{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T11:40:07Z","timestamp":1777462807207,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":58,"publisher":"ACM","funder":[{"name":"UKRI Open Plus Fellowship (Securing the Next Billion Consumer Devices on the Edge)","award":["EP\/W005271\/1"],"award-info":[{"award-number":["EP\/W005271\/1"]}]},{"name":"Amazon Research Award \u201cAuditable Model Privacy using TEEs\u201d"},{"name":"AI Security Institute (AISI) Systemic Safety Grants Programme","award":["UKRI833"],"award-info":[{"award-number":["UKRI833"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2026,4,27]]},"DOI":"10.1145\/3805621.3807660","type":"proceedings-article","created":{"date-parts":[[2026,4,28]],"date-time":"2026-04-28T13:08:45Z","timestamp":1777381725000},"page":"473-480","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["<i>AgenTEE:<\/i>\n                    Confidential LLM Agent Execution on Edge Devices"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0008-3024-3106","authenticated-orcid":false,"given":"Sina","family":"Abdollahi","sequence":"first","affiliation":[{"name":"Computing, Imperial College London, London, United Kingdom"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-1905-1611","authenticated-orcid":false,"given":"Mohammad M","family":"Maheri","sequence":"additional","affiliation":[{"name":"Imperial College London, London, United Kingdom"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3399-2440","authenticated-orcid":false,"given":"Javad","family":"Forough","sequence":"additional","affiliation":[{"name":"Imperial College London, London, United Kingdom"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5560-9871","authenticated-orcid":false,"given":"Amir","family":"Al Sadi","sequence":"additional","affiliation":[{"name":"Imperial College London, London, United Kingdom"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-2247-1594","authenticated-orcid":false,"given":"Josh","family":"Millar","sequence":"additional","affiliation":[{"name":"Imperial College London, London, United Kingdom"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7411-2783","authenticated-orcid":false,"given":"David","family":"Kotz","sequence":"additional","affiliation":[{"name":"Dartmouth College, Hanover, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-7034-5284","authenticated-orcid":false,"given":"Marios","family":"Kogias","sequence":"additional","affiliation":[{"name":"Imperial College London, London, United Kingdom"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5895-8903","authenticated-orcid":false,"given":"Hamed","family":"Haddadi","sequence":"additional","affiliation":[{"name":"Imperial College London, London, United Kingdom"}]}],"member":"320","published-online":{"date-parts":[[2026,4,28]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"bartowski\/Llama-3.2-1B-Instruct-GGUF. https:\/\/huggingface. co\/bartowski\/Llama-3.2-1B-Instruct-GGUF Accessed","year":"2025","unstructured":"[n.d.]. bartowski\/Llama-3.2-1B-Instruct-GGUF. https:\/\/huggingface. co\/bartowski\/Llama-3.2-1B-Instruct-GGUF Accessed Feb 2025."},{"key":"e_1_3_2_1_2_1","volume-title":"LangChain. Langchain: Build context-aware, reasoning applications with langchain's flexible abstractions and ai-first toolkit. https:\/\/www.langchain.com\/ Accessed","year":"2026","unstructured":"[n.d.]. LangChain. Langchain: Build context-aware, reasoning applications with langchain's flexible abstractions and ai-first toolkit. https:\/\/www.langchain.com\/ Accessed Feb 2026."},{"key":"e_1_3_2_1_3_1","volume-title":"Microsoft 365 Copilot hub. https:\/\/learn.microsoft.com\/en-us\/copilot\/microsoft-365\/ Accessed","year":"2026","unstructured":"[n.d.]