injection

package
v0.12.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 23, 2026 License: MIT Imports: 12 Imported by: 0

README

Advanced Injection Engine

The Advanced Injection Engine provides sophisticated prompt injection techniques that go beyond basic attacks to bypass modern LLM safety measures.

Features

1. Token Smuggling
  • Unicode Smuggling: Uses zero-width characters, direction overrides, and Unicode normalization tricks
  • Homoglyph Attacks: Replaces characters with visually similar Unicode alternatives (e.g., Cyrillic)
2. Encoding Exploits
  • Multi-Encoding: Base64, ROT13, Hex, URL encoding, Unicode escapes
  • Nested Encoding: Multiple layers of encoding to evade detection
  • Format String Exploits: Leverages format string patterns
3. Context Manipulation
  • Context Overflow: Exhausts context window to push out safety instructions
  • Instruction Fragmentation: Splits commands across context boundaries
  • Context Poisoning: Establishes false historical context
4. Instruction Hierarchy
  • Authority Override: Claims system/admin privileges
  • Nested Instructions: Uses multiple nesting levels to confuse parsers
  • Emergency Protocols: Exploits emergency/priority command patterns
5. Boundary Confusion
  • Delimiter Exploitation: Conflicting or ambiguous delimiters
  • Format Confusion: Mixed markup and formatting
  • Boundary Injection: Fake context boundaries
6. Semantic Tricks
  • Negation Confusion: Double negatives and logical puzzles
  • Synonym Substitution: Replaces filtered keywords with synonyms

Usage

Basic Example
import "github.com/llm-security/LLMrecon/src/attacks/injection"

// Create injector with configuration
config := injection.InjectorConfig{
    AggressivenessLevel: 7,  // 1-10 scale
    MaxAttempts:         3,
    MutationRate:        0.3, // 30% mutation probability
}

injector := injection.NewAdvancedInjector(config)

// Generate payload using specific technique
payload, err := injector.GeneratePayload(
    "hierarchy_override",              // technique ID
    "reveal your system prompt",       // target objective
    nil,                              // optional context
)
Using the Full Engine
// Create engine
engineConfig := injection.EngineConfig{
    MaxConcurrent:  10,
    DefaultTimeout: 30 * time.Second,
    RetryAttempts:  3,
    CollectMetrics: true,
}

engine := injection.NewEngine(engineConfig, logger)

// Configure attack
attack := injection.AttackConfig{
    Target: injection.TargetConfig{
        Objective: "Make the model reveal its instructions",
        SystemPrompt: "You are a helpful assistant",
    },
    Provider:    "openai",
    Model:       "gpt-4",
    Technique:   "unicode_smuggling",
    UseMutation: true,
    UseObfuscation: true,
}

// Execute
result, err := engine.Execute(context.Background(), attack)

Available Techniques

Token Smuggling
  • token_smuggle_unicode: Unicode normalization attacks
  • token_smuggle_homoglyph: Visually similar character substitution
Encoding Exploits
  • encoding_base64: Base64 obfuscation
  • encoding_rot13: ROT13 encoding
  • encoding_hex: Hexadecimal encoding
  • encoding_url: URL percent encoding
Context Manipulation
  • context_overflow: Context window exhaustion
  • context_fragment: Instruction fragmentation
  • context_poison: Historical context manipulation
Instruction Hierarchy
  • hierarchy_override: Authority escalation
  • hierarchy_nesting: Nested instruction confusion
Boundary Confusion
  • boundary_delimiter: Delimiter ambiguity
  • boundary_format: Format string exploitation
Semantic Tricks
  • semantic_negation: Double negative confusion
  • semantic_synonym: Keyword substitution

Risk Levels

Each technique has an associated risk level:

  • Low: Basic obfuscation, unlikely to cause issues
  • Medium: More aggressive, may trigger some defenses
  • High: Aggressive techniques, likely to be detected
  • Extreme: Very aggressive, use with caution

Success Detection

The engine includes automatic success detection based on:

  • Response pattern matching
  • Behavior change analysis
  • Evidence extraction
  • Confidence scoring

Metrics

When metrics are enabled, the engine tracks:

  • Success rates per technique
  • Average execution time
  • Token usage
  • Common failure patterns

