{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,29]],"date-time":"2025-08-29T17:10:08Z","timestamp":1756487408896,"version":"3.44.0"},"publisher-location":"New York, NY, USA","reference-count":87,"publisher":"ACM","license":[{"start":{"date-parts":[[2025,5,14]],"date-time":"2025-05-14T00:00:00Z","timestamp":1747180800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,5,14]]},"DOI":"10.1145\/3713082.3730378","type":"proceedings-article","created":{"date-parts":[[2025,6,6]],"date-time":"2025-06-06T09:53:51Z","timestamp":1749203631000},"page":"8-17","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Contextual Agent Security: A Policy for Every Purpose"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-6157-1980","authenticated-orcid":false,"given":"Lillian","family":"Tsai","sequence":"first","affiliation":[{"name":"Google"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7994-6469","authenticated-orcid":false,"given":"Eugene","family":"Bagdasarian","sequence":"additional","affiliation":[{"name":"Google"}]}],"member":"320","published-online":{"date-parts":[[2025,6,6]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"VLDB.","author":"Agrawal Rakesh","year":"2002","unstructured":"Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, and Yirong Xu. \"Hippocratic Databases\". In: VLDB. 2002."},{"key":"e_1_3_2_1_2_1","volume-title":"arXiv","author":"Alon Gabriel","year":"2023","unstructured":"Gabriel Alon and Michael Kamfonas. \"Detecting Language Model Attacks with Perplexity\". In: arXiv (2023). eprint: 2308.14132 (cs.CL)."},{"volume-title":"Computer use (beta)","year":"2024","key":"e_1_3_2_1_3_1","unstructured":"Anthropic. Computer use (beta). 2024. url: https:\/\/docs.anthropic.com\/en\/docs\/build-with-claude\/computer-use."},{"volume-title":"AppArmor Security Profiles","year":"2025","key":"e_1_3_2_1_4_1","unstructured":"AppArmor. AppArmor Security Profiles. 2025. url: https:\/\/apparmor.net\/."},{"key":"e_1_3_2_1_5_1","volume-title":"UbiComp.","author":"Apthorpe Noah","year":"2018","unstructured":"Noah Apthorpe, Yan Shvartzshnaider, Arunesh Mathur, Dillon Reisman, and Nick Feamster. \"Discovering Smart Home Internet of Things Privacy Norms Using Contextual Integrity\". In: UbiComp. 2018."},{"key":"e_1_3_2_1_6_1","volume-title":"AWS Identity and Access Management (IAM)","author":"AWS.","year":"2023","unstructured":"AWS. AWS Identity and Access Management (IAM). 2023. url: https:\/\/aws.amazon.com\/iam\/ (visited on 01\/30\/2023)."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3690350"},{"key":"e_1_3_2_1_8_1","volume-title":"ICML 2024 Next Generation of AI Safety Workshop.","author":"Balunovic Mislav","year":"2024","unstructured":"Mislav Balunovic, Luca Beurer-Kellner, Marc Fischer, and Martin Vechev. \"AI Agents with Formal Security Guarantees\". In: ICML 2024 Next Generation of AI Safety Workshop. 2024."},{"key":"e_1_3_2_1_9_1","volume-title":"S&P.","author":"Barth A","year":"2006","unstructured":"A Barth, A Datta, J C Mitchell, and H Nissenbaum. \"Privacy and contextual integrity: framework and applications\". In: S&P. 2006."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1561\/3300000016"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1561\/3300000016"},{"key":"e_1_3_2_1_12_1","volume-title":"Oracle Technical White Paper","author":"Browder Kristy","year":"2002","unstructured":"Kristy Browder and Mary Ann Davidson. \"The Virtual Private Database in Oracle9iR2\". In: Oracle Technical White Paper, Oracle Corporation (2002)."