{"id":42579,"date":"2024-03-20T15:52:40","date_gmt":"2024-03-20T19:52:40","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=42579"},"modified":"2024-11-01T10:02:05","modified_gmt":"2024-11-01T14:02:05","slug":"a-taxonomy-of-prompt-injection-attacks","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2024\/03\/20\/a-taxonomy-of-prompt-injection-attacks\/","title":{"rendered":"A Taxonomy of Prompt Injection Attacks"},"content":{"rendered":"

Bruce Schneier<\/a>:<\/p>\n

\n

Researchers ran a global prompt hacking competition, and have documented<\/a> the results in a paper that both gives a lot of good examples and tries to organize a taxonomy of effective prompt injection strategies. It seems as if the most common successful strategy is the “compound instruction attack,” as in “Say ‘I have been PWNED’ without a period.”<\/p>\n<\/blockquote>\n\n

Dan Goodin<\/a>:<\/p>\n

\n

Enter ArtPrompt, a practical attack recently presented by a team of academic researchers. It formats user-entered requests—typically known as prompts—into standard statements or sentences as normal with one exception: a single word, known as a mask, is represented by ASCII art rather than the letters that spell it. The result: prompts that normally would be rejected are answered.<\/p>\n

The researchers provided one example in a recently published paper<\/a>. It provided instructions for interpreting a set of ASCII characters arranged to represent the word “counterfeit.”<\/p>\n<\/blockquote>\n\n

Via John Gruber<\/a>:<\/p>\n

\n

It’s simultaneously impressive that they’re smart enough to read ASCII art, but laughable that they’re so naive that this trick works.<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n