. Microsoft 365 Copilot hub. https:\/\/learn.microsoft.com\/en-us\/copilot\/microsoft-365\/ Accessed Feb 2026."},{"key":"e_1_3_2_1_4_1","volume-title":"openai-community\/gpt2-medium. https:\/\/huggingface.co\/openai-community\/gpt2-medium Accessed","year":"2025","unstructured":"[n.d.]. openai-community\/gpt2-medium. https:\/\/huggingface.co\/openai-community\/gpt2-medium Accessed Feb 2025."},{"key":"e_1_3_2_1_5_1","unstructured":"[n.d.]. ROCK 5B. Retrieved April 14 2025 from https:\/\/radxa.com\/products\/rock5\/5b\/"},{"key":"e_1_3_2_1_6_1","volume-title":"Using tools. https:\/\/developers.openai.com\/api\/docs\/guides\/tools Accessed","year":"2026","unstructured":"[n.d.]. Using tools. https:\/\/developers.openai.com\/api\/docs\/guides\/tools Accessed Feb 2026."},{"key":"e_1_3_2_1_7_1","volume-title":"https:\/\/en.wikipedia.org\/wiki\/Widevine Accessed","year":"2026","unstructured":"[n.d.]. Widevine. https:\/\/en.wikipedia.org\/wiki\/Widevine Accessed Feb 2026."},{"key":"e_1_3_2_1_8_1","volume-title":"MAD24-410 Arm Confidential Compute Architecture open-source enablement update. Retrieved","year":"2025","unstructured":"2024. MAD24-410 Arm Confidential Compute Architecture open-source enablement update. Retrieved March 9, 2025 from https:\/\/resources.linaro.org\/en\/resource\/rEjhEezEvnNMC3LALzUTrr"},{"key":"e_1_3_2_1_9_1","volume-title":"Arm Confidential Compute Architecture. https:\/\/www.arm.com\/architecture\/security-features\/arm-confidential-compute-architecture Accessed","year":"2025","unstructured":"2025. Arm Confidential Compute Architecture. https:\/\/www.arm.com\/architecture\/security-features\/arm-confidential-compute-architecture Accessed Feb 2025."},{"key":"e_1_3_2_1_10_1","volume-title":"AVF architecture. https:\/\/source.android.com\/docs\/core\/virtualization\/architecture#memory-ownership Accessed","year":"2025","unstructured":"2025. AVF architecture. https:\/\/source.android.com\/docs\/core\/virtualization\/architecture#memory-ownership Accessed July 2025."},{"key":"e_1_3_2_1_11_1","volume-title":"Claude Code: Data Exfiltration with DNS (CVE-2025-55284). https:\/\/embracethered.com\/blog\/posts\/2025\/claude-code-exfiltration-via-dns-requests\/ Accessed","year":"2026","unstructured":"2025. Claude Code: Data Exfiltration with DNS (CVE-2025-55284). https:\/\/embracethered.com\/blog\/posts\/2025\/claude-code-exfiltration-via-dns-requests\/ Accessed Feb 2026."},{"key":"e_1_3_2_1_12_1","volume-title":"Effective context engineering for AI agents. https:\/\/www.anthropic.com\/engineering\/effective-context-engineering-for-ai-agents Accessed","year":"2026","unstructured":"2025. Effective context engineering for AI agents. https:\/\/www.anthropic.com\/engineering\/effective-context-engineering-for-ai-agents Accessed Feb 2026."},{"key":"e_1_3_2_1_13_1","volume-title":"How Devin AI Can Leak Your Secrets via Multiple Means. https:\/\/embracethered.com\/blog\/posts\/2025\/devin-can-leak-your-secrets\/ Accessed","year":"2026","unstructured":"2025. How Devin AI Can Leak Your Secrets via Multiple Means. https:\/\/embracethered.com\/blog\/posts\/2025\/devin-can-leak-your-secrets\/ Accessed Feb 2026."},{"key":"e_1_3_2_1_14_1","volume-title":"Intel Software Guard Extensions. Retrieved","year":"2025","unstructured":"2025. Intel Software Guard Extensions. Retrieved June 7, 2025 from https:\/\/www.intel.com\/content\/www\/us\/en\/developer\/tools\/software-guard-extensions\/overview html"},{"key":"e_1_3_2_1_15_1","volume-title":"kvmtool-cca. https:\/\/gitlab.arm.com\/linux-arm\/kvmtool-cca\/-\/tree\/cca\/v3?ref_type=heads Accessed","year":"2025","unstructured":"2025. kvmtool-cca. https:\/\/gitlab.arm.com\/linux-arm\/kvmtool-cca\/-\/tree\/cca\/v3?ref_type=heads Accessed Feb 2025."