scan.json (32530B)
1 { 2 "paper": { 3 "title": "System-Level Defense against Indirect Prompt Injection Attacks: An Information Flow Control Perspective", 4 "authors": [ 5 "Fangzhou Wu", 6 "Ethan Cecchetti", 7 "Chaowei Xiao" 8 ], 9 "year": 2024, 10 "venue": "arXiv.org", 11 "arxiv_id": "2409.19091", 12 "doi": "10.48550/arXiv.2409.19091" 13 }, 14 "scan_version": 3, 15 "active_modules": [ 16 "experimental_rigor", 17 "data_leakage" 18 ], 19 "methodology_tags": [ 20 "theoretical", 21 "benchmark-eval", 22 "case-study" 23 ], 24 "key_findings": "The paper proposes f-secure LLM systems that disaggregate the planner and executor roles of an LLM, applying information flow control (IFC) to prevent untrusted data from reaching the planning stage. This structural defense achieves 0% attack success rate on the InjectAgent benchmark across four backbone models (GPT-3.5, GPT-4, Gemini-1.5-pro, Claude-3.5-Sonnet), while vanilla systems are vulnerable at 15–67% ASR. The f-secure system matches or improves functionality on tool-usage benchmarks compared to both vanilla ReAct and SecGPT, with negligible runtime overhead from the security mechanisms.", 25 "checklist": { 26 "artifacts": { 27 "code_released": { 28 "applies": true, 29 "answer": true, 30 "justification": "The abstract states 'Our code is released at https://github.com/fzwark/Secure_LLM_System' and provides a working URL." 31 }, 32 "data_released": { 33 "applies": true, 34 "answer": true, 35 "justification": "The paper uses publicly available benchmarks: InjectAgent (cited as [54]), and LangChain benchmarks for single tool, multiple tool, and relation data evaluation. The case study data (email content, file content) is fully reproduced in Appendices C.1–C.3." 36 }, 37 "environment_specified": { 38 "applies": true, 39 "answer": false, 40 "justification": "Appendix B.1 mentions hardware ('MacBook Pro equipped with an Apple M2 Pro chip, 12 cores, 16 GB') and libraries (OpenAI Python SDK, LangChain), but no requirements.txt, Dockerfile, or library version specifications are provided." 41 }, 42 "reproduction_instructions": { 43 "applies": true, 44 "answer": false, 45 "justification": "While code is released and detailed setup information is in Appendices B and C (including tool implementations in Figures 8–9 and the full system prompt), no step-by-step reproduction instructions or README-equivalent commands are provided in the paper." 46 } 47 }, 48 "statistical_methodology": { 49 "confidence_intervals_or_error_bars": { 50 "applies": true, 51 "answer": false, 52 "justification": "Tables 2, 3, and 4 report only point estimates. No confidence intervals, error bars, or ± notation appear anywhere in the results." 53 }, 54 "significance_tests": { 55 "applies": true, 56 "answer": false, 57 "justification": "The paper claims the f-secure system 'significantly outperforms' SecGPT (Section 7.2) and shows superiority over vanilla systems, but no statistical significance tests are applied to any comparison." 58 }, 59 "effect_sizes_reported": { 60 "applies": true, 61 "answer": true, 62 "justification": "Tables 2 and 3 report absolute performance numbers for all systems side by side, allowing computation of effect magnitudes. For example, Table 2 shows GPT-3.5 vanilla at 51.6% ASR vs f-secure at 0%, and Table 3 shows SecGPT at 26.44% step accuracy vs f-secure at 96.45% on multiple-tool usage." 63 }, 64 "sample_size_justified": { 65 "applies": true, 66 "answer": false, 67 "justification": "The InjectAgent benchmark contains 1054 test cases and the LangChain benchmarks are used as-is. No justification is provided for why these sample sizes are adequate for the claims being made." 68 }, 69 "variance_reported": { 70 "applies": true, 71 "answer": false, 72 "justification": "All results appear to be from single experimental runs. No standard deviations, variance across runs, or multi-seed results are reported in any table." 73 } 74 }, 75 "evaluation_design": { 76 "baselines_included": { 77 "applies": true, 78 "answer": true, 79 "justification": "The paper compares against two baselines: a vanilla ReAct-based LLM system implemented with LangChain, and SecGPT [44]. Both are evaluated on the same benchmarks and models." 80 }, 81 "baselines_contemporary": { 82 "applies": true, 83 "answer": true, 84 "justification": "SecGPT [44] is from 2024, and the vanilla ReAct-based system uses LangChain, both contemporary to the paper. These represent the current standard and the state-of-the-art defense respectively." 