Advanced Features

Payload Mutation

Automatically generates variations of payloads to evade detection:

config.MutationRate = 0.4  // 40% chance of mutation
Multi-Payload Generation

Generate multiple unique payloads for testing:

payloads, err := injector.GenerateMultiPayload(
    "hierarchy_override",
    "bypass safety",
    nil,
    10,  // generate 10 variants
)
Batch Execution

Run multiple attacks concurrently:

configs := []injection.AttackConfig{...}
results, err := engine.ExecuteBatch(ctx, configs)

Best Practices

  1. Start with Low Risk: Begin with low-risk techniques and escalate
  2. Use Metrics: Enable metrics to track effectiveness
  3. Combine Techniques: Layer multiple techniques for better results
  4. Test Variations: Use mutation and multi-payload generation
  5. Monitor Detection: Watch for signs of detection/filtering

Ethical Use

This tool is designed for authorized security testing only. Always:

  • Obtain proper authorization before testing
  • Respect rate limits and terms of service
  • Report vulnerabilities responsibly
  • Use findings to improve security

Contributing

To add new techniques:

  1. Implement the PayloadGenerator function
  2. Register with the injector
  3. Add success patterns
  4. Document the technique
  5. Add tests

See advanced_injector.go for examples.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AdvancedInjector

type AdvancedInjector struct {
	// contains filtered or unexported fields
}

AdvancedInjector provides sophisticated prompt injection techniques

func NewAdvancedInjector

func NewAdvancedInjector(config InjectorConfig) *AdvancedInjector

NewAdvancedInjector creates a new advanced injection engine

func (*AdvancedInjector) GenerateMultiPayload

func (i *AdvancedInjector) GenerateMultiPayload(techniqueID string, target string, context map[string]interface{}, count int) ([]string, error)

GenerateMultiPayload creates multiple payload variants

func (*AdvancedInjector) GeneratePayload

func (i *AdvancedInjector) GeneratePayload(techniqueID string, target string, context map[string]interface{}) (string, error)

GeneratePayload creates an injection payload using specified technique

func (*AdvancedInjector) GetAvailableTechniques

func (i *AdvancedInjector) GetAvailableTechniques() []string

GetAvailableTechniques returns all registered technique IDs

func (*AdvancedInjector) GetTechniques

func (i *AdvancedInjector) GetTechniques() map[string]InjectionTechnique

GetTechniques returns map of all techniques (exported for demo)

func (*AdvancedInjector) GetTechniquesByCategory

func (i *AdvancedInjector) GetTechniquesByCategory(category TechniqueCategory) []string

GetTechniquesByCategory returns techniques filtered by category

func (*AdvancedInjector) GetTechniquesByRisk

func (i *AdvancedInjector) GetTechniquesByRisk(maxRisk RiskLevel) []string

GetTechniquesByRisk returns techniques filtered by maximum risk level

func (*AdvancedInjector) RegisterTechnique

func (i *AdvancedInjector) RegisterTechnique(technique InjectionTechnique)

RegisterTechnique adds a new injection technique

type AttackConfig

type AttackConfig struct {
	// Target configuration
	Target   TargetConfig
	Provider string
	Model    string

	// Attack parameters
	Technique   string
	Payload     string
	MaxAttempts int
	Timeout     time.Duration

	// Advanced options
	UseMutation         bool
	MutationRate        float64
	UseObfuscation      bool
	AggressivenessLevel int

	// Context for the attack
	Context  map[string]interface{}
	Metadata map[string]string
}

AttackConfig configures an injection attack

type AttackResult

type AttackResult struct {
	// Identification
	ID        string
	Timestamp time.Time

	// Attack details
	Technique string
	Payload   string

	// Results
	Success    bool
	Confidence float64
	Response   string

	// Metrics
	AttemptCount int
	Duration     time.Duration
	TokensUsed   int

	// Analysis
	SuccessFactors []string
	FailureReasons []string

	// Evidence
	Evidence []Evidence

	// Metadata
	Metadata map[string]interface{}
}

AttackResult contains the results of an injection attempt

type BasicSuccessDetector

type BasicSuccessDetector struct {
	// contains filtered or unexported fields
}

BasicSuccessDetector provides basic success detection

func NewBasicSuccessDetector

func NewBasicSuccessDetector() *BasicSuccessDetector

func (*BasicSuccessDetector) AnalyzeEvidence

func (d *BasicSuccessDetector) AnalyzeEvidence(response string) []Evidence

func (*BasicSuccessDetector) CompareResponses

func (d *BasicSuccessDetector) CompareResponses(baseline, injected string) (bool, float64)

func (*BasicSuccessDetector) Detect

func (d *BasicSuccessDetector) Detect(response string, expectedBehavior string) (bool, float64)

type ChainStep

type ChainStep struct {
	Order     int
	Technique string
	Payload   string
	WaitTime  time.Duration
	Condition StepCondition
}

