{"id":"https://openalex.org/W7161309496","doi":"https://doi.org/10.48550/arxiv.2605.14932","title":"Toward Securing AI Agents Like Operating Systems","display_name":"Toward Securing AI Agents Like Operating Systems","publication_year":2026,"publication_date":"2026-05-14","ids":{"openalex":"https://openalex.org/W7161309496","doi":"https://doi.org/10.48550/arxiv.2605.14932"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2605.14932","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.14932","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2605.14932","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5049436073","display_name":"Lukas Pirch","orcid":"https://orcid.org/0009-0003-9185-780X"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Pirch, Lukas","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5067407906","display_name":"Micha Horlboge","orcid":"https://orcid.org/0009-0005-3195-4573"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Horlboge, Micha","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5136245620","display_name":"Patrick Gro\u00dfmann","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Gro\u00dfmann, Patrick","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5092462132","display_name":"Syeda Mahnur Asif","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Asif, Syeda Mahnur","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5087960572","display_name":"Klim Kireev","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Kireev, Klim","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5136191312","display_name":"Thorsten Holz","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Holz, Thorsten","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5066077721","display_name":"Konrad Rieck","orcid":"https://orcid.org/0000-0002-5054-8758"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Rieck, Konrad","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":7,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.2102999985218048,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.2102999985218048,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.1867000013589859,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12026","display_name":"Explainable Artificial Intelligence (XAI)","score":0.055399999022483826,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.6040999889373779},{"id":"https://openalex.org/keywords/through-the-lens-metering","display_name":"Through-the-lens metering","score":0.41100001335144043},{"id":"https://openalex.org/keywords/face","display_name":"Face (sociological concept)","score":0.3804999887943268},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.37880000472068787},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.35929998755455017},{"id":"https://openalex.org/keywords/security-testing","display_name":"Security testing","score":0.2924000024795532}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6901000142097473},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6478000283241272},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.6040999889373779},{"id":"https://openalex.org/C43091099","wikidata":"https://www.wikidata.org/wiki/Q1067788","display_name":"Through-the-lens metering","level":3,"score":0.41100001335144043},{"id":"https://openalex.org/C2779304628","wikidata":"https://www.wikidata.org/wiki/Q3503480","display_name":"Face (sociological concept)","level":2,"score":0.3804999887943268},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.37880000472068787},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.35929998755455017},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.3472999930381775},{"id":"https://openalex.org/C107457646","wikidata":"https://www.wikidata.org/wiki/Q207434","display_name":"Human\u2013computer interaction","level":1,"score":0.302700012922287},{"id":"https://openalex.org/C195518309","wikidata":"https://www.wikidata.org/wiki/Q13424265","display_name":"Security testing","level":5,"score":0.2924000024795532},{"id":"https://openalex.org/C13687954","wikidata":"https://www.wikidata.org/wiki/Q4826847","display_name":"Autonomous agent","level":2,"score":0.2547999918460846},{"id":"https://openalex.org/C207267971","wikidata":"https://www.wikidata.org/wiki/Q120208","display_name":"Emerging technologies","level":2,"score":0.2540000081062317},{"id":"https://openalex.org/C121822524","wikidata":"https://www.wikidata.org/wiki/Q5157582","display_name":"Computer security model","level":2,"score":0.25369998812675476},{"id":"https://openalex.org/C47487241","wikidata":"https://www.wikidata.org/wiki/Q5227230","display_name":"Data access","level":2,"score":0.25270000100135803}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2605.14932","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.14932","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2605.14932","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.14932","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Autonomous":[0],"agents":[1,66],"based":[2],"on":[3],"large":[4],"language":[5],"models":[6],"(LLMs)":[7],"are":[8],"rapidly":[9],"emerging":[10],"as":[11,19],"a":[12,102,118,180],"general-purpose":[13],"technology,":[14],"with":[15,51,179],"recent":[16],"systems":[17,42],"such":[18],"OpenClaw":[20],"extending":[21],"their":[22],"capabilities":[23,50,160],"through":[24,67],"broad":[25],"tool":[26],"use,":[27],"third-party":[28],"skills,":[29],"and":[30,86,106,141,149],"deeper":[31],"integration":[32],"into":[33],"user":[34,55],"environments.":[35],"At":[36],"the":[37,62,68,95,185],"same":[38],"time,":[39],"these":[40],"agentic":[41,159,189],"introduce":[43],"substantial":[44],"security":[45,63],"risks":[46],"by":[47,90,163],"combining":[48],"unconstrained":[49],"access":[52],"to":[53],"sensitive":[54],"data.":[56],"In":[57],"this":[58,91,114],"work,":[59],"we":[60,93,116,132,153],"investigate":[61],"of":[64,70,98,182,188],"LLM-based":[65],"lens":[69],"operating":[71,174],"systems.":[72,190],"We":[73,177],"argue":[74],"that":[75,134,142,156],"both":[76],"face":[77],"strikingly":[78],"similar":[79],"challenges":[80],"in":[81,139],"isolating":[82],"resources,":[83],"separating":[84],"privileges,":[85],"mediating":[87],"communication.":[88],"Guided":[89],"perspective,":[92],"survey":[94],"current":[96],"landscape":[97],"open-source":[99],"agents,":[100],"derive":[101],"unified":[103],"agent":[104],"architecture,":[105],"systematically":[107],"analyze":[108],"potential":[109],"attack":[110],"vectors.":[111],"To":[112],"validate":[113],"analysis,":[115],"conduct":[117],"case":[119],"study":[120],"evaluating":[121],"four":[122],"widely":[123],"used":[124],"OpenClaw-like":[125],"agents.":[126],"Even":[127],"under":[128],"modest":[129],"attacker":[130],"capabilities,":[131],"find":[133],"several":[135],"protection":[136],"mechanisms":[137],"fail":[138],"practice":[140],"secure":[143,186],"operation":[144],"requires":[145],"detailed":[146],"system":[147,175],"knowledge":[148],"careful":[150],"configuration.":[151],"However,":[152],"also":[154],"observe":[155],"while":[157],"some":[158],"remain":[161],"insecure":[162],"design,":[164],"many":[165],"vulnerabilities":[166],"can":[167],"be":[168],"mitigated":[169],"using":[170],"well-established":[171],"techniques":[172],"from":[173],"security.":[176],"conclude":[178],"set":[181],"recommendations":[183],"for":[184],"design":[187]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-05-16T00:00:00"}