ObliInjection: Order-Oblivious Prompt Injection Attack to LLM Agents with Multi-source Data
Reachal Wang, Yuqi Jia, Neil Zhenqiang Gong

TL;DR
ObliInjection is a novel prompt injection attack targeting multi-source data in LLMs, effectively contaminating inputs even when only a few segments are compromised, regardless of their order.
Contribution
This work introduces the first order-oblivious prompt injection attack for multi-source LLM inputs, with a loss function and an algorithm designed to handle uncertainty in the ordering of segments.
Findings
Effective even with 1 contaminated segment out of 6-100
High success rate across diverse datasets and LLMs
Outperforms existing prompt injection methods in multi-source scenarios
Abstract
Prompt injection attacks aim to contaminate the input data of an LLM to mislead it into completing an attacker-chosen task instead of the intended task. In many applications and agents, the input data originates from multiple sources, with each source contributing a segment of the overall input. In these multi-source scenarios, an attacker may control only a subset of the sources and contaminate the corresponding segments, but typically does not know the order in which the segments are arranged within the input. Existing prompt injection attacks either assume that the entire input data comes from a single source under the attacker's control or ignore the uncertainty in the ordering of segments from different sources. As a result, their success is limited in domains involving multi-source data. In this work, we propose ObliInjection, the first prompt injection attack targeting LLM…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Security and Verification in Computing · Network Security and Intrusion Detection
