CaMeLs Can Use Computers Too:  System-level Security for Computer Use Agents

Hanna Foerster; Tom Blanchard; Kristina Nikolić; Ilia Shumailov; Cheng Zhang; Robert D. Mullins; Nicolas Papernot; Florian Tramèr; Yiren Zhao

CaMeLs Can Use Computers Too: System-level Security for Computer Use Agents

Hanna Foerster, Tom Blanchard, Kristina Nikolić, Ilia Shumailov, Cheng Zhang, Robert D. Mullins, Nicolas Papernot, Florian Tramèr, Yiren Zhao

Published: 23 May 2026, Last Modified: 23 May 2026ICML 2026 AIWILDEveryoneRevisionsBibTeXCC BY 4.0

Keywords: Computer Use Agents, prompt injections, control flow integrity, Dual-LLM, agent security

TL;DR: We adapt Dual-LLM (CaMeL) to Computer Use Agents, giving the first control-flow-integrity guarantees while keeping significant OSWorld utility, and identify Branch Steering as a residual data-flow attack redundancy defenses cannot fully block.

Abstract: AI agents are vulnerable to prompt injection attacks, where malicious content hijacks agent behavior. Among proposed defenses, architectural isolation provides the strongest guarantees by strictly separating trusted task planning from untrusted environment observations. However, applying this design to Computer Use Agents (CUAs), which automate tasks by viewing screens and executing actions, presents a fundamental challenge. Current agents require continuous observation of UI state to determine each action, which conflicts with the isolation required for security. We resolve this tension by demonstrating that UI workflows, while dynamic, are structurally predictable. Single-shot planning, where a trusted planner emits upfront a complete branching plan covering all anticipated runtime states, provides control flow integrity guarantees against arbitrary instruction injections. We introduce NOVA (Navigating via Observation, Verification, and Action) to make this viable in the combinatorially large UI state space, where the plan can invoke a perception model to resolve runtime values such as UI coordinates. We evaluate our design on OSWorld, and retain up to 57\% of the performance of frontier models while improving performance for smaller open-source models by up to 19\%, demonstrating that rigorous security and utility can coexist in CUAs. Although upfront planning prevents instruction injections, we show that additional measures are needed to defend against Branch Steering attacks, where adversaries deceive the perception model into routing execution down attacker-preferred branches of the plan, such as redirecting the agent to a malicious website.

Track: Regular Paper (9 pages)

Email Sharing: We authorize the sharing of all author emails with Program Chairs.

Data Release: We authorize the release of our submission and author names to the public in the event of acceptance.

Submission Number: 111

Loading