{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,22]],"date-time":"2026-05-22T04:06:19Z","timestamp":1779422779084,"version":"3.53.1"},"publisher-location":"New York, NY, USA","reference-count":81,"publisher":"ACM","license":[{"start":{"date-parts":[[2026,5,26]],"date-time":"2026-05-26T00:00:00Z","timestamp":1779753600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"funder":[{"name":"SNSF Advanced Grants","award":["209506"],"award-info":[{"award-number":["209506"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2026,5,26]]},"DOI":"10.1145\/3786335.3813127","type":"proceedings-article","created":{"date-parts":[[2026,5,22]],"date-time":"2026-05-22T03:16:22Z","timestamp":1779419782000},"page":"812-838","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Securing Agents With Tracked Capabilities"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0005-3923-8993","authenticated-orcid":false,"given":"Martin","family":"Odersky","sequence":"first","affiliation":[{"name":"LAMP, EPFL, Lausanne, VD, Switzerland"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2257-1413","authenticated-orcid":false,"given":"Yaoyu","family":"Zhao","sequence":"additional","affiliation":[{"name":"LAMP, EPFL, Lausanne, VD, Switzerland"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2089-6767","authenticated-orcid":false,"given":"Yichen","family":"Xu","sequence":"additional","affiliation":[{"name":"LAMP, EPFL, Lausanne, VD, Switzerland"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3569-4869","authenticated-orcid":false,"given":"Oliver","family":"Bra\u010devac","sequence":"additional","affiliation":[{"name":"LAMP, EPFL, Lausanne, VD, Switzerland"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-2543-3309","authenticated-orcid":false,"given":"Cao Nguyen","family":"Pham","sequence":"additional","affiliation":[{"name":"LAMP, EPFL, Lausanne, VD, Switzerland"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2026,5,26]]},"reference":[{"key":"e_1_3_3_2_2_2","volume-title":"Cedar Policy Language","author":"Services Amazon Web","year":"2024","unstructured":"Amazon Web Services. 2024. Cedar Policy Language. https:\/\/www.cedarpolicy.com\/ Accessed: 2025-06-01."},{"key":"e_1_3_3_2_3_2","volume-title":"Bedrock AgentCore Policy","author":"Services Amazon Web","year":"2025","unstructured":"Amazon Web Services. 2025. Bedrock AgentCore Policy. https:\/\/docs.aws.amazon.com\/bedrock-agentcore\/latest\/devguide\/policy.html Accessed: 2025-06-01."},{"key":"e_1_3_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-30936-1_14"},{"key":"e_1_3_3_2_5_2","unstructured":"Dario Amodei Chris Olah Jacob Steinhardt Paul Christiano John Schulman and Dan Man\u00e9. 2016. Concrete Problems in AI Safety. CoRR abs\/1606.06565 (2016). arXiv:https:\/\/arXiv.org\/abs\/1606.06565"},{"key":"e_1_3_3_2_6_2","volume-title":"Model Context Protocol","year":"2024","unstructured":"Anthropic. 2024. Model Context Protocol. https:\/\/modelcontextprotocol.io\/ Accessed: 2025-06-01."},{"key":"e_1_3_3_2_7_2","volume-title":"Claude Code","year":"2025","unstructured":"Anthropic. 2025. Claude Code. https:\/\/docs.anthropic.com\/en\/docs\/claude-code"},{"key":"e_1_3_3_2_8_2","volume-title":"Code Execution with MCP","year":"2025","unstructured":"Anthropic. 2025. Code Execution with MCP. https:\/\/www.anthropic.com\/engineering\/code-execution-with-mcp Accessed: 2025-06-01."