Skip to content

LLM01: deduplication and targeted compression pass#116

Closed
virtualsteve-star wants to merge 2 commits into
release-candidate-1from
llm01/dedup-pass
Closed

LLM01: deduplication and targeted compression pass#116
virtualsteve-star wants to merge 2 commits into
release-candidate-1from
llm01/dedup-pass

Conversation

@virtualsteve-star

@virtualsteve-star virtualsteve-star commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator

Summary

Follow-up to #101, as promised there. Two kinds of change, both targeted; nothing else is rewritten or restyled — the taxonomy, all eleven mitigations, all nine scenarios, and every substantive claim stand as written.

Part 1 — Deduplication. The entry told the same incidents and statistics two and three times as it moved from Description to Examples to Mitigations to Scenarios, which added length and, read end to end, undercut the credibility of otherwise excellent material. Each incident now gets exactly one full telling in its most useful home, with a short pointer where the repeats used to be.

Part 2 — Concept-level dedup and inherited-wording compression. Same principle at the idea level, plus three light trims of wording inherited from 2025.

3,083 → 2,783 words (−10%).

Part 1: What moved where

Incident / stat Was told at Now told once at Repeats became
Invariant Labs / Supabase / Rehberger PoC trio Indirect Injection ¶, Example #3, Scenario #9 Scenario #9 (full), Example #3 (compact index) Pointer in Indirect Injection ¶
Zou et al. five-documents / ~90% stat Example #6 and Scenario #4, near-verbatim Scenario #4 Citation + pointer in Example #6
Clusmann oncology-imaging finding Example #4 and Scenario #6 Scenario #6 Citation + pointer in Example #4
EchoLeak / Amazon Q / Supabase / Copilot recap Mitigation preamble and Scenarios #7#9 Scenarios #7#9 "(see Scenarios #7 through #9)" in preamble
Amazon Q file-wipe Mitigation #8 and Scenario #8 Scenario #8 "(see Scenario #8)" in #8
postmark-mcp narration Mitigation #10 and Scenario #9 Scenario #9 "(see Scenario #9)" in #10
M365 Copilot ASCII-smuggling PoC Example #5 and Mitigation #5 Example #5 Pointer in Mitigation #5

Part 2: Concept dedup and compression

Item Rationale
Fun-tuning outcome bullet deleted It retold Common Example #7 in full, and it is a technique, not an outcome — the list's own logic argues the cut
Lethal-trifecta explanation folded into mitigation #8 The preamble explained Willison's three legs; #8 defines the identical legs as (A)/(B)/(C). One concept, one home; Willison citation preserved in #8
Two overlapping outcome bullets merged Unauthorized tool invocation and arbitrary command execution are the same escalation at two altitudes
Jailbreaking paragraph cut to two sentences Inherited 2025 wording; four sentences said one thing
Trust-tier example lists trimmed Each bullet carried 3–5 examples; the commentary sentences, which carry the insight, are untouched
Opening input inventory shortened Six input types enumerated in sentence one, re-enumerated by the delivery-surface axis two paragraphs later

Citation closure

Unchanged, verified per-citation: every removed narration's citation survives at the incident's single home (Labunets stays at Example #7, Willison moves into mitigation #8, Toulas joins Koi Security in Scenario #9). No references.md change is needed.

🤖 Generated with Claude Code

Each recurring incident and statistic now appears in full exactly
once, with pointers replacing the repeat tellings. No wording,
structure, or scope changes outside the duplicated passages.
3,083 -> 2,930 words. Citation closure unchanged (Toulas cite
moves to Scenario #9 with the postmark narration).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Extends the dedup pass per project-lead review: fun-tuning outcome
bullet (retold as Common Example #7) deleted, lethal-trifecta
explanation folded into mitigation #8 where the Rule of Two defines
the same three legs, two overlapping outcome bullets merged, the
inherited 2025 jailbreaking paragraph cut to two sentences, trust-tier
example lists trimmed, opening input inventory shortened.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@virtualsteve-star virtualsteve-star changed the title LLM01: deduplication pass (one home per incident) LLM01: deduplication and targeted compression pass Jul 15, 2026
@virtualsteve-star

Copy link
Copy Markdown
Collaborator Author

Scope update: after project-lead review this PR now also carries the concept-level dedup (fun-tuning bullet, trifecta fold-in, outcome-bullet merge) and three light compressions of inherited 2025 wording. The body above has the full item tables. Still deliberately out of scope: mitigation-list consolidation, scenario-count reduction, and any restructuring of the taxonomy.