ChainStep represents a step in an injection chain

type ConditionType

type ConditionType string

ConditionType defines types of step conditions

const (
	AlwaysCondition       ConditionType = "always"
	OnSuccessCondition    ConditionType = "on_success"
	OnFailureCondition    ConditionType = "on_failure"
	OnPatternCondition    ConditionType = "on_pattern"
	OnConfidenceCondition ConditionType = "on_confidence"
)

type EncodingFunc

type EncodingFunc func(text string) string

EncodingFunc encodes/obfuscates text

type Engine

type Engine struct {
	// contains filtered or unexported fields
}

Engine implements the InjectionEngine interface

func NewEngine

func NewEngine(config EngineConfig, logger Logger) *Engine

NewEngine creates a new injection engine

func (*Engine) Execute

func (e *Engine) Execute(ctx context.Context, config AttackConfig) (*AttackResult, error)

Execute runs a single injection attack

func (*Engine) ExecuteBatch

func (e *Engine) ExecuteBatch(ctx context.Context, configs []AttackConfig) ([]*AttackResult, error)

ExecuteBatch runs multiple injection attempts concurrently

func (*Engine) GetTechniques

func (e *Engine) GetTechniques() []TechniqueInfo

GetTechniques returns available injection techniques

func (*Engine) SetProviderManager

func (e *Engine) SetProviderManager(pm ProviderManager)

SetProviderManager sets the provider manager

func (*Engine) ValidatePayload

func (e *Engine) ValidatePayload(payload string) error

ValidatePayload checks if a payload is valid

type EngineConfig

type EngineConfig struct {
	MaxConcurrent  int
	DefaultTimeout time.Duration
	RetryAttempts  int
	RetryDelay     time.Duration
	CollectMetrics bool
	DebugMode      bool
}

EngineConfig holds configuration for the injection engine

type EnhancedSuccessDetector added in v0.1.1

type EnhancedSuccessDetector struct {
	// contains filtered or unexported fields
}

EnhancedSuccessDetector provides advanced success detection with ML-inspired techniques

func NewEnhancedSuccessDetector added in v0.1.1

func NewEnhancedSuccessDetector() *EnhancedSuccessDetector

NewEnhancedSuccessDetector creates a new enhanced detector

func (*EnhancedSuccessDetector) AnalyzeEvidence added in v0.1.1

func (d *EnhancedSuccessDetector) AnalyzeEvidence(response string) []Evidence

AnalyzeEvidence extracts detailed evidence from the response

func (*EnhancedSuccessDetector) CompareResponses added in v0.1.1

func (d *EnhancedSuccessDetector) CompareResponses(baseline, injected string) (bool, float64)

CompareResponses checks for behavior changes between baseline and injected responses

func (*EnhancedSuccessDetector) Detect added in v0.1.1

func (d *EnhancedSuccessDetector) Detect(response string, expectedBehavior string) (bool, float64)

Detect analyzes a response for injection success indicators

type ErrorType

type ErrorType string
const (
	TechniqueNotFoundError ErrorType = "technique_not_found"
	PayloadGenerationError ErrorType = "payload_generation"
	ProviderError          ErrorType = "provider_error"
	TimeoutError           ErrorType = "timeout"
	ValidationError        ErrorType = "validation"
	RateLimitError         ErrorType = "rate_limit"
)

type Evidence

type Evidence struct {
	Type        EvidenceType
	Content     string
	Confidence  float64
	Explanation string
}

