Workshop paper

Automated Annotation Inference for MCP-based Agents

Abstract

Model Context Protocol (MCP) provides a standardized interface for agents to interact with external tools and data sources such as file systems, APIs, and databases. However, the flexibility of MCP, especially when combined with large language models (LLMs) for autonomous planning, introduces vulnerabilities, including unrestricted tool access coupled with opaque decision-making processes, which can lead to system failures or security breaches. To address these risks, Information Flow Control (IFC) systems are commonly employed to enforce policies that regulate data flow within and between components. However, these systems typically rely on manually annotated labels. This talk presents an approach for automatically inferring IFC annotations by analyzing an agent’s source code, deployment configuration, and runtime behavior. Our method targets MCP-based agents and leverages a combination of static and dynamic analysis techniques. By analyzing the agent’s source code and libraries, we identify capabilities and data handling patterns that are then enriched with metadata extracted from deployment configurations. Additionally, we monitor network traffic and filesystem state within an execution environment to capture dynamic interactions and validate the inferred annotations. This multi-step approach improves the accuracy of label inference, enabling correct and secure deployment.
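To make the three-stage pipeline in the abstract concrete (static capability extraction, enrichment with deployment metadata, validation against observed runtime behaviour), here is an added toy example. It is not the authors' implementation and borrows nothing from their analysis: the call-to-capability rule table, the tool module, the deployment configuration and the runtime trace are all constructed for illustration, and the label vocabulary (`fs:<mount>`, `net:<host>`, `exec`) is an assumption of this example. The static pass walks a Python AST and assigns a coarse label per tool function; the config pass refines coarse labels with the hosts and mounts the deployment permits; the dynamic pass reports any observed flow the inferred annotation does not cover, which is where a reviewer would either widen the label or tighten the deployment.

```python
import ast

# Assumed rule table (constructed): call site -> coarse capability label.
CALL_RULES = {
    "open": "fs",
    "requests.get": "net",
    "requests.post": "net",
    "subprocess.run": "exec",
}

# Constructed source of a hypothetical MCP tool module (not a real project).
TOOL_SOURCE = '''
import requests

def read_report(path):
    with open(path) as f:
        return f.read()

def post_summary(text):
    return requests.post("https://api.example.invalid/summarize", json={"t": text})
'''

# Constructed deployment metadata: which hosts the agent may reach and which paths it may read.
DEPLOY_CONFIG = {"allowed_hosts": ["api.example.invalid"], "mounts": ["/data"]}

# Constructed runtime trace, in the shape a sandbox network/filesystem monitor might emit.
RUNTIME_EVENTS = [
    {"tool": "read_report", "kind": "fs", "path": "/data/reports/q1.txt"},
    {"tool": "post_summary", "kind": "net", "host": "api.example.invalid"},
    {"tool": "post_summary", "kind": "net", "host": "telemetry.example.invalid"},
    {"tool": "read_report", "kind": "fs", "path": "/tmp/cache.bin"},
]


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain used as a call target, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def infer_static_labels(source):
    """Static pass: map each top-level function to the coarse capabilities its calls imply."""
    labels = {}
    for fn in ast.parse(source).body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        found = set()
        for node in ast.walk(fn):
            if isinstance(node, ast.Call):
                name = _dotted_name(node.func)
                if name in CALL_RULES:
                    found.add(CALL_RULES[name])
        labels[fn.name] = found
    return labels


def enrich_with_config(labels, config):
    """Config pass: refine 'net'/'fs' to the hosts and mounts the deployment actually grants.

    This over-approximates (every net-capable tool gets every allowed host); the dynamic
    pass below is what narrows or challenges that."""
    enriched = {}
    for tool, caps in labels.items():
        refined = set()
        for cap in caps:
            if cap == "net":
                refined.update(f"net:{h}" for h in config.get("allowed_hosts", []))
            elif cap == "fs":
                refined.update(f"fs:{m}" for m in config.get("mounts", []))
            else:
                refined.add(cap)
        enriched[tool] = refined
    return enriched


def validate_with_runtime(annotations, events):
    """Dynamic pass: return (tool, observed_flow) pairs not covered by the inferred annotation."""
    violations = []
    for ev in events:
        allowed = annotations.get(ev["tool"], set())
        if ev["kind"] == "net":
            observed = f"net:{ev['host']}"
            covered = observed in allowed
        elif ev["kind"] == "fs":
            observed = f"fs:{ev['path']}"
            # A mount covers a path only as a directory prefix ('/data' must not match '/database').
            covered = any(
                lab.startswith("fs:") and ev["path"].startswith(lab[3:].rstrip("/") + "/")
                for lab in allowed
            )
        else:
            observed = ev["kind"]
            covered = observed in allowed
        if not covered:
            violations.append((ev["tool"], observed))
    return violations


def run_pipeline(source=TOOL_SOURCE, config=DEPLOY_CONFIG, events=RUNTIME_EVENTS):
    """Run all three passes and return (annotations, undeclared flows)."""
    annotations = enrich_with_config(infer_static_labels(source), config)
    return annotations, validate_with_runtime(annotations, events)


if __name__ == "__main__":
    ann, viol = run_pipeline()
    for tool, labs in ann.items():
        print(f"{tool}: {sorted(labs)}")
    for tool, observed in viol:
        print(f"undeclared flow: {tool} -> {observed}")
```

On the constructed trace, the two covered events pass silently and the two undeclared ones (an extra egress host from `post_summary`, a read outside the declared mount by `read_report`) are reported rather than merged into the annotation; automatically widening labels to match whatever the agent was observed doing would defeat the point of inferring them.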