@virtualsteve-star

Copy link
Copy Markdown
Collaborator Author

@rocklambros @cybershujin — here's something to consider. This PR stops deliberately short of one more step, and I want to put it in front of you rather than in the diff.

The mitigation list still has eleven controls, several differing mainly in granularity, and the current numbering interleaves two strategies (reducing injection success vs. containing the consequences). The consolidated version would look like this:

Reduce injection success

  1. Constrain the model's role in the system prompt (old README: update Slack channel to #team-genai-top-10-llm #1, absorbing old Adding new entry proposal as Supply Chain Trust Failure #6 — provenance labeling and prompt constraints are one control class, instruction and context separation, with the identical adaptive-attack failure mode and the same Nasr et al. cite)
  2. Filter at every modality boundary (old LLM05: refresh reference links for 2026 #3)
  3. Strip tag-block / variation-selector / zero-width characters at every boundary (old Add 2026/new_entry_candidates directory #5)
  4. Pin, sign, and verify every MCP server and tool package (old LLM05: add control character sanitization to output handling guidance #10)

Contain the consequences

  1. Define a strict output schema and validate in trusted application code (old add into LLM03 1, risk ,1 mitigation point i.e.11 and few references #2)
  2. Contain consequences via least privilege, deterministic mediation, human confirmation on privileged actions, and Rule-of-Two capability budgeting (old LLM05: refresh reference links for 2026 #4 + LLM01: dedupe duplicate Greshake reference (#3 and #7) #7 + Revise LLM02 for 2026 Sensitive Information Disclosure #8 folded into one control with the pieces as clauses — they are one strategy stated at three grain sizes; all citations retained)
  3. Treat agent memory writes as privileged operations (old LLM05: add Markdown auto-render exfiltration to output handling guidance #9)

Test the whole defense

  1. Test against adaptive attackers; reject static-only claims (old New entry: Weaponized LLM Abuse #11, with the extended benchmark discussion trimmed to the AgentDojo/JailbreakBench pointers)

Net: 11 → 8 controls in three honestly-labeled groups, roughly 150–200 further words, and the list fits on one screen. Costs, stated plainly: it renumbers the list, so the entry's three internal cross-references get updated in the same diff, and anyone externally citing RC1 control numbers needs the old→new map above.

My view: I think this is cleaner, and it's the last piece of my RC1 review that hasn't landed. But I won't die on this hill — the entry is already in good shape after this PR, and control-number stability through the RC is a legitimate reason to say no. If either of you wants it, say the word and it arrives as its own PR with the number map in the body; if not, it dies here and the 2027 cycle inherits the idea.

### Description

A **prompt-injection vulnerability** occurs when input to a large language model (LLM), whether direct user input, retrieved documents, tool output, image, audio, or video content, intermediate reasoning, or persistent memory, alters the model's behavior in ways the application developer did not intend. LLMs make no architectural distinction between "instructions" and "data" (both are tokens on the same stream), so there is no clean equivalent to parameterized queries (NCSC, 2025). Inputs need not be human-readable, need not arrive directly from a user, and need not be visible in the rendered interface to influence the model.
A **prompt-injection vulnerability** occurs when input to a large language model (LLM), whether user text, retrieved content, tool output, media, intermediate reasoning, or persistent memory, alters the model's behavior in ways the application developer did not intend. LLMs make no architectural distinction between "instructions" and "data" (both are tokens on the same stream), so there is no clean equivalent to parameterized queries (NCSC, 2025). Inputs need not be human-readable, need not arrive directly from a user, and need not be visible in the rendered interface to influence the model.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I want to retain "direct" in user input and "image, audio or video"

Technically speaking indirect prompt injection can still retrieve user input, we want to distinguish the two. It is also relevant that we make sure that we explain that media means all those versions. People might think "media" means "new media" and not specifically audio, image or video. Also relevant to understanding the multi-modal prompt injection "spread" across multiple media elements.

ok with the change from "documents" to "content" however.

@cybershujin cybershujin left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @virtualsteve-star — I'm on board with the dedup/compression pass overall; most of it is a clear improvement and I'm accepting it wholesale except for five specific retains. Inline comments have the detail:

  1. Description opening — keep "direct user input" and the explicit "image, audio, or video content" rather than "user text" / "media". "direct" distinguishes it from indirect injection, and "media" reads ambiguously (people may read it as "new media"). The documents → content change is good.
  2. Untrusted surfaces — "emails from unknown senders" rather than "unknown-sender email" (clearer, more common phrasing).
  3. Semi-trusted surfaces — please retain "changelogs" alongside READMEs; it was a specific in-the-wild vector and behaves differently from a README (people don't usually read changelogs but they do read READMEs).
  4. Mitigation preamble — keep the full "lethal trifecta" (Willison, 2025) sentence here, where it frames the problem, distinct from its use to define a control in mitigation #8.
  5. Mitigation #8 — the "(see Scenario #8)" swap is great; please drop the compacted trifecta restatement here, since it now stays in the preamble.