85 }, 86 "ablation_study": { 87 "applies": true, 88 "answer": false, 89 "justification": "The f-secure system has multiple components (planner/executor separation, SEPF format, security monitor, fine-grained filtering). No ablation study removes individual components to measure their contribution. The comparison with vanilla/SecGPT shows different systems, not systematic component removal." 90 }, 91 "multiple_metrics": { 92 "applies": true, 93 "answer": true, 94 "justification": "The paper uses three distinct metric types: Attack Success Rate (Table 2), Step Accuracy and Overall Accuracy (Table 3), and execution time breakdown (Table 4)." 95 }, 96 "human_evaluation": { 97 "applies": true, 98 "answer": false, 99 "justification": "All evaluation is automated. No human evaluation of system outputs, plan quality, or security effectiveness is conducted." 100 }, 101 "held_out_test_set": { 102 "applies": true, 103 "answer": true, 104 "justification": "The f-secure system has no training phase—it is a structural defense. The benchmarks (InjectAgent, LangChain tool-usage) are used purely for evaluation, with no tuning on these test sets." 105 }, 106 "per_category_breakdown": { 107 "applies": true, 108 "answer": true, 109 "justification": "Table 2 breaks results down by attack type (Direct Harm vs Data Stealing) and setting (Base vs Enhanced). Table 3 breaks down by benchmark type (Single Tool, Multiple Tool, Relation Data). Table 4 breaks down timing by operation type." 110 }, 111 "failure_cases_discussed": { 112 "applies": true, 113 "answer": true, 114 "justification": "Section 7.2 discusses where the f-secure system underperforms: 'when using GPT-3.5, the step accuracy for the f-secure LLM system is consistently higher than its overall accuracy across all benchmarks. This suggests that while the f-secure LLM system helps generate correct individual steps... it still faces challenges in consistently producing all the steps to achieve the final results when the deployed LLM is not that capable.'" 115 }, 116 "negative_results_reported": { 117 "applies": true, 118 "answer": true, 119 "justification": "Table 3 shows cases where the f-secure system underperforms the vanilla system: GPT-3.5 Multiple Tool overall accuracy (60% vs 80%), Claude-3.5-Sonnet Relation Data step accuracy (72.53% vs 85.39%). These degradations are reported transparently." 120 } 121 }, 122 "claims_and_evidence": { 123 "abstract_claims_supported": { 124 "applies": true, 125 "answer": true, 126 "justification": "The abstract claims 'robust security while preserving functionality and efficiency.' Table 2 shows 0% ASR (robust security), Table 3 shows maintained/improved accuracy (functionality), and Table 4 shows negligible overhead (efficiency). The formal proof (Theorem 6.2) supports the theoretical security guarantee." 127 }, 128 "causal_claims_justified": { 129 "applies": true, 130 "answer": true, 131 "justification": "The paper's central causal claim—that the IFC-based disaggregation prevents execution trace compromise—is supported by a formal proof (Theorem 6.2, full proof in Appendix A) showing that untrusted information cannot influence the execution trace. The structural nature of the defense provides controlled single-variable manipulation: the only difference between vanilla and f-secure is the security architecture." 132 }, 133 "generalization_bounded": { 134 "applies": true, 135 "answer": true, 136 "justification": "Section 3 (Threat Model) explicitly bounds what is in and out of scope: model-level attacks, facility vulnerabilities, and channel compromise are excluded. Section 9 (Limitations) further narrows claims by noting the defense does not protect against model-level attacks targeting the tool-LLM executor." 137 }, 138 "alternative_explanations_discussed": { 139 "applies": true, 140 "answer": false, 141 "justification": "The paper does not discuss alternative explanations for its positive results. It does not consider whether the 0% ASR could be an artifact of the benchmark's attack diversity, whether adaptive attacks could bypass the framework within its threat model, or whether the functionality improvements might be due to SEPF rather than the security mechanism." 