Defense-in-depth testing: APS delegation enforcement as defense layer for ASI benchmarks #5
Open
Kevlar benchmarks ASI-01 through ASI-10 at the model reasoning level. The Agent Passport System provides a cryptographic enforcement layer that Kevlar can use to test whether defense-in-depth actually holds when the model layer is compromised.
Test scenario: Run Kevlar's ASI-01 (Goal Hijack) attack against an agent protected by APS delegation chains. The agent's LLM gets hijacked and attempts an out-of-scope action. Does the APS policy engine catch it?
| Kevlar ASI Test | APS Defense Layer | Expected Result |
|---|---|---|
| ASI-01: Goal Hijack | Delegation scope check | Hijacked intent signed but denied — action outside delegated scope |
| ASI-02: Tool Misuse | ProxyGateway tool binding | Tool call rejected — not in approved tool list |
| ASI-03: Identity Abuse | Ed25519 signature verification | Forged identity fails cryptographic check |
| ASI-05: RCE | Gateway execution boundary | Code execution attempt denied — not in delegation scope |
| ASI-07: Inter-Agent Comms | Signed messages + delegation proof | Unsigned message rejected; out-of-scope delegation denied |
| ASI-10: Rogue Agents | Cascade revocation | Revoke parent delegation → rogue agent's authority invalidated |
APS ships as an MCP server (120 tools), so Kevlar could integrate it as a defense layer and test whether prompt injection attacks that succeed at the model layer are still blocked at the authorization layer.
- SDK: `npm install agent-passport-system` (v1.27.0, 1634 tests)
- MCP server: 120 tools
- GitHub: https://github.com/aeoess/agent-passport-system
Would you be interested in adding an "APS-defended agent" test profile to Kevlar?