Enregistré dans:
Détails bibliographiques
Auteurs principaux: Zheng, Yusheng, Yang, Yiwei, Zhang, Wei, Quinn, Andi
Format: Preprint
Publié: 2026
Sujets:
Accès en ligne:https://arxiv.org/abs/2603.20625
Tags: Ajouter un tag
Pas de tags, Soyez le premier à ajouter un tag!
_version_ 1866910061981335552
author Zheng, Yusheng
Yang, Yiwei
Zhang, Wei
Quinn, Andi
author_facet Zheng, Yusheng
Yang, Yiwei
Zhang, Wei
Quinn, Andi
contents LLM agent frameworks increasingly offer checkpoint-restore for error recovery and exploration, advising developers to make external tool calls safe to retry. This advice assumes that a retried call will be identical to the original, an assumption that holds for traditional programs but fails for LLM agents, which re-synthesize subtly different requests after restore. Servers treat these re-generated requests as new, enabling duplicate payments, unauthorized reuse of consumed credentials, and other irreversible side effects; we term these semantic rollback attacks. We identify two attack classes, Action Replay and Authority Resurrection, validate them in a proof of concept experiment, and confirm that the problem has been independently acknowledged by framework maintainers. We propose ACRFence, a framework-agnostic mitigation that records irreversible tool effects and enforces replay-or-fork semantics upon restoration
format Preprint
id arxiv_https___arxiv_org_abs_2603_20625
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle ACRFence: Preventing Semantic Rollback Attacks in Agent Checkpoint-Restore
Zheng, Yusheng
Yang, Yiwei
Zhang, Wei
Quinn, Andi
Cryptography and Security
LLM agent frameworks increasingly offer checkpoint-restore for error recovery and exploration, advising developers to make external tool calls safe to retry. This advice assumes that a retried call will be identical to the original, an assumption that holds for traditional programs but fails for LLM agents, which re-synthesize subtly different requests after restore. Servers treat these re-generated requests as new, enabling duplicate payments, unauthorized reuse of consumed credentials, and other irreversible side effects; we term these semantic rollback attacks. We identify two attack classes, Action Replay and Authority Resurrection, validate them in a proof of concept experiment, and confirm that the problem has been independently acknowledged by framework maintainers. We propose ACRFence, a framework-agnostic mitigation that records irreversible tool effects and enforces replay-or-fork semantics upon restoration
title ACRFence: Preventing Semantic Rollback Attacks in Agent Checkpoint-Restore
topic Cryptography and Security
url https://arxiv.org/abs/2603.20625