IsolateGPT: An Execution Isolation Architecture for LLM-Based Agentic Systems
Yuhao Wu, Franziska Roesner, Tadayoshi Kohno, Ning Zhang, Umar Iqbal

TL;DR
IsolateGPT introduces an execution isolation architecture for LLM-based systems, enhancing security and privacy by preventing malicious interactions among apps, with minimal performance overhead.
Contribution
The paper proposes IsolateGPT, a novel architecture that demonstrates the feasibility of execution isolation in LLM-based systems to address security and privacy risks.
Findings
IsolateGPT effectively protects against various security and privacy attacks.
The system incurs less than 30% performance overhead on most queries.
It maintains full functionality while providing isolation.
Abstract
Large language models (LLMs) extended as systems, such as ChatGPT, have begun supporting third-party applications. These LLM apps leverage the de facto natural language-based automated execution paradigm of LLMs: that is, apps and their interactions are defined in natural language, provided access to user data, and allowed to freely interact with each other and the system. These LLM app ecosystems resemble the settings of earlier computing platforms, where there was insufficient isolation between apps and the system. Because third-party apps may not be trustworthy, and exacerbated by the imprecision of natural language interfaces, the current designs pose security and privacy risks for users. In this paper, we evaluate whether these issues can be addressed through execution isolation and what that isolation might look like in the context of LLM-based systems, where there are arbitrary…
Taxonomy
Topics: Distributed systems and fault tolerance · Service-Oriented Architecture and Web Services · Security and Verification in Computing
