Hugging Face's logo
Papers
arxiv:2503.18813

Defeating Prompt Injections by Design

Published on Mar 24
· Submitted by iliashum on Mar 25
Upvote
18
Authors:
Edoardo Debenedetti ,
Ilia Shumailov ,
,
,
Nicholas Carlini ,
,
,
,
,
Florian Tramèr

Abstract

Large Language Models (LLMs) are increasingly deployed in agentic systems that interact with an external environment. However, LLM agents are vulnerable to prompt injection attacks when handling untrusted data. In this paper we propose CaMeL, a robust defense that creates a protective system layer around the LLM, securing it even when underlying models may be susceptible to attacks. To operate, CaMeL explicitly extracts the control and data flows from the (trusted) query; therefore, the untrusted data retrieved by the LLM can never impact the program flow. To further improve security, CaMeL relies on a notion of a capability to prevent the exfiltration of private data over unauthorized data flows. We demonstrate effectiveness of CaMeL by solving 67% of tasks with provable security in AgentDojo [NeurIPS 2024], a recent agentic security benchmark.

View arXiv page View PDF Add to collection

Community

iliashum
 Paper author Paper submitter

Turns out it is possible to defeat a large class of prompt injections by design with no changes to the underlying vulnerable llm

Your need to confirm your account before you can post a new comment.

Sign up or log in to comment

Models citing this paper 0

No model linking this paper

Cite arxiv.org/abs/2503.18813 in a model README.md to link it from this page.

Datasets citing this paper 0

No dataset linking this paper

Cite arxiv.org/abs/2503.18813 in a dataset README.md to link it from this page.

Spaces citing this paper 0

No Space linking this paper

Cite arxiv.org/abs/2503.18813 in a Space README.md to link it from this page.

Collections including this paper 4