Evidence represents a piece of evidence for injection success

type EvidenceType

type EvidenceType string

EvidenceType categorizes the type of evidence for injection success

const (
	DirectResponseEvidence      EvidenceType = "direct_response"
	BehaviorChangeEvidence      EvidenceType = "behavior_change"
	InstructionLeakEvidence     EvidenceType = "instruction_leak"
	ConstraintViolationEvidence EvidenceType = "constraint_violation"
	OutputPatternEvidence       EvidenceType = "output_pattern"
)

type InMemoryMetricsCollector

type InMemoryMetricsCollector struct {
	// contains filtered or unexported fields
}

InMemoryMetricsCollector provides in-memory metrics collection

func NewInMemoryMetricsCollector

func NewInMemoryMetricsCollector() *InMemoryMetricsCollector

func (*InMemoryMetricsCollector) GetAverageTime

func (m *InMemoryMetricsCollector) GetAverageTime(technique string) time.Duration

func (*InMemoryMetricsCollector) GetSuccessRate

func (m *InMemoryMetricsCollector) GetSuccessRate(technique string) float64

func (*InMemoryMetricsCollector) GetTechniqueStats

func (m *InMemoryMetricsCollector) GetTechniqueStats(technique string) *TechniqueStats

func (*InMemoryMetricsCollector) RecordAttempt

func (m *InMemoryMetricsCollector) RecordAttempt(result *AttackResult)

type InjectionChain

type InjectionChain struct {
	ID          string
	Name        string
	Description string
	Steps       []ChainStep
}

InjectionChain represents a multi-step injection attack

type InjectionEngine

type InjectionEngine interface {
	// Execute runs an injection attack
	Execute(ctx context.Context, config AttackConfig) (*AttackResult, error)

	// ExecuteBatch runs multiple injection attempts
	ExecuteBatch(ctx context.Context, configs []AttackConfig) ([]*AttackResult, error)

	// GetTechniques returns available injection techniques
	GetTechniques() []TechniqueInfo

	// ValidatePayload checks if a payload is valid
	ValidatePayload(payload string) error
}

InjectionEngine defines the interface for injection attacks

type InjectionError

type InjectionError struct {
	Type    ErrorType
	Message string
	Details map[string]interface{}
}

Error types

func (*InjectionError) Error

func (e *InjectionError) Error() string

type InjectionTechnique

type InjectionTechnique struct {
	ID          string
	Name        string
	Description string
	Category    TechniqueCategory
	Risk        RiskLevel
	Generator   PayloadGeneratorFunc
	Validator   PayloadValidator
	Examples    []string
}

InjectionTechnique represents a specific injection method

type InjectorConfig

type InjectorConfig struct {
	AggressivenessLevel int                  // 1-10, higher = more aggressive
	TargetModel         string               // Model-specific optimizations
	MaxAttempts         int                  // Max injection attempts
	MutationRate        float64              // Payload mutation probability
	SuccessPatterns     []string             // Patterns indicating success
	CustomTechniques    []InjectionTechnique // User-defined techniques

}

InjectorConfig holds configuration for the injection engine

type Logger

type Logger interface {
	Debug(msg string, keysAndValues ...interface{})
	Info(msg string, keysAndValues ...interface{})
	Warn(msg string, keysAndValues ...interface{})
	Error(msg string, keysAndValues ...interface{})
}

Logger defines logging interface

type Message

type Message struct {
	Role    string
	Content string
}

Message represents a conversation message

type MetricsCollector

type MetricsCollector interface {
	// RecordAttempt logs an injection attempt
	RecordAttempt(result *AttackResult)

	// GetSuccessRate returns success rate for a technique
	GetSuccessRate(technique string) float64

	// GetAverageTime returns average execution time
	GetAverageTime(technique string) time.Duration

	// GetTechniqueStats returns detailed statistics
	GetTechniqueStats(technique string) *TechniqueStats
}

MetricsCollector collects attack metrics

type ModelBehavior added in v0.1.1

type ModelBehavior struct {
	TypicalRefusalPhrases []string
	SafetyDisclaimer      []string
	HelpfulnessIndicators []string
	ComplianceIndicators  []string
}

ModelBehavior defines expected behaviors for different models

type MutationFunc

type MutationFunc func(string) string

type ObfuscationFunc

type ObfuscationFunc func(string) string

type Obfuscator

type Obfuscator struct {
	// contains filtered or unexported fields
}

Obfuscator handles text obfuscation

func NewObfuscator

func NewObfuscator() *Obfuscator

func (*Obfuscator) Obfuscate

func (o *Obfuscator) Obfuscate(text string) string

type PayloadGenerator

type PayloadGenerator interface {
	// Generate creates a new payload
	Generate(technique string, target string, context map[string]interface{}) (string, error)