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1007\/s00778-006-0023-0"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDE.2007.368976"},{"key":"e_1_3_2_1_15_1","volume-title":"arXiv (Feb.","author":"Criado Natalia","year":"2015","unstructured":"Natalia Criado and Jose M Such. \"Implicit Contextual Integrity in Online Social Networks\". In: arXiv (Feb. 2015). eprint: 1502.02493 (cs.SI)."},{"key":"e_1_3_2_1_16_1","volume-title":"arXiv","author":"Debenedetti Edoardo","year":"2025","unstructured":"Edoardo Debenedetti, Ilia Shumailov, Tianqi Fan, Jamie Hayes, Nicholas Carlini, Daniel Fabian, Christoph Kern, Chongyang Shi, Andreas Terzis, and Florian Tram\u00e8r. \"Defeating Prompt Injections by Design\". In: arXiv (2025). eprint: 2503.18813."},{"key":"e_1_3_2_1_17_1","volume-title":"A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents\". In: arXiv","author":"Debenedetti Edoardo","year":"2024","unstructured":"Edoardo Debenedetti, Jie Zhang, Mislav Balunovi\u0107, Luca Beurer-Kellner, Marc Fischer, and Florian Tram\u00e8r. \"Agent-Dojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents\". In: arXiv (2024). eprint: 2406.13352 (cs.CR)."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.1987.232889"},{"key":"e_1_3_2_1_19_1","volume-title":"a study on mobile applications and user perception","author":"Geronimo Linda Di","year":"2020","unstructured":"Linda Di Geronimo, Larissa Braz, Enrico Fregnan, Fabio Palomba, and Alberto Bacchelli. \"UI dark patterns and where to find them: a study on mobile applications and user perception\". In: CHI. 2020."},{"key":"e_1_3_2_1_20_1","volume-title":"arXiv","author":"Dong Qingxiu","year":"2024","unstructured":"Qingxiu Dong, Lei Li, Damai Dai, Ce Zheng, Jingyuan Ma, Rui Li, Heming Xia, Jingjing Xu, Zhiyong Wu, Tianyu Liu, Baobao Chang, Xu Sun, Lei Li, and Zhifang Sui. \"A Survey on In-context Learning\". In: arXiv (2024). eprint: 2301.00234 (cs.CL)."},{"key":"e_1_3_2_1_21_1","first-page":"211","volume-title":"Adrienne Porter Felt, and David Wagner. \"Choice Architecture and Smartphone Privacy: There's a Price for That","author":"Egelman Serge","year":"2013","unstructured":"Serge Egelman, Adrienne Porter Felt, and David Wagner. \"Choice Architecture and Smartphone Privacy: There's a Price for That\". In: The Economics of Information Security and Privacy. Edited by Rainer B\u00f6hme. Berlin, Heidelberg: Springer Berlin Heidelberg, 2013, pages 211--236."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2014.02.007"},{"key":"e_1_3_2_1_23_1","volume-title":"CCS.","author":"Felt Adrienne Porter","year":"2011","unstructured":"Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, and David Wagner. \"Android permissions demystified\". In: CCS. 2011."},{"key":"e_1_3_2_1_24_1","volume-title":"User attention, comprehension, and behavior","author":"Felt Adrienne Porter","year":"2012","unstructured":"Adrienne Porter Felt, Elizabeth Ha, Serge Egelman, Ariel Haney, Erika Chin, and David Wagner. \"Android permissions: User attention, comprehension, and behavior\". In: SOUPS. 2012."},{"key":"e_1_3_2_1_25_1","volume-title":"Verena Rieser, et al. \"The Ethics of Advanced AI Assistants\". In: arXiv","author":"Gabriel Iason","year":"2024","unstructured":"Iason Gabriel, Arianna Manzini, Geoff Keeling, Lisa Anne Hendricks, Verena Rieser, et al. \"The Ethics of Advanced AI Assistants\". In: arXiv (2024). eprint: 2404.16244 (cs.CY)."