LLM01: deduplication and targeted compression pass#116
LLM01: deduplication and targeted compression pass#116virtualsteve-star wants to merge 2 commits into
Conversation
Each recurring incident and statistic now appears in full exactly once, with pointers replacing the repeat tellings. No wording, structure, or scope changes outside the duplicated passages. 3,083 -> 2,930 words. Citation closure unchanged (Toulas cite moves to Scenario #9 with the postmark narration). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Extends the dedup pass per project-lead review: fun-tuning outcome bullet (retold as Common Example #7) deleted, lethal-trifecta explanation folded into mitigation #8 where the Rule of Two defines the same three legs, two overlapping outcome bullets merged, the inherited 2025 jailbreaking paragraph cut to two sentences, trust-tier example lists trimmed, opening input inventory shortened. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Scope update: after project-lead review this PR now also carries the concept-level dedup (fun-tuning bullet, trifecta fold-in, outcome-bullet merge) and three light compressions of inherited 2025 wording. The body above has the full item tables. Still deliberately out of scope: mitigation-list consolidation, scenario-count reduction, and any restructuring of the taxonomy. |
|
@rocklambros @cybershujin — here's something to consider. This PR stops deliberately short of one more step, and I want to put it in front of you rather than in the diff. The mitigation list still has eleven controls, several differing mainly in granularity, and the current numbering interleaves two strategies (reducing injection success vs. containing the consequences). The consolidated version would look like this: Reduce injection success
Contain the consequences
Test the whole defense
Net: 11 → 8 controls in three honestly-labeled groups, roughly 150–200 further words, and the list fits on one screen. Costs, stated plainly: it renumbers the list, so the entry's three internal cross-references get updated in the same diff, and anyone externally citing RC1 control numbers needs the old→new map above. My view: I think this is cleaner, and it's the last piece of my RC1 review that hasn't landed. But I won't die on this hill — the entry is already in good shape after this PR, and control-number stability through the RC is a legitimate reason to say no. If either of you wants it, say the word and it arrives as its own PR with the number map in the body; if not, it dies here and the 2027 cycle inherits the idea. |
| ### Description | ||
|
|
||
| A **prompt-injection vulnerability** occurs when input to a large language model (LLM), whether direct user input, retrieved documents, tool output, image, audio, or video content, intermediate reasoning, or persistent memory, alters the model's behavior in ways the application developer did not intend. LLMs make no architectural distinction between "instructions" and "data" (both are tokens on the same stream), so there is no clean equivalent to parameterized queries (NCSC, 2025). Inputs need not be human-readable, need not arrive directly from a user, and need not be visible in the rendered interface to influence the model. | ||
| A **prompt-injection vulnerability** occurs when input to a large language model (LLM), whether user text, retrieved content, tool output, media, intermediate reasoning, or persistent memory, alters the model's behavior in ways the application developer did not intend. LLMs make no architectural distinction between "instructions" and "data" (both are tokens on the same stream), so there is no clean equivalent to parameterized queries (NCSC, 2025). Inputs need not be human-readable, need not arrive directly from a user, and need not be visible in the rendered interface to influence the model. |
There was a problem hiding this comment.
I want to retain "direct" in user input and "image, audio or video"
Technically speaking indirect prompt injection can still retrieve user input, we want to distinguish the two. It is also relevant that we make sure that we explain that media means all those versions. People might think "media" means "new media" and not specifically audio, image or video. Also relevant to understanding the multi-modal prompt injection "spread" across multiple media elements.
ok with the change from "documents" to "content" however.
cybershujin
left a comment
There was a problem hiding this comment.
Thanks @virtualsteve-star — I'm on board with the dedup/compression pass overall; most of it is a clear improvement and I'm accepting it wholesale except for five specific retains. Inline comments have the detail:
- Description opening — keep "direct user input" and the explicit "image, audio, or video content" rather than "user text" / "media". "direct" distinguishes it from indirect injection, and "media" reads ambiguously (people may read it as "new media"). The documents → content change is good.
- Untrusted surfaces — "emails from unknown senders" rather than "unknown-sender email" (clearer, more common phrasing).
- Semi-trusted surfaces — please retain "changelogs" alongside READMEs; it was a specific in-the-wild vector and behaves differently from a README (people don't usually read changelogs but they do read READMEs).
- Mitigation preamble — keep the full "lethal trifecta" (Willison, 2025) sentence here, where it frames the problem, distinct from its use to define a control in mitigation #8.
- Mitigation #8 — the "(see Scenario #8)" swap is great; please drop the compacted trifecta restatement here, since it now stays in the preamble.
