Neural Exec: Learning (and Learning from) Execution Triggers for Prompt Injection Attacks
This addresses security vulnerabilities in AI systems, particularly for applications like Retrieval-Augmented Generation, by revealing a new attack paradigm that is not incremental but poses a significant threat.
The paper tackles the problem of prompt injection attacks by introducing Neural Exec, a learning-based method to autonomously generate execution triggers, which are drastically more effective than handcrafted ones and can bypass existing detection approaches.
We introduce a new family of prompt injection attacks, termed Neural Exec. Unlike known attacks that rely on handcrafted strings (e.g., "Ignore previous instructions and..."), we show that it is possible to conceptualize the creation of execution triggers as a differentiable search problem and use learning-based methods to autonomously generate them. Our results demonstrate that a motivated adversary can forge triggers that are not only drastically more effective than current handcrafted ones but also exhibit inherent flexibility in shape, properties, and functionality. In this direction, we show that an attacker can design and generate Neural Execs capable of persisting through multi-stage preprocessing pipelines, such as in the case of Retrieval-Augmented Generation (RAG)-based applications. More critically, our findings show that attackers can produce triggers that deviate markedly in form and shape from any known attack, sidestepping existing blacklist-based detection and sanitation approaches.