The Dark Side of Function Calling: Pathways to Jailbreaking Large Language Models

TL;DR

This paper reveals a critical security vulnerability in the function calling feature of large language models, demonstrating a high success rate for jailbreak attacks and proposing defensive strategies to mitigate this risk.

Contribution

It introduces a novel jailbreak function attack exploiting alignment issues and safety gaps, and offers practical defense methods for LLM security.

Findings

Over 90% success rate of jailbreak attacks on six LLMs

Analysis of vulnerabilities in function calling process

Proposed defensive prompts to enhance security

Abstract

Large language models (LLMs) have demonstrated remarkable capabilities, but their power comes with significant security considerations. While extensive research has been conducted on the safety of LLMs in chat mode, the security implications of their function calling feature have been largely overlooked. This paper uncovers a critical vulnerability in the function calling process of LLMs, introducing a novel "jailbreak function" attack method that exploits alignment discrepancies, user coercion, and the absence of rigorous safety filters. Our empirical study, conducted on six state-of-the-art LLMs including GPT-4o, Claude-3.5-Sonnet, and Gemini-1.5-pro, reveals an alarming average success rate of over 90\% for this attack. We provide a comprehensive analysis of why function calls are susceptible to such attacks and propose defensive strategies, including the use of defensive prompts. Our findings highlight the urgent need for enhanced security measures in the function calling capabilities of LLMs, contributing to the field of AI safety by identifying a previously unexplored risk, designing an effective attack method, and suggesting practical defensive measures. Our code is available at https://github.com/wooozihui/jailbreakfunction.