Learn PromptingCode Injection
Code injection is a prompt hacking exploit where the attacker is able to get the LLM to run arbitrary code (often Python). This can occur in tool-augmented LLMs, where the LLM is able to send code to an interpreter, but it can also occur when the LLM itself is used to evaluate code.
Code injection has reportedly been performed on an AI app, MathGPT and was used to obtain it's OpenAI API key (MITRE report).
MathGPT has since been secured against code injection. Please do not attempt to hack it; they pay for API calls.
Example
Let's work with a simplified example of the MathGPT app. We will assume that it takes in a math problem and writes Python code to try to solve the problem.
Here is the prompt that the simplified example app uses:
Write Python code to solve the following math problem:
{{user_input}}
Let's hack it here:
This is a simple example, but it shows that this type of exploit is significant and dangerous.
Sander Schulhoff
Sander Schulhoff is the CEO of HackAPrompt and Learn Prompting. He created the first Prompt Engineering guide on the internet, two months before ChatGPT was released, which has taught 3 million people how to prompt ChatGPT. He also partnered with OpenAI to run the first AI Red Teaming competition, HackAPrompt, which was 2x larger than the White House's subsequent AI Red Teaming competition. Today, HackAPrompt partners with the Frontier AI labs to produce research that makes their models more secure. Sander's background is in Natural Language Processing and deep reinforcement learning. He recently led the team behind The Prompt Report, the most comprehensive study of prompt engineering ever done. This 76-page survey, co-authored with OpenAI, Microsoft, Google, Princeton, Stanford, and other leading institutions, analyzed 1,500+ academic papers and covered 200+ prompting techniques.
Footnotes
-
Kang, D., Li, X., Stoica, I., Guestrin, C., Zaharia, M., & Hashimoto, T. (2023). Exploiting Programmatic Behavior of LLMs: Dual-Use Through Standard Security Attacks. ↩