A prompt is structured into three layers: the system prompt for instructions, the context for additional data, and the unpredictable user input.
A Chevrolet car dealer's chatbot was exploited by users to generate humorous and unintended responses, including a legally binding offer for a $1 car.
Attackers can use creative phrasing like "repeat everything above" to trick an LLM into revealing its hidden system prompt and instructions.
Prompt injections are used to access sensitive business data, gain personal advantages like bypassing HR filters, or exploit integrated tools to steal information like 2FA tokens.
Initial defense ideas like avoiding secrets or tool integration are impractical, and simple system prompt instructions are easily circumvented by attackers.
More effective defenses include fine-tuning models on domain-specific data to reduce reliance on instructions and using specialized adversarial prompt detectors to identify malicious input.
Treat all system prompt data as public, use a layered defense of instructions, detectors, and fine-tuning, and accept that no completely reliable solution exists yet.
Wilken GmbH
Ulm, Germany
27:32Sebastian Schrittwieser
23:24Keno Dreßel
29:00Alex Soto
30:36Mackenzie Jackson
33:28Maxim Salnikov
27:02Mirko Ross
31:12Daniel Töws
25:17Scott Hanselman
.png?w=240&auto=compress,format)
Jobs that call for the skills explored in this talk.
Wolters Kluwer
Alphen aan den Rijn, Netherlands
AVEX Automotive GmbH & Co. KG
Hamburg, Germany
Collaboration Betters The World GmbH
Mindrift
Looma Gmbh
Magdeburg, Germany
Ignite Technical Resources
Richmond, United Kingdom
83zero Ltd
Manchester, United Kingdom