},{"key":"e_1_3_3_2_9_2","volume-title":"Equipping Agents for the Real World with Agent Skills","year":"2025","unstructured":"Anthropic. 2025. Equipping Agents for the Real World with Agent Skills. https:\/\/www.anthropic.com\/engineering\/equipping-agents-for-the-real-world-with-agent-skills Accessed: 2025-06-01."},{"key":"e_1_3_3_2_10_2","volume-title":"How We Built Our Multi-Agent Research System","year":"2025","unstructured":"Anthropic. 2025. How We Built Our Multi-Agent Research System. https:\/\/www.anthropic.com\/engineering\/multi-agent-research-system Accessed: 2026-02-26."},{"key":"e_1_3_3_2_11_2","unstructured":"Victor Barres Honghua Dong Soham Ray Xujie Si and Karthik Narasimhan. 2025. \u03c42-Bench: Evaluating Conversational Agents in a Dual-Control Environment. CoRR abs\/2506.07982 (2025). arXiv:https:\/\/arXiv.org\/abs\/2506.07982"},{"key":"e_1_3_3_2_12_2","unstructured":"Luca Beurer-Kellner Beat Buesser Ana-Maria Cretu Edoardo Debenedetti Daniel Dobos Daniel Fabian Marc Fischer David Froelicher Kathrin Grosse Daniel Naeff Ezinwanne Ozoani Andrew Paverd Florian Tram\u00e8r and V\u00e1clav Volhejn. 2025. Design Patterns for Securing LLM Agents against Prompt Injections. CoRR abs\/2506.08837 (2025). arXiv:https:\/\/arXiv.org\/abs\/2506.08837"},{"key":"e_1_3_3_2_13_2","doi-asserted-by":"publisher","unstructured":"Aleksander Boruch-Gruszecki Adrien Ghosn Mathias Payer and Cl\u00e9ment Pit-Claudel. 2024. Gradient: Gradual Compartmentalization via Object Capabilities Tracked in Types. Proc. ACM Program. Lang. 8 OOPSLA2 (2024) 1135\u20131161. 10.1145\/36897513689751\"\/>","DOI":"10.1145\/3689751"},{"key":"e_1_3_3_2_14_2","doi-asserted-by":"publisher","unstructured":"Aleksander Boruch-Gruszecki Martin Odersky Edward Lee Ondrej Lhot\u00e1k and Jonathan\u00a0Immanuel Brachth\u00e4user. 2023. Capturing Types. ACM Trans. Program. Lang. Syst. 45 4 (2023) 21:1\u201321:52. 10.1145\/36180033618003\"\/>","DOI":"10.1145\/3618003"},{"key":"e_1_3_3_2_15_2","volume-title":"ICLR","author":"Boruch-Gruszecki Aleksander","year":"2026","unstructured":"Aleksander Boruch-Gruszecki, Yangtian Zi, Zixuan Wu, Tejas Oberoi, Carolyn\u00a0Jane Anderson, Joydeep Biswas, and Arjun Guha. 2026. Agnostics: Learning to Code in Any Programming Language via Reinforcement with a Universal Learning Environment. In ICLR. OpenReview.net. https:\/\/openreview.net\/forum?id=mjDT60Ffms"},{"key":"e_1_3_3_2_16_2","doi-asserted-by":"publisher","unstructured":"Jonathan\u00a0Immanuel Brachth\u00e4user Philipp Schuster Edward Lee and Aleksander Boruch-Gruszecki. 2022. Effects capabilities and boxes: From scope-based reasoning to type-based reasoning and back. Proc. ACM Program. Lang. 6 OOPSLA (2022) 1\u201330. 10.1145\/35273203527320\"\/>","DOI":"10.1145\/3527320"},{"key":"e_1_3_3_2_17_2","doi-asserted-by":"publisher","unstructured":"Jonathan\u00a0Immanuel Brachth\u00e4user Philipp Schuster and Klaus Ostermann. 2020. Effects as capabilities: Effect handlers and lightweight effect polymorphism. Proc. ACM Program. Lang. 4 OOPSLA (2020) 126:1\u2013126:30. 10.1145\/34281943428194\"\/>","DOI":"10.1145\/3428194"},{"key":"e_1_3_3_2_18_2","unstructured":"Christoph B\u00fchler Matteo Biagiola Luca\u00a0Di Grazia and Guido Salvaneschi. 