LMVD-ID: 7bcb1563
Published February 1, 2025

AP-Test Guardrail Identification

prompt-layer
jailbreak
extraction
blackbox
safety
application-layer
Affected Models:gpt-4o, llama 3.1, gemini 2-9b, chatgpt, llamaguard, llamaguard2, llamaguard3, aegisdefensive, aegispermissive, shieldgemma-2b, shieldgemma-9b, shieldgemma-27b, perspective, gpt4o

Research Paper

Peering Behind the Shield: Guardrail Identification in Large Language Models

View Paper

Description: This vulnerability allows attackers to identify the presence and location (input or output stage) of specific guardrails implemented in Large Language Models (LLMs) by using carefully crafted adversarial prompts. The attack, termed AP-Test, leverages a tailored loss function to optimize these prompts, maximizing the likelihood of triggering a specific guardrail while minimizing triggering others. Successful identification provides attackers with valuable information to design more effective attacks that evade the identified guardrails.

Examples: The paper provides examples of adversarial prompts designed to trigger specific guardrails (WildGuard, LlamaGuard, LlamaGuard2, LlamaGuard3). See arXiv:2405.18540 for the specific experimental setups, adversarial prompts, and results.

Impact: Successful exploitation allows attackers to:

  • Bypass guardrails: Crafting more effective attacks that evade the identified guardrails.
  • Improve attack efficiency: Focusing attacks only on vulnerabilities not protected by guardrails.
  • Compromise LLM safety: Leading to the generation of unsafe or harmful content.

Affected Systems: Large Language Models (LLMs) utilizing any of the affected guardrails (WildGuard, LlamaGuard, LlamaGuard2, LlamaGuard3, AegisDefensive, AegisPermissive, ShieldGemma variants, Perspective API, GPT-4o) are vulnerable. The vulnerability is applicable to any system using these guardrails within a black-box setting, where the internal workings of the agent are not known.

Mitigation Steps:

  • Guardrail obfuscation: Implement techniques to mask the functionality and parameters of the guardrails.
  • Diverse defense mechanisms: Employ multiple, independent guardrail types and mechanisms to reduce the impact of successful identification.
  • Adversarial training: Train LLMs and guardrails against the types of adversarial prompts used in AP-Test.
  • Regular security audits: Conduct security audits and red teaming exercises to proactively identify and address potential vulnerabilities.
  • Input sanitization Implement robust input validation and sanitization to limit the impact of adversarial prompts.
  • Output validation: Validate responses from the LLM before returning them to users to detect and mitigate unsafe content generation.

© 2025 Promptfoo. All rights reserved.