Confused Deputy Attacks
- Confused Deputy Attacks are security vulnerabilities where an attacker manipulates a trusted component to act on its behalf without proper authorization binding.
- These attacks span software and hardware domains, impacting systems from address translation and AI accelerators to smart contracts and credential frameworks.
- Defensive strategies focus on enforcing independent, dynamic authorization checks and strict context validation to prevent erroneous privilege delegation.
Confused deputy attacks (CDAs) are security failures in which an attacker induces a privileged or trusted component—the deputy—to perform an action on the attacker’s behalf that the attacker is not directly authorized to perform. The deputy’s authority may arise from kernel mediation, address translation, DMA-capable acceleration, contract callbacks, browser or GUI automation, retrieval pipelines, or tool-execution runtimes; the common failure is that the system applies authority on the basis of attacker-influenced designation, metadata, or context rather than a correctly bound authorization decision. Recent work shows that this pattern recurs across hardware fault attacks, accelerators, smart contracts, mobile autofill, RAG systems, agent frameworks, computer-using agents, ChatGPT Apps, and agentic browsers (Zhang et al., 2020, Danduri et al., 18 May 2026, Yao et al., 2024, Oesch et al., 2021, RoyChowdhury et al., 2024, Zuvic, 27 Jun 2026, Liu et al., 16 Mar 2026, Wang et al., 30 May 2026, Datta et al., 6 May 2026).
1. Definition and conceptual anatomy
In the classical formulation used across these papers, a CDA occurs when an attacker cannot directly access a protected resource but can cause a legitimate authority to do it implicitly. The attacker supplies designation or influence; the deputy supplies authority; the victim is the protected resource or security boundary that should not have been crossed. PThammer states this pattern directly: the attacker does not directly read or write protected memory, but instead coaxes the processor and memory-management machinery into performing the harmful access indirectly (Zhang et al., 2020).
A recurring analytical decomposition is attacker, deputy, and victim. In PThammer, the attacker is an unprivileged user-space process, the deputy is the processor’s address translation logic, and the victim is protected page-table memory such as L1PTE addresses. In the Edge AIA setting, the attacker is a userspace application, the deputy is the AIA, and the victim is restricted host memory. In ChatGPT Apps, the malicious app cannot directly invoke the victim app, but can induce the LLM mediator to do so through the shared context. In LLM agent frameworks, the attacker controls content rather than code, while the runtime executes model-emitted tool calls with real authority (Zhang et al., 2020, Danduri et al., 18 May 2026, Wang et al., 30 May 2026, Zuvic, 27 Jun 2026).
These works also converge on a distinction between authorization and mere designation. The LLM-agent paper states that capability gating is static exposure control, whereas per-call authorization is dynamic, value-sensitive control, and that “Tool exists” is not the same as “this specific invocation is authorized.” The same structural distinction appears in hardware and accelerator settings: an identifier, pointer, mask, source lane, callback, or context entry may be syntactically valid, range-valid, or schema-valid while still denoting the wrong authority basis (Zuvic, 27 Jun 2026, Santos-Grueiro, 10 Jun 2026, Yao et al., 2024).
This suggests a general characterization: CDAs arise when a privileged component accepts attacker-influenced designation without re-binding it to an independently derived authorization context. Different papers name that failure as a semantic gap, implicit endorsement, stale authority, participation-authority misbinding, or conflation of control and data, but the security structure is the same (Danduri et al., 18 May 2026, Yao et al., 2024, Santos-Grueiro, 10 Jun 2026, RoyChowdhury et al., 2024).
2. Hardware, accelerators, and non-control-data deputies
Several papers show that CDAs are not confined to classical software services. They also arise when hardware or microarchitectural components perform privileged accesses on behalf of unprivileged requests.
| Setting | Deputy | Authority failure |
|---|---|---|
| PThammer | address translation logic | implicit frequent accesses to protected page-table memory |
| Edge AIA CDA | AI accelerator | unvalidated SMIDs reach restricted host memory |
| CUDA CSC | collective primitive | wrong membership, contribution, role, or epoch is authorized |
PThammer is an eviction-based cache and TLB attack in which attacker-controlled user-space access patterns force repeated address translation and memory references. The paper summarizes the mechanism as and emphasizes that the attack needs “not only implicit but also frequent DRAM accesses to target addresses.” The novelty is therefore not only Rowhammer disturbance, but the use of privileged translation machinery as the confused deputy that reaches protected page-table memory and enables cross-user-kernel compromise (Zhang et al., 2020).