2025. Securing AI Agent Execution. CoRR abs\/2510.21236 (2025). arXiv:https:\/\/arXiv.org\/abs\/2510.21236"},{"key":"e_1_3_3_2_19_2","volume-title":"Check Point Researchers Expose Critical Claude Code Flaws","author":"Research Check Point","year":"2026","unstructured":"Check Point Research. 2026. Check Point Researchers Expose Critical Claude Code Flaws. https:\/\/blog.checkpoint.com\/research\/check-point-researchers-expose-critical-claude-code-flaws\/ Accessed: 2026-02-26."},{"key":"e_1_3_3_2_20_2","unstructured":"Mark Chen Jerry Tworek Heewoo Jun Qiming Yuan Henrique\u00a0Pond\u00e9 de Oliveira\u00a0Pinto Jared Kaplan Harri Edwards Yuri Burda Nicholas Joseph Greg Brockman Alex Ray Raul Puri Gretchen Krueger Michael Petrov Heidy Khlaaf Girish Sastry Pamela Mishkin Brooke Chan Scott Gray Nick Ryder Mikhail Pavlov Alethea Power Lukasz Kaiser Mohammad Bavarian Clemens Winter Philippe Tillet Felipe\u00a0Petroski Such Dave Cummings Matthias Plappert Fotios Chantzis Elizabeth Barnes Ariel Herbert-Voss William\u00a0Hebgen Guss Alex Nichol Alex Paino Nikolas Tezak Jie Tang Igor Babuschkin Suchir Balaji Shantanu Jain William Saunders Christopher Hesse Andrew\u00a0N. Carr Jan Leike Joshua Achiam Vedant Misra Evan Morikawa Alec Radford Matthew Knight Miles Brundage Mira Murati Katie Mayer Peter Welinder Bob McGrew Dario Amodei Sam McCandlish Ilya Sutskever and Wojciech Zaremba. 2021. Evaluating Large Language Models Trained on Code. CoRR abs\/2107.03374 (2021). arXiv:https:\/\/arXiv.org\/abs\/2107.03374"},{"key":"e_1_3_3_2_21_2","volume-title":"USENIX Security Symposium","author":"Chen Sizhe","year":"2025","unstructured":"Sizhe Chen, Julien Piet, Chawin Sitawarin, and David Wagner. 2025. StruQ: Defending Against Prompt Injection with Structured Queries. In USENIX Security Symposium. USENIX Association. https:\/\/www.usenix.org\/conference\/usenixsecurity25\/presentation\/chen-sizhe"},{"key":"e_1_3_3_2_22_2","unstructured":"Mihai Christodorescu Earlence Fernandes Ashish Hooda Somesh Jha Johann Rehberger Kamalika Chaudhuri Xiaohan Fu Khawaja Shams Guy Amir Jihye Choi Sarthak Choudhary Nils Palumbo Andrey Labunets and Nishit\u00a0V. Pandya. 2025. Systems Security Foundations for Agentic Computing. CoRR abs\/2512.01295 (2025). arXiv:https:\/\/arXiv.org\/abs\/2512.01295"},{"key":"e_1_3_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-02450-5_14"},{"key":"e_1_3_3_2_24_2","unstructured":"Edoardo Debenedetti Ilia Shumailov Tianqi Fan Jamie Hayes Nicholas Carlini Daniel Fabian Christoph Kern Chongyang Shi Andreas Terzis and Florian Tram\u00e8r. 2025. Defeating Prompt Injections by Design. CoRR abs\/2503.18813 (2025). arXiv:https:\/\/arXiv.org\/abs\/2503.18813"},{"key":"e_1_3_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.52202\/079017-2636"},{"key":"e_1_3_3_2_26_2","unstructured":"DeepSeek-AI Aixin Liu Aoxue Mei Bangcai Lin Bing Xue Bingxuan Wang Bingzheng Xu Bochao Wu Bowei Zhang Chaofan Lin Chen Dong Chengda Lu Chenggang Zhao Chengqi Deng Chenhao Xu Chong Ruan Damai Dai Daya Guo Dejian Yang Deli Chen Erhang Li Fangqi Zhou Fangyun Lin Fucong Dai Guangbo Hao Guanting Chen Guowei Li H. Zhang Hanwei Xu Hao Li Haofen Liang Haoran Wei Haowei Zhang Haowen Luo Haozhe Ji Honghui Ding Hongxuan Tang Huanqi Cao Huazuo Gao Hui Qu Hui Zeng Jialiang Huang Jiashi Li Jiaxin Xu Jiewen Hu Jingchang Chen Jingting Xiang Jingyang Yuan Jingyuan Cheng Jinhua Zhu Jun Ran Junguang Jiang Junjie Qiu Junlong Li Junxiao Song Kai Dong Kaige Gao Kang Guan Kexin Huang Kexing Zhou Kezhao Huang Kuai Yu Lean Wang Lecong Zhang Lei Wang Liang Zhao Liangsheng Yin Lihua Guo Lingxiao Luo Linwang Ma Litong Wang Liyue Zhang M.