Had a very similar issue porting a hypervisor to ARM S-EL2. Writes would succeed, there were no faults, and everything looked reasonable in GDB, but the other side never saw the data. The root cause was that Secure and Non-Secure physical address spaces were backed by different memory even at the same address, and a single PTE bit selected between them. That took me much longer to understand than I’d like to admit.
One thing I keep thinking about with AI security is that most of the focus is on model behavior — alignment, jailbreaks, guardrails. But once agents start calling tools, the attack surface shifts to the execution boundary. A request can be replayed, tampered with, or sent to the wrong target, and the server often has no way to distinguish that from a legitimate call.

Cryptographic attestation at the tool-call level (sign the request, verify before execution) would close a gap that behavioral controls alone can't cover. Curious whether Glasswing's threat model includes the agent-to-tool boundary or focuses primarily on the model layer.
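The three failure modes named in the comment above (replay, tampering, wrong target) can each be checked at the execution boundary before the tool runs. The following is an added example, not code from the thread or from any project mentioned in it: the agent signs each request over a canonical encoding of the tool name, arguments, nonce and timestamp, and the tool server refuses to execute unless the MAC verifies, the tool name matches the server, the timestamp is fresh, and the nonce has not been seen. The shared HMAC key, the `sign_request`/`ToolServer` names and the hypothetical `search_docs` tool are all constructed for the example; a production design would more likely use per-agent asymmetric keys so the server holds no signing capability.

```python
"""Signed tool-call requests with replay, tamper and target checks.
Added example for the discussion above; all names and the shared key are
hypothetical. Uses only the Python standard library."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple


def canonical(payload: dict) -> bytes:
    # Deterministic encoding so agent and server MAC exactly the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_request(key: bytes, tool: str, args: dict,
                 nonce: Optional[str] = None, ts: Optional[float] = None) -> dict:
    """Agent side: bind tool name, args, nonce and timestamp under one MAC."""
    payload = {
        "tool": tool,
        "args": args,
        "nonce": nonce if nonce is not None else secrets.token_hex(16),
        "ts": ts if ts is not None else time.time(),
    }
    payload["sig"] = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return payload


class ToolServer:
    """Server side: every check must pass before the handler runs."""

    def __init__(self, key: bytes, tool_name: str, max_age_s: float = 30.0):
        self.key = key
        self.tool_name = tool_name          # the only target this server serves
        self.max_age_s = max_age_s          # freshness window for "ts"
        # Nonces only need to be retained for the freshness window, because
        # anything older is already rejected as stale.
        self.seen_nonces: set = set()

    def verify(self, req: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        body = {k: v for k, v in req.items() if k != "sig"}
        # 1. Authenticity first: nothing below is trusted until the MAC holds.
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(req.get("sig", ""))):
            return False, "bad signature"
        # 2. Target binding: a valid request for another tool must not run here.
        if body.get("tool") != self.tool_name:
            return False, "wrong target"
        # 3. Freshness: bounds how long a captured request stays usable.
        if abs(now - float(body.get("ts", 0))) > self.max_age_s:
            return False, "stale"
        # 4. Replay: each nonce is accepted once within the freshness window.
        nonce = body.get("nonce")
        if nonce in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(nonce)
        return True, "ok"

    def execute(self, req: dict, now: Optional[float] = None) -> dict:
        ok, reason = self.verify(req, now)
        if not ok:
            return {"executed": False, "reason": reason}
        # Hypothetical handler: echo the query back as a stand-in for real work.
        return {"executed": True, "result": f"searched for {req['args'].get('q')!r}"}


if __name__ == "__main__":
    key = b"constructed-demo-key"             # constructed shared secret
    server = ToolServer(key, "search_docs")
    req = sign_request(key, "search_docs", {"q": "vpn"})
    print(server.execute(req))                # executes once
    print(server.execute(req))                # second delivery is rejected as replay
```

Ordering matters: the MAC is checked before any field is interpreted, so a tampered tool name or timestamp is reported as "bad signature" rather than reaching the later checks, and a nonce is recorded only after every check passes so that failed attempts cannot poison the replay set.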