CapShim: Validating Capability Policies for the Model Context Protocol via a Non-Interference Type System

Fatimah Emad Eldin

CapShim is a transparent proxy between an LLM agent and an MCP server.

It typechecks the agent's proposed tool-call plan against an

Information Flow Control (IFC) lattice and statically rejects any

plan whose data flow would violate a YAML-declared policy — before

any tool fires.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

The paper presents a very fun! and self contained little experiment in implementing a capability-based constraint system for MCP commands. This is a very nice project, and I'm curious to see how it develops! That being said, the work builds on a really rich area of information flow type systems for which similar ideas have been tried out and their various warts discovered and accounted for. In particular, following the development of the first information flow type systems, the area has investigated various extensions and refinements to make it easier and more ergonomic to use these types. One particular problem is that these policies end up being very restrictive, and often loose information too quickly. One idea that I would encourage the author to look into is that while historically these heavier more precise type systems have had typing obligations that would put off any human, they may be more than manageable for an agent. Anyway, overall, this paper is very clean, consise, self contained and fun to read, the direction is well scoped and tackles an interesting problem albeit with a small delta ontop of existing work. Looking forward to seeing how this develops!

The framing is principled and timely: treat MCP's ambient authority as a type error and enforce information-flow control at the protocol boundary. The artifact is real (a deployable proxy, four specified typing rules, real-server tests), and the limitations section is a model, naming in-LLM laundering, lying tool authors, and timing channels rather than burying them. The score rests on that engineering; validation is the soft spot. The 100% block and 0% false-positive figures use an external attack taxonomy but a self-built harness on the author's own toy server, plus ten invented benign cases, so they are not yet independent evidence; an outside agent-injection corpus would fix this. The non-interference argument, the paper's titular contribution, is an unproven sketch with its three lemmas deferred, and as stated covers only payload-bearing egress, narrower than the abstract implies. T-Declassify, the one rule that intentionally moves Secret data, is never exercised by any scenario.

This work correctly identifies a security issue underlying much of today's agentic workflows. The proposed solution is relatively simple - and this is excellent and the author resists the temptation to overcomplicate. I would not be surprised if this approach is essentially or similar to what the industry settles on in the near-to-medium term. This work has clearly been conducted by a competent ML engineer with good security mindset and thinking and I look forward to seeing more from them.

The design displayed requires no onerous refactoring of existing workflows and would be relatively simple to drop in place (modulo maintainers needing anyway to create sensible security policies). The separation of policy from tool implementations allows reusability and aids abstraction.

This work is similar conceptually to CaMeL (https://arxiv.org/abs/2503.18813) and it was a notable omission to not place the work in this context and distinguish it appropriately. Similarly the benchmark was hard to evaluate credibility of since it is small and self-authored, but provides _some_ credibility. The diagram had overflowing text which was a little messy. I was also a little concerned that the soundness sketch was not proved; I"ll also note that I don't think it actually reflects the threat model mentioned earlier (given adversaries have some control over emission of tool calls) which might mislead reviewers.

I particularly liked Appendix A and the correct identification of additional covert channels though I would add that (4) significantly underestimates the capacity of an attacker to get information out through the choice, timing and order of different benign calls.

Cite this work

@misc {

title={

(HckPrj) CapShim: Validating Capability Policies for the Model Context Protocol via a Non-Interference Type System

},

author={

Fatimah Emad Eldin

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.