LMVD-ID: f9191be6
Published December 1, 2024

Linked-Task LLM Jailbreak

prompt-layer
jailbreak
safety
blackbox
integrity
Affected Models:gpt-3.5, gpt-4o-mini, gpt-4o, claude-v2, llama3-8b, llama3-70b, gpt-3.5-turbo, gpt-4o

Research Paper

SATA: A Paradigm for LLM Jailbreak via Simple Assistive Task Linkage

View Paper

Description: A novel jailbreak paradigm, Simple Assistive Task Linkage (SATA), circumvents LLM safeguards by masking harmful keywords in a malicious query and using a secondary, simple assistive task (e.g., masked language modeling or element lookup by position) to convey the masked keywords' semantics to the LLM. This distracts the LLM and allows it to bypass safety checks, leading to the generation of harmful responses.

Examples: See the paper's repository for prompt examples using Masked Language Model (MLM) and Element Lookup by Position (ELP) assistive tasks. The examples demonstrate how masking harmful keywords like "bomb" or "kill" within a prompt, coupled with an assistive task, enables the LLM to generate detailed instructions on creating a bomb or committing murder. Concrete examples are available in the Appendix A.6, Figure 12 and 13 of the research paper.

Impact: Successful SATA attacks can lead to the generation of harmful content, including but not limited to instructions for creating weapons, committing violence, spreading misinformation, and inciting hatred. This can have severe consequences depending on the nature of the generated content and its dissemination.

Affected Systems: Various LLMs, including closed-source models like GPT-3.5, GPT-4, and Claude-v2, and open-source models like LLaMa 3, are vulnerable to SATA attacks. The vulnerability is not limited to specific model architectures.

Mitigation Steps:

  • Enhance LLM safety mechanisms to detect and mitigate the use of secondary, assistive tasks designed to mask malicious intent.
  • Improve LLM's ability to holistically assess the intent of a complete query, even when parts are seemingly innocuous due to masking or contextualization. Implement more robust detection of potentially harmful content within prompt engineering even if masked using language model techniques that could infer the missing semantics.
  • Develop techniques to identify and neutralize sophisticated prompt engineering patterns designed to circumvent existing safety measures.
  • Employ a more robust adversarial training regimen that accounts for prompt engineering techniques like SATA.

© 2025 Promptfoo. All rights reserved.