Urd

Compositional trust analysis for Model Context Protocol (MCP) deployments.

Urd detects authority paths that exist in practice but not in any individual server's manifest — the places where a low-privilege tool's output influences a higher-privilege tool's execution without crossing a reviewed boundary.

Status: research preview. Active development ahead of DEF CON 34. Repository lives at github.com/redasgard/urd.
Why

Per-server review tells you each MCP server is secure in isolation. It does not tell you whether a deployment composed from several servers is secure as a whole. When a host agent connects to multiple servers of differing privilege, tool outputs cross trust levels silently. The edge from one server's result into another server's argument construction is rarely declared, rarely reviewed, and never forced by the protocol to be surfaced at the approval boundary.

Urd is the tool we wanted when auditing those deployments.

What it does

Urd emits a single divergence report for a given deployment:

  • Declared edges — parsed from MCP server manifests and host agent configuration.
  • Observed edges — reconstructed from a JSONL trace of actual message flow, with provenance markers linking tool outputs to subsequent tool arguments.
  • Divergence findings — observed edges that do not correspond to any declared capability, especially those crossing a privilege boundary.

Urd does not detect novel zero-days. It detects structural patterns the protocol does not force operators to look at.

Reproducing the finding

The lab/ directory contains a minimal deployment that reproduces the core failure pattern end-to-end:

  • lab/servers/weather.py — low-privilege read-only data server (Server A).
  • lab/servers/admin.py — higher-privilege server backed by SQLite, exposes delete_records (Server B).
  • lab/untrusted_source.py — simulated external feed that injects a uniquely identifiable marker token into Server A's output.
  • lab/host.py — deterministic host agent that composes Server A output into Server B arguments.
  • lab/scenarios/baseline.py — control case, benign flow.
  • lab/scenarios/compositional.py — the load-bearing demonstration.

Run it

# from the repo root
python -m lab.scenarios.baseline
python -m lab.scenarios.compositional

# analyze the resulting trace
python -m urd.cli analyze \
    --manifests lab/manifests/ \
    --trace traces/compositional.jsonl \
    --output traces/compositional.divergence.json

The compositional scenario produces a trace in which a marker token generated by the untrusted source appears verbatim in Server B's delete_records parameters. The approval prompt displays those parameters without surfacing the marker's Server A provenance. Urd's divergence report identifies the edge.
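To make the declared-versus-observed comparison concrete, here is a small added illustration (not Urd's own implementation, and not the lab code): it reads a constructed two-message JSONL trace, links a later tool call's arguments back to an earlier tool result that contains the same marker token, and reports any observed edge that is absent from the manifests' declared edges, flagging the ones that cross from a lower to a higher privilege level. The manifest shape (privilege, accepts_from) and the trace message fields are assumptions for this example.

```python
"""Toy divergence check: declared vs. observed trust edges (illustration only)."""
import json

# Constructed manifests: each server declares its privilege level and the
# upstream servers its tool arguments may legitimately be built from.
MANIFESTS = {
    "weather": {"privilege": "low", "tools": ["get_forecast"], "accepts_from": []},
    "admin": {"privilege": "high", "tools": ["delete_records"], "accepts_from": []},
}
PRIV = {"low": 0, "high": 1}

# Constructed JSONL trace: a result from the low-privilege server, then a call
# on the high-privilege server whose argument repeats the result's marker.
TRACE = "\n".join(json.dumps(m) for m in [
    {"seq": 1, "kind": "result", "server": "weather", "tool": "get_forecast",
     "content": "Sunny. URD-MARKER-7f3a"},
    {"seq": 2, "kind": "call", "server": "admin", "tool": "delete_records",
     "args": {"where": "region = 'URD-MARKER-7f3a'"}},
])

def declared_edges(manifests):
    """Edges operators wrote down: (source server -> consuming server)."""
    return {(src, dst) for dst, m in manifests.items() for src in m["accepts_from"]}

def observed_edges(trace_jsonl, min_len=8):
    """Link a later call's argument to an earlier result whose token it repeats."""
    results, edges = [], {}
    for line in trace_jsonl.splitlines():
        msg = json.loads(line)
        if msg["kind"] == "result":
            results.append(msg)
        elif msg["kind"] == "call":
            blob = json.dumps(msg["args"])
            for r in results:
                for tok in r["content"].split():
                    if len(tok) >= min_len and tok in blob:  # verbatim carry-over
                        edges[(r["server"], msg["server"])] = {
                            "token": tok, "via": f"{r['tool']}->{msg['tool']}"}
    return edges

def divergences(manifests, trace_jsonl):
    """Observed edges with no declared counterpart, annotated with privilege direction."""
    declared, out = declared_edges(manifests), []
    for (src, dst), ev in observed_edges(trace_jsonl).items():
        if (src, dst) in declared:
            continue
        escalates = PRIV[manifests[src]["privilege"]] < PRIV[manifests[dst]["privilege"]]
        out.append({"edge": f"{src}->{dst}", "crosses_privilege": escalates, **ev})
    return out

if __name__ == "__main__":
    print(json.dumps(divergences(MANIFESTS, TRACE), indent=2))
```

Declaring the weather-to-admin edge in the admin manifest's accepts_from list makes the finding disappear, which is the reviewed-boundary case the report is meant to distinguish.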

Scope and limitations

What Urd catches:

  • Low-privilege tool output influencing high-privilege tool argument construction
  • Observed trust edges absent from the declared capability set
  • Approval surface omitting upstream provenance for sourced parameters

What Urd does not catch:

  • Attacks that live entirely inside a single server
  • Attacks on the model itself (prompt injection, jailbreaking)
  • Supply chain attacks on server implementation code
  • Runtime behavior that never traces through Urd's instrumentation

License

Apache 2.0.

Authors

Red Asgard. Research led by Yevhen "valh4x" Pervushyn.
