Demystifying MCP: Behind the Hype 1.0

Detailed MCP Protocol

Makan Sepehrifar

January 23, 2026
Transcript

  1. [Diagram] Before LLMs: a Consumer reaches a Tool/Service API through a Client and a Tool Wrapper over a Standard Protocol (REST, ...). The API is described by its Application Protocol, Endpoint and Input/Output Schema; the Client supplies the Input Parameters (Type + Description). Architects are the ones involved on both sides (labels 1, 2).
  2. [Diagram] The Generative AI hype began in 2023: a Large Language Model now sits between the Consumer and the Client. The Consumer gives an Action Description in natural language; the LLM 1) deduces the Input Parameters, 2) calls the Client, 3) deduces the Output from the Response and 4) returns the Result, usually in natural language. The Tool/Service API with its Application Protocol, Endpoint and Input/Output Schema is unchanged (labels 1 to 6).
  3. [Diagram] An arsenal of tools: a Tool Registry holds Tool 1, Tool 2, ..., each with a Tool Description and Input Parameters (Type + Description). The LLM 0) selects the Tool, 1) deduces the Input Parameters, 2.1) instantiates/finds the Client (Tool Wrapper), 2.2) calls the Client, 3.1) deduces the Output from the Response, 3.2) validates the Result and 4) returns the Result to the Consumer (labels 1 to 7).
  4. [Diagram] Welcome to Agentic AI: the same loop as slide 3, extended with Memory/History and a check "Final result not achieved?" that sends the LLM through the loop again (labels 1 to 8).
  5. What is MCP (Model Context Protocol)?
     • JSON-RPC 2.0
     • Available channels: STDIO, SSE, Streamable HTTP
     • Phases:
       • Handshake / Initialization
       • Discovering available tools
       • Calling a tool
       • Listing and reading resources
       • Listing and reading prompts
  6. Listing Tools

     Request:

       {
         "jsonrpc": "2.0",
         "id": 2,
         "method": "tools/list"
       }

     Response:

       {
         "jsonrpc": "2.0",
         "id": 2,
         "result": {
           "tools": [
             {
               "name": "searchTickets",
               "description": "Search incident tickets by query",
               "inputSchema": {
                 "type": "object",
                 "properties": {
                   "query": { "type": "string" },
                   "limit": { "type": "integer", "minimum": 1, "maximum": 100 }
                 },
                 "required": ["query"]
               }
             },
             {
               "name": "updateTicket",
               "description": "Update an incident ticket",
               "inputSchema": {
                 "type": "object",
                 "properties": {
                   "id": { "type": "string" },
                   "status": { "type": "string", "enum": ["open", "in_progress", "resolved"] },
                   "comment": { "type": "string" }
                 },
                 "required": ["id", "status"]
               }
             }
           ]
         }
       }
  7. Calling a Tool

     Request:

       {
         "jsonrpc": "2.0",
         "id": 3,
         "method": "tools/call",
         "params": {
           "name": "searchTickets",
           "arguments": { "query": "priority:P1 status:open", "limit": 5 }
         }
       }

     Response:

       {
         "jsonrpc": "2.0",
         "id": 3,
         "result": {
           "content": {
             "type": "application/json",
             "data": [
               { "id": "INC-1023", "title": "Prod API outage", "status": "open", "priority": "P1" },
               { "id": "INC-1044", "title": "DB connection pool exhaustion", "status": "open", "priority": "P1" }
             ]
           },
           "meta": { "source": "servicenow", "fetchedAt": "2025-12-08T18:20:14Z" }
         }
       }
  8. MCP Registry
     • Think of a Service Catalog for MCP Servers
     • Server Meta Data:
       • Identity
       • Package
       • Runtime Info
       • Capabilities
       • Version & Description

       {
         "identity": "com.example.remote-weather",
         "displayName": "Remote Weather Service",
         "description": "Provides weather data and forecasts via MCP tools over SSE",
         "version": "1.0.0",
         "capabilities": { "tools": true, "resources": true, "prompts": false },
         "packages": [], // No local install because it's remote-only
         "runtime": {
           "transport": {
             "sse": {
               "endpoint": "https://api.example.com/mcp/stream",
               "auth": "bearer",
               "scopes": ["weather.read", "forecast.read"]
             }
           }
         },
         "provider": { "name": "Example Corp", "homepage": "https://example.com/mcp/weather" },
         "tags": ["weather", "remote", "sse"]
       }
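The tools/list and tools/call messages on slides 6 and 7 give a client everything it needs to check what the model inferred before anything goes on the wire (step 3.2 "Validate the Result" has a twin on the input side). The Python below is an added example, not code from the deck or from any MCP SDK: it validates model-inferred arguments against the tool's inputSchema using a hand-written subset of JSON Schema and only then builds the tools/call request; validate_args and build_tool_call are my own names.

```python
import json

# Constructed test input: the tools/list response from the slide, as it arrives on the wire.
TOOLS_LIST_RESPONSE = json.loads("""{"jsonrpc": "2.0", "id": 2, "result": {"tools": [
 {"name": "searchTickets", "description": "Search incident tickets by query",
  "inputSchema": {"type": "object", "properties": {"query": {"type": "string"},
   "limit": {"type": "integer", "minimum": 1, "maximum": 100}}, "required": ["query"]}},
 {"name": "updateTicket", "description": "Update an incident ticket",
  "inputSchema": {"type": "object", "properties": {"id": {"type": "string"},
   "status": {"type": "string", "enum": ["open", "in_progress", "resolved"]},
   "comment": {"type": "string"}}, "required": ["id", "status"]}}]}}""")

_TYPES = {"string": str, "integer": int, "number": (int, float), "boolean": bool, "object": dict, "array": list}

def validate_args(schema, args):
    """Violations of `args` against a tool inputSchema (JSON Schema subset: type, required, minimum/maximum, enum)."""
    if not isinstance(args, dict):
        return ["arguments must be an object"]
    props, errors = schema.get("properties", {}), []
    for name in schema.get("required", []):
        if name not in args:
            errors.append(f"missing required argument '{name}'")
    for name, value in args.items():
        if name not in props:  # an argument the model invented is rejected, not forwarded to the server
            errors.append(f"undeclared argument '{name}'")
            continue
        spec = props[name]
        expected = _TYPES.get(spec.get("type"))
        # bool is a subclass of int in Python, so True must not slip through as an integer
        if expected and (not isinstance(value, expected) or (isinstance(value, bool) and expected is not bool)):
            errors.append(f"'{name}' must be of type {spec['type']}")
            continue
        if "minimum" in spec and value < spec["minimum"]:
            errors.append(f"'{name}' below minimum {spec['minimum']}")
        if "maximum" in spec and value > spec["maximum"]:
            errors.append(f"'{name}' above maximum {spec['maximum']}")
        if "enum" in spec and value not in spec["enum"]:
            errors.append(f"'{name}' not one of {spec['enum']}")
    return errors

def build_tool_call(tools_list_response, request_id, name, args):
    """Look the tool up in the tools/list result, validate the arguments, return the JSON-RPC 2.0 request."""
    tools = {t["name"]: t for t in tools_list_response["result"]["tools"]}
    if name not in tools:
        raise ValueError(f"unknown tool '{name}'")
    errors = validate_args(tools[name]["inputSchema"], args)
    if errors:
        raise ValueError("; ".join(errors))
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": name, "arguments": args}}
```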
  9. [Diagram] The agentic loop of slide 4 with MCP in place: the Tool Registry becomes an MCP Registry (Registry Protocol) listing MCP 1, MCP 2, ..., each with a Tool Description and Input Parameters (Type + Description); the Tool Wrapper becomes an MCP Server and the Client an MCP Client, which talk JSON-RPC 2.0 and authenticate with OAuth. LLM, MCP Client and Context live inside the MCP Host. Steps: 0) select the Tool, 1) deduce Input Parameters, 2.1) instantiate Client, 2.2) call Client, 3.1) deduce Output from Response, 3.2) validate the Result, 4) return the Result, looping while the final result is not achieved (labels 1 to 9).
  10. [Diagram] Registry flow: the Service Provider deploys an MCP Server and publishes it to the MCP Registry; the operator reads the available / allowed MCP Servers, populates the list of Allowed MCP Servers, searches and installs an MCP Server, and verifies its MCP Meta Data. The user asks the question, and the MCP Client talks to the server over JSON-RPC / SSE. Host-side steps:
      • Semantic intent detection
      • Pick the tool based on capabilities
      • Input inference based on user intent
      • Instantiate MCP Client
      • Call MCP Server with the inferred input parameters
      • Pass the output again to the LLM for summarization
      • Check output vs. user intent
      • Summarize the output
  11. Challenges around using MCP Servers
      • Protocol vulnerabilities
        • Authentication through OAuth has been added to the protocol
        • SSE and Streamable HTTP provide the necessary protocol encryption
      • No governance around MCP providers
        • GitHub Copilot has introduced MCP governance through a Registry
      • Non-determinism (the agent acts on behalf of the user)
        • Focus on providing deterministic tools through MCP
        • Start with read-only, information-providing MCPs
  12. [Diagram] Authentication: the MCP Client obtains an Access Token from OAuth Authentication and presents it over JSON-RPC / SSE to MCP Server #1 and MCP Server #2; each server verifies the token itself.
  13. [Diagram] Glimpse of the future: an MCP Gateway sits in front of MCP Server #1 and MCP Server #2. The MCP Client still obtains its Access Token from OAuth Authentication, but presents it to the gateway, which verifies the token once and forwards the JSON-RPC / SSE traffic to the servers behind it.
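The "Verify Token" step on slides 12 and 13 is the point where an MCP server or gateway decides whether a tools/call may run at all. The Python below is an added example, not from the deck or any MCP implementation; it assumes HS256 tokens signed with a key shared between the authorization server and the verifier (production deployments normally use asymmetric keys published via JWKS, but the claim checks are identical), an audience equal to the SSE endpoint from slide 8, and a space-separated OAuth scope claim carrying scopes such as weather.read. mint_token exists only to build test input.

```python
import base64, hashlib, hmac, json, time

# Assumption (not from the slides): HS256 with a shared key between the authorization server
# and the MCP server/gateway. The key below is a constructed demo value.
SHARED_KEY = b"constructed-demo-key-not-for-production"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Issue a token the way the authorization server would (here only to produce test input)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_token(token: str, audience: str, required_scopes: set, key: bytes = SHARED_KEY, now=None) -> dict:
    """The 'Verify Token' step: signature, algorithm, expiry, audience and scopes are all
    checked before any tool runs. Returns the claims or raises PermissionError."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(unb64url(header_b64))
        claims = json.loads(unb64url(body_b64))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        raise PermissionError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise PermissionError("malformed token")
    if header.get("alg") != "HS256":  # the verifier, never the token, decides the algorithm
        raise PermissionError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig_b64)):
        raise PermissionError("bad signature")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if claims.get("aud") != audience:  # a token issued for one MCP server must not open another
        raise PermissionError("wrong audience")
    granted = set(claims.get("scope", "").split())  # OAuth scope claim is space-delimited
    if not required_scopes <= granted:
        raise PermissionError(f"missing scopes {sorted(required_scopes - granted)}")
    return claims
```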
  14. The Universal Attack Surface
      • Expanded attack surface
      • Prompt injection vulnerabilities
      • Data exposure risk
      • Authentication complexities
  15. The problem of Trust
      • MCPs are packaged as ready clients.
      • Who are we talking to?
  16. [Diagram] The MCP-based agentic architecture of slide 9 again (MCP Host with LLM, MCP Client and Context; MCP Registry with MCP 1, MCP 2; MCP Server; JSON-RPC 2.0; OAuth; Registry Protocol), shown as the map on which the following attacks are placed.
  17. 4 (new) Faces of the Attacks
      • Data Poisoning
        • This attack manipulates user behavior by feeding the agent misleading logic or fake dependencies — like gaslighting an AI into making dumb decisions on your behalf.
      • JSON Injection
        • Think of it like feeding malware via API. If a plugin pulls data from a tampered local source, it can manipulate outputs, leak sensitive info, or even alter execution flow — all without you noticing.
      • Function Override
        • This one replaces core system functions with malicious ones. It's like teaching your AI assistant to "delete files" when you say, "make a backup."
      • Cross-MCP Call Attacks
        • The most devious — it links your AI agent to other malicious agents or services through encoded prompts. One infected plugin can create a chain reaction across multiple protocols.
  18. New Nightmare
      • Analysis revealed (March 2025):
        • Command injection vulnerabilities: 43% of tested implementations contained command injection flaws
        • Path traversal / arbitrary file read: 22% allowed accessing files outside the intended directories
        • SSRF vulnerabilities: 30% permitted unrestricted URL fetching
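All three flaw classes on slide 18 are server-side implementation bugs in tool handlers, so the defence belongs in the handler before it touches the filesystem, the network or a process: resolve and confine paths, allowlist fetch targets and refuse non-public addresses, and build argv lists instead of shell strings. The Python below is an added example, not from the deck or from the cited analysis; TOOL_ROOT, ALLOWED_FETCH_HOSTS and PING_BINARY are constructed placeholder policy values for a hypothetical MCP server.

```python
import ipaddress, os
from urllib.parse import urlsplit

# Constructed policy for a hypothetical MCP server: tools may only read under this directory,
# fetch from these hosts and run this one fixed program. All three values are placeholders.
TOOL_ROOT = "/srv/mcp-demo/data"
ALLOWED_FETCH_HOSTS = {"api.example.com"}
PING_BINARY = "/usr/bin/ping"

def safe_path(user_path: str, root: str = TOOL_ROOT) -> str:
    """Path traversal defence for a read_file-style tool: reject absolute paths, resolve
    symlinks and '..', then insist the result is still inside `root`."""
    root = os.path.realpath(root)
    if os.path.isabs(user_path):
        raise PermissionError(f"absolute paths are not accepted: {user_path!r}")
    candidate = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes tool root: {user_path!r}")
    return candidate

def safe_fetch_url(url: str, allowed_hosts=ALLOWED_FETCH_HOSTS) -> str:
    """SSRF defence for a fetch-style tool: https only, no loopback/private/link-local
    (cloud metadata) addresses, and the host must be on the allowlist."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        raise PermissionError(f"refusing non-https or hostless URL: {url!r}")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname; DNS rebinding still calls for a check of the resolved address at connect time
    if ip is not None and not ip.is_global:
        raise PermissionError(f"refusing non-public address {host}")
    if host not in allowed_hosts:
        raise PermissionError(f"host not allowlisted: {host}")
    return url

def ping_argv(target_host: str) -> list:
    """Command injection defence: the program is fixed and the user value is one argv element,
    so shell metacharacters become a literal (and invalid) hostname. Run it with
    subprocess.run(argv, shell=False, timeout=...), never through a shell string."""
    if target_host.startswith("-"):  # argument injection: an option-like value is refused
        raise PermissionError("option-like host refused")
    return [PING_BINARY, "-c", "1", target_host]
```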