142 }, 143 "proxy_outcome_distinction": { 144 "applies": true, 145 "answer": true, 146 "justification": "The paper measures attack success rate directly (whether the system executes attacker-intended steps), which is a direct measure of the claimed security property (execution trace non-compromise). The functionality metrics (step accuracy, overall accuracy) directly measure task correctness. No significant proxy gap exists between measurements and claims." 147 } 148 }, 149 "setup_transparency": { 150 "model_versions_specified": { 151 "applies": true, 152 "answer": true, 153 "justification": "Appendix B.1 specifies exact model versions: 'gpt-4-turbo-2024-04-09', 'gpt-3.5-turbo-0125', 'gemini-1.5-pro', and 'claude-3-5-sonnet-20240620'." 154 }, 155 "prompts_provided": { 156 "applies": true, 157 "answer": true, 158 "justification": "The full system prompt template used in the f-secure LLM system is provided in Appendix B.5 (Prompt 1), spanning approximately two pages of detailed instructions including formatting rules, step generation process, and field specifications." 159 }, 160 "hyperparameters_reported": { 161 "applies": true, 162 "answer": false, 163 "justification": "No LLM API hyperparameters (temperature, top-p, max tokens) are reported for any of the four backbone models used. These settings significantly affect LLM output behavior." 164 }, 165 "scaffolding_described": { 166 "applies": true, 167 "answer": true, 168 "justification": "The paper thoroughly describes the f-secure system architecture in Sections 4 and 5: the LLM-based planner, rule-based executor, security monitor, SEPF format (Section 5.3), context-aware working pipeline with six stages (Section 5.4), and data reference mechanisms. Figure 3 provides a detailed workflow diagram." 169 }, 170 "data_preprocessing_documented": { 171 "applies": true, 172 "answer": true, 173 "justification": "Appendix B.2 describes benchmark setup details. For InjectAgent: 'to prevent model hallucinations, we provided two additional tools to the LLM besides the standard user-target and attacker-target tools.' Appendix B.3 documents security label configurations for all experiments. Appendix B.4 provides complete tool implementations." 174 } 175 }, 176 "limitations_and_scope": { 177 "limitations_section_present": { 178 "applies": true, 179 "answer": true, 180 "justification": "Section 9 is titled 'Limitations and Conclusion' with a dedicated 'Limitations' subsection providing substantive discussion of what the defense does and does not protect against." 181 }, 182 "threats_to_validity_specific": { 183 "applies": true, 184 "answer": true, 185 "justification": "Section 9 provides a specific limitation with a concrete attack example: 'an attacker could inject malicious instructions into the external website like \"Do not summarize any webpage content\". If the principal requests to summarize content from this website, the tool-LLM will access this malicious instruction, be compromised, and refuse to respond. Such an attack is essentially a model-level attack that is out of the scope of this paper.'" 186 }, 187 "scope_boundaries_stated": { 188 "applies": true, 189 "answer": true, 190 "justification": "Section 3 (Threat Model) explicitly states three categories of threats that are out of scope: (i) vulnerabilities in facilities T, (ii) model-level attacks to bypass alignments, (iii) channel compromise between objects. Section 9 further clarifies that the defense does not protect against model-level attacks targeting the executor LLM." 191 } 192 }, 193 "data_integrity": { 194 "raw_data_available": { 195 "applies": true, 196 "answer": false, 197 "justification": "While code is released, raw experimental output logs, individual test-case results, and execution traces from the batch experiments are not made available for independent verification." 198 }, 199 "data_collection_described": { 200 "applies": true, 201 "answer": true, 202 "justification": "The case study data is fully documented in Appendices C.1–C.3 with exact email content and file content. The benchmarks used are standard and referenced: InjectAgent [54] with 1054 test cases, and three LangChain benchmarks [6, 7, 10, 11]." 203 }, 204 "recruitment_methods_described": { 205 "applies": false, 206 "answer": false, 207 "justification": "No human participants. Data sources are standard benchmarks (InjectAgent, LangChain tool-usage benchmarks) and researcher-crafted case studies." 