CaMeLs Can Use Computers Too: System-level Security for Computer Use Agents
Hanna Foerster, Robert Mullins, Tom Blanchard, Nicolas Papernot, Kristina Nikolić, Florian Tramèr, Ilia Shumailov, Cheng Zhang, Yiren Zhao
TL;DR
This work rethinks security for Computer Use Agents by applying a Dual-LLM framework with Single-Shot Planning and an Observe-Verify-Act paradigm to enforce strict control-flow integrity while navigating dynamic GUIs. By generating a complete execution graph upfront, the Privileged Planner (P-LLM) prevents arbitrary instruction injections, while the Quarantined Perception (Q-VLM) handles untrusted observations within fixed plan branches. The authors identify Branch Steering as a data-flow risk and mitigate it with redundancy-based defenses (DOM Consistency and Multi-Modal Consensus), evaluating the approach on OSWorld. Results show substantial utility retention, with up to 57% of large-model performance preserved and up to 19% gains for smaller open-source models, demonstrating that security and practicality can coexist in CUAs. However, Branch Steering and pixel-level attacks reveal residual vulnerabilities, motivating future work on stronger data-flow defenses and adaptive strategy improvements for secure, privacy-preserving desktop automation.
Abstract
AI agents are vulnerable to prompt injection attacks, where malicious content hijacks agent behavior to steal credentials or cause financial loss. The only known robust defense is architectural isolation that strictly separates trusted task planning from untrusted environment observations. However, applying this design to Computer Use Agents (CUAs) -- systems that automate tasks by viewing screens and executing actions -- presents a fundamental challenge: current agents require continuous observation of UI state to determine each action, conflicting with the isolation required for security. We resolve this tension by demonstrating that UI workflows, while dynamic, are structurally predictable. We introduce Single-Shot Planning for CUAs, where a trusted planner generates a complete execution graph with conditional branches before any observation of potentially malicious content, providing provable control flow integrity guarantees against arbitrary instruction injections. Although this architectural isolation successfully prevents instruction injections, we show that additional measures are needed to prevent Branch Steering attacks, which manipulate UI elements to trigger unintended valid paths within the plan. We evaluate our design on OSWorld, and retain up to 57% of the performance of frontier models while improving performance for smaller open-source models by up to 19%, demonstrating that rigorous security and utility can coexist in CUAs.
