{"id":"https://openalex.org/W7140118138","doi":"https://doi.org/10.48550/arxiv.2603.19469","title":"A Framework for Formalizing LLM Agent Security","display_name":"A Framework for Formalizing LLM Agent Security","publication_year":2026,"publication_date":"2026-03-19","ids":{"openalex":"https://openalex.org/W7140118138","doi":"https://doi.org/10.48550/arxiv.2603.19469"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2603.19469","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.19469","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2603.19469","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5119968245","display_name":"Vincent Siu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Siu, Vincent","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100783350","display_name":"Jingxuan He","orcid":"https://orcid.org/0000-0003-1036-2876"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"He, Jingxuan","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130363975","display_name":"Kyle Montgomery","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Montgomery, Kyle","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130349607","display_name":"Zhun Wang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Wang, Zhun","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130384539","display_name":"Neil Zhenqiang Gong","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Gong, Neil","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130402379","display_name":"Chenguang Wang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Wang, Chenguang","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5130400043","display_name":"Dawn Song","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Song, Dawn","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":7,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.427700012922287,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.427700012922287,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10927","display_name":"Access Control and Trust","score":0.41600000858306885,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.03240000084042549,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/task","display_name":"Task (project management)","score":0.5885000228881836},{"id":"https://openalex.org/keywords/action","display_name":"Action (physics)","score":0.5541999936103821},{"id":"https://openalex.org/keywords/oracle","display_name":"Oracle","score":0.5346999764442444},{"id":"https://openalex.org/keywords/security-through-obscurity","display_name":"Security through obscurity","score":0.5142999887466431},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.5029000043869019},{"id":"https://openalex.org/keywords/computer-security-model","display_name":"Computer security model","score":0.45210000872612},{"id":"https://openalex.org/keywords/security-information-and-event-management","display_name":"Security information and event management","score":0.4140999913215637},{"id":"https://openalex.org/keywords/security-testing","display_name":"Security testing","score":0.399399995803833},{"id":"https://openalex.org/keywords/perspective","display_name":"Perspective (graphical)","score":0.3785000145435333}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7312999963760376},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6859999895095825},{"id":"https://openalex.org/C2780451532","wikidata":"https://www.wikidata.org/wiki/Q759676","display_name":"Task (project management)","level":2,"score":0.5885000228881836},{"id":"https://openalex.org/C2780791683","wikidata":"https://www.wikidata.org/wiki/Q846785","display_name":"Action (physics)","level":2,"score":0.5541999936103821},{"id":"https://openalex.org/C55166926","wikidata":"https://www.wikidata.org/wiki/Q2892946","display_name":"Oracle","level":2,"score":0.5346999764442444},{"id":"https://openalex.org/C114869243","wikidata":"https://www.wikidata.org/wiki/Q133735","display_name":"Security through obscurity","level":5,"score":0.5142999887466431},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.5029000043869019},{"id":"https://openalex.org/C121822524","wikidata":"https://www.wikidata.org/wiki/Q5157582","display_name":"Computer security model","level":2,"score":0.45210000872612},{"id":"https://openalex.org/C103377522","wikidata":"https://www.wikidata.org/wiki/Q3493999","display_name":"Security information and event management","level":4,"score":0.4140999913215637},{"id":"https://openalex.org/C195518309","wikidata":"https://www.wikidata.org/wiki/Q13424265","display_name":"Security testing","level":5,"score":0.399399995803833},{"id":"https://openalex.org/C12713177","wikidata":"https://www.wikidata.org/wiki/Q1900281","display_name":"Perspective (graphical)","level":2,"score":0.3785000145435333},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.3481000065803528},{"id":"https://openalex.org/C2775941552","wikidata":"https://www.wikidata.org/wiki/Q25212305","display_name":"Isolation (microbiology)","level":2,"score":0.3458999991416931},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.3352000117301941},{"id":"https://openalex.org/C108759981","wikidata":"https://www.wikidata.org/wiki/Q788590","display_name":"Authorization","level":2,"score":0.33489999175071716},{"id":"https://openalex.org/C14036430","wikidata":"https://www.wikidata.org/wiki/Q3736076","display_name":"Function (biology)","level":2,"score":0.33239999413490295},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.3314000070095062},{"id":"https://openalex.org/C76178495","wikidata":"https://www.wikidata.org/wiki/Q4808784","display_name":"Asset (computer security)","level":2,"score":0.32670000195503235},{"id":"https://openalex.org/C189950617","wikidata":"https://www.wikidata.org/wiki/Q937228","display_name":"Property (philosophy)","level":2,"score":0.320499986410141},{"id":"https://openalex.org/C184842701","wikidata":"https://www.wikidata.org/wiki/Q370563","display_name":"Cloud computing security","level":3,"score":0.311599999666214},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.30469998717308044},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.29490000009536743},{"id":"https://openalex.org/C2780138299","wikidata":"https://www.wikidata.org/wiki/Q3404265","display_name":"Privilege (computing)","level":2,"score":0.2874000072479248},{"id":"https://openalex.org/C154908896","wikidata":"https://www.wikidata.org/wiki/Q2167404","display_name":"Security policy","level":2,"score":0.2782999873161316},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.27570000290870667},{"id":"https://openalex.org/C144559511","wikidata":"https://www.wikidata.org/wiki/Q2986279","display_name":"Principal (computer security)","level":2,"score":0.26840001344680786},{"id":"https://openalex.org/C2779304628","wikidata":"https://www.wikidata.org/wiki/Q3503480","display_name":"Face (sociological concept)","level":2,"score":0.26460000872612},{"id":"https://openalex.org/C148417208","wikidata":"https://www.wikidata.org/wiki/Q4825882","display_name":"Authentication (law)","level":2,"score":0.2524999976158142}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2603.19469","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.19469","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2603.19469","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.19469","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16","score":0.8277404308319092}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Security":[0],"in":[1,84,91],"LLM":[2,51,126],"agents":[3,52],"is":[4,34],"inherently":[5],"contextual.":[6],"For":[7],"example,":[8],"the":[9,30,39,108],"same":[10],"action":[11,40,133],"taken":[12],"by":[13,243],"an":[14,175],"agent":[15,176],"may":[16],"represent":[17],"legitimate":[18],"behavior":[19],"or":[20,86,206,229],"a":[21,61,65,99,159,178],"security":[22,48,92,119,124,170,208,231],"violation":[23],"depending":[24],"on":[25],"whose":[26],"instruction":[27],"led":[28],"to":[29,55,77],"action,":[31],"what":[32],"objective":[33],"being":[35],"pursued,":[36],"and":[37,105,147,199,213],"whether":[38,168],"serves":[41],"that":[42,101,121,164,225],"objective.":[43],"However,":[44],"existing":[45,103,186],"definitions":[46,215],"of":[47,110,161,167,204,216],"attacks":[49,104],"against":[50],"often":[53],"fail":[54],"capture":[56,122],"this":[57,95,114,182],"contextual":[58,111,123,214],"nature.":[59],"As":[60],"result,":[62],"defenses":[63,70,83,106,222],"face":[64],"fundamental":[66],"utility-security":[67],"tradeoff:":[68],"applying":[69,82],"uniformly":[71],"across":[72],"all":[73],"contexts":[74,88],"can":[75,89],"lead":[76],"significant":[78],"utility":[79],"loss,":[80],"while":[81],"insufficient":[85],"inappropriate":[87],"result":[90],"vulnerabilities.":[93],"In":[94],"work,":[96],"we":[97,116,184,220,235],"present":[98],"framework":[100],"systematizes":[102],"from":[107,144],"perspective":[109],"security.":[112],"To":[113],"end,":[115],"propose":[117],"four":[118],"properties":[120,171],"for":[125],"agents:":[127],"task":[128,197],"alignment":[129,134],"(pursuing":[130],"authorized":[131],"objectives),":[132,139],"(individual":[135],"actions":[136],"serving":[137],"those":[138],"source":[140],"authorization":[141],"(executing":[142],"commands":[143],"authenticated":[145],"sources),":[146],"data":[148],"isolation":[149],"(ensuring":[150],"information":[151],"flows":[152],"respect":[153],"privilege":[154],"boundaries).":[155],"We":[156],"further":[157],"introduce":[158],"set":[160],"oracle":[162,227],"functions":[163,228],"enable":[165],"verification":[166],"these":[169,217],"are":[172],"violated":[173],"as":[174,189,202,223],"executes":[177],"user":[179],"task.":[180],"Using":[181],"framework,":[183],"reformalize":[185,221],"attacks,":[187],"such":[188],"indirect":[190],"prompt":[191,194],"injection,":[192,195],"direct":[193],"jailbreak,":[196],"drift,":[198],"memory":[200],"poisoning,":[201],"violations":[203],"one":[205],"more":[207],"properties,":[209],"thereby":[210],"providing":[211],"precise":[212],"attacks.":[218],"Similarly,":[219],"mechanisms":[224],"strengthen":[226],"perform":[230],"property":[232],"checks.":[233],"Finally,":[234],"discuss":[236],"several":[237],"important":[238],"future":[239],"research":[240],"directions":[241],"enabled":[242],"our":[244],"framework.":[245]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-03-24T00:00:00"}