\u00a0S. Di M.\u00a0Y Xu Mingchuan Zhang Minghua Zhang Minghui Tang Mingxu Zhou Panpan Huang Peixin Cong Peiyi Wang Qiancheng Wang Qihao Zhu Qingyang Li Qinyu Chen Qiushi Du Ruiling Xu Ruiqi Ge Ruisong Zhang Ruizhe Pan Runji Wang Runqiu Yin Runxin Xu Ruomeng Shen Ruoyu Zhang S.\u00a0H. Liu Shanghao Lu Shangyan Zhou Shanhuang Chen Shaofei Cai Shaoyuan Chen Shengding Hu Shengyu Liu Shiqiang Hu Shirong Ma Shiyu Wang Shuiping Yu Shunfeng Zhou Shuting Pan Songyang Zhou Tao Ni Tao Yun Tian Pei Tian Ye Tianyuan Yue Wangding Zeng Wen Liu Wenfeng Liang Wenjie Pang Wenjing Luo Wenjun Gao Wentao Zhang Xi Gao Xiangwen Wang Xiao Bi Xiaodong Liu Xiaohan Wang Xiaokang Chen Xiaokang Zhang Xiaotao Nie Xin Cheng Xin Liu Xin Xie Xingchao Liu Xingkai Yu Xingyou Li Xinyu Yang Xinyuan Li Xu Chen Xuecheng Su Xuehai Pan Xuheng Lin Xuwei Fu Y.\u00a0Q. Wang Yang Zhang Yanhong Xu Yanru Ma Yao Li Yao Li Yao Zhao Yaofeng Sun Yaohui Wang Yi Qian Yi Yu Yichao Zhang Yifan Ding Yifan Shi Yiliang Xiong Ying He Ying Zhou Yinmin Zhong Yishi Piao Yisong Wang Yixiao Chen Yixuan Tan Yixuan Wei Yiyang Ma Yiyuan Liu Yonglun Yang Yongqiang Guo Yongtong Wu Yu Wu Yuan Cheng Yuan Ou Yuanfan Xu Yuduan Wang Yue Gong Yuhan Wu Yuheng Zou Yukun Li Yunfan Xiong Yuxiang Luo Yuxiang You Yuxuan Liu Yuyang Zhou Z.\u00a0F. Wu Z.\u00a0Z. Ren Zehua Zhao Zehui Ren Zhangli Sha Zhe Fu Zhean Xu Zhenda Xie Zhengyan Zhang Zhewen Hao Zhibin Gou Zhicheng Ma Zhigang Yan Zhihong Shao Zhixian Huang Zhiyu Wu Zhuoshu Li Zhuping Zhang Zian Xu Zihao Wang Zihui Gu Zijia Zhu Zilin Li Zipeng Zhang Ziwei Xie Ziyi Gao Zizheng Pan Zongqing Yao Bei Feng Hui Li J.\u00a0L. Cai Jiaqi Ni Lei Xu Meng Li Ning Tian R.\u00a0J. Chen R.\u00a0L. Jin S.\u00a0S. Li Shuang Zhou Tianyu Sun X.\u00a0Q. Li Xiangyue Jin Xiaojin Shen Xiaosha Chen Xinnan Song Xinyi Zhou Y.\u00a0X. Zhu Yanping Huang Yaohui Li Yi Zheng Yuchen Zhu Yunxian Ma Zhen Huang Zhipeng Xu Zhongyu Zhang Dongjie Ji Jian Liang Jianzhong Guo Jin Chen Leyi Xia Miaojun Wang Mingming Li Peng Zhang Ruyi Chen Shangmian Sun Shaoqing Wu Shengfeng Ye T. Wang W.\u00a0L. Xiao Wei An Xianzu Wang Xiaowen Sun Xiaoxiang Wang Ying Tang Yukun Zha Zekai Zhang Zhe Ju Zhen Zhang and Zihua Qu. 2025. DeepSeek-V3.2: Pushing the Frontier of Open Large Language Models. CoRR abs\/2512.02556 (2025). arXiv:https:\/\/arXiv.org\/abs\/2512.02556"},{"key":"e_1_3_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1145\/365230.365252"},{"key":"e_1_3_3_2_28_2","unstructured":"Aarya Doshi Yining Hong Congying Xu Eunsuk Kang Alexandros Kapravelos and Christian K\u00e4stner. 2026. Towards Verifiably Safe Tool Use for LLM Agents. CoRR abs\/2601.08012 (2026). arXiv:https:\/\/arXiv.org\/abs\/2601.08012To appear at ICSE-NIER 2026."},{"key":"e_1_3_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1145\/3426428.3426913"},{"key":"e_1_3_3_2_30_2","volume-title":"Minding Mindful Machines: AI Agents and Data Protection Considerations","author":"Forum Future of Privacy","year":"2025","unstructured":"Future of Privacy Forum. 2025. Minding Mindful Machines: AI Agents and Data Protection Considerations. https:\/\/fpf.org\/blog\/minding-mindful-machines-ai-agents-and-data-protection-considerations\/ Accessed: 2025-06-01."