{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,21]],"date-time":"2026-02-21T18:37:41Z","timestamp":1771699061322,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":29,"publisher":"ACM","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,10,13]]},"DOI":"10.1145\/3766882.3767177","type":"proceedings-article","created":{"date-parts":[[2025,10,1]],"date-time":"2025-10-01T13:55:02Z","timestamp":1759326902000},"page":"50-55","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Securing MCP-based Agent Workflows"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-1158-3056","authenticated-orcid":false,"given":"Grigoris","family":"Ntousakis","sequence":"first","affiliation":[{"name":"Brown University, Providence, RI, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2613-531X","authenticated-orcid":false,"given":"Julian James","family":"Stephen","sequence":"additional","affiliation":[{"name":"IBM Research, Yorktown Heights, NY, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5000-6393","authenticated-orcid":false,"given":"Michael V.","family":"Le","sequence":"additional","affiliation":[{"name":"IBM Research, Yorktown Heights, NY, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3663-9231","authenticated-orcid":false,"given":"Sai Sree Laya","family":"Chukkapalli","sequence":"additional","affiliation":[{"name":"IBM Research, Yorktown Heights, NY, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4915-1286","authenticated-orcid":false,"given":"Teryl","family":"Taylor","sequence":"additional","affiliation":[{"name":"IBM Research, Yorktown Heights, NY, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-2157-1140","authenticated-orcid":false,"given":"Ian 
M.","family":"Molloy","sequence":"additional","affiliation":[{"name":"IBM Research, Yorktown Heights, NY, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5143-8318","authenticated-orcid":false,"given":"Frederico","family":"Araujo","sequence":"additional","affiliation":[{"name":"IBM Research, Yorktown Heights, NY, USA"}]}],"member":"320","published-online":{"date-parts":[[2025,10,13]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2024. GitHub MCP Server. https:\/\/github.com\/github\/github-mcp-server. Accessed: 2025-07-04."},{"key":"e_1_3_2_1_2_1","unstructured":"2025. GitHub MCP Exploited: Accessing private repositories via MCP. https:\/\/invariantlabs.ai\/blog\/mcp-github-vulnerability. Accessed: 2025-07-04."},{"key":"e_1_3_2_1_3_1","unstructured":"Agent Communication Protocol Team. 2025. Welcome - Agent Communication Protocol. https:\/\/agentcommunicationprotocol.dev\/introduction\/welcome Accessed: 2025-07-08."},{"key":"e_1_3_2_1_4_1","unstructured":"Anthropic PBC. 2025. Claude.ai Desktop App Download. https:\/\/claude.ai\/download Accessed: 2025-07-28."},{"key":"e_1_3_2_1_5_1","volume-title":"Building resilient medical technology supply chains with a software bill of materials. npj Digital Medicine 4, 1","author":"Carmody Seth","year":"2021","unstructured":"Seth Carmody, Andrea Coravos, Ginny Fahs, Audra Hatch, Janine Medina, Beau Woods, and Joshua Corman. 2021. Building resilient medical technology supply chains with a software bill of materials. npj Digital Medicine 4, 1 (2021), 1--6."},{"key":"e_1_3_2_1_6_1","unstructured":"Manuel Costa Boris K\u00f6pf Aashish Kolluri Andrew Paverd Mark Russinovich Ahmed Salem Shruti Tople Lukas Wutschitz and Santiago Zanella-B\u00e9guelin. 2025. Securing AI Agents with Information-Flow Control. 
