{"id":"https://openalex.org/W7160595056","doi":"https://doi.org/10.48550/arxiv.2605.06393","title":"Constraining Host-Level Abuse in Self-Hosted Computer-Use Agents via TEE-Backed Isolation","display_name":"Constraining Host-Level Abuse in Self-Hosted Computer-Use Agents via TEE-Backed Isolation","publication_year":2026,"publication_date":"2026-05-07","ids":{"openalex":"https://openalex.org/W7160595056","doi":"https://doi.org/10.48550/arxiv.2605.06393"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2605.06393","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.06393","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2605.06393","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5135646008","display_name":"Di Lu","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Lu, Di","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135669727","display_name":"Bo Zhang","orcid":"https://orcid.org/0000-0001-8181-9111"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhang, Bo","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135682923","display_name":"Xiyuan Li","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Li, Xiyuan","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5037977040","display_name":"Yongzhi Liao","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liao, Yongzhi","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135685169","display_name":"Xuewen Dong","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Dong, Xuewen","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135715881","display_name":"Yulong Shen","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Shen, Yulong","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135705568","display_name":"Zhiquan Liu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Zhiquan","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5135645825","display_name":"Jianfeng Ma","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Ma, Jianfeng","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":8,"corresponding_author_ids":["https://openalex.org/A5135646008"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.6998999714851379,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.6998999714851379,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.07240000367164612,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12203","display_name":"Mobile Agent-Based Network Management","score":0.0674000009894371,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/blocking","display_name":"Blocking (statistics)","score":0.5652999877929688},{"id":"https://openalex.org/keywords/access-control","display_name":"Access control","score":0.5467000007629395},{"id":"https://openalex.org/keywords/isolation","display_name":"Isolation (microbiology)","score":0.545199990272522},{"id":"https://openalex.org/keywords/trusted-computing","display_name":"Trusted Computing","score":0.5210000276565552},{"id":"https://openalex.org/keywords/block","display_name":"Block (permutation group theory)","score":0.484499990940094},{"id":"https://openalex.org/keywords/action","display_name":"Action (physics)","score":0.46709999442100525},{"id":"https://openalex.org/keywords/mandatory-access-control","display_name":"Mandatory access control","score":0.42750000953674316}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.717199981212616},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6801000237464905},{"id":"https://openalex.org/C144745244","wikidata":"https://www.wikidata.org/wiki/Q4927286","display_name":"Blocking (statistics)","level":2,"score":0.5652999877929688},{"id":"https://openalex.org/C527821871","wikidata":"https://www.wikidata.org/wiki/Q228502","display_name":"Access control","level":2,"score":0.5467000007629395},{"id":"https://openalex.org/C2775941552","wikidata":"https://www.wikidata.org/wiki/Q25212305","display_name":"Isolation (microbiology)","level":2,"score":0.545199990272522},{"id":"https://openalex.org/C2776831232","wikidata":"https://www.wikidata.org/wiki/Q966812","display_name":"Trusted Computing","level":2,"score":0.5210000276565552},{"id":"https://openalex.org/C2777210771","wikidata":"https://www.wikidata.org/wiki/Q4927124","display_name":"Block (permutation group theory)","level":2,"score":0.484499990940094},{"id":"https://openalex.org/C2780791683","wikidata":"https://www.wikidata.org/wiki/Q846785","display_name":"Action (physics)","level":2,"score":0.46709999442100525},{"id":"https://openalex.org/C2777407602","wikidata":"https://www.wikidata.org/wiki/Q1888932","display_name":"Mandatory access control","level":4,"score":0.42750000953674316},{"id":"https://openalex.org/C2775924081","wikidata":"https://www.wikidata.org/wiki/Q55608371","display_name":"Control (management)","level":2,"score":0.3871999979019165},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.35929998755455017},{"id":"https://openalex.org/C168167062","wikidata":"https://www.wikidata.org/wiki/Q1117970","display_name":"Component (thermodynamics)","level":2,"score":0.3522999882698059},{"id":"https://openalex.org/C202775310","wikidata":"https://www.wikidata.org/wiki/Q1140366","display_name":"Trusted Platform Module","level":2,"score":0.33980000019073486},{"id":"https://openalex.org/C123657996","wikidata":"https://www.wikidata.org/wiki/Q12271","display_name":"Architecture","level":2,"score":0.3264000117778778},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.27559998631477356},{"id":"https://openalex.org/C159023740","wikidata":"https://www.wikidata.org/wiki/Q623276","display_name":"Deadlock","level":2,"score":0.2547000050544739}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2605.06393","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.06393","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2605.06393","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.06393","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"score":0.6421868801116943,"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Self-hosted":[0],"computer-use":[1],"agents":[2],"(SHCUAs),":[3],"such":[4,68],"as":[5,150],"OpenClaw,":[6],"combine":[7],"natural-language":[8],"interaction":[9],"with":[10,155,191],"direct":[11],"access":[12],"to":[13],"host-side":[14,62],"resources,":[15],"including":[16],"browsers,":[17],"files,":[18],"scripts,":[19],"system":[20],"commands,":[21],"and":[22,96,130,187],"external":[23],"communication":[24],"channels.":[25],"While":[26],"useful":[27],"for":[28,105,184],"automating":[29],"real":[30],"tasks,":[31],"this":[32],"capability":[33],"also":[34],"creates":[35],"a":[36,40,135],"host-level":[37],"abuse":[38],"surface:":[39],"legitimately":[41],"deployed":[42],"agent":[43],"may":[44],"be":[45,71],"steered":[46],"toward":[47],"unsafe":[48,56,175],"operations":[49,178],"through":[50],"malicious":[51],"messages,":[52],"indirect":[53],"prompt":[54],"injection,":[55],"skills,":[57],"or":[58,176],"tampering":[59],"along":[60],"the":[61,80,118,143,151,171],"control":[63],"path.":[64],"We":[65,141],"argue":[66],"that":[67,170],"risks":[69],"cannot":[70],"addressed":[72],"by":[73],"ad":[74],"hoc":[75],"blocking":[76],"rules":[77],"alone,":[78],"because":[79],"security":[81],"criticality":[82],"of":[83,108],"an":[84,102],"operation":[85,139],"depends":[86],"jointly":[87],"on":[88,117,145],"its":[89],"action":[90],"type,":[91],"target":[92],"object,":[93],"execution":[94],"context,":[95],"potential":[97],"effect.":[98],"This":[99],"paper":[100],"presents":[101],"operation-centric":[103],"model":[104],"risk-based":[106],"confinement":[107],"SHCUA":[109],"operations.":[110],"The":[111,167],"proposed":[112],"design":[113,172],"keeps":[114],"ordinary":[115,182],"functionality":[116,183],"constrained":[119,164],"REE":[120],"path,":[121],"while":[122],"protecting":[123],"security-critical":[124],"classification,":[125],"authorization,":[126],"binding,":[127],"evidence":[128,190],"generation,":[129],"selected":[131],"execution-control":[132],"decisions":[133],"inside":[134],"cloud-native":[136],"TEE-backed":[137],"trusted":[138,153,158],"plane.":[140],"instantiate":[142],"architecture":[144],"OpenClaw":[146],"using":[147],"Intel":[148],"TDX":[149],"primary":[152],"backend,":[154],"remote":[156],"terminal-side":[157],"components":[159],"verifying":[160],"TDX-audited":[161],"commands":[162],"before":[163,179],"local":[165],"execution.":[166],"evaluation":[168],"shows":[169],"can":[173],"block":[174],"policy-disallowed":[177],"execution,":[180],"preserve":[181],"allowed":[185],"workloads,":[186],"provide":[188],"auditable":[189],"deployment-dependent":[192],"overhead.":[193]},"counts_by_year":[],"updated_date":"2026-05-09T06:16:02.287421","created_date":"2026-05-09T00:00:00"}