Prompt Injection as Role Confusion
Researchers have discovered a challenge in large language models where they struggle to distinguish between privileged text and untrusted user input. This issue, known as role confusion, can lead to models being tricked into overriding their initial training and providing undesirable responses. The study found that rewriting text in a slightly different style can significantly impact how models classify the text, highlighting the need for improved role perception in language models.
- ▪The study confirms that models take the style of the text more seriously than the actual text, leading to concerning jailbreaks.
- ▪Destyling text can reduce average attack success from 61% to 10% by changing the model's role perception.
- ▪The underlying mechanism is called role confusion, which is a key challenge in addressing prompt injection in today's models.
Opening excerpt (first ~120 words) tap to expand
Prompt Injection as Role Confusion (via) First, I absolutely love this: This is a blog-style writeup of the paper. I wish every paper would come with one of these. Academic writing is pretty dry - the impact of a paper can be so much higher if you publish a readable version to accompany the formal one. Charles Ye, Jasmine Cui, and Dylan Hadfield-Menell present some fascinating research into the challenge of having models distinguish their own privileged text (here wrapped in role tags like <system>, <think>, and <assistant>) from untrusted user input wrapped in <user>. The bad news: they confirm that not only is this not possible, but it looks like models take the style of the text more seriously than the actual text! This leads to some very concerning jailbreaks.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Simon Willison's Weblog.