Everything else — accepted. To save a round-trip, I've opened #123, which is your pass verbatim plus exactly these five retains (co-authored to you), so it can go straight into release-candidate-1. Happy to use whichever of the two is easier for the maintainers.

* **Untrusted surfaces.** Public web pages, emails from unknown senders, public files, search results. Defenders must generally treat anything from these sources as suspicious. Most prompt-injection research has focused here.
* **Semi-trusted surfaces.** Issue titles in a public bug tracker, package READMEs and changelogs, third-party API responses, content the user chose to retrieve but did not author. The user trusts the platform but not necessarily individual contributors.
* **Trusted surfaces.** Code in a repository the developer owns, rows in the developer's own production database, internal documents, the user's own emails or calendar, content authored by colleagues. The developer may not realize an attacker has placed content here, perhaps via an unrelated upstream vector such as a public bug-report form or a customer-facing input.
* **Untrusted surfaces.** Public web pages, unknown-sender email, search results. Defenders must treat anything from these sources as suspicious. Most prompt-injection research has focused here.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changing "emails form unknown-senders" to "unknown-sender email" feels a bit confusing. "Unknown-sender email" is not a common term and I'm worried will be confusing.

* **Semi-trusted surfaces.** Issue titles in a public bug tracker, package READMEs and changelogs, third-party API responses, content the user chose to retrieve but did not author. The user trusts the platform but not necessarily individual contributors.
* **Trusted surfaces.** Code in a repository the developer owns, rows in the developer's own production database, internal documents, the user's own emails or calendar, content authored by colleagues. The developer may not realize an attacker has placed content here, perhaps via an unrelated upstream vector such as a public bug-report form or a customer-facing input.
* **Untrusted surfaces.** Public web pages, unknown-sender email, search results. Defenders must treat anything from these sources as suspicious. Most prompt-injection research has focused here.
* **Semi-trusted surfaces.** Issue titles in a public bug tracker, package READMEs, third-party API responses: content the user chose to retrieve but did not author. The user trusts the platform but not necessarily individual contributors.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would like to retain changelogs as this was a very specific in the wild example, and it is different than readme in terms of people do not typically read the changelog but they DO read the README

Prompt injection is intrinsic to current generative AI: LLMs make no architectural distinction between instructions and data, and their behavior is stochastic, so no reliable prevention mechanism exists today, a position consistent with NIST (2025), NCSC (2025), and Debenedetti et al. (2025). Defense is therefore architectural rather than interceptive. Design the surrounding system on the explicit assumption that the model's instruction boundary will eventually be bypassed, and constrain what the model is permitted to do, and what its outputs are permitted to reach, so a successful injection does not translate into a successful exploit.

Most high-impact prompt-injection incidents on record (EchoLeak / CVE-2025-32711 [Reddy & Gujral, 2025], the Amazon Q runtime and supply-chain pair [Amazon Web Services, 2025a, 2025b], the Supabase MCP `service_role` exfiltration [General Analysis, 2025], and GitHub Copilot / CVE-2025-53773 [Rehberger, 2025a]) became severe because the injection landed inside a system whose tools, scopes, or output-rendering capabilities let the compromised model act on the attacker's behalf at the user's privilege level. This is the operational relationship between this entry and **LLM03:2026 Excessive Agency**: prompt injection is the input-side compromise, and excessive functionality, permissions, or autonomy are what give that compromise consequences outside the chat window. Simon Willison's "lethal trifecta" (2025) restates the same structural diagnosis as a pre-deployment check: an agent that can simultaneously access private data, ingest untrusted content, and communicate externally has the conditions for high-impact exploitation, and removing any one leg removes them.
Most high-impact prompt-injection incidents on record became severe because the injection landed inside a system whose tools, scopes, or output-rendering capabilities let the compromised model act on the attacker's behalf at the user's privilege level (see Scenarios #7 through #9). This is the operational relationship between this entry and **LLM03:2026 Excessive Agency**: prompt injection is the input-side compromise, and excessive functionality, permissions, or autonomy are what give that compromise consequences outside the chat window.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like all these changes EXCEPT I do want to retain this "Simon Willison's "lethal trifecta" (2025) restates the same structural diagnosis as a pre-deployment check: an agent that can simultaneously access private data, ingest untrusted content, and communicate externally has the conditions for high-impact exploitation, and removing any one leg removes them." in this section. I understand the intent for the rest of the edits is to prevent a repeat of things said later down, and I know that in recommended mitigations section we talk about this in terms of a "rule" to follow; but I think these are different enough in the way they are phrased (one is talking about the problem, the other is using that problem to define a security control solution) that presenting them both is important.