},{"key":"e_1_3_2_1_26_1","volume-title":"The Capacity for Moral Self-Correction in Large Language Models\". In: arXiv","author":"Ganguli Deep","year":"2023","unstructured":"Deep Ganguli, Amanda Askell, Nicholas Schiefer, Thomas I. Liao, Kamil\u0117 Luko\u0161i\u016bt\u0117, Anna Chen, Anna Goldie, et al. \"The Capacity for Moral Self-Correction in Large Language Models\". In: arXiv (2023). eprint: 2302.07459 (cs.CL)."},{"key":"e_1_3_2_1_27_1","first-page":"639","volume-title":"27th USENIX Security Symposium (USENIX Security 18)","author":"Gao Peng","year":"2018","unstructured":"Peng Gao, Xusheng Xiao, Ding Li, Zhichun Li, Kangkook Jee, Zhenyu Wu, Chung Hwan Kim, Sanjeev R. Kulkarni, and Prateek Mittal. \"SAQL: A Stream-based Query System for Real-Time Abnormal System Behavior Detection\". In: 27th USENIX Security Symposium (USENIX Security 18). Baltimore, MD: USENIX Association, Aug. 2018, pages 639--656."},{"key":"e_1_3_2_1_28_1","volume-title":"Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection\". In: arXiv","author":"Greshake Kai","year":"2023","unstructured":"Kai Greshake, Sahar Abdelnabi, Shailesh Mishra, Christoph Endres, Thorsten Holz, and Mario Fritz. \"Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection\". In: arXiv (2023). eprint: 2302.12173 (cs.CR)."},{"key":"e_1_3_2_1_29_1","volume-title":"TODS","author":"Griffiths Patricia P","year":"1976","unstructured":"Patricia P Griffiths and Bradford W Wade. \"An authorization mechanism for a relational database system\". In: TODS (1976)."},{"key":"e_1_3_2_1_30_1","volume-title":"SIGCAS","author":"Grodzinsky Frances S","year":"2011","unstructured":"Frances S Grodzinsky and Herman T Tavani. \"Privacy in \"the cloud\" applying Nissenbaum's theory of contextual integrity\". In: SIGCAS (2011)."},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24046"},{"key":"e_1_3_2_1_32_1","volume-title":"Securing LLM Systems Against Prompt Injection","author":"Harang Rich","year":"2023","unstructured":"Rich Harang. Securing LLM Systems Against Prompt Injection. 2023. url: https:\/\/developer.nvidia.com\/blog\/securingllm-systems-against-prompt-injection."},{"key":"e_1_3_2_1_33_1","volume-title":"How your Gemini mobile app can help when your phone is locked","author":"Help Gemini Apps","year":"2025","unstructured":"Gemini Apps Help. How your Gemini mobile app can help when your phone is locked. 2025. url: https:\/\/support.google.com\/gemini\/answer\/14576209?hl=en."},{"key":"e_1_3_2_1_34_1","volume-title":"arXiv","author":"Hines Keegan","year":"2024","unstructured":"Keegan Hines, Gary Lopez, Matthew Hall, Federico Zarfati, Yonatan Zunger, and Emre Kiciman. \"Defending Against Indirect Prompt Injection Attacks With Spotlighting\". In: arXiv (2024). eprint: 2403.14720."},{"key":"e_1_3_2_1_35_1","volume-title":"LLM-based Input-Output Safeguard for Human-AI Conversations\". In: arXiv","author":"Inan Hakan","year":"2023","unstructured":"Hakan Inan, Kartikeya Upasani, Jianfeng Chi, Rashi Rungta, Krithika Iyer, Yuning Mao, Michael Tontchev, Qing Hu, Brian Fuller, Davide Testuggine, and Madian Khabsa. \"Llama Guard: LLM-based Input-Output Safeguard for Human-AI Conversations\". In: arXiv (2023). eprint: 2312.06674 (cs.CL)."