialarXiv Cryptography and Security

StableAML: Machine Learning for Behavioral Wallet Detection in Stablecoin Anti-Money Laundering on Ethereum

A new preprint introduces StableAML, a machine learning framework for detecting money laundering in stablecoin transactions on Ethereum. The study finds that domain-informed tree ensemble models outperform graph neural networks in identifying suspicious wallets, and can distinguish between behavioral patterns of cybercrime syndicates and sanctioned entities. The approach is designed to support compliance with emerging regulations such as the EU's MiCA and the U.S. GENIUS Act.

Why it matters: This work presents a novel, interpretable method for high-precision behavioral classification in stablecoin anti-money laundering, potentially improving compliance and reducing unjustified asset freezes under new regulatory frameworks.

Jul 15, 2026

ResearchOfficialarXiv Cryptography and Security

Agent Identity URI Scheme Enables Decentralized, Topology-Independent Naming and Discovery for Multi-Agent Systems

A new preprint introduces the agent:// URI scheme, designed to decouple agent identity from network location in multi-agent systems. The scheme incorporates trust roots, hierarchical capability paths, and sortable unique identifiers, with cryptographic attestation using PASETO tokens. Evaluation demonstrates full capability expressiveness on 369 tools, perfect discovery precision across 10,000 agents, and sub-5-microsecond performance, suggesting a robust and scalable approach to agent identity and discovery.

Why it matters: This work proposes a novel, decentralized solution to agent identity and discovery, potentially enabling more robust and scalable multi-agent ecosystems.

Jul 15, 2026

Policy SafetyOfficialarXiv Cryptography and Security

Large-Scale Study Reveals LLM Agents Hallucinate Skill Names, Enabling Supply-Chain Attacks

A large-scale study analyzing 15,000 prompts across 12 LLM and agent configurations found that hallucination of skill names is widespread, with rates averaging 36.0% for standalone LLMs and 36.9% for agents, and rising to 43.1% on real-world developer questions. These hallucinated names can be exploited by adversaries who pre-register malicious skills, enabling supply-chain attacks. The study evaluated four defenses and found that the strongest, retrieval grounding, reduced hallucination to 3.2% but significantly reduced the system's usefulness, with correct skill recommendations dropping to about one in six.

Why it matters: This vulnerability exposes LLM agent ecosystems to easy supply-chain attacks, and current defenses severely compromise usability, highlighting the need for structural changes to registries and recommendation pipelines.

Jul 15, 2026

ResearchOfficialarXiv Cryptography and Security

LLMs Show Promise but Limitations in Detecting Malicious Python Packages

A preprint study evaluated 13 large language models (LLMs) on their ability to detect malicious Python packages from PyPI. The models achieved high recall and F1 scores up to 0.99 for flagging malicious packages, but struggled to accurately identify specific lines of malicious code, with weighted F1 dropping to 0.48. Code complexity, particularly longer packages, was found to be the main factor reducing performance.

Why it matters: The findings suggest LLMs can assist in initial triage for software supply chain security, but are not yet reliable for pinpointing specific malicious behaviors.

Jul 15, 2026

Policy SafetyOfficialarXiv Cryptography and Security

Researchers Uncover New Attack Surfaces in Vision-Language Model-Powered Mobile Agents

A new preprint identifies two novel attack surfaces—Screen Perception and Misused Channel—in third-party mobile agents powered by Vision-Language Models (VLMs). The researchers demonstrate seven concrete attacks, showing that malicious apps can hijack agent actions and execute arbitrary commands without requiring permissions, all while remaining visually indistinguishable to users.

Why it matters: This work exposes a fundamental security risk in the design of autonomous mobile agents, emphasizing the need for new security models on multi-tenant platforms.

Jul 15, 2026

ResearchOfficialarXiv Cryptography and Security

Audit Reveals Methodological Flaws in Inference-Time Defense Evaluations for Multimodal LLMs

A recent audit of inference-time defenses for multimodal large language models (MLLMs) found that three benchmark branches failed provenance checks, restricting reliable comparative results to only two datasets. The study also discovered that a legacy keyword-based safety protocol incorrectly counted empty strings as safe, with raw model responses unavailable to reassess this effect. Contrary to earlier claims, the archive does not support widespread model refusal, with a pooled refusal rate of just 0.52%.

Why it matters: This work exposes critical methodological issues in evaluating MLLM safety defenses, emphasizing the importance of traceable audits and provenance standards for trustworthy comparisons.

Jul 15, 2026

Policy SafetyOfficialarXiv Cryptography and Security

Researchers Uncover Decoder Side-channel Attacks in Fault-tolerant Quantum Computers

A new preprint identifies a previously unrecognized class of side-channel attacks targeting fault-tolerant quantum computers. The study demonstrates that syndrome data sent to decoder systems can leak information about which logical circuits are being executed, introducing the concept of 'gate fingerprints'—distinctive patterns in syndrome data that reveal specific logical operations. The authors argue that decoder systems must be secured or trusted to mitigate this vulnerability.

Why it matters: This work exposes a novel security risk in quantum computing, underscoring the importance of secure decoder design as the field progresses toward practical deployment.

