System-level Security for Computer Use Agents - arxiv.org/pdf/2601.09923

🧩 Problem
Computer Use Agents (CUAs) automate desktop and browser tasks by reading screenshots or DOM state and then clicking, typing, and navigating. Malicious UI content can inject instructions that redirect those actions toward credential theft or financial loss. Most CUA benchmarks score task completion and do not check whether the agent executes only user-intended actions under hostile UI content. The paper asks whether system-level isolation can give CUAs control-flow integrity, and which failures remain.

🔍 How
The authors apply architectural isolation to CUAs by separating planning from perception. With Single-Shot Planning, a trusted planner generates a complete branching execution graph before any potentially malicious UI observation is read; perception, which sees the untrusted UI, runs only after the plan is fixed. They evaluate on OSWorld with pass@1 and pass@k task completion, analyze branch-steering attacks, and test redundancy-based verification using DOM consistency and multi-modal consensus.

📈 Findings
Single-Shot Planning retains up to 57% of frontier-model utility on OSWorld while improving smaller open-source models by up to 19%. On all OSWorld tasks, UI-TARS rises from 24.4% to 29.0% success. Branch steering remains: cookie-popup and pixel-based attacks can steer the agent along valid plan paths, and the strongest redundancy setup still fails against the pixel attack.

🎯 Lessons learned
Define failure as executing any action not reachable in a pre-approved execution graph, and gate each click or keystroke on a verification step. Log screenshots, DOM, extracted coordinates, and the chosen branch so reviewers can reconstruct intent and data flow. Stress-test predictable routines such as cookie consent and element finding, since attackers can steer branches without changing the plan. Track utility loss and operational cost from the extra checking, including false positives and token volume.
Authors: @hfoerster01, Robert Mullins, Tom Blanchard, @NicolasPapernot, @NKristina01_, @florian_tramer, @iliaishacked, Cheng Zhang, Yiren Zhao - @Cambridge_Uni, @UofT, @VectorInst, @ETH_en, @aisequrity #AISecurity #LLMAgents #ComputerUseAgents #PromptInjection #AgentSecurity #InfoFlowControl #ModelIsolation #OSWorld #VisionLanguageModels #SecureByDesign #RedTeaming #AdversarialML
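The "Lessons learned" above describe a gate: a plan fixed before any untrusted observation, every action checked for reachability against it, a redundancy check on grounding, and an audit log per step. The sketch below is an added illustration of that gate, not code from the paper or its authors. The plan, the action names, the observation bytes, the per-node entry budget (`max_visits`) and the pixel tolerance (`coord_tol`) are all constructed assumptions; the budget is one simple way to bound the cookie-popup branch-steering loop the paper reports, and the DOM-vs-vision coordinate check stands in for its redundancy-based verification.

```python
import hashlib
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Action:
    kind: str        # "click", "type", "navigate"
    target: str      # semantic element name chosen by the trusted planner
    text: str = ""   # payload for "type"


# Constructed plan (hypothetical): the branching execution graph a trusted
# planner emits once, BEFORE any untrusted screenshot or DOM is observed.
# node -> [(action, next_node), ...]; the cookie_reject edge is a permitted loop.
PLAN = {
    "start":  [(Action("navigate", "login_page"), "login")],
    "login":  [(Action("type", "username_field", "alice"), "pw")],
    "pw":     [(Action("type", "password_field", "<from vault>"), "submit")],
    "submit": [(Action("click", "login_button"), "home"),
               (Action("click", "cookie_reject"), "submit")],
    "home":   [(Action("click", "export_button"), "done")],
    "done":   [],
}


def _digest(data: bytes) -> str:
    """Short SHA-256 so the log can be tied back to the stored artifact."""
    return hashlib.sha256(data).hexdigest()[:16]


class PlanGate:
    """Gates every proposed action on the frozen plan and keeps an audit log."""

    def __init__(self, plan, start="start", max_visits=3, coord_tol=5):
        self.plan = plan
        self.node = start
        self.max_visits = max_visits   # per-node entry budget (assumed knob)
        self.coord_tol = coord_tol     # max px disagreement between groundings
        self.visits = {start: 1}
        self.log = []

    def step(self, proposed, dom_xy, vision_xy, screenshot: bytes, dom: str):
        """Return (status, reason); status is "exec" or "reject"."""
        frm = self.node
        edges = self.plan.get(frm, [])
        nxt = next((n for a, n in edges if a == proposed), None)
        if nxt is None:
            # Control-flow integrity: not an edge out of the current node,
            # so an injected instruction cannot become an action.
            verdict = ("reject", "action not reachable from current node")
        elif self.visits.get(nxt, 0) >= self.max_visits:
            # A valid edge taken too often: branch steering via a fake popup.
            verdict = ("reject", f"entry budget exhausted for node {nxt}")
        elif (dom_xy is None or vision_xy is None
              or max(abs(a - b) for a, b in zip(dom_xy, vision_xy)) > self.coord_tol):
            # Redundancy: DOM grounding and vision grounding must agree.
            verdict = ("reject", "DOM and vision grounding disagree")
        else:
            verdict = ("exec", "ok")
            self.visits[nxt] = self.visits.get(nxt, 0) + 1
            self.node = nxt
        self.log.append({
            "step": len(self.log), "from": frm, "node_after": self.node,
            "action": asdict(proposed), "dom_xy": dom_xy, "vision_xy": vision_xy,
            "screenshot_sha256": _digest(screenshot),
            "dom_sha256": _digest(dom.encode()),
            "status": verdict[0], "reason": verdict[1],
        })
        return verdict


def demo():
    """Walk the plan with constructed observations; returns the audit log."""
    g = PlanGate(PLAN)
    obs = (b"constructed-png-bytes", "<html><body>constructed DOM</body></html>")
    g.step(Action("navigate", "login_page"), (10, 10), (12, 9), *obs)        # exec
    g.step(Action("navigate", "attacker_page"), (10, 10), (10, 10), *obs)    # injected: reject
    g.step(Action("type", "username_field", "alice"), (50, 80), (51, 80), *obs)
    g.step(Action("type", "password_field", "<from vault>"), (50, 120), (50, 121), *obs)
    for _ in range(3):   # fake cookie banner keeps offering the valid loop edge
        g.step(Action("click", "cookie_reject"), (300, 400), (300, 400), *obs)
    g.step(Action("click", "login_button"), (200, 200), (240, 200), *obs)   # pixel attack moved vision target
    g.step(Action("click", "login_button"), (200, 200), (201, 200), *obs)   # exec
    return g.log


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two caveats the paper's findings point at: the budget only bounds a steered loop, it does not detect that the popup was fake, and a pixel attack that shifts both groundings consistently passes the consensus check. Every rejected and executed step still leaves a log row with artifact hashes and the chosen branch, which is what a reviewer needs to reconstruct intent afterwards.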