Mitigations

10 course-of-action (mitigation) STIX objects addressing adversary behaviors in LLM-integrated IDEs.

AI Configuration File Integrity Monitoring

Implement file integrity monitoring and diff analysis for AI configuration files (.cursorrules, .github/copilot-instructions, MCP configs). Flag non-obvious instruction content and enforce review requirements for AI configuration changes in repositories.

Mitigates 4 techniques:
AIDE-004 — MCP Server Configuration Tampering AIDE-001 — IDE Configuration File Poisoning AIDE-018 — IDE Session Memory Persistence Poisoning AIDE-002 — Steganographic Instruction Embedding

AI Network Traffic Segmentation

Implement egress filtering restricting LLM API and MCP tool server traffic to approved endpoints. Baseline normal LLM API traffic patterns and alert on deviations. Restrict agent-initiated outbound connections to pre-approved destinations.

Mitigates 2 techniques:
AIDE-017 — LLM API Traffic as Covert C2 Channel AIDE-016 — Agent-Facilitated Lateral Movement

Agent Command Allowlisting

Implement command allowlists restricting agent-executable commands to development-relevant operations. Block system enumeration commands, cloud metadata access, and administrative operations unless explicitly approved per-task.

Mitigates 3 techniques:
AIDE-008 — Autonomous Agent Command Execution Abuse AIDE-015 — LLM-Directed Environment Discovery AIDE-013 — LLM-Mediated Codebase Reconnaissance

Agent Execution Sandboxing

Run AI coding agents in isolated security contexts with least-privilege permissions separate from the developer's ambient session. Implement task-scoped permission grants that restrict agent capabilities to files and tools relevant to the current task.

Mitigates 6 techniques:
AIDE-019 — Self-Replicating Prompt Propagation AIDE-015 — LLM-Directed Environment Discovery AIDE-018 — IDE Session Memory Persistence Poisoning AIDE-016 — Agent-Facilitated Lateral Movement AIDE-014 — Agent Permission Inheritance Exploitation AIDE-008 — Autonomous Agent Command Execution Abuse

Context Window Content Filtering

Apply input sanitization and prompt injection detection to content entering the LLM context window. Scan for instruction-like patterns in code comments, documentation, and external content. Implement content trust levels differentiating project files from external sources.

Mitigates 5 techniques:
AIDE-003 — Cross-Context Adversarial Prompt Injection AIDE-009 — AI-Assisted Supply Chain Propagation AIDE-019 — Self-Replicating Prompt Propagation AIDE-013 — LLM-Mediated Codebase Reconnaissance AIDE-018 — IDE Session Memory Persistence Poisoning

Credential Isolation from AI Agents

Prevent AI agent processes from accessing the developer's credential stores, SSH key directories, cloud configuration files, and authentication tokens. Use credential proxies that provide task-scoped, time-limited access.

Mitigates 3 techniques:
AIDE-016 — Agent-Facilitated Lateral Movement AIDE-014 — Agent Permission Inheritance Exploitation AIDE-006 — LLM-Mediated Credential Harvesting

Extension Security Controls

Enforce extension allowlisting from verified publishers. Flag extensions requesting LLM API access combined with network permissions. Monitor extension API calls for prompt/response interception. Restrict sideloading from non-marketplace sources.

Mitigates 1 technique:
AIDE-010 — LLM Extension/Plugin Trojanization

Generated Code Security Scanning

Apply inline SAST/security scanning to AI-generated code before presentation to the developer. Track vulnerability detection rates over time to identify adversarial steering patterns. Block acceptance of code with known vulnerability patterns.

Mitigates 4 techniques:
AIDE-012 — Code Completion Model Poisoning AIDE-007 — Adversarial Code Generation Steering AIDE-019 — Self-Replicating Prompt Propagation AIDE-009 — AI-Assisted Supply Chain Propagation

LLM Output Validation and Encoding Detection

Scan LLM-generated output for encoded data patterns (base64, URL encoding), embedded URLs, and content that diverges from the prompt intent. Implement output content policies that block exfiltration patterns in generated code, markdown rendering, and tool invocations.

Mitigates 4 techniques:
AIDE-011 — Context Window Sensitive Data Exfiltration AIDE-006 — LLM-Mediated Credential Harvesting AIDE-019 — Self-Replicating Prompt Propagation AIDE-017 — LLM API Traffic as Covert C2 Channel

MCP Server Allowlisting and Verification

Maintain an approved inventory of MCP tool servers. Require signature verification for server registration. Validate that registered endpoints match approved providers. Alert on new server registrations from project-level configuration.

Mitigates 3 techniques:
AIDE-005 — Agent Tool-Invocation Hijacking AIDE-004 — MCP Server Configuration Tampering AIDE-017 — LLM API Traffic as Covert C2 Channel
Ask about AIDE-TACT
Set API key in Settings
Thinking...

No account? Have an account?