Case Study

AegisMCP Security Sandbox

Securing stdio-based Model Context Protocol (MCP) integrations with OS-native sandboxing to block prompt-injection data exfiltration.

0ms Interception Latency
100% Syscall Blocking
Rust Core Daemon Language

Overview

The Model Context Protocol (MCP) connects LLMs to local data tools. However, because integrations run as subprocesses piping JSON-RPC over stdio, they run with the user's full permissions and bypass all network security controls. AegisMCP addresses this by wrapping servers in kernel-enforced sandboxes.

The Security Threat

A prompt-injected LLM can trigger a local file tool to read sensitive information (SSH keys, environment files) and exfiltrate them via an internet-connected tool. Corporate firewalls cannot see stdio traffic.

The Mitigation

We built a Rust proxy that spawns the server inside a native sandbox (using Apple Seatbelt on macOS and Landlock on Linux). If a compromised tool tries to access blocked paths, the kernel denies the syscall.

Architecture & Implementation

AegisMCP implements Hexagonal Architecture to separate domain logic from OS-level integration:

  • aegis-core: Domain logic, policy check routines, JSON-RPC framer and streaming parser.
  • aegis-proxy: A Tokio-based async stdio relayer that intercepts requests to extract tool calls and correlates them.
  • aegis-sandbox: Adapters converting generic policies into Apple Seatbelt profiles or Linux Landlock rule sets.
AegisMCP Architecture Diagram

Key Deliverables

🔒 Kernel Sandboxing

Leverages native OS kernels to block system calls dynamically, ensuring zero overhead security enforcement.

📦 Protocol Auditing

Parses JSON-RPC packets in user space to log tool execution while leaving the actual blocking to the kernel.

Looking to Sandbox Your Agent Architecture?

Let's discuss how we can secure your LLM workflows and ensure GDPR and corporate compliance.

Book a Call View Source Code