arXiv:2505.23643 [cs.CR] https:\/\/arxiv.org\/abs\/2505.23643"},{"key":"e_1_3_2_1_7_1","unstructured":"Edoardo Debenedetti Ilia Shumailov Tianqi Fan Jamie Hayes Nicholas Carlini Daniel Fabian Christoph Kern Chongyang Shi Andreas Terzis and Florian Tram\u00e8r. 2025. Defeating Prompt Injections by Design. arXiv:2503.18813 [cs.CR] https:\/\/arxiv.org\/abs\/2503.18813"},{"key":"e_1_3_2_1_8_1","volume-title":"Magentic-one: A generalist multi-agent system for solving complex tasks. arXiv preprint arXiv:2411.04468","author":"Fourney Adam","year":"2024","unstructured":"Adam Fourney, Gagan Bansal, Hussein Mozannar, Cheng Tan, Eduardo Salinas, Friederike Niedtner, Grace Proebsting, Griffin Bassman, Jack Gerrits, Jacob Alber, et al. 2024. Magentic-one: A generalist multi-agent system for solving complex tasks. arXiv preprint arXiv:2411.04468 (2024)."},{"key":"e_1_3_2_1_9_1","unstructured":"Google Developers Blog. 2024. A2A: A New Era of Agent Interoperability. https:\/\/developers.googleblog.com\/en\/a2a-a-new-era-of-agent-interoperability\/ Accessed: 2025-07-08."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"crossref","unstructured":"Kai Greshake Sahar Abdelnabi Shailesh Mishra Christoph Endres Thorsten Holz and Mario Fritz. 2023. Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection. arXiv:2302.12173 [cs.CR] https:\/\/arxiv.org\/abs\/2302.12173","DOI":"10.1145\/3605764.3623985"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/54289.871709"},{"key":"e_1_3_2_1_12_1","volume-title":"GNtousakis, julianstephen, araujof, terylt, and mvle.","year":"2025","unstructured":"imolloy, iamsreec, GNtousakis, julianstephen, araujof, terylt, and mvle. 2025. SEP-1075: Security Annotations for MCP Tool Definitions. GitHub issue #1075, ModelContextProtocol\/modelcontextprotocol. 
https:\/\/github.com\/modelcontextprotocol\/modelcontextprotocol\/issues\/1075 Status: Open; opened 2025-07-28."},{"key":"e_1_3_2_1_13_1","volume-title":"GNtousakis, julianstephen, araujof, terylt, and mvle.","year":"2025","unstructured":"imolloy, iamsreec, GNtousakis, julianstephen, araujof, terylt, and mvle. 2025. SEP-1076: Dependency Annotations. GitHub issue #1076, ModelContextProtocol\/modelcontextprotocol. https:\/\/github.com\/modelcontextprotocol\/modelcontextprotocol\/issues\/1076 Status: draft; opened 2025-07-17."},{"key":"e_1_3_2_1_14_1","unstructured":"Invariant Labs. 2025. MCP Security Notification: Tool Poisoning Attacks. https:\/\/invariantlabs.ai\/blog\/mcp-security-notification-tool-poisoning-attacks Accessed: 2025-07-21."},{"key":"e_1_3_2_1_15_1","unstructured":"Yuanchun Li Hao Wen Weijun Wang Xiangyu Li Yizhen Yuan Guohong Liu Jiacheng Liu Wenxing Xu Xiang Wang Yi Sun Rui Kong Yile Wang Hanfei Geng Jian Luan Xuefeng Jin Zilong Ye Guanjing Xiong Fan Zhang Xiang Li Mengwei Xu Zhijun Li Peng Li Yang Liu Ya-Qin Zhang and Yunxin Liu. 2024. Personal LLM Agents: Insights and Survey about the Capability Efficiency and Security. arXiv:2401.05459 [cs.HC] https:\/\/arxiv.org\/abs\/2401.05459"},{"key":"e_1_3_2_1_16_1","unstructured":"Xiao Liu Hao Yu Hanchen Zhang Yifan Xu Xuanyu Lei Hanyu Lai Yu Gu Hangliang Ding Kaiwen Men Kejuan Yang Shudan Zhang Xiang Deng Aohan Zeng Zhengxiao Du Chenhui Zhang Sheng Shen Tianjun Zhang Yu Su Huan Sun Minlie Huang Yuxiao Dong and Jie Tang. 2023. AgentBench: Evaluating LLMs as Agents. arXiv:2308.03688 [cs.AI] https:\/\/arxiv.org\/abs\/2308.03688"},{"key":"e_1_3_2_1_17_1","unstructured":"mcp.so. 2025. MCP Servers. https:\/\/mcp.so\/explore Accessed: 2025-07-28."},{"key":"e_1_3_2_1_18_1","unstructured":"Model Context Protocol Team. 2025. Introduction - Model Context Protocol. 