The Edge AIA study makes the memory-CDA conditions explicit: 1. AIA fails to validate SMIDs and 2. Attacker can provide SMIDs to restricted memory regions. Because AIAs are optimized for performance, use zero-copy transfers, and have limited OS-level awareness, the accelerator may receive a Shared Memory Identifier without understanding whether it denotes attacker-owned user memory, another process’s memory, or kernel memory. The paper reports that CDA is feasible on 6 of the 7 evaluated AIAs, impacting over 128 SoCs and over 100 million devices, and proposes an On-Demand Validation defense whose evaluation on GEM5-SALAM reports 15.33% average overhead; strict per-transaction IOMMU enforcement is reported as roughly 56% to 623% depending on settings and benchmarks (Danduri et al., 18 May 2026).
The CUDA paper generalizes the CDA lens further by treating collective primitives as deputies and participation metadata as the authority token. It defines Collective Semantic Corruption (CSC) as the case where a CUDA-conforming collective authorizes a decision over the wrong authority set because masks, predicates, source lanes, descriptors, group labels, or epochs are corrupted. The site-local participation-authority contract is written as and a CSC instance satisfies The core result is a trusted-reference mismatch in 102/102 instances, while hardened variants preserve that reference in 102/102 instances; 13 synchronization-sensitive instances are reported separately (Santos-Grueiro, 10 Jun 2026).
A common lesson across these systems is that low-level validity checks are insufficient. A mask can be legal, an SMID can be well-formed, and a microarchitectural access path can be architecturally legitimate, yet the deputy can still act on the wrong authority basis (Danduri et al., 18 May 2026, Santos-Grueiro, 10 Jun 2026, Zhang et al., 2020).
3. Callbacks, credential mediation, and contract-level authority
Smart contracts provide a particularly clear formulation of CDA as implicit endorsement. The SCIF paper characterizes CDAs as integrity violations in which an attacker influences a trusted action without explicit endorsement, typically through callbacks or indirect invocations. Its central observation is that the deputy’s call to an attacker-chosen target implicitly endorses that target selection, while the callee may interpret the call as conveying stronger authority than the caller intended. To prevent this, SCIF combines IFC with explicit endorse, dynamic trust checks on public entry points, and runtime method-signature checks that include labels rather than only method names and base types. This full-signature dispatch is the paper’s main defense against callback type confusion in examples such as Dexible and Poly Network (Yao et al., 2024).
The mobile autofill study shows the same pattern in user-facing credential mediation. Here the deputy is the autofill framework: it presents the autofill UI, decides when credentials may be offered and inserted, and mediates access between password manager, app or browser, and webpage. The paper formulates three required properties: and argues that mobile autofill frameworks can become confused deputies in manager-assisted credential phishing attacks when they offer or insert credentials in malicious webpages or hostile WebViews (Oesch et al., 2021).
The attack flows are structurally classical. A benign app hosts a WebView; malicious or compromised content renders a login form; the framework sees a login prompt and presents trusted autofill UI; the user interprets that UI as evidence of safety; the credentials are filled and become visible to malicious page code or injected JavaScript. The paper concludes that while mobile frameworks improve user interaction security, they often undermine destination binding and post-fill confidentiality, and may even make mobile password managers less secure than desktop counterparts overall, especially in browsers and WebViews (Oesch et al., 2021).
These contract and autofill examples show that a CDA does not require code execution in the protected component. The deputy may simply dispatch a callback or present a fill suggestion under incorrect authority assumptions. The security failure lies in what the deputy implicitly vouches for (Yao et al., 2024, Oesch et al., 2021).
