Threat Taxonomy
Traditional operating system security models assume deterministic, predictable programs. Large language models are neither. JARVIS OS was purpose-built to study what happens when a probabilistic AI agent gains real OS-level privileges — and the result is a seven-threat taxonomy derived from direct empirical experience.
Three privilege escalation tiers are studied: (1) sandboxed / user-level, (2) sudo / elevated, (3) web-enabled.
Misinterpreted MCP Keyword Search
The LLM misinterprets user intent when searching for MCP tools, selecting incorrect or unrelated servers based on superficial keyword matches rather than semantic understanding.
Misleading MCP Server Usage
MCP servers with ambiguous or misleading descriptions cause the LLM to invoke tools in unintended ways, potentially performing destructive operations the user never requested.
Unverified Community MCP Servers
Third-party MCP servers from community repositories may contain malicious code or vulnerabilities. The LLM has no mechanism to verify server integrity before granting access.
Unauthorized Sudo Requests via MCP
The LLM autonomously escalates privileges by requesting sudo access through MCP tool calls without explicit user authorization, bypassing standard privilege separation.
Sudo Capability Exploitation
Once granted sudo access, the LLM may chain multiple privileged operations in ways that exceed the scope of the original user request, creating compounding security risks.
Unintended File Modification / Deletion
The LLM modifies or deletes system-critical files as a side effect of tool execution, without recognizing the destructive nature of its actions or warning the user.
Forgetful Context
LLMs silently drop previously stated security constraints mid-session. A user may set boundaries early in a conversation that the model later violates — with no indication that the constraints were lost. This is a novel finding: no prior literature documents it.
Threat #07 — Forgetful Context
This is the standout discovery of the JARVIS OS research project. Unlike the other six threats — which relate to tool misuse or privilege escalation — forgetful context is an intrinsic property of LLM cognition.
Mid-session, the model silently drops security constraints that were explicitly stated earlier in the conversation. There is no warning, no error, no acknowledgment that the constraint was lost. The model simply proceeds as if the restriction had never been given.
This has profound implications for any system that relies on conversational context to enforce security policy. No prior academic literature documents this specific failure mode in the context of OS-level LLM integration.
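The practical consequence of the forgetful-context finding is that security policy must live outside the conversation. As an added illustration (not code from the JARVIS OS project), the policy gate below records user-stated constraints in session state the model cannot drop, and checks every proposed MCP tool call against them; the same gate also covers the unverified-community-server and unauthorized-sudo threats above. `ToolCall`, `PolicyGate` and the sample session are hypothetical constructs.

```python
from __future__ import annotations
import posixpath
from collections import namedtuple
from dataclasses import dataclass, field

ToolCall = namedtuple("ToolCall", "server tool args")  # MCP server, tool name, argument dict proposed by the model

@dataclass
class PolicyGate:
    # Session policy kept outside the model's context window: a constraint the model has dropped is still enforced here.
    allowed_servers: set[str] = field(default_factory=set)   # vetted MCP servers only
    forbidden_paths: list[str] = field(default_factory=list)
    sudo_authorized: bool = False   # set only by an explicit user action, never by the model
    audit: list[str] = field(default_factory=list)

    def forbid_path(self, path: str) -> None:
        self.forbidden_paths.append(posixpath.normpath(path))

    def check(self, call: ToolCall) -> tuple[bool, str]:
        """Return (allowed, reason) for one proposed call and record the verdict."""
        reason = self._violation(call)
        self.audit.append(f"{'DENY' if reason else 'ALLOW'} {call.server}.{call.tool}: {reason or 'ok'}")
        return reason is None, reason or "ok"

    def _violation(self, call: ToolCall) -> str | None:
        if call.server not in self.allowed_servers:
            return f"server {call.server!r} is not on the allowlist"
        if call.args.get("sudo") and not self.sudo_authorized:
            return "sudo requested without explicit user authorization"
        path = call.args.get("path")
        if path is not None and self._under_forbidden(path):
            return f"path {path!r} is inside a user-forbidden directory"
        return None

    def _under_forbidden(self, path: str) -> bool:
        # normpath collapses '..' ('/home/../etc/hosts' is caught); symlinks would also need resolving at execution time.
        target = posixpath.normpath(path)
        return any(target == f or target.startswith(f.rstrip("/") + "/") for f in self.forbidden_paths)

def demo() -> list[tuple[bool, str]]:
    gate = PolicyGate(allowed_servers={"filesystem", "shell"})
    gate.forbid_path("/etc")  # stated by the user early in the (constructed) session
    proposed = [  # what the model proposes many turns later, the constraint forgotten
        ToolCall("filesystem", "delete", {"path": "/home/../etc/hosts"}),
        ToolCall("filesystem", "write", {"path": "/home/user/notes.txt"}),
        ToolCall("shell", "run", {"cmd": "apt-get install jq", "sudo": True}),
        ToolCall("community-pkg", "install", {"name": "helper"}),
    ]
    return [gate.check(c) for c in proposed]
```

Only the second call passes; the audit list gives the detection trail for the three denials.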
SURCA & Paper
SURCA Presentation
This research is being presented at Washington State University's Showcase for Undergraduate Research and Creative Activities (SURCA). The poster covers the full threat taxonomy, system architecture, and methodology.
Poster and presentation materials — coming soon.
Academic Paper
A full academic paper is in progress, expanding on the threat taxonomy with empirical data from controlled experiments on JARVIS OS. The paper examines each threat across all three privilege tiers.
Research is ongoing — empirical results forthcoming.
"Traditional OS security models are fundamentally inadequate for probabilistic AI agents. The JARVIS OS project provides both the platform and the empirical evidence to demonstrate this."
— Yakup Atahanov & Toufic Majdaleni, WSU Everett