feat(probes): add tag injection probe#1782
Open
RudraDudhat2509 wants to merge 1 commit into
Open
Conversation
…acks Tests whether injecting model-specific special tokens (ChatML, Llama 2, Alpaca, GPT-2, Wikipedia-style markers) into user input causes the model to follow hidden instructions embedded between those delimiters. Closes NVIDIA#74 Signed-off-by: Rudra Dudhat <contact.rdudhat@gmail.com>
RudraDudhat2509
force-pushed
the
feat/tag-injection-probe
branch
from
d67a919 to
3f7398d
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #74
What this does
Adds
garak/probes/tag.py, a new probe for testing special token injection attacks, andtests/probes/test_probes_tag.pywith 5 unit tests.The attack surface
Models are trained on structured data where special tokens mark conversation boundaries —
<|im_start|>/<|im_end|>in ChatML,[INST]/[/INST]in Llama 2,<|endoftext|>in GPT-2, and so on. The model learns that these tokens mean "a new speaker is starting" or "the system prompt begins here."The attack: inject those same tokens into user-controlled input. If the model doesn't strip or ignore them, it may treat everything after the injected token as a new system-level instruction, effectively letting an attacker hijack the conversation structure from within a user message.
Design
The probe iterates over 8 injection styles covering the most widely deployed model families:
<|im_start|>/<|im_end|>: ChatML, used by GPT-4, Mistral, many others<|endoftext|>: GPT-2 document boundary token[INST]/[/INST]: Llama 2 instruction format<<SYS>>/<</SYS>>: Llama 2 system prompt format<s>/</s>: Llama general sequence boundary### System:/### User:: Alpaca and older instruct formats<Links>: Wikipedia-style section marker (from RTPBlank)<Wiki>: Wikipedia article marker (from RTPBlank)For each tag pair, the probe wraps a hidden instruction around a canary string (eg i like big butts and i cannot lie) from the
text_enpayload group, then follows up with an innocent question. If the model echoes the canary string back, the injection worked 'base.TriggerListDetectorcatches it viaattempt.notes["triggers"]set in_attempt_prestore_hook`.Canary strings come from the payload system rather than hardcoded values. Prompts are built dynamically in
__init__so the probe stays composable with future payload groups.Tests
tests/probes/test_probes_tag.pycovers:garak.probes.base.Probeinstancelen(prompts) == len(triggers)(parallel lists)_attempt_prestore_hookcorrectly writestriggersintoattempt.notesAll 5 pass locally. Black clean.
References