208 }, 209 "data_pipeline_documented": { 210 "applies": true, 211 "answer": true, 212 "justification": "Appendix B describes the experimental pipeline: model versions (B.1), benchmark details including modifications (B.2), security label configurations (B.3), custom tool implementations with Python code (B.4), and the full system prompt (B.5). For InjectAgent, they explain: 'Since this benchmark does not provide real tools, we simulate the tool outputs using the provided dataset and treat all outputs as untrusted.'" 213 } 214 }, 215 "conflicts_of_interest": { 216 "funding_disclosed": { 217 "applies": true, 218 "answer": false, 219 "justification": "The acknowledgments thank Ruoyu Wang for 'insightful suggestions on the project and generous support for the project experiments' but no formal funding source, grant number, or funding agency is disclosed." 220 }, 221 "affiliations_disclosed": { 222 "applies": true, 223 "answer": true, 224 "justification": "All three authors are listed as affiliated with the University of Wisconsin-Madison. Since the paper evaluates no product from their institution, no conflict arises from the affiliation." 225 }, 226 "funder_independent_of_outcome": { 227 "applies": true, 228 "answer": false, 229 "justification": "Funding is not formally disclosed, so independence of the funder cannot be assessed. The acknowledgment of 'generous support for the project experiments' from an individual is not elaborated." 230 }, 231 "financial_interests_declared": { 232 "applies": true, 233 "answer": false, 234 "justification": "No competing interests statement or financial disclosure section is present in the paper." 235 } 236 }, 237 "contamination": { 238 "training_cutoff_stated": { 239 "applies": false, 240 "answer": false, 241 "justification": "This paper tests a system-level defense architecture, not model knowledge. The benchmarks evaluate whether the system can resist prompt injection attacks and correctly execute tool-usage tasks, not whether the model has memorized benchmark answers." 242 }, 243 "train_test_overlap_discussed": { 244 "applies": false, 245 "answer": false, 246 "justification": "The paper evaluates a structural defense framework, not model capabilities on a knowledge benchmark. Train/test overlap for the underlying LLM is not relevant to the security claims." 247 }, 248 "benchmark_contamination_addressed": { 249 "applies": false, 250 "answer": false, 251 "justification": "The benchmarks test system behavior under attack and correct tool usage, not model knowledge recall. Contamination of attack templates would not invalidate the structural defense guarantees." 252 } 253 }, 254 "human_studies": { 255 "pre_registered": { 256 "applies": false, 257 "answer": false, 258 "justification": "No human participants in any part of the study. All evaluation is automated using LLM systems and benchmarks." 259 }, 260 "irb_or_ethics_approval": { 261 "applies": false, 262 "answer": false, 263 "justification": "No human participants." 264 }, 265 "demographics_reported": { 266 "applies": false, 267 "answer": false, 268 "justification": "No human participants." 269 }, 270 "inclusion_exclusion_criteria": { 271 "applies": false, 272 "answer": false, 273 "justification": "No human participants." 274 }, 275 "randomization_described": { 276 "applies": false, 277 "answer": false, 278 "justification": "No human participants." 279 }, 280 "blinding_described": { 281 "applies": false, 282 "answer": false, 283 "justification": "No human participants." 284 }, 285 "attrition_reported": { 286 "applies": false, 287 "answer": false, 288 "justification": "No human participants." 289 } 290 }, 291 "cost_and_practicality": { 292 "inference_cost_reported": { 293 "applies": true, 294 "answer": true, 295 "justification": "Table 4 provides detailed execution time breakdowns in seconds for all three systems across all benchmarks and models, including step generation time, facility execution time, security check time, and step modification time." 296 }, 297 "compute_budget_stated": { 298 "applies": true, 299 "answer": false, 300 "justification": "Appendix B.1 mentions hardware ('MacBook Pro equipped with an Apple M2 Pro chip, 12 cores, 16 GB') but no total API spend, total experiment time, or aggregate compute budget is reported." 301 } 302 }, 303 "experimental_rigor": { 304 "seed_sensitivity_reported": { 305 "applies": true, 306 "answer": false, 307 "justification": "All results appear to be from single experimental runs. No multi-seed analysis is reported despite LLM outputs being stochastic." 