},{"key":"e_1_3_2_1_36_1","volume-title":"arXiv","author":"Jain Neel","year":"2023","unstructured":"Neel Jain, Avi Schwarzschild, Yuxin Wen, Gowthami Somepalli, John Kirchenbauer, Ping-yeh Chiang, Micah Goldblum, Aniruddha Saha, Jonas Geiping, and Tom Goldstein. \"Baseline Defenses for Adversarial Attacks Against Aligned Language Models\". In: arXiv (2023). eprint: 2309.00614 (cs.LG)."},{"key":"e_1_3_2_1_37_1","volume-title":"SOUPS.","author":"Johnson Maritza","year":"2010","unstructured":"Maritza Johnson, John Karat, Clare-Marie Karat, and Keith Grueneberg. \"Optimizing a policy authoring framework for security and privacy policies\". In: SOUPS. 2010."},{"key":"e_1_3_2_1_38_1","volume-title":"Haoxing Du, Brian Goodrich, Max Hasin","author":"Kinniment Megan","year":"2023","unstructured":"Megan Kinniment, Lucas Jun Koba Sato, Haoxing Du, Brian Goodrich, Max Hasin, Lawrence Chan, Luke Harold Miles, Tao R. Lin, Hjalmar Wijk, Joel Burget, Aaron Ho, Elizabeth Barnes, and Paul Francis Christiano. \"Evaluating Language-Model Agents on Realistic Autonomous Tasks\". In: arXiv (2023). eprint: 2312.11671."},{"key":"e_1_3_2_1_39_1","volume-title":"Using Contextual Integrity for Privacy Protection on Mobile Devices","author":"Kumar Abhishek","year":"2020","unstructured":"Abhishek Kumar, Tristan Braud, Young D Kwon, and Pan Hui. \"Aquilis: Using Contextual Integrity for Privacy Protection on Mobile Devices\". In: IMWUT. 2020."},{"volume-title":"Hugging Face prompt injection identification","year":"2024","key":"e_1_3_2_1_40_1","unstructured":"LangChain. Hugging Face prompt injection identification. 2024. url: https:\/\/python.langchain.com\/v0.1\/docs\/guides\/productionization\/safety\/hugging_face_prompt_injection\/."},{"key":"e_1_3_2_1_41_1","unstructured":"Joel Z Leibo Alexander Sasha Vezhnevets Manfred Diaz John P Agapiou William A Cunningham Peter Sunehag Julia Haas Raphael Koster Edgar A Du\u00e9\u00f1ez-Guzm\u00e1n William S Isaac et al. \"A theory of appropriateness with applications to generative artificial intelligence\". In: arXiv (2024). eprint: 2412.19010."},{"key":"e_1_3_2_1_42_1","volume-title":"A Survey on Red Teaming for Generative Models\". In: arXiv","author":"Lin Lizhi","year":"2024","unstructured":"Lizhi Lin, Honglin Mu, Zenan Zhai, Minghan Wang, Yuxia Wang, Renxi Wang, Junjie Gao, Yixuan Zhang, Wanxiang Che, Timothy Baldwin, Xudong Han, and Haonan Li. \"Against The Achilles' Heel: A Survey on Red Teaming for Generative Models\". In: arXiv (2024). eprint: 2404.00629 (cs.CL)."},{"key":"e_1_3_2_1_43_1","volume-title":"arXiv","author":"Liu Yupei","year":"2024","unstructured":"Yupei Liu, Yuqi Jia, Runpeng Geng, Jinyuan Jia, and Neil Zhenqiang Gong. \"Formalizing and Benchmarking Prompt Injection Attacks and Defenses\". In: arXiv (2024). eprint: 2310.12815 (cs.CR)."},{"key":"e_1_3_2_1_44_1","volume-title":"A Standardized Evaluation Framework for Automated Red Teaming and Robust Refusal\". In: arXiv","author":"Mazeika Mantas","year":"2024","unstructured":"Mantas Mazeika, Long Phan, Xuwang Yin, Andy Zou, Zifan Wang, Norman Mu, Elham Sakhaee, Nathaniel Li, Steven Basart, Bo Li, David Forsyth, and Dan Hendrycks. \"Harm-Bench: A Standardized Evaluation Framework for Automated Red Teaming and Robust Refusal\". In: arXiv (2024). eprint: 2402.04249 (cs.LG)."},{"key":"e_1_3_2_1_45_1","volume-title":"USENIX Security.","author":"Mehta Aastha","year":"2017","unstructured":"Aastha Mehta, Eslam Elnikety, Katura Harvey, Deepak Garg, and Peter Druschel. \"Qapla: Policy Compliance for Database-Backed Systems\". In: USENIX Security. 2017."