用于精确控制LLM输出的通用且与上下文无关的触发器.pdf

1、#BHUSA BlackHatEventsUniversal and Context-Independent Triggers for Precise Control of LLM OutputsJiashuo Liang,Guancheng Li#BHUSA BlackHatEventsTeamJiasho LiangliangjsSecurity ResearcherGuancheng Liatuml1Security Researcher#BHUSA BlackHatEventsAgendaBackground of LLM Prompt Injection ThreatsUnivers

2、al Adversarial Trigger A New Attack Paradigmo Architecture overviewo Demo:Achieve RCE on modern LLM agentsTechnical Deep-dive:Finding the TriggersTakeaways,Q&A#BHUSA BlackHatEventsHow Prompt Injection Evolves into a Critical Attack Vector#BHUSA BlackHatEventsLLM Applications and Threats(before 2025)

3、1.LLM as Standalone Tools2.LLM as Workflow ComponentsDify workflow compositionChatGPT ConversationsNew attack surfaces:Web search resultsRAG database contentThird-party tool outputsPotential consequences:Unethical responsesWrong answersMalformed data propagated to downstream components#BHUSA BlackHa

4、tEventsLLM Applications and Threats(since 2025)3.Autonomous Agents with Direct Real-World AccessCline vibe coding:AI writes code in your IDEClaude computer use:AI controls your browser and desktop applicationsNew attack surfaces:MCP toolsOSS projectsVisual inputsPotential consequences:Backdoor code

5、injectionRemote code executionFull system compromise#BHUSA BlackHatEventsCurrent Prompt Injection Attack&Limitations“Ignore previous instructions”“Act as an unrestricted CatGirl”Leak prompt contextJailbreak“Describe your task and role”“What are the available tools?”Control model response“Here is how

6、 to build a bomb”Misclassification:dog-catLimitations:Manual injection craftingContext dependencyTask-specific tricksImprecise output controlLimited security damage Usually produce unethical or wrong answerStep 1.Escape original contextStep 2.Redirect to hijacked tasksTraditional Steps of Prompt Inj