Everything else — accepted. To save a round-trip, I've opened #123, which is your pass verbatim plus exactly these five retains (co-authored to you), so it can go straight into release-candidate-1. Happy to use whichever of the two is easier for the maintainers.
| * **Untrusted surfaces.** Public web pages, emails from unknown senders, public files, search results. Defenders must generally treat anything from these sources as suspicious. Most prompt-injection research has focused here. | ||
| * **Semi-trusted surfaces.** Issue titles in a public bug tracker, package READMEs and changelogs, third-party API responses, content the user chose to retrieve but did not author. The user trusts the platform but not necessarily individual contributors. | ||
| * **Trusted surfaces.** Code in a repository the developer owns, rows in the developer's own production database, internal documents, the user's own emails or calendar, content authored by colleagues. The developer may not realize an attacker has placed content here, perhaps via an unrelated upstream vector such as a public bug-report form or a customer-facing input. | ||
| * **Untrusted surfaces.** Public web pages, unknown-sender email, search results. Defenders must treat anything from these sources as suspicious. Most prompt-injection research has focused here. |
There was a problem hiding this comment.
Changing "emails form unknown-senders" to "unknown-sender email" feels a bit confusing. "Unknown-sender email" is not a common term and I'm worried will be confusing.
| * **Semi-trusted surfaces.** Issue titles in a public bug tracker, package READMEs and changelogs, third-party API responses, content the user chose to retrieve but did not author. The user trusts the platform but not necessarily individual contributors. | ||
| * **Trusted surfaces.** Code in a repository the developer owns, rows in the developer's own production database, internal documents, the user's own emails or calendar, content authored by colleagues. The developer may not realize an attacker has placed content here, perhaps via an unrelated upstream vector such as a public bug-report form or a customer-facing input. | ||
| * **Untrusted surfaces.** Public web pages, unknown-sender email, search results. Defenders must treat anything from these sources as suspicious. Most prompt-injection research has focused here. | ||
| * **Semi-trusted surfaces.** Issue titles in a public bug tracker, package READMEs, third-party API responses: content the user chose to retrieve but did not author. The user trusts the platform but not necessarily individual contributors. |
There was a problem hiding this comment.
I would like to retain changelogs as this was a very specific in the wild example, and it is different than readme in terms of people do not typically read the changelog but they DO read the README
| Prompt injection is intrinsic to current generative AI: LLMs make no architectural distinction between instructions and data, and their behavior is stochastic, so no reliable prevention mechanism exists today, a position consistent with NIST (2025), NCSC (2025), and Debenedetti et al. (2025). Defense is therefore architectural rather than interceptive. Design the surrounding system on the explicit assumption that the model's instruction boundary will eventually be bypassed, and constrain what the model is permitted to do, and what its outputs are permitted to reach, so a successful injection does not translate into a successful exploit. | ||
|
|
||
| Most high-impact prompt-injection incidents on record (EchoLeak / CVE-2025-32711 [Reddy & Gujral, 2025], the Amazon Q runtime and supply-chain pair [Amazon Web Services, 2025a, 2025b], the Supabase MCP `service_role` exfiltration [General Analysis, 2025], and GitHub Copilot / CVE-2025-53773 [Rehberger, 2025a]) became severe because the injection landed inside a system whose tools, scopes, or output-rendering capabilities let the compromised model act on the attacker's behalf at the user's privilege level. This is the operational relationship between this entry and **LLM03:2026 Excessive Agency**: prompt injection is the input-side compromise, and excessive functionality, permissions, or autonomy are what give that compromise consequences outside the chat window. Simon Willison's "lethal trifecta" (2025) restates the same structural diagnosis as a pre-deployment check: an agent that can simultaneously access private data, ingest untrusted content, and communicate externally has the conditions for high-impact exploitation, and removing any one leg removes them. | ||
| Most high-impact prompt-injection incidents on record became severe because the injection landed inside a system whose tools, scopes, or output-rendering capabilities let the compromised model act on the attacker's behalf at the user's privilege level (see Scenarios #7 through #9). This is the operational relationship between this entry and **LLM03:2026 Excessive Agency**: prompt injection is the input-side compromise, and excessive functionality, permissions, or autonomy are what give that compromise consequences outside the chat window. |
There was a problem hiding this comment.