https:\/\/modelcontextprotocol.io\/introduction Accessed: 2025-07-08."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/1095810.1095829"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/1346281.1346321"},{"key":"e_1_3_2_1_21_1","volume-title":"ConfusedPilot: Confused Deputy Risks in RAG-based LLMs. ArXiv abs\/2408.04870","author":"RoyChowdhury Ayush","year":"2024","unstructured":"Ayush RoyChowdhury, Mulong Luo, Prateek Sahu, Sarbartha Banerjee, and Mohit Tiwari. 2024. ConfusedPilot: Confused Deputy Risks in RAG-based LLMs. ArXiv abs\/2408.04870 (2024). https:\/\/api.semanticscholar.org\/CorpusId:271871335"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"crossref","unstructured":"J. Saltzer and M. D. Schroeder. 1975. The protection of information in computer systems. Proceedings of the IEEE.","DOI":"10.1109\/PROC.1975.9939"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.26"},{"key":"e_1_3_2_1_24_1","unstructured":"Hao Song Yiming Shen Wenxuan Luo Leixin Guo Ting Chen Jiashui Wang Beibei Li Xiaosong Zhang and Jiachi Chen. 2025. Beyond the Protocol: Unveiling Attack Vectors in the Model Context Protocol Ecosystem. arXiv:2506.02040 [cs.CR] https:\/\/arxiv.org\/abs\/2506.02040"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/1294261.1294284"},{"key":"e_1_3_2_1_26_1","volume-title":"First Conference on Language Modeling.","author":"Wu Qingyun","year":"2024","unstructured":"Qingyun Wu, Gagan Bansal, Jieyu Zhang, Yiran Wu, Beibin Li, Erkang Zhu, Li Jiang, Xiaoyun Zhang, Shaokun Zhang, Jiale Liu, et al. 2024. Autogen: Enabling next-gen LLM applications via multi-agent conversations. 
In First Conference on Language Modeling."},{"key":"e_1_3_2_1_27_1","unstructured":"Zhiheng Xi Wenxiang Chen Xin Guo Wei He Yiwen Ding Boyang Hong Ming Zhang Junzhe Wang Senjie Jin Enyu Zhou Rui Zheng Xiaoran Fan Xiao Wang Limao Xiong Yuhao Zhou Weiran Wang Changhao Jiang Yicheng Zou Xiangyang Liu Zhangyue Yin Shihan Dou Rongxiang Weng Wensen Cheng Qi Zhang Wenjuan Qin Yongyan Zheng Xipeng Qiu Xuanjing Huang and Tao Gui. 2023. The Rise and Potential of Large Language Model Based Agents: A Survey. arXiv:2309.07864 [cs.AI] https:\/\/arxiv.org\/abs\/2309.07864"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00219"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3690624.3709179"}],"event":{"name":"SOSP '25: ACM SIGOPS 31st Symposium on Operating Systems Principles","location":"Seoul Republic of Korea","acronym":"SOSP '25","sponsor":["SIGOPS ACM Special Interest Group on Operating Systems"]},"container-title":["Proceedings of the 4th Workshop on Practical Adoption Challenges of ML for Systems"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3766882.3767177","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,13]],"date-time":"2025-11-13T17:19:40Z","timestamp":1763054380000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3766882.3767177"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,13]]},"references-count":29,"alternative-id":["10.1145\/3766882.3767177","10.1145\/3766882"],"URL":"https:\/\/doi.org\/10.1145\/3766882.3767177","relation":{},"subject":[],"published":{"date-parts":[[2025,10,13]]},"assertion":[{"value":"2025-10-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}