research(security): SMCP — formal security hardening for MCP lifecycle (tool poisoning, stolen credentials, privilege escalation) (arXiv:2602.01129) #2497
Description
Summary
arXiv:2602.01129 — SMCP: Secure Model Context Protocol (February 2026)
Proposes concrete security hardening for the full MCP lifecycle. Covers five attack classes with mitigations:
- Tool poisoning — malicious
description/annotationsfields steer model execution; mitigation: strip/sanitize fields before model sees them (partially addressed in security(mcp): tool poisoning detection and per-tool trust metadata (#2459, #2420) #2472) - Prompt injection via tool output — tool results containing adversarial instructions; mitigation: output sandboxing with intent anchor (see also research(security): VIGIL verify-before-commit for tool output streams — 22% attack reduction, intent-anchored sanitization (arXiv:2601.05755) #2306 VIGIL)
- Fake installer / supply chain — SMCP proposes package signing for MCP server distribution
- Stolen credentials — MCP servers with env/filesystem access can exfiltrate API keys; mitigation: per-server secret namespace isolation
- Privilege escalation — server upgrades own permissions via tool call side-effects; mitigation: immutable capability grant at connection time
Gap in Zeph (zeph-mcp):
- Tool output is currently passed to the LLM without intent-anchoring — vulnerable to injection via tool result
- No per-MCP-server secret namespace; all servers share the same environment view
- Capability grant is checked at invocation but not immutably fixed at connection time (server could advertise new tools after auth)
Proposed Improvements
- Apply VIGIL-style intent anchor to MCP tool output before inserting into context (research(security): VIGIL verify-before-commit for tool output streams — 22% attack reduction, intent-anchored sanitization (arXiv:2601.05755) #2306 research backing)
- Namespace MCP server env access: each server only sees a restricted env slice based on declared capability
- Snapshot and lock tool list at connection time; refuse re-registration mid-session
References
- Paper: https://arxiv.org/abs/2602.01129
- Related: security(mcp): tool poisoning detection and per-tool trust metadata (#2459, #2420) #2472 (tool poisoning detection — merged), research(security): MCP/A2A protocol threat modeling — shadowing attacks, privilege escalation, coarse-grained tokens (arXiv:2602.11327) #2496 (MCP/A2A threat modeling), research(security): VIGIL verify-before-commit for tool output streams — 22% attack reduction, intent-anchored sanitization (arXiv:2601.05755) #2306 (VIGIL intent anchor)