},{"key":"e_1_3_3_2_31_2","volume-title":"Fuchsia Operating System","year":"2024","unstructured":"Google. 2024. Fuchsia Operating System. https:\/\/fuchsia.dev\/ Accessed: 2025-06-01."},{"key":"e_1_3_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.4230\/LIPIcs.ECOOP.2020.10"},{"key":"e_1_3_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1145\/1411204.1411243"},{"key":"e_1_3_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.18653\/V1\/2024.FINDINGS-EMNLP.585"},{"key":"e_1_3_3_2_35_2","unstructured":"Wenlong Huang Fei Xia Ted Xiao Harris Chan Jacky Liang Pete Florence Andy Zeng Jonathan Tompson Igor Mordatch Yevgen Chebotar Pierre Sermanet Noah Brown Tomas Jackson Linda Luu Sergey Levine Karol Hausman and Brian Ichter. 2022. Inner Monologue: Embodied Reasoning through Planning with Language Models. arxiv:https:\/\/arXiv.org\/abs\/2207.05608\u00a0[cs.RO] https:\/\/arxiv.org\/abs\/2207.05608"},{"key":"e_1_3_3_2_36_2","volume-title":"The Twelfth International Conference on Learning Representations","author":"Jimenez Carlos\u00a0E","year":"2024","unstructured":"Carlos\u00a0E Jimenez, John Yang, Alexander Wettig, Shunyu Yao, Kexin Pei, Ofir Press, and Karthik\u00a0R Narasimhan. 2024. SWE-bench: Can Language Models Resolve Real-world GitHub Issues?. In The Twelfth International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=VTF8yNQM66"},{"key":"e_1_3_3_2_37_2","doi-asserted-by":"publisher","unstructured":"Ralf Jung Jacques-Henri Jourdan Robbert Krebbers and Derek Dreyer. 2018. RustBelt: Securing the Foundations of the Rust Programming Language. Proc. ACM Program. Lang. 2 POPL (2018) 66:1\u201366:34. 10.1145\/31581543158154\"\/>","DOI":"10.1145\/3158154"},{"key":"e_1_3_3_2_38_2","doi-asserted-by":"publisher","unstructured":"Christoph Kern. 2025. Safe Coding: Rigorous Modular Reasoning about Software Safety. ACM Queue 23(5) (2025). 10.1145\/37730983773098\"\/>","DOI":"10.1145\/3773098"},{"key":"e_1_3_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-17511-4_20"},{"key":"e_1_3_3_2_40_2","first-page":"3767","volume-title":"USENIX Security Symposium","author":"Liu Fengyu","year":"2025","unstructured":"Fengyu Liu, Yuan Zhang, Jiaqi Luo, Jiarun Dai, Tian Chen, Letian Yuan, Zhengmin Yu, Youkun Shi, Ke Li, Chengyuan Zhou, Hao Chen, and Min Yang. 2025. Make Agent Defeat Agent: Automatic Detection of Taint-Style Vulnerabilities in LLM-based Agents. In USENIX Security Symposium. USENIX Association, 3767\u20133786. https:\/\/www.usenix.org\/conference\/usenixsecurity25\/presentation\/liu-fengyu"},{"key":"e_1_3_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1145\/73560.73564"},{"key":"e_1_3_3_2_42_2","doi-asserted-by":"publisher","unstructured":"Erik Meijer. 2025. Guardians of the Agents. Commun. ACM 69 1 (2025) 46\u201352. 10.1145\/37775443777544\"\/>","DOI":"10.1145\/3777544"},{"key":"e_1_3_3_2_43_2","doi-asserted-by":"publisher","DOI":"10.4230\/LIPIcs.ECOOP.2017.20"},{"key":"e_1_3_3_2_44_2","volume-title":"Network and Distributed System Security Symposium (NDSS)","author":"Mettler Adrian","year":"2010","unstructured":"Adrian Mettler, David Wagner, and Tyler Close. 2010. Joe-E: A Security-Oriented Subset of Java. In Network and Distributed System Security Symposium (NDSS). The Internet Society."},{"key":"e_1_3_3_2_45_2","unstructured":"Mark\u00a0S. Miller. 2006. Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control. Ph.