308 }, 309 "number_of_runs_stated": { 310 "applies": true, 311 "answer": false, 312 "justification": "The paper does not state how many times each experiment was run. Results are presented as single numbers without indication of repetition." 313 }, 314 "hyperparameter_search_budget": { 315 "applies": true, 316 "answer": false, 317 "justification": "No hyperparameter search is reported. The system prompt template and configuration appear fixed, but no budget for prompt engineering or configuration tuning is disclosed." 318 }, 319 "best_config_selection_justified": { 320 "applies": true, 321 "answer": false, 322 "justification": "The final system configuration (prompt template, security labels) appears to be presented without discussion of how it was selected or what alternatives were tried." 323 }, 324 "multiple_comparison_correction": { 325 "applies": true, 326 "answer": false, 327 "justification": "Comparisons are made across 4 models × 3 benchmarks × 3 systems with no correction for multiple comparisons. No statistical tests are used at all." 328 }, 329 "self_comparison_bias_addressed": { 330 "applies": true, 331 "answer": false, 332 "justification": "The authors implement both the f-secure system and the vanilla ReAct baseline themselves. No acknowledgment of potential bias in implementing competing systems, as noted by Lucic et al. (2018)." 333 }, 334 "compute_budget_vs_performance": { 335 "applies": true, 336 "answer": false, 337 "justification": "While Table 4 reports timing breakdowns, performance is not shown as a function of compute budget. The f-secure system's step generation can be slower than vanilla for some models, but this is not analyzed as a performance-compute tradeoff." 338 }, 339 "benchmark_construct_validity": { 340 "applies": true, 341 "answer": false, 342 "justification": "The paper uses InjectAgent for security evaluation and LangChain benchmarks for functionality without discussing whether these benchmarks adequately capture real-world LLM system security threats or tool-usage complexity." 343 }, 344 "scaffold_confound_addressed": { 345 "applies": true, 346 "answer": true, 347 "justification": "When comparing across models (rows in Tables 2–4), the same system architecture is used for each model. The comparison between f-secure and vanilla/SecGPT is inherently a scaffold comparison by design—the scaffold IS the independent variable being evaluated." 348 } 349 }, 350 "data_leakage": { 351 "temporal_leakage_addressed": { 352 "applies": true, 353 "answer": false, 354 "justification": "No discussion of whether InjectAgent attack templates or LangChain benchmark test cases existed before the training data cutoff of the backbone models." 355 }, 356 "feature_leakage_addressed": { 357 "applies": true, 358 "answer": false, 359 "justification": "No discussion of whether the evaluation setup leaks information that would not be available in real deployment scenarios." 360 }, 361 "non_independence_addressed": { 362 "applies": true, 363 "answer": false, 364 "justification": "No analysis of whether InjectAgent test cases share structural similarities or templates that could inflate apparent generalization." 365 }, 366 "leakage_detection_method": { 367 "applies": true, 368 "answer": false, 369 "justification": "No concrete leakage detection or prevention method is applied to any of the benchmarks used." 370 } 371 } 372 }, 373 "claims": [ 374 { 375 "claim": "The f-secure LLM system achieves 0% attack success rate on all InjectAgent attacks across all four backbone models and both attack settings.", 376 "evidence": "Table 2 shows 0% ASR for GPT-3.5 Turbo, GPT-4 Turbo, Gemini-1.5-pro, and Claude-3.5-Sonnet across base and enhanced settings for both direct harm and data stealing, compared to 1.1%–67.4% ASR for vanilla systems.", 377 "supported": "strong" 378 }, 379 { 380 "claim": "The f-secure LLM system preserves ι-execution trace non-compromise, meaning untrusted information cannot influence the execution plan.", 381 "evidence": "Theorem 6.2 with a complete formal proof in Appendix A, analyzing security through both the planning stage (Equations 7–13) and execution stage (Equations 14–15).", 382 "supported": "strong" 383 }, 384 { 385 "claim": "The f-secure LLM system maintains or improves execution correctness compared to vanilla LLM systems and significantly outperforms SecGPT.", 386 "evidence": "Table 3 shows the f-secure system matches or improves step/overall accuracy in most benchmark-model combinations vs vanilla. It substantially