ASI-04: MCP Supply Chain Compromise Lab#795
Conversation
…_ten/frameworks/asi04 directory deleting duplicate asi04 from previous PR Signed-off-by: aamir <32578528+syedDS@users.noreply.github.com>
razashariff
left a comment
razashariff
left a comment
There was a problem hiding this comment.
Relevant to the supply chain compromise mitigation: MCPS (MCP Secure) provides signTool() and verifyTool() which hash-pin MCP tool definitions at registration time. If an attacker modifies the tool name, description, or input schema after signing, verifyTool() returns hash_changed: true and valid: false.
This directly addresses the provenance gap — the tool definition itself becomes a signed artifact, not just the registry metadata. Combined with ECDSA P-256 agent passports and per-message signing, the full chain from tool registration through tool invocation is cryptographically bound.
Published as an IETF Internet-Draft and available on npm as mcp-secure (zero dependencies). Could be a useful addition to the mitigation section of this lab.
Its a good suggestion , since mcp-secure is JS/npm and the lab is Python , i can open a new PR with addition of Tier 2 mitigation including Tool Definition Signing after the existing provenance checking. |
|
Thanks @syedDS — happy to help with the Python integration if useful. The signTool/verifyTool flow maps directly to tool definition provenance. A PR adding it as a Tier 2 mitigation makes sense. |
|
Opened new PR duplicated to this one due to shift being done GenAI-Security-Project/GenAI-Agent-Security-Initiative#8. |
|
Thanks for the heads-up @syedDS — appreciate you flagging the move. Will follow Raza |
|
@syedDS — re-reading our March exchange, you'd mentioned opening a new PR with Tool Definition Signing as a Tier 2 mitigation alongside the existing provenance check. Now that the lab has moved into Raza |
Sure go ahead and add the port of tool into agent.py in the new repo |
3 participants
This hands-on lab demonstrates ASI-04: Supply Chain Compromise through MCP (Model Context Protocol) registry poisoning and showcases provenance-based mitigation strategies.
Key Features
-Interactive 3-Phase Demo Flow:
a)Attack Demonstration: Switch to compromised MCP registry, capture flag (ASI04_FLAG{mcp_supply_chain_compromised})
b)Mitigation Setup: Enable provenance checking with trusted source allowlist
c)Defense Validation: Agent refuses to load untrusted MCPs, blocks supply chain attack
d)Live Web Interface: Server-side rendered UI at http://localhost:5050 with real-time status updates
-Automated Testing: Single-command test script validates full attack-to-mitigation flow
-Docker-Based: Complete lab environment with docker-compose up - no complex setup
Please follow README.md for instructions.