\u00a0D. Dissertation. John Hopkins University."},{"key":"e_1_3_3_2_46_2","volume-title":"Concurrency Among Strangers: Programming in E as Plan Coordination","author":"Miller Mark\u00a0S.","year":"2005","unstructured":"Mark\u00a0S. Miller, E.\u00a0Dean Tribble, and Jonathan Shapiro. 2005. Concurrency Among Strangers: Programming in E as Plan Coordination. http:\/\/www.erights.org\/talks\/promises\/paper\/tgc05.pdf TGC 2005, LNCS 3705."},{"key":"e_1_3_3_2_47_2","unstructured":"Mark\u00a0S. Miller Ka-Ping Yee and Jonathan Shapiro. 2003. Capability Myths Demolished. https:\/\/classpages.cselabs.umn.edu\/Fall-2021\/csci5271\/papers\/SRL2003-02.pdf Technical Report SRL2003-02 Johns Hopkins University."},{"key":"e_1_3_3_2_48_2","unstructured":"MiniMax. 2026. MiniMax M2.5: Built for Real-World Productivity. https:\/\/www.minimax.io\/news\/minimax-m25."},{"key":"e_1_3_3_2_49_2","unstructured":"Milad Nasr Nicholas Carlini Chawin Sitawarin Sander\u00a0V. Schulhoff Jamie Hayes Michael Ilie Juliette Pluto Shuang Song Harsh Chaudhari Ilia Shumailov Abhradeep Thakurta Kai\u00a0Yuanqing Xiao Andreas Terzis and Florian Tram\u00e8r. 2025. The Attacker Moves Second: Stronger Adaptive Attacks Bypass Defenses Against LLM Jailbreaks and Prompt Injections. CoRR abs\/2510.09023 (2025). arXiv:https:\/\/arXiv.org\/abs\/2510.09023"},{"key":"e_1_3_3_2_50_2","doi-asserted-by":"publisher","unstructured":"Martin Odersky Olivier Blanvillain Fengyun Liu Aggelos Biboudis Heather Miller and Sandro Stucki. 2018. Simplicitly: Foundations and applications of implicit function types. Proc. ACM Program. Lang. 2 POPL (2018) 42:1\u201342:29. 10.1145\/31581303158130\"\/>","DOI":"10.1145\/3158130"},{"key":"e_1_3_3_2_51_2","doi-asserted-by":"publisher","DOI":"10.1145\/237721.237729"},{"key":"e_1_3_3_2_52_2","unstructured":"OpenAI. 2025. gpt-oss-120b & gpt-oss-20b Model Card. CoRR abs\/2508.10925 (2025). arXiv:https:\/\/arXiv.org\/abs\/2508.10925"},{"key":"e_1_3_3_2_53_2","volume-title":"OpenCode: The Open Source AI Coding Agent","year":"2025","unstructured":"OpenCode. 2025. OpenCode: The Open Source AI Coding Agent. https:\/\/github.com\/anomalyco\/opencode Accessed: 2026-02-22."},{"key":"e_1_3_3_2_54_2","doi-asserted-by":"publisher","DOI":"10.1145\/2983990.2984009"},{"key":"e_1_3_3_2_55_2","unstructured":"Shishir\u00a0G. Patil Tianjun Zhang Vivian Fang Noppapon C. Roy Huang Aaron Hao Martin Casado Joseph\u00a0E. Gonzalez Raluca\u00a0Ada Popa and Ion Stoica. 2024. GoEX: Perspectives and Designs Towards a Runtime for Autonomous LLM Applications. CoRR abs\/2404.06921 (2024). arXiv:https:\/\/arXiv.org\/abs\/2404.06921"},{"key":"e_1_3_3_2_56_2","doi-asserted-by":"publisher","DOI":"10.52202\/079017-4020"},{"key":"e_1_3_3_2_57_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833571"},{"key":"e_1_3_3_2_58_2","volume-title":"Monty: A Python Interpreter in Rust","year":"2025","unstructured":"Pydantic. 2025. Monty: A Python Interpreter in Rust. https:\/\/github.com\/pydantic\/monty"},{"key":"e_1_3_3_2_59_2","unstructured":"Brandon Radosevich and John Halloran. 2025. MCP Safety Audit: LLMs with the Model Context Protocol Allow Major Security Exploits. CoRR abs\/2504.03767 (2025). arXiv:https:\/\/arXiv.org\/abs\/2504.03767"},{"key":"e_1_3_3_2_60_2","volume-title":"Claude AI APIs Can Be Abused for Data Exfiltration","author":"Rehberger Johann","year":"2025","unstructured":"Johann Rehberger. 