- The attacker is not the only non-determinism in the system. Foundation models introduce a second source of non-determinism.
- The gap between “decision” and “action” is not short and well-modeled. LLM-planned actuation introduces a deliberation phase of 1–4 seconds in which intent can diverge from execution.
STRIDE+B
B is not a subclass of T (no adversary), not E (no capability exceeded), and not a reliability issue (the model returns a valid plan every time). It is a distinct class: the distribution of intent differs across acceptable models.
Attack chain: UniPwn-class BLE worm
The September 2025 UniPwn disclosure against Unitree’s Go2, B2, G1, and H1 units exploited a BLE provisioning service with hardcoded AES-CFB128 keys. The exploit propagates wormably between adjacent units. SINT’s interception chain:1
Initial Access
Adversary sends a crafted BLE advertisement. Blocked at PENDING_AUTH: any entity requesting authorization must present a DID and complete an Ed25519 challenge-response before transitioning to AUTHORIZED.
2
Capability Discovery
Malware enumerates ROS 2 topics to find
cmd_vel. Blocked at token scope: the token’s allowedTopics is a strict allowlist; enumeration is either constrained to read-only discovery scope or rejected.3
Command Injection
Malware publishes directly to
cmd_vel. Blocked at ACTING: the SINT Bridge rejects unsigned publishes; ACTING requires a prior PREPARING with actuation_armed guard and a matching policy decision.4
Persistence
Malware installs a modified systemd service. Detected via session audit: a
SESSION_STARTED event with no prior TOKEN_ISSUED in the ledger fires an alert; the session is terminated.5
Lateral Movement
Malware propagates BLE-wise to adjacent units. Blocked at token binding: each agentDID is unique and the token is bound to a specific agent; inter-agent communication requires a valid SintRequest with a token-bearing signature.
Attack chain: MCP goal hijack
CVE-2025-6514 (CVSS 9.6, JFrog July 2025) allowedmcp-remote to pass a server-supplied authorization endpoint directly to the system shell on the client. The larger class — OWASP ASI01 — covers any adversarial tool description, RAG document, or email that redirects an agent.
SINT’s interception chain:
1
Injection Vector
Malicious MCP server returns a tool description that overrides the agent’s intended behavior. Blocked at
allowedTools: the token scope is a strict allowlist; a new tool schema requires fresh token issuance, which requires the Policy Gateway’s approval and a sponsor check for T2/T3.2
Goal Hijack
Agent silently adopts an adversarial objective. Detected via CSML drift: the per-session AR_m metric spikes as the agent starts attempting actions it would not normally attempt. A
CSML_UPDATE event fires, Δ_trust elevates, and subsequent requests require human approval at T2 or T3.3
Privilege Escalation
Agent attempts actions beyond token scope. Blocked at POLICY_EVAL: the request fails validation and a
POLICY_BLOCK event is logged with rationale.4
Evidence Tampering
Adversary attempts to delete log entries. Detected at AUDIT_CHAIN_VERIFIED: the SHA-256 hash chain’s prevHash linkage means any deletion breaks the chain for every subsequent event; the TEE signature on each event verifies it was written by the authorized gateway.
Threats out of scope
SINT does not mitigate:- Physical attacks on hardware. An attacker physically lifting a robot and disconnecting its e-stop is outside the protocol.
- Correctness of the executive layer’s planning. The plan itself could be silently suboptimal within policy.
- Social engineering against the human sponsor. If the sponsor approves a malicious escalation, SINT logs it faithfully but does not prevent it.
- Compromised host OS or TEE hardware. The hardware root of trust is assumed.
- Denial of service against the Gateway itself. Network-layer DoS is upstream of SINT’s scope.
Read next
Invariants
The six formal invariants that implement STRIDE+B mitigations.
Conformance suite
157 tests including regression tests for every STRIDE+B class.