LLM Platform Security: Applying a Systematic Evaluation Framework to OpenAI's ChatGPT Plugins (2309.10254v2)

Published 19 Sep 2023 in cs.CR, cs.AI, cs.CL, cs.CY, and cs.LG

Abstract: LLM platforms, such as ChatGPT, have recently begun offering an app ecosystem to interface with third-party services on the internet. While these apps extend the capabilities of LLM platforms, they are developed by arbitrary third parties and thus cannot be implicitly trusted. Apps also interface with LLM platforms and users using natural language, which can have imprecise interpretations. In this paper, we propose a framework that lays a foundation for LLM platform designers to analyze and improve the security, privacy, and safety of current and future third-party integrated LLM platforms. Our framework is a formulation of an attack taxonomy that is developed by iteratively exploring how LLM platform stakeholders could leverage their capabilities and responsibilities to mount attacks against each other. As part of our iterative process, we apply our framework in the context of OpenAI's plugin (apps) ecosystem. We uncover plugins that concretely demonstrate the potential for the types of issues that we outline in our attack taxonomy. We conclude by discussing novel challenges and by providing recommendations to improve the security, privacy, and safety of present and future LLM-based computing platforms.

Authors (3)
  1. Umar Iqbal (50 papers)
  2. Tadayoshi Kohno (32 papers)
  3. Franziska Roesner (23 papers)
Citations (30)