{"id":"https://openalex.org/W7161740495","doi":"https://doi.org/10.48550/arxiv.2605.16976","title":"Securing LLM Agents Need Intent-to-Execution Integrity","display_name":"Securing LLM Agents Need Intent-to-Execution Integrity","publication_year":2026,"publication_date":"2026-05-16","ids":{"openalex":"https://openalex.org/W7161740495","doi":"https://doi.org/10.48550/arxiv.2605.16976"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2605.16976","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.16976","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2605.16976","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5136475019","display_name":"Wenjie Qu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Qu, Wenjie","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5136464586","display_name":"Ming Xu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Xu, Ming","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5136488644","display_name":"Peiran Wang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Wang, Peiran","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5008450480","display_name":"Shengfang Zhai","orcid":"https://orcid.org/0000-0001-6820-6361"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhai, Shengfang","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5136494261","display_name":"Jiaheng Zhang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhang, Jiaheng","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5136497563","display_name":"Dawn Song","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Song, Dawn","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":6,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.807699978351593,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.807699978351593,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.030899999663233757,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10126","display_name":"Logic, programming, and type systems","score":0.023499999195337296,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/correctness","display_name":"Correctness","score":0.8129000067710876},{"id":"https://openalex.org/keywords/construct","display_name":"Construct (python library)","score":0.5698999762535095},{"id":"https://openalex.org/keywords/property","display_name":"Property (philosophy)","score":0.5594000220298767},{"id":"https://openalex.org/keywords/position-paper","display_name":"Position paper","score":0.44209998846054077},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.4293999969959259},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.3652999997138977}],"concepts":[{"id":"https://openalex.org/C55439883","wikidata":"https://www.wikidata.org/wiki/Q360812","display_name":"Correctness","level":2,"score":0.8129000067710876},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.761900007724762},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6137999892234802},{"id":"https://openalex.org/C2780801425","wikidata":"https://www.wikidata.org/wiki/Q5164392","display_name":"Construct (python library)","level":2,"score":0.5698999762535095},{"id":"https://openalex.org/C189950617","wikidata":"https://www.wikidata.org/wiki/Q937228","display_name":"Property (philosophy)","level":2,"score":0.5594000220298767},{"id":"https://openalex.org/C78780964","wikidata":"https://www.wikidata.org/wiki/Q7233193","display_name":"Position paper","level":2,"score":0.44209998846054077},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.4293999969959259},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.3652999997138977},{"id":"https://openalex.org/C33762810","wikidata":"https://www.wikidata.org/wiki/Q461671","display_name":"Data integrity","level":2,"score":0.35690000653266907},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.296999990940094},{"id":"https://openalex.org/C2780791683","wikidata":"https://www.wikidata.org/wiki/Q846785","display_name":"Action (physics)","level":2,"score":0.28929999470710754},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.28839999437332153},{"id":"https://openalex.org/C198082294","wikidata":"https://www.wikidata.org/wiki/Q3399648","display_name":"Position (finance)","level":2,"score":0.2808000147342682},{"id":"https://openalex.org/C40305131","wikidata":"https://www.wikidata.org/wiki/Q2616305","display_name":"Obfuscation","level":2,"score":0.26429998874664307}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2605.16976","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.16976","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2605.16976","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.16976","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"This":[0],"position":[1],"paper":[2],"argues":[3],"that":[4,15,70,122,143,157,187,215],"securing":[5,228],"LLM":[6,27,128,144,230],"agents":[7,28,61,145],"requires":[8],"first":[9],"defining":[10],"an":[11,18,31],"end-to-end":[12],"correctness":[13,120],"property":[14,121],"specifies":[16],"when":[17],"agent's":[19],"execution":[20,108,180],"faithfully":[21],"reflects":[22],"the":[23,107,136],"user's":[24],"intent.":[25,162],"Modern":[26],"operate":[29],"over":[30],"\\emph{intent-to-execution":[32,205],"pipeline},":[33],"where":[34,151],"natural-language":[35],"instructions":[36],"are":[37,72,146],"translated":[38],"into":[39],"concrete":[40],"system":[41],"operations":[42],"such":[43,78],"as":[44,79],"tool":[45,63,179],"calls,":[46,64],"API":[47],"requests,":[48],"and":[49,87,96,177,182,197,221],"code":[50],"execution.":[51],"While":[52],"recent":[53],"defenses":[54,210],"have":[55],"made":[56],"progress":[57,112],"in":[58,106,113,227],"constraining":[59],"how":[60],"construct":[62],"most":[65],"existing":[66,139,208],"formulations":[67],"implicitly":[68],"assume":[69],"tools":[71],"trusted.":[73],"The":[74],"emergence":[75],"of":[76,84,138],"systems":[77,217],"OpenClaw,":[80],"with":[81],"open":[82],"ecosystems":[83],"third-party":[85],"skills":[86],"direct":[88],"access":[89],"to":[90,134,149,155],"user":[91,161],"environments,":[92],"breaks":[93],"this":[94,165],"assumption":[95],"exposes":[97],"new":[98],"failure":[99],"modes,":[100],"including":[101],"malicious":[102],"or":[103],"over-privileged":[104],"components":[105],"pipeline.":[109],"Despite":[110],"rapid":[111],"defense":[114],"mechanisms,":[115],"there":[116],"is":[117],"no":[118],"adequate":[119],"defines":[123],"what":[124],"``secure''":[125],"means":[126],"for":[127],"agents,":[129],"nor":[130],"a":[131],"principled":[132],"way":[133],"evaluate":[135],"coverage":[137],"defenses.":[140],"We":[141,201],"observe":[142],"structurally":[147],"analogous":[148],"compilers,":[150],"security":[152],"violations":[153],"correspond":[154],"mis-executions":[156],"do":[158],"not":[159],"preserve":[160],"Drawing":[163],"on":[164],"analogy,":[166],"we":[167],"identify":[168],"two":[169],"fundamental":[170,225],"problem":[171],"sources":[172],"--":[173,181],"untrusted":[174,178],"data":[175],"ingestion":[176],"derive":[183],"four":[184],"integrity":[185],"properties":[186,213],"must":[188],"hold":[189],"simultaneously:":[190],"\\emph{Tool":[191],"Integrity},":[192,194,196],"\\emph{Instruction":[193],"\\emph{Judgment":[195],"\\emph{Data":[198],"Flow":[199],"Integrity}.":[200],"call":[202],"their":[203],"conjunction":[204],"integrity}.":[206],"Analyzing":[207],"agentic":[209],"against":[211],"these":[212],"reveals":[214],"current":[216],"provide":[218],"only":[219],"partial":[220],"non-compositional":[222],"coverage,":[223],"leaving":[224],"gaps":[226],"modern":[229],"agents.":[231]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-05-20T00:00:00"}