
AEGIS Secures LLM API Routers Against Man-in-the-Middle Attacks Using Attested Trusted Execution Environments

A new system called AEGIS uses attested trusted execution environments to prevent LLM API routers from acting as man-in-the-middle. The provider-transparent design confines plaintext to a small hardware enclave, blocking four attack classes including tool call rewriting and credential exfiltration. In a seeded audit, two coding agents found 8 and 10 of 10 planted invariant violations.

iGEN Editorial
June 16, 2026

Large language model (LLM) API routers expose a critical security gap: because the router terminates the client's transport-layer security session and opens a separate upstream session, it holds the full interaction in plaintext. This makes the router an application-layer man-in-the-middle capable of rewriting agent tool calls, swapping dependencies for typosquatted packages, triggering attacks only under audit-evading conditions, and passively exfiltrating secrets. Existing client-side defenses are evadable, according to researchers from multiple institutions in a paper posted on arXiv.

The Threat Landscape

The researchers identify four distinct malicious-router attack classes that succeed against a plaintext-access baseline:

  • Rewriting agent tool calls to alter the intended action
  • Swapping dependencies for typosquatted packages to inject malicious code
  • Triggering attacks under audit-evading conditions to avoid detection
  • Passively exfiltrating secrets such as API keys or sensitive data

These attacks are possible because the router sees all plaintext data between the client and the LLM.

How AEGIS Works

The paper proposes AEGIS, a provider-transparent attested API router whose data path is a client-verified faithful passthrough. AEGIS confines plaintext handling to a small hardware-enclave component, while authentication, scheduling, accounting, and management remain on the untrusted host. The client verifies the enclave before releasing plaintext. The host can neither read nor alter the interaction, and plaintext leaves only toward destinations fixed by the measured image.

AEGIS carries three provider-native APIs without conversion and completes every request under real-provider workload and concurrency.
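To make the trust boundary concrete, the following is an added Python simulation of the attested-passthrough design described above; it is not code from the paper or from the AEGIS project, and it does not use any real TEE SDK. It models the three parties the text names: an untrusted host that drives the exchange but only ever sees attestation reports and ciphertext, an enclave whose measurement covers the image including its fixed upstream destination, and a client that releases plaintext only after the report's signature, freshness and measurement all check out. The cryptographic pieces are standard-library stand-ins and are labelled as such in the code: an HMAC under a constructed `HW_ROOT_KEY` plays the role of the vendor-signed attestation report, a toy-sized Diffie-Hellman group (`2**127 - 1`) plays the enclave key exchange, and an encrypt-then-MAC construction over a SHA-256 keystream plays the AEAD. All image contents, URLs and function names are constructed.

```python
# Stdlib-only simulation of an attested passthrough relay (constructed example, toy crypto).
import hashlib
import hmac
import json
import secrets

# Toy Diffie-Hellman group: 2**127-1 is prime but far too small for real use.
DH_P = 2**127 - 1
DH_G = 2
# Stands in for the TEE vendor's report-signing key (real reports are asymmetrically signed).
HW_ROOT_KEY = b"constructed-hardware-root-key"

def measure(image: dict) -> str:
    """Hash of the enclave image. The upstream destination is part of the image, so a
    relay that would forward plaintext elsewhere produces a different measurement."""
    return hashlib.sha256(json.dumps(image, sort_keys=True).encode()).hexdigest()

def derive_key(shared_secret: int) -> bytes:
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()

def _keystream(key: bytes, nonce: bytes, aad: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + aad + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, nonce: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC; the aad separates the request and response directions."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, aad, len(plaintext))))
    tag = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()
    return ct + tag

def open_sealed(key: bytes, nonce: bytes, blob: bytes, aad: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: ciphertext was modified in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, aad, len(ct))))

def _sign_report(body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(HW_ROOT_KEY, canonical, hashlib.sha256).hexdigest()

class Enclave:
    """Trusted component: the only place on the router where plaintext exists."""

    def __init__(self, image: dict):
        self.image = image
        self.measurement = measure(image)
        self._priv = secrets.randbelow(DH_P - 2) + 2
        self.pub = pow(DH_G, self._priv, DH_P)

    def attest(self, client_nonce: bytes) -> dict:
        """Report binding the measurement, the key-exchange value and the client's nonce."""
        body = {"measurement": self.measurement, "dh_pub": self.pub, "nonce": client_nonce.hex()}
        return {"body": body, "sig": _sign_report(body)}

    def relay(self, client_pub: int, nonce: bytes, blob: bytes, provider) -> bytes:
        key = derive_key(pow(client_pub, self._priv, DH_P))
        request = open_sealed(key, nonce, blob, b"request")  # raises if the host edited it
        # Plaintext leaves only toward the destination fixed by the measured image.
        response = provider(self.image["upstream"], request)
        return seal(key, nonce, response, b"response")

def verify_report(report: dict, nonce: bytes, expected_measurement: str) -> int:
    """Client-side checks; every one must pass before any plaintext is released."""
    body = report["body"]
    if not hmac.compare_digest(_sign_report(body), report["sig"]):
        raise PermissionError("attestation signature invalid")
    if body["nonce"] != nonce.hex():
        raise PermissionError("attestation report is not fresh")
    if body["measurement"] != expected_measurement:
        raise PermissionError("enclave measurement does not match the pinned image")
    return body["dh_pub"]

def fake_provider(upstream: str, request: bytes) -> bytes:
    # Constructed stand-in for the LLM provider; it reports where the request arrived.
    return f"{upstream} handled: {request.decode()}".encode()

def run_session(expected_measurement: str, enclave: Enclave, request: bytes,
                host_tampers: bool = False) -> tuple:
    """The untrusted host drives the exchange; it sees only reports and ciphertext."""
    nonce = secrets.token_bytes(16)
    try:
        enclave_pub = verify_report(enclave.attest(nonce), nonce, expected_measurement)
    except PermissionError as exc:
        return ("attestation_failed", str(exc))
    priv = secrets.randbelow(DH_P - 2) + 2
    key = derive_key(pow(enclave_pub, priv, DH_P))
    blob = seal(key, nonce, request, b"request")
    if host_tampers:  # a host rewriting even one bit is caught by the enclave
        blob = bytes([blob[0] ^ 0x01]) + blob[1:]
    try:
        resp_blob = enclave.relay(pow(DH_G, priv, DH_P), nonce, blob, fake_provider)
    except ValueError as exc:
        return ("integrity_failure", str(exc))
    return ("ok", open_sealed(key, nonce, resp_blob, b"response").decode())

GOOD_IMAGE = {"relay": "passthrough-v1", "upstream": "https://provider.example/v1"}
# Same upstream, extra logic: any change to the image changes the measurement.
ALTERED_IMAGE = {**GOOD_IMAGE, "relay": "passthrough-v1+rewrite-hook"}
```

Running `run_session(measure(GOOD_IMAGE), Enclave(GOOD_IMAGE), request)` completes normally, while pointing the client at an enclave built from `ALTERED_IMAGE` fails at attestation before any plaintext is encrypted for it, and letting the host modify the sealed request fails the enclave's integrity check. The three outcomes correspond to the three properties the text attributes to the design: the client verifies before releasing plaintext, the host can neither read nor alter the interaction, and plaintext leaves only toward the destination baked into the measured image.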

Technical Specifications

The trusted path consists of 851 lines of code, keeping the trusted computing base small and the attack surface correspondingly narrow. The local relay overhead is about six milliseconds per request, making the security guarantee practical for latency-sensitive applications.

Security Validation

In a seeded audit pilot, two commodity coding agents were tasked with finding planted invariant violations. Agent 1 found 8 of 10 violations; Agent 2 found all 10. The paper states that AEGIS blocks all four malicious-router attack classes, including in adaptive tests against the same boundary.

| Attack class | Succeeds against plaintext baseline | Blocked by AEGIS |
| --- | --- | --- |
| Rewriting agent tool calls | Yes | Yes |
| Swapping dependencies for typosquatted packages | Yes | Yes |
| Triggering attacks under audit-evading conditions | Yes | Yes |
| Passively exfiltrating secrets | Yes | Yes |

Implications for Enterprise

For enterprises deploying LLM agents through API routers, AEGIS offers a provider-transparent hardening that does not require changes to existing cloud LLM services. The attestation mechanism gives clients cryptographic proof that their interaction is not being read or modified by the router host. With a small trusted computing base and low latency overhead, the approach closes an attack surface in LLM infrastructure that had previously been left open.