Jul 15, 2026

ResearchOfficialarXiv Cryptography and Security

Watermark Forensics for Generative Models: An Information-Theoretic Perspective

A new arXiv preprint introduces an information-theoretic framework for watermark forensics in generative models, establishing fundamental limits on detection, attribution, and payload extraction. The authors derive tight entropy-rate laws, showing that attributing text to one of N users requires Θ(log N/h) tokens and extracting an ℓ-bit payload requires Θ(ℓ/h) tokens, where h is the entropy rate. Experiments on GPT-2, Pythia-410M, and Qwen2.5 confirm the theoretical predictions.

Why it matters: This work rigorously quantifies the trade-offs and costs of watermarking in generative AI, providing a theoretical foundation that can inform the design of more reliable forensic tools.

Jul 15, 2026

ResearchOfficialarXiv Cryptography and Security

MCP Pitfall Lab: Exposing Developer Pitfalls in MCP Tool Server Security under Multi-Vector Attacks

Researchers present MCP Pitfall Lab, a protocol-aware security testing framework for Model Context Protocol (MCP) tool servers that models developer pitfalls as reproducible scenarios and validates outcomes using objective validators. In 2,579 runs across four models, they report a 31.9% overall attack success rate, with multi-modal injection attacks achieving the highest rate at 38.7%. The framework also introduces the Semantic MCP-Bill-of-Material (MCP-BOM), which augments component inventories with security-relevant tool semantics to aid in auditing and hardening. The study demonstrates that static analysis alone is insufficient for certain attack vectors, highlighting the need for runtime provenance.

Why it matters: This work provides a novel and practical framework for systematically identifying and mitigating security risks in the MCP tool server ecosystem, advancing the security of AI software supply chains.

Jul 15, 2026

ResearchOfficialarXiv Cryptography and Security

New Evaluation Protocol for AI Pentesting Agents Targets Real-World Vulnerability Discovery

Researchers have introduced a practical evaluation protocol for AI pentesting agents that emphasizes validated vulnerability discovery in complex, real-world targets, rather than just task completion. The protocol incorporates LLM-based semantic matching, bipartite resolution, and cumulative scoring to enable more operationally meaningful comparisons between agents. Expert-annotated ground truth and code are released to support reproducibility.

Why it matters: This protocol bridges the gap between controlled benchmarks and real-world offensive security, supporting more reliable and realistic assessment of AI agents for cybersecurity applications.

Jul 15, 2026

ResearchOfficialarXiv Cryptography and Security

Ball Differential Privacy: Less Noise, Stronger Reconstruction Defense

Ball Differential Privacy (Ball-DP) modifies standard differential privacy by enforcing indistinguishability only for substitutions within a bounded ball in embedding space, rather than over all possible records. This approach allows for reduced noise addition while still providing robustness against reconstruction attacks. The paper introduces noise calibrations for convex learning and Ball-ReRo certificates that bound reconstruction success, and demonstrates through experiments on seven benchmarks that Ball-DP achieves improved utility compared to standard DP, particularly at high privacy levels.

Why it matters: Ball-DP provides a practical method to reduce the accuracy cost of differential privacy in machine learning, making privacy-preserving models more feasible when defending against reconstruction attacks.

Jul 15, 2026

ResearchOfficialarXiv Cryptography and Security

Study Finds Majority of x402 AI Agent Payments Are Fictitious or Internal

A population-scale analysis of the x402 protocol for AI agent payments on the Base blockchain reveals that, over 280 days, 21.20% of 136.7 million settlements are fictitious and 63.78% are internal to linked clusters. The study finds that genuinely independent payments are much lower, ranging between $187,861 and $20.3 million, indicating that settlement counts primarily reflect manufacturability rather than real adoption.

Why it matters: This research challenges claims of a robust AI agent economy by demonstrating that most on-chain payments can be artificially generated, undermining settlement count as a metric for genuine autonomous economic activity.

Jul 15, 2026

ResearchOfficialarXiv Cryptography and Security

Bulkhead: LLM-Based Framework for Automated Detection and Remediation of Container Escape Vulnerabilities

A new preprint introduces Bulkhead, an automated framework that integrates large language models (LLMs) with formal methods to detect and remediate path traversal vulnerabilities in containerized environments. Bulkhead employs a multi-agent system to identify cross-boundary interactions, generate proof-of-concept exploits, and produce verified patches. The approach aims to address the limitations of existing detection and defense methods for container escape vulnerabilities, particularly as cloud systems increasingly mount shared resources for AI workloads.

Why it matters: Automated, semantic detection and remediation of container escape vulnerabilities is increasingly important for securing cloud environments that support AI workloads and shared resources.

Jul 15, 2026

ResearchOfficialarXiv Cryptography and Security

Study: 38.9% of AI-Generated Pull Requests Contain Security Smells

A large-scale empirical study of 4,022 pull requests from the AIDev dataset found that 38.9% of agent-generated PRs contain at least one security smell, with supply chain integrity issues accounting for 82.3% of all detected smells. Hard-coded credentials made up 99.6% of critical-severity issues, and 81.1% of these credentials went undetected before integration. The study also found that human collaborators introduced 67.6% of genuine leaked secrets in agent-assisted workflows.

Why it matters: This research reveals that autonomous coding agents introduce significant security risks that current review processes often fail to catch, highlighting the urgent need for improved security guardrails in human-AI collaboration.

Jul 15, 2026