undefined

points

[-]

Also encrypting+steganography to exfiltrate secrets in binary/base64 sections of files in (public) repos relying on version control software for the network access.

And side channels based on timing/ordering allowed network accesses, e.g. https://allowed.site/0 and https://allowed.site/1.

There's essentially no prevention against exfiltration prompt injections without a full classified data processing system that prevents interactions between different classification levels except through strict controls including provable redaction that excludes side-channels (e.g. information theoretic proof that side effects are limited to pre-defined finite outcomes).

It's also incredibly difficult to prevent prompt injection; attackers have the huge asymmetric advantage of being able to test prompts against all known security measures and trying multiple parallel attempts, including obfuscating them. Injections can be in dependencies, externally generated data, bug reports (which often contain externally-generated data), documentation, and many other useful places that we want agents to have access to.

My prediction: we'll continue to essentially YOLO it.

by robbomacrae13 hours ago|

parent|

[-]

I've been working on addressing the exfiltration leg as well as the other legs of the lethal trifecta in my OrcaBot [0][1] platform and I thought I had it mostly covered with the help of a network snitch and egress allowlist until I read these comments.

Domain fronting and Steganography in commits to public repos are not solved and probably in all honesty not completely solvable. I wonder if this well end up like in banking where no bank can completely eliminate fraud. I've got some ideas to do bank like fraud detection within OrcaBot now so might be able to limit the impact a little. Thank you!

[0] https://orcabot.com/blog#breaking-the-lethal-trifecta

[1] https://github.com/Hyper-Int/OrcaBot