outperforms SecGPT, e.g., GPT-3.5 Multiple Tool: 96.45% vs 26.44% step accuracy. However, some regressions exist, e.g., GPT-3.5 Multiple Tool overall accuracy: 60% vs 80% for vanilla.", 387 "supported": "moderate" 388 }, 389 { 390 "claim": "The security mechanisms in the f-secure LLM system introduce negligible runtime overhead.", 391 "evidence": "Table 4 shows step security check and step modification times are approximately 0.0001× the step generation cost. However, step generation time is slightly higher than vanilla for GPT-3.5 and GPT-4 models due to longer input prompts.", 392 "supported": "moderate" 393 }, 394 { 395 "claim": "SecGPT fails to protect against in-app execution trace compromise in all three attack cases.", 396 "evidence": "Figures 5–7 and Appendix C show detailed execution traces where SecGPT is compromised in one-step, chain-based, and conditional attack scenarios, while the f-secure system defends successfully.", 397 "supported": "strong" 398 } 399 ], 400 "red_flags": [ 401 { 402 "flag": "No variance or uncertainty quantification", 403 "detail": "All experiments appear to be single-run with no standard deviations, confidence intervals, or multi-seed results reported. LLM outputs are inherently stochastic, and the execution traces could vary across runs. The 0% ASR claim is particularly sensitive to this—even a single success across multiple runs would change the result." 404 }, 405 { 406 "flag": "Limited attack diversity in security evaluation", 407 "detail": "Security evaluation relies on one benchmark (InjectAgent) with two attack types and three hand-crafted case studies. No adaptive attacks that specifically target the IFC framework are tested, such as attacks that exploit the executor without needing planner compromise, or attacks that encode information in trusted output structure." 408 }, 409 { 410 "flag": "No ablation of defense components", 411 "detail": "The system has multiple components (planner/executor separation, SEPF, security monitor, fine-grained filtering) but no ablation shows which components are necessary or sufficient. The functionality improvements could be due to SEPF format rather than the security mechanism." 412 } 413 ], 414 "cited_papers": [ 415 { 416 "title": "SecGPT: An Execution Isolation Architecture for LLM-Based Systems", 417 "authors": ["Yuhao Wu", "Franziska Roesner", "Tadayoshi Kohno", "Ning Zhang", "Umar Iqbal"], 418 "year": 2024, 419 "arxiv_id": "2403.04960", 420 "relevance": "Most directly comparable defense system for LLM system security, which the paper benchmarks against and shows fails to protect against in-app execution trace compromise." 421 }, 422 { 423 "title": "InjecAgent: Benchmarking Indirect Prompt Injections in Tool-Integrated Large Language Model Agents", 424 "authors": ["Qiusi Zhan", "Zhixiang Liang", "Zifan Ying", "Daniel Kang"], 425 "year": 2024, 426 "relevance": "Primary security evaluation benchmark used in the paper, with 1054 test cases for indirect prompt injection attacks." 427 }, 428 { 429 "title": "Not What You've Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection", 430 "authors": ["Kai Greshake", "Sahar Abdelnabi", "Shailesh Mishra", "Christoph Endres", "Thorsten Holz", "Mario Fritz"], 431 "year": 2023, 432 "arxiv_id": "2302.12173", 433 "relevance": "Foundational work demonstrating indirect prompt injection attacks against LLM-integrated applications, which this paper defends against." 434 }, 435 { 436 "title": "Prompt Injection Attack against LLM-Integrated Applications", 437 "authors": ["Yi Liu", "Gelei Deng", "Yuekang Li", "Kailong Wang", "Tianwei Zhang", "Yepang Liu", "Haoyu Wang", "Yan Zheng", "Yang Liu"], 438 "year": 2023, 439 "arxiv_id": "2306.05499", 440 "relevance": "Characterizes prompt injection attacks against LLM-integrated applications, part of the threat landscape this paper addresses." 441 }, 442 { 443 "title": "Prompt Injection Attacks and Defenses in LLM-Integrated Applications", 444 "authors": ["Yupei Liu", "Yuqi Jia", "Runpeng Geng", "Jinyuan Jia", "Neil Zhenqiang Gong"], 445 "year": 2023, 446 "arxiv_id": "2310.12815", 447 "relevance": "Studies both attacks and defenses for prompt injection in LLM applications, providing context for the defense landscape." 448 }, 449 { 450 "title": "StruQ: Defending Against Prompt Injection with Structured Queries", 451 "authors": ["Sizhe Chen", "Julien Piet", "Chawin Sitawarin", "David Wagner"], 452 "year": 2024, 453 "relevance": "Model-level defense against prompt injection via structured queries, contrasting with this paper's system-level approach." 