AEGIS seals LLM API routers in hardware enclaves to block man-in-the-middle attacks
Researchers propose AEGIS, an attested API router that confines LLM traffic to a hardware enclave so that the router operator cannot read or alter agent interactions.
Score breakdown
AEGIS removes the router operator as a trusted party in the agent-LLM communication path, blocking all four identified attack classes that existing client-side defenses cannot prevent.
Sipeng Xie, Qianhong Wu, and Hengrun Lu observe that agents increasingly reach LLMs through API routers, and that the standard TLS termination model gives those routers full plaintext access to every interaction. The paper catalogs four malicious-router attack classes: rewriting agent tool calls, swapping dependencies for typosquatted packages, triggering attacks only under audit-evading conditions, and passively exfiltrating secrets. The authors demonstrate that all four attacks succeed against a plaintext-access baseline and that existing client-side defenses are evadable.
To close this gap, the paper introduces AEGIS, a provider-transparent attested API router. Its core design principle is that plaintext handling is confined to a small hardware-enclave component, while authentication, scheduling, accounting, and management remain on the untrusted host. The client verifies the enclave's attestation before releasing plaintext, and the host can neither read nor alter the interaction. Plaintext is permitted to leave only toward destinations fixed by the measured image, making the data path a client-verified faithful passthrough.
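As an added illustration (not the paper's or the AEGIS project's code) of the gating described above: a Python sketch in which the client releases plaintext only after verifying a fresh attestation whose measurement covers both the enclave code and its fixed destination list, and in which the enclave forwards plaintext only to a measured destination. The platform signing key, the HMAC stand-in for a vendor attestation signature, and all host names are constructed assumptions.

```python
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed stand-in for the platform's attestation signing key (assumption).
# A real client verifies a vendor certificate chain, not a shared HMAC key.
PLATFORM_KEY = b"constructed-platform-attestation-key"


def measure_image(code: bytes, destinations: List[str]) -> str:
    """Measurement covers the enclave code AND its fixed destination list,
    so any change to where plaintext may go changes the measurement."""
    manifest = json.dumps({"code": code.hex(),
                           "destinations": sorted(destinations)}, sort_keys=True)
    return hashlib.sha256(manifest.encode()).hexdigest()


def issue_report(measurement: str, session_nonce: bytes) -> dict:
    """Enclave side (simulated): the platform signs measurement + client nonce."""
    payload = f"{measurement}:{session_nonce.hex()}".encode()
    sig = hmac.new(PLATFORM_KEY, payload, hashlib.sha256).hexdigest()
    return {"measurement": measurement, "nonce": session_nonce.hex(), "sig": sig}


def client_accepts(report: dict, expected_measurement: str, session_nonce: bytes) -> bool:
    """Client side: release plaintext only if the report is genuinely signed,
    fresh for this session, and names exactly the image the client trusts."""
    payload = f"{report['measurement']}:{report['nonce']}".encode()
    expected_sig = hmac.new(PLATFORM_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(report["sig"], expected_sig):
        return False  # not signed by the platform (forged or tampered report)
    if report["nonce"] != session_nonce.hex():
        return False  # stale report replayed from an earlier session
    return hmac.compare_digest(report["measurement"], expected_measurement)


def enclave_forward(destinations: List[str], target: str, plaintext: bytes) -> Optional[bytes]:
    """Inside the enclave: plaintext leaves only toward a destination fixed by the
    measured image, and leaves unmodified (faithful passthrough)."""
    if target not in destinations:
        return None  # an unlisted destination never receives plaintext
    return plaintext
```

A host that swaps in an image with an extra destination changes the measurement, so the client refuses to release plaintext to it.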
The trusted path is 851 lines of code and carries three provider-native APIs without conversion. Under a real-provider workload with concurrent requests, every request completes successfully, with a local relay overhead of approximately six milliseconds per request. In a seeded audit pilot, two commodity coding agents found eight and ten of ten planted invariant violations, demonstrating that the trusted path is small enough to be audited in practice.
Key facts
1. API routers terminate client TLS sessions and hold full LLM interactions in plaintext, making them application-layer man-in-the-middle points.
2. Four malicious-router attack classes are identified: rewriting tool calls, swapping in typosquatted packages, audit-evading conditional attacks, and passive secret exfiltration.
3. AEGIS confines plaintext handling to a hardware enclave; the host can neither read nor alter the interaction.
4. The client verifies the enclave's attestation before releasing any plaintext.
5. The AEGIS trusted path is 851 lines of code and supports three provider-native APIs without conversion.
6. Local relay overhead is approximately six milliseconds per request.
7. In a seeded audit pilot, two commodity coding agents found eight and ten of ten planted invariant violations.
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Jun 16, 2026 · 23:11 UTC.