SMSR: Certified Defence Against Runtime Memory Poisoning in Persistent LLM Agent Systems

2026-06-10 · Source: Artificial Intelligence · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Robotics & Autonomous Systems · Depth: Expert, quick

Summary

SMSR (Signed Memory with Smoothed Retrieval) is introduced as the first certified defense against Multi-Session Memory Poisoning (MSMP) in retrieval-augmented generation (RAG) agent systems utilizing persistent memory. MSMP is a new attack surface where adversaries inject crafted memories through normal channels, steering future agent responses without altering model weights or code. Existing defenses, like RobustRAG and ReliabilityRAG, are ineffective against this threat, which can bypass heuristic filters with fluent text. SMSR comprises two components: HMAC-SHA256 provenance at write time (Component 1) to block unsigned injections, and randomized memory ablation with verdict-based majority voting at query time (Component 2) to bound authenticated adversary influence. Component 1 reduced attack success from 93-100% to 0% for all unsigned variants. Component 2 limited authenticated adversary success to 8.0% (95% CI [5.8, 10.9], n=450). In end-to-end query-only attacks, SMSR reduced success from 65.3% to 5.3% (n=150). Clean-query utility is 90% for Component 1 and 85% combined. This work was published on 2026-06-10.

Key takeaway

For AI Security Engineers designing or deploying persistent RAG agent systems, traditional memory poisoning defenses are insufficient against Multi-Session Memory Poisoning (MSMP). You should integrate certified solutions like SMSR, which uses HMAC-SHA256 provenance and smoothed retrieval, to achieve robust protection. This approach significantly reduces attack success rates, ensuring the integrity of your agent's accumulated memory across user sessions.

Key insights

SMSR provides certified defense against memory poisoning in persistent LLM agents using cryptographic provenance and smoothed retrieval.

Principles

• Provenance-free retrieval-time filters cannot certify against adaptive injection.
• Consistent Minority Effect impacts string-based voting, favoring verdict-based voting.

Method

SMSR uses HMAC-SHA256 for write-time provenance and randomized memory ablation with verdict-based majority voting at query time to counter memory poisoning.

In practice

• Implement HMAC-SHA256 for memory integrity at write time.
• Apply randomized memory ablation with verdict-based majority voting.

Topics

• LLM Agents
• Retrieval-Augmented Generation
• Memory Poisoning
• Certified Robustness
• HMAC-SHA256
• Multi-Session Memory Poisoning

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Scientist, AI Security Engineer, AI Engineer

Related on AIssential

• SMSR: Certified Defence Against Runtime Memory Poisoning in Persistent LLM Agent Systems — SMSR provides the first certified defense against runtime memory poisoning in persistent LLM agent systems.
• A Survey on Long-Term Memory Security in LLM Agents: Attacks, Defenses, and Governance Across the Memory Lifecycle — LLM agent memory's inherent malleability necessitates lifecycle-wide security governance for mnemonic sovereignty.
• The Proxy Knows Too Much: Sealing LLM API Routers with Attested TEEs — AEGIS secures LLM API routers by confining plaintext interactions to a client-verified hardware enclave, preventing man-in-the-middle attacks.
• When Poison Fails After Retrieval: Revisiting Corpus Poisoning under Chunking and Reranking Pipelines — Effective RAG corpus poisoning requires accounting for multi-stage retrieval, particularly chunking and reranking, to maintain attack consistency.
• Remembering More, Risking More: Longitudinal Safety Risks in Memory-Equipped LLM Agents — Accumulated memory in LLM agents introduces longitudinal safety risks, increasing violation rates over time.
• Breaking: Autonomous Agents are a Shitshow — Autonomous agents exhibit widespread vulnerabilities to tool-chaining, goal drift, and memory poisoning attacks.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Artificial Intelligence.