Model Context Protocol (MCP) vs Security
What is MCP
Model Context Protocol (MCP) is an open protocol designed to provide a secure, standardized, and flexible integration between large language models (LLMs) and external data sources or tools. MCP enables AI-powered applications to dynamically enrich and customize model contexts while allowing developers to build more secure and efficient AI systems.
MCP follows a client-server architecture and consists of some key components: MCP Clients, MCP Servers. MCP Clients facilitate the connection between LLM-based applications and MCP Servers. MCP Servers manage specific data sources (such as file systems, APIs, or proprietary datasets) and expose relevant information to LLMs through the protocol. This structured approach ensures that models access only the necessary data, enhancing both security and performance.
Example
This article will analyze several MCP Servers. You can access all MCP Servers at https://mcp-get.com/.
server-filesystem
Source:
This server allows LLM models to perform operations on a file server, such as:
- Read/write files
- Create/list/delete directories
- Move files/directories
- Search files
- Get file metadata
The server’s configuration is as follows:
{
"mcpServers": {
"filesystem": {
"command": "npx",
"args": [
"-y",
"@modelcontextprotocol/server-filesystem",
"/Users/serhatcicek/Desktop",
"/Users/serhatcicek/"
]
}
}
}In this configuration, the server’s access to specific paths is determined. It is important to carefully consider these access permissions, and if possible, restrict the files that the LLM can access. For example, files within a sandbox can be restricted, and access can be granted only to files under a specific path (e.g., /Users/{username}/LLM-Folder/).
Security Analyses
When using MCP servers, several security precautions should be considered:
Restriction
File Restriction: As seen in the previous example, if the server has access to the file system, root directories should be avoided, and specific directories should be provided to the LLM. This ensures that only necessary files are accessible by the LLM.
API Key Restriction: Some servers communicate with external tools such as GitHub, Git, Slack, Yahoo, Brave, etc. These servers require an API key from the outsourced tool to function. When defining API keys for servers, these values should be restricted. For example, if an API key is created for an LLM on GitHub, it should only grant access to a specific project and not provide full access to all repositories or permissions.
Source Restriction: Some servers directly access data sources like MsSQL, PostgreSQL, etc. The data sources accessible by the servers should be limited. Servers connecting to PostgreSQL should not use admin privileges; instead, they should use users with only the necessary permissions to perform the required tasks.
Dependency Control
MCP servers can be developed using programming languages such as JavaScript (TypeScript), Java, Kotlin, and Python. The developed servers may utilize some dependencies of the respective programming languages. Therefore, the dependencies of the used MCP server should not be overlooked. Any security vulnerability present in a dependency can potentially affect the user.
MCP servers may be vulnerable to Dependency Injection (DI) flaws. It is crucial not to overlook the dependencies of the servers, as any weakness in these dependencies can be exploited and compromise the security of the system.