},{"volume-title":"Row-level security - SQL server","year":"2023","key":"e_1_3_2_1_46_1","unstructured":"Microsoft. Row-level security - SQL server. 2023. url: https:\/\/learn.microsoft.com\/en-us\/sql\/relational-databases\/security\/row-level-security (visited on 01\/30\/2023)."},{"key":"e_1_3_2_1_47_1","volume-title":"ICLR.","author":"Mireshghallah Niloofar","year":"2024","unstructured":"Niloofar Mireshghallah, Hyunwoo Kim, Xuhui Zhou, Yulia Tsvetkov, Maarten Sap, Reza Shokri, and Yejin Choi. \"Can LLMs Keep a Secret? Testing Privacy Implications of Language Models via Contextual Integrity Theory\". In: ICLR. 2024."},{"key":"e_1_3_2_1_48_1","volume-title":"ICLR.","author":"Mireshghallah Niloofar","year":"2024","unstructured":"Niloofar Mireshghallah, Hyunwoo Kim, Xuhui Zhou, Yulia Tsvetkov, Maarten Sap, Reza Shokri, and Yejin Choi. \"Can LLMs keep a secret? Testing privacy implications of language models via contextual integrity theory\". In: ICLR. 2024."},{"volume-title":"Proceedings of the 2007 ACM SIGMOD International Conference on Management of Data. SIGMOD '07","author":"Murthy Ravi","key":"e_1_3_2_1_49_1","unstructured":"Ravi Murthy and Eric Sedlar. \"Flexible and Efficient Access Control in Oracle\". In: Proceedings of the 2007 ACM SIGMOD International Conference on Management of Data. SIGMOD '07. Beijing, China: Association for Computing Machinery, 2007, pages 973--980."},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2021.3083060"},{"key":"e_1_3_2_1_51_1","first-page":"119","article-title":"Privacy as contextual integrity","volume":"79","author":"Nissenbaum Helen","year":"2004","unstructured":"Helen Nissenbaum. \"Privacy as contextual integrity\". In: Washington Law Review 79 (2004), pages 119--157.","journal-title":"Washington Law Review"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1515\/til-2019-0008"},{"key":"e_1_3_2_1_53_1","unstructured":"OpenAI. Introducing Operator. 2025. url: https:\/\/openai.com\/index\/introducing-operator\/."},{"key":"e_1_3_2_1_54_1","volume-title":"Top 10 for Large Language Model Applications","author":"OWASP.","year":"2023","unstructured":"OWASP. Top 10 for Large Language Model Applications. 2023. url: https:\/\/owasp.org\/wwwproject-top-10-for-large-language-modelapplications\/assets\/PDF\/OWASP-Top-10-for-LLMs2023-v1_1.pdf."},{"key":"e_1_3_2_1_55_1","volume-title":"Overly Permissive Regular Expression","author":"OWASP.","year":"2025","unstructured":"OWASP. Overly Permissive Regular Expression. 2025. url: https:\/\/owasp.org\/www-community\/vulnerabilities\/Overly_Permissive_Regular_Expression."},{"key":"e_1_3_2_1_56_1","volume-title":"2019 USENIX Annual Technical Conference (USENIX ATC '19)","author":"Pang Ruoming","year":"2019","unstructured":"Ruoming Pang, Ramon Caceres, Mike Burrows, Zhifeng Chen, Pratik Dave, Nathan Germer, Alexander Golynski, Kevin Graney, Nina Kang, Lea Kissner, Jeffrey L. Korn, Abhishek Parmar, Christina D. Richards, and Mengzhi Wang. \"Zanzibar: Google's Consistent, Global Authorization System\". In: 2019 USENIX Annual Technical Conference (USENIX ATC '19). Renton, WA, 2019."},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1186\/s42400-019-0031-1"},{"key":"e_1_3_2_1_58_1","volume-title":"Attack Techniques For Language Models\". In: arXiv","author":"Perez F\u00e1bio","year":"2022","unstructured":"F\u00e1bio Perez and Ian Ribeiro. \"Ignore Previous Prompt: Attack Techniques For Language Models\". In: arXiv (2022). eprint: 2211.09527 (cs.CL)."