},{"key":"e_1_3_2_1_16_1","volume-title":"Learn the architecture - TrustZone for AArch64. https:\/\/developer.arm.com\/documentation\/102418\/latest\/ Accessed","year":"2025","unstructured":"2025. Learn the architecture - TrustZone for AArch64. https:\/\/developer.arm.com\/documentation\/102418\/latest\/ Accessed Feb 2025."},{"key":"e_1_3_2_1_17_1","volume-title":"linux-cca. https:\/\/gitlab.arm.com\/linux-arm\/linux-cca\/-\/commit\/fad35572db Accessed","year":"2025","unstructured":"2025. linux-cca. https:\/\/gitlab.arm.com\/linux-arm\/linux-cca\/-\/commit\/fad35572db Accessed Feb 2025."},{"key":"e_1_3_2_1_18_1","volume-title":"seccomp(2) \u2014 Linux manual page. https:\/\/man7.org\/linux\/manpages\/man2\/seccomp.2.html Accessed","year":"2026","unstructured":"2025. seccomp(2) \u2014 Linux manual page. https:\/\/man7.org\/linux\/manpages\/man2\/seccomp.2.html Accessed Feb 2026."},{"key":"e_1_3_2_1_19_1","volume-title":"https:\/\/support.apple.com\/en-gb\/guide\/security\/sec59b0b31ff\/web Accessed","author":"Enclave Secure","year":"2025","unstructured":"2025. Secure Enclave. https:\/\/support.apple.com\/en-gb\/guide\/security\/sec59b0b31ff\/web Accessed Feb 2025."},{"key":"e_1_3_2_1_20_1","volume-title":"https:\/\/www.trustedfirmware.org\/projects\/tf-a Accessed","author":"A.","year":"2025","unstructured":"2025. TF-A. https:\/\/www.trustedfirmware.org\/projects\/tf-a Accessed Feb 2025."},{"key":"e_1_3_2_1_21_1","volume-title":"https:\/\/www.trustedfirmware.org\/projects\/tf-rmm Accessed","author":"RMM.","year":"2025","unstructured":"2025. TF-RMM. https:\/\/www.trustedfirmware.org\/projects\/tf-rmm Accessed Feb 2025."},{"key":"e_1_3_2_1_22_1","volume-title":"Use system instructions (Generative AI on Vertex AI). https:\/\/docs.cloud.google.com\/vertex-ai\/generative-ai\/docs\/learn\/prompts\/system-instructions Accessed","year":"2026","unstructured":"2026. Use system instructions (Generative AI on Vertex AI). https:\/\/docs.cloud.google.com\/vertex-ai\/generative-ai\/docs\/learn\/prompts\/system-instructions Accessed Feb 2026."},{"key":"e_1_3_2_1_23_1","volume-title":"An Early Experience with Confidential Computing Architecture for On-Device Model Protection. arXiv preprint arXiv:2504.08508","author":"Abdollahi Sina","year":"2025","unstructured":"Sina Abdollahi, Mohammad Maheri, Sandra Siby, Marios Kogias, and Hamed Haddadi. 2025. An Early Experience with Confidential Computing Architecture for On-Device Model Protection. arXiv preprint arXiv:2504.08508 (2025)."},{"key":"e_1_3_2_1_24_1","volume-title":"Marios Kogias, David Kotz, and Hamed Haddadi.","author":"Abdollahi Sina","year":"2025","unstructured":"Sina Abdollahi, Amir Al Sadi, Marios Kogias, David Kotz, and Hamed Haddadi. 2025. Confidential, Attestable, and Efficient Inter-CVM Communication with Arm CCA. arXiv preprint arXiv:2512.01594 (2025)."},{"key":"e_1_3_2_1_25_1","volume-title":"Prompt leakage effect and defense strategies for multi-turn llm interactions. arXiv preprint arXiv:2404.16251","author":"Agarwal Divyansh","year":"2024","unstructured":"Divyansh Agarwal, Alexander R Fabbri, Ben Risher, Philippe Laban, Shafiq Joty, and Chien-Sheng Wu. 2024. Prompt leakage effect and defense strategies for multi-turn llm interactions. arXiv preprint arXiv:2404.16251 (2024)."},{"key":"e_1_3_2_1_26_1","volume-title":"Systematic outliers in large language models. arXiv preprint arXiv:2502.06415","author":"An Yongqi","year":"2025","unstructured":"Yongqi An, Xu Zhao, Tao Yu, Ming Tang, and Jinqiao Wang. 2025. Systematic outliers in large language models. arXiv preprint arXiv:2502.06415 (2025)."