2025. Claude AI APIs Can Be Abused for Data Exfiltration. https:\/\/www.securityweek.com\/claude-ai-apis-can-be-abused-for-data-exfiltration\/"},{"key":"e_1_3_3_2_61_2","doi-asserted-by":"publisher","DOI":"10.1145\/2983990.2984008"},{"key":"e_1_3_3_2_62_2","volume-title":"ICLR","author":"Ruan Yangjun","year":"2024","unstructured":"Yangjun Ruan, Honghua Dong, Andrew Wang, Silviu Pitis, Yongchao Zhou, Jimmy Ba, Yann Dubois, Chris\u00a0J. Maddison, and Tatsunori Hashimoto. 2024. Identifying the Risks of LM Agents with an LM-Emulated Sandbox. In ICLR. OpenReview.net. arXiv:https:\/\/arXiv.org\/abs\/2309.15817"},{"key":"e_1_3_3_2_63_2","doi-asserted-by":"publisher","unstructured":"Andrei Sabelfeld and Andrew\u00a0C. Myers. 2003. Language-based information-flow security. IEEE J. Sel. Areas Commun. 21 1 (2003) 5\u201319. 10.1109\/JSAC.2002.806121","DOI":"10.1109\/JSAC.2002.806121"},{"key":"e_1_3_3_2_64_2","doi-asserted-by":"publisher","unstructured":"Jerome\u00a0H. Saltzer and Michael\u00a0D. Schroeder. 1975. The protection of information in computer systems. Proc. IEEE 63 9 (1975) 1278\u20131308. 10.1109\/PROC.1975.9939","DOI":"10.1109\/PROC.1975.9939"},{"key":"e_1_3_3_2_65_2","volume-title":"Gears: An experimental asynchronous programming library","year":"2024","unstructured":"Scala. 2024. Gears: An experimental asynchronous programming library. EPFL LAMP. https:\/\/lampepfl.github.io\/gears Source: https:\/\/github.com\/lampepfl\/gears. Accessed: 2024-09-09."},{"key":"e_1_3_3_2_66_2","volume-title":"Scala 3: Capture Checker","year":"2024","unstructured":"Scala. 2024. Scala 3: Capture Checker. EPFL LAMP. https:\/\/nightly.scala-lang.org\/docs\/reference\/experimental\/capture-checking\/ Source: https:\/\/github.com\/scala\/scala3. Accessed: 2026-02-19."},{"key":"e_1_3_3_2_67_2","volume-title":"NeurIPS","author":"Schick Timo","year":"2023","unstructured":"Timo Schick, Jane Dwivedi-Yu, Roberto Dess\u00ec, Roberta Raileanu, Maria Lomeli, Eric Hambro, Luke Zettlemoyer, Nicola Cancedda, and Thomas Scialom. 2023. Toolformer: Language Models Can Teach Themselves to Use Tools. In NeurIPS. arXiv:https:\/\/arXiv.org\/abs\/2302.04761"},{"key":"e_1_3_3_2_68_2","volume-title":"NDSS","author":"Syros Georgios","year":"2026","unstructured":"Georgios Syros, Anshuman Suri, Jacob Ginesin, Cristina Nita-Rotaru, and Alina Oprea. 2026. SAGA: A Security Architecture for Governing AI Agentic Systems. In NDSS. The Internet Society."},{"key":"e_1_3_3_2_69_2","doi-asserted-by":"publisher","DOI":"10.1145\/3759427.3760373"},{"key":"e_1_3_3_2_70_2","unstructured":"Sanidhya Vijayvargiya Aditya\u00a0Bharat Soni Xuhui Zhou Zora\u00a0Zhiruo Wang Nouha Dziri Graham Neubig and Maarten Sap. 2025. OpenAgentSafety: A Comprehensive Framework for Evaluating Real-World AI Agent Safety. CoRR abs\/2507.06134 (2025). arXiv:https:\/\/arXiv.org\/abs\/2507.06134"},{"key":"e_1_3_3_2_71_2","unstructured":"Robert N.\u00a0M. Watson Simon\u00a0W. Moore Peter Sewell and Peter\u00a0G. Neumann. 2019. An Introduction to CHERI. https:\/\/www.cl.cam.ac.uk\/techreports\/UCAM-CL-TR-941.pdf University of Cambridge Computer Laboratory Technical Report UCAM-CL-TR-941."},{"key":"e_1_3_3_2_72_2","volume-title":"The Dual LLM Pattern for Building AI Assistants That Can Resist Prompt Injection","author":"Willison Simon","year":"2023","unstructured":"Simon Willison. 