},{"key":"e_1_3_2_1_59_1","unstructured":"recordsetter.com\/. Longest Active Email Address. url: https:\/\/recordsetter.com\/world-record\/email-address\/4310 (visited on 01\/05\/2025)."},{"key":"e_1_3_2_1_60_1","volume-title":"What is SELinux?","author":"Hat Red","year":"2025","unstructured":"Red Hat. What is SELinux? 2025. url: https:\/\/www.redhat.com\/en\/topics\/linux\/what-is-selinux."},{"key":"e_1_3_2_1_61_1","volume-title":"I might be OOTL here but why is Google Assistant now requiring me to unlock my phone for every single command?","author":"User Reddit","year":"2024","unstructured":"Reddit User. I might be OOTL here but why is Google Assistant now requiring me to unlock my phone for every single command? 2024. url: https:\/\/www.reddit.com\/r\/GooglePixel\/comments\/1d8piqj\/i_might_be_ootl_here_but_why_is_google_assistant\/."},{"key":"e_1_3_2_1_62_1","unstructured":"Scott Reed Konrad Zolna Emilio Parisotto Sergio Gomez Colmenarejo Alexander Novikov Gabriel Barth-Maron Mai Gimenez Yury Sulsky Jackie Kay Jost Tobias Springenberg Tom Eccles Jake Bruce Ali Razavi Ashley Edwards Nicolas Heess Yutian Chen Raia Hadsell Oriol Vinyals Mahyar Bordbar and Nando de Freitas. \"A Generalist Agent\". In: arXiv (2022). eprint: 2205.06175 (cs.AI)."},{"key":"e_1_3_2_1_63_1","volume-title":"INTERACT.","author":"Reeder Robert W","year":"2007","unstructured":"Robert W Reeder, Clare-Marie Karat, John Karat, and Carolyn Brodie. \"Usability challenges in security and privacy policy-authoring interfaces\". In: INTERACT. 2007."},{"volume-title":"Proceedings of the 2004 ACM SIGMOD International Conference on Management of Data. SIGMOD '04","author":"Rizvi Shariq","key":"e_1_3_2_1_64_1","unstructured":"Shariq Rizvi, Alberto Mendelzon, S. Sudarshan, and Prasan Roy. \"Extending Query Rewriting Techniques for Fine-Grained Access Control\". In: Proceedings of the 2004 ACM SIGMOD International Conference on Management of Data. SIGMOD '04. Paris, France: Association for Computing Machinery, 2004, pages 551--562."},{"key":"e_1_3_2_1_65_1","volume-title":"arXiv","author":"Ruan Yangjun","year":"2024","unstructured":"Yangjun Ruan, Honghua Dong, Andrew Wang, Silviu Pitis, Yongchao Zhou, Jimmy Ba, Yann Dubois, Chris J. Maddison, and Tatsunori Hashimoto. \"Identifying the Risks of LM Agents with an LM-Emulated Sandbox\". In: arXiv (2024). eprint: 2309.15817 (cs.AI)."},{"key":"e_1_3_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/3308558.3313655"},{"key":"e_1_3_2_1_67_1","volume-title":"Department of Commerce","author":"National Institute of Standards and Technology.","year":"2014","unstructured":"National Institute of Standards and Technology. Guide to Attribute Based Access Control (ABAC) Definition and Considerations. NIST Special Publication 800-162. U.S. Department of Commerce, Dec. 2014."},{"key":"e_1_3_2_1_68_1","volume-title":"A Systematic Literature Review\". In: arXiv","author":"Su Jing","year":"2024","unstructured":"Jing Su, Chufeng Jiang, Xin Jin, Yuxin Qiao, Tingsong Xiao, Hongda Ma, Rong Wei, Zhi Jing, Jiajun Xu, and Junhong Lin. \"Large Language Models for Forecasting and Anomaly Detection: A Systematic Literature Review\". In: arXiv (2024). eprint: 2402.10350 (cs.LG)."},{"key":"e_1_3_2_1_69_1","volume-title":"Gemini: a family of highly capable multimodal models\". In: arXiv","author":"Team Gemini","year":"2023","unstructured":"Gemini Team, Rohan Anil, Sebastian Borgeaud, Jean-Baptiste Alayrac, Jiahui Yu, Radu Soricut, Johan Schalkwyk, Andrew M Dai, Anja Hauth, Katie Millican, et al. \"Gemini: a family of highly capable multimodal models\". In: arXiv (2023). eprint: 2312.11805."