},{"key":"e_1_3_2_1_27_1","volume-title":"OpenCCA: An Open Framework to Enable Arm CCA Research. arXiv preprint arXiv:2506.05129","author":"Bertschi Andrin","year":"2025","unstructured":"Andrin Bertschi and Shweta Shinde. 2025. OpenCCA: An Open Framework to Enable Arm CCA Research. arXiv preprint arXiv:2506.05129 (2025)."},{"key":"e_1_3_2_1_28_1","volume-title":"SANCTUARY: ARMing TrustZone with User-space Enclaves. In NDSS.","author":"Brasser Ferdinand","year":"2019","unstructured":"Ferdinand Brasser, David Gens, Patrick Jauernig, Ahmad-Reza Sadeghi, and Emmanuel Stapf. 2019. SANCTUARY: ARMing TrustZone with User-space Enclaves. In NDSS."},{"key":"e_1_3_2_1_29_1","volume-title":"International Workshop on Engineering Multi-Agent Systems. Springer, 141\u2013156","author":"Chen Wei","year":"2025","unstructured":"Wei Chen, Zhiyuan Li, Zhen Guo, and Yikang Shen. 2025. Octo-planner: On-device language model for planner-action agents. In International Workshop on Engineering Multi-Agent Systems. Springer, 141\u2013156."},{"key":"e_1_3_2_1_30_1","volume-title":"Defeating prompt injections by design. arXiv preprint arXiv:2503.18813","author":"Debenedetti Edoardo","year":"2025","unstructured":"Edoardo Debenedetti, Ilia Shumailov, Tianqi Fan, Jamie Hayes, Nicholas Carlini, Daniel Fabian, Christoph Kern, Chongyang Shi, Andreas Terzis, and Florian Tram\u00e8r. 2025. Defeating prompt injections by design. arXiv preprint arXiv:2503.18813 (2025)."},{"key":"e_1_3_2_1_31_1","volume-title":"int8 (): 8-bit matrix multiplication for transformers at scale. Advances in neural information processing systems 35","author":"Dettmers Tim","year":"2022","unstructured":"Tim Dettmers, Mike Lewis, Younes Belkada, and Luke Zettlemoyer. 2022. Gpt3. int8 (): 8-bit matrix multiplication for transformers at scale. Advances in neural information processing systems 35 (2022), 30318\u201330332."},{"key":"e_1_3_2_1_32_1","volume-title":"International Conference on Machine Learning. PMLR, 201\u2013210","author":"Gilad-Bachrach Ran","year":"2016","unstructured":"Ran Gilad-Bachrach, Nathan Dowlin, Kim Laine, Kristin Lauter, Michael Naehrig, and John Wernsing. 2016. CryptoNets: Applying neural networks to encrypted data with high throughput and accuracy. In International Conference on Machine Learning. PMLR, 201\u2013210."},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3605764.3623985"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3670370"},{"key":"e_1_3_2_1_35_1","volume-title":"Aster: Fixing the Android TEE ecosystem with Arm CCA. arXiv preprint arXiv:2407.16694","author":"Kuhne Mark","year":"2024","unstructured":"Mark Kuhne, Supraja Sridhara, Andrin Bertschi, Nicolas Dutly, Srdjan Capkun, and Shweta Shinde. 2024. Aster: Fixing the Android TEE ecosystem with Arm CCA. arXiv preprint arXiv:2407.16694 (2024)."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3600006.3613165"},{"key":"e_1_3_2_1_37_1","volume-title":"Shadow in the cache: Unveiling and mitigating privacy risks of kv-cache in llm inference. arXiv preprint arXiv:2508.09442","author":"Luo Zhifan","year":"2025","unstructured":"Zhifan Luo, Shuo Shao, Su Zhang, Lijing Zhou, Yuke Hu, Chenxu Zhao, Zhihao Liu, and Zhan Qin. 2025. Shadow in the cache: Unveiling and mitigating privacy risks of kv-cache in llm inference. arXiv preprint arXiv:2508.09442 (2025)."},{"key":"e_1_3_2_1_38_1","volume-title":"ZK-APEX: Zero-Knowledge Approximate Personalized Unlearning with Executable Proofs. arXiv preprint arXiv:2512.09953","author":"Maheri Mohammad M","year":"2025","unstructured":"Mohammad M Maheri, Sunil Cotterill, Alex Davidson, and Hamed Haddadi. 2025. ZK-APEX: Zero-Knowledge Approximate Personalized Unlearning with Executable Proofs. arXiv preprint arXiv:2512.09953 (2025)."