LLM Prompt Self-Replication - AI Security Technique
AI Security TechniqueAn adversary may use a carefully crafted LLM Prompt Injection designed to cause the LLM to replicate the prompt as part of its output. This allows the prompt to propagate to other LLMs and persist on the system. The self-replicating prompt is typically paired with other malicious instructions (ex: LLM Jailbreak, LLM Data Leakage).
Overview
A source-backed snapshot of this AI security technique.
Technique details
Identifiers, maturity, and source taxonomy for this technique.
- ATLAS ID
- AML.T0061
- Maturity
- demonstrated
- Priority score
- 159
Attack flow
How to read the public records connected to this technique.
Impact
Why this technique may deserve attention in the current dataset.
- Evidence leveldemonstrated
- Mapped defenses3 ATLAS mitigation records
- Public examples1 linked case study records
- Research risks24 related MIT AI Risk records above the confidence threshold
- Vulnerabilities0 linked CVE records
Mitigations
Defenses that may help against this attack.
AML.M0020 - Generative AI Guardrails
Guardrails can help prevent replication attacks in model inputs and outputs.
AML.M0021 - Generative AI Guidelines
Guidelines can help instruct the model to produce more secure output, preventing the model from generating self-replicating outputs.
AML.M0022 - Generative AI Model Alignment
Model alignment can increase the security of models to self replicating prompt attacks.
Case studies
Examples from public reports and exercises.
Morris II Worm: RAG-Based Attack
Researchers developed Morris II, a zero-click worm designed to attack generative AI (GenAI) ecosystems and propagate between connected GenAI systems. The worm uses an adversarial self-replicating prompt which uses prompt injection to replicate the prompt as output and perform malicious activity. The researchers demonstrate how this worm can propagate through an email system with a RAG-based assistant. They use a target system that automatically ingests received emails, retrieves past correspondences, and generates a reply for the user. To carry out the attack, they send a malicious email containing the adversarial self-replicating prompt, which ends up in the RAG database. The malicious instructions in the prompt tell the assistant to include sensitive user data in the response. Future requests to the email assistant may retrieve the malicious email. This leads to propagation of the worm due to the self-replicating portion of the prompt, as well as leaking private information due to the malicious instructions.
Source evidence
Original public records and references for this page.
Original source
Original source links
Open the public records and source datasets used for this page.
