undefined | Better HN

0 pointsfoolswisdom11mo ago0 comments

I'm not sure I follow. Traditional computing does allow us to make this distinction, and allows us to control the scenarios when we don't want this distinction, and when we have software that doesn't implement such rules appropriately we consider it a security vulnerability.

We're just treating LLMs and agents different because we're focused on making them powerful, and there is basically no way to make the distinction with an LLM. Doesn't change the fact that we wouldn't have this problem with a traditional approach.

0 comments

blincoln11mo ago

I think it would be possible to use a model like prepared SQL statements with a list of bound parameters.

Doing so would mean giving up some of the natural language interface aspect of LLMs for security-critical contexts, of course, but it seems like in most cases, that would only be visible to developers building on top of the model, not end users, since end use input would become one or more of the bound parameters.

E.g. the LLM is trained to handle a set of instructions like:

---

Parse the user's message into a list of topics and optionally a list of document types. Store the topics in string array %TOPICS%. If a list of document types is specified, store that list in string array %DOCTYPES%.

Reset all context.

Search for all documents that seem to contain topics like the ones in %TOPICS%. If %DOCTYPES% is populated, restrict the search to those document types.

----

Like a prepared statement, the values would never be inlined, the variables would always be pointers to isolated data.

Obviously there are some hard problems in glossing over, but addressing them should be able to take advantage of a wealth of work that's already been done in input validation in general and RAG-type LLM approaches specifically, right?

int_19h11mo ago

The LLM ultimately needs to see the actual text in %TOPICS% etc, meaning that it must be somewhere in its input.

j / k navigate · click thread line to collapse