},{"key":"e_1_3_2_1_39_1","volume-title":"Telesparse: Practical privacy-preserving verification of deep neural networks. arXiv preprint arXiv:2504.19274","author":"Maheri Mohammad M","year":"2025","unstructured":"Mohammad M Maheri, Hamed Haddadi, and Alex Davidson. 2025. Telesparse: Practical privacy-preserving verification of deep neural networks. arXiv preprint arXiv:2504.19274 (2025)."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/3458864.3466628"},{"key":"e_1_3_2_1_41_1","volume-title":"Follow my instruction and spill the beans: Scalable data extraction from retrieval-augmented generation systems. arXiv preprint arXiv:2402.17840","author":"Qi Zhenting","year":"2024","unstructured":"Zhenting Qi, Hanlin Zhang, Eric Xing, Sham Kakade, and Himabindu Lakkaraju. 2024. Follow my instruction and spill the beans: Scalable data extraction from retrieval-augmented generation systems. arXiv preprint arXiv:2402.17840 (2024)."},{"key":"e_1_3_2_1_42_1","volume-title":"Toolllm: Facilitating large language models to master 16000+ real-world apis. arXiv preprint arXiv:2307.16789","author":"Qin Yujia","year":"2023","unstructured":"Yujia Qin, Shihao Liang, Yining Ye, Kunlun Zhu, Lan Yan, Yaxi Lu, Yankai Lin, Xin Cong, Xiangru Tang, Bill Qian, et al. 2023. Toolllm: Facilitating large language models to master 16000+ real-world apis. arXiv preprint arXiv:2307.16789 (2023)."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196522"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP61157.2025.00013"},{"key":"e_1_3_2_1_45_1","volume-title":"Toolformer: Language models can teach themselves to use tools. Advances in neural information processing systems 36","author":"Schick Timo","year":"2023","unstructured":"Timo Schick, Jane Dwivedi-Yu, Roberto Dess\u00ec, Roberta Raileanu, Maria Lomeli, Eric Hambro, Luke Zettlemoyer, Nicola Cancedda, and Thomas Scialom. 2023. Toolformer: Language models can teach themselves to use tools. Advances in neural information processing systems 36 (2023), 68539\u201368551."},{"key":"e_1_3_2_1_46_1","volume-title":"2022 USENIX Annual Technical Conference (USENIX ATC 22)","author":"Shen Tianxiang","year":"2022","unstructured":"Tianxiang Shen, Ji Qi, Jianyu Jiang, Xian Wang, Siyuan Wen, Xusheng Chen, Shixiong Zhao, Sen Wang, Li Chen, Xiapu Luo, et al. 2022. SOTER: Guarding Black-box Inference for General Neural Networks at the Edge. In 2022 USENIX Annual Technical Conference (USENIX ATC 22). 723\u2013738."},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/3642970.3655845"},{"key":"e_1_3_2_1_48_1","volume-title":"33rd USENIX Security Symposium (USENIX Security'24)","author":"Sridhara Supraja","year":"2024","unstructured":"Supraja Sridhara, Andrin Bertschi, Benedict Schl\u00fcter, Mark Kuhne, Fabio Aliberti, and Shweta Shinde. 2024. ACAI: Extending Arm Confidential Computing Architecture Protection from CPUs to Accelerators. In 33rd USENIX Security Symposium (USENIX Security'24)."},{"key":"e_1_3_2_1_49_1","volume-title":"LEAP: TrustZone Based Developer-Friendly TEE for Intelligent Mobile Apps","author":"Sun Lizhi","year":"2022","unstructured":"Lizhi Sun, Shuocheng Wang, Hao Wu, Yuhang Gong, Fengyuan Xu, Yunxin Liu, Hao Han, and Sheng Zhong. 2022. LEAP: TrustZone Based Developer-Friendly TEE for Intelligent Mobile Apps. IEEE Transactions on Mobile Computing (2022)."},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179382"},{"key":"e_1_3_2_1_51_1","volume-title":"SEALion: A framework for neural network inference on encrypted data. arXiv preprint arXiv:1904.12840","author":"van Elsloo Tim","year":"2019","unstructured":"Tim van Elsloo, Giorgio Patrini, and Hamish Ivey-Law. 2019. SEALion: A framework for neural network inference on encrypted data. arXiv preprint arXiv:1904.12840 (2019)."