LMVD-ID: 77fd1d24
Published July 1, 2024

Direct Parameter Jailbreak

model-layer
whitebox
jailbreak
extraction
data-security
safety
integrity
Affected Models:llama2-7b, llama2-7b-chat, codellama-7b, mistral-v0.1-7b

Research Paper

Model Surgery: Modulating LLM's Behavior Via Simple Parameter Editing

View Paper

Description: A vulnerability exists in large language models (LLMs) where a small subset of parameters can be directly edited to significantly alter the model's behavior, such as inducing or suppressing toxicity, jailbreaking susceptibility, or altering sentiment expression. This manipulation is achieved through training a linear classifier ("behavior probe") to identify parameters strongly correlated with the target behavior and then modifying those parameters, bypassing standard retraining methods.

Examples: See https://github.com/lucywang720/model-surgery. The repository contains code and data demonstrating the modification of LLaMA2-7B and other models to reduce toxicity, increase resistance to jailbreaking prompts, and shift sentiment expression. Specific examples of altered outputs for various prompts are included in the Appendix of the research paper.

Impact: An attacker with knowledge of the model's architecture and access to a subset of its parameters could:

  • Inject malicious behavior into the LLM, causing it to generate toxic, harmful, or biased content.
  • Circumvent safety measures designed to prevent jailbreaking attempts.
  • Manipulate the sentiment or overall tone of the LLM's responses.
  • Potentially create models that exhibit unintended or undesirable behaviors not present in the original model.

Affected Systems: Large language models (LLMs) using transformer architectures, including but not limited to LLaMA 2, CodeLLaMA, and Mistral, are vulnerable. The vulnerability's severity depends on the model's size, architecture, and the attacker's level of access to its parameters.

Mitigation Steps:

  • Parameter Protection: Implement robust access controls and encryption to prevent unauthorized access to the LLM's parameters. This includes controlling both read and write access.
  • Regular Audits: Conduct comprehensive audits of the LLM's parameters to detect any unauthorized modifications or anomalies.
  • Parameter Integrity Checks: Develop methods to regularly verify the integrity of the model’s parameters, comparing them against a known good baseline. This could involve cryptographic hashes or similar techniques.
  • Defense Mechanisms: Explore and implement defensive techniques to counter parameter manipulation, possibly employing techniques such as parameter obfuscation or watermarking.
  • Robust Model Training: Develop more robust training methods that make the models less susceptible to simple parameter-based modifications. This may require moving beyond the current linear-separability characteristics.

© 2025 Promptfoo. All rights reserved.