What Happened in There? A Tamper-Evident Audit Trail for AI Agents
AI agents running on user systems pose a security risk because an agent that can write to disk can also rewrite the log of its own actions, leaving no trustworthy record of what it did. The nono system addresses this with a sandboxed architecture: the agent runs as an untrusted process, and a separate trusted supervisor records an append-only audit trail the agent cannot reach. Each event is hashed into a Merkle tree, so any later alteration is detectable and any single event can be shown to be part of the log with a short inclusion proof, without re-reading or re-hashing the whole log.
- AI agents can reach sensitive system resources, and an agent with write access can falsify its own activity log.
- nono uses OS-enforced sandboxing to separate the untrusted agent from a trusted supervisor; only the supervisor writes the audit log.
- The audit trail is protected by a Merkle tree, which makes tampering evident and lets a third party verify an individual event with an inclusion proof against the published root.
- seccomp-BPF filters trap the agent's system calls, so the supervisor can observe and log every capability request the agent makes.
- The audit record is bound to the hash of the binary that was actually executed, and can be verified independently by external parties.
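The bullets above describe the mechanism without showing it. The following is an added example, written for this page and not code from the nono project: a supervisor-held append-only log whose entries are SHA-256 leaves of a Merkle tree, with an inclusion-proof generator and a verifier that needs only one event, its sibling hashes, and the published root. It assumes RFC 6962-style domain separation (a 0x00 prefix for leaves, 0x01 for internal nodes), canonical JSON as the leaf encoding, and a session-start leaf carrying the binary hash as the way the trail is bound to the executable; the agent "binary" and the syscall events are constructed sample data, not captured from any real session.

```python
import hashlib
import json

# Domain-separation prefixes (RFC 6962 style) so two concatenated child hashes
# can never be replayed as a leaf. This is an assumption of this example.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def hash_leaf(event: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + event).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _next_level(level):
    """One pairing round; an unpaired last node is promoted unchanged."""
    return [hash_node(level[i], level[i + 1]) if i + 1 < len(level) else level[i]
            for i in range(0, len(level), 2)]


def merkle_root(leaf_hashes):
    if not leaf_hashes:
        return hashlib.sha256(b"").digest()  # root of the empty log
    level = list(leaf_hashes)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def inclusion_proof(leaf_hashes, index):
    """Sibling hashes from leaf `index` up to the root, each tagged with its side."""
    proof, level, pos = [], list(leaf_hashes), index
    while len(level) > 1:
        if pos % 2 == 1:
            proof.append(("L", level[pos - 1]))
        elif pos + 1 < len(level):
            proof.append(("R", level[pos + 1]))
        # else: this node was promoted without a sibling at this level
        level, pos = _next_level(level), pos // 2
    return proof


def verify_inclusion(event: bytes, proof, root: bytes) -> bool:
    """Recompute the path to the root from one event; no other entries needed."""
    h = hash_leaf(event)
    for side, sibling in proof:
        h = hash_node(h, sibling) if side == "R" else hash_node(sibling, h)
    return h == root


class SupervisorAuditLog:
    """Append-only log owned by the trusted supervisor; the agent never holds a handle to it."""

    def __init__(self, binary_bytes: bytes):
        self.entries = []
        # Leaf 0 binds the whole trail to the exact binary that was run (assumed design).
        self.append({"event": "session_start",
                     "binary_sha256": hashlib.sha256(binary_bytes).hexdigest()})

    def append(self, event: dict) -> int:
        event = dict(event, seq=len(self.entries))
        # Canonical serialization so logger and verifier hash identical bytes.
        self.entries.append(json.dumps(event, sort_keys=True, separators=(",", ":")).encode())
        return event["seq"]

    def leaf_hashes(self):
        return [hash_leaf(e) for e in self.entries]

    def root(self) -> bytes:
        return merkle_root(self.leaf_hashes())

    def proof_for(self, seq: int):
        return self.entries[seq], inclusion_proof(self.leaf_hashes(), seq)


def demo():
    # Constructed sample session: a fake "binary" plus the kind of capability
    # requests a seccomp trap would surface to the supervisor.
    log = SupervisorAuditLog(b"constructed agent binary bytes")
    log.append({"syscall": "openat", "path": "/home/user/notes.md", "decision": "allow"})
    log.append({"syscall": "openat", "path": "/home/user/.ssh/id_ed25519", "decision": "deny"})
    log.append({"syscall": "connect", "dest": "203.0.113.7:443", "decision": "deny"})
    log.append({"syscall": "execve", "argv": ["/bin/ls", "-la"], "decision": "allow"})

    published_root = log.root()        # what the supervisor hands the user at session end
    event, proof = log.proof_for(2)    # the ssh-key denial and its path to the root
    genuine_ok = verify_inclusion(event, proof, published_root)

    # An agent that later rewrites entry 2 to hide the denial breaks the proof.
    forged = event.replace(b'"decision":"deny"', b'"decision":"allow"')
    forged_ok = verify_inclusion(forged, proof, published_root)
    return genuine_ok, forged_ok


if __name__ == "__main__":
    genuine_ok, forged_ok = demo()
    print("genuine event verifies:", genuine_ok)
    print("forged event verifies:", forged_ok)
```

A verifier that holds only the published root and a single (event, proof) pair learns nothing about the other entries, which is what lets a third party check one decision without being handed the whole log. The root itself still has to reach the user over a channel the agent cannot write to; that is the supervisor's job in the design above, and in practice it would also be signed, which this example leaves out.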
Opening excerpt (first ~120 words)
The problem with "trust me, bro" logs

If you run an autonomous AI agent on your machine, you are giving a language model permission to open files, run commands, touch your filesystem, and reach out to the network. You know it's dangerous, but you have to trust it to do the right thing. You have to trust it to tell you the truth about what it did, and quite often they are outright liars. So: what actually happened during that session? Most tooling hands you a log file. A log file is a story the program tells about itself. If the program is compromised — or if the agent has managed to write somewhere it shouldn't — the log becomes part of the attack surface.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Nono.