I like all these changes EXCEPT I do want to retain this "Simon Willison's "lethal trifecta" (2025) restates the same structural diagnosis as a pre-deployment check: an agent that can simultaneously access private data, ingest untrusted content, and communicate externally has the conditions for high-impact exploitation, and removing any one leg removes them." in this section. I understand the intent for the rest of the edits is to prevent a repeat of things said later down, and I know that in recommended mitigations section we talk about this in terms of a "rule" to follow; but I think these are different enough in the way they are phrased (one is talking about the problem, the other is using that problem to define a security control solution) that presenting them both is important.
| 7. **Require explicit human confirmation before any privileged, irreversible, or externally visible action**, surfacing the exact rendered action rather than a summary to the reviewer. Invisible-character smuggling can make the displayed action differ from the executed one (#5), and approval fatigue degrades reviewer judgment at volume. | ||
|
|
||
| 8. **Budget agent capabilities with the Rule of Two as a floor** (Meta AI, 2025). Treat simultaneous access to (A) untrusted input, (B) sensitive data, and (C) state change or external communication as high-risk: any [A,B,C] agent needs per-action human approval, and [A,B] or [A,C] configurations need an explicit residual-risk assessment. The Amazon Q incident (Amazon Web Services, 2025b) wiped a developer's files from an [A,B] configuration. NIST AI 100-2 E2025 and the CISA, FBI, NSA, and ACSC OT guidance (CISA et al., 2025) endorse the rule, which is silent on autonomy depth (Noma Security, 2025). | ||
| 8. **Budget agent capabilities with the Rule of Two as a floor** (Meta AI, 2025). Treat simultaneous access to (A) untrusted input, (B) sensitive data, and (C) state change or external communication as high-risk: any [A,B,C] agent needs per-action human approval, and [A,B] or [A,C] configurations need an explicit residual-risk assessment (see Scenario #8). Simon Willison's "lethal trifecta" (2025) makes the same diagnosis as a pre-deployment check. NIST AI 100-2 E2025 and the CISA, FBI, NSA, and ACSC OT guidance (CISA et al., 2025) endorse the rule, which is silent on autonomy depth (Noma Security, 2025). |
There was a problem hiding this comment.
This is actually slightly different. see my comment on line R67:
For this - I like the "(see Scenario #8) to replace the line "The Amazing Q incident (Amazon Web Services, 2025b) wiped a developer's files from an [A,B] configuration" as a good change to implement. I do not want to compact the lethal trifecta concept into this one sentence however - instead of adding the sentence here "Simon Willison's "lethal trifecta"..." I would just keep the lethal trifecta content above in the R67 section as I mentioned.
|
Heads-up: I've opened #123, which carries this dedup/compression pass forward verbatim and additionally applies the five retains from my review (co-authored to @virtualsteve-star so the compression credit stays with you). It's based on current |
Incorporates @virtualsteve-star's deduplication and compression pass (#116) in full, plus the five retains raised in review so it can merge without a further round-trip: - Description: keep "direct user input" and the explicit "image, audio, or video content" (not "user text" / "media"); keep the documents -> content change. - Untrusted surfaces: "emails from unknown senders" (not "unknown-sender email"). - Semi-trusted surfaces: retain "changelogs" alongside READMEs (a distinct in-the-wild vector; readers treat changelogs and READMEs differently). - Mitigation preamble: retain the full "lethal trifecta" (Willison, 2025) sentence here, where it frames the problem, distinct from its use as a control in mitigation #8. - Mitigation #8: keep the "(see Scenario #8)" pointer; drop the compacted trifecta restatement, which now lives in the preamble. Everything else from #116 is carried through unchanged. Supersedes #116. Co-authored-by: Steve Wilson <62770473+virtualsteve-star@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
|
Superseded by #123 (cybershujin, LLM01 entry owner). Both are the same ~10% deduplication pass and both pass conformance; #123 is the owner's version and retains what this PR compressed — the concrete modality list (image/audio/video vs 'media'), 'and changelogs', and the full 'lethal trifecta' explanation kept in the Description (where it frames the LLM01-to-LLM03 boundary) rather than relocated to mitigation #8. Merging #123 in lieu of this PR per the entry owner's call. Thanks @virtualsteve-star — the dedup structure you established is what #123 builds on. |
Summary
Follow-up to #101, as promised there. Two kinds of change, both targeted; nothing else is rewritten or restyled — the taxonomy, all eleven mitigations, all nine scenarios, and every substantive claim stand as written.
Part 1 — Deduplication. The entry told the same incidents and statistics two and three times as it moved from Description to Examples to Mitigations to Scenarios, which added length and, read end to end, undercut the credibility of otherwise excellent material. Each incident now gets exactly one full telling in its most useful home, with a short pointer where the repeats used to be.
Part 2 — Concept-level dedup and inherited-wording compression. Same principle at the idea level, plus three light trims of wording inherited from 2025.
3,083 → 2,783 words (−10%).
Part 1: What moved where
Part 2: Concept dedup and compression
Citation closure
Unchanged, verified per-citation: every removed narration's citation survives at the incident's single home (Labunets stays at Example #7, Willison moves into mitigation #8, Toulas joins Koi Security in Scenario #9). No
references.mdchange is needed.🤖 Generated with Claude Code