454 }, 455 { 456 "title": "A New Era in LLM Security: Exploring Security Concerns in Real-World LLM-Based Systems", 457 "authors": ["Fangzhou Wu", "Ning Zhang", "Somesh Jha", "Patrick McDaniel", "Chaowei Xiao"], 458 "year": 2024, 459 "relevance": "Prior work from the same first author that introduces the information flow control framework for analyzing LLM system security." 460 }, 461 { 462 "title": "ReAct: Synergizing Reasoning and Acting in Language Models", 463 "authors": ["Shunyu Yao", "Jeffrey Zhao", "Dian Yu", "Nan Du", "Izhak Shafran", "Karthik Narasimhan", "Yuan Cao"], 464 "year": 2023, 465 "relevance": "The ReAct agent framework is the baseline system architecture that the paper's defense modifies and evaluates against." 466 }, 467 { 468 "title": "LLM Platform Security: Applying a Systematic Evaluation Framework to OpenAI's ChatGPT Plugins", 469 "authors": ["Umar Iqbal", "Tadayoshi Kohno", "Franziska Roesner"], 470 "year": 2023, 471 "arxiv_id": "2309.10254", 472 "relevance": "Studies security of the ChatGPT plugin ecosystem, relevant to understanding LLM system security threats." 473 }, 474 { 475 "title": "Tensor Trust: Interpretable Prompt Injection Attacks from an Online Game", 476 "authors": ["Sam Toyer", "Olivia Watkins", "Ethan Adrian Mendes", "Justin Svegliato", "Luke Bailey", "Tiffany Wang", "Isaac Ong", "Karim Elmaaroufi", "Pieter Abbeel", "Trevor Darrell", "Alan Ritter", "Stuart Russell"], 477 "year": 2023, 478 "arxiv_id": "2311.01011", 479 "relevance": "Gamified dataset of prompt injection attacks and defenses, relevant to understanding attack diversity." 480 }, 481 { 482 "title": "Jatmo: Prompt Injection Defense by Task-Specific Finetuning", 483 "authors": ["Julien Piet", "Maha Alrashed", "Chawin Sitawarin", "Sizhe Chen", "Zeming Wei", "Elizabeth Sun", "Basel Alomair", "David Wagner"], 484 "year": 2024, 485 "arxiv_id": "2312.17673", 486 "relevance": "Model-level defense against prompt injection via fine-tuning, representing the class of defenses this paper argues are insufficient." 487 }, 488 { 489 "title": "AgentBench: Evaluating LLMs as Agents", 490 "authors": ["Xiao Liu", "Hao Yu", "Hanchen Zhang"], 491 "year": 2023, 492 "arxiv_id": "2308.03688", 493 "relevance": "Benchmark for evaluating LLM agents across diverse environments, relevant to understanding agent capability evaluation." 494 }, 495 { 496 "title": "Benchmarking and Defending Against Indirect Prompt Injection Attacks on Large Language Models", 497 "authors": ["Jingwei Yi", "Yueqi Xie", "Bin Zhu", "Keegan Hines", "Emre Kiciman", "Guangzhong Sun", "Xing Xie", "Fangzhao Wu"], 498 "year": 2023, 499 "arxiv_id": "2312.14197", 500 "relevance": "Benchmarks and defenses for indirect prompt injection, directly relevant to the attack class this paper addresses." 501 } 502 ], 503 "engagement_factors": { 504 "practical_relevance": { 505 "score": 2, 506 "justification": "The f-secure framework with released code could be adapted by practitioners building LLM-based systems, though it requires significant architectural changes rather than being a drop-in solution." 507 }, 508 "surprise_contrarian": { 509 "score": 1, 510 "justification": "The idea that structural separation beats model-level defenses aligns with established security principles (separation of privilege), so it confirms rather than challenges conventional wisdom in security." 511 }, 512 "fear_safety": { 513 "score": 2, 514 "justification": "The paper vividly demonstrates how easily vanilla LLM systems can be compromised to leak private data or delete files, raising concerns about deployed LLM agents." 515 }, 516 "drama_conflict": { 517 "score": 1, 518 "justification": "The paper demonstrates that SecGPT fails to defend against in-app attacks, which could be seen as calling out a competing approach, but this is presented in an academic rather than dramatic framing." 519 }, 520 "demo_ability": { 521 "score": 2, 522 "justification": "Code is released at GitHub with tool implementations and prompts provided, allowing replication though it requires API keys and benchmark setup." 523 }, 524 "brand_recognition": { 525 "score": 0, 526 "justification": "University of Wisconsin-Madison is a reputable university but not a famous AI lab; none of the authors are widely recognized names in the broader tech community." 527 } 528 } 529 }