},{"key":"e_1_3_2_1_52_1","volume-title":"CAGE: Complementing Arm CCA with GPU Extensions. In Network and Distributed System Security (NDSS) Symposium.","author":"Wang Chenxu","year":"2024","unstructured":"Chenxu Wang, Fengwei Zhang, Yunjie Deng, Kevin Leach, Jiannong Cao, Zhenyu Ning, Shoumeng Yan, and Zhengyu He. 2024. CAGE: Complementing Arm CCA with GPU Extensions. In Network and Distributed System Security (NDSS) Symposium."},{"key":"e_1_3_2_1_53_1","volume-title":"Mobile-agent: Autonomous multi-modal mobile device agent with visual perception. arXiv preprint arXiv:2401.16158","author":"Wang Junyang","year":"2024","unstructured":"Junyang Wang, Haiyang Xu, Jiabo Ye, Ming Yan, Weizhou Shen, Ji Zhang, Fei Huang, and Jitao Sang. 2024. Mobile-agent: Autonomous multi-modal mobile device agent with visual perception. arXiv preprint arXiv:2401.16158 (2024)."},{"key":"e_1_3_2_1_54_1","unstructured":"Guanlong Wu Zheng Zhang Yao Zhang Weili Wang Jianyu Niu Ye Wu and Yinqian Zhang. 2025. I Know What You Asked: Prompt Leakage via KV-Cache Sharing in Multi-Tenant LLM Serving. In NDSS."},{"key":"e_1_3_2_1_55_1","volume-title":"Isolategpt: An execution isolation architecture for llm-based agentic systems. arXiv preprint arXiv:2403.04960","author":"Wu Yuhao","year":"2024","unstructured":"Yuhao Wu, Franziska Roesner, Tadayoshi Kohno, Ning Zhang, and Umar Iqbal. 2024. Isolategpt: An execution isolation architecture for llm-based agentic systems. arXiv preprint arXiv:2403.04960 (2024)."},{"key":"e_1_3_2_1_56_1","volume-title":"React: Synergizing reasoning and acting in language models. In The eleventh international conference on learning representations.","author":"Yao Shunyu","year":"2022","unstructured":"Shunyu Yao, Jeffrey Zhao, Dian Yu, Nan Du, Izhak Shafran, Karthik R Narasimhan, and Yuan Cao. 2022. React: Synergizing reasoning and acting in language models. In The eleventh international conference on learning representations."},{"key":"e_1_3_2_1_57_1","volume-title":"The super weight in large language models. arXiv preprint arXiv:2411.07191","author":"Yu Mengxia","year":"2024","unstructured":"Mengxia Yu, De Wang, Qi Shan, Colorado J Reed, and Alvin Wan. 2024. The super weight in large language models. arXiv preprint arXiv:2411.07191 (2024)."},{"key":"e_1_3_2_1_58_1","volume-title":"Attacks on third-party apis of large language models. arXiv preprint arXiv:2404.16891","author":"Zhao Wanru","year":"2024","unstructured":"Wanru Zhao, Vidit Khazanchi, Haodi Xing, Xuanli He, Qiongkai Xu, and Nicholas Donald Lane. 2024. Attacks on third-party apis of large language models. arXiv preprint arXiv:2404.16891 (2024)."}],"event":{"name":"EuroSys '26: 21st European Conference on Computer Systems","location":"Edinburgh Scotland Uk","acronym":"EuroMLSys '26","sponsor":["SIGOPS ACM Special Interest Group on Operating Systems"]},"container-title":["Proceedings of the Sixth European Workshop on Machine Learning and Systems"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3805621.3807660","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,28]],"date-time":"2026-04-28T13:18:31Z","timestamp":1777382311000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3805621.3807660"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,4,27]]},"references-count":58,"alternative-id":["10.1145\/3805621.3807660","10.1145\/3805621"],"URL":"https:\/\/doi.org\/10.1145\/3805621.3807660","relation":{},"subject":[],"published":{"date-parts":[[2026,4,27]]},"assertion":[{"value":"2026-04-28","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}