2023. The Dual LLM Pattern for Building AI Assistants That Can Resist Prompt Injection. https:\/\/simonwillison.net\/2023\/Apr\/25\/dual-llm-pattern\/ Accessed: 2026-02-22."},{"key":"e_1_3_3_2_73_2","doi-asserted-by":"publisher","DOI":"10.1145\/355616.364017"},{"key":"e_1_3_3_2_74_2","doi-asserted-by":"publisher","DOI":"10.4230\/LIPIcs.ECOOP.2022.15"},{"key":"e_1_3_3_2_75_2","series-title":"Proceedings of Machine Learning Research","volume-title":"ICML","volume":"267","author":"Xiang Zhen","year":"2025","unstructured":"Zhen Xiang, Linzhi Zheng, Yanjie Li, Junyuan Hong, Qinbin Li, Han Xie, Jiawei Zhang, Zidi Xiong, Chulin Xie, Carl Yang, Dawn Song, and Bo Li. 2025. GuardAgent: Safeguard LLM Agents via Knowledge-Enabled Reasoning. In ICML(Proceedings of Machine Learning Research, Vol.\u00a0267). PMLR \/ OpenReview.net. arXiv:https:\/\/arXiv.org\/abs\/2406.09187"},{"key":"e_1_3_3_2_76_2","doi-asserted-by":"publisher","unstructured":"Yichen Xu Oliver Bra\u010devac Cao\u00a0Nguyen Pham and Martin Odersky. 2025. What\u2019s in the Box: Ergonomic and Expressive Capture Tracking over Generic Data Structures. Proc. ACM Program. Lang. 9 OOPSLA2 (2025) 1726\u20131753. 10.1145\/37631123763112\"\/>","DOI":"10.1145\/3763112"},{"key":"e_1_3_3_2_77_2","volume-title":"ICLR","author":"Yao Shunyu","year":"2023","unstructured":"Shunyu Yao, Jeffrey Zhao, Dian Yu, Nan Du, Izhak Shafran, Karthik\u00a0R. Narasimhan, and Yuan Cao. 2023. ReAct: Synergizing Reasoning and Acting in Language Models. In ICLR. OpenReview.net. arXiv:https:\/\/arXiv.org\/abs\/2210.03629"},{"key":"e_1_3_3_2_78_2","doi-asserted-by":"publisher","DOI":"10.18653\/V1\/2024.FINDINGS-EMNLP.79"},{"key":"e_1_3_3_2_79_2","doi-asserted-by":"publisher","DOI":"10.18653\/V1\/2024.FINDINGS-ACL.624"},{"key":"e_1_3_3_2_80_2","unstructured":"Alex\u00a0L. Zhang Tim Kraska and Omar Khattab. 2025. Recursive Language Models. CoRR abs\/2512.24601 (2025). arXiv:https:\/\/arXiv.org\/abs\/2512.24601"},{"key":"e_1_3_3_2_81_2","volume-title":"ICLR","author":"Zhang Hanrong","year":"2025","unstructured":"Hanrong Zhang, Jingyuan Huang, Kai Mei, Yifei Yao, Zhenting Wang, Chenlu Zhan, Hongwei Wang, and Yongfeng Zhang. 2025. Agent Security Bench (ASB): Formalizing and Benchmarking Attacks and Defenses in LLM-based Agents. In ICLR. OpenReview.net. arXiv:https:\/\/arXiv.org\/abs\/2410.02644"},{"key":"e_1_3_3_2_82_2","unstructured":"Jinhao Zhu Kevin Tseng Gil Vernik Xiao Huang Shishir\u00a0G. Patil Vivian Fang and Raluca\u00a0Ada Popa. 2025. MiniScope: A Least Privilege Framework for Authorizing Tool Calling Agents. CoRR abs\/2512.11147 (2025). arXiv:https:\/\/arXiv.org\/abs\/2512.11147"}],"event":{"name":"CAIS '26: ACM Conference on AI and Agentic Systems","location":"San Jose CA USA","acronym":"CAIS '26"},"container-title":["Proceedings of the ACM Conference on AI and Agentic Systems"],"original-title":[],"deposited":{"date-parts":[[2026,5,22]],"date-time":"2026-05-22T03:17:42Z","timestamp":1779419862000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3786335.3813127"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,26]]},"references-count":81,"alternative-id":["10.1145\/3786335.3813127","10.1145\/3786335"],"URL":"https:\/\/doi.org\/10.1145\/3786335.3813127","relation":{},"subject":[],"published":{"date-parts":[[2026,5,26]]},"assertion":[{"value":"2026-05-26","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}