7. **Require explicit human confirmation before any privileged, irreversible, or externally visible action**, surfacing the exact rendered action rather than a summary to the reviewer. Invisible-character smuggling can make the displayed action differ from the executed one (#5), and approval fatigue degrades reviewer judgment at volume.

8. **Budget agent capabilities with the Rule of Two as a floor** (Meta AI, 2025). Treat simultaneous access to (A) untrusted input, (B) sensitive data, and (C) state change or external communication as high-risk: any [A,B,C] agent needs per-action human approval, and [A,B] or [A,C] configurations need an explicit residual-risk assessment. The Amazon Q incident (Amazon Web Services, 2025b) wiped a developer's files from an [A,B] configuration. NIST AI 100-2 E2025 and the CISA, FBI, NSA, and ACSC OT guidance (CISA et al., 2025) endorse the rule, which is silent on autonomy depth (Noma Security, 2025).
8. **Budget agent capabilities with the Rule of Two as a floor** (Meta AI, 2025). Treat simultaneous access to (A) untrusted input, (B) sensitive data, and (C) state change or external communication as high-risk: any [A,B,C] agent needs per-action human approval, and [A,B] or [A,C] configurations need an explicit residual-risk assessment (see Scenario #8). Simon Willison's "lethal trifecta" (2025) makes the same diagnosis as a pre-deployment check. NIST AI 100-2 E2025 and the CISA, FBI, NSA, and ACSC OT guidance (CISA et al., 2025) endorse the rule, which is silent on autonomy depth (Noma Security, 2025).

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is actually slightly different. see my comment on line R67:

For this - I like the "(see Scenario #8) to replace the line "The Amazing Q incident (Amazon Web Services, 2025b) wiped a developer's files from an [A,B] configuration" as a good change to implement. I do not want to compact the lethal trifecta concept into this one sentence however - instead of adding the sentence here "Simon Willison's "lethal trifecta"..." I would just keep the lethal trifecta content above in the R67 section as I mentioned.

@cybershujin

Copy link
Copy Markdown
Collaborator

Heads-up: I've opened #123, which carries this dedup/compression pass forward verbatim and additionally applies the five retains from my review (co-authored to @virtualsteve-star so the compression credit stays with you). It's based on current release-candidate-1, mergeable with no conflicts, so a maintainer can take #123 straight in and close this one in its favor — saving you a re-edit. Happy to go whichever way is easier for the maintainers.

rocklambros pushed a commit that referenced this pull request Jul 17, 2026
Incorporates @virtualsteve-star's deduplication and compression pass (#116)
in full, plus the five retains raised in review so it can merge without a
further round-trip:

- Description: keep "direct user input" and the explicit "image, audio, or
  video content" (not "user text" / "media"); keep the documents -> content change.
- Untrusted surfaces: "emails from unknown senders" (not "unknown-sender email").
- Semi-trusted surfaces: retain "changelogs" alongside READMEs (a distinct
  in-the-wild vector; readers treat changelogs and READMEs differently).
- Mitigation preamble: retain the full "lethal trifecta" (Willison, 2025)
  sentence here, where it frames the problem, distinct from its use as a
  control in mitigation #8.
- Mitigation #8: keep the "(see Scenario #8)" pointer; drop the compacted
  trifecta restatement, which now lives in the preamble.

Everything else from #116 is carried through unchanged. Supersedes #116.

Co-authored-by: Steve Wilson <62770473+virtualsteve-star@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
@rocklambros

Copy link
Copy Markdown
Collaborator

Superseded by #123 (cybershujin, LLM01 entry owner). Both are the same ~10% deduplication pass and both pass conformance; #123 is the owner's version and retains what this PR compressed — the concrete modality list (image/audio/video vs 'media'), 'and changelogs', and the full 'lethal trifecta' explanation kept in the Description (where it frames the LLM01-to-LLM03 boundary) rather than relocated to mitigation #8. Merging #123 in lieu of this PR per the entry owner's call. Thanks @virtualsteve-star — the dedup structure you established is what #123 builds on.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants