{"id":"https://openalex.org/W7139928360","doi":"https://doi.org/10.48550/arxiv.2603.18433","title":"Prompt Control-Flow Integrity: A Priority-Aware Runtime Defense Against Prompt Injection in LLM Systems","display_name":"Prompt Control-Flow Integrity: A Priority-Aware Runtime Defense Against Prompt Injection in LLM Systems","publication_year":2026,"publication_date":"2026-03-19","ids":{"openalex":"https://openalex.org/W7139928360","doi":"https://doi.org/10.48550/arxiv.2603.18433"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2603.18433","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.18433","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2603.18433","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5123717660","display_name":"Md Takrim Ul Alam","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Alam, Md Takrim Ul","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5063245603","display_name":"Akif Islam","orcid":"https://orcid.org/0009-0004-2755-7316"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Islam, Akif","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5120752089","display_name":"Mohd Ruhul Ameen","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Ameen, Mohd Ruhul","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130243515","display_name":"Abu Saleh Musa Miah","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Miah, Abu Saleh Musa","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5130227713","display_name":"Jungpil Shin","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Shin, Jungpil","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5123717660"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11986","display_name":"Scientific Computing and Data Management","score":0.7692000269889832,"subfield":{"id":"https://openalex.org/subfields/1802","display_name":"Information Systems and Management"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},"topics":[{"id":"https://openalex.org/T11986","display_name":"Scientific Computing and Data Management","score":0.7692000269889832,"subfield":{"id":"https://openalex.org/subfields/1802","display_name":"Information Systems and Management"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.09239999949932098,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11948","display_name":"Machine Learning in Materials Science","score":0.02539999969303608,"subfield":{"id":"https://openalex.org/subfields/2505","display_name":"Materials Chemistry"},"field":{"id":"https://openalex.org/fields/25","display_name":"Materials Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/benchmark","display_name":"Benchmark (surveying)","score":0.5515000224113464},{"id":"https://openalex.org/keywords/overhead","display_name":"Overhead (engineering)","score":0.5414999723434448},{"id":"https://openalex.org/keywords/middleware","display_name":"Middleware (distributed applications)","score":0.5360999703407288},{"id":"https://openalex.org/keywords/blacklist","display_name":"Blacklist","score":0.4372999966144562},{"id":"https://openalex.org/keywords/component","display_name":"Component (thermodynamics)","score":0.4140999913215637},{"id":"https://openalex.org/keywords/enforcement","display_name":"Enforcement","score":0.3968999981880188},{"id":"https://openalex.org/keywords/fuzz-testing","display_name":"Fuzz testing","score":0.38760000467300415},{"id":"https://openalex.org/keywords/resilience","display_name":"Resilience (materials science)","score":0.35929998755455017}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7870000004768372},{"id":"https://openalex.org/C185798385","wikidata":"https://www.wikidata.org/wiki/Q1161707","display_name":"Benchmark (surveying)","level":2,"score":0.5515000224113464},{"id":"https://openalex.org/C2779960059","wikidata":"https://www.wikidata.org/wiki/Q7113681","display_name":"Overhead (engineering)","level":2,"score":0.5414999723434448},{"id":"https://openalex.org/C169468491","wikidata":"https://www.wikidata.org/wiki/Q146923","display_name":"Middleware (distributed applications)","level":2,"score":0.5360999703407288},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.46050000190734863},{"id":"https://openalex.org/C2781345505","wikidata":"https://www.wikidata.org/wiki/Q2535979","display_name":"Blacklist","level":2,"score":0.4372999966144562},{"id":"https://openalex.org/C168167062","wikidata":"https://www.wikidata.org/wiki/Q1117970","display_name":"Component (thermodynamics)","level":2,"score":0.4140999913215637},{"id":"https://openalex.org/C2779777834","wikidata":"https://www.wikidata.org/wiki/Q4202277","display_name":"Enforcement","level":2,"score":0.3968999981880188},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.3937000036239624},{"id":"https://openalex.org/C111065885","wikidata":"https://www.wikidata.org/wiki/Q1189053","display_name":"Fuzz testing","level":3,"score":0.38760000467300415},{"id":"https://openalex.org/C2779585090","wikidata":"https://www.wikidata.org/wiki/Q3457762","display_name":"Resilience (materials science)","level":2,"score":0.35929998755455017},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.3587999939918518},{"id":"https://openalex.org/C2776576444","wikidata":"https://www.wikidata.org/wiki/Q303569","display_name":"Attack surface","level":2,"score":0.3508000075817108},{"id":"https://openalex.org/C110251889","wikidata":"https://www.wikidata.org/wiki/Q1569697","display_name":"Model checking","level":2,"score":0.3368000090122223},{"id":"https://openalex.org/C120314980","wikidata":"https://www.wikidata.org/wiki/Q180634","display_name":"Distributed computing","level":1,"score":0.3222000002861023},{"id":"https://openalex.org/C187713609","wikidata":"https://www.wikidata.org/wiki/Q2465461","display_name":"Default gateway","level":2,"score":0.3197000026702881},{"id":"https://openalex.org/C108759981","wikidata":"https://www.wikidata.org/wiki/Q788590","display_name":"Authorization","level":2,"score":0.31290000677108765},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.3107999861240387},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.30970001220703125},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.3084999918937683},{"id":"https://openalex.org/C97686452","wikidata":"https://www.wikidata.org/wiki/Q7604153","display_name":"Static analysis","level":2,"score":0.29409998655319214},{"id":"https://openalex.org/C184337299","wikidata":"https://www.wikidata.org/wiki/Q1437428","display_name":"Semantics (computer science)","level":2,"score":0.2874999940395355},{"id":"https://openalex.org/C33762810","wikidata":"https://www.wikidata.org/wiki/Q461671","display_name":"Data integrity","level":2,"score":0.2815000116825104},{"id":"https://openalex.org/C2780385302","wikidata":"https://www.wikidata.org/wiki/Q367158","display_name":"Protocol (science)","level":3,"score":0.2727000117301941},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.2685999870300293},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.2554999887943268},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.25200000405311584}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2603.18433","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.18433","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2603.18433","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.18433","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","score":0.7619495987892151,"id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Large":[0],"language":[1],"models":[2,60],"(LLMs)":[3],"deployed":[4,103,161],"behind":[5],"APIs":[6,105],"and":[7,26,38,71,84,106,115,135,150,157],"retrieval-augmented":[8],"generation":[9],"(RAG)":[10],"stacks":[11],"are":[12],"vulnerable":[13],"to":[14,91],"prompt":[15,152],"injection":[16],"attacks":[17],"that":[18,59,148],"may":[19],"override":[20],"system":[21],"policies,":[22],"subvert":[23],"intended":[24],"behavior,":[25],"induce":[27],"unsafe":[28],"outputs.":[29],"Existing":[30],"defenses":[31],"often":[32],"treat":[33],"prompts":[34],"as":[35,63,98],"flat":[36],"strings":[37],"rely":[39],"on":[40,109],"ad":[41],"hoc":[42],"filtering":[43],"or":[44],"static":[45],"jailbreak":[46],"detection.":[47],"This":[48],"paper":[49],"proposes":[50],"Prompt":[51],"Control-Flow":[52],"Integrity":[53],"(PCFI),":[54],"a":[55,64,76,99,110,130,137,155],"priority-aware":[56,151],"runtime":[57],"defense":[58,159],"each":[61],"request":[62],"structured":[65],"composition":[66],"of":[67,113,141],"system,":[68],"developer,":[69],"user,":[70],"retrieved-document":[72],"segments.":[73],"PCFI":[74,97,124],"applies":[75],"three-stage":[77],"middleware":[78],"pipeline,":[79],"lexical":[80],"heuristics,":[81],"role-switch":[82],"detection,":[83],"hierarchical":[85],"policy":[86],"enforcement,":[87],"before":[88],"forwarding":[89],"requests":[90],"the":[92,120],"backend":[93],"LLM.":[94],"We":[95],"implement":[96],"FastAPI-based":[100],"gateway":[101],"for":[102,160],"LLM":[104,162],"evaluate":[107],"it":[108],"custom":[111],"benchmark":[112,122],"synthetic":[114],"semi-realistic":[116],"prompt-injection":[117],"workloads.":[118],"On":[119],"evaluated":[121],"suite,":[123],"intercepts":[125],"all":[126],"attack-labeled":[127],"requests,":[128],"maintains":[129],"0%":[131],"False":[132],"Positive":[133],"Rate,":[134],"introduces":[136],"median":[138],"processing":[139],"overhead":[140],"only":[142],"0.04":[143],"ms.":[144],"These":[145],"results":[146],"suggest":[147],"provenance-":[149],"enforcement":[153],"is":[154],"practical":[156],"lightweight":[158],"systems.":[163]},"counts_by_year":[],"updated_date":"2026-05-03T08:25:01.440150","created_date":"2026-03-21T00:00:00"}