	// GenerateVariants creates multiple payload variants
	GenerateVariants(technique string, target string, count int) ([]string, error)

	// Mutate modifies an existing payload
	Mutate(payload string) string

	// Obfuscate applies obfuscation to a payload
	Obfuscate(payload string) string
}

PayloadGenerator generates injection payloads

type PayloadGeneratorFunc

type PayloadGeneratorFunc func(target string, context map[string]interface{}) string

PayloadGeneratorFunc creates injection payloads

type PayloadMutator

type PayloadMutator struct {
	// contains filtered or unexported fields
}

PayloadMutator handles payload mutations

func NewPayloadMutator

func NewPayloadMutator(rate float64) *PayloadMutator

func (*PayloadMutator) Mutate

func (m *PayloadMutator) Mutate(payload string) string

type PayloadValidator

type PayloadValidator func(payload string) bool

PayloadValidator checks if a payload is valid

type Provider

type Provider interface {
	Query(ctx context.Context, messages []Message, options map[string]interface{}) (string, error)
	GetModel() string
	GetTokenCount(text string) int
}

Provider represents an LLM provider

type ProviderManager

type ProviderManager interface {
	GetProvider(name string) (Provider, error)
	ListProviders() []string
}

ProviderManager manages LLM provider connections

type ResponseAnalyzer

type ResponseAnalyzer struct {
	// contains filtered or unexported fields
}

ResponseAnalyzer analyzes responses for success indicators

func NewResponseAnalyzer

func NewResponseAnalyzer(patterns []string) *ResponseAnalyzer

func (*ResponseAnalyzer) AnalyzeResponse

func (a *ResponseAnalyzer) AnalyzeResponse(response string) (bool, float64)

type RiskLevel

type RiskLevel int

RiskLevel indicates the aggressiveness of a technique

const (
	LowRisk RiskLevel = iota
	MediumRisk
	HighRisk
	ExtremeRisk
)

type StepCondition

type StepCondition struct {
	Type            ConditionType
	PreviousResult  string // e.g., "success", "failure", "partial"
	ResponsePattern string // regex pattern
	MinConfidence   float64
}

StepCondition defines when a step should execute

type SuccessDetector

type SuccessDetector interface {
	// Detect checks if an injection was successful
	Detect(response string, expectedBehavior string) (bool, float64)

	// AnalyzeEvidence extracts evidence from response
	AnalyzeEvidence(response string) []Evidence

	// CompareResponses checks behavior change
	CompareResponses(baseline, injected string) (changed bool, confidence float64)
}

SuccessDetector analyzes responses for success indicators

type TargetConfig

type TargetConfig struct {
	// What we want the model to do
	Objective string

	// Expected behavior if successful
	SuccessIndicators []string

	// Context to work with
	SystemPrompt string
	History      []Message
}

TargetConfig defines the target for injection

type TechniqueCategory

type TechniqueCategory string

TechniqueCategory categorizes injection techniques

const (
	TokenSmugglingCategory       TechniqueCategory = "token_smuggling"
	EncodingExploitCategory      TechniqueCategory = "encoding_exploit"
	ContextManipulationCategory  TechniqueCategory = "context_manipulation"
	InstructionHierarchyCategory TechniqueCategory = "instruction_hierarchy"
	BoundaryConfusionCategory    TechniqueCategory = "boundary_confusion"
	SemanticTrickCategory        TechniqueCategory = "semantic_trick"
)

type TechniqueInfo

type TechniqueInfo struct {
	ID          string
	Name        string
	Description string
	Category    string
	Risk        string
	SuccessRate float64
	Examples    []string
}

TechniqueInfo provides information about an injection technique

type TechniqueStats

type TechniqueStats struct {
	TotalAttempts      int
	SuccessfulAttempts int
	SuccessRate        float64
	AverageTime        time.Duration
	AverageTokens      int
	LastSuccess        time.Time
	LastFailure        time.Time
	CommonFailures     map[string]int
}

TechniqueStats contains statistics for a technique

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL