Threat Model-Driven Test Framework for Security and Privacy of Agentic LLM Applications
摘要
Agentic llms are equipped with ‘agency’, the capability to autonomously take action, which can range from invoking auxiliary custom tools, scripts or modules, directly accessing databases, communicating with external web services, to even participating in multi-agent, long-running business processes. This agentic capability significantly increases the attack surface and risk exposure: user interactions are no longer confined to a single conversation or session, and the execution of agentic code incurs additional security and privacy threats. This paper first presents a structured threat model for agentic llm applications consisting of 159 threats. This threat model is based on the systematic application of both stride and linddun. We contextualize the threat analysis results in three emerging threat taxonomy efforts, among which the owasp threat model for Agentic AI and the threat model for the Model Context Protocol (mcp). Secondly, we present a novel and extensible test framework designed to experimentally verify the identified threats through 7 concrete test cases, each anchored to specific threats. We report on experimental findings obtained over 5 different llms. Through demonstrating the vulnerability of current llms to the identified threats, this work highlights real-world risks that can in part be attributed to the rapid roll-out of agentic AI technology, underscoring yet again the importance of proper security and privacy by design efforts.