
Manipulation Facing Threats: Evaluating Physical Vulnerabilities in End-to-End Vision Language Action Models

Hao Cheng, Erjia Xiao, Yichi Wang, Chengyuan Yu, Mengshu Sun, Qiang Zhang, Jiahang Cao, Yijie Guo, Ning Liu, Kaidi Xu, Jize Zhang, Chao Shen, Philip Torr, Jindong Gu, Renjing Xu

TL;DR

This work addresses safety in open-vocabulary robotic manipulation by introducing the Physical Vulnerability Evaluating Pipeline (PVEP) to quantify VLAM robustness against visual threats. It evaluates open-source VLAMs (LLaRA and OpenVLA) within simulation environments (VIMA and SimplerEnv) under three threat categories: Out-of-Distribution, Typography-based Visual Prompts, and Adversarial Patch Attacks, using failure rate and task timesteps as metrics. Key findings include Blur as the most effective OOD attack, typography prompts showing moderate impact with textual prompts often more influential than numeric ones, and adversarial patches demonstrating transferability from MLLMs to VLAMs with white-box attacks being extraordinarily effective. The results establish a reproducible framework for robustness assessment and inform design choices for safer VLAM-enabled robotic systems in real-world settings.

Abstract

Recently, driven by advancements in Multimodal Large Language Models (MLLMs), Vision Language Action Models (VLAMs) are being proposed to achieve better performance in open-vocabulary scenarios for robotic manipulation tasks. Since manipulation tasks involve direct interaction with the physical world, ensuring robustness and safety during the execution of this task is always a very critical issue. In this paper, by synthesizing current safety research on MLLMs and the specific application scenarios of the manipulation task in the physical world, we comprehensively evaluate VLAMs in the face of potential physical threats. Specifically, we propose the Physical Vulnerability Evaluating Pipeline (PVEP) that can incorporate as many visual modal physical threats as possible for evaluating the physical robustness of VLAMs. The physical threats in PVEP specifically include Out-of-Distribution, Typography-based Visual Prompt, and Adversarial Patch Attacks. By comparing the performance fluctuations of VLAMs before and after being attacked, we provide generalizable Analyses of how VLAMs respond to different physical threats.

Paper Structure

This paper contains 16 sections, 5 equations, 4 figures, 2 tables, 1 algorithm.

Figures (4)

  • Figure 1: Performance degradation and time delay of LLaRA and OpenVLA due to physical attacks ($\times 35$ is for better illustration).
  • Figure 2: The framework for evaluating VLAMs utilizing Physical Vulnerability Evaluation Pipeline (PVEP).
  • Figure 3: Under 3 physical attack categories: (left) Time steps (with a maximum limit of 8) of LLaRA on 14 VIMA tasks that are listed in the LLaRA failure-rate table. (right) Failure rates of the OOD attacks with other levels that are not listed in that table.
  • Figure 4: Under 3 physical attack categories: (left) Time steps (with a maximum limit of 300) of OpenVLA on 6 SimplerEnv tasks that are listed in the OpenVLA failure-rate table. (right) Failure rates of the OOD attacks with other levels that are not listed in that table.