},{"key":"e_1_3_2_1_70_1","volume-title":"EMNLP.","author":"Tonmoy SM","year":"2024","unstructured":"SM Tonmoy, SM Zaman, Vinija Jain, Anku Rani, Vipula Rawte, Aman Chadha, and Amitava Das. \"A comprehensive survey of hallucination mitigation techniques in large language models\". In: EMNLP. 2024."},{"key":"e_1_3_2_1_71_1","volume-title":"Training LLMs to Prioritize Privileged Instructions\". In: arXiv","author":"Wallace Eric","year":"2024","unstructured":"Eric Wallace, Kai Xiao, Reimar Leike, Lilian Weng, Johannes Heidecke, and Alex Beutel. \"The Instruction Hierarchy: Training LLMs to Prioritize Privileged Instructions\". In: arXiv (2024). eprint: 2404.13208 (cs.CR)."},{"key":"e_1_3_2_1_72_1","first-page":"80079","volume-title":"T. Naumann, A. Globerson, K. Saenko, M. Hardt, and S. Levine.","author":"Wei Alexander","year":"2023","unstructured":"Alexander Wei, Nika Haghtalab, and Jacob Steinhardt. \"Jail-broken: How Does LLM Safety Training Fail?\" In: Advances in Neural Information Processing Systems. Edited by A. Oh, T. Naumann, A. Globerson, K. Saenko, M. Hardt, and S. Levine. Volume 36. Curran Associates, Inc., 2023, pages 80079--80110."},{"key":"e_1_3_2_1_73_1","volume-title":"Regular expression Denial of Service - ReDoS","author":"Weidman Adar","year":"2025","unstructured":"Adar Weidman. Regular expression Denial of Service - ReDoS. 2025. url: https:\/\/owasp.org\/www-community\/attacks\/Regular_expression_Denial_of_Service_-_ReDoS."},{"key":"e_1_3_2_1_74_1","volume-title":"USENIX Security.","author":"Wijesekera Primal","year":"2015","unstructured":"Primal Wijesekera, Arjun Baokar, Ashkan Hosseini, Serge Egelman, David Wagner, and Konstantin Beznosov. \"Android permissions remystified: A field study on contextual integrity\". In: USENIX Security. 2015."},{"key":"e_1_3_2_1_75_1","volume-title":"Prompt injection attacks against GPT-3","author":"Willison Simon","year":"2023","unstructured":"Simon Willison. Prompt injection attacks against GPT-3. 2023. url: https:\/\/simonwillison.net \/2022\/Sep \/12\/prompt-injection."},{"key":"e_1_3_2_1_76_1","volume-title":"Delimiters won't save you from prompt injection","author":"Willison Simon","year":"2024","unstructured":"Simon Willison. Delimiters won't save you from prompt injection. 2024. url: https:\/\/simonwillison.net\/2023\/May\/11\/delimiters-wont-save-you."},{"key":"e_1_3_2_1_77_1","volume-title":"The Dual LLM pattern for building AI assistants that can resist prompt injection","author":"Willison Simon","year":"2024","unstructured":"Simon Willison. The Dual LLM pattern for building AI assistants that can resist prompt injection. 2024. url: https:\/\/simonwillison.net\/2023\/Apr\/25\/dual-llm-pattern\/."},{"key":"e_1_3_2_1_78_1","volume-title":"You can't solve AI security problems with more AI","author":"Willison Simon","year":"2024","unstructured":"Simon Willison. You can't solve AI security problems with more AI. 2024. url: https:\/\/simonwillison.net\/2022\/Sep\/17\/prompt-injection-more-ai\/."},{"key":"e_1_3_2_1_79_1","doi-asserted-by":"publisher","DOI":"10.1017\/S0269888900008122"},{"key":"e_1_3_2_1_80_1","volume-title":"An Information Flow Control Perspective\". In: arXiv","author":"Wu Fangzhou","year":"2024","unstructured":"Fangzhou Wu, Ethan Cecchetti, and Chaowei Xiao. \"System-Level Defense against Indirect Prompt Injection Attacks: An Information Flow Control Perspective\". In: arXiv (2024). eprint: 2409.19091 (cs.CR)."