10mo ago

in absolutely the funniest outcome so far, you can send data to an LLM that pops a Remote Code Execution vulnerability

mastodon.social Kenn White (@kennwhite@mastodon.social)

Attached: 3 images Incredible research at BlackHat Asia today by Tong Liu and team from the Institute of Information Engineering, Chinese Academy of Sciences (在iie.ac.cn 的电子邮件经过验证) A dozen+ RCEs on popular LLM framework libraries like LangChain and LlamaIndex - used in lots of chat-assisted apps i...

courtesy @self

preprint: https://arxiv.org/pdf/2309.02926
blackhat abstract: https://www.blackhat.com/asia-24/briefings/schedule/index.html#llmshell-discovering-and-exploiting-rce-vulnerabilities-in-real-world-llm-integrated-frameworks-and-apps-37215
Tong Liu's related research: https://scholar.google.com/citations?hl=en&user=egWPi_IAAAAJ

can't wait for the crypto spammers to hit every web page with a ChatGPT prompt. AI vs Crypto: whoever loses, we win

Security @lemmy.ml

☆ Yσɠƚԋσʂ ☆ @lemmy.ml

11mo ago

A dozen+ RCEs on popular LLM framework libraries like LangChain and LlamaIndex - used in lots of chat-assisted apps including GitHub

mastodon.social /@kennwhite/112290497758846218

4 0

5 comments

the inputs required to cause this are so basic, I really want to dig in and find out if this is a stupid attempt to make the LLM better at evaluating code (by doing a lazy match on the input for “evaluate” and using the LLM to guess the language) or intern-level bad code in the frameworks that integrate the LLM with the hosting websites. both paths are pretty fucking embarrassing mistakes for supposedly world-class researchers to make, though the first option points to a pretty hilarious amount of cheating going on when LLMs are supposedly evaluating and analyzing code in-model.
- It's quite common for LLMs to make use of agents for retrieving factual information, because the text processing is just garbage for that.
  For example, basic maths is not something you can do with just text generation.
  So, you hook up some API or similar and then tell the LLM before the user prompt: "For calculating maths, send it to the API at https://example.com/calc and use the response as a result."
  The LLM can figure out the semantics, so if the user asks to "compute" something or just writes "3 + 5", it will recognize that this is maths and it will usually make the right decision to use the API provided.
  Obviously, the specifics will be a bit more complex. You might need to give it an OpenAPI definition and tell it to generate an OpenAPI-compatible request, or maybe even offer it a simple script that it can just pass the "3 + 5" to and that does the request.
  Basically, the more work you take away from the LLM, the more reliable everything will work.
  It's also quite common to tell your LLM to just send the prompt to Google/Bing/whatever Search and then use the first 5 results as the basis for its response. This is especially necessary for recent information.
  
  you appear to be posting this in good faith so I won't start at my usual level, but .. what? do you realize that you didn't make a substantive contribution to the particular thing observed here, which is that somewhere in the mishmash dogshit that is popular LLM hosting there are reliable ways to RCE it with inputs? I think maybe (maybe!) you meant to, but you didn't really touch on it at all
  other than that:
  Basically, the more work you take away from the LLM, the more reliable everything will work.
  people here are aware, yes, and it stays continually entertaining