From Prompt to Physical Actuation: Holistic Threat Modeling of LLM-Enabled Robotic Systems
Neha Nagaraja, Hayretdin Bahsi, Carlo R. da Cunha

TL;DR
This paper presents a comprehensive threat modeling framework for LLM-enabled robotic systems, analyzing how cybersecurity, adversarial, and conversational threats propagate through the entire perception-planning-actuation pipeline.
Contribution
It introduces a novel DFD-based analysis that unifies multiple threat categories across the full robotic architecture, revealing new attack chains and architectural vulnerabilities.
Findings
Identifies three cross-boundary attack chains leading to unsafe physical actions.
Highlights the convergence of different threat categories at the same interaction points.
Reveals architectural vulnerabilities such as lack of semantic validation and unmediated boundary crossings.
Abstract
As large language models are integrated into autonomous robotic systems for task planning and control, compromised inputs or unsafe model outputs can propagate through the planning pipeline to physical-world consequences. Although prior work has studied robotic cybersecurity, adversarial perception attacks, and LLM safety independently, no existing study traces how these threat categories interact and propagate across trust boundaries in a unified architectural model. We address this gap by modeling an LLM-enabled autonomous robot in an edge-cloud architecture as a hierarchical Data Flow Diagram and applying STRIDE-per-interaction analysis across six boundary-crossing interaction points using a three-category taxonomy of Conventional Cyber Threats, Adversarial Threats, and Conversational Threats. The analysis reveals that these categories converge at the same boundary crossings, and we…
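The kind of boundary-crossing analysis the abstract describes can be sketched as follows; this is an added example, not code from the paper or its authors. The elements, trust zones, flows, `validated` flags and threat entries are all constructed for illustration and are not the paper's six interaction points or its results.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed DFD: element -> trust zone (illustrative, not the paper's diagram).
ZONES = {"operator": "external", "camera": "physical", "perception": "edge",
         "planner_client": "edge", "cloud_llm": "cloud",
         "motion_controller": "edge", "actuators": "physical"}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    validated: bool  # True if the receiver checks the data's meaning before acting

FLOWS = [
    Flow("operator", "planner_client", "natural-language task", False),
    Flow("camera", "perception", "image frames", False),
    Flow("perception", "planner_client", "scene description", True),
    Flow("planner_client", "cloud_llm", "prompt with scene context", True),
    Flow("cloud_llm", "planner_client", "generated plan", False),
    Flow("planner_client", "motion_controller", "motion commands", True),
    Flow("motion_controller", "actuators", "actuation signals", True),
]

# Constructed threat register: (src, dst, taxonomy category, STRIDE letter).
THREATS = [
    ("operator", "planner_client", "Conversational", "T"),
    ("operator", "planner_client", "Conventional Cyber", "S"),
    ("camera", "perception", "Adversarial", "T"),
    ("cloud_llm", "planner_client", "Conventional Cyber", "T"),
    ("cloud_llm", "planner_client", "Conversational", "E"),
    ("cloud_llm", "planner_client", "Adversarial", "T"),
]

def boundary_crossings():  # flows whose endpoints sit in different trust zones
    return [f for f in FLOWS if ZONES[f.src] != ZONES[f.dst]]

def unmediated():  # boundary crossings accepted without semantic validation
    return [(f.src, f.dst) for f in boundary_crossings() if not f.validated]

def convergence():  # interactions where more than one threat category applies
    cats = defaultdict(set)
    for src, dst, cat, _stride in THREATS:
        cats[(src, dst)].add(cat)
    return {k: sorted(v) for k, v in cats.items() if len(v) > 1}

def priority():  # unmediated crossings where categories converge: review first
    return [x for x in unmediated() if x in convergence()]
```

In this constructed model, `priority()` singles out the two crossings into the planner that are both unvalidated and reachable by more than one threat category, which is where a mediating validation step would be placed first.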
