Jailbreaking LLM-Controlled Robots - Schneier on Security

Comments

Winter December 12, 2024 3:26 AM

This is a fundamental problem feature LLMs, they respond to local context, and local context only. As long as you can manipulate the context, which is what a prompt is, you can change their behavior potentially in any way you like. And any context can be changed with a specially crafted prompt as has been amply demonstrated.

The only solution I have seen is to feed the prompts and response(s) through a second system which decides whether the prompts and/or responses are allowed. That is what moderation is. Moderation should be done by AI to be effective. However, I have a strong suspicion that current LLMs make for bad moderators. But there are other models of AI than foundational LLMs.

ResearcherZero December 13, 2024 1:42 AM

You may not have to jailbreak them, perhaps they might already ignore safety features?

‘https://www.tomshardware.com/software/windows/microsoft-recall-screenshots-credit-cards-and-social-security-numbers-even-with-the-sensitive-information-filter-enabled

ResearcherZero December 13, 2024 1:48 AM

To be more clear, perhaps you may be able to induce such behaviour unintentionally, given the right set of circumstances. Children are often good at discovering such mechanisms.

Clive Robinson December 13, 2024 2:40 AM

@ Bruce,

With Regards,

“it’s easy to trick an LLM”

An LLM is after all a “deterministic system” no matter what some will claim it lacks the ability to actually “learn or reason” in the human sense, it is no more and in many respects less than a Database of information to which approximate matches are made via a far from effective indexing system.

It might look like it thinks and reasons, but it does not and in fact falls a long long way behind a database with an effective indexing system.

The term “Stochastic Parrot” should be sufficient to make this clear however apparently it does not.

A sufficiently “smart” or “experienced” person will always find ways to exploit the ineffective indexing system no matter what you do.

Because the likes of “Guide rails” and even other LLM’s will only ve able to handle,

“Known Knowns”

That are sufficiently clear. Throw in ambiguity or mask by aliases and you will get past all the “Guide rails” that you can think up.

Then there are the “Black Swans” of,

Unknown Knowns
Unknown Unknowns

And other more interesting things that are in effect “riddles” where the logic is not binary in nature.

The desire by some to make current AI LLM and ML systems appear to be capable of replacing humans is actually laughable.

Like the “Expert Systems” of the 1980’s they are just a body of stored knowledge, like a library or database. The Expert Systems due to very limited resources had to have the indexing system built by humans and thus you had in effect a multiple choice tree to walk to get to the desired piece of information, if it was there (which mostly it was not which is why Expert Systems were quite niche).

The LLM however has in effect found a way to avoid having Human Experts “pre build the question tree”. They use instead statistical approximations so users can ask questions from which the question tree can be approximated.

It would be interesting to ask the following,

1, A rooster which is a hen,
2, like all hens likes to roost.
3, A hen which is a bird,
4, will find like most birds a suitable point on which to roost.
5, Many birds will often lay an egg at their roost point.
6, So if a rooster finds a suitable point where an egg can be laid,
7, then it’s likely an egg will get laid there at some point.
8, Consider if the point is suitably pointed then the egg will have to be finely balanced if it is not to fall.
9, If the point the rooster has selected is such, and an egg is laid there, but the rooster does not have the skill to balance the egg,
10, which way will the egg fall?

The LLM can only answer the question correctly “If And Only If”(IFF) it has not just the correct information but has seen this type of question in it’s training data set.

Michael Gaul December 13, 2024 2:58 PM

Perhaps the problem is expecting the robot to be responsible for its good behavior. If it were an ordinary robot, you wouldn’t allow just any human to interact with it. So why would your AI robot not be subject to the same access controls? If it can additionally provide some internal rules to prevent a well-meaning operator from making a mistake, that is well and good, but the first priority should be to provide the same access control that you would for any other dangerous tool or weapon.

Leave a comment

All comments are now being held for moderation. For details, see this blog post.

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.