},{"key":"e_1_3_2_1_81_1","volume-title":"An Execution Isolation Architecture for LLM-Based Systems\". In: arXiv","author":"Wu Yuhao","year":"2024","unstructured":"Yuhao Wu, Franziska Roesner, Tadayoshi Kohno, Ning Zhang, and Umar Iqbal. \"SecGPT: An Execution Isolation Architecture for LLM-Based Systems\". In: arXiv (2024). eprint: 2403.04960 (cs.CR)."},{"key":"e_1_3_2_1_82_1","volume-title":"arXiv","author":"Xu Xiaohan","year":"2024","unstructured":"Xiaohan Xu, Ming Li, Chongyang Tao, Tao Shen, Reynold Cheng, Jinyang Li, Can Xu, Dacheng Tao, and Tianyi Zhou. \"A survey on knowledge distillation of large language models\". In: arXiv (2024). eprint: 2402.13116."},{"key":"e_1_3_2_1_83_1","doi-asserted-by":"publisher","DOI":"10.1145\/2980983.2908098"},{"key":"e_1_3_2_1_84_1","volume-title":"arXiv","author":"Yi Jingwei","year":"2023","unstructured":"Jingwei Yi, Yueqi Xie, Bin Zhu, Emre Kiciman, Guangzhong Sun, Xing Xie, and Fangzhao Wu. \"Benchmarking and defending against indirect prompt injection attacks on large language models\". In: arXiv (2023). eprint: 2312.14197."},{"key":"e_1_3_2_1_85_1","volume-title":"Red Teaming Large Language Models with Auto-Generated Jailbreak Prompts\". In: arXiv","author":"Yu Jiahao","year":"2024","unstructured":"Jiahao Yu, Xingwei Lin, Zheng Yu, and Xinyu Xing. \"GPT-FUZZER: Red Teaming Large Language Models with Auto-Generated Jailbreak Prompts\". In: arXiv (2024). eprint: 2309.10253 (cs.AI)."},{"key":"e_1_3_2_1_86_1","first-page":"701","volume-title":"16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22)","author":"Zhang Wen","year":"2022","unstructured":"Wen Zhang, Eric Sheng, Michael Chang, Aurojit Panda, Mooly Sagiv, and Scott Shenker. \"Blockaid: Data Access Policy Enforcement for Web Applications\". In: 16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22). Carlsbad, CA: USENIX Association, July 2022, pages 701--718."},{"key":"e_1_3_2_1_87_1","unstructured":"Wangchunshu Zhou Yuchen Eleanor Jiang Long Li Jialong Wu Tiannan Wang Shi Qiu Jintian Zhang Jing Chen Ruipu Wu Shuai Wang Shiding Zhu Jiyu Chen Wentao Zhang Xiangru Tang Ningyu Zhang Huajun Chen Peng Cui and Mrinmaya Sachan. \"Agents: An Open-source Framework for Autonomous Language Agents\". In: arXiv (2023). eprint: 2309.07870 (cs.CL)."}],"event":{"name":"HOTOS '25: Workshop on Hot Topics in Operating Systems","sponsor":["SIGOPS ACM Special Interest Group on Operating Systems"],"location":"Banff AB Canada","acronym":"HOTOS '25"},"container-title":["Proceedings of the Workshop on Hot Topics in Operating Systems"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3713082.3730378","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3713082.3730378","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,29]],"date-time":"2025-08-29T16:49:01Z","timestamp":1756486141000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3713082.3730378"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,5,14]]},"references-count":87,"alternative-id":["10.1145\/3713082.3730378","10.1145\/3713082"],"URL":"https:\/\/doi.org\/10.1145\/3713082.3730378","relation":{},"subject":[],"published":{"date-parts":[[2025,5,14]]},"assertion":[{"value":"2025-06-06","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}