cs.CR cs.AI cs.CL cs.LG · Dec 21, 2023

Exploiting Novel GPT-4 APIs

arXiv:2312.14302v2 · 32 citations · h-index: 16
Originality: Highly original
AI Analysis

This work exposes critical security risks in real-world AI APIs for developers and users, highlighting how expanded API functionalities create new attack vectors.

The paper investigated security vulnerabilities in three new GPT-4 API functionalities (fine-tuning, function calling, and knowledge retrieval), finding that fine-tuning with just 15 harmful or 100 benign examples could remove safeguards, and that function call schemas could be exposed and hijacked.

Language model attacks typically assume one of two extreme threat models: full white-box access to model weights, or black-box access limited to a text generation API. However, real-world APIs are often more flexible than just text generation: these APIs expose "gray-box" access leading to new threat vectors. To explore this, we red-team three new functionalities exposed in the GPT-4 APIs: fine-tuning, function calling and knowledge retrieval. We find that fine-tuning a model on as few as 15 harmful examples or 100 benign examples can remove core safeguards from GPT-4, enabling a range of harmful outputs. Furthermore, we find that GPT-4 Assistants readily divulge the function call schema and can be made to execute arbitrary function calls. Finally, we find that knowledge retrieval can be hijacked by injecting instructions into retrieval documents. These vulnerabilities highlight that any additions to the functionality exposed by an API can create new vulnerabilities.

Code Implementations: 1 repo
Foundations

The foundational work for this paper's niche, ranked by how specifically the neighbourhood builds on it — not by global fame.