4. Tool-using LLM agents and runtime authorization
In LLM agent systems, the deputy is typically the runtime that holds side-effecting tools while reading untrusted content. The audited-framework paper states the core failure succinctly: LangChain/LangGraph, LlamaIndex, and the Stripe Agent Toolkit provide capability gating by default, but none provides a deterministic fail-closed per-call value authorization gate by default. The default failure mode is that a model-emitted tool call is dispatched after tool-name lookup and shape or schema validation, but concrete argument values are not re-authorized before execution. The paper’s reference control, ScopeGate, introduces five stages—scope, authorization, money ceiling, idempotency, and default deny—and reports 0/48 static bypasses, 0/29 unauthorized attempts (40-iteration adaptive run), 0/10 benign false-denies, and Latam-GPT payment-agent containment at 10/10 (Zuvic, 27 Jun 2026).
The AARM specification broadens this into a runtime-security architecture. It treats the orchestration layer as untrusted, shifts the security boundary to tool execution, and requires that all actions be intercepted before execution. Its central mechanism is accumulated session context, combined with policy evaluation over the action-context pair, The paper explicitly presents confused deputy attacks as cases in which static authorization might permit an action, but the intent is adversarial; intent alignment, context-dependent deny, defer, and step-up are therefore the primary anti-CDA mechanisms (Errico, 10 Feb 2026).
SEAgent instantiates a related idea in LLM-based agent systems using a MAC framework built upon ABAC and an information-flow graph. It defines privilege escalation formally as the existence of an invocation action outside the oracle-defined minimal action set for the user query, and extends that model to inter-agent messaging. Its multi-agent confused deputy case study uses a malicious web browser or search agent to cause a trusted smart lock agent to invoke UnlockDoor. The enforcement logic is path-sensitive: an upstream UNFILTERED agent influencing a non-LOW sensitivity tool is denied, even if a trusted intermediary agent is the immediate caller. The paper reports 0% ASR for SEAgent on the benchmarked attack categories and negligible policy-check overhead in the AWS benchmark, with average policy-check time 0.00586s in travel and 0.00307s in mortgage (Ji et al., 17 Jan 2026).
Across these agent papers, the central doctrine is that the model may propose, but only an independent policy mechanism may approve. Capability exposure, schema conformance, and delegated credentials do not by themselves constitute authorization (Zuvic, 27 Jun 2026, Errico, 10 Feb 2026, Ji et al., 17 Jan 2026).
5. Perception, shared context, and web-mediated confused deputies
Recent AI papers extend the CDA concept beyond symbolic tool invocation into perception, context sharing, and ordinary web interaction. The visual confused deputy paper defines a failure mode in which a computer-using agent authorizes an action based on a misperceived screen state caused by grounding errors, adversarial screenshot manipulation, or TOCTOU races. The concrete ScreenSwap attack swaps the pixel regions of two GUI buttons in the screenshot so that the LLM believes it is clicking a benign control while the real coordinates hit a privileged control. To mitigate this, the paper proposes dual-channel contrastive classification, operating outside the agent’s perceptual loop, with an OR/veto rule that blocks if either the visual click-target channel or the textual reasoning channel indicates risk. Reported results include F1 = 0.875 on 13 OS-Harm scenarios, F1 = 0.915 for image + text veto on 260 real screenshots and 1040 test cases from ScreenSpot-Pro, and runtime of about 14 ms per click on an AMD MI300X GPU (Liu et al., 16 Mar 2026).
The agentic-browser paper argues that indirect prompt injection is only part of the problem. It frames the browser agent as a confused deputy that cannot distinguish legitimate page components from malicious ones and derives a taxonomy of 20 attacks, implementing 18 and reproducing 14 of the 20 attacks across 4 major LLM models. Its five failure modes include agents bridging same-site data, bridging cross-site data, hallucinating URLs, websites attacking the LLM itself, and agents misusing integrated tools. A key claim is that agentic browsers collapse trusted and untrusted page content into a single input, allowing traditional web threats such as phishing, scams, and interface mimicry to reemerge in amplified form (Datta et al., 6 May 2026).
The ChatGPT Apps paper identifies cross-app context poisoning as a CDA in a multi-tenant LLM platform. Multiple third-party apps share one conversation and write into a persistent, flat, untagged context visible to the LLM and to co-resident apps. The paper emphasizes sendFollowUpMessage as the direct write primitive and reports that undocumented parameters systemPrompt and isVisible amplify it to silent, system-priority writes. Using this channel, a malicious app can poison context so that the LLM later manipulates benign co-resident apps; the base confused-deputy attack succeeds across six evaluated ChatGPT models, and the paper argues that fixing the problem requires an architectural change rather than a patch (Wang et al., 30 May 2026).
ConfusedPilot shows the same structural problem in enterprise RAG. Retrieved document text and task instructions are concatenated into a single modified prompt, so an attacker who can modify shared documents can cause the deputy to treat malicious text as instruction rather than evidence. The paper presents two principal effects: integrity compromise through malicious text in modified retrieval prompts and confidentiality compromise through stale cache or phantom documents. It further argues that misinformation can propagate across enterprise workflows when victims reuse Copilot outputs in downstream documents, turning the deputy into a misinformation multiplier (RoyChowdhury et al., 2024).
A plausible implication is that modern CDA surfaces increasingly involve not only explicit delegation, but also mediated perception and mediated context. The deputy may be confused by pixels, retrieved prose, or shared conversational state just as readily as by a pathname, callback, or memory identifier (Liu et al., 16 Mar 2026, Wang et al., 30 May 2026, RoyChowdhury et al., 2024, Datta et al., 6 May 2026).
6. Defensive principles, recurring misconceptions, and open directions
Across these domains, defenses converge on authority binding rather than mere input validation. On-Demand Validation for AI accelerators revalidates SMIDs against PID-scoped kernel knowledge and defers unmapping to block stale mappings; Collective Integrity Contracts (CIC) bind participation metadata before collective use; SCIF requires explicit endorsement and full-signature agreement for callbacks; ScopeGate inserts a deterministic PDP/PEP between the model and the side-effecting tool; AARM intercepts every action at runtime and evaluates it against accumulated context and intent alignment; the visual guardrail verifies both what the agent is clicking and why; the ChatGPT Apps paper calls for per-app context isolation, context provenance, cross-app permissioning, and return-path mediation (Danduri et al., 18 May 2026, Santos-Grueiro, 10 Jun 2026, Yao et al., 2024, Zuvic, 27 Jun 2026, Errico, 10 Feb 2026, Liu et al., 16 Mar 2026, Wang et al., 30 May 2026).
Several misconceptions are rejected repeatedly. First, range-validity, schema-validity, or type-shape validity is not enough: a valid mask, source lane, SMID, or tool argument may still encode the wrong authority (Santos-Grueiro, 10 Jun 2026, Danduri et al., 18 May 2026, Zuvic, 27 Jun 2026). Second, capability gating is not authorization; exposure of a tool or primitive does not authorize a specific call with attacker-chosen concrete values (Zuvic, 27 Jun 2026). Third, prompt-injection framing alone is too narrow: agentic browsers are vulnerable to ordinary web deception, and visual confused deputies arise from misperceived state even without textual injection (Datta et al., 6 May 2026, Liu et al., 16 Mar 2026). Fourth, software-only defenses are not universal: PThammer shows that detection focused on cache miss rates or same-row access patterns can miss translation-driven access patterns, while several accelerator and platform papers argue that architectural changes are sometimes required (Zhang et al., 2020, Danduri et al., 18 May 2026, Wang et al., 30 May 2026).
The literature also separates containment from cure. The ScopeGate paper explicitly states that containment is not a cure: it bounds what a compromised model can do via governed tools, but does not stop prompt injection itself, detect poisoned weights, or guarantee safe natural-language output (Zuvic, 27 Jun 2026). Similar limitations appear elsewhere: the ChatGPT Apps paper treats flat shared context as an architectural gap by design; the RAG paper notes the difficulty of separating instructions from retrieved content because legitimate documents may themselves contain instruction-like language; the mobile autofill paper shows that secure UI signaling can itself become part of the deputy problem when the framework’s trust cues are misapplied (Wang et al., 30 May 2026, RoyChowdhury et al., 2024, Oesch et al., 2021).
The broader technical lesson is that CDAs are best understood as authorization failures caused by misbound authority. Whether the deputy is a page-table walker, an AIA, a collective primitive, an autofill framework, a smart contract, a browser agent, a computer-using agent, a RAG pipeline, or an LLM tool runtime, the decisive question is the same: who or what is the deputy actually authorized to act for at the moment of use? Systems that do not answer that question with